AI in Revenue Cycle Management: Navigating the New FCA and OIG Compliance Landscape

The Enforcement-Adoption Tension: Why 2026 Is Different for AI in RCM

Two parallel trends are converging in 2026, and for revenue cycle leaders, the intersection is becoming the central compliance challenge of the year. On one side, AI adoption in revenue cycle management (RCM) has reached a tipping point. An HFMA-AKASA survey of 519 CFOs and revenue cycle leaders conducted in April 2025 found that 80% of health systems are now exploring, piloting, or implementing generative AI tools for RCM — a 38% jump from 58% in 2023. On the other side, the Department of Justice (DOJ) announced a record-breaking $6.8 billion in False Claims Act (FCA) settlements and judgments for fiscal year 2025, the largest annual total in the statute's history and roughly a 120% increase over 2024.

These two lines are not independent. The same technology that promises to close revenue leakage and reduce administrative burden is creating new, poorly understood avenues for FCA exposure. The government is not waiting for the industry to sort out its governance. It has built new enforcement infrastructure — a dedicated National Fraud Enforcement Division within DOJ, a White House Task Force on fraud in federal benefits programs, and HHS's own AI fraud detection tools — and it is deploying them against precisely the kinds of coding and documentation practices that AI tools are now automating at scale.

The AI RCM Adoption Surge: Key Statistics and Trends

The adoption data from three major surveys paints a consistent picture: AI in RCM is no longer experimental. It is becoming operational infrastructure.

The financial stakes are substantial. The HFMA-AKASA survey found that 89% of finance leaders said missed or inaccurate codes impact revenue, with 51% describing the impact as significant or very significant. On average, respondents estimated that 8.49% of total revenue is at risk due to documentation or coding issues. For a health system with $2 billion in net revenue, that represents approximately $170 million in exposure — a figure that makes the business case for AI adoption compelling and the compliance case for rigorous oversight equally urgent.

The Oliver Wyman survey adds that between 70% and 90% of decision-makers expect to increase spending on AI-enabled RCM capabilities over the next three years, with ambient documentation, clinical documentation improvement, coding automation, and electronic prior authorization identified as the top initiatives. Studies cited in the survey report coding accuracy reaching 90% or higher in specific clinical domains and up to nearly 46% reductions in coding time for complex cases.

Record FCA Enforcement and the New Government Infrastructure

While health systems were scaling AI in RCM, the DOJ was scaling enforcement. The $6.8 billion in FCA settlements and judgments for FY2025 represents a fundamental shift in the government's capacity and willingness to pursue healthcare fraud. Approximately $5.7 billion — 84% of total recoveries — came from healthcare cases. Nearly 500 new FCA cases were initiated in just the second half of FY2025, and whistleblower-initiated qui tam filings reached their highest level since the statute was enacted: 1,298 actions.

At RISE National 2026, DOJ's Edward Crooke made the government's priorities explicit. Medicare Advantage (MA) has become DOJ's "number one" enforcement priority, he stated, citing a series of major settlements: Kaiser ($556 million), Aetna ($117 million), Independent Health ($98 million), and Seoul Medical Group ($62 million), all involving MA risk-adjustment fraud allegations. These cases signal that the government is scrutinizing not just outright fabrication, but the systematic inflation of risk scores through aggressive or unsupported coding — precisely the kind of behavior that AI coding tools, if poorly governed, can amplify.

The enforcement infrastructure supporting these efforts has expanded significantly:

• DOJ created a new Division for National Fraud Enforcement, consolidating and expanding its capacity to pursue complex, multi-jurisdictional fraud cases.
• The White House established a Task Force to combat fraud in federal benefits programs, signaling executive-level prioritization.
• HHS plans to deploy its own AI tools to detect Medicare and Medicaid fraud, creating a scenario where government AI is scrutinizing claims generated by provider AI.
• CMS has proposed initiatives to significantly expand fraud prevention, detection, and enforcement capabilities, including AI-driven claim review.

OIG's March 2026 Work Plan: What It Means for AI-Assisted Coding

The March 2026 update to the OIG Work Plan contains several items directly relevant to organizations using AI in the revenue cycle. These are not abstract policy signals — they are active audit targets with specific timelines and methodologies.

• Chronic Care Management (CCM) services audit: OIG will examine Medicare Part B payments for CCM services, which increased substantially from CY2019 through CY2024. A prior OIG audit found that Medicare continued making overpayments for CCM services costing the program millions. The DOJ announced a $14.9 million settlement with a chronic disease management provider for alleged false claims related to CCM. For organizations using AI to identify and document CCM-eligible patients, this audit target is directly relevant.
• Modifier 25 usage review: OIG will analyze Medicare paid claims data for evaluation and management (E/M) services performed on the same day as minor surgical procedures during CY2023-2025. AI coding tools that automatically append Modifier 25 based on keyword detection rather than clinical judgment create clear audit exposure.
• Medicare Advantage compliance guidance: OIG issued its first major update to MA compliance program guidance since 1999. The updated guidance specifically addresses risk adjustment practices, including the use of AI, and cautions against improper agent and broker payment arrangements. This is the first time OIG has formally acknowledged AI-assisted coding as a distinct compliance risk area in MA.

OIG's Chief AI Officer Arjuna Swaminathan, speaking at RISE National 2026, warned about the emerging threat landscape. He described a "ghost ecosystem" of fake digital identities and noted that "in 2026, fraud isn't just fake — it's statistically indistinguishable from the truth." His warning for providers using AI in RCM was direct: "AI solutions without human oversight are just a faster way to make mistakes."

Specific FCA Risks from AI-Assisted Coding: Upcoding, Hallucination, and Context Errors

The compliance community has begun to identify the specific mechanisms through which AI coding tools create FCA exposure. These risks are not theoretical — they are grounded in how current-generation AI models function and how they are being deployed in clinical and administrative workflows.

• Upcoding from keyword-based code flagging. AI coding engines that flag codes based on keyword detection without clinical judgment context can systematically inflate severity. The NAMAS compliance framework warns of a specific scenario: an AI tool flagging sepsis codes for a patient with a low-grade fever and prophylactic antibiotics, where the clinical picture does not support the sepsis diagnosis. Each unsupported code submitted for payment is a potential false claim.
• Hallucination in ambient documentation. Generative AI models used for ambient clinical documentation can produce text that looks clinically impeccable but is factually inaccurate. The NAMAS article provides a concrete example: an ambient documentation tool auto-completing "patient reports no chest pain" when the provider had noted that the patient was unable to communicate. If that fabricated documentation becomes the basis for a billed service, the FCA exposure is direct.
• Context errors in complex coding scenarios. AI models trained on structured data may miss clinical nuance that a human coder would catch — the distinction between a condition that is present on admission versus hospital-acquired, or the difference between a chronic condition that was actively managed versus one that was merely documented in the history. These context errors compound when they affect risk adjustment scores in MA.
• Algorithmic bias and systematic over-coding. If an AI coding tool was trained on data that over-represents certain coding patterns or under-represents others, it may systematically over-code for specific patient populations or clinical scenarios. When that systematic bias results in a pattern of upcoding that the government identifies through its own AI analytics, the organization faces not just a single false claim allegation but a pattern-of-practice FCA case.

The Human-in-the-Loop Compliance Framework for RCM Teams

The response to these risks is not to abandon AI in RCM — the adoption data makes clear that the industry has passed that point. The response is to build a compliance framework that matches the speed and scale of AI with human oversight that is systematic, documented, and auditable.

The NAMAS "trust but verify" model provides a practical starting point. It recommends random sampling of 5-10% of high-risk AI-assisted cases, tracking discrepancies between AI output and human reviewer judgment, and feeding those discrepancies back into model retraining. This creates a closed-loop system where the AI improves over time and the organization builds a documented record of its oversight process — critical evidence if a government inquiry arises.

OIG's Swaminathan introduced the concept of an "integrity loop" at RISE National 2026, describing a framework where AI provides speed and scale while humans provide context, ethics, and intent determination. This framing is useful for RCM leaders building their governance approach: the goal is not to eliminate AI errors — that is not achievable with current technology — but to create a system where errors are caught, documented, and corrected before they become false claims.

Practical Governance Steps for RCM Leaders

For revenue cycle leaders, compliance officers, and healthcare attorneys who need to act on this information, the following steps provide a structured path from awareness to operational governance.

1. Conduct a current-state audit of all AI tools in the revenue cycle. Inventory every AI-powered tool touching coding, documentation, prior authorization, charge capture, and claims submission. For each tool, document the vendor, the model version, the deployment date, the clinical or administrative workflow it supports, and whether any formal validation or bias testing has been conducted. This inventory is the foundation for all subsequent governance work.
2. Establish a cross-functional AI compliance committee. The committee should include representation from legal, compliance, revenue cycle operations, health information management (HIM), IT, and clinical documentation improvement. This is not an IT project — it is a compliance governance structure that must have authority to approve, suspend, or require modifications to AI tool deployments.
3. Implement the AI Compliance Log. This log should track, for each AI tool: the specific version deployed, the date range of cases processed, the number of cases reviewed by a human auditor, the discrepancy rate, and any actions taken in response to identified errors. The log serves as the primary evidence of reasonable oversight if a government inquiry arises.
4. Develop and deliver training on AI-specific risks. Standard coding compliance training does not cover hallucination risks, context errors, or the specific failure modes of generative AI in clinical documentation. Develop training that gives coders and clinicians concrete scenarios — the sepsis code flagging example, the ambient documentation hallucination example — and clear guidance on when and how to override AI suggestions.
5. Create a process for responding to CMS AI-driven claim reviews and OIG inquiries. CMS is using augmented intelligence tools to flag billing outliers and weak documentation. Organizations should have a pre-defined response protocol that includes: identifying the specific AI tool involved in the flagged claims, producing the AI Compliance Log entries for those claims, demonstrating the human review process that was applied, and documenting any corrective actions taken. The speed and quality of this response can significantly influence the outcome of a government inquiry.

The convergence of surging AI adoption in RCM and record-setting FCA enforcement creates a compliance environment that no organization can afford to treat as business as usual. The government has built the infrastructure, set the priorities, and deployed its own AI tools. The question is no longer whether AI in RCM will be scrutinized — it is whether your organization has the governance framework in place to demonstrate that its AI-assisted claims are accurate, supported, and subject to meaningful human oversight.