I’ve spent 11 years in the trenches—first as a compliance director, now as a defense paralegal. If I hear one more executive tell me their multi-state footprint is "just a billing complexity," I’m going to lose my mind. It isn’t a billing complexity. It is an enforcement multiplier.
State Attorneys General (AGs) and Medicaid Fraud Control Units (MFCUs—the specialized state-level units tasked with investigating and prosecuting provider fraud) have moved past the era of manual, claim-by-claim audits. They are operating in a new, hyper-connected landscape. If you are operating across state lines, you aren't just dealing with local regulators; you are dealing with a national net that is tightening by the day.
The 2024-2025 Enforcement Scale Jump
Between 2024 and 2025, we have seen a tectonic shift in how state regulators prioritize cases. It isn’t just about the volume of claims anymore; it’s about the velocity of detection.
In previous years, an audit notice might arrive six months after a pattern of behavior. Today, through AI-driven detection (using algorithmic pattern recognition to flag billing anomalies in real-time), state agencies are identifying red flags before the payment cycle even closes. This is not "AI" as a magical solution—it is basic, high-speed data processing. When you bill across three states, your patterns are being normalized against the industry standard across all three simultaneously. If your genetic testing volume in Texas looks like an outlier compared to your peers in Florida, the system flags it. Immediately.
The Data Fusion Center Reality
The biggest threat to multi-state providers is cross-agency data consolidation. Historically, state lines acted as walls. An AG in Nevada didn't easily talk to an AG in Georgia. That wall is gone. Through regional Data Fusion Centers, Medicaid agencies, the Department of Justice (DOJ), and the Office of Inspector top compliance strategies 2026 General (OIG) share data lakes. If you receive an investigative inquiry in one state, assume the other states you operate in have already been notified via these inter-agency hubs.
High-Risk Verticals: Where the Crosshairs Are
Regulators are not conducting random audits. They are hunting for specific high-margin, high-volume billing patterns. If your group is involved in these four areas, you are currently being watched:
- Telemedicine: The massive shift to remote care post-COVID-19 has created a goldmine for investigators looking for "ghost" visits or providers billing for patients they’ve never seen. Genetic Testing: This remains the "flavor of the month" for MFCU investigations. High payouts paired with questionable medical necessity requirements are a magnet for federal and state subpoenas. Durable Medical Equipment (DME): If you are shipping back braces or nebulizers across state lines based on questionable referrals, you are inviting a multi-state scrutiny that is very difficult to defend. Wound Care: This is a massive area for "upcoding" (billing for a more complex service than what was performed). Because wound care is often performed in nursing facilities, regulators use data matching to see if your billing matches the facility's census.
The Multi-State Trap
When you operate in multiple states, you have a fragmented compliance profile. You have different state Medicaid manuals, different clinical guidelines, and different state-specific billing rules.
State AG investigations rely on this fragmentation. They look for inconsistencies. If your documentation standards in Ohio are significantly looser than in Kentucky, an https://bizzmarkblog.com/how-to-stress-test-your-compliance-program-moving-beyond-the-paper-exercise/ investigator will use the Ohio records to establish "intent" to defraud in the Kentucky audit. They don't view your practices as separate entities; they view your organization as one massive, centralized target.
Risk Factor Single-State Reality Multi-State Reality Audit Trigger Isolated billing anomaly Cross-state pattern variance Coordination State MFCU only Multi-state fusion center alert Scope of Defense Single jurisdiction law National compliance burden Documentation Local review Peer-to-peer benchmarkingWhat To Do: The First 48 Hours
When that investigative letter hits your desk, stop telling me to "tighten compliance." That is empty advice. Do these things in the first 48 hours to prevent a bad situation from becoming an existential crisis.
Preserve Everything: Do not just "keep records." Issue a formal litigation hold. This includes emails, text messages (yes, those count), and any "internal notes" billing staff made on claims. Identify the Nexus: Determine if the inquiry is from one state or if it is a coordinated effort. Look at the return address and the signature block. Are they citing federal False Claims Act (FCA) statutes? That’s a sign that the feds are involved, not just the state. Audit the "Peer" States: If the inquiry is regarding DME in State A, immediately perform a mock audit of DME billing in States B, C, and D. If the same error exists, identify it now before they come asking. Silence the Staff: Do not let billing teams talk to each other about the letter. Fear leads to gossip, and gossip leads to destroying documents. Send a clear, written instruction that all inquiries go to legal counsel.The Bottom Line
Stop pretending that "nothing is wrong" because you haven't received a letter yet. The MFCU coordination happening right now means that your billing behavior is being analyzed for anomalies 24/7. If you operate across state lines, you have a larger footprint and a larger target.
Don't wait for the subpoena to start looking at your data. Use the same AI-driven detection the government is using to test your own claims. If you find a pattern that looks suspicious to you, it will look like fraud to them. Fix it before they do. That is not "tightening compliance"—that is basic defensive strategy.