CMS Medicaid Fraud Crackdown 2026: What Hospital Finance Leaders Must Do Now

Three enforcement actions totaling $1.8B signal a shift from "pay and chase" to real-time detection. Your compliance playbook starts here.

On February 25, 2026, the Trump administration announced three simultaneous enforcement actions targeting Medicaid and Medicare fraud: a $259.5 million funding deferral against Minnesota, a six-month nationwide moratorium on DMEPOS supplier enrollment, and a request for information under a new initiative called CRUSH, Comprehensive Regulations to Uncover Suspicious Healthcare. These did not happen in isolation. In 2025 alone, CMS suspended $5.7 billion in suspected fraudulent Medicare payments and sent 372 fraud referrals to law enforcement encompassing $3.7 billion in billing.

If you lead finance at a hospital, health system, or Medicare Advantage plan, the message is not subtle. The enforcement environment has fundamentally changed, and your internal controls need to reflect that reality before CMS data analytics flag your organization.

The Three-Prong Enforcement Action: What CMS Actually Did

The Minnesota deferral is the headline, but the mechanics matter more than the dollar amount. CMS deferred $259.5 million in federal Medicaid matching funds tied to Minnesota's fourth quarter of fiscal year 2025. The deferred amount broke down as $243.8 million for unsupported or potentially fraudulent Medicaid claims and $15.4 million related to claims involving individuals lacking satisfactory immigration status.

CMS cited unusually high spending and rapid growth in three specific service categories: personal care services, home and community-based services, and other practitioner services. These categories are not unique to Minnesota. They represent some of the fastest-growing and hardest-to-audit service lines in Medicaid programs nationwide.

The DMEPOS moratorium is the second enforcement prong and has immediate operational implications for providers. CMS imposed a six-month nationwide moratorium on new Medicare enrollment for certain durable medical equipment, prosthetics, orthotics, and supplies suppliers. This builds on CMS preventing $1.5 billion in suspected fraudulent DMEPOS billing in 2025. Notably, CMS also announced it will publicly publish National Provider Identifiers and reasons for revocation for suppliers whose Medicare billing privileges have been revoked, giving private payers direct visibility into sanctioned entities.

The CRUSH initiative is the forward signal. CMS is soliciting stakeholder input on new regulatory approaches spanning Medicare, Medicaid, CHIP, and ACA marketplace plans. The proposed authorities under consideration include granting CMS power to require Medicare Advantage organizations to impose payment suspensions, expanding fingerprinting and background checks for ownership interests, deploying AI and machine learning for real-time fraud detection in MA and hospital billing, and decreasing the Medicare claims filing deadline from one year to 90 to 180 days for certain services.

The CRUSH comment period closes March 30, 2026. Submitting comments is not optional for finance leaders who want to influence how these rules develop.

The Enforcement Shift Finance Leaders Cannot Ignore

Secretary Kennedy framed the new posture directly: CMS is moving away from a retrospective "pay and chase" model toward a real-time "detect and deploy" strategy using advanced data analytics and artificial intelligence to identify and stop suspicious payments before funds are disbursed.

This is not political theater. The infrastructure to execute this shift already exists. CMS has been building cross-agency data analytics capabilities for years. The 2025 numbers confirm they work: 122,658 Medicare claims denied for failing preliminary approval checks, 5,586 providers and suppliers losing billing privileges, and a CMS-State Tax Fraud partnership now operating in 28 states.

What the Minnesota Case Teaches Every Finance Leader

Minnesota's situation is contested. The state filed a federal lawsuit on March 2, 2026, alleging CMS is unlawfully withholding $243 million in Medicaid payments, and courts will determine whether the enforcement approach exceeded CMS's statutory authority. That legal question is genuinely unresolved.

But set the litigation aside for a moment and look at what CMS flagged: personal care and home and community-based services showing unusually high spending with rapid growth. Those flags did not appear because Minnesota was being targeted politically. They appeared because the data patterns were there, generated by legitimate fraud that federal and state investigators had been working since before the current administration took office.

The fraud investigations in Minnesota involving fraudulent daycare and homecare companies resulted in numerous federal indictments. Providers billed Medicaid for services not rendered, and the fraud ran for years before enforcement caught up. CMS's error, if one exists, may be in the enforcement mechanism, not in identifying that fraud occurred.

For hospital finance leaders, the operational lesson is this: if your organization operates personal care, home health, HCBS, or any community-based service line, your billing patterns are almost certainly visible to CMS's analytics systems. The question is not whether you will be reviewed. The question is what those systems will find when they look.

I covered similar dynamics in Medicare Advantage in January when writing about the Kaiser $556M settlement and what finance leaders should recognize as fraud red flags before DOJ does. The pattern is consistent across both payer and provider contexts: revenue growth disconnected from care delivery is the primary signal that attracts federal scrutiny.

The Service Lines Under the Highest Scrutiny Right Now

CMS has not been subtle about where it is looking. Personal care services, home and community-based services, DMEPOS, laboratory and genetic testing, and other practitioner services are explicitly named in current enforcement actions and the CRUSH request for information.

For hospital systems with employed community health programs, these categories may represent a small percentage of total revenue but a disproportionate share of compliance risk. From my work at UF Health Jacksonville managing the community health division budget, I know how difficult it is to maintain rigorous documentation standards in community-based care settings. The visit volumes are high, the documentation burden falls on field-based staff without consistent supervision, and the billing codes are complex. That combination creates audit exposure even when intent is entirely legitimate.

The CRUSH initiative specifically signals interest in laboratory and genetic testing oversight, including potentially broadening the mandatory Molecular Diagnostic Services Program registration beyond its current 28-state footprint. Finance leaders with lab operations or genetics programs should treat this as a preview of coming requirements.

Your Internal Fraud Prevention Framework: What to Do Now

Compliance programs that existed before this enforcement environment need to be reassessed against a much higher standard. The following framework is not theoretical. It reflects what finance leaders at both payer and provider organizations should be executing right now.

Conduct a billing pattern audit against your own data before CMS does it for you. Pull the service lines that appear in CMS's enforcement language: personal care, HCBS, DMEPOS, lab, other practitioner services. For each, compare your billing volume growth rate against your documented patient census growth. If billing grew faster than census, understand why before someone else asks. This is the same diagnostic framework I described in the revenue cycle management article from January: stop optimizing processes and start diagnosing whether your reimbursement assumptions are based on accurate, documentable activity.

Verify that documentation supports every billed service. This sounds obvious. It is not consistently executed. For community-based and home health programs in particular, verify that visit documentation, time stamps, and service authorization records match billing submissions. The Minnesota fraud involved billing for services not rendered. CMS's analytics are specifically trained to detect when billing volume and service documentation diverge.

Review your DMEPOS supplier relationships immediately. CMS's moratorium applies to new enrollment, but the revocation list and new transparency requirements affect existing relationships. Private payers will now have access to the NPI revocation list, meaning your supply chain relationships with DMEPOS suppliers could affect your payer negotiations and network credibility. Know which suppliers you use and verify their enrollment status is current and clean.

Assess your corrective action plan infrastructure. The Minnesota case reveals a critical operational gap: CMS did not just flag fraud, it required Minnesota to demonstrate a credible corrective action plan. When CMS questions your billing, your ability to respond quickly with documented evidence of systematic controls determines whether this stays a review or escalates to a deferral. If your organization does not have a documented fraud, waste, and abuse response protocol, build one now.

Understand your CRUSH exposure and submit comments. The proposed CRUSH authorities would significantly expand CMS oversight if implemented as outlined. Shorter claims filing deadlines (90 to 180 days instead of 12 months) alone would require operational changes across your billing operations. Finance leaders should read the CRUSH RFI, assess which provisions would materially affect your operations, and submit specific comments before the March 30 deadline. This is how rules get shaped before they are finalized.

The Medicaid Policy Uncertainty Finance Leaders Must Plan For

The enforcement actions are happening against a backdrop of significant Medicaid funding uncertainty. The reconciliation framework moving through Congress proposes substantial Medicaid spending reductions, and the facility fee policy changes create additional revenue pressure on hospital-based outpatient programs. I covered that context in detail in Hospital Facility Fees Under Siege in January.

The combination matters because organizations facing margin pressure sometimes loosen billing controls when revenue is under stress. This is precisely the wrong response in the current enforcement environment. CMS's analytics systems are not going to reduce scrutiny because your margins are compressed.

The finance leaders who navigate this period successfully will be those who treat compliance investment as margin protection, not compliance cost. A $200,000 investment in documentation systems, staff training, and billing audit infrastructure is not overhead. It is risk mitigation against enforcement actions that can dwarf that number by an order of magnitude.

If you are working through Medicaid compliance strategy or scenario planning against the current enforcement environment, I want to hear what you are seeing in your markets. Hit reply and tell me what your compliance team is most concerned about.

A Note on the Political Framing

Reasonable people disagree about whether the Minnesota enforcement approach represents legitimate program integrity action or a politically motivated use of federal funding authority. That legal question will be resolved in court. Minnesota's lawsuit raises genuine due process concerns about how the two enforcement authorities were applied simultaneously, and courts will determine whether CMS exceeded its statutory authority.

Finance leaders do not need to resolve that debate to act on the underlying compliance implications. Medicaid fraud in personal care and HCBS services in Minnesota was real. Federal indictments predate the current administration. And CMS's intent to expand real-time fraud detection across all programs is documented in the CRUSH initiative regardless of which party controls the agency.

Your compliance program needs to be defensible under any administration's enforcement posture. Build it that way.

The most important question for your organization right now is not whether the Minnesota enforcement was appropriate. It is whether your billing patterns in high-scrutiny service lines would hold up under the level of review CMS applied to Minnesota's data. If you cannot answer that question with confidence, you have compliance work to do.

The Financial Sustainability playbook I published in January makes this point from a different angle: incrementalism does not work when the structural environment has shifted. CMS's enforcement posture has shifted structurally, not cyclically. Your compliance infrastructure needs to reflect that.

If your organization is conducting a billing pattern audit or building out corrective action plan infrastructure and you want a framework to start from, reply to this issue and I will share the template I reference in my compliance work.

P.S. Which service line in your organization would you least want CMS's data analytics team reviewing right now, and what is stopping you from auditing it internally first? Reply and tell me. I read every response.