Commentary|Podcasts|March 30, 2026

The war on health care fraud, with Shannon Sumner, CPA, CHC, of PYA

Fact checked by: Keith A. Reynolds

PYA's Shannon Sumner, CPA, CHC, breaks down what the federal government's escalating fraud enforcement push means for physician practices.

Health care fraud enforcement recovered more than $6 billion last year. Shannon Sumner, CPA, CHC, expects this year to be even larger.

In this episode, Sumner, managing principal of PYA's Nashville office and the firm's chief compliance officer, explains how enforcement has shifted from targeting large health systems to going after individual physicians and practice leaders. She walks through the highest-risk areas regulators are focused on in 2026, including billing and coding integrity, value-based care arrangements, telehealth documentation and artificial intelligence (AI)-assisted tools, and what practices of every size can do right now to get ahead of it.

Sumner also breaks down what a realistic compliance program looks like for a smaller practice — separating the true must-haves from the nice-to-haves — and explains exactly what to do if an internal audit turns up a potential problem, including when self-disclosure is necessary and when a corrective action plan is enough.

Music Credits:
Soft Morning by Cephas - stock.adobe.com
A Textbook Example by Skip Peck - stock.adobe.com

Editor's note: Episode timestamps and transcript produced using AI tools.

0:00 – 0:22 | Cold open
Sumner previews the episode's central warning: health care fraud recoveries hit a record last year, and 2026 is on track to surpass it.

0:22 – 1:11 | Introduction
Austin Littrell introduces the episode and previews the conversation with Sumner.

1:11 – 2:38 | Meet Shannon Sumner and PYA
Sumner introduces herself and PYA, a top-100 national health care consulting and accounting firm, and describes her background spanning traditional accounting, internal auditing and regulatory compliance.

2:38 – 5:43 | How the enforcement environment is changing in 2026
Sumner explains that enforcement is now analytics-driven — practices get flagged because their data doesn't look like their peers. She walks through the top risk areas: billing and coding integrity, quality reporting and value-based payment errors, Medicare Advantage and risk adjustment, and data privacy and cybersecurity.

5:43 – 7:40 | Where value-based care arrangements create fraud and abuse risk
Sumner identifies the biggest compliance risks in VBC deals — risk adjustment, quality reporting, patient attribution and incentive payments — and urges practices to demand clear contractual definitions, independent access to performance data and thorough legal vetting before signing or renewing any arrangement.

7:40 – 9:42 | Red flags in VBC negotiations — and fixes that don't blow up the deal
Sumner says most deals don't need to be scrapped, just properly vetted. Key fixes include clarifying definitions, adding payment guardrails, requiring data transparency and building in ongoing monitoring. She flags False Claims Act exposure for knowingly inaccurate data submissions and warns that Stark law remains strict liability.

9:42 – 12:36 | Telehealth fraud patterns drawing regulatory attention
Sumner outlines the concerning patterns the OIG is flagging: brief or scripted encounters, improbable utilization, incorrect place-of-service coding and remote prescribing violations. She also stresses HIPAA risks including platforms without business associate agreements and recording sessions without patient authorization.

12:36 – 14:22 | How analytics have changed compliance and what practices should do
Sumner explains that regulators now analyze the full population of claims, not just samples — and practices should be doing the same internally. She recommends building dashboards to track outlier metrics, conducting targeted audits and focusing on the 20% of activity generating 80% of risk.

14:22 – 15:14 | P2 Management Minute
Keith Reynolds shares practice management tips and invites listeners to submit their own workflow ideas.

15:14 – 20:44 | Must-haves vs. nice-to-haves for a compliance program in 2026
Drawing on the OIG's updated General Compliance Program Guidance, Sumner outlines the must-haves for small practices: a designated compliance lead who isn't involved in coding and billing, written policies that match actual workflows, role-specific training, a mechanism to report concerns without retaliation, basic auditing and monitoring, and a corrective action roadmap. Nice-to-haves include third-party compliance assessments every three to five years and advanced analytic tools — though she says the latter is quickly becoming a must-have.

20:44 – 22:29 | What to do when an internal audit finds a problem
Sumner's plan of action: contain the issue immediately, pause billing, locate documentation and seek counsel versed in fraud, waste and abuse before doing anything else. She walks through how to determine whether self-disclosure or an internal corrective action plan is the appropriate response.

22:29 – 24:16 | Where the next wave of enforcement is heading
Sumner points to AI-enabled documentation and coding tools as the next major enforcement frontier and recommends practices form an AI governance committee — even a small one — to inventory tools and assess risk. Third-party vendor risk is another growing area, with business associate agreements and security assessments taking on new importance.

24:16 – 26:38 | The CRUSH initiative and what it means for individual physicians
Sumner explains that enforcement has shifted from large health systems to individual providers, notes that CMS held a "chili cook-off" contest to solicit better fraud-detection analytics, and warns that the government has now put practices on notice: the absence of an effective compliance program is an aggravating factor in enforcement actions.

26:38 – 27:22 | Closing thoughts
Sumner's bottom line: the best compliance programs are operational partners, not paper programs. Practices need to move from reactive to proactive compliance — because prevention is the best medicine.

27:22 – 28:15 | Outro
Littrell thanks listeners and reminds the audience to subscribe and visit MedicalEconomics.com and PhysiciansPractice.com.