Healthcare Compliance Strategies
CMS CRUSH: What Behavioral Health and Mental Health Practices Need to Know Before the Audits Hit
On February 25, 2026, the White House announced a sweeping set of anti-fraud actions across Medicare and Medicaid. The centerpiece is called CRUSH, which stands for Comprehensive Regulations to Uncover Suspicious Healthcare. I want to be direct with you: this is not a distant policy development. If your practice bills Medicare or Medicaid, this affects you now.
The stated philosophy is a formal shift from “pay and chase” to “detect and deploy.” CMS is replacing retrospective recoupment with real-time fraud prevention powered by AI, and the agency has already moved past the announcement phase into active enforcement. The system is built and running.
The “pay and chase” model was the one most providers learned to operate around. Submit the claim, get paid, deal with any audit later. That window has closed.
Why Behavioral Health Practices Are Particularly Exposed
The CRUSH Request for Information explicitly identifies behavioral health services as a high-risk service area, alongside home and community-based services, personal care assistant services, and nonemergency medical transportation. When CMS names your service category in its fraud framework, that is not background noise.
Medicaid agencies have also acknowledged that community-based behavioral health services and services delivered by non-traditional providers present program integrity challenges because of decentralized delivery models and inconsistent oversight. That description fits a significant portion of the mental health and behavioral health practices I work with every day.
Mental health documentation has always carried compliance risk because of how subjective the clinical language tends to be, and because clinicians are trained to document clinical progress, not billing requirements. Those two things are not the same, and AI-powered audit systems will not make that distinction on your behalf.
What the AI Is Actually Looking For
CMS’s advanced analytics can process millions of medical records in real time, flagging invalid attestations, copied diagnoses, mismatched enrollee names, and high volumes of the same procedure code from a single provider. Any of those patterns can trigger immediate review regardless of whether the underlying billing was appropriate.
If your practice uses AI-assisted documentation or coding tools, you need human review of every AI-generated output before it goes on a claim. The shift to AI-driven preemptive denial creates a compliance environment where the greatest risk to a compliant practice is not deliberate fraud. It is collateral damage from automated systems acting on data that looks irregular, even when it is not.
What Has Already Happened
CMS has already revoked billing privileges for 5,586 providers and suppliers and sent 372 fraud referrals covering an estimated $3.7 billion in billing to law enforcement. A Medicare billing revocation does not stay within CMS. It typically triggers exclusion or suspension in state Medicaid programs and can be grounds for termination with commercial payers.
One revocation does not just affect your Medicare volume. It can dismantle your entire payer portfolio.
The Fraud Defense Operations Center launched as a pilot in March 2025 and identified more than $100 million in fraudulent Medicare claims by May of that same year. CMS made it permanent by June 2025 because of how fast it produced results. It uses AI to conduct data-driven analyses proactively, before payment goes out.
What You Should Be Doing Right Now
The practices that come through this enforcement environment without disruption are the ones treating every claim as though it is already under audit. That is not a new standard. It is what compliance has always required, and it is the foundation HPC has built every client engagement on for over 37 years.
Start here.
Your documentation must justify the level of service billed before the claim goes out, not after you receive an audit letter. For mental health providers, that means the session note needs to reflect medical necessity, support the diagnosis, and align with the procedure code. Every time.
Your denial rate tells you where your documentation gaps are. If you are not reviewing it at least monthly, you do not have a clear picture of your exposure.
CMS is currently cross-referencing MAC portal MBI lookups against claims submitted with associated NPIs. A high ratio of lookups without corresponding claims can result in portal access being revoked. Most practices have no idea whether this is in order. Check it.
Your billing team needs to know which service lines CMS has identified as high-risk and run those claims with heightened scrutiny, not standard process.
And if you have not had an independent review of your compliance posture in the last 12 months, that is the first conversation you need to have. Not with your biller. With a revenue cycle partner who understands what an AI audit system is looking for and can tell you whether your documentation would survive one.
Where This Is Heading
Providers who have relied on the old billing rhythm are operating on borrowed time, and CRUSH is not a proposed rule that may or may not materialize. The enforcement infrastructure is already built. The audits are already happening, and behavioral health is in the crosshairs.
Your job is to make sure your practice is not caught in that net.
HPC works with behavioral health and mental health group practices to identify revenue risk before it becomes revenue loss. If you want to know where your practice stands, the conversation starts at hpcbilling.com or 888-517-4992.
Need help applying this?
Talk to a billing specialist who knows your payer mix.
HPC manages the full revenue cycle for medical and mental-health practices across the U.S. Book a call to see what tightening claims, denials, and credentialing could mean for your numbers.
Schedule a meeting