
Upcoding in medical billing means submitting a CPT, ICD-10, or DRG code that overstates the severity, complexity, or service level beyond what the medical record supports.
In FY 2022, the Department of Justice recovered over $2.2 billion through False Claims Act settlements across healthcare fraud categories — and coding violations, including upcoding, are a recurring basis for those cases.
What makes upcoding legally dangerous is not just the overpayment. Federal law treats knowingly submitting an inflated claim to a government healthcare program as a false claim, with civil penalties exceeding $25,000 per claim and criminal penalties that can include imprisonment.
In this article, we’ll be going through:
- How CMS classifies the line between error, abuse, and fraud
- How auditors detect upcoding patterns before reviewing a single chart
- Prevention controls that keep a coding error from becoming an investigation
- The four places upcoding actually happens in the billing workflow
- Civil, criminal, and administrative penalty tracks
How does CMS classify improper billing?
CMS and the OIG separate improper billing into three levels, and the boundaries between them are determined by pattern, not intent.
- A coding error is an unintentional mistake: correctable through training and audits, with no legal liability unless a pattern of errors indicates reckless disregard.
- Abuse is billing that’s inconsistent with accepted standards but lacks clear evidence of intentional fraud. It may result in repayment demands, corrective action plans, and increased audit scrutiny.
- Fraud is knowingly submitting false claims. It is subject to civil penalties under the FCA, criminal prosecution, and exclusion from federal healthcare programs.
In practice, the bigger issue is that a single upcoded claim is a correctable error, but hundreds of upcoded claims with the same pattern suggest knowledge or reckless indifference. That threshold is enough for FCA liability — and it’s lower than most billing teams assume.
Compliance Framework
Error vs. Abuse vs. Fraud: How CMS Classifies Improper Billing
- Error: Unintentional mistake in code selection. Result: Overpayment recovery, training, corrective action. No legal liability unless pattern shows reckless disregard.
- Abuse: Inconsistent with accepted standards, intent unclear. Result: Repayment demands, corrective action plans, increased audit frequency. May escalate to fraud investigation if pattern persists.
- Fraud: Knowingly submitting false claims for payment. Result: Civil penalties under FCA ($25K+ per claim), criminal prosecution (up to 10 years), Medicare/Medicaid exclusion, license revocation.
Where does upcoding actually happen?

Upcoding occurs at specific points in the billing workflow, and knowing where it happens explains both how to detect it and how to prevent it.
E/M level inflation
A patient visit supporting a level 3 code (99213 — low complexity) gets billed as level 4 (99214) or level 5 (99215). The reimbursement gap between 99213 and 99215 can exceed $100 per visit. Across thousands of encounters, that inflation produces significant overpayment.
Under CMS E/M guidelines, the level must be supported by documented medical decision-making (MDM) or total time.
When documentation describes a straightforward problem with a simple management plan, billing a high-complexity code is upcoding — whether the provider chose that code deliberately or the coder selected it without adequate review.
A common mistake is coding to what the provider remembers doing rather than what the note actually says.
Diagnosis inflation
Reporting an ICD-10 code that overstates severity to justify a higher-paying visit or procedure.
Coding a mild respiratory infection as pneumonia with complications, or unspecified chest pain as acute coronary syndrome, changes the reimbursement profile without clinical justification.
In hospital settings, diagnosis inflation directly affects DRG assignment. A higher-weighted DRG increases payment under Medicare’s Inpatient Prospective Payment System — and DRG upcoding is one of the most heavily audited improper payment categories.
Procedure misrepresentation
Billing a complex version of a procedure when only a simple version was performed, for example simple wound repair (12001-12007) coded as intermediate (12031-12057) or complex (13100-13153) without documentation supporting the additional complexity.
EHR-assisted risk
EHR templates that auto-populate clinical findings or carry forward documentation from previous visits can produce notes that appear to support a higher E/M level than the encounter justified.
The note looks complete, but the clinical content wasn’t generated during the current visit. OIG has identified copy-forward and cloned notes as a compliance concern that contributes to upcoding risk.
For most practices, the danger isn’t intentional fraud — it’s that the EHR makes over-documentation invisible until an auditor compares the note to the actual encounter.
What are the legal consequences of upcoding?
The legal framework involves three separate enforcement tracks — civil, criminal, and administrative.
| Track | Statute | Penalties |
|---|---|---|
| Civil | False Claims Act (31 U.S.C. §§ 3729-3733) | Treble damages + $25,000+ per false claim; “knowing” includes reckless disregard |
| Criminal | 18 U.S.C. §1347 | Up to 10 years imprisonment, fines up to $250,000 (individuals) / $500,000 (organizations) |
| Administrative | OIG Exclusion (42 U.S.C. §1320a-7) | Exclusion from Medicare/Medicaid; state license revocation |
FCA cases can be initiated by the government or by whistleblowers under qui tam provisions.
Whistleblowers may receive 15-30% of the recovered amount — which creates a financial incentive for employees to report suspected upcoding that most practices underestimate.
Criminal prosecution requires proof of intent beyond what the FCA demands and is reserved for the most egregious cases.
But the FCA’s “reckless disregard” standard means a practice doesn’t need to intend fraud to face civil liability — billing patterns that demonstrate knowing indifference to accuracy are enough.
How is upcoding different from other billing problems?
Billing teams frequently conflate terms that describe different problems with different consequences.
| Term | What it means | Key difference |
|---|---|---|
| Upcoding | Billing a higher-level code than documentation supports | Overstates severity or complexity |
| Unbundling | Billing procedure components separately when a bundled code exists | Manipulates billing structure |
| Miscoding | Selecting an incorrect code (may be higher or lower) | Often accidental; may over- or underpay |
| Downcoding | Billing a lower-level code than documentation supports | Underpayment; lower legal risk but reduces revenue |
Upcoding and unbundling are the two billing practices most frequently targeted by OIG enforcement. Both result in overpayment, but through different mechanisms — upcoding inflates severity of a single code, while unbundling splits a bundled service into separately billed components.
How do auditors detect upcoding?
CMS, OIG, MACs, and RACs use multiple detection methods — and the most effective ones don’t start with chart review.
Audit Intelligence
How Auditors Find Upcoding
- Billing distributions compared to specialty norms. Providers who code consistently higher than peers are flagged for review.
- Chart documentation compared against submitted codes. Mismatch = improper payment finding.
- Same-specialty, same-region comparison. Consistently higher coding than peers increases audit probability.
- Machine learning scores claims for upcoding risk before payment. Flagged claims held for review.
The billing pattern itself becomes evidence — even before a single chart is reviewed. For most billing teams, the statistical profile of their providers is the first thing an auditor sees and the last thing the practice checks internally.
How do you prevent upcoding?

Prevention operates at two levels — individual coding accuracy and organizational compliance systems. The real tradeoff for most practices is between revenue optimization and audit risk, and the right answer depends on whether the documentation genuinely supports the code.
Documentation should determine coding decisions, not coding goals
Documentation must always support the code selection. When documentation is incomplete, vague, or lacks the elements required to justify a higher code level, coding should remain at the level supported by the record or be held for provider clarification before claim submission.
Audit coding patterns against specialty-specific benchmarks
Organizations should perform internal coding audits at least quarterly to evaluate E/M level distribution, procedure complexity trends, and diagnosis severity patterns. Comparing results against specialty benchmarks helps identify outliers, compliance risks, and potential documentation deficiencies before external audits occur.
Design EHR templates to require active documentation validation
EHR systems should require clinicians to actively review, confirm, or modify carried-forward information rather than automatically accepting prior documentation. Timestamped confirmations create a stronger audit trail and help reduce inaccuracies caused by unchecked copy-forward practices.
Align compensation incentives with coding compliance safeguards
Compensation models that reward higher coding levels without appropriate compliance oversight can create systemic risk. Effective programs balance productivity incentives with coding quality reviews, audit monitoring, and compliance controls to discourage unsupported code selection and reduce regulatory exposure.
An internal audit that finds a provider billing 70% of visits at 99215 is an opportunity for training. The same finding discovered by OIG is the start of an investigation. The difference between those two outcomes is timing — not the underlying data.
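The peer comparison that auditors run first, and the quarterly internal check on E/M level distribution described above, can be sketched as follows. This is an added example, not code from CMS, OIG, or the article's author; the provider IDs, claim counts, and the `z_cut` and `min_visits` thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

EM_CODES = {"99211", "99212", "99213", "99214", "99215"}  # established-patient E/M
HIGH = ("99214", "99215")

def em_profile(claims):
    """Map provider -> Counter of E/M codes billed; other CPT codes are ignored."""
    profile = defaultdict(Counter)
    for provider, cpt in claims:
        if cpt in EM_CODES:
            profile[provider][cpt] += 1
    return profile

def flag_outliers(claims, z_cut=3.0, min_visits=30):
    """Flag providers whose 99214/99215 share is far above the rest of the group.

    Uses a one-sided two-proportion z-test against leave-one-out peers.
    z_cut and min_visits are assumed thresholds, not CMS or OIG values.
    """
    profile = em_profile(claims)
    findings = []
    for prov, counts in profile.items():
        n = sum(counts.values())
        peers = [c for p, c in profile.items() if p != prov]
        peer_n = sum(sum(c.values()) for c in peers)
        if n < min_visits or peer_n == 0:
            continue  # too little volume for a meaningful comparison
        high = sum(counts[k] for k in HIGH)
        peer_high = sum(c[k] for c in peers for k in HIGH)
        pooled = (high + peer_high) / (n + peer_n)
        se = math.sqrt(pooled * (1 - pooled) * (1 / n + 1 / peer_n))
        z = (high / n - peer_high / peer_n) / se if se else 0.0
        if z > z_cut:
            findings.append({"provider": prov, "high_share": round(high / n, 2),
                             "peer_high_share": round(peer_high / peer_n, 2),
                             "share_99215": round(counts["99215"] / n, 2),
                             "z": round(z, 1)})
    return sorted(findings, key=lambda f: -f["z"])

def _visits(provider, mix):
    return [(provider, cpt) for cpt, n in mix.items() for _ in range(n)]

# Constructed sample: one quarter of claims for four hypothetical providers.
SAMPLE = (_visits("DR-A", {"99212": 10, "99213": 50, "99214": 35, "99215": 5})
          + _visits("DR-B", {"99212": 8, "99213": 55, "99214": 30, "99215": 7})
          + _visits("DR-C", {"99213": 10, "99214": 20, "99215": 70})
          + _visits("DR-D", {"99213": 6, "99214": 4, "12001": 3}))  # low volume

if __name__ == "__main__":
    for f in flag_outliers(SAMPLE):
        print(f)
```

A flag here only selects which provider's charts to pull; whether the codes are supported is still decided by comparing each note against the submitted code.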
What should patients do if they suspect upcoding?
Patients who receive a bill or EOB that doesn’t match the care they received should request an itemized bill, compare each line item against their recollection of services, and contact the provider’s billing department for clarification.
If the explanation is unsatisfactory, patients can report suspected fraud to the OIG fraud hotline (1-800-HHS-TIPS) or contact their state insurance commissioner. Medicare beneficiaries can also report concerns to the Senior Medicare Patrol program.
Upcoding risk starts long before an audit
Most upcoding problems aren’t discovered when a claim is submitted — they’re discovered when billing patterns, documentation gaps, and coding trends attract auditor attention. The safest revenue cycle isn’t the one that bills the highest level possible. It’s the one that can defend every code under scrutiny.
Frequently asked questions
Here are some commonly asked questions on this topic:
Upcoding means submitting a CPT, ICD-10, or DRG code that represents a higher level of severity or complexity than what was actually performed or documented. The result is an overpayment from the payer. Upcoding can be intentional (fraud) or unintentional (coding error), but federal law does not require proof of specific intent — knowingly disregarding coding accuracy or acting with reckless indifference is enough to trigger False Claims Act liability.
Upcoding that results in overpayment from a federal healthcare program is always an improper payment that must be corrected. Whether it’s illegal depends on circumstances. An isolated error is correctable without legal liability. A persistent pattern — especially one that increases revenue and isn’t corrected after identification — can be classified as abuse or fraud, triggering FCA civil penalties or criminal prosecution under 18 U.S.C. §1347.
Upcoding inflates the severity of a single code — billing a higher E/M level or more severe diagnosis than documentation supports. Unbundling bills the components of a bundled procedure separately to increase total reimbursement. Both result in overpayment through different mechanisms. Both are enforcement targets for CMS and OIG.
Civil penalties under the FCA include treble damages plus per-claim penalties exceeding $25,000. Criminal prosecution under 18 U.S.C. §1347 carries up to 10 years imprisonment and fines up to $250,000 for individuals. Administrative consequences include Medicare/Medicaid exclusion and potential license revocation. Severity depends on whether the upcoding was an isolated error, a pattern of abuse, or intentional fraud.
Yes. Coding errors, documentation deficiencies, EHR auto-population, and misapplied CPT guidelines can all produce unintentional upcoding. The critical factor is what happens after the error is identified. A practice that discovers upcoding through an internal audit, corrects the overpayments, and implements training is managing a coding error. A practice that identifies the pattern and continues billing the same way is demonstrating reckless disregard — which converts an error into potential fraud liability.
Request an itemized bill and compare each line item against services actually received. Look for E/M levels disproportionate to time spent or problem complexity. Check whether listed procedures match what was performed. Compare the bill against your EOB. If charges don’t match your experience, contact the provider’s billing department first, then report concerns to your insurer or the OIG fraud hotline.