HHS just announced it will use AI to scan every federal grantee audit for signs of fraud. For CCOs with Medicaid exposure, the window to get ahead of this is narrow.
Federal officials are using AI tools built on platforms like ChatGPT to decide which organizations to audit first, working through a $2 trillion portfolio with explicit political pressure to produce results. The mechanism is the 1984 Single Audit Act: states and grantees receiving more than $1 million in federal funds must file annual audits. Those filings have piled up for years without serious federal review. That changes now.
For Chief Compliance Officers at health systems with significant Medicaid exposure, the question is no longer whether scrutiny will arrive. It is whether your program is built to withstand it.
What Federal Auditors Are Looking For
Federal auditors do not review individual claims. They look for aggregate patterns: deficiencies repeated across multiple audit cycles, weak subgrantee oversight, and HCC coding rates that deviate from peer norms. The HHS AI initiative is designed to surface exactly these signals at scale, across every grantee filing in the federal system.
The compliance programs that hold up under this scrutiny share one characteristic: they identified the pattern first. In MDaudit’s 2025 benchmark data, organizations running proactive programs increased risk-based audits by 25% and pre-bill audits by 30%, and retained significantly more revenue when external scrutiny arrived.
Four Risks Escalating Right Now
Continuous Monitoring Is the Foundation
A program that audits quarterly will miss the patterns that develop between cycles. Continuous monitoring means your team sees what an auditor would see, before the auditor sees it: real-time visibility into charge anomalies, E/M distributions, HCC capture rates, and denial trends across every provider and service line.
“Before MDaudit, my compliance team couldn’t focus on under-coded or under-billed claims. In only our first year we identified 55%+ more under-billed claims than in prior years.”
Health System Compliance Manager, MDaudit Customer
MDaudit’s AI framework does exactly what federal regulators are now doing at scale: surface the pattern and route it to a human reviewer who can act on it. The difference is your compliance team should be making that call first, with the corrective action already documented.
Five Steps for the Next 90 Days
-
Run a Medicaid-specific risk assessment. Pull HCC capture rates and E/M distributions and compare them against national benchmarks. MDaudit’s community of 170+ health systems provides real-time peer data to make this comparison actionable.
-
Review payer audit at-risk dollar trends. If at-risk dollars have grown significantly in the past 12 months, the pattern is already visible to payers and will be visible to federal reviewers.
-
Map your subrecipient relationships. Identify every entity receiving a pass-through of federal funds. Confirm monitoring documentation for each is current and audit-ready.
-
Organize your corrective action history. A documented record of self-identified overpayments reported within the 60-day ACA window is one of the most credibility-building things you can bring to a federal review.
-
Check your audit failure rates against benchmarks. MDaudit data shows 25% of providers and 33% of facilities fail billing audits on average. If your program is not finding failures at that rate, ask whether the risk is absent or whether detection is not sensitive enough.
The Bottom Line
HHS has the legal authority to withhold or cut off funding from recipients with unresolved oversight gaps, has already sent warning letters to states, and is using AI to prioritize targets across Medicaid, research grants, addiction services, and child care programs. This is not a future risk. It is a present one, compounding on top of a payer audit environment where at-risk dollars are already at an all-time high.
The compliance programs built for this moment are running continuous monitoring, benchmarking in real time, maintaining audit-ready documentation, and using AI that is explainable and governed. For programs still operating on periodic cycles and reactive workflows, the time to act is now.
See Where Your Program Stands
MDaudit’s Revenue Integrity Maturity Assessment takes 10 minutes and shows compliance leaders exactly where to focus first.
