What Is DME Compliance? How to Build a Program That Actually Works in 2026

 

If you've searched for a plain-language explanation of DME compliance, you've probably found content written for compliance officers at large health systems, not for the owner of a 10-person DME operation who handles billing, intake, and vendor relationships on the same day.

This post is for you.

DME compliance is the set of practices, documentation standards, and billing processes that keep your business aligned with Medicare and Medicaid requirements. Done well, it protects your revenue, keeps your enrollment active, and gives you a defensible record if an auditor comes knocking. Done poorly, or ignored entirely, it's how suppliers end up with recoupment demands, enrollment holds, or revocations they didn't see coming.

In 2026, getting this right matters more than it has in years. CMS has expanded its required prior authorization list to 74 codes, finalized a new annual reaccreditation requirement, extended stay-of-enrollment to new scenarios, and imposed a nationwide enrollment moratorium on certain supplier types. The regulatory environment is tighter, and the margin for documentation error is shrinking.

Here's what DME compliance actually covers, and how to build a program that works even if you don't have a dedicated compliance team.

 

What DME Compliance Actually Covers

DME compliance isn't one thing. It's a combination of four overlapping areas:

1. Documentation compliance
Every covered item you supply must be backed by a valid physician order, supporting clinical documentation, and proof of medical necessity. For items on the DMEPOS Master List (which CMS expanded in April 2026 to include 18 additional HCPCS codes), you must also have face-to-face encounter documentation and a written order prior to delivery on file. For a full breakdown of what Medicare requires by item type, see our guide to Medicare DME documentation requirements.

2. Billing accuracy
Submitting a claim for equipment that doesn't match the clinical record, missing a required modifier, or billing a code without a valid prior authorization are all compliance failures, even if they weren't intentional. Medicare's automated claim review flags these patterns quickly.

3. Enrollment and accreditation maintenance
Staying enrolled as a DMEPOS supplier requires active accreditation, timely responses to CMS development requests, and prompt updates when your business changes. Under new 2026 rules, reaccreditation is required annually (down from every three years). Suppliers who fail to respond to a revalidation or change request within 30 days now face stay-of-enrollment, a pause on enrollment that disrupts billing operations.

4. Audit readiness
CMS runs multiple audit programs targeting DME suppliers: RAC audits, TPE (Targeted Probe and Educate) reviews, and prepayment reviews. Being audit-ready means your documentation is complete, organized, and retrievable before a request arrives, not scrambled together after one does.

 

Why 2026 Raises the Stakes

The spring 2026 CMS policy cycle brought several significant changes that directly affect small and midsize DME suppliers:

Prior authorization expanded to 74 codes. As of April 13, 2026, CMS added 7 more HCPCS codes to the required prior authorization list, including certain orthoses and pneumatic compression devices. Prior authorization is now a condition of payment for 74 codes. There is no grace period. Claims submitted without a valid prior auth for covered codes face automatic denial.

Annual reaccreditation is now required. CMS finalized a rule requiring DMEPOS suppliers to be resurveyed every 12 months, down from every 36 months. If you were already on a 3-year accreditation cycle before January 1, 2026, you will transition to annual reaccreditation when your current cycle expires, not immediately. Suppliers obtaining initial accreditation on or after January 1, 2026 must comply with the annual cycle from the start. This change materially increases the compliance calendar every supplier needs to manage going forward.

Stay-of-enrollment has new triggers. Starting May 18, 2026, CMS is applying stay-of-enrollment when suppliers fail to respond to development requests during revalidations or information changes within 30 days. Stay-of-enrollment pauses your enrollment for up to 60 days. For a small supplier, that's a billing interruption you may not recover from quickly.

A nationwide enrollment moratorium is in effect. CMS imposed a 6-month moratorium on new Medicare enrollment for DMEPOS medical supply companies starting February 27, 2026, covering all states, territories, and DC. The moratorium applies to seven defined categories of medical supply companies seeking new enrollment, including non-exempt changes in majority ownership. If your business falls into one of these categories and you are planning a new enrollment or an ownership change, get compliance guidance before you act.

None of these changes require you to become a compliance expert overnight. But they do require you to have systems in place, because a 30-day response window closes fast when you're short-staffed.

 

The Core Elements of a DME Compliance Program

A functional compliance program for a small or midsize DME supplier doesn't have to be complicated. It needs to cover five areas:

1. A documentation checklist by item category
For each category you bill (CGMs, power wheelchairs, respiratory equipment, orthoses), you need a clear list of what documentation is required before you submit a claim. This includes the physician order, proof of medical necessity, face-to-face documentation if required, and any item-specific DMEPOS Master List requirements.

2. A prior authorization workflow
If you bill any of the 74 codes now requiring prior auth, you need a workflow, not just awareness. This means someone is checking prior auth status before delivery, not after the claim is already submitted.

3. An audit response protocol
When a TPE probe, RAC demand letter, or prepayment review arrives, you need to know who handles it, where your records are, and what the response deadline is. The suppliers who fare best in audits are the ones who can respond quickly with complete documentation.

4. An accreditation and enrollment calendar
Track your next reaccreditation date, your revalidation window, and any pending information change requests. Under the new 12-month reaccreditation cycle, missing a deadline is a material compliance failure.

5. A process for staying current on CMS changes
Policy changes like the ones above don't always come with advance notice. Subscribing to AAHomecare alerts, following HME News, and building a regular review of the CMS DMEPOS center into your workflow keeps you from finding out about changes after they've already affected a claim.

 

How Technology Helps and Where It Falls Short

Some suppliers use documentation management software or billing platforms with built-in compliance checks. These tools can flag missing fields, alert you to prior auth requirements, and help organize records for audit response. When CMS oversight is running at the level it is in 2026, tools that automate documentation review before claim submission reduce the margin for error.

What technology can't replace is the judgment and follow-through of someone who owns the compliance function in your business: you, a billing manager, or an outside consultant. Technology is a guardrail, not a compliance program by itself.

 

Frequently Asked Questions

What is DME compliance?

DME compliance refers to the documentation, billing, enrollment, and audit-readiness practices that DMEPOS suppliers must follow to remain in good standing with Medicare and Medicaid. It includes maintaining accurate medical necessity documentation, submitting claims correctly, staying enrolled and accredited, and being able to respond to audits.

 

What are the most common DME compliance failures?

The most common compliance failures for small and midsize DME suppliers are incomplete documentation (missing physician orders, no proof of medical necessity, or face-to-face encounter requirements not met), billing codes without valid prior authorizations, and missed responses to CMS development or revalidation requests.

What is a DME compliance program?

A DME compliance program is the set of internal policies, checklists, workflows, and training that a DMEPOS supplier uses to ensure consistent, audit-ready documentation and billing. At minimum, it should cover documentation standards by product category, a prior authorization workflow, an audit response protocol, and an enrollment calendar.

How many DME codes require prior authorization in 2026?

As of April 13, 2026, CMS requires prior authorization for 74 HCPCS codes. Prior authorization is a condition of payment for these items. Claims submitted without a valid prior auth will be automatically denied.

How often do DMEPOS suppliers need to be reaccredited?

CMS finalized a rule effective January 1, 2026 requiring DMEPOS suppliers to be resurveyed and reaccredited every 12 months, down from the previous 36-month cycle. Suppliers already on a 3-year cycle before the effective date will transition to annual reaccreditation when their current cycle expires. Suppliers obtaining initial accreditation on or after January 1, 2026 must meet the annual cycle immediately.

What should a DME compliance checklist include?

A DME compliance checklist should cover the documentation required for each product category you bill, the prior authorization status for any of the 74 required codes, face-to-face encounter and written order requirements for items on the DMEPOS Master List, your accreditation renewal date, and any open CMS development requests or revalidation deadlines. The checklist should be reviewed before a claim is submitted, not after a denial is received.

What is DME audit readiness?

DME audit readiness means your documentation is complete, organized, and retrievable before a Medicare audit request arrives. This includes having valid physician orders, proof of medical necessity, prior authorization approvals where required, and face-to-face encounter notes on file for applicable items. Audit-ready suppliers can respond to a RAC or TPE request within the required timeframe without scrambling to reconstruct records.

 

You Don't Need a Compliance Department. You Need a System.

Most small and midsize DME suppliers aren't staffed for compliance the way a large health system is. But that doesn't mean compliance is optional. It has to be built into how you operate day to day.

Start with your documentation checklists. Add a prior authorization workflow. Build your audit response protocol before an audit arrives. And make sure someone in your organization knows when your reaccreditation is due.

CompliantRx is built to take the manual work out of documentation compliance, flagging gaps before claims go out and not after they come back denied.

Request a demo to see how CompliantRx works.