CMS releases Medicaid billing data to expand fraud oversight

The Trump administration’s ongoing push to address fraud in government healthcare programs includes the release of a massive data set showing Medicaid billing patterns of individual providers.

With more than 227 million rows of Medicaid fee-for-service and managed-care billing data and roughly 1.8 million national provider identifiers (NPIs), the file shows the NPI for each billing and servicing provider, along with the outpatient or professional HCPCS code and the month in which the service took place.

Each entry also lists the total number of claims, total paid amounts and unique beneficiaries. Rows with fewer than 12 claims have been suppressed to remove low-volume providers.

Data is sourced from CMS’s Transformed Medicaid Statistical Information System (TMSIS), which aggregates information from files submitted by states.

The approach is an open-source concept to give data analysts a chance to spot patterns that merit closer scrutiny by Congress or regulatory agencies, said Amy Gleason, an administrator with the U.S. Department of Government Efficiency (DOGE), which released the file: “Figuring out how to share more data with the public and having other people get involved,” Gleason said during a discussion that was broadcast March 2 as part of the 2026 Virtual Value-Based Payment Summit.

“Using this data set, it would have been possible to easily detect the large-scale autism diagnosis fraud in Minnesota,” DOGE stated last month when the data was released.

However, after being released Feb. 13, the data was offline as of March 3. HHS said the data “is temporarily unavailable while we make improvements,” without stating what specific issues are being addressed. The data appeared to be accessible on Hugging Face, an AI community platform.

What the Medicaid billing data release excludes

Diagnosis codes are not included in the 10 gigabytes of data. Thus, while analysts may be able to spot issues such as upcoding at the provider level, the data is seen as unlikely to uncover fraud pertaining to medical necessity. Another limitation of the data is that it contains only hospital outpatient and professional claims, leaving out inpatient services.

Early analysis also suggests data is incomplete for Medicaid managed care. Data also appears to be missing for 2024, tailing off near the end of the year, according to a published analysis by McDermott.

“Outliers are often appropriate starting points for inquiry,” the analysis states. “However, several frequently cited metrics are insufficient without additional information.”

For instance, the payment per claim metric can be misleading due to differences in billing practices among providers. Or an assessment of year-over-year revenue growth using the data may not account for factors such as business expansion or mergers and acquisitions.

“Public data can surface anomalies, but it cannot substitute for formal investigation,” the analysis states.

A KFF analysis points out that interstate comparisons are difficult using the data because states differ in their coverage policies for the same services, and Medicaid enrollment criteria can differ from one state to the next.

In addition, significant disparities in provider type may not be recognized: “Some of the providers [in the data] are individuals whereas others are group practices, clinics, or even entire county and state health departments.”

Despite the shortcomings of the data, providers should understand the potential implications of the release.

“It increases reputational exposure for providers whose billing patterns may now be publicly scrutinized, regardless of whether those patterns reflect fraud, business growth, coding practices or structural state differences,” the McDermott analysis states.

Other federal actions targeting fraud, waste and abuse

The administration’s focus on healthcare fraud, waste and abuse also recently included a decision to withhold nearly $260 million in federal funding from Minnesota’s Medicaid program, due to concerns about program integrity. In a news release, CMS said nearly $244 million was being denied due to “unsupported or potentially fraudulent Medicaid claims,” while the remainder was related to “claims involving individuals lacking a satisfactory immigration status.”

Much of the fraud concern stems from billing for personal care services (i.e., nonmedical, hands-on care to support daily activities), home- and community-based services, and “other practitioner services,” according to CMS.

The decision to withhold funds came after a Dec. 5 notice in which CMS gave Minnesota until the end of that month to send a corrective action plan. CMS received the plan but rejected it. The state submitted an updated plan in early February, including a proposal to revalidate Medicaid eligibility of providers, but that was not enough to prevent the funding suppression.

This week, Minnesota filed a lawsuit in which it seeks to claim the funds.

“Should Minnesota fail to clean up its significant program integrity vulnerabilities or demonstrate that the expenditures are allowable, CMS may defer more than $1 billion in federal funds over the next year,” the agency stated in its announcement last month.

Medicare enrollment moratorium for DMEPOS suppliers

With respect to Medicare, CMS announced a six-month pause in new enrollment for distributors of durable medical equipment, prosthetics, orthotics and supplies (DMEPOS). The action follows a 2025 crackdown that CMS says prevented more than $1.5 billion in fraudulent DMEPOS billing, and it also comes on the heels of increased documentation requirements announced for DMEPOS in 2026.

“The DMEPOS supplier enrollment moratorium will allow CMS to explore additional safeguards to further mitigate longstanding instances of fraud, waste, and abuse perpetrated by certain DMEPOS companies,” CMS states.

Of note to providers, a related policy states that any provider or supplier for which Medicare participation has been revoked will be listed online with their NPI and the reason for the revocation.

“This additional transparency will allow patients and payers, including private insurers, to understand which providers have been subject to such administrative enforcement action by the government,” CMS states.

Potential regulatory changes under CMS RFI

Another initiative by the administration is a request for information (RFI) about regulatory changes that could be included in an upcoming proposed rule on healthcare fraud, waste and abuse.

One question posed in the RFI is whether there are “ways to modify provider enrollment (including revocation), medical review, investigation, audit, payment suspension, and other program integrity oversight policies to provide CMS with increased authority and flexibility to expeditiously prevent bad actors from engaging in fraud, waste and abuse.”

CMS also posits in the RFI that it may be worth shrinking the one-year claim-filing deadline for high-risk items and services, among them DMEPOS, or for providers that have been identified as high-risk.

Regarding Medicare Advantage, the RFI asks whether AI would be a viable tool for checking diagnoses as part of medical records reviews, and how AI can potentially improve the efficiency and accuracy of hospital billing.

The RFI also asks about ways to tamp down fraud in Medicaid, including approaches to help states identify and address fraud, waste and abuse in supplemental payments such as disproportionate share hospital (DSH) payments.