Audit Programs

In an effort to reduce fraud, waste, and abuse, the Federal Government is using various audit programs to minimize compliance risk in physician practices. It is vital for physician practices to understand and prepare for external payer audits to ensure that any audit findings are fair and accurate. Below are the key audit programs:

Recovery Audit Contractors (RAC)

The RAC audits were originally a part of a demonstration program under §306 of the Medicare Modernization Act of 2003. Due to the success of the demonstration program in recouping millions of dollars to the Medicare Trust Fund, it was expanded into a permanent nationwide program by §302 of the Tax Relief and Healthcare Act of 2006. The key mission of the RAC audit program is to identify and correct improper Medicare payments (both overpayments and underpayments) and to collect identified overpayments. There are four regional RAC contractors that review claims on a post-payment basis, using data files they receive from CMS for claims processed within their regions.

There are two changes related to the payments to the RACs: they can now be paid up to 20% versus the previous 9% - 12.5% of any identified improper payments and they will not receive any payments until after a provider has passed the second level of appeal of the five level appeal progression.

There are two types of RAC audits:

  1. Automated Reviews are conducted without the review of medical records. The RAC determines if claims have been improperly paid using its proprietary data mining techniques. Each error found in an automated review must be the result of a non-covered service or incorrect application of coding rules. Each error must also be supported by Medicare policy, approved articles, or coding guidance.
  2. Baseline Additional Documentation Request (ADR) Limits: in November 2015, the Centers for Medicare & Medicaid Services modified the ADRs, otherwise known as complex review requests, for the Medicare Fee-for-Service Recovery Audit Program for providers, which became effective January 1, 2016. A baseline annual ADR limit will be established for each provider based on the number of Medicare claims paid out in the previous 12-month period linked with the provider’s six-digit CMS Certification Number (CCN) and the provider’s National Provider Identifier (NPI) number.
    • Baseline annual ADR is 0.5% of the provider’s total number of paid Medicare claims from the previous 12-month period.
    • The ADR notices are sent on a 45 day cycle, which rounds out to be eight times a year. The Recovery Auditors may go more than 45 days between requests but never less than 45 days.
      Example: A provider was reimbursed $106,000 in the previous 12 months. The baseline ADR limit would be 106,000 x 0.005, which equals 530. The ADR cycle limit would be 530/8, which equals 66.25. This would be rounded to 66 ADR per 45 days.

RAC Contractor Regional Coverage

Region 1: Performant Recovery, Inc. (800-927-7667); CT, IN, KY, MA, ME, MI, NH, NY, OH, RI, VT
Region 2: Cotiviti, LLC
Region 3: Cotiviti, LLC; AL, FL, GA, NC, SC, TN, VA, WV, Puerto Rico, U.S. Virgin Islands
Region 4: HMS Federal Solutions; AK, AZ, CA, DE, ID, HI, MD, MT, ND, NJ, NV, OR, PA, SD, UT, WA, WY
Region 5: Performant Recovery, Inc.; DMEPOS and Home Health/Hospice claims

The RACs in Regions 1 - 4 will perform post-payment review to identify and correct Medicare claims that contain improper payments (overpayments or underpayments) that were made under Part A and Part B. The Region 5 RAC will be dedicated to the post-payment review of DMEPOS and Home Health/Hospice claims nationally.

Zone Program Integrity Contractors (ZPIC)

In 1999, CMS developed the Program Safeguard Contractor (PSC) program to support the Medicare Integrity Program, stop fraud, and facilitate provider adherence to CMS payment criteria, as well as conditions of participation in the Medicare program. Currently, CMS is transitioning the PSCs to ZPICs. The ZPIC audit program is considered the top program Medicare uses to initiate a fraud investigation.

ZPICs have the responsibility to:

  • Investigate allegations of fraud, including proactive data analysis results and pre and post-pay medical review for benefit integrity
  • Identify high volume or high cost services that are being widely over-utilized
  • Refer investigations to the Office of Inspector General/Office of Investigations for consideration of civil and criminal prosecution
  • Recommend administrative actions to CMS, such as suspending Medicare payment, identifying and recouping overpayments, pursuing civil monetary penalties, and recommending program exclusions
  • Prevent fraud by identifying program vulnerabilities to CMS
  • Identify where there is a need for a Local Coverage Determination (LCD)
  • Work cooperatively with law enforcement and others to fight fraud and abuse
  • Initiate and maintain networking, education, and outreach activities to ensure effective interaction and exchange of information with internal components as well as outside groups, suppliers, providers, and beneficiaries

The zone contractors have been given more discretion when conducting a review for benefit integrity. When a ZPIC receives an allegation of fraud or identifies a potentially fraudulent situation, it is charged with initiating an investigation to determine the facts and the magnitude of the alleged fraud. A ZPIC also conducts a variety of reviews simultaneously to determine the appropriateness of payments, even when there is no evidence of fraud. Unless otherwise advised by law enforcement, a ZPIC may use one or more of the following investigative methods to determine whether a provider has a pattern of fraud:

  • Review a small sample of claims submitted within recent months
  • Interview a small sample of beneficiaries by telephone to obtain information
  • Identify past reviews by another Medicare contractor concerning comparable violations
  • Perform random validation checks of physician licensure
  • Review original charts for medical necessity
  • Perform an analysis of high frequency/high cost procedures and services
  • Perform an analysis of local patterns or trends against national and regional trends
  • Perform a review of clinical documentation

All audit requests should be taken seriously; however, audits from the ZPIC carry additional concerns and must be addressed timely and appropriately to avoid additional investigations.

Comprehensive Error Rate Testing

CERT contractors are charged with statistically analyzing and establishing error rates for estimates of improper payments by claims randomly selected for review in a specific Medicare region. The goal of the CERT is to identify patterns of payment through reviews to determine which claims were reimbursed inappropriately. Keep in mind, CERT auditors are not required to notify providers of their intention to begin a review, but may issue an additional development request (ADR) to the provider for additional documentation if necessary.

The 2010 CERT study reported that approximately 42% of the error rate was due to payment on claims where the documentation did not support the medical necessity of a service or procedure. Nearly 50% of the error rate was for claims reported as having insufficient documentation to report the service. To avoid risk, it is important to ensure that coding and documentation in the medical record support medical necessity and the appropriate level of care.

Medicare Administrative Contractor

The MAC scope of work includes managing policy and payments related to reimbursement. They use data from other contractors to target improper payment and vulnerabilities as well as reports from the CERT which have identified problems in a specific region. MACs have the ability to perform medical reviews for all claims, at their discretion, and will do so by issuing an ADR to the provider through the form of a service specific probe.

It is important to understand, if the requested documentation is not submitted, the MAC will make a determination that the claim is invalid and will not be paid. If the documentation is submitted, it is reviewed for the appropriateness to bill the code in question, and will be paid only if the documentation supports the billed code. Usually, the results of a MAC review are forwarded to the providers, with the overall results of the review released on the MAC website at the conclusion of the review.

Commercial Insurance Audits

Commercial insurance carriers also have diverse ways of determining how claims are selected for audit, and for what reasons. In some cases, when billing anomalies are detected for a provider, the claim information is usually forwarded to a third party to conduct a documentation audit.

The third party contractors vary but it is important to know that the audit processes used by these companies are similar to Medicare audit structure.

With the increased scrutiny of clinical documentation and medical necessity through audits, it is important for physicians and their staff to ensure the billing and documentation in the practice is consistent with nationally recognized coding principles and guidelines as well as payers’ medical payment policies.

For more information on how to respond to an audit request or conduct an internal self-audit, contact ACR's practice management staff at
