    Insight Article
    MGMA Insights
    MGMA Governance Insights

    Fraud, waste and abuse (FWA) drain money out of healthcare and create avoidable risk for the practices caught in enforcement activity. For medical group leaders, the practical question is narrower than the policy debate: how do you structure a compliance program that prevents, detects, and corrects FWA in your own organization before it becomes a repayment demand, an audit finding, or a whistleblower case?

    What FWA looks like in a practice

    OIG and CMS define these terms in slightly different words, and every medical group should have the definitions spelled out in policy.

    • Fraud is knowingly submitting false claims or making misrepresentations to obtain payment — or knowingly soliciting, offering, paying or receiving remuneration to induce or reward referrals for services reimbursed by a federal healthcare program.
    • Abuse covers billing for unnecessary services, charging excessively, or misusing codes through upcoding or unbundling.
    • Waste generally includes overuse and misuse of services that does not rise to fraud or abuse but still costs the system. The dollar figures vary by source and year, but improper payments in Medicare alone run into the tens of billions of dollars annually — an environment in which practice-level errors can attract outsized scrutiny.

    Coding is where most practices encounter FWA in real life, and the most common coding problem is also the most mundane: insufficient documentation. A claim that cannot be supported by what's in the record is exposed, whether the gap is a missing signature, an unsupported level of service, a modifier the documentation doesn't justify, or a time-based code that isn't tied to documented time. OIG's physician-practice guidance organizes the practice-level risks into four areas that still frame most audit activity: coding and billing; reasonable and necessary services; documentation; and improper inducements, kickbacks, and self-referrals.¹ Those four categories cover nearly every practice-level compliance case that lands on an administrator's desk.

    How FWA is detected

    Most FWA detection starts with patterns rather than single events. Auditors, payers, and OIG look for unusual service volume, excessive testing, false claims, unbundling, upcoding, high-reimbursement procedure patterns, and signals that suggest quality-of-care problems. A compliance program earns its keep by surfacing those patterns internally before they attract outside attention.

    The signals a compliance program watches are the same ones administrators already use to run the practice: denial trends, modifier use by clinician, E/M distribution, medical-necessity denials, patient complaints, exclusion-list hits, licensure expirations. Compliance work reads that data with more discipline than day-to-day operations typically does.
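    The peer-comparison screen that paragraph describes, written out as an added example that is not from the article or from MGMA. It reads constructed claim lines (clinician, CPT code, modifiers), computes each clinician's share of office E/M visits billed at 99214/99215 and the share carrying modifier 25, and flags anyone who sits well above the practice-wide mean. The clinician labels, sample claims, z-score threshold and minimum-visit floor are assumptions chosen for illustration; a flag is a trigger for chart review, not an audit finding.

```python
"""Peer-comparison screen over claim lines: per-clinician E/M level mix and
modifier 25 rate, flagged against the practice-wide distribution.
Added example; sample data and thresholds are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample claim lines (not real data): (clinician, CPT code, modifiers)
SAMPLE_CLAIMS = [
    ("DR_A", "99213", ""), ("DR_A", "99214", ""), ("DR_A", "99213", ""),
    ("DR_A", "99212", ""), ("DR_A", "99214", "25"),
    ("DR_B", "99213", ""), ("DR_B", "99214", ""), ("DR_B", "99213", ""),
    ("DR_B", "99213", "25"), ("DR_B", "99212", ""),
    ("DR_C", "99215", "25"), ("DR_C", "99215", "25"), ("DR_C", "99214", "25"),
    ("DR_C", "99215", "25"), ("DR_C", "99215", ""),
    ("DR_D", "99213", ""), ("DR_D", "99213", ""), ("DR_D", "99214", ""),
    ("DR_D", "99212", ""), ("DR_D", "99213", ""),
]

EM_OFFICE_CODES = {"99211", "99212", "99213", "99214", "99215"}
HIGH_LEVEL = {"99214", "99215"}


def clinician_metrics(claims):
    """Per clinician: share of office E/M visits billed at 99214/99215 and
    share of those visits carrying modifier 25. Non-E/M lines are ignored."""
    counts = defaultdict(lambda: {"visits": 0, "high": 0, "mod25": 0})
    for clinician, cpt, mods in claims:
        if cpt not in EM_OFFICE_CODES:
            continue
        c = counts[clinician]
        c["visits"] += 1
        c["high"] += int(cpt in HIGH_LEVEL)
        c["mod25"] += int("25" in mods.split(","))
    return {
        k: {
            "high_share": v["high"] / v["visits"],
            "mod25_share": v["mod25"] / v["visits"],
            "visits": v["visits"],
        }
        for k, v in counts.items()
        if v["visits"]
    }


def flag_outliers(metrics, metric, z_threshold=1.5, min_visits=5):
    """Return clinicians whose metric sits more than z_threshold population
    standard deviations above the peer mean. Clinicians below min_visits are
    left out so that one busy week does not trip the screen. Caveat: in a
    group of n peers the largest possible z-score is sqrt(n - 1), so a small
    practice needs a low threshold (assumed 1.5 here) and should treat a
    flag as a reason to pull charts, not as a finding."""
    peers = {k: v[metric] for k, v in metrics.items() if v["visits"] >= min_visits}
    if len(peers) < 3:
        return []  # too few peers for a meaningful comparison
    mu, sigma = mean(peers.values()), pstdev(peers.values())
    if sigma == 0:
        return []  # everyone bills the same mix; nothing to flag
    return sorted(k for k, val in peers.items() if (val - mu) / sigma > z_threshold)


if __name__ == "__main__":
    m = clinician_metrics(SAMPLE_CLAIMS)
    for clinician, v in sorted(m.items()):
        print(f"{clinician}: high-level share {v['high_share']:.2f}, "
              f"modifier 25 share {v['mod25_share']:.2f} ({v['visits']} visits)")
    print("review high-level mix:", flag_outliers(m, "high_share"))
    print("review modifier 25 use:", flag_outliers(m, "mod25_share"))
```

    The same loop extends to other signals the paragraph lists (denial rate by clinician, time-based codes per day), but the design choice to carry forward is the peer baseline: a clinician's numbers only mean something against the rest of the practice and, ideally, a specialty benchmark, and any flag goes to documentation review before anyone concludes upcoding.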

    The seven elements, scaled to your practice

    OIG's General Compliance Program Guidance describes the seven elements of an effective compliance program: written policies and procedures; compliance leadership and oversight; training and education; effective lines of communication; enforcement of standards through well-publicized disciplinary guidelines; risk assessment, auditing, and monitoring; and response and prevention, meaning corrective action when problems are found.² The same guidance explicitly says small entities should scale these elements to their size and constraints.³ A 10-provider independent group doesn't need a hospital-style compliance department. It needs a defined person accountable for compliance activity, a set of policies staff can read and follow, a predictable review frequency, and a credible way for people to raise concerns.

    Written policies do the quiet work of preventing problems before they start. They should be plain-language, role-specific where it matters, and kept current as codes, regulations, and payer rules change. The policies people actually touch — documentation standards, coding and billing procedures, referral and financial-relationship rules, exclusion screening, and the process for reporting concerns — matter more than the length of the binder. A compliance plan that cannot be found, read, or explained by staff is not functioning as a compliance plan.¹

    Risk assessment and auditing

    OIG says small entities should assess compliance risks at least once a year and conduct at least an annual audit.³ In practical terms, that means a yearly look at the signals the practice generates: claim denials, medical-necessity challenges, patient complaints, unusual utilization shifts, exclusion-list issues, and licensure or certification gaps. An annual audit is worth the effort when it is real, documented, and tied to corrective action when it finds something. Practices that audit the same small sample the same way every year, find nothing, and file the report have a compliance program on paper but not in operation.

    Training that sticks

    Training is where many small practices underinvest and pay for it later. OIG physician-practice guidance emphasizes training for new hires and existing staff, with refreshers as appropriate,¹ and MGMA's September 2025 poll found that 43% of medical groups hold an annual compliance week or month focused on trainings and refreshers.⁴ That rhythm works if the content is tied to the risks each role actually touches: front-desk staff on registration and eligibility accuracy; clinical staff on documentation habits and order workflows; coders and billers on modifier use and payer rules; physicians and APPs on medical necessity, signatures, supervision, and referral relationships; managers on escalation and corrective action. Generic annual training satisfies the checkbox without changing behavior.

    Reporting without retaliation

    Employees see FWA problems before auditors do. Whether they say anything depends on how the practice handles reporting. OIG guidance tells organizations to provide user-friendly reporting methods, prohibit retaliation for good-faith reporting, and make clear where to raise concerns.² It also warns that when organizations fail to act on questionable situations, employees may pursue False Claims Act channels out of frustration.

    The essentials for a small practice are an open-door reporting structure, visible nonretaliation language, and a clear process for what happens after someone raises a concern. A formal hotline vendor helps larger organizations but isn't required at small scale. In physician-owned practices where the owners are also the practicing clinicians, discipline matters most here: a staff concern about documentation pressure, billing edits, or a referral arrangement has to trigger review rather than defensiveness.

    Emerging areas: AI tools and third-party billing

    The risk landscape has grown. MGMA found in January 2026 that only 42% of medical group leaders either had an AI governance or formal AI-use policy or were developing one, while 56% said “no.”⁵ By mid-2025, 71% of leaders reported some AI use in patient visits. AI now touches ambient note capture, draft patient communications, coding and charge review, prior authorization support, and workflow automation — the same surfaces where documentation, medical necessity, and billing already create compliance exposure. A compliance program that has not yet defined which tools are approved, what data can be entered, what human review is required, and how errors are escalated has a live FWA vector running through it. OIG's guidance notes that providers entering new areas, including health care technology, should evaluate new risk areas as they grow.²

    Third-party relationships are the other expanding surface. Practices working with management services organizations (MSOs) or outside billing companies should not assume compliance has transferred with the services. MSOs can help practices navigate HIPAA, Stark, Anti-Kickback, and other regulatory demands, but the clinical entity remains responsible for what is billed in its name.⁶ Someone inside the practice still needs to own exclusion checks, annual risk assessment, contract review, coding and documentation audits, and incident escalation. OIG specifically calls for coordination between the practice and any outside billing company when one is used.¹

    Why this pays off

    A functioning compliance program does unglamorous but valuable work. It improves documentation. It reduces repeated overpayments and denials. It catches exclusion-list hits before they become recoupments. It gives clinicians clearer expectations. And when something does go wrong, a credibly operated program is part of how OIG and DOJ evaluate intent and remediation. That credibility comes from how the program operates, not from its size: a named owner, a written plan, an annual cycle, real training, a safe way to report, and corrective action when something surfaces. That discipline is what keeps FWA from becoming the practice's problem.

    Notes

    1. HHS Office of Inspector General. "OIG Compliance Program for Individual and Small Group Physician Practices." Federal Register. Oct. 5, 2000. Available from: https://www.federalregister.gov/documents/2000/10/05/00-25500/oig-compliance-program-for-individual-and-small-group-physician-practices
    2. HHS Office of Inspector General. "General Compliance Program Guidance." Available from: https://oig.hhs.gov/compliance/general-compliance-program-guidance/
    3. HHS Office of Inspector General. General Compliance Program Guidance. November 2023. Available from: https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf
    4. MGMA Staff Members. "Making compliance visible: Trainings and refreshers that pay off for your practice." MGMA. Sept. 3, 2025. Available from: https://www.mgma.com/mgma-stat/making-compliance-visible-trainings-and-refreshers-for-your-practice
    5. Harrop C. "AI governance in medical group practices: Rules for the humans in the loop." MGMA. Jan. 21, 2026. Available from: https://www.mgma.com/mgma-stat/ai-governance-in-medical-group-practices
    6. Weissenberg A, Lee DY. "Understanding management services organizations (MSOs): Benefits, compliance risks, and best practices." MGMA. Feb. 25, 2025. Available from: https://www.mgma.com/articles/understanding-management-services-organizations-msos-benefits-compliance-risks-and-best-practices

    Written By

    MGMA Governance Insights

    MGMA Governance Insights is developed by MGMA’s in-house team of editors and subject-matter experts who support leaders responsible for structure, accountability, and long-term direction of medical practices. This includes board governance, ownership models, policy development, compliance oversight, and aligning mission, vision, and values with day-to-day operations. Effective governance is foundational to organizational success, shaping how decisions are made, how risk is managed, and how leadership responsibilities are defined. MGMA’s content reflects the realities of physician-led and administrator-led organizations, helping leaders navigate decision rights, organizational structure, and strategic alignment. The goal is to provide practical guidance that strengthens leadership effectiveness, supports compliance, and ensures the organization operates with clarity, consistency, and purpose.

