Audit Programs

In an effort to reduce fraud, waste and abuse, the Federal government is using various audit programs to minimize compliance risk in physician practices. It is vital for physician practices to understand and prepare for external payer audits to ensure that any audit findings are fair and accurate. Below are the key audit programs:

Recovery Audit Contractors (RAC)

The RAC audits were originally a part of a demonstration program under §306 of the Medicare Modernization Act of 2003. Due to the success of the demonstration program in recouping millions of dollars to the Medicare Trust Fund, it was expanded into a permanent nationwide program by §302 of the Tax Relief and Healthcare Act of 2006. The key mission of the RACs audit program is to identify and correct improper Medicare payments (both overpayments and underpayments) and to collect identified overpayments.

There are four regional RAC contractors that review claims on a post-payment basis from data files they receive from CMS claims processed within its region. The RACs are paid based on a contingency fee between 9 and 12.5% of any identified improper payments and are required to report any potential fraud to CMS and potential quality issues to the Quality Improvement Organizations (QIOs).

There are three different types of RAC audits:

  1. Automated reviews are conducted without the review of medical records. The RAC determines if claims have been improperly paid using its proprietary data mining techniques. Each error found in an automated review must be the result of a non-covered service or incorrect application of coding rules. Each error must also be supported by Medicare policy, approved articles or coding guidance.
  2. Complex reviews require the review of a provider’s health record. Claims subject to a complex review are first identified as having a high probability of error based on the RAC’s data mining methodologies. It is important to know that there are limits regarding the number of records a RAC can request from providers per 45-day period based on the type and size of an organization.
    • Less than 5: 10 medical records per 45 days per group taxpayer identification number
    • 6-24: 25 medical records per 45 days per group taxpayer identification number
    • 25-49: 40 medical records per 45 days per group taxpayer identification number
    • 50 or more: 50 medical records per 45 days per group taxpayer identification number
    • RACs must implement the look-back date of three years
    • RACs cannot review claims prior to October 1, 2007
  3. Semi-automated reviews usually begin as an automated reviews, and progress to the level of complex review based on other problems with the claims in the view of the RAC contractor. Unlike complex reviews, there is no limit to the number of records that can be requested under the semi-automated review process.
RAC Contractor Regional Coverage
Region A: Diversified Collection Services (DCS) (866-201-0580) Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island and Vermont
Region B: CGI Technologies and Solutions, Inc. (CGI) (877-316-7222) Illinois, Indiana, Kentucky, Michigan, Minnesota, Ohio, and Wisconsin
Region C: Connolly Consulting Associates, Inc. (866-360-2507) Alabama, Arkansas, Colorado, Florida, Georgia, Louisiana, Mississippi, New Mexico, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia, and West Virginia
Region D: Health Data Insights, Inc. (HDI) (866-376-2319) Alaska, Arizona, California, Hawaii, Idaho, Iowa, Kansas, Missouri, Montana, Nebraska, Nevada, North Dakota, Oregon, South Dakota, Utah, Washington, and Wyoming

Zone Integrity Program Contractors (ZPIC)

In 1999, CMS developed the Program Safeguard Contractor (PSC) program to support the Medicare Integrity Program, stop fraud and facilitate provider adherence to CMS payment criteria, as well as conditions of participation in the Medicare program. Currently, CMS is transitioning the PSCs to ZPICs. The ZPIC audit program is considered the top program Medicare uses to initiative a fraud investigation.

ZPICS have the responsibility to:

  • Investigate allegations of fraud, including proactive data analysis results and pre- and post-pay medical review for benefit integrity
  • Identify high volume or high cost services that are being widely over-utilized.
  • Refer investigations to the Office of Inspector General/Office of Investigations for consideration of civil and criminal prosecution
  • Recommend administrative actions to CMS, such as suspending Medicare payment, identifying and recouping overpayments, pursuing civil monetary penalties and recommending program exclusions
  • Prevent fraud by identifying program vulnerabilities to CMS
  • Identify where there is a need for a Local Coverage Determination (LCD)
  • Work cooperatively with law enforcement and others to fight fraud and abuse.
  • Initiate and maintain networking, education and outreach activities to ensure effective interaction and exchange of information with internal components as well as outside groups, suppliers, providers and beneficiaries

The zone contractors have been given more discretion when conducting a review for the benefit of integrity. When a ZPIC receives an allegation of fraud or identifies a potentially fraudulent situation, it is charged with initiating an investigation to determine the facts and the magnitude of the alleged fraud. A ZPIC also conducts a variety of reviews simultaneously to determine the appropriateness of payments, even when there is no evidence of fraud. Unless otherwise advised by law enforcement, a ZPIC may use one or more of the following investigative methods to determine whether a provider has a pattern of fraud:

  • Review a small sample of claims submitted within recent months
  • Interview by a small sample of beneficiaries by telephone to obtain information
  • Identify past reviews by another Medicare contractor concerning comparable violations
  • Perform random validation checks of physician licensure.
  • Review original charts for medical necessity.
  • Perform an analysis of high frequency/high cost procedures and services
  • Perform an analysis of local patterns or trends against national and regional trends.
  • Perform a review of clinical documentation

All audit requests should be taken seriously; however, audits from the ZPIC carry additional concerns and must be addressed timely and appropriately to avoid additional investigations.

Comprehensive Error Rate Testing

CERT contractors are charged with statistically analyzing and establishing error rates for estimates of improper payments by claims randomly selected for review in a specific Medicare region. The goal of the CERT is to identify patterns of payment through reviews to determine which claims were reimbursed inappropriately. Keep in mind, CERT auditors are not required to notify providers of their intention to begin a review, but may issue an additional development request (ADR) to the provider for additional documentation if necessary.

The 2010 CERT study reported that approximately 42% of the error rate was due to payment on claims where the documentation did not support the medical necessity of a service or procedure. Nearly 50% of the error rate was for claims reported as having insufficient documentation to report the service. To avoid risk, it is important to ensure that coding and documentation in the medical record support medical necessity and the appropriate level of care.

Medicare Administrative Contractor

The MAC scope of work includes managing policy and payments related to reimbursement. They use data from other contractors to target improper payment and vulnerabilities as well as reports from the CERT which have identified problems in a specific region. MACs have the ability to perform medical reviews for all claims, at their discretion, and will do so by issuing an ADR to the provider through the form of a service specific probe.

It is important to understand, if the requested documentation is not submitted, the MAC will make a determination that the claim is invalid and will not be paid. If the documentation is submitted, it is reviewed for the appropriateness to bill the code in question, and will be paid only if the documentation supports the billed code. Usually, the results of a MAC review are forwarded to the providers, with the overall results of the review released on the MAC website at the conclusion of the review.

Commercial Insurance Audits

Commercial insurance carriers also have diverse ways of determining how claims are selected for audit, and for what reasons. In some cases, when billing anomalies are detected for a provider, the claim information is usually forwarded to a third party to conduct a documentation audit.

The third party contractors vary but it is important to know that the audit processes used by these companies are similar to Medicare audit structure.

With the increased scrutiny of clinical documentation and medical necessity through audits, it is important for physicians and their staff to ensure the billing and documentation in the practice is consistent with nationally recognized coding principles and guidelines as wells as payers’ medical payment policies.


For more information on how to respond to an audit request or conduct an internal self-audit, contact the practice management department at practice@rheumatology.org