CMS is requiring all 50 states to audit Medicaid providers and submit detailed plans to the agency by May 23, with hospital leaders eager to understand both the scope and the limits of what’s being asked.
CMS Administrator Mehmet Oz, MD, sent a letter April 23 to all state Medicaid directors directing them to develop and submit a comprehensive two-year provider revalidation strategy.
The initiative is aimed squarely at home- and community-based services and other non-hospital providers. But the Medicaid crackdown is one of three simultaneous federal actions — fraud enforcement, provider tax restrictions and coverage cuts — reshaping Medicaid finances and causing anxiety for health system leaders.
States must first notify CMS within 10 days of their plans to conduct swift revalidation of “high-risk providers,” then submit the full strategy within 30 days. The initiative follows Dr. Oz’s public announcement of the plan at Politico‘s Health Care Summit April 21.
“We’re asking the states to own that problem … red and blue, all of them,” Dr. Oz said at the event. “If you don’t take it seriously, it indicates to us that we might have to take the audits … more aggressively.”
The push is part of a broader federal effort to eliminate “fraud, waste and abuse” in Medicaid, which has included CMS freezing $260 million in Medicaid funding to Minnesota in February and Dr. Oz sending letters to California, Florida, Maine and New York alleging fraud in their programs.
Are hospitals actually in the crosshairs?
Under Dr. Oz, CMS’ fraud-related messaging and enforcement have largely focused on non-hospital services, including home- and community-based services, durable medical equipment and non-emergency medical transport. That pattern carries through to the current audit initiative.
CMS states in its letter that, regardless of how states define “high risk,” plans must address provider enrollment for providers without a National Provider Identifier. Hospitals generally maintain NPIs and are subject to Medicaid enrollment screening and revalidation requirements, suggesting the initiative is primarily aimed elsewhere.
In a statement shared with Becker’s, the American Hospital Association said, “there is no question that unscrupulous providers that exist solely to defraud the Medicaid program and divert precious resources away from the legitimate and critical work of caring for our nation’s children, elderly, and disabled should be addressed.”
But endorsing the goal is different from knowing what the initiative will require in practice. For hospitals enrolled in both Medicare and Medicaid, a key open question appears to be whether states will need to re-screen providers that federal programs have already vetted.
“It is unclear the extent to which provider revalidation efforts will affect hospitals. State Medicaid programs generally rely on Medicare information for providers who are enrolled in both programs,” Krista Fremming, interim director of medical services at North Dakota HHS, said in an April 29 statement shared with Becker’s. “We have questions into CMS regarding their expectations around revalidation for providers already enrolled with Medicare.”
What states are required to submit — and how are they responding?
The CMS letter to Medicaid directors lays out what states must submit to the agency.
States must first notify CMS within 10 business days of their intent to conduct swift revalidation of high-risk providers, including a proposed timetable. Within 30 days, they must submit a comprehensive two-year “provider revalidation” strategy covering their methodology and timeline for off-cycle revalidation, the metrics they will use to measure progress, their approach for keeping provider data current, how they ensure consistency across fee-for-service and managed care delivery systems, as well as how the Medicaid agency coordinates with law enforcement.
Dr. Oz also sent an accompanying letter to each state’s governor — not just its Medicaid director — underscoring the political dimension of the initiative.
“It is urgent that action be taken immediately to address the rapid increase in fraud, waste, abuse, and corruption in Medicaid and to bar fraudulent actors from further abusing the program,” Dr. Oz wrote in a letter to each state’s governor. “A revalidation process for high-risk providers will immediately deter criminal actors from continuing their fraud schemes as the federal and state governments closely review and scrutinize the qualifications of providers to suspend or terminate clearly abusive actors from the program. States have the ability to designate which providers are high-risk. However, CMS expects that your definition include any provider without a national provider identifier.”
Multiple states — including California, Pennsylvania, Colorado, Ohio, Georgia, North Dakota, and Nebraska — responded to Becker’s requests for comment. Their responses range from full-throated support to careful compliance with pointed caveats about access to care.
California’s Department of Health Care Services said it is reviewing the CMS letters and “share[s] the federal government’s commitment to preventing fraud, waste and abuse,” without committing to specific new actions.
“Most Medi-Cal providers follow the rules, and our established processes help identify and address issues when they arise,” Anthony Cava, a spokesperson for the California Department of Health Care Services, said in an April 30 statement provided to Becker’s. “We will continue working with our federal partners as part of our ongoing efforts to strengthen program integrity and protect access to care for the millions of Californians who rely on Medi-Cal.”
Nebraska was among the most enthusiastic. The state’s Department of Health and Human Services said it “fully supports” the CMS guidance and will “move quickly and collaboratively to meet and exceed these expectations.”
“Governor [Jim] Pillen has made it crystal clear that fraud will not be tolerated in the State of Nebraska,” Nebraska DHHS CEO Steve Corsi said in an April 23 news release. “We support CMS efforts to strengthen accountability and will move quickly and collaboratively to meet and exceed these expectations. Our goal is simple: ensure that every Medicaid dollar is spent on care for Nebraskans who truly need it.”
Georgia’s Department of Community Health announced it is soliciting vendor information for a comprehensive pre-payment and post-payment review operation and has identified applied behavior analysis and structured family caregiving as high-risk service categories.
Effective July 1, Georgia’s DCH proposes new prior authorization requirements, staffing ratio rules and remote supervision standards for ABA therapy providers. Effective Sept. 1, SFC providers would face new caregiver certification and background check requirements, electronic visit verification compliance and registered nurse sign-off on daily notes. The state said change-of-ownership and expansion requests for SFC providers will be accepted beginning October 2026, with new providers accepted starting March 2027.
Ohio’s Department of Medicaid confirmed to Becker’s it received the CMS letter and “plans to meet the 30-day timeline provided,” pointing to existing program integrity efforts including continuous data monitoring, automated claims review systems, provider oversight and coordination across state agencies to identify unusual billing patterns or behavior that may indicate fraud or abuse.
“We work closely with Attorney General Dave Yost and Auditor Keith Faber to safeguard taxpayer dollars and ensure Medicaid services are delivered properly,” a spokesperson for the organization said in an April 29 statement shared with Becker’s. “These partnerships strengthen Ohio’s ability to identify potential fraud, conduct investigations, and take appropriate action when needed.”
Colorado’s Department of Health Care Policy and Financing said it is “developing a comprehensive off-cycle provider revalidation strategy, with an initial focus on higher-risk providers and those without a national provider identifier,” while pledging to minimize disruption and give providers advance notice of new requirements.
“We will continue to partner with CMS to ensure our approach aligns with federal expectations while minimizing disruption where possible. As this work progresses, providers will receive advance notice of any new or updated requirements,” the organization said in a statement to Becker’s. “The Department has multiple safeguards in place to ensure providers are appropriately enrolled, including screening requirements, ongoing monitoring and system-based controls. These efforts are part of a broader program integrity framework focused on preventing fraud, waste, and abuse through coordinated oversight and collaboration with state and federal partners.”
Pennsylvania’s Department of Human Services struck a notably confident tone, noting the state is “currently ranked number one nationally in criminal convictions, and third overall in charges filed for Medicaid fraud.” The department said it is evaluating the federal request and intends to share its process and plans with CMS. “Should further action be necessary, we will work with our enrolled Medicaid providers at that point,” a spokesperson said in a statement shared with Becker’s.
“Pennsylvania is a national leader in this space. Providers in Medicaid are vetted upon application and revalidation, and ongoing monitoring occurs to ensure proper billing for services that are actually provided,” a spokesperson for Pennsylvania’s DHS told Becker’s. “We are proud of our work to protect our public assistance programs and the taxpayer resources that make this possible and continue our work towards this ongoing responsibility every day.”
The nationwide audit initiative arrives alongside a structural reshaping of Medicaid that executives should view in totality. HR1 cut nearly $1 trillion from Medicaid and is projected to result in roughly 10 million people losing coverage by 2034. CMS has also issued guidance tightening limits on provider tax structures that many states have used to draw down federal matching funds, a change that could erode the supplemental payments that hospitals in some states depend on to offset low Medicaid reimbursement rates.
These three forces — fraud enforcement, provider tax limits and coverage cuts — aren’t happening in isolation. Together, they amplify risk. Hospitals losing supplemental payments while treating more uninsured patients face a far steeper financial hit than any single policy would create.
At the Becker's 11th Annual IT + Revenue Cycle Conference: The Future of AI & Digital Health, taking place September 14–17 in Chicago, healthcare executives and digital leaders from across the country will come together to explore how AI, interoperability, cybersecurity, and revenue cycle innovation are transforming care delivery, strengthening financial performance, and driving the next era of digital health. Apply for complimentary registration now.
