As federal and state governments focus on safeguarding Medicaid dollars and preventing fraud, waste, and abuse (FWA), healthcare organizations are facing heightened enforcement, expanded oversight, and a renewed focus on accountability from entities including Medicaid Fraud Control Units (MFCUs), CMS, and the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG).
With organizations receiving inquiries from these governmental agencies daily, the overarching message for healthcare providers, health plans, and managed care organizations is to prioritize proactive compliance and become audit-ready now.
This article explores the recent emphasis on enforcement and strategies to help organizations adapt.
What Is the Role of Medicaid Fraud Control Units?
MFCUs are specialized state agencies tasked with investigating and prosecuting fraud committed by healthcare providers under the Medicaid program, as well as abuse or neglect of patients in healthcare facilities and other care settings. Federal law requires every state, along with the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, to maintain an MFCU, unless it can demonstrate that such a unit is unnecessary. MFCUs are funded jointly by federal and state governments, with HHS covering 75% of operating costs.
These units employ teams of investigators, auditors, and attorneys, with varied state-by-state staffing levels (from fewer than five staff members in Wyoming to several hundred in California). The impact of these MFCUs is substantial. According to the OIG, MFCUs recovered approximately $2 billion through combined civil and criminal actions in fiscal year 2025.
While recovery rates vary by state, the aggregate recovery results emphasize why Medicaid program integrity remains a top enforcement priority.
How Are HHS & CMS Enforcing Medicaid Compliance?
Recent actions by the OIG and CMS reflect a more aggressive stance on preventing and holding organizations accountable for Medicaid FWA. Leaders from the Trump administration have criticized underperforming MFCUs and emphasized expectations for stronger investigative outcomes—particularly criminal convictions.1
This criticism has started to translate into action. In early June, the OIG chose not to recertify Hawaii’s MFCU, citing its failure to secure any Medicaid fraud indictments or convictions between 2022 and 2025, despite receiving approximately $3 million annually in federal funding.
In response, Hawaii Attorney General Anne Lopez indicated that the state will pursue reconsideration, emphasizing that fraud enforcement is not limited to prosecutions and noting the unit has achieved over $14 million in judgments, settlements, and recoveries since 2021.2
CMS has complemented the OIG’s focus with direct financial actions of its own. In 2026 alone, the agency has:
- Withheld $1.3 billion in Medicaid funding from California
- Deferred nearly $260 million in payments to Minnesota over unsupported or potentially fraudulent claims
- Expanded scrutiny to other states, including New York and Hawaii
In addition, CMS is deploying off‑cycle provider revalidations, enrollment moratoria for high‑risk provider types, and enhanced data‑driven monitoring tools. Corporate Integrity Agreements (CIAs) mandating intense oversight are another lever to drive accountability. Congressional oversight has also intensified, with the House Energy and Commerce Committee launching or expanding Medicaid fraud investigations across multiple states.
How Should Providers & Health Plans Respond to Medicaid Fraud Enforcement Efforts?
Even organizations that are indirect targets of enforcement initiatives can face significant financial and operational exposure from these efforts. Payments may be suspended, enrollments terminated, or claims recouped due to documentation gaps, missed revalidation deadlines, or administrative oversights, often unrelated to intentional misconduct.
Common risk areas include:
- Coding and billing inaccuracies, which may lead to overpayments
- Insufficient clinical documentation of medical necessity
- Vulnerable enrollment and revalidation controls
- Inadequate tracking and response to regulatory correspondence
A well‑designed and well‑documented compliance program is not only a crucial defensive strategy, but also an essential demonstration of good‑faith stewardship in this environment. Organizations can strengthen their compliance program through strategies including:
- Compliance Program Effectiveness Assessments: Evaluating compliance programs against federal and state expectations, including CMS and OIG guidance, and assessing governance, training, monitoring, auditing, issue management, and corrective action processes.
- FWA & Payment Integrity Reviews: Assessing FWA prevention, detection, investigation, and recovery controls across claims operations, vendor oversight, and data analytics to help identify vulnerabilities before they become enforcement issues.
- Audit & Investigation Readiness: Preparing for MFCU, CMS, and congressional inquiries by strengthening documentation, response protocols, and internal controls so that leadership can demonstrate diligence and accountability with confidence.
- Regulatory Change Monitoring: Tracking legislative and regulatory developments and adjusting compliance program protocols accordingly.
How Forvis Mazars Can Help With Compliance & Medicaid Fraud Enforcement Readiness
Compliance professionals at Forvis Mazars support healthcare organizations at each stage of the compliance and audit‑readiness journey. Our approach is grounded in deep regulatory knowledge, operational realism, and forward‑looking risk management. We help organizations move beyond check‑the‑box compliance to build programs that are effective, sustainable, and defensible under scrutiny.
As federal and state governmental entities intensify their focus on FWA, healthcare organizations that act now may be better positioned to navigate scrutiny and reimbursement shifts and sustain their missions.
If you have questions or would like assistance strengthening your compliance infrastructure and audit-readiness, please reach out to our team today.