OIG Work Plan 2026: The 10 Priorities Healthcare Compliance Officers Need to Know

Every year, healthcare compliance officers face the same challenge: predicting where federal scrutiny is headed before it reaches their organization. The OIG Work Plan 2026 gives compliance teams a meaningful head start. It outlines where the Health and Human Services (HHS) Office of Inspector General (OIG) is focusing its resources, which programs are under active review, and which audit activities are underway.

This is not just a reading assignment. The Work Plan is a dynamic document that OIG updates throughout the year as new risks emerge and program vulnerabilities surface in claims data. A significant cluster of new audit projects was announced in March 2026 alone, targeting billing compliance, managed care integrity, and Medicaid financial stewardship. When OIG announces the volume of projects at once, it signals that concentrated enforcement attention is on the way.

Compliance officers who use the Work Plan as a calendar for their own internal audit programs tend to catch problems before external reviewers do. Those who wait for a government letter have lost the advantage. This post examines the 10 OIG Work Plan 2026 priorities that pose the highest compliance risk to healthcare organizations, along with practical guidance on how to address each one.

How OIG's Work Plan Operates in 2026

Before getting into the 10 priorities, it helps to understand how the Work Plan functions in practice. OIG uses a risk-based planning process: its Engagement Committee assesses vulnerabilities across HHS programs, votes on proposed projects, and publicly posts approved audits and evaluations. Once a project is announced, OIG begins the work, issues findings, and monitors whether recommendations are implemented.

The March 2026 announcements were notable for their volume and specificity. Rather than broad thematic focus areas, OIG is drilling into particular billing codes, service categories, and payer programs. That level of detail tells compliance officers where to look in their own documentation and claims data.

Completed Work Plan projects also matter. Several audits finished in early 2026 have produced findings that OIG is now citing in enforcement actions. Reviewing those completed reports alongside active projects gives a fuller picture of where federal attention is concentrated. Pairing that review with an internal audit readiness checklist helps translate awareness into preparation.

Medicare Billing Integrity: Four Areas Under Active Review

Medicare billing practices account for four of the most consequential 2026 Work Plan priorities. Each involves a service category where OIG has identified payment patterns it believes are at risk of noncompliance.

Chronic Care Management Services

Medicare began paying for chronic care management (CCM) services in 2015, and utilization has grown year over year since then. From 2019 through 2024, Part B payments for CCM services increased at a rate that drew OIG's attention. In March 2026, OIG announced an audit targeting CCM payments that may not comply with Medicare's requirement that patients have two or more qualifying chronic conditions.

The exposure is clear. CCM billing requires documentation showing that the patient's conditions meet the eligibility standard and that the services billed occurred outside of regular office visits. Organizations that bill CCM without rigorous documentation policies face real recoupment risk. A prior OIG review found that Medicare was making overpayments for CCM services, and a $14.9 million settlement connected to false CCM claims followed shortly after.

Evaluation and Management Services with Modifier 25

Modifier 25 remains one of the most persistent compliance risks across all physician billing. The modifier is appended when a significant, separately identifiable evaluation and management (E/M) service is performed on the same day as a minor surgical procedure. When applied in the right clinical situation, Medicare pays for both the E/M and the procedure. When it is applied without supporting documentation, the result can be an overpayment and a potential false claims allegation.

OIG announced in March 2026 that it would review E/M claims paid alongside minor surgical procedures where Modifier 25 was not present in the claims data. The enforcement history here is substantial: settlements connected to improper Modifier 25 use have reached into the tens of millions of dollars across wound care, podiatry, ophthalmology, and other specialties.

Inpatient Neurostimulator Implantation Surgeries

OIG announced an audit of inpatient claims for neurostimulator implantation surgeries in March 2026. A prior review found that CMS overpaid $636 million for these procedures. Current prior authorization requirements apply to outpatient neurostimulator surgeries but not to inpatient ones. OIG has flagged this coverage gap as a vulnerability. Organizations billing these procedures in an inpatient setting should review documentation and billing logic and compare them to the current requirements.

Hospital and Outpatient Department Billing

Beyond the codes above, OIG continues to scrutinize hospital and outpatient department billing for patterns that suggest upcoding or payment errors. Emergency department billing levels, facility E/M coding, and device credits for implantable devices are all active areas of review. Organizations with high-volume outpatient departments should conduct internal audits across these categories. Turning Medicare audit results into a customized audit strategy is one way to keep internal audit programs aligned with current federal focus areas.

Medicare Advantage and Managed Care: Risk Adjustment in the Crosshairs

Medicare Advantage (also known as “MA”) risk adjustment has been one of OIG's most consistent enforcement areas for years, and 2026 is no different.

Risk Adjustment and Diagnosis Code Accuracy

OIG completed Medicare Advantage compliance audits for multiple plans in early 2026, including Gateway Health Plan and Blue Cross Blue Shield of Alabama. These audits focused on diagnosis codes submitted to CMS for risk adjustment purposes. The risk adjustment system is designed to align payments with enrollees' actual health status, but OIG has repeatedly found evidence of coding practices that inflate risk scores and monthly payments.

Common behaviors flagged by OIG include using retrospective chart reviews to add diagnoses that increase risk scores, conducting in-home health risk assessments that generate diagnoses not tied to patient care, and prompting physicians through electronic health record platforms to add diagnoses that did not affect treatment. MA organizations and downstream providers involved in these practices face exposure under the False Claims Act.

Medicare Part C Supplemental Benefit Oversight

In March 2026, OIG announced it would review the utilization and oversight of Medicare Part C supplemental benefits for over-the-counter items. Plans have expanded supplemental benefit offerings in recent years, and OIG is examining whether those benefits are being used as intended and whether oversight structures are adequate. For plans offering OTC benefits, compliance teams should review documentation of benefit utilization and the controls in place to prevent misuse.

Medicaid, Behavioral Health, Telehealth, and Pharmacy: Four More Priorities

The final four priorities span different program areas but share a common thread: OIG is examining places where federal dollars are flowing into programs with documentation, eligibility, or oversight gaps.

Medicaid State Reimbursement Compliance

OIG announced an audit in March 2026 examining whether state Medicaid agencies properly claimed federal reimbursement for certain services and whether state-only program expenditures were excluded from federal claims. This is a financial stewardship issue at the state level, but it has direct implications for providers and organizations whose services get categorized across Medicaid and state-only programs. Understanding how services are classified and what documentation supports each category is important

Behavioral Health and Substance Use Treatment

OIG continues to scrutinize behavioral health billing, with attention on Medicaid payments for opioid treatment programs and tele-behavioral health services. Provider enrollment and billing compliance for behavioral health services are active areas of review, and the documentation requirements for these services have been a persistent audit challenge. Organizations providing behavioral health services should review documentation standards and billing practices against current Medicaid requirements.

Telehealth and Virtual Care

Telehealth expanded during the pandemic, and many of those flexibilities have been extended or made permanent. OIG is reviewing telehealth claims for eligibility compliance, documentation sufficiency, duplicate billing, and cross-state licensure. The concern is that the rapid growth of telehealth created billing patterns that did not receive the same documentation scrutiny as in-person services. Compliance teams that have not conducted a thorough telehealth billing review should make it a priority. Closing the loop between compliance and auditing is an approach that connects audit findings to corrective action across any service area.

Pharmacy and 340B Program Compliance

The 340B drug pricing program allows qualifying healthcare organizations to purchase outpatient drugs at reduced prices. OIG has an ongoing interest in 340B compliance, focusing on drug pricing accuracy, proper use of contract pharmacies, and whether 340B savings are being used in ways that align with program intent. For covered entities in 340B, compliance programs should include regular reviews of eligibility, drug purchasing patterns, and contract pharmacy arrangements.

Turning Awareness Into a Workable Compliance Strategy

Reading a list of OIG priorities is one thing. Building those priorities into your compliance program is where the real work happens.

A few steps are worth taking now. Review your internal audit calendar against the 10 priorities covered in this post and identify any gaps: areas where OIG has announced active review but your organization has not conducted internal oversight recently. For each gap, set a timeline and assign ownership.

Documentation practices deserve a close look. Many of the 2026 priorities share a documentation problem at their core. CCM, Modifier 25, Medicare Advantage risk adjustment, and telehealth all rest on the same fundamental weakness: insufficient documentation standards. Clear policies, regular training, and consistent monitoring form the foundation of a defensible compliance position.

Treat this as an ongoing process, not a one-time review. OIG updates its Work Plan throughout the year, and compliance committee agendas should reflect that. Making the Work Plan a standing item means your organization responds to new project announcements instead of reacting to audit findings.

Healthicity's Compliance Manager is built to support proactive compliance program management. From risk assessments and audit tracking to incident management and OIG exclusion monitoring, Healthicity gives organizations like yours one place to organize, document, and demonstrate their work.