Mid-Atlantic Health Law TOPICS

Background hero atmospheric image for Provider Audits on the Rise

Provider Audits on the Rise

There has been a rise in audit activity aimed at health care providers, due in no small part to auditors’ access to big data, which allows auditors to analyze more data in less time. It is important, therefore, to understand who the auditors are, the kinds of audits they conduct and why you might be audited, because auditors’ access to and reliance on big data means no health care provider is out of reach.

A. Who are the Auditors?

Auditors fall into one of three categories: (1) private insurance companies; (2) Medicaid contractors; or (3) Medicare contractors. Medicare contractors are third parties contracted by the Centers for Medicare and Medicaid Services (CMS) to identify improper Medicare payments. 

There are five types of Medicare claim review contractors: (a) Medicare administrative contractors (MACs); (b) recovery audit contractors (RACs); (c) zone program integrity contractors (ZPICs); (d) the supplemental medical review contractor (SMRC); and (e) the certified electronic record testing contractor (CERT). 

Medicaid contractors, similar to Medicare contractors, are third parties contracted by CMS to identify overpayments. However, unlike Medicare contractors, Medicaid contractors work in collaboration with the states.

1. MACs

The MACs are responsible for processing and paying Medicare claims and establishing regional policy guidelines, called Local Coverage Determinations. And, because MACs are in the thick of Medicare reimbursement, MACs are also tasked with identifying overpayments. 

Maryland falls into MAC jurisdiction “L,” which means that the MAC responsible for claims submitted by providers in Maryland is Novitas Solutions, Inc.

2. RACs

The RAC program began in 2005 as a CMS demonstration program and has since become permanent. RACs provide additional review of Medicare claims for payment. RACs are paid on a contingency fee basis and are, therefore, highly motivated to identify, and collect, overpayments. 

The United States is divided into four RAC regions. Maryland is included in Region 4, which means Maryland’s RAC is HMS Federal Solutions.

3. ZPICs

ZPICs focus primarily on fraud and abuse, meaning ZPICs are focused on uncovering overpayments that resulted from intentional deviations from normal billing practices.  Therefore, if a provider receives a ZPIC audit request, it is because the provider is the subject of a fraud investigation, or the ZPIC is investigating to determine if a fraud investigation should be opened. 

Since CMS has tasked ZPICs with uncovering fraud, CMS has granted ZPICs broader powers than the other Medicare contractors. ZPICs do not have a “look back” period, meaning ZPICs do not have to limit their review of claims to recent years. ZPICs also have unlimited document requests. And, ZPICs can conduct on-site visits to interview providers’ patients and employees.


The SMRC has the primary task of conducting nationwide medical review as directed by CMS. Medical review is the evaluation of medical records and related documents to determine whether Medicare claims were billed in compliance with coverage, coding, payment and billing practices. CMS has contracted with StrategicHealthSolutions, LLC as the SMRC for the entire United States.    


The CERT program was implemented as a mechanism for CMS to assess whether the MACs are properly paying claims. The CERT program determines the national Medicare fee for service improper payment rate, which is published on an annual basis. 

The national improper payment rate is calculated based on a stratified random sample of Medicare fee for service claims. The claims are reviewed, documentation is collected and reviewed, and, ultimately, the national improper payment rate is calculated, based on the percentage of the claims reviewed that were improperly paid.

6. Medicaid Contractors

The Medicaid Integrity Program created Medicaid Integrity Contractors, which audit claims to identify overpayments. Medicaid contractors work in collaboration with the states because Medicaid is a state-run program. Once a Medicaid contractor identifies an overpayment, it passes the responsibility to collect to the state.

B. What Kinds of Audits?

Auditors engage in either pre-payment review or post-payment review. Pre-payment review means that a provider’s claims are being reviewed prior to payment; whereas, post-payment review means that a provider’s claims are being reviewed after payment. 

Pre-payment review can be incredibly onerous, because all reimbursement for a particular code  for example, 99214 may be delayed by the review process. Because of this, pre-payment review is never random. A provider is placed under pre-payment review based on identified billing errors.

Automated review is the result of a computer-identified billing error that resulted in an overpayment. If a provider is the subject of an automated review, the provider will receive a demand letter in the mail for the amount of the overpayment. And, there is no review of the provider’s medical documentation prior to the issuance of the demand letter.

A complex review, on the other hand, involves a clinical review of the provider’s medical documentation. If a provider is the subject of a complex review, the provider will receive documentation requests in the mail and will be required to supply the requested documentation within a certain time frame.

C. Why Might You Be Audited?

The most common reasons you might be audited include: (1) inadequate documentation, (2) unbundling, (3) upcoding, (4) inappropriate balance billing and (5) the routine waiver of copayments, coinsurance or deductibles.

1. Inadequate Documentation

Inadequate documentation can put a provider at risk of an audit when the documentation does not show that the allowed services: (a) were actually provided; (b) were provided at the level billed or (c) were medically necessary. 

Inadequate documentation can be the product not only of poor provider notes, but also cloning, which is when a provider copies and pastes patient information in an electronic medical record from one date of service to another for the same patient. While cloning is not automatically a problem, it becomes a problem when the cloning results in medical documentation that does not accurately reflect the patient’s condition and the services provided to him or her. 

Similarly, if there is a requirement as a condition of payment, such as a physician signature on an order, and that requirement is missing from the documentation, the provider’s documentation is inadequate and, accordingly, the auditor may conclude that an overpayment has occurred.

2. Unbundling

Unbundling has been defined by the Office of Inspector General (OIG) as “billing for each component of the service instead of billing or using an all-inclusive code.” Similar to inadequate documentation, unbundling is not automatically a problem. 

CMS developed the National Correct Coding Initiative (NCCI) edits to prevent payment when incorrect code combinations are reported. However, modifiers bypass the NCCI edits, such as modifier 59 for “distinct procedural service.” If such a modifier is used inappropriately to bypass the NCCI edits, meaning, the modifier is used when documentation in the medical record does not satisfy the criteria required by that modifier, the result will be an overpayment.

3. Upcoding

A provider upcodes when he or she reports a higher-level service or procedure or a more complex diagnosis, than is supported by medical necessity, medical facts or the provider’s documentation. 

For example, upcoding can occur when a provider bills 99214, but the provider’s documentation only supports 99213. Because billing 99214 results in higher provider reimbursement than billing 99213, if the provider’s documentation does not support the higher level code, an overpayment has occurred.

4. Inappropriate Balance Billing

Balance billing means billing a patient for the difference between the provider’s billed amount and the payer’s allowed amount. 

In Maryland, balance billing is illegal if the patient is: (a) a Medicare beneficiary and the provider is a participating provider or has accepted assignment; (b) a Medicaid beneficiary; or (c) covered by an HMO. Therefore, if a provider balance bills one of the aforementioned types of patients, an auditor may seek to collect the amount balance billed on behalf of the patient.

5. Routine Waivers

The routine waiving of copayments, coinsurance or deductibles can amount to a violation of a provider’s contract with a payer. For example, if the insurance company is responsible for 90% of a $100 bill, and the patient is responsible for the remaining 10%, but the provider routinely waives the patient responsibility, the insurance company may demand a refund on the basis that the insurance company should only be responsible for 90% of $90. 

Therefore, unless good cause exists, such as a patient’s financial distress, for waiving a copayment or deductible, providers should attempt to collect the patient’s responsibility, and should be able to show that reasonable efforts at collection were taken.

D. Conclusion

With auditors now engaging in data mining and predictive modeling, it behooves providers to understand the audit landscape. An understanding of audits and auditors may be a provider’s first line of defense. Of course, the ultimate line of defense is the implementation of a comprehensive compliance plan that includes conducting internal monitoring and auditing.

Barry Rosen
(410) 576-4224 • brosen@gfrlaw.com

A version of this article was published by The Daily Record on February 28, 2018 and March 1, 2018.


September 15, 2017




Rosen, Barry F.


Health Care