Mozu logoMozu
Insurance audit defense records for behavioral health practice
Back to BlogAudit Defense

How to Prepare for a Behavioral Health Insurance Audit 2026

July 8, 2026
13 min read
Mozu Health

Mozu Health

The Definitive Guide: How to Prepare for a Behavioral Health Insurance Audit

If you've ever opened your email to find a "Request for Medical Records" from Cigna, Aetna, or a state Medicaid contractor, you know the feeling — your stomach drops, your mind races, and you immediately start wondering which chart is going to cost you. Insurance audits of behavioral health providers are on the rise. In 2023 alone, the HHS Office of Inspector General (OIG) recovered over $2.9 billion in improper payments through audits, investigations, and reviews — and behavioral health was explicitly named as a high-risk area.

But here's the truth most practice consultants won't tell you upfront: a behavioral health insurance audit isn't a verdict — it's a process. And with the right preparation, documentation habits, and response strategy, you can not only survive an audit but come out of it with zero recoupment and a tighter practice as a result.

This guide is for therapists, LPCs, LCSWs, LMFTs, psychiatrists, and group practice owners who want a practical, no-nonsense roadmap to audit readiness — before the letter ever arrives.

Why Behavioral Health Providers Are Being Audited More Than Ever

Let's start with context. Payers and government programs don't audit randomly (well, sometimes they do — more on that in a moment). There are specific triggers that flag your practice for review.

Common audit triggers in behavioral health include:

  • High utilization of 90837 (53+ minute therapy sessions) — If you bill 90837 for 80%+ of your sessions, you're an outlier. Payers notice.
  • Telehealth billing post-pandemic — CMS and commercial payers are aggressively auditing telehealth claims billed during and after the PHE (Public Health Emergency) period.
  • Frequent use of add-on codes — Codes like 90785 (interactive complexity) or 90833 (psychotherapy add-on to E/M) raise flags when used without clear documentation.
  • Billing mismatches — When the time billed doesn't align with documented session length.
  • New provider enrollment — Newly credentialed providers, especially in group practices, are often subject to prepayment reviews.
  • Patient complaints — Yes, a single disgruntled patient who calls their insurance company can initiate a review.
  • Statistical outlier analysis — Payers like UnitedHealthcare and Optum run algorithmic comparisons. If your billing patterns deviate significantly from peers in your specialty and geography, you get flagged.

The three main audit types you'll face:

  1. Prepayment Review — Claims are held before payment until records are submitted and reviewed.
  2. Post-Payment Audit (Recovery Audit / RAC) — Claims already paid are reviewed and recoupment is demanded if documentation is insufficient.
  3. Focused Medical Review — A targeted, in-depth audit of a specific code, date range, or clinical area.

Step 1: Understand What Auditors Are Actually Looking For

Auditors — whether from Optum, Cotiviti, Conduent (for Medicaid), or a Recovery Audit Contractor (RAC) — are looking for one thing: medical necessity and documentation to support every billed service.

For behavioral health specifically, that means every clinical note must answer these four questions:

  1. Why does this patient need this service? (Diagnosis, presenting symptoms, functional impairment)
  2. What service was actually delivered? (Modality, content, provider interaction)
  3. How long did it take? (Start/end time or total time for timed codes)
  4. What's the treatment plan and progress? (Goals, interventions, patient response)

If your notes can't answer all four, you are at risk for recoupment — even if the session was clinically excellent.

CPT Code-Specific Documentation Requirements

| CPT Code | Description | Minimum Time | Key Documentation Requirements | |---|---|---|---| | 90832 | Psychotherapy, 30 min | 16–37 min | Start/end time, modality, interventions, patient response | | 90834 | Psychotherapy, 45 min | 38–52 min | Start/end time, modality, interventions, patient response | | 90837 | Psychotherapy, 60 min | 53+ min | Start/end time, modality, interventions, patient response | | 90847 | Family therapy w/ patient | No set time | Who was present, relationship to patient, content of session | | 90785 | Interactive complexity (add-on) | N/A | Must document one of four qualifying factors (e.g., maladaptive communication, third-party involvement) | | 99213/99214 | E/M visit (Psychiatry) | 20–29 / 30–39 min | MDM or total time, psychiatric exam elements, medication management | | 90833 | Psych add-on to E/M | 16+ min | Separate psychotherapy content documented, distinct from E/M | | H0031/H2019 | Medicaid SUD services | Varies by state | Authorization, progress notes, treatment plan in file |

Pro tip: For timed CPT codes, always document the actual start and end time of psychotherapy — not just the total minutes. "Session lasted 55 minutes" is weaker than "Session conducted 2:00 PM – 2:55 PM."

Step 2: Conduct an Internal Self-Audit Before You Get a Letter

The single best thing you can do is audit yourself first. Pull 10–20 random charts from the last 12 months and review them against payer documentation standards. This is called a mock audit or internal compliance review, and it's what every risk consultant recommends.

Your Internal Audit Checklist

For each chart, verify:

  • [ ] Signed, dated intake/consent forms are present
  • [ ] A current, active treatment plan exists with measurable goals
  • [ ] Each progress note includes: date, start/end time, CPT code billed, diagnosis codes (ICD-10), presenting complaints, interventions used, patient response, and next appointment
  • [ ] Telehealth notes include: the patient's location at time of service, modality (audio/video), and consent for telehealth on file
  • [ ] Medication management notes include: current medications, dosage, side effects discussed, patient compliance, and rationale for any changes
  • [ ] Group therapy notes include: group members present (or just total count per HIPAA), topics addressed, and individual patient response (this is where most providers fail)
  • [ ] Discharge summaries are completed for terminated cases
  • [ ] Supervision notes are in file for supervised clinicians billing under a supervisor NPI

Common findings in mock audits:

  • Missing or outdated treatment plans (this is the #1 finding across all payers)
  • Notes that are copy-pasted or "cloned" — a red flag that triggers further review
  • Missing time documentation for timed codes
  • Telehealth consent not documented
  • ICD-10 codes that don't match the note content (e.g., billing F32.1 Major Depressive Disorder, Moderate, but the note says "patient is doing well, no significant symptoms")

Step 3: Get Your Administrative Records in Order

Clinical notes are only half the picture. Auditors also want to see:

  • Credentialing records — Current licensure, CAQH profile, insurance contracts
  • Authorization records — Prior authorizations for services requiring them (EAP sessions, intensive outpatient, certain Medicaid services)
  • Coordination of Benefits (COB) documentation — Especially for patients with Medicare + commercial coverage
  • Superbills and claim records — So you can reconcile what was submitted vs. what was paid
  • Business Associate Agreements (BAAs) — Required by HIPAA for any vendor handling PHI

Many group practices discover during an audit that they cannot locate authorization records for sessions already billed and paid — resulting in full recoupment of those claims. Build an authorization tracking system now.

Step 4: Know Your Payer-Specific Standards

This is where a lot of providers get burned. Documentation requirements aren't universal — they vary by payer.

  • Medicare (CMS): Requires documentation to support medical necessity per LCD (Local Coverage Determination) policies. Telehealth has specific place-of-service (POS) coding requirements (POS 02 vs. POS 10).
  • Medicaid (varies by state): Many state Medicaid programs require treatment plans to be updated every 90 days and signed by the patient. Progress notes must reference treatment plan goals explicitly.
  • UnitedHealthcare / Optum: Has its own clinical documentation guidelines, available in their online provider manual. Frequently audits 90837 and interactive complexity.
  • Cigna: Known for aggressive post-payment reviews of telehealth and high-frequency billing.
  • Aetna: Often requires concurrent review for more than 20 sessions per year.
  • TRICARE: Has strict "medically necessary" criteria and requires specific diagnostic and functional language in notes.
  • EAP Programs (Lyra, Spring Health, Optum EAP): Session limits are strictly enforced — billing beyond authorized sessions is a recoupment guarantee.

Download and bookmark each payer's provider manual and clinical policy bulletins. Set a calendar reminder to check for updates quarterly.

Step 5: Prepare Your Audit Response Protocol

If you receive an audit letter, do not panic and do not ignore it. Every audit letter has a response deadline — typically 30–45 days — and missing it is the fastest way to guarantee a denial.

When the Letter Arrives:

  1. Read it carefully. Note the specific dates of service, CPT codes, and claim numbers being reviewed.
  2. Pull every requested record immediately. Don't wait until day 29.
  3. Review each record against the documentation requirements before submitting. You cannot alter records, but you can add an addendum (dated in the present) to clarify something that was ambiguous.
  4. Organize your response professionally. Submit records in the order requested, with a cover letter that includes your NPI, Tax ID, and a list of enclosed documents.
  5. Keep copies of everything you submit, with proof of delivery.
  6. Consider involving a healthcare attorney or billing consultant if the audit involves more than 10 claims or potential recoupment exceeds $5,000.

If Recoupment Is Demanded:

You have the right to appeal. Most payers and Medicare have a multi-level appeals process:

  • Level 1: Redetermination (Medicare) or first-level appeal (commercial payers) — submit within 120 days
  • Level 2: Reconsideration by a Qualified Independent Contractor (QIC) for Medicare
  • Level 3: Office of Medicare Hearings and Appeals (OMHA) — ALJ hearing
  • Level 4: Medicare Appeals Council
  • Level 5: Federal District Court

Commercial payer appeals processes vary, but always document every communication and submit appeals in writing.

Step 6: Build Audit-Proof Documentation Habits Going Forward

The goal isn't just to survive this audit — it's to never sweat one again. Here's what audit-proof practices look like:

Write notes the same day as the session. Memory degrades fast, and payers can tell when notes are backdated or reconstructed weeks later.

Use templated structure, not templated content. A consistent SOAP or DAP note format is great. Copy-pasting the same note is not.

Document what makes this session unique. What did the patient say today? What shifted? What intervention did you use and why? What's the plan for next session?

Link every intervention back to a treatment plan goal. "Patient and therapist worked on cognitive restructuring techniques (Goal 2: reduce frequency of catastrophic thinking)" is far more defensible than "patient discussed anxiety."

Review your billing before submission. Does the CPT code match the documented time? Does the diagnosis match the clinical content of the note?

How AI-Powered Documentation Changes the Audit Equation

The biggest shift in behavioral health compliance in the past two years has been the rise of AI clinical documentation tools. Platforms like Mozu Health are designed specifically for behavioral health providers and help you:

  • Generate structured, payer-compliant progress notes that automatically include required elements (time, diagnosis, interventions, patient response, plan)
  • Flag documentation gaps before you submit — missing treatment plan references, incomplete time documentation, mismatched diagnosis codes
  • Maintain audit-ready records with timestamped, tamper-evident note histories
  • Support telehealth documentation compliance, including consent tracking and POS coding guidance
  • Give group practice owners visibility across all providers to identify documentation outliers before a payer does

The difference between a $0 recoupment outcome and a $40,000 clawback often comes down to whether your notes were written with payer standards in mind from the start — or retrofitted under pressure during an audit.

FAQ: Behavioral Health Insurance Audits

Q1: How long does a behavioral health insurance audit take? It depends on the type. A prepayment review can delay payment for 30–90 days. A post-payment audit with appeals can take 6–18 months from initial letter to final resolution, especially if it escalates to a Medicare ALJ hearing.

Q2: Can I bill for a session if the note isn't done yet? Technically you should not submit a claim until the note supporting that service is complete. Submitting a claim before documentation exists is a billing compliance risk. More practically, if you're audited and a note is missing for a billed date of service, that claim will almost certainly be recouped.

Q3: What's the difference between an audit and a records request? A records request is often the first step of an audit — the payer is gathering documentation to review. However, some records requests are routine (e.g., for coordination of benefits or utilization management). Read the letter carefully. If it references "claim review," "overpayment," or "medical necessity determination," treat it as an audit.

Q4: Should I hire a lawyer if I get audited? For small reviews (5 or fewer claims, low dollar amounts), a billing consultant is usually sufficient. If the audit involves allegations of fraud, whistleblower complaints, or potential recoupment over $10,000, consult a healthcare attorney immediately.

Q5: Can I get audited even if I've never had a complaint? Absolutely. Many audits are triggered by statistical algorithms — your billing pattern is an outlier compared to peers, and no complaint is required. New providers are also frequently subject to prepayment reviews automatically upon enrollment with certain payers.

Q6: What happens if I can't find the records being requested? Missing records for a billed service are treated the same as insufficient documentation — the claim is likely to be recouped. This is why secure, organized, EHR-based record retention is non-negotiable. Under HIPAA, you must retain records for 6 years from creation or last use; many states require longer.

Q7: Does using an AI documentation tool protect me from audits? No tool eliminates audit risk entirely — but an AI documentation platform built for behavioral health compliance significantly reduces your risk by ensuring your notes are complete, time-stamped, and structured to meet payer requirements before claims are ever submitted.

Final Thoughts: Audit Readiness Is a Practice Culture, Not a One-Time Event

The providers who fare best in audits aren't necessarily the best clinicians — they're the ones who document like it matters every single day, because they understand that the audit letter doesn't ask how good of a therapist you are. It asks whether your paperwork proves it.

Build your self-audit habit. Know your payer standards. Write notes that tell the story of each patient's clinical journey. And use technology that's built to keep you compliant from day one.

Ready to Make Your Practice Audit-Proof?

Mozu Health is an AI-powered clinical documentation platform built specifically for behavioral health providers — therapists, psychiatrists, LPCs, LCSWs, LMFTs, and group practices. Our platform generates HIPAA-compliant, payer-ready progress notes, flags documentation gaps in real time, and gives you the audit trail you need to respond to any records request with confidence.

Stop scrambling when the audit letter arrives. Start documenting like you're already prepared.

👉 Try Mozu Health free at mozuhealth.com — and find out what audit-ready documentation actually feels like.

Ready to try Mozu?

Start documenting smarter with your first 20 sessions free.

Sign Up Free

Related Posts

How to Read Remittance Advice in Mental Health Billing
Billing & Coding

September 26, 2026

How to Read Remittance Advice in Mental Health Billing

Read More
EOB Explanation of Benefits Mental Health: 2026 Guide
Billing & Coding

September 25, 2026

EOB Explanation of Benefits Mental Health: 2026 Guide

Read More
Timely Filing Deadlines: Mental Health Insurance Payers 2026
Billing & Coding

September 24, 2026

Timely Filing Deadlines: Mental Health Insurance Payers 2026

Read More