What Is Medical Auditing?
Medical auditing is a systematic performance assessment within a healthcare organization. Most healthcare elements can be audited, but many audits look at components of payer reimbursement processes to evaluate compliance with payer guidelines and federal and state regulations. By identifying errors and devising remedial actions to eliminate them, the medical audit serves a vital role in a healthcare organization’s compliance plan.
Medical audits provide a mechanism to:
Review quality of care provided to patients;
Educate providers on documentation guidelines;
Determine if organizational policies are current and effective;
Optimize revenue cycle management;
Ensure appropriate revenue is captured; and
Defend against federal and payer audits, malpractice litigation, and health plan denials.
Federal Scrutiny and Compliance Enforcement
Law requires the Centers for Medicare & Medicaid Services (CMS) — the largest payer for healthcare in the United States — to protect the two taxpayer-sponsored Medicare trust funds, which include the Hospital Insurance Trust Fund and the Supplementary Medical Insurance Trust Fund. The U.S. Government Accountability Office reports that, each year, medical claims errors filed by provider organizations result in inappropriate payments costing the fund tens of billions of dollars.
To prevent inappropriate payments from compromising the Medicare trust funds, CMS works with Part A and Part B Medicare Administrative Contractors (MACs) and Durable Medical Equipment MACs (DME MACs). In fact, CMS works with a constellation of contractors tasked with protecting taxpayers and future Medicare beneficiaries. Some CMS contractors include:
Recovery Audit Contractors (RACs) review postpayment claims with the goal of recovering improper payments made to healthcare providers under fee-for-service (FFS) Medicare plans. RACs also detect errors to direct CMS actions (directly and through MACs) that will prevent future improper payments. Providers should note that CMS pays RACs a percentage of the amounts they recover, which incentivizes aggressive RAC scrutiny, as well as the likelihood that a provider organization will be audited by a RAC. RACs may audit claims going back three years from the date of payer reimbursement.
Supplemental Medical Review Contractors (SMRCs) reduce improper payment rates through medical review of Medicare Part A, Part B, and DME claims. Noridian Healthcare Solutions serves as the nation’s SMRC and detects healthcare administrative inefficiencies, suboptimal care, fraud, and abuse. SMRC reviews that detect improper payment or fraud may trigger a recovery payment process through a MAC.
Unified Program Integrity Contractors (UPICs) conduct regional activities to detect and deter abuse, waste, and fraud for medical claims filed through Medicare Part A and Part B, Medicaid, and the Medicare-Medicaid data match program. UPICs also target DME and home health and hospice under Medicare. UPIC contracts operate in five U.S. regions and fulfill responsibilities previously met by the Zone Program Integrity Contractor (ZPIC), Program Safeguard Contractor (PSC), and Medicaid Integrity Contractor (MIC) contracts.
Investigations Medicare Drug Integrity Contractor (I-MEDIC) is responsible for monitoring fraud, waste, and abuse initiatives in the Medicare Advantage (Part C) and prescription drug coverage (Part D) benefits. Part D benefits are specific to providers, prescribers, and pharmacies.
Plan Program Integrity Medicare Drug Integrity Contractor (PPI MEDIC) is responsible for the Part C and Part D proactive data analysis, audits, risk assessment reports, and plan sponsor education and outreach.
Assigned various jurisdictions, these contracted entities perform claims analysis to identify questionable billing patterns and ensure that CMS reimbursement is made only to services meeting coding, medical necessity, and Medicare coverage requirements.
CMS’ Review Contractor Directory notes that one or several of these contractors may request claims records from providers.
The listed contractors are considered federal auditors. Their ongoing scrutiny is the reason every medical practice should staff a certified medical auditor. Routine internal audits, and external audits conducted by objective third-party auditing services, enable healthcare organizations to discover their compliance oversights. Implementing an auditing program is the most effective defense against federal and payer audits.
CMS, in its efforts to protect Medicare’s Hospital Insurance Trust Fund and the Supplementary Medical Insurance Trust Fund, is well fortified. The U.S. Department of Health and Human Services (HHS) oversees CMS, and the HHS Office of Inspector General (OIG) dedicates itself almost entirely to preventing healthcare waste, abuse, and fraud from siphoning taxpayer dollars from the trust funds.
Bottom line: Noncompliance is expensive. It costs federal and commercial payers through inappropriate payments, as well as programs to investigate, prevent, and recoup those payments. This cost is passed down to provider organizations through paybacks and, when applicable, monetary penalties.
While the OIG works with MACs and other auditors to detect abusive billing patterns, it also works with the Department of Justice and states’ attorneys general to facilitate legal actions. Medical coding and billing that violate state or federal laws can cost physician offices and other healthcare organizations in terms of:
Payback demands;
Fulfillment of a corporate integrity agreement;
Employment of an independent review organization;
Prosecution under the False Claims Act and other federal/state laws;
Civil monetary penalties;
Criminal penalties.
Importance of Medical Auditing
Medical auditing performed by the provider organization, or through a third-party on its behalf, will keep coding and billing errors in check. Audits not only identify incorrect coding, but also prevent incorrect coding from being repeated. Habitual claims errors impose a cumulative effect on an organization and, worse, invite federal reproach.
By uncovering areas of noncompliance, medical auditing resolves ignorance, and ignorance is a liability. To understand why the provider organization is responsible for detecting inappropriate coding and billing practices, consider that:
A pervasive error pattern resulting in higher reimbursement looks like fraud and may be indiscernible from fraud; and
A pervasive error pattern resulting in higher reimbursement for the provider has the same effect as fraud on the payer.
The laws governing healthcare fraud, chiefly the FCA, account for the ambiguity of intent in habitual overcoding and overbilling. The deliberate objective to defraud is not required for prosecution and penalty under the FCA.
The act of submitting a claim to Medicare or Medicaid is synonymous with certifying that the provider earned the payment requested, as coded on the claim. The OIG underscores the mandate of the FCA, explaining, “If you knew or should have known that the submitted claim was false, then the attempt to collect unearned money constitutes a violation.”
The key phrase to note is “should have known.” The OIG also states, “It is illegal to submit claims for payment to Medicare or Medicaid that you know or should know are false or fraudulent.” This means that healthcare organizations are accountable by law for errors such as upcoding, double-billing, unbundling, failing to establish medical necessity, and other errors that falsely claim unearned money.
Why is medical auditing of critical importance? Damages may be triple the claim amount in addition to a penalty that is linked to inflation.
What Does a Healthcare Auditor Do?
A professional medical auditor reviews coding accuracy, policies, and procedures to ensure that an organization is running an efficient and liability-free operation. The auditor must possess knowledge of medical coding, medical terminology, clinical documentation, compliance, and regulatory guidelines. The auditor also must be able to determine the scope of an audit, use approved tools to perform it, compile data, report findings, and provide corrective recommendations and staff training.
Most medical auditors are experienced medical coders with advanced training. Auditors may work on behalf of an insurer, government agency or contractor, or healthcare provider. In the latter workplace, auditors play a key role in the organization’s financial compliance by:
Reducing claims denials caused by inappropriate coding or insufficient documentation;
Determining outliers before payers ask the practice to conduct an internal audit;
Revealing variation from national averages due to inappropriate coding;
Avoiding a RAC audit or requests for medical record documentation from federal contractors;
Ensuring proper documentation that supports reported services and procedures;
Discovering overpayments and protecting against false claims liability; and
Identifying reimbursement deficiencies.
Auditors who conduct successful medical coding audits, impart knowledge to resolve noncompliant billing activity. This enables providers and staff to protect patients and achieve optimal reimbursement without risk of punitive actions.
Federal Audit Targets
Being aware of federal audit target trends based on claim errors is the first step to ensuring an organization doesn't invite a MAC or RAC audit. Several publications detail current targets and problem areas, directing medical coders toward vigilance and auditors toward proactivity. The two most definitive publications are the OIG Work Plan and the Comprehensive Error Rate Testing (CERT) report.
OIG Work Plan
Through ongoing assessments, the OIG prioritizes issues posing threats to Medicare trust funds. It then allocates resources to conduct audits targeting those issues in its Work Plan, which is updated monthly to address emerging issues.
A certified medical auditor should know what’s listed on the Work Plan. This knowledge allows the auditor to inform staff of billing practices that have been flagged as high risk for fraud and abuse and prepare for upcoming audits.
In addition to publishing its Work Plan, the OIG creates consumer fraud alerts, advisory opinions, and audit reports that influence auditing behavior among MACs and commercial payers.
CERT Report
CERT is a CMS initiative developed to measure improper payments in the Medicare FFS program. Testing is conducted annually with the goal of reducing payment to inappropriate claims.
For each reporting period throughout the year, CERT chooses a statistically valid stratified random sample of FFS claims submitted to A/B MACs and DME MACs. CERT then requests the supporting documentation for the sampled claims so they can be reviewed against their documentation by a medical review professional.
If the medical review professional discovers that coding, billing, and/or Medicare coverage criteria were not met, the claim is identified as a total or partial improper payment.
Through this annual review, CMS calculates the overall Medicare FFS improper payment rate. All data is then itemized in the annual CERT report.
CMS advises all provider organizations — from small physician practices to multihospital health systems — to carefully review the annual CERT report to identify their respective organizations’ potential areas of exposure. In the same manner, auditors gain insight by using third-party payer-provider bulletins, RAC-identified vulnerabilities (listed on their websites), and the OIG Work Plan.
Knowledge is power. If it’s on payers’ radars, it should be on the auditor’s radar. Auditing for pervasive claim problems will ensure an organization doesn’t overlook them.
Medical Chart Audit Process
The only way to verify coding accuracy is to compare the coding against the medical record documentation. The medical charts review, a frequently conducted healthcare audit, looks at documentation and claims information to determine if claims have been appropriately coded.
Chart auditing programs have become necessary in response to the increase in federal payer audits. Even commercial payers have geared up teams to conduct frequent and random hospital and medical practice onsite and offsite compliance audits.
When a provider organization performs an internal audit — or hires an independent auditor to perform an external audit — the organization learns if its claims will withstand government scrutiny. The audit also provides an opportunity to self-report and correct issues that pose a threat to the organization’s financial viability.
All medical coders should learn how to conduct an audit in view of its potential value to their employer (and their coding careers). Fortunately, the audit process is easy to understand when broken down to its component parts.
Step 1: Plan the Medical Record Audit
Perhaps a medical record audit is necessary to establish a baseline of coding accuracy for the organization or to assess the effectiveness of previous staff training related to areas targeted by audits. Auditing objectives range from investigating areas of insufficient documentation to identifying improper coding, billing activity, and postpayment risks. In any case, conducting an audit to produce useable data requires planning. Questions to consider include:
Does benchmark data from previous audits exist?
Do benchmarks suggest the focus of the audit (e.g., new patient visits, consultations, office visits, hospital visits, etc.)?
Do other events suggest the focus of the audit (e.g., claims denials, federal audit targets or error reports, a new regulation or guideline, a new internal policy or software platform, a new medical coder or provider)?
Will the audit evaluate revenue and compliance?
Is the audit prospective (before filing the claims) or retrospective (after filing the claims)?
How many charts will be reviewed?
Is there a measure for the focus (e.g., utilization patterns)?
Which audit tools will be used (e.g., code sets and guidelines, payer guidelines, fee schedules, and specialized software)?
Chart auditing is an iterative process, meaning the process is repeated, and what’s learned from one audit affects the starting point for the next, including the frequency of audits. As charts are audited, the answers to these questions will likely change.
Step 2: Choose Between 2 Basic Auditing Methods
A prospective audit helps identify and correct problems before sending claims to the payer. A prospective audit reviews the documentation and codes billed to the payer. This identifies inconsistencies or errors, although it may delay the billing process.
A retrospective audit is a postpayment audit to evaluate whether services that were previously reported to a payer were appropriate and consistent with the payer’s binding rules. The auditor reviews the documentation, claim forms, and sometimes the explanation of benefits (EOBs) to ensure proper medical billing.
Each medical practice must determine which type of audit method will work for its environment. Note that errors identified in the retrospective audit must be resolved through corrected claims, refunds to the payer, and possible fines.
Step 3: Decide the Audit Approach
Choosing between a focused audit and a random audit will depend on which approach serves the audit’s objectives.
Focused audits center around a particular service item, provider, diagnosis, etc. For instance, a single provider who is trending in above-average reimbursement may need to be audited. Or maybe the organization is struggling with modifier errors.
Random audits refer to comprehensive reviews involving a sample of charts arbitrarily selected to indicate compliance problems reflected in all charts. The sample will come from a designated period, preferably within the last three months. This type of audit pinpoints areas to focus improvement efforts and training. Baseline audits — designed to inform the medical practice how it fares in relation to correct coding and billing — are typically random audits and should include all coding practices, services, and practitioners in the organization.
Step 4: Determine Audit Scope
Determining the scope of the audit involves honing or defining factors that influenced the decision to perform a focused or random audit.
A random sampling may be chosen if this is the practice’s first audit. If the organization has conducted previous audits, past audit reports should suggest a focus area such as initial office visits, consultations, inpatient visits, or certain diagnosis codes. Reasons might necessitate a payer-focused audit and require a review of charts billed exclusively to Medicare, Medicaid, or another payer. Similarly, a provider-focused audit or a coder-focused audit may be performed. Maybe review is necessary for high-volume services or those with high denial rates.
Priority should define the audit scope. The focus of the audit should be on coding and billing complexities with a heightened potential to affect reimbursement or liability. Less urgent target areas should be scheduled with a recurring yearly audit work plan.
In defining the audit scope, the auditor should include the sample date range.
Step 5: Determine Sample Size
The audit sample should use a percentage of patient encounters that represent the encounter types. Auditing too few records may distort results, while auditing too many becomes impractical in terms of time and labor.
The standard audit sample size ranges from 10 to 15 charts. When conducting an audit involving multiple physicians, the OIG recommends five to 10 charts per medical provider.
The OIG also recommends using RAT-STATS to help with statistical sampling. This tool is provided for free through the OIG and will tell an auditor how many charts to pull for an accurate sample size.
Tools such as RAT-STATS allow the practice to understand the sampling methodologies used by payers. This allows the practice to remain proactive in compliance efforts by mining information that reflects high-risk areas. If the practice can identify these areas, audit the documentation and coding, and provide education based on variances, then the practice will lower the probability of having a payer audit reveal hidden liabilities.
Step 6: Select Audit Tools
Prioritizing efficiency when selecting an audit tool is important when auditing the medical record. If the auditor is conducting a review of surgical notes, for example, a surgical audit tool should be used. If the auditor is conducting an evaluation and management (E/M) audit, the tool needs to reflect the practitioner guidelines.
Some auditors choose audit software to audit records, print an audit report, and help analyze the data. Keep in mind that software does not have the capability to evaluate medical necessity. This is a “thinking” process that requires the auditor to possess a strong background in medical coding.
When selecting an audit tool, remember that tools vary among payers. MAC tools may vary, as well. The auditor should choose according to the audit scope, using a payer- or MAC-specific tool when applicable.
It’s also imperative to have references on hand. For accuracy and to support audit findings with verifiable guidelines, the auditor should refer to:
ICD-10-CM, CPT®, and HCPCS Level II code sets and guidelines when auditing outpatient organizations
CPT® Assistant references and AHA Coding Clinic® references
Frequency reports by physician (utilization of levels of service obtained by the medical billing software) and utilization based on specialty (can be obtained by insurance carrier)
Physician’s fee schedule by insurance carrier
Payer guidelines and payment policies
Medical terminology reference, such as a medical dictionary
The OIG Work Plan
Step 7: Locate Documentation
Once the sample size and charts have been identified, documentation pertaining to the date of service (DOS) for charts under review will need to be collected. In addition to a note, the medical record for the patient encounter might include labs, forms, images, and other miscellaneous items. All documentation is required to successfully conduct the review.
In a retrospective audit, the superbill/charge ticket, patient chart, claim form or billing record (to validate what was submitted), and the explanation of benefits (EOB) or remittance advice for each patient encounter is needed.
The auditor should become familiar with the chart organization, special forms including the history form, problem list, and medication sheet.
Step 8: Conduct the Audit
Use tools and resources to perform the audit. Be sure to review both coding and documentation. Pay attention to the guidelines in the CPT®, ICD-10-CM, and HCPCS Level II coding books, as well as ensuring proper documentation. Double-check coding criteria for services, such as:
New versus established patient
Consult versus transfer of care (referral)
Time-based code requirements
Critical care services
Hospital services
Nonphysician practitioner services
Step 9: Analyze Audit Findings
Once the audit is complete, the findings must be analyzed and problem areas identified, such as:
Improper assignment of CPT® or HCPCS Level II codes for procedures or services
E/M levels not supported by documentation
Incorrect diagnosis codes, including ICD-10-CM codes that don’t capture optimum specificity or support medical necessity
Missing modifiers and/or incorrect modifier usage
Incorrect diagnosis linkage
Services performed but not billed
Step 10: Create the Audit Analysis and Summary Report
The audit findings need to be compiled in a concise report. The writing style should be detailed, persuasive, and clear regarding what was audited and how the audit was performed.
Identify the number of encounters documented correctly and incorrectly. Note trends and errors in coding. Each error or risk area should be outlined categorically and labeled to define the category (for example, particular CPT® code, particular payer, particular provider, or specialty). All errors should be explained and include a citation to the appropriate standard.
Finally, suggest remedial actions. Recommendations might include additional training or modification of documentation systems. Include recommendations for follow-up analysis to evaluate the effectiveness of the corrective action.
The auditor’s approach to communicating the audit results is as important as the audit approach. Choose a constructive tone to avoid defensive reactions that could sabotage improvement efforts. Also give the staff time to review the results and prepare questions before meeting. The audit report should be the first postaudit communication. Know the audience and personalize findings for the medical coder, the physician, and the nonphysician practitioner.
Step 11: Meet with Coders, Practitioners, and Ancillary Staff
Discussing audit findings allows the auditor to address risks and the corrective actions to mitigate them. Allow enough time to talk about each case, offer suggestions, and answer questions.
When conferencing with the provider, the auditor may get pushback. Providers concerned with patient care may not prioritize learning the details of coding and compliance. Auditors can help providers understand the importance of these areas by speaking to their concerns. For instance, if the provider is concerned about unwanted attention from CMS, the auditor can outline the potential risk of an audit. Some auditors also show providers examples of how inaccurate coding can lead to revenue loss.
Let staff members know what they did well and how they can improve. If a physician isn’t documenting a thorough assessment and plan, for example, explain why capturing these elements is important for the patient and the practice. If audit findings are under dispute, substantiate them with hard copies of payer and coding guidelines.
Remember, the tone of communication is crucial. The goal is to establish open dialogue.
Step 12: Make Recommendations for Improvement
The audit won’t benefit the organization if efforts aren’t made to address utilization pattern abnormalities, coding errors, and documentation deficiencies.
Use audit findings to educate providers on how to improve clinical documentation. Recommendations might include shadowing sessions or creating “cheat sheets” to help practitioners capture the full clinical story and all services provided during the patient encounter.
Audits can also direct ancillary staff training. Tailor education to correct detected problems. Educate medical coders and billers on the proper coding and billing of CPT® codes, ICD-10-CM codes, HCPCS Level II codes, and modifiers.
If internal policy causes error, revise the policy. Commit to following through on all recommendations, particularly audit-tailored training, monitoring, and suggested target areas of future audits.
Step 13: Provide Ongoing Monitoring and Assessment
Consult with providers and the compliance officer or practice manager to establish (or modify) an audit work plan. A general rule to determine how often to conduct a chart review is “more errors, more audits.” Create a timeline based on the audit results.
For instance, if reviewed charts achieve 90 percent accuracy, a standard annual audit should keep the organization compliant. Up the audit cycle to every quarter if accuracy drops between 75 and 90 percent. Audit monthly for accuracy below 75 percent. Finally, perform a prospective audit with accuracy below 60 percent. The workload might seem daunting, but the alternative is worse.
Step 14: Execute Audit Follow-Up
If an identified error has resulted in payer overpayment, it’s necessary to report it to the payer. The organization may voluntarily return the overpayment or request that the payer initiate a demand letter. How refunds are handled will depend on the payer who made the overpayment.
If, however, the overpayment is suspected to be linked to a pattern of claim errors that has accumulated overpayments, there is an obligation to investigate and initiate a focused audit. If findings confirm a significant error rate involving overpayments, the organization should seek legal counsel regarding the next steps.
Auditors don’t handle self-disclosures. When one is needed, legal counsel should take over the disclosure process and participate in the creation of a corrective action plan.
Hire an External Auditor
AAPC has an audit services division, AAPC Client Services. It provides full-service healthcare compliance and corporate integrity audits for outpatient practices, health plans, healthcare attorneys, and government regulators to ensure supported medical necessity, correct coding, and compliance with regulatory issues. Get more information on how AAPC Client Services can fulfill auditing needs.
Schedule a medical chart review.
Medical Audit Checklist
Is the patient eligible for the DOS on the claim?
Do the claim demographics and data specifically match the medical records? For example, check for the same name, birth date, DOS, place of service (POS), etc.
Is the billing provider the rendering provider? And is this a licensed provider?
Was the required documentation submitted?
Is this the only claim submitted by the provider? Review the patient’s claims history for a previously denied or paid claim from this same provider for the same DOS, codes, and charges.
If there is a previously paid claim, what codes (claim lines) were paid and what were denied?
If there are claim lines denied, what was the reason?
What records were submitted with the previous claim? Are they the same or were additional records sent?
Is this a duplicate claim submitted by the provider?
Is the provider split-billing services performed on one DOS onto more than one claim?
Does the medical record align with the CPT® and HCPCS Level II codes on the claim? Look for upcoding, miscoding, unlisted codes, and unbundling of services.
Are modifiers clearly supported and used appropriately in the medical records? For example, is there enough notation to support modifier 25 Significant, separately identifiable evaluation and management service by the same physician or other qualified health care professional on the same day of the procedure or other service? Are modifiers 26 Professional component and TC Technical component supported by the billing provider and the POS?
Are the number of units billed correctly? Does the claim report 1 unit or multiple units for the code, as appropriate?
Do the ICD-10-CM codes reported on the claim align with the medical documentation? And are the diagnoses coded to the greatest specificity based on documentation?
If the claim is billing for radiology, is there an interpretation of the report included? An interpretation is required when a provider is billing the professional component only or billing a global service (both technical and professional components).
If the claim contains billing for DME, does the medical record include any required physician orders or prescriptions?
At the end of the medical record, is the documentation authenticated by the rendering provider? Are the rendering provider signature requirements met? What type of a signature is listed?
Last reviewed on Feb. 7, 2025, by the AAPC Thought Leadership Team
Presented by
Certified Professional Medical Auditor (CPMA)®
As a CPMA, you will use your proven knowledge of coding and documentation guidelines to improve the revenue cycle of nearly all types of healthcare practices.