A medical coding audit is a systematic review of coded medical records to confirm that diagnoses, procedures, and services are accurately documented and billed.
In 2026, the combined effect of ICD-10-CM code set updates, CPT revisions, and CMS AI-assisted claim review tools makes a structured audit checklist a compliance requirement, not just a best practice.
This guide covers what a medical coding audit is, the 6-point checklist for 2026, key code set updates, how to act on findings, and answers to the most specific compliance questions audit teams face.
What Is a Medical Coding Audit?
A medical coding audit is a structured examination of medical records, coded claims, and supporting clinical documentation to verify that codes assigned accurately reflect the services provided and comply with applicable payer and regulatory guidelines.
Audits protect organizations from claim denials, overpayment recoupment, and OIG scrutiny.
What Are the Types of Medical Coding Audits?
There are 4 primary audit types used across healthcare settings.
Internal audits are conducted by in-house coding or compliance teams to monitor ongoing accuracy. External audits are performed by third-party auditors for an unbiased, independent review.
Payer audits are initiated by insurance carriers like Medicare or Medicaid to validate submitted claims against documentation. OIG audits are triggered when billing patterns deviate from statistical norms for the provider’s specialty and geographic area.
What Is the Difference Between Prospective and Retrospective Audits?
Prospective audits review claims before submission to prevent errors from reaching the payer, while retrospective audits review claims after submission and payment to identify patterns that require correction or rebilling.
Prospective audits reduce denial rates upfront. Retrospective audits are used to identify systemic coding issues, assess coder performance over time, and support corrective action planning.
Medical Coding Audit Checklist for 2026
Use these 6 audit checkpoints to verify coding accuracy and maintain compliance with current CMS, ICD-10-CM, and CPT guidelines.
How Do You Verify Patient Demographics and Documentation?
Every audit begins with confirming that patient-level data is complete and consistent across all records.
The patient name, date of birth, and insurance ID must match the submitted claim exactly. The date of service must be accurate and consistent across all supporting documents.
Provider NPI numbers, referring physician information, and authorization records must be present where required by the payer. Demographic mismatches are among the fastest claim rejection triggers and are fully preventable at the pre-submission stage.
How Do You Audit ICD-10-CM and CPT Code Accuracy?
Code accuracy requires that every assigned code reflects exactly what is documented in the clinical record.
ICD-10-CM diagnosis codes must be coded to the highest level of specificity available in the 2026 code set. CPT procedure codes must match the documented service. The principal diagnosis must be sequenced correctly per official guidelines.
Secondary diagnoses should be included only when they affect care or resource utilization. Auditors should cross-check all codes against the FY2026 ICD-10-CM tabular list and the AMA CPT 2026 code set to confirm no deleted or outdated codes are in use.
How Do You Review Medical Necessity and Clinical Documentation?
Medical necessity errors are one of the leading reasons CMS downcodes or denies claims.
CMS defines a covered service as one that is reasonable and necessary for the diagnosis or treatment of illness or injury. Check the documentation for physician notes that clearly support the billed diagnosis, for documented symptoms and treatment rationale, and for signed and dated orders covering any tests, imaging, or procedures billed.
The diagnosis recorded in the clinical note must align with the level of service billed. Unsupported E/M levels and procedures without documented indications are the two most common medical necessity failures identified in internal audits.
How Do You Check Compliance With CMS and OIG Guidelines?
Compliance reviews protect organizations from audits, penalties, and payment recoupments. Coding practices must align with the 2026 CMS ICD-10-CM Official Guidelines for Coding and Reporting, published October 1, 2025.
The OIG Work Plan for 2026 identifies telehealth billing, split/shared E/M visits, and Medicare Advantage risk adjustment coding as active audit focus areas. Specialties operating in these areas require heightened documentation and code accuracy standards.
HIPAA privacy rules must be followed in all documentation handling. Stark Law and Anti-Kickback Statute exposure areas should also be reviewed as part of any comprehensive compliance audit.
How Do You Audit Modifier Usage and Bundling Rules?
Incorrect modifier usage is a leading cause of claim denials and payer audit flags.
Modifier 25 is valid only when a significant, separately identifiable E/M service is documented on the same date as a procedure. It cannot be appended as a default. Modifier 59 must correctly identify distinct procedural services not bundled under NCCI edits.
Bilateral procedure modifiers (50) must be applied accurately and only when both sides are documented. Global surgery period rules must be followed for any post-operative services billed within the global window.
How Do You Evaluate Coding for E/M Services?
E/M coding accuracy requires that the level of service billed matches the complexity documented in the clinical note.
Medical decision making (MDM) or total physician time on the date of service must be clearly documented and support the assigned level. New versus established patient status must be correctly assigned.
For telehealth E/M services, which carry permanent flexibility under the 2026 CMS rules, the correct place of service code must accompany the E/M code. In 2026, CMS AI-based claim review tools flag statistical outliers in E/M code distribution by specialty, making level accuracy a compliance requirement with direct audit exposure.
What Are the Key 2026 Updates to Factor Into Your Audit?
What ICD-10-CM Changes Affect the Audit Checklist?
The FY2026 ICD-10-CM update, effective October 1, 2025, introduced over 300 new codes, revised existing code descriptions, and deleted obsolete entries.
Audit teams must verify that coders are not using legacy codes for categories that have been updated, particularly in the musculoskeletal and injury chapters where laterality and specificity requirements were revised.
The 2026 update also expanded guidance on coding social determinants of health (SDOH) using the Z55 through Z65 code range, which is now an active area of payer review for risk adjustment accuracy. Every ICD-10-CM code in audited records should be cross-referenced against the FY2026 tabular list published by CMS.
How Do CPT 2026 Updates Impact Coding Audits?
The AMA CPT 2026 code set includes new codes for digital health services, remote patient monitoring, and revised surgical procedure families.
Audit teams should confirm that deleted CPT codes are no longer in active use within the billing system. New remote therapeutic monitoring (RTM) codes require specific supporting documentation, and audits should verify that clinical records substantiate the services billed under these codes.
Revised E/M add-on codes for prolonged services must be applied correctly and only when total time documentation supports their use.
How Does AI and Automation Change the Audit Process?
AI-assisted coding tools and computer-assisted coding (CAC) software are widely used in 2026, but they introduce a distinct audit risk: codes suggested by AI that are accepted without clinical review.
A 2024 study published in the Journal of AHIMA found that AI coding tools achieve high accuracy on common code patterns but show increased error rates on complex, multi-condition encounters.
Audit teams should verify that AI-suggested codes are reviewed and approved by a credentialed coder, that CAC software is updated with 2026 code sets, and that a dedicated sample of AI-coded claims is audited separately each quarter to identify systematic error patterns early.
How Do You Act on Coding Audit Findings?
Coding accuracy rate is calculated by dividing the number of correctly coded records by the total records reviewed, then multiplying by 100.
AHIMA recommends auditing a statistically valid sample of 30 records per coder per audit cycle to produce reliable results. The industry standard accuracy target is 95% or higher.
Rates below 95% indicate a systemic issue in coder training, documentation quality, or coding tool configuration, and require a formal corrective response. Rates below 90% typically trigger immediate retraining and increased audit frequency until accuracy is restored.
What Should a Corrective Action Plan Include?
A corrective action plan (CAP) documents how the organization will address the root cause of identified coding errors. A complete CAP includes 5 components:
- Root cause analysis: identify whether errors stem from coder knowledge gaps, documentation deficiencies, outdated coding tools, or workflow breakdowns.
- Corrective steps: assign specific actions with owners and deadlines. Plans without clear accountability produce no measurable change.
- Education plan: coders with recurring errors in a specific code category require targeted training on that category, not general coding refreshers.
- Follow-up audit: schedule a re-audit 60 to 90 days after CAP implementation to measure improvement and confirm the error pattern has been corrected.
- Claims correction: document rebilling actions taken on claims with identified errors, including any overpayment self-disclosure obligations where applicable.
Conclusion
A medical coding audit checklist is the foundation of a compliant, revenue-protected coding program.
With 2026 bringing ICD-10-CM code set expansions, CPT revisions, new OIG audit priorities, and wider adoption of AI coding tools, audit teams need a checklist that reflects the current coding and compliance landscape.
The 6 core checkpoints cover the areas where coding errors are most likely to occur: patient demographics, ICD-10-CM and CPT code accuracy, medical necessity, CMS and OIG compliance, modifier usage, and E/M documentation.
Audit at minimum quarterly, benchmark accuracy at 95% or higher, and act on findings with a corrective action plan that includes a follow-up audit within 90 days. Consistent audits reduce claim denials, protect coder performance standards, and keep your organization ahead of both payer and OIG review.
FAQs
How Often Should a Medical Coding Audit Be Conducted?
Medical coding audits should be conducted at minimum quarterly for established coding teams.
What Is an Acceptable Coding Accuracy Rate Under CMS Guidelines?
CMS does not publish a single mandated accuracy threshold, but the industry standard is 95% or higher.
Can AI Tools Replace Manual Coding Audits?
AI coding tools do not replace manual coding audits.
What Is the OIG’s Role in Medical Coding Compliance?
The OIG publishes an annual Work Plan identifying the medical billing and coding areas it will actively audit each year.
How Do CPT Modifier Errors Affect Claim Reimbursement?
Incorrect CPT modifiers result in claim denials, reduced reimbursement, or overpayment recoupment depending on the direction of the error.