Among different types of medical audits, the auditor’s role remains the same: review healthcare providers’ policies and procedures to ensure compliance with federal, state, and payer regulations. But questions arise due to the assortment of auditing methodologies and the many requirements that define compliant billing activity.

To help fill in the gaps of medical chart review knowledge, here are answers to the most common medical auditing questions asked by both seasoned medical coders accustomed to conducting audits and students preparing for the certification exam. This page is a resource to provide a better understanding of the healthcare auditing landscape.

What Is a Medical Chart Review?

A medical chart review, also referred to as a chart audit, is an examination of medical records to determine what procedures or services were performed. From this, the auditor determines if the documentation is compliant, if the claim is coded correctly, and if all charges are captured.

What Are Common Billing and Coding Errors to Include in an Audit?

A medical audit can reveal unexpected errors hidden in the medical record, such as services not provided, services billed under the wrong provider, services not ordered by a licensed professional, wrong procedures and diagnoses reported, and other coding and billing errors.

10 Common Billing Errors

1. Duplicate claim submission: Claims often are denied because the claim was previously processed (for instance, no payment was made on the initial claim). If the provider mistakenly refiles the claim to “correct” it, the second claim submitted is a duplicate. The initial claim was processed correctly but hadn’t been paid in 30 days.

2. Undocumented services: An effective audit will identify instances where codes are billed without supporting documentation. When a private payer, Medicare, or Medicaid requests written proof of billed charges, the provider must substantiate the services. Examples of missing documentation can range from laboratory results and imaging reports to problem lists and medications.

3. Noncovered services: Billing for services not covered by the payer is an error commonly found during both internal audits and external audits. Staying up to date on exclusion policies by checking with payers is important. For Medicare, most contractors will post policy changes with effective dates on their websites.

4. Medical necessity not established: This issue occurs when the payer deems the billed services as not medically necessary. The auditor should check the particular carrier's list of covered diagnoses for a specific service.

5. Inappropriate unbundling of services: Unbundling entails billing multiple procedure codes that are covered by a single CPT^® code or HCPCS Level II code. Providers and medical coders should not divide components of a procedure into separate codes when one code covers all components. Payer’s edits, such as Medicare’s National Correct Coding Initiative (NCCI) edits, list which codes may be billed separately on the same date of service (DOS), as well as the appropriate modifiers to use in those situations.

6. Beneficiary eligibility: Claims are often denied for eligibility because the beneficiary number is invalid on the claim, the beneficiary is not eligible to receive benefits, or the beneficiary’s claims must be filed with another insurance plan.

7. Incorrect carrier: Claims with this error were submitted to the incorrect payer/contractor for payment. It’s important to screen patients and be aware of the types of services provided prior to submitting a claim to the carrier. The patient’s identification number, such as the Medicare Beneficiary Identifier (MBI), should be correct and verified on the insurance card.

8. Medicare is the secondary payer: The care of a Medicare patient may be covered by another payer through coordination of benefits. Medicare may be the secondary payer, for example, when the Medicare patient is employed full- or part-time and covered under an employer group health plan.

9. Incorrect diagnosis: Services with an incorrect diagnosis error are denied because the diagnosis listed as primary was not a covered diagnosis for the procedures performed.

10. Modifier error: A modifier error means that the modifier necessary to process the claim is missing, incomplete, or invalid (based on the procedure and diagnosis indicated on the claim form). Misuse and abuse of modifiers is under Office of Inspector General (OIG) scrutiny and can result in penalties. It is essential to know how to apply CPT^® and HCPCS Level II modifiers for the specific condition or situation.

Why Is Medical Necessity Important?

The American Medical Association (AMA) defines medical necessity as “health care services or products that a prudent physician would provide to a patient for the purpose of preventing, diagnosing, or treating an illness, injury, disease, or its symptoms in a manner that is: (a) in accordance with generally accepted standards of medical practice; (b) clinically appropriate in terms of type, frequency, extent, site, and duration; and (c) not primarily for the economic benefit of the health plans and purchasers or for the convenience of the patient, treating physician, or other health care provider.”

The Centers for Medicare & Medicaid Services (CMS) relies on the Social Security Act (Title XVIII of the Social Security Act, Section 1862 [a] [1] [a]) for its understanding of “medical necessity.” That part of the law states “no payment may be made under [Medicare] part A or part B for any expenses incurred for items or services which … are not reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body member.” Other payers may take a similar approach.

If Medicare or other payers determine services were medically unnecessary after payment was issued, they will demand a refund of the overpayment with interest. Should payers find a pattern of overpayment, the physician may face monetary penalties, exclusion from the Medicare/payer program, and even criminal prosecution.

How Is Medical Necessity Established?

Diagnosis codes identify the medical necessity of services provided by describing the circumstances of the patient’s condition. Most payers use claim edits or automatic denial/review commands within their computer software to review claims. These edits ensure that payment is made for specific procedure codes when provided to a patient with a specific diagnosis code or range of ICD-10-CM codes.

Medical Coding Steps to Demonstrate Medical Necessity

1. List the principal diagnosis, condition, problem, or other reason for the medical service or procedure.

2. Assign the code to the highest level of specificity.

3. For office and/or outpatient services, never use a rule-out statement (a suspected but not confirmed diagnosis) for code selection. If no definitive diagnosis is yet determined, code symptoms and/or signs instead of using rule-out statements.

4. Be specific in describing the patient’s condition, illness, or disease.

5. Distinguish between acute and chronic conditions, when appropriate.

6. Identify the acute condition of an emergency situation (for example, coma, loss of consciousness, or hemorrhage).

7. Identify chronic complaints or secondary diagnoses only when treatment is provided or when they affect the overall management of the patient’s care.

8. Identify how injuries occur, including place of occurrence, if appropriate.

What Are Medically Unlikely Edits (MUEs)?

CMS developed Medically Unlikely Edits (MUEs) to help reduce the paid claims error rate for Medicare Part B claims. MUEs define the maximum units of service that a provider would report, under most circumstances, for a single beneficiary, on a single DOS, for a specific CPT^® or HCPCS Level II code.

What Is the Difference Between a Medical Coding Audit and a Medical Billing Audit?

A medical billing audit, sometimes referred to as a revenue cycle management (RCM) audit, covers broader areas than the medical coding audit. Designed to optimize RCM performance, the billing audit includes a medical record audit, as well as an evaluation of the entire billing cycle — from copay collection processes and insurance verification to claim submissions, payment posting, follow up, and denials and appeals processes.

Is an Internal Audit Better Than an External Audit?

Relying on both internal and external audits is the gold standard in the highly regulated, highly scrutinized healthcare industry.

A strong internal chart auditing program will detect insufficient documentation and improper coding, making it easier for healthcare organizations to resolve areas of noncompliance and capture missed revenue. An external audit, on the other hand, delivers invaluable objectivity.

Whether a healthcare organization is hospice, a home health agency, a solo physician practice, or a large university medical center, it can benefit from another set of eyes to help see what may be broken. Without auditing services from an objective partner — experts who live and breathe healthcare auditing — a healthcare organization is consigning their business to the status quo. And as third-party audits confirm, the status quo is likely to conceal risk.

What Is an Acceptable Pass Rate for Medical Audits?

Healthcare organizations commonly hold themselves to a minimum of 90 percent coding accuracy for most audit types. But when setting pass rate thresholds, it’s important to understand how to measure audits and the impact pass rates will have on the organization. For example, when discussing corporate integrity agreements (CIAs), the OIG states that a full sample size is only required and a systems review must be conducted if the net financial error rate of the discovery sample equals or exceeds 5 percent.

What Is the Difference Between Medical Auditing and Monitoring?

Auditing is the process of examining the medical record, verifying information, and gathering baseline information to identify risk areas. Monitoring is the ongoing process of reviewing coding practices and the adequacy of the documentation and code selection. Monitoring should be conducted regularly and include activities such as auditing, reviewing utilization patterns, reviewing computerized reports, and reviewing reimbursement. A monitoring system is usually implemented based on findings from the baseline audit.

What Is the Difference Between a Focused Audit and a Random Audit?

A focused audit looks at one item, one type of service, one provider, or one coder. A random audit reviews medical records chosen by chance to determine a healthcare organization’s compliance and possible liabilities.

Before beginning an audit, the auditor will need to determine if they are going to complete a focused audit or a random audit. The decision helps to determine what will be audited, as well as the sample size.

A focused audit may concentrate on one type of service to determine compliance, such as new patient visits, established patient visits, consultations, or nursing home visits. If a healthcare organization employs nonphysician practitioners, it's a good idea to conduct an audit to verify compliance with incident-to rules.

Random audits make excellent baseline audits. They look at all possible services provided within a specific timeframe and often identify areas for potential education and future focused audits to determine the effectiveness of the education.

What Types of Healthcare Audits Are Most Common?

Types of healthcare audits, in addition to random audits and focused audits, include:

• Retrospective audits: This is the most common audit method, and charts can be selected based on utilization or frequency. Retrospective audits examine medical record documentation after the provider has submitted the claim to the insurance carrier and payment is received. A report generated within the billing system typically identifies the claim sample for a retrospective audit. The auditor will review the billing record (charge ticket or superbill), the Remittance Advice/Explanation of Benefits, and the medical record documentation, along with other supporting documentation. A retrospective audit could lead to refunding payment or partial payment to the insurance carrier.

• Aggregate analyses: An aggregate analysis is valuable to compare data using a defined data set. By comparing coding data among providers, both within a practice as well as from another practice of the same specialty, the organization can identify areas of concern, such as undercoding and upcoding trends or utilization frequency.

• Rebuttal audit: In less common cases, a rebuttal audit is conducted in response to a payer audit with the objective of validating or refuting the conclusions of the payer. The work in a rebuttal audit is centered around determining whether the appropriate binding standards were applied correctly, or whether the information provided to the payer was complete and properly interpreted.

What Is Statistical Sampling?

A statistically valid sample uses scientific sampling methods to ensure that audit results from the medical chart sample reflect all claims submitted to or processed by payers.

One type of statistical sampling is proportional sampling. The sample is built around high frequency items or items considered proportionally significant. This could, for example, involve frequently billed CPT^® or HCPCS Level II codes with the highest dollar charge.

Another statistical method of sampling is known as numerical sampling. The sample size is based on all possible services within a determined period. This type of sample lends itself to a random final selection. During a simple random selection, all items in the total sample have an equal chance of selection in the audit. Random number generators can be found on the internet to provide a random selection process.

An example of nonstatistical sampling, also called judgmental sampling, can be applied to a focused audit. The sample is based on unique services defined in the objective and scope. This type of sampling could be used if the audit is being performed to look only at high levels of service. For instance, only the level 4 and 5 evaluation and management (E/M) visits would be included in the sample, and the selection would be made from that sample.

What Tools Do Medical Auditors Need?

The tools needed to perform a successful audit will depend on the type and scope of the audit. An array of healthcare auditing resources provides auditors with details needed to assess reporting accuracy.

1. Electronic audit tools: While electronic audit tools can do a great deal of work for auditors, a knowledge of auditing is a must. Electronic tools can’t determine medical necessity of services. The auditor will need to apply their knowledge of medical necessity while working in the tool. This will be especially important when auditing E/M codes.

2. Code books: Access to current CPT^®, ICD-10-CM, and HCPCS Level II code books is a must when auditing. Coding books are essential for coding and documentation review. The guidelines should be referred to often to ensure proper application of codes. Auditors also may use software and online medical coding tools that provide complete code sets with official guidelines

3. NCCI edits: If the audit contains claims with multiple CPT^® and HCPCS Level II codes billed for one DOS, the auditor should reference payer edits, such as Medicare NCCI edits. The NCCI manual can also help the auditor spot bundling errors and modifier issues.
   
   Modifier 59 Distinct procedural service, for example, has long been under audit scrutiny, which is why medical coders should review coding guidelines and Medicare rules before using this modifier. Documentation in the medical record must satisfy criteria to use modifier 59 and other NCCI-associated modifiers to bypass an NCCI edit.
   
   Government audits follow NCCI. Commercial payers may follow NCCI or have their own bundling edits. When unsure of a payer’s stance on modifier 59 and/or the X{EPSU} modifiers, the medical coder must check the payer contract before filing a claim with distinct procedural services.
   

4. Payer guidelines: Prior to beginning an audit, it’s important to consider the payer-specific guidelines for the cases being audited. If auditing Medicare claims, determine the Medicare administrative contractor (MAC) for the region or location being audited.
   
   Some MACs provide specific information pertaining to documentation and coding guidelines that must be adhered to. Auditors should review the information for the relevant MAC on their website to become familiar with various policies. Medicaid policies are also important to review, especially if the organization provides services for family medicine, internal medicine, pediatrics, or obstetrics and gynecology.
   
   Commercial insurance policies don’t always align with CMS, so it’s important to know the payer’s guidelines before beginning the audit. Payer contracts may detail information needed to complete an audit.
   

5. Local Coverage Determinations (LCDs)­: Auditors should consult the MAC website for LCD guidance regarding medical necessity coverage decisions for services provided. This is an opportunity to determine if advance beneficiary notice (ABN) forms are needed, used, and completed. It’s also an opportunity to audit the diagnosis code selections and linkage to CPT^®/HCPCS Level II codes, comparing that to the MAC’s LCD and related articles.

6. Guidelines: Having all guidelines to refer to during the audit is essential. The type of auditing will dictate which guidelines are necessary. For example, if the DOS was several years ago, the 1995 and 1997 Documentation Guidelines for Evaluation and Management Services may apply. For a more recent DOS, updated AMA CPT^® guidelines for E/M services apply. Timed codes, like those for physical therapy, require the documentation to include the time spent with the patient. There are also codes from the integumentary system — skin excisions, for example — that require the documentation to detail the location and size of the excision.

7. Office-specific documents: Not every clinical practice is entirely paperless. The auditor should know if a medical practice or physician uses templates, forms, or other types of documentation in addition to the general note. Having access to additional documentation will help determine the accuracy of code selection.

8. Policies of the healthcare organization: Know the policies of the organization that could impact the audit. For example, when auditing preventive services, the office policy may dictate billing only the preventive service and no problem-related services, if one is provided. An external auditor needs to understand this policy prior to reviewing the medical record.

9. Encounter forms: The encounter form, or superbill, shows the codes the provider selected. These forms are typically used for prospective audits where the claim hasn’t been submitted yet, and the auditor is auditing the provider. CMS-1500 or UB04 forms (or their electronic versions) are needed in retrospective audits. The auditor needs to determine what was billed to the payer to determine if coding errors occurred.

What Are Some Types of Unrealized Revenue That Audits Can Reveal?

Audits may identify missed charges and encourage the review and correction of denials. An audit’s revenue objectives involve examining coding practices for lost revenue due to the improper use of codes. Common issues causing revenue loss include:

• Underbilled services: The search for underbilled (and overbilled) services begins with comparing the chart documentation to the billed codes. All services, including E/M services, ancillary procedures or services, and surgical procedures should be documented with sufficient detail to allow coders to select the proper CPT^®, HCPCS Level II, and ICD-10-CM codes.

• Underdocumented services: Underdocumented services are services that support a higher E/M level or additional ancillary service, but the documentation lacks sufficient detail to report the full extent of care rendered.

• Downcoded or denied services: Downcoded services are services the payer determines should be paid at a lower level of service. When payers deny or downcode services, an audit will explore the cause by comparing billed services to the Explanation of Benefits (EOB) or Remittance Advice (RA) portion of the payer statement.

What Is a Utilization Review?

Utilization review and data mining provide insight into billing patterns and can uncover areas of risk. Utilization review provides data about how frequently certain services are billed. A utilization pattern can be found from looking at the utilization review to evaluate coding patterns.

Federal contractors like to focus on frequency of improperly paid claims because, as of Jan. 15, 2025, False Claims Act penalties increased from $13,946-$14,308 per claim, and the maximum penalty increased from $27,894-$28,619 per claim. To know whether a practice might throw up any red flags, auditors should check claims frequency against national frequency norms.

An auditor looks at your 25 most frequent services and compares them to Medicare utilization data. If, for example, the national average of a code is 5.5 percent of all services, and a practice uses it twice as often, the practice should prioritize a self-audit to review the service and verify that solid coding and documentation support the claims.

What Is Data Mining in Healthcare Audits?

Data mining is a method that many payers use to compare billing frequencies of one provider against other providers working in the same medical specialty. Together with utilization review, data mining reveals if a provider bills outside of the normal statistical pattern.

Auditors can use these two methodologies to compare providers in any size practice or facility. In large facilities, this comparison can be used to identify high-risk areas. For example, a compliance or audit department may decide to audit providers that show a greater than 20 percent variance between their billing patterns and those of their peers.

What Types of Compliance Issues Can a Healthcare Audit Uncover?

Periodic audits ensure the medical record meets with federal and state regulations and serves its three primary purposes:

1. To detail clinical information pertinent to the care of the patient

2. To serve as a legal document that describes a course of treatment

3. To validate accurate code selection

Proactively choosing to conduct an external audit, or even an internal audit, will allow an organization to identify problem areas and make corrections before a Recovery Audit Contractor (RAC), MAC, or the OIG requests an audit.

What Can We Expect From an Audit Report?

The medical record audit report should identify key findings and present the analysis, rationale, and recommendations in an easy-to-follow and easy-to-apply format.

What Triggers a MAC or RAC Audit?

Factors that raise red flags with federal healthcare programs and private payers could involve:

• Consistently using one level of E/M service or routinely using higher levels

• Ordering excessive tests

• Billing for care not provided

• Unbundling of bundled procedures

• Waiving coinsurance and deductibles in absence of financial hardship

• Changing codes to get paid

• Coding based only on reimbursement and not on medical necessity of services

• Practitioner’s profile (utilization pattern) doesn’t meet the standards of the industry

What Is Overpayment Disclosure?

Overpayment disclosure, or self-disclosure, refers to reporting errors identified in an audit that have resulted in overpayments and/or amount to illegal billing activity. Disclosure gives providers an opportunity to avoid the costs and disruptions of litigation, advises the OIG.

But it’s not the auditor’s responsibility to identify an organization’s legal duty to disclose and refund an overpayment. As a general rule, all overpayments should be disclosed and refunded, but moral duty is not necessarily legal duty. The auditor that discovers errors associated with liability should recommend that the medical practice engage legal counsel for analysis of legal duty.

What Is the CERT Improper Payment Rate?

Comprehensive Error Rate Testing (CERT) is a CMS program conducted annually to measure improper payments in the Medicare Fee-for-Service (FFS) program. The U.S. Department of Health and Human Services (HHS) publishes the improper payment rate in the Agency Financial Report each November. CMS later publishes the Medicare Fee-for-Service (FFS) Improper Payments Report and Appendices, which provides specific error rates and improper payment rates for services and provider types.

How Do CERT Stats Affect Medical Practices?

CERT data is reported annually to alert federal agencies of prevalent claim errors. While this report focuses on claims submitted to CMS, error statistics can benefit physician practices by illuminating reporting errors that likely reflect claims submitted to private payers. It’s advisable for auditors and medical coders to review the annual CERT report.

Provider organizations should understand how CMS uses the information garnered from the CERT program. First, CMS uses providers’ data to “protect the Medicare Trust Fund by identifying errors and assessing error rates, at both the national and regional levels,” as indicated by CGS Medicare.

Second, through the CERT program, the government tracks error trends among provider types, codes, and services. These findings help CMS pinpoint issues raising the improper payment rate. The agency then uses this information to rein in outliers, rectify issues, and facilitate program integrity.

Lastly, CMS uses the information garnered from the report to measure how MACs perform. The CERT data helps to determine regional programming and education, including tools like the Targeted Probe and Educate (TPE) program and Comparative Billing Reports (CBRs) in a jurisdiction.

What Is the OIG Work Plan?

The OIG Work Plan lists active items such as audits, evaluations, and inspections that are planned or underway. These priority projects will be conducted by the OIG’s Office of Audit Services, Office of Evaluation and Inspections, Office of Investigations, and Office of Counsel to the Inspector General.

According to the OIG, factors considered in their plan are based on:

• Required mandatory OIG reviews;

• Concerns raised by Congress;

• Office of Management and Budget;

• HHS management;

• HHS challenges with management and performance;

• Implemented OIG recommendations from earlier reviews;

• Potential for positive impact; and

• Work performed by oversight organizations.

How Does the Recovery Audit Contractor (RAC) Program Work?

The RAC program works through CMS, who hires contractors and pays them on a contingency fee basis. This means that RACs are paid a percentage of the money they recover, which gives them an incentive to rectify overpayments.

RACs are required to employ a variety of professionals to review claims, including nurses, therapists, certified medical coders, and physicians. Claims processing contractors have the responsibility of adjusting claims, managing offsets and refunds, and reporting the debt on financial statements. RACs can go back three years to review claims. Their main goal is to identify improper reimbursement.

FFS recovery auditors perform two types of reviews:

• Automated review occurs when a recovery auditor makes a claim determination at the system level without a human review of the medical record.

• Complex review occurs when a recovery auditor makes a claim determination using human review of the medical record or other required documentation.

To obtain the medical record and any supporting documentation, the RAC may issue an Additional Documentation Request (ADR). If the FFS recovery auditor identifies an improper payment, a letter is sent to the provider that includes the review results, decision, and rationale. The MAC will adjust the claim and send a demand letter to the provider for the overpayment.

If the provider agrees with the demand letter, they may submit payment, ask for a recoupment of future payments, or ask for an extended payment plan. If the provider disagrees with the demand letter, they may submit a discussion period request to the recovery auditor within 30 days from the date of the demand letter. Other options include submitting a rebuttal to the MAC within 15 days of the date of the demand letter or submitting a redetermination request to the MAC within 120 days of the date of the demand letter. This last option is the first level of appeal.

What Is a Compliance Plan?

A compliance plan is a collection of steps that a provider, organization, or practice establishes to ensure adherence to federal and state regulations. All physician offices and healthcare facilities should solidify a compliance plan that outlines the process for coding and submitting accurate claims, as well as clearly defining what to do if mistakes are found.

The voluntary compliance program implemented by an organization demonstrates good-faith efforts to submit claims appropriately. It also tells employees that compliance is a priority.

What Should a Compliance Program Include?

While the scope of a compliance program will depend on the size and resources of the organization, the OIG has identified 7 Elements of a Successful Compliance Program in their Complete General Compliance Guidance PDF. These elements include:

1. Written policies and procedures

2. Compliance leadership and oversight

3. Training and education

4. Effective lines of communication with the compliance officer and disclosure program

5. Enforcing standards: consequences and incentives

6. Risk assessment, auditing, and monitoring

7. Responding to detected offenses and developing corrective action initiatives

An effective compliance plan should expand on these seven elements and include directions, standards, and policies for how each element will be handled.

If an area of noncompliance is found, detailed records of the incident should be documented with the date, name of the person who reported the issue, the person who initiated action on the issue, and any corrective action taken.

What Is a Corporate Integrity Agreement?

A corporate integrity agreement (CIA) is a document resulting from a civil settlement that outlines actions required of a healthcare company to maintain the privilege of participating in federal healthcare programs. The OIG plays a prominent role in negotiating, developing, and enforcing CIAs, which typically last five years.

Common CIA Requirements

1. A compliance officer or compliance committee must be hired to oversee fulfillment of the CIA. Responsibilities of the officer or committee would include developing and implementing compliance policies and procedures to guarantee compliance with the CIA and federal healthcare program regulations.

2. Written standards and policies must be developed.

3. A comprehensive employee training program must be implemented.

4. An independent review organization must be retained to conduct annual reviews.

5. A confidential disclosure program must be established.

6. Employment of ineligible people must be restricted. CIAs outline the definition of an ineligible person.

7. Overpayments, reportable events, and current investigations or legal proceedings must be reported. These may include a large overpayment, a criminal or legal violation, or possibly a bankruptcy petition.

8. An implementation report and annual report must be provided to the OIG detailing the status of compliance activities. The OIG has the right to inspect the individual or organization at any time.

Complying with the obligations in the CIA is enforced by the OIG, with failure to do so subject to monetary penalties. The OIG also can exclude a provider or organization from participating in federal healthcare programs. OIG publishes a list of the organizations and providers that have breached their CIAs and have been penalized as a result.

Report Overpayments

Under CIAs, providers must promptly notify the appropriate payer of all identified overpayments and must promptly repay the overpayment amount in a manner consistent with the payer's policies. In addition, providers are expected to develop and implement written policies and procedures to ensure that overpayments are identified, quantified, and repaid in accordance with the CMS overpayment rule and other applicable federal healthcare program requirements.

Although all identified overpayments should be refunded to the appropriate payer, a provider under a CIA does not need to report to OIG all identified overpayments at the time it reports such amounts to the payer. The provider must, however, report to OIG within 30 days all "reportable events" as defined by the CIA. A "reportable event" generally means anything that involves:

• A substantial overpayment

• A matter that a reasonable person would consider a potential violation of criminal, civil, or administrative laws applicable to any federal healthcare program for which penalties or exclusion may be authorized

• The employment of or contracting with an ineligible person (as defined in the CIA)

• The filing of a bankruptcy petition

Select an Independent Review Organization (IRO)

An IRO acts as a third-party medical review resource that provides objective, unbiased audits and reports. An auditor working as an IRO needs to understand the CIA of their client, including specific terms that may affect the auditing or reporting of the IRO.

The OIG will not endorse a particular IRO, but, if the provider’s choice of IRO is unacceptable, most CIAs include language that gives the OIG the opportunity to notify a provider within 30 days of written notice identifying the IRO. If the OIG has concerns regarding the quality of the review, qualifications, or independence of the IRO during the term of the CIA, it will make the concerns known and may request the agreement with the IRO be terminated and another IRO be retained.

What Is a Certificate of Compliance Agreement (CCA)?

In November 2001, Inspector General Janet Rehnquist issued an Open Letter to Healthcare Providers announcing modifications to OIG policies as a response to concerns regarding the civil settlement process. It also stated circumstances that the OIG would consider relative to a CIA:

1. Whether the provider self-disclosed the alleged misconduct

2. The monetary damage to the federal healthcare programs

3. Whether the case involves successor liability

4. Whether the provider is still participating in the federal healthcare programs or in the line of business that gave rise to the fraudulent conduct

5. Whether the alleged conduct is capable of repetition

6. The age of the conduct

7. Whether the provider has an effective compliance program and would agree to limited compliance or integrity measures and would annually certify such compliance to the OIG

8. Other circumstances, as appropriate

This letter introduced the concept of the Certificate of Compliance Agreement (CCA). These CCAs require the provider to certify that it will continue to operate its existing compliance programs and to report to OIG for a period, usually three years.

Last reviewed on Feb. 12, 2025, by the AAPC Thought Leadership Team