Your Medical Auditing Questions Answered

Among different types of medical audits, the auditor’s role remains the same: review healthcare providers’ policies and procedures to ensure compliance with federal, state, and payer regulations. But questions invariably arise, given the assorted methodologies of auditing and the myriad requirements that define compliant billing activity.

To help you fill in the gaps of your medical chart review knowledge, we’ve outlined answers to the most common medical auditing questions asked by both seasoned medical coders accustomed to conducting audits and students preparing for their CPMA exam. Bookmark this page and refer to it as needed or read it in one sitting to broaden your understanding of the healthcare auditing landscape.

What is a medical chart review?

A medical chart review, also referred to as a chart audit, is an examination of medical records to determine what procedures or services were performed. From this, the auditor determines if the documentation is compliant, if the claim is correctly coded, and if all charges are captured.

What are some billing and coding errors to include in an audit?

A medical audit can reveal unexpected errors hidden in the medical record, such as services not provided, services billed under the wrong provider, services not ordered by the licensed professional, wrong procedures and diagnoses reported, and other coding and billing errors.

10 Common Billing Errors

• 1.
  Duplicate claim submission: Claims often are denied because the claim was previously processed (for instance, no payment made, allowed amount applied to deductible on the initial claim). If the provider mistakenly refiles the claim to “correct” it, the second claim submitted is a duplicate. The initial claim was processed correctly but hadn’t been paid in 30 days.
• 2.
  Undocumented services: An effective audit will identify instances where codes are billed without supporting documentation. When a private payer, Medicare, or Medicaid requests written proof of billed charges, the provider must substantiate the services. Examples of misplaced information range from laboratory results and imaging reports to problem lists and medications.
• 3.
  Non-covered services: Billing for services not covered by the payer is an error commonly found during both internal audits and external audits. Staying up to date on exclusion policies by checking with your payers is important. For Medicare, most contractors will post policy changes with effective dates on their websites.
• 4.
  Medical necessity not established: This issue occurs when the payer deems the services billed are not medically necessary. Check the particular carrier or contractor for the list of covered diagnoses for a specific service.
• 5.
  Inappropriate bundling of services: Unbundling entails billing multiple procedure codes that are covered by a single CPT^® code or HCPCS Level II code. Never divide the components of a procedure when one code covers all components. Access the payer’s edits, such as Medicare’s National Correct Coding Initiative (NCCI) edits to review which codes may be billed separately on the same date of service (DOS), as well as the appropriate modifiers to use in those situations.
• 6.
  Beneficiary eligibility: Claims are often denied for eligibility because the beneficiary number is invalid on the claim, the beneficiary is not eligible to receive benefits, or the beneficiary’s claims must be filed to another insurance plan.
• 7.
  Incorrect carrier: Claims with this error were submitted to the incorrect payer/contractor for payment. It’s important to screen patients and be aware of the types of services provided prior to submitting a claim to the carrier. Check the patient’s insurance card and verify the patient’s identification number, such as the Medicare Beneficiary Identifier (MBI), on the card.
• 8.
  Medicare is the secondary payer: The care of a Medicare patient may be covered by another payer through coordination of benefits. Medicare may be the secondary payer, for example, when the Medicare patient is employed full- or part-time and covered under an Employer Group Health Plan (EGHP).
• 9.
  Incorrect diagnosis: Services with an incorrect diagnosis error were denied because the diagnosis listed as primary was not a covered diagnosis for the procedures performed.
• 10.
  Modifier error: A modifier error means that the modifier necessary to process the claim is missing, incomplete, or invalid (based on the procedure and diagnosis indicated on the claim form). Misuse and abuse of modifiers is under OIG scrutiny and can result in penalties. Know how to apply CPT^® and HCPCS Level II modifiers for the specific condition or situation.

Why is medical necessity important?

The American Medical Association defines medical necessity as “health care services or products that a prudent physician would provide to a patient for the purpose of preventing, diagnosing, or treating an illness, injury, disease, or its symptoms in a manner that is: (a) in accordance with generally accepted standards of medical practice; (b) clinically appropriate in terms of type, frequency, extent, site, and duration; and (c) not primarily for the economic benefit of the health plans and purchasers or for the convenience of the patient, treating physician, or other health care provider.”

CMS relies on the Social Security Act (Title XVIII of the Social Security Act, Section 1862 [a] [1] [a]) for its understanding of “medical necessity.” That part of the law states “no payment may be made under [Medicare] part A or part B for any expenses incurred for items or services which … are not reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body member.” Other payers may take a similar approach.

If Medicare or other payers determine services were medically unnecessary after payment was issued, they will demand a refund of the overpayment with interest. Should payers find a pattern of overpayment, the physician may face monetary penalties, exclusion from the Medicare/payer program, and even criminal prosecution.

How do you establish medical necessity?

Diagnosis codes identify the medical necessity of services provided by describing the circumstances of the patient’s condition. Most payers use claim edits or automatic denial/review commands within their computer software to review claims. These edits ensure that payment is made for specific procedure codes when provided to a patient with a specific diagnosis code or range of ICD-10-CM codes.

Steps in medical coding to demonstrate medical necessity:

• 1.
  List the principal diagnosis, condition, problem, or other reason for the medical service or procedure.
• 2.
  Assign the code to the highest level of specificity.
• 3.
  For office and/or outpatient services, never use a rule-out statement (a suspected but not confirmed diagnosis) for code selection. If no definitive diagnosis is yet determined, code symptoms and/or signs instead of using rule-out statements.
• 4.
  Be specific in describing the patient’s condition, illness, or disease.
• 5.
  Distinguish between acute and chronic conditions, when appropriate.
• 6.
  Identify the acute condition of an emergency situation (for example, coma, loss of consciousness, or hemorrhage).
• 7.
  Identify chronic complaints or secondary diagnoses only when treatment is provided or when they affect the overall management of the patient’s care.
• 8.
  Identify how injuries occur, including place of occurrence, if appropriate.

What are Medically Unlikely Edits (MUEs)?

The Centers for Medicare & Medicaid Services (CMS) developed Medically Unlikely Edits (MUEs) to help reduce the paid claims error rate for Medicare Part B claims. MUEs define the maximum units of service that a provider would report, under most circumstances, for a single beneficiary, on a single date of service, for a specific CPT^® or HCPCS Level II code.

What is the difference between a medical coding audit and a medical billing audit?

A medical billing audit, sometimes referred to as a revenue cycle management (RCM) audit, covers broader areas than the medical coding audit. Designed to optimize RCM performance, the billing audit includes a medical record audit, as well as an evaluation of the entire billing cycle — from copay collection processes and insurance verification to claim submissions, payment posting, follow up, and denial and appeals processes.

Is an internal audit better than an external audit?

Relying on both internal and external audits is the gold standard in the highly regulated, highly scrutinized healthcare industry.

A strong internal chart auditing program will detect insufficient documentation and improper coding, making it easier for healthcare organizations to resolve areas of noncompliance and capture missed revenue. An external audit, on the other hand, delivers invaluable objectivity.

Whether you manage a hospice or a home health agency, a solo physician practice, or a large university medical center, your organization benefits from another set of eyes. You can’t fix what you don’t know is broken. Without auditing services from an objective partner — experts who live and breathe healthcare auditing — you’re consigning your business to the status quo. And as third-party audits confirm, the status quo is likely to conceal risk.

What is an acceptable pass rate for medical audits?

The Office of Inspector General (OIG) allows a 5% error rate on claims, according to its website. This doesn’t always correlate to a 95% pass rate threshold on compliance audits, however. When you’re setting pass rate thresholds, it’s important to understand how to measure your audits and the impact pass rates will have on your organization. Healthcare organizations commonly hold themselves to a minimum of 90% coding accuracy for most audit types.

What is the difference between medical auditing and monitoring?

Auditing is the process of examining the medical record, verifying information, and gathering baseline information to identify risk areas. Monitoring is the ongoing process of reviewing coding practices and the adequacy of the documentation and code selection. Monitoring should be conducted regularly and include activities such as auditing, reviewing utilization patterns, reviewing computerized reports, and reviewing reimbursement. A monitoring system is usually implemented based on findings from the baseline audit.

What is the difference between a focused audit and a random audit?

A focused audit looks at one item, one type of service, one provider, or one coder. A random audit reviews medical records chosen by chance to determine a healthcare organization’s compliance and possible liabilities.

Before beginning an audit, the auditor will need to determine if he or she is going to complete a focused audit or a random audit. The decision helps to determine what will be audited, as well as the sample size.

A focused audit may concentrate on one type of service to determine compliance, such as new patient visits, established patient visits, consultations, or nursing home visits. If your organization employs nonphysician practitioners, you might conduct an audit to verify compliance with incident-to rules.

Random audits make excellent baseline audits. They look at all possible services provided within a specific timeframe and often identify areas for potential education and future focused audits to determine the effectiveness of the education.

What types of healthcare audits are most common?

Types of healthcare audits, in addition to random audits and focused audits, include:

• Prospective audits: The prospective audit, also called a pre-payment audit, is performed prior to claim submission. Typically, the billing record (charge ticket or superbill) is obtained, along with the chart documentation and any supporting labs, medication sheets, problem lists, etc. If the documentation doesn’t support the CPT^®, HCPCS Level II, and ICD-10-CM codes to be billed, the coding will be corrected based on the audit findings. This type of audit may affect claim turnaround time. Communication between the provider and auditor should follow the audit immediately.

  A prospective audit may be random or focused. A healthcare organization, for example, may decide to conduct a prospective audit focused on level 4 established patient E/M visits for a single provider.

• Retrospective Audits: Retrospective audits examine medical record documentation after the provider has submitted the claim to the insurance carrier and payment is received. The auditor will review the billing record (charge ticket or superbill), the Remittance Advice/Explanation of Benefits, and the medical record documentation, along with other supporting documentation. A retrospective audit could lead to refunding payment or partial payment to the insurance carrier.

  This is the most common audit method and charts can be selected based on utilization or frequency. A report generated within the billing system typically identifies the claim sample for a retrospective audit.

• Aggregate Analyses: An aggregate analysis is valuable to compare data using a defined data set. By comparing coding data among providers, both within a practice as well as from another practice of the same specialty, the organization can identify areas of concern, such as undercoding and upcoding trends or utilization frequency.

• Rebuttal Audit: In less common cases, a rebuttal audit is conducted in response to a payer audit with the objective of validating or refuting the conclusions of the payer. The work in a rebuttal audit centers on determining whether the appropriate binding standards were applied correctly, or whether the information provided to the payer was complete and properly interpreted.

What is a statistical sampling?

A statistically valid sample uses scientific sampling methods to ensure that audit results from the medical chart sample reflect all claims submitted to or processed by payers.

One type of statistical sampling is proportional sampling. The sample is built around high frequency items or items considered proportionally significant. This could, for example, involve frequently billed CPT^® or HCPCS Level II codes with the highest dollar charge.

Another statistical method of sampling is known as numerical sampling. The sample size is based on all possible services within a determined period. This type of sample lends itself to a random final selection. During a simple random selection, all items in the total sample have an equal chance of selection in the audit. Random number generators can be found on the internet to provide a random selection process.

An example of non-statistical sampling, also called judgmental sampling, can be applied to a focused audit. The sample is based on unique services defined in the objective and scope. This type of sampling could be used if the audit is being performed to look only at high levels of service. For instance, only the level 4 and 5 E/M visits would be included in the sample, and the selection would be made from that sample.

What tools do you need to conduct a medical audit?

The tools needed to perform a successful audit will depend on the type and scope of the audit. An array of healthcare auditing resources provides auditors with details needed to assess reporting accuracy.

• 1.
  Electronic audit tools: While electronic audit tools can do a great deal of work for auditors, a knowledge of auditing is a must. Electronic tools can’t determine medical necessity. The auditor will need to apply their knowledge of medical necessity while working in the tool. This will be especially important when auditing E/M codes.
• 2.
  Coding books: Keep current CPT^®, ICD-10-CM, and HCPCS Level II code books at your disposal when auditing. Coding books are essential for the coding and documentation review. The guidelines should be referred to often to ensure proper application of codes.
• 3.
  National Correct Coding Initiative (NCCI): If the audit contains claims with multiple CPT^® codes billed for one DOS, the auditor should reference payer edits, such as Medicare NCCI edits. The NCCI manual can also help the auditor spot CPT^® bundling errors and modifier issues.

  Modifier 59 Distinct procedural service, for example, has long been under audit scrutiny, which is why you should review coding guidelines and Medicare’s rules before using this modifier. Documentation in the medical record must satisfy criteria to use modifier 59 and other NCCI-associated modifiers to bypass an NCCI edit.

  Government audits follow NCCI. Commercial payers may follow NCCI or have their own bundling edits. If you’re unsure of your payer’s stance on modifier 59 and/or the X modifiers, be sure to check your contract before filing a claim with distinct procedural services.
• 4.
  Payer guidelines: Prior to beginning an audit, it’s important to consider the payer-specific guidelines for the cases being audited. If auditing Medicare claims, determine the MAC for the region or location being audited.

  Some MACs provide specific information pertaining to documentation and coding guidelines that must be adhered to. Review the information for the relevant MAC on their website to familiarize yourself with the various policies. Medicaid policies are also important to review, especially if the organization provides services for family medicine, internal medicine, pediatrics, or obstetrics and gynecology.

  Commercial insurance policies don’t always align with CMS, so be sure you know the payer’s guidelines before beginning the audit. Additionally, payer contracts may detail information needed to complete an audit. 
• 5.
  Local Coverage Determinations (LCD)­: Consult the MAC website for LCD guidance regarding medical necessity coverage decisions for services provided. This is an opportunity to determine if advanced beneficiary notice (ABN) forms are used and completed. It’s also an opportunity to audit the diagnosis code selections and linkage to CPT^®/HCPCS Level II codes.
• 6.
  Guidelines: Having all guidelines to refer to during the audit is essential. The type of auditing you are doing will dictate the guidelines you need. For example, E/M auditing relies on 1995 and 1997 documentation guidelines or AMA CPT^® 2021 guidelines for office/outpatient encounters, while procedure auditing will use documentation differently. Timed codes, like those for physical therapy, require the documentation to include the time spent with the patient. There are also codes from the integumentary system — skin excisions, for example — that require the documentation to detail the location and size of the excision.
• 7.
  Office-specific documents: Not every clinical practice is entirely paperless. The auditor should know if a medical practice or physician uses templates, forms, or other types of documentation in addition to the general note. Having access to additional documentation will help determine the accuracy of code selection.
• 8.
  Policies of the healthcare organization: Know the policies of the organization that could impact the audit. For example, when auditing preventive services, the office policy may dictate billing only the preventive service and no problem-related services, should one be provided. An external auditor needs to understand this policy prior to reviewing the medical record.
• 9.
  Encounter forms: The encounter form, or superbill, shows the codes the provider selected. These forms are typically used for prospective audits where the claim hasn’t been submitted yet, and the auditor is auditing the provider. CMS-1500 or UB04 forms (or their electronic versions) are needed in retrospective audits. The auditor needs to determine what was billed to the payer to determine if coding errors occurred.

What are some types of unrealized revenue audits can reveal?

Audits may identify missed charges and encourage the review and correction of denials. An audit’s revenue objectives involve examining coding practices for lost revenue due to the improper use of codes. Common issues causing revenue loss include:

• Underbilled services: The search for underbilled (and overbilled) services begins with comparing the chart documentation to the billed codes. All services, including E/M services, ancillary procedures or services, and surgical procedures should be documented with sufficient detail to allow coders to select the proper CPT^®, HCPCS Level II, and ICD-10-CM codes.
• Under-documented services: Under-documented services are services that support a higher E/M level or additional ancillary service, but the documentation lacks sufficient detail to report the full extent of care rendered.
• Downcoded or denied services: Downcoded services are services the payer determines should be paid at a lower level of service. When payers deny or downcode services, an audit will explore the cause by comparing billed services to the Explanation of Benefits (EOB) or Remittance Advice (RA) portion of the payer statement.

What is a utilization review?

Utilization review and data mining provide insight into billing patterns and can uncover areas of risk. Utilization review provides data about how frequently certain services are billed. A utilization pattern can be found from looking at the utilization review to evaluate coding patterns.

Federal contractors like to focus on frequency of improperly paid claims because, as of 2020, they can generate penalties of up to $23,331 per claim under the False Claims Act. To know whether your practice might throw up any red flags, auditors should check claims frequency against national frequency norms.

Look at your 25 most frequent services and compare them to Medicare utilization data. If, for example, the national average of a code is 5.5% of all services, and you use it twice as often, prioritize a self-audit to review the service and verify that solid coding and documentation support your claims.

To give you an idea of what to look for, consider the 2019 national frequency norms of the most commonly performed services in these five specialties (2021 code descriptors are shown):

• General surgery: Under this specialty, 99213 Office or other outpatient visit for the evaluation and management of an established patient, which requires a medically appropriate history and/or examination and low level of medical decision making. When using time for code selection, 20-29 minutes of total time is spent on the date of the encounter is the most used code and represents 8% of general surgeons’ claims.
• Gastroenterology: For gastroenterologists, 43239 Esophagogastroduodenoscopy, flexible, transoral; with biopsy, single or multiple is the most utilized code at 7%.
• Emergency medicine: According to the Medicare utilization data, 99284 Emergency department visit for the evaluation and management of a patient, which requires these 3 key components: A detailed history; A detailed examination; and Medical decision making of moderate complexity … comprises 16% of these specialty claims.
• Oncology: Code 99214 Office or other outpatient visit for the evaluation and management of an established patient, which requires a medically appropriate history and/or examination and moderate level of medical decision making. When using time for code selection, 30-39 minutes of total time is spent on the date of the encounter is the top individual code used by oncologists 7% of the time.
• Family practice: CPT^® codes 99213 and 99214 are tied for most used codes and put into play by family practitioners 7% each.

What is data mining in healthcare audits?

Data mining is a method that many payers use to compare billing frequencies of one provider against other providers working in the same medical specialty. Together with utilization review, data mining reveals if a provider bills outside of the normal statistical pattern.

Auditors can use these two methodologies to compare providers in any size practice or facility. In large facilities, this comparison can be used to identify high-risk areas. For example, a compliance or audit department may decide to audit providers that show a greater than 20% variance between their billing patterns and those of their peers.

What types of compliance issues can a healthcare audit uncover?

Periodic audits ensure that the medical record meets with federal and state regulations and serves its three primary purposes:

• 1.
  To detail clinical information pertinent to the care of the patient
• 2.
  To serve as a legal document that describes a course of treatment
• 3.
  To validate accurate code selection

Proactively choosing to conduct an external audit, or even an internal audit, will allow an organization to identify problem areas and make corrections before a Recovery Audit Contractor (RAC), Medicare Administrative Contractor (MAC), or the Office of Inspector General (OIG) requests an audit.

What can we expect from an audit report?

The medical record audit report should identify key findings and present the analysis, rationale, and recommendations in an easy-to-follow and easy-to-apply format.

What triggers a MAC or RAC audit?

Factors that raise red flags with federal healthcare programs and private payers could involve:

• Consistently using one level of E/M service or routinely using higher levels
• Ordering excessive tests
• Billing for care not provided
• Unbundling of procedures
• Waiving coinsurance and deductibles in absence of financial hardship
• Changing codes to get paid
• Coding based only on reimbursement and not medically necessary services
• Practitioner’s profile (utilization pattern) doesn’t meet the standards of the industry

What is overpayment disclosure?

Overpayment disclosure, or self-disclosure, refers to reporting errors identified in an audit that have resulted in overpayments and/or amount to illegal billing activity. Disclosure gives providers an opportunity to avoid the costs and disruptions of litigation, advises the OIG.

But it’s not the auditor’s responsibility to identify an organization’s legal duty to disclose and refund an overpayment. As a general rule, all overpayments should be disclosed and refunded, but moral duty is not necessarily legal duty. The auditor that discovers errors associated with liability should recommend that the medical practice engage legal counsel for analysis of legal duty.

What is the CERT improper payment rate?

CERT stands for Comprehensive Error Rate Testing (CERT) and is a CMS program conducted annually to measure improper payments in the Medicare Fee-for-Service (FFS) program. The U.S. Department of Health and Human Services (HHS) publishes the improper payment rate in the Agency Financial Report each November. CMS later publishes the Medicare Fee-for-Service (FFS) Improper Payments Report and Appendices, which provides specific error rates and improper payment rates for services and provider types.

How do CERT stats affect your medical practice?

CERT data is reported annually to alert federal agencies to prevalent claim errors. While this report focuses on claims submitted to CMS, error statistics can benefit physician practices by illuminating reporting errors that likely reflect claims submitted to private payers. It’s advisable for auditors and medical coders to review the annual CERT report.

Provider organizations should understand how CMS uses the information garnered from the CERT program. First, CMS uses providers’ data to “protect the Medicare Trust Fund by identifying errors and assessing error rates, at both the national and regional levels,” indicates Part B Medicare Administrative Contractor (MAC) CGS Medicare.

Second, through the CERT program, the government tracks error trends among provider types, codes, and services. These findings help CMS pinpoint issues raising the improper payment rate. The agency then uses this information to rein in outliers, rectify issues, and facilitate program integrity.

Lastly, CMS uses the information garnered from the report to measure how MACs perform. The CERT data helps to determine regional programming and education, including tools like the Targeted Probe and Educate (TPE) program and Comparative Billing Reports (CBRs) in a jurisdiction.

What is the OIG Work Plan?

The OIG Work Plan lists active items such as audits, evaluations, and inspections that are planned or underway. These priority projects will be conducted by the Office of Inspector General’s Office of Audit Services, Office of Evaluation and Inspections, Office of Investigations, and Office of Counsel to the Inspector General.

According to the OIG, factors considered in their plan are based on required mandatory OIG reviews, concerns raised by Congress, the Office of Management and Budget, HHS management, HHS challenges with management and performance, implemented OIG recommendations from earlier reviews, potential for positive impact, and work performed by oversight organizations.

How does the Recovery Audit Contractor (RAC) program work?

The RAC program works through CMS, who hires contractors and pays them on a contingency fee basis. This means that RACs are paid a percentage of the amount of money they recover, which gives them an incentive to rectify overpayments.

RACs are required to employ a variety of professionals to review claims, including nurses, therapists, certified medical coders, and physicians. Claims processing contractors have the responsibility of adjusting claims, managing offsets and refunds, and reporting the debt on financial statements. Recovery audit contractors can go back three years to review claims. Their main goal is to identify improper reimbursement.

FFS recovery auditors perform two types of reviews:

• Automated review occurs when a recovery auditor makes a claim determination at the system level without a human review of the medical record.
• Complex review occurs when a recovery auditor makes a claim determination using human review of the medical record or other required documentation.

If the FFS recovery auditor identifies an improper payment, a letter is sent to the provider that includes the review results, decision, and rationale. The MAC will adjust the claim and send a demand letter to the provider for the overpayment.

If the provider agrees with the demand letter, they may submit payment, ask for a recoupment of future payments, or ask for an extended payment plan. If the provider disagrees with the demand letter, they may submit a discussion period request to the recovery auditor within 30 days from the date of the demand letter. Other options include submitting a rebuttal to the MAC within 15 days of the date of the demand letter or submitting a redetermination request to the MAC within 120 days from the date of the demand letter. This last option is the first level of appeal.

What is a compliance plan?

A compliance plan is a collection of steps that a provider, organization, or practice establishes to ensure adherence to federal and state regulations. All physician offices and healthcare facilities should solidify a compliance plan that outlines the process for coding and submitting accurate claims, as well as clearly defining what to do if mistakes are found.

The voluntary compliance program implemented by an organization demonstrates good-faith efforts to submit claims appropriately. It also tells employees that compliance is a priority.

What should you include in your compliance program?

While the scope of a compliance program will depend on the size and resources of the organization, the OIG has identified seven elements that should be present in every compliance plan. These elements include:

• Implement compliance and practice standards through the development of written standards and procedures
• Designate a compliance officer or contact(s) to monitor compliance efforts and enforce practice standards
• Conduct appropriate training and education on practice standards and procedures
• Conduct internal monitoring and auditing through the performance of periodic audits
• Respond appropriately to detected violations through the investigation of allegations and the disclosure of incidents to appropriate government entities
• Develop open lines of communication, such as: (1) discussions at staff meetings regarding how to avoid erroneous or fraudulent conduct and (2) community bulletin boards to keep practice employees updated regarding compliance activities
• Enforce disciplinary standards through well-publicized guidelines

An effective compliance plan should expand on these seven elements and include directions, standards, and policies for how each element will be handled.

If an area of noncompliance is found, detailed records of the incident should be documented with the date, name of the person who reported the issue, the person who initiated action on the issue, and any corrective action taken.

What is a corporate integrity agreement?

A corporate integrity agreement (CIA) is a document resulting from a civil settlement that outlines actions required of a healthcare company to maintain the privilege of participating in federal healthcare programs. The OIG plays a prominent role in negotiating, developing, and enforcing CIAs, which typically last five years.

Common CIA Requirements

• 1.
  A compliance officer or compliance committee must be hired to oversee fulfillment of the CIA. Responsibilities of the officer or committee would include developing and implementing compliance policies and procedures to guarantee compliance with the CIA and federal healthcare program regulations.
• 2.
  Written standards and policies must be developed.
• 3.
  A comprehensive employee training program must be implemented.
• 4.
  An independent review organization must be retained to conduct annual reviews. OIG may reject an organization’s choice within 30 days after the OIG has been notified in writing of the identity of the third-party audit company.
• 5.
  A confidential disclosure program must be established. The program must consist of a reporting policy, a hotline, or any other method of non-retaliatory disclosure.
• 6.
  Employment of ineligible persons must be restricted. CIAs outline the definition of an ineligible person.
• 7.dent Review Organization (
  Overpayments, reportable events, and current investigations or legal proceedings must be reported. These may include a large overpayment, a criminal or legal violation, or possibly a bankruptcy petition.
• 8.
  An implementation report and annual report must be provided to OIG detailing the status of compliance activities. OIG has the right to inspect the individual or organization at any time.

Complying with the obligations in the CIA is enforced by the OIG, with failure to do so subject to monetary penalties. The OIG also can exclude a provider or organization from participating in federal healthcare programs. OIG publishes a list of the organizations and providers that have breached their CIAs and have been penalized as a result.

Report Overpayments

Under CIAs, providers must promptly notify the appropriate payer of all identified overpayments and must promptly repay the overpayment amount in a manner consistent with the payer's policies. In addition, providers are expected to develop and implement written policies and procedures to ensure that overpayments are identified, quantified, and repaid in accordance with the CMS overpayment rule and other applicable federal healthcare program requirements.

Although all identified overpayments should be refunded to the appropriate payer, a provider under a CIA does not need to report to OIG all identified overpayments at the time it reports such amounts to the payer. However, the provider must report to OIG within 30 days all "reportable events" as defined by the CIA. A "reportable event" generally means anything that involves:

• A substantial overpayment
• A matter that a reasonable person would consider a potential violation of criminal, civil, or administrative laws applicable to any federal healthcare program for which penalties or exclusion may be authorized
• The employment of or contracting with an ineligible person (as defined in the CIA)
• The filing of a bankruptcy petition

Select an Independent Review Organization (IRO)

An IRO acts as a third-party medical review resource that provides objective, unbiased audits and reports. An auditor working as an IRO needs to understand the CIA of their client, including specific terms that may affect the auditing or reporting of the IRO.

The OIG will not endorse a particular IRO, but most CIAs include language that gives the OIG the opportunity to notify a provider if its choice of IRO is unacceptable within 30 days of written notice identifying the IRO. If the OIG has concerns regarding the quality of the review, qualifications, or independence of the IRO during the term of the CIA, it will make the concerns known and may request the agreement with the IRO be terminated and another IRO be retained.

What is a Certificate of Compliance Agreement (CCA)?

In November 2001, Inspector General Janet Rehnquist issued an Open Letter to Healthcare Providers announcing modifications to OIG policies as a response to concerns regarding the civil settlement process. It also stated circumstances that the OIG would consider relative to a Corporate Integrity Agreement:

• 1.
  Whether the provider self-disclosed the alleged misconduct
• 2.
  The monetary damage to the federal healthcare programs
• 3.
  Whether the case involves successor liability
• 4.
  Whether the provider is still participating in the federal healthcare programs or in the line of business that gave rise to the fraudulent conduct
• 5.
  Whether the alleged conduct is capable of repetition
• 6.
  The age of the conduct
• 7.
  Whether the provider has an effective compliance program and would agree to limited compliance or integrity measures and would annually certify such compliance to the OIG
• 8.
  Other circumstances, as appropriate

This letter introduced the concept of the Certificate of Compliance Agreement (CCA). These CCAs require the provider to certify that it will continue to operate its existing compliance programs and to report to OIG for a period, usually three years.

Last reviewed on March 5, 2021