Respond to a Payer Audit

Part 1: Handle private payer audits effectively and limit future risk.

Editor’s Note: This is the first in a series of articles to give you practical advice on how to handle payer audits, minimize your exposure, and limit future audits. This month, we discuss private payer audits. In upcoming months, we’ll cover audits by federal, state, and county government agencies.

If you’re targeted for an audit, protect yourself and your practice. Just as importantly, you should correct any coding, billing, or compliance problems uncovered. Failing to do so will make you the target of future audits, perhaps from other payers. 


What to Do if You Receive an Audit Notification

Step 1: Don’t Panic

Read the notice several times. Do not confuse a Heralding Notice with a Notice of Audit. A Heralding Notice alerts all providers that the payer intends to conduct an audit. It does not necessarily mean they are auditing your practice.

If the reason is not clear, call the payer and ask why they are auditing you. If the payer refuses to explain, place a memo to file noting this.

Tip: Are you already being audited for Healthcare Effectiveness Data and Information Set (HEDIS®), quality assurance (QA), or some other audit? Often, a payer will defer an audit if the practice is already being audited for another reason.

Step 2: Determine the Scope (Focus) of the Audit

Find out the scope of the audit by determining:

  • Is the audit for recovery or fraud?
  • Is it an education or network-wide audit?
  • Is the payer asking for records?

Find out if the payer suspects improper coding or billing. Know also how many claims are involved. There is a difference if the payer revisits 20 claims versus 100. The latter may mean a comprehensive review, with statistical validity that allows extrapolation and a larger recovery. This might suggest the potential for a demand letter requesting recovery of overpaid claims.

Note: For more information on extrapolation, see the accompanying sidebar “Words of Wisdom on Extrapolation.”

Look for medical necessity issues. Without a medical record, it’s difficult for the payer to justify a medical necessity denial or to issue a request for recovery (many states and payers operate under specific rules regarding medical necessity reviews).

Step 3: Notify Parties Appropriately, Depending on Audit Type

Whether you notify your attorney and/or your auditing consultant depends on the type of audit and what is being requested. You do not need to contact your attorney for every medical record request (many of which are HEDIS or other reviews, not claim payment audits).

If possible, find out which of the payer’s departments is performing the audit. If it’s the payer’s Special Investigations Unit (SIU), they most likely want to recover overpayments and to prevent them in the future.

Note: For more information on SIUs, see the accompanying sidebar “Know What You’re Up Against.”

If this is a first notice, and there was no prior request for records, it’s an automated review. This should limit the scope of incorrect billing and coding. If money (repayment) or a large number of records are requested, notify your attorney.

Step 4: Have a Plan for Recovery or Fraud Audits

If the audit is for recovery or fraud, you should:

  • Call your team together
  • Name a project manager (someone experienced with medical records)
  • Assign an experienced person to pull the records
  • Retain an attorney and an expert (outside consultant) to review your coding, billing, and documentation

Step 5: Comply by the Deadline

If the payer requests medical records, you have an obligation to comply (often, within 45 days—check your contract and the Prompt Payment Law for your state). Be sure you pull the correct information. Don’t fail an audit because you didn’t submit the proper records.

Send a copy of the records (not the originals). If you cannot locate a particular record, ask for more time. Send everything requested, but do not be afraid of sending more documentation than requested.

What If a Payer Uncovers Improper Payments?

If an audit leads to a request for recoupment of claims payment, ask for time to review the demand, and then consider these questions:

  • Was the demand letter received within the proper timeframe following the audit?
  • Did the payer provide rationale and justification for the review, and explain how they determined the recovery amount?
  • Did the payer provide an explanation for each claim incorrectly paid or coded?
  • Did the payer explain statistical sampling if they used extrapolation?
  • Did the payer offer a chance to speak to someone prior to submitting an appeal?
  • Did the payer explain how to submit a rebuttal or an informal appeal before the formal one? (We’ll explain more about submitting rebuttals and informal appeals in Part 3 of this series.)
  • Did the payer explain how to appeal the findings?

Have an attorney and a coding/auditing expert on your team. Make sure you understand the issues and, if necessary, ask for clarification.

If, following your review, you believe repayment is required, check your accounts receivable to determine if you have credits that can be used to offset any requests for recovery. Note that sometimes payers are willing to waive some of the overpayments in return for proper coding and billing going forward.

Contesting Payer Findings

Review the report with your auditing and billing experts and identify any items with which you disagree. Notify the payer about these in writing. You may be able to avoid a formal appeal, but first you have to prepare yourself.

Focus on the facts. Do not let emotion or subjective thinking take over. Use authoritative references (citations) to understand the issues. Identify every error the payer made in auditing your claims. You want to determine their error rate, as well as your new (corrected) error rate.

You might consider calling the payer’s medical director if:

  • You know you’re right, based on the rules and authoritative references.
  • The payer is ignoring your explanation.
  • You believe you will win at arbitration.
  • Your doctor (or representative) is relaxed and good on the phone.
  • You are prepared and have the facts handy, including the audit and all of your references.

Minimize Exposure Going Forward

The single best strategy to protect your practice is to audit yourself before someone else does. Here are simple steps to put you on the right path:

  • Retain an expert team to assess your practice. Consider hiring a third party to perform an external chart review.
  • Make sure you’re using appropriate, up-to-date codes and modifiers. Improve your coding if necessary.
  • Make sure documentation supports the level of code submitted. Many physicians are (unpleasantly) surprised by their documentation when they review it.
  • Make sure time spent with the patient is properly documented in the medical record.
  • Make sure the patient’s condition supports the procedures performed and level of complexity billed. Make changes if you do not meet medical necessity criteria. And always remember: The needs of the patient determine the services required and the code billed. Just because you can document a “complex” visit does not mean the patient needed it.

  • Find alternatives to experimental procedures, which are often red flags for payers.
  • Consider how you compare with your peers. Usually, a physician or practice targeted for audit is an “outlier” (e.g., the provider bills a greater-than-average number of high level claims). Are you an outlier? If there is a good reason you are an outlier, document this in a memo to file. For example:
      • A physician might have a subspecialty (an infectious disease physician who runs an HIV clinic).
      • A dermatologist might have a patient population more susceptible to skin cancer than the normal population (elderly fishermen).
      • A physician attached to a Center of Excellence might see many complex referrals.

Tip: Double-check your profile with your payer. A nephrologist shown as an internist will appear to be an outlier when compared to internists, but not when compared to other nephrologists.

Consider also if your practice bills a high dollar amount for the payer. This could be a result of several physicians in the practice or the use of physician extenders. Do you have unique circumstances or multiple offices under one provider or tax ID? Is it just one doctor who bills high dollar amounts? Whatever the case, document it. Meet with payers to explain unusual patterns. Invite the medical director to lunch. Many of them love getting out and meeting their peers.

The Best Defense Is a Great Offense

Prevention is always the best medicine. Avoid red flags such as:

  • Using codes under review by the Office of Inspector General (OIG)
  • Not reviewing your practice against recovery audit contractor issues
  • Abusing codes
  • Aberrant billing patterns
  • Maximizing revenue in spite of insufficient documentation
  • Cutting and pasting documentation from one visit to the next (or one patient to another)
  • Setting electronic health records to a maximum level (this was deemed inappropriate seven years ago)

If you use codes reviewed by the OIG, document why and be prepared to explain your use. If you have a high number of duplicated claims, critical care codes, or prolonged service codes, review your practice. If there are good reasons for this behavior, document this in a memo to file.

If you’re acting imprudently, you’re making yourself a target. Think like a payer and be critical of your own processes. Most importantly, when you find weaknesses, correct them.


Know What You’re Up Against

Private payer audits come in several varieties. Here’s a quick rundown.

  • Post pay: After the claim is paid, the payer requests documentation to support the coding.
  • Prepay: These are usually automated, and you seldom know about them. If the payer requests documentation, they are looking at a specific issue.
  • Automated review: These are computer reviews performed to identify violations in standard rules or edits. The review is usually associated with a very clear and concise policy. The focus is the claim itself. The objective is to ensure the claim meets all of the edits and rules for payment.
  • Comprehensive review: This is a review of the medical record. A certified reviewer must audit the medical record. The payer may apply standard criteria [the Centers for Medicare & Medicaid Services (CMS), InterQual] to determine medical necessity or to validate that the service was provided.
  • Fraud and abuse audit: These audits focus on intentional violation of billing and coding rules (e.g., billing for services not provided).
  • Claim recovery or “administrative review” audit: These focus on improper billing/coding, but without suspicion of fraud.
  • Claim-focused audit: The payer is concerned with a particular type of claim or service, but is not necessarily focusing on your provider/practice.
  • Provider-focused audit: The payer focuses on the provider (your practice). Usually, they are concerned with specific billing and coding behavior.

Private payer audits may originate with a payer’s SIU as part of an effort to target fraud, waste, and abuse. Audits also may be performed by the Claims Recovery Department as part of proper claims management. Or, vendors may perform audits on behalf of the payer.

The rules for private payers vary more than those for government agencies. Research the rules for the particular payer performing the audit. You have some protection under the Prompt Payment Rules (which vary by state), and most payers do their best to follow those rules.


Words of Wisdom on Extrapolation

Extrapolation allows a payer to recover monies from claims that were not originally audited by “computating” the results from the claims. They might audit 100 claims, for instance, but extrapolate the results to 1,000 (or more) claims.

Extrapolation should never be allowed for automated claims. The payer has all of the claims in their system, and extrapolation is not necessary; the payer can perform automated reviews on every claim.

For medical records reviews, extrapolation may be allowed, if the rules are followed. There are many rules regarding extrapolation. Here are just a few:

  • The sample must be unbiased (for the segment).
  • In certain cases, a tiered or stratified sample is required (which means several samples, each for the particular issue, service, or code being reviewed).
  • The sample must be applied to the correct population (not necessarily to all claims).
  • The range and confidence interval should be stated.
  • You should have a statistician or expert review any recovery associated with extrapolation.



Dennis Mihale, M.D., MBA, is CEO of CMG, CMO/medical director for six healthcare technology companies, an assistant professor at USF’s Medical College, and former IBM and McKesson executive. He built two HMOs and several healthcare technology firms serving as CEO or CMO. Mihale is a major in the U.S. Army Reserve – Medical Corps. He is a member of AAPC’s Tampa, Fla., local chapter. His email address is:

Sidney Summers Welch, JD, MPH, is co-chair of the Healthcare, Life Sciences & Technology practice at Kilpatrick Townsend & Stockton, LLP, where she counsels clients on transactional, regulatory, administrative law, and litigation matters on a national basis. Welch earned a master’s in Public Health from George Washington University School of Medicine and Health Sciences and a Juris Doctorate from Samford University. Her email address is:

Jeremy P. Burnette, JD, MA, is an associate at Kilpatrick Townsend & Stockton, LLP and represents healthcare providers in litigation, white collar defense, administrative law, and regulatory matters. He earned a Juris Doctorate from Georgia State University and a Master of Arts in Clinical/Professional Psychology from Marshall University. His email address is:


John Verhovshek, MA, CPC, is Managing Editor at AAPC. He has covered medical coding and billing, healthcare policy, and the business of medicine since 1999. He is an alumnus of York College of Pennsylvania and Clemson University, and a member of the Asheville-Hendersonville AAPC Local Chapter.