Medical Coding Audit Preparation Guide: How to Survive a RAC, OIG, or Internal Audit

By Valiant Lifecare Editorial Team·Published August 18, 2026

Direct Answer

Medical coding audits evaluate whether billed services are supported by documentation and coded correctly. The major audit programs targeting physician practices and hospitals include:

- Recovery Audit Contractors (RACs) — CMS-contracted auditors who identify Medicare overpayments and underpayments
- OIG investigations — Office of Inspector General audits and investigations triggered by statistical anomalies or complaints
- Targeted Probe and Educate (TPE) — MAC-conducted claim review programs focusing on high-error areas
- Payer audits — commercial and government payer post-payment reviews

Preparation is the key to audit survival: practices that conduct regular internal audits, maintain strong documentation, and respond to audits systematically recover more on appeal and avoid extrapolated overpayment demands.

Types of Coding Audits

Understanding the audit type determines the response strategy, timeline, and stakes:

- Recovery Audit Contractors (RACs): CMS contracts with RAC organizations to identify improper Medicare payments on a contingency fee basis; RACs conduct both automated reviews (no medical record needed) and complex reviews (records reviewed by clinical staff); RACs can look back three years from the date of payment; RAC issues include DRG validation for inpatient claims, level of care (inpatient vs. observation), and E&M code level appropriateness for professional claims.
- Targeted Probe and Educate (TPE): MAC-driven program that selects providers with high claim error rates for 20–40 claim reviews; if errors are found, the provider receives education and is re-reviewed; three rounds of TPE without improvement can result in prepayment review (all claims require prior review before payment).
- Comprehensive Error Rate Testing (CERT): national random sample audit program that measures the Medicare Fee-for-Service error rate; CERT audits are not targeted — any provider can receive a CERT request.
- Unified Program Integrity Contractors (UPICs): successor to ZPICs; investigate potential fraud, waste, and abuse; can suspend payments pending investigation.
- OIG audits and investigations: often follow statistical analysis of billing patterns or whistleblower complaints; can result in Civil Monetary Penalty actions, exclusion from Medicare/Medicaid, or criminal referral.
- Payer post-payment audits: commercial payers conduct their own post-payment reviews, often focused on high-value codes, E&M level distribution, and specialty-specific patterns; payer audits follow the payer contract's dispute resolution provisions.

High-Risk Coding Areas Auditors Target

RAC and OIG audit targets change annually but consistently include:

- E&M level upcoding: billing level 4 (99214) or level 5 (99215) office visits at rates significantly higher than specialty peers is a statistical red flag; auditors review whether documentation supports the medical decision making (MDM) or time required for the billed level.
- Place of service errors: billing POS 11 (office) when service was delivered in a facility (POS 22 outpatient hospital) inflates the payment because non-facility rates are higher than facility rates.
- Modifier 59/X-modifier misuse: as discussed in NCCI guidance, systematic modifier 59 use to bypass bundling edits is a top audit target.
- Global surgery period violations: billing E&M services during a procedure's global period without a modifier (57 or 24) indicating the visit was unrelated to the surgery.
- Upcoded diagnoses for HCC risk adjustment: in Medicare Advantage and ACO programs, coding conditions to higher HCC categories without documentation support attracts OIG attention.
- Incident-to billing: billing under a physician's NPI for services actually performed by a non-physician provider when the incident-to requirements (physician present in office suite, established patient, plan of care) were not met.
- Laboratory and pathology unbundling: billing component lab codes when a panel code is required.
- DME billing: face-to-face documentation requirements for DME orders are frequently cited as deficient.
- Telehealth billing: audit interest is high following the pandemic's telehealth expansion — POS codes, audio-only restrictions, and prescribing limitations for controlled substances via telehealth are active audit areas.

Responding to ADRs and Documentation Requests

An Additional Documentation Request (ADR) is a formal request from a payer, MAC, or RAC for medical records to support a claim. Proper ADR response:

- Respond within the deadline — ADR response deadlines are strict (typically 30–45 days); missing the deadline results in automatic denial of the claim and waives appeal rights for that request.
- Identify the correct records — pull the complete medical record for the date of service including: progress notes, orders, results, medication records, operative reports (if a surgical claim), or any documentation supporting the billed service.
- Review the documentation before submitting — before submitting, a coder or compliance officer should review whether the documentation supports the billed codes; if there is a deficiency, assess whether it can be addressed by: a late addendum (a provider addendum to the record with proper date/time stamping and the late entry notation); querying the provider for missing information.
- Submit a complete, organized response — send the complete record, not excerpts; include a cover letter identifying the patient, DOS, claim number, and the specific codes being reviewed; retain a complete copy of everything submitted.
- Follow up on the ADR status — confirm receipt and track the review timeline.

Documentation that is frequently deficient in ADR reviews:

- missing chief complaint or reason for service
- medical decision making not clearly documented (complexity of problems, amount/complexity of data, risk of complications)
- time-based services (therapy, counseling) without a start/stop time or total time documented
- signatures without credentials or date
- electronic health record copy-paste issues where notes look identical across visits ("note cloning")

Overpayment Demands and Appeals

If an audit results in an overpayment demand, the provider has both appeal rights and repayment obligations:

- Medicare appeals process (5 levels):
  - Level 1 — Redetermination: submitted to the MAC within 120 days of the initial determination; often the fastest resolution for clear documentation issues.
  - Level 2 — Reconsideration: submitted to the Qualified Independent Contractor (QIC) within 180 days of the redetermination decision.
  - Level 3 — Administrative Law Judge (ALJ) hearing: requested within 60 days of the QIC decision; ALJ hearings are the most favorable level for providers — ALJs are more independent from CMS than MAC and QIC reviewers.
  - Level 4 — Medicare Appeals Council (MAC): review by the CMS MAC within 60 days of the ALJ decision.
  - Level 5 — Federal District Court: for claims over $1,740 (2024 threshold, adjusted annually).
- Repayment and recoupment: Medicare will begin recouping the overpayment demand from future payments if not timely appealed; filing a Level 1 or Level 2 appeal stays the recoupment; if the appeal is not filed or fails, recoupment begins at Level 3.
- Extrapolation: RACs and other auditors may use statistical sampling and extrapolation to project a small sample's error rate to a larger claim population — a 10-claim sample with a 30% error rate can become a demand for repayment on 3,000 claims based on that extrapolation; challenging extrapolation methodology is possible and sometimes successful at ALJ; if the sample is too small for statistical validity, the extrapolation can be invalidated.
- Self-disclosure protocol: if an internal audit identifies overpayments, CMS's Self-Referral Disclosure Protocol (SRDP) and the OIG's Self-Disclosure Protocol allow voluntary repayment with reduced penalties compared to a government-initiated audit finding.

Building an Internal Audit Program

A proactive internal coding audit program is the most effective defense against external audits — it finds errors before auditors do and demonstrates compliance intent. Program elements:

- Audit frequency and scope: at minimum, a quarterly audit of a random sample of 5–10 claims per provider per specialty; higher frequency for new providers, newly added services, or services that have been audit targets; include both pre-payment (retrospective review before billing) and post-payment (review of submitted claims) elements.
- Code-specific targeted audits: schedule targeted audits for high-risk codes — E&M level distribution audit, modifier 59 use audit, global period billing audit, incident-to billing review.
- Coding accuracy metrics: track error rate by provider, by code type, and by payer; target error rates below 5% for established codes.
- Coder education and feedback: every audit finding should result in specific coder education addressing the root cause; track repeat errors to identify coders who need additional training.
- Provider feedback loop: coding audit findings must be communicated to the providers whose documentation is generating the errors — coder education alone is insufficient if the documentation itself is the problem.
- Annual OIG Work Plan review: each October, the OIG publishes its new Work Plan identifying billing areas under active scrutiny; review the Work Plan annually and add newly targeted areas to the internal audit schedule.
- Compliance program documentation: maintain written audit logs, findings reports, education records, and corrective action plans; in the event of an external audit, this documentation demonstrates the practice's good-faith compliance effort and is relevant to penalty mitigation.

FAQ

What is the difference between a RAC audit and a MAC Targeted Probe and Educate review?

RAC audits and MAC TPE reviews are both Medicare post-payment claim review programs, but they operate under different authorities, with different goals and different consequences.

RAC (Recovery Audit Contractor) audits: RACs are private contractors paid on contingency — they receive a percentage of the overpayments they identify; RACs conduct both automated reviews (claim-level editing without records) and complex reviews (clinical staff reviews medical records); RACs can look back three years from the date of payment; RAC audits are specifically targeted at identifying overpayments (and, less commonly, underpayments); when a RAC identifies an overpayment through complex review, the MAC recoups the amount from future payments unless the provider appeals; RAC focus areas change and are published on the CMS website — current targets include specific DRGs, procedure codes, and modifier combinations.

MAC Targeted Probe and Educate (TPE): TPE is conducted by the Medicare Administrative Contractor (MAC) that processes the provider's claims, not by a separate RAC contractor; TPE selects providers who have higher-than-expected claim error rates for a specific service; the MAC reviews 20–40 claims for the targeted service and provides individual education to the provider based on findings; the goal is education and compliance improvement, not simply overpayment recovery; three rounds of TPE without improvement can result in prepayment review — the most significant TPE consequence — where every claim for the targeted service must be reviewed before Medicare pays; prepayment review creates a severe cash flow disruption and is the strongest incentive to resolve compliance issues identified in TPE.

Key strategic difference: RAC audit response is primarily about documentation defense and appeals; TPE response is primarily about education and process improvement to demonstrate compliance before the MAC escalates to prepayment review.

How should a practice respond when it discovers its own coding errors through an internal audit?

When an internal audit identifies overpayments — meaning services were billed at a higher level than the documentation supports, or services were billed that were not performed or not covered — the Affordable Care Act (ACA) created a legal obligation to repay.

The 60-day rule: the ACA requires providers to report and return identified Medicare and Medicaid overpayments within 60 days of identifying them; failure to repay within 60 days converts the identified overpayment into a potential False Claims Act violation, with penalties of $13,000+ per claim plus treble damages.

Step-by-step response:

1. Quantify the overpayment: calculate the exact overpayment amount for the identified error pattern; determine whether the errors are isolated or systemic (affecting multiple providers or a time period).
2. Determine lookback period: Medicare's lookback period for self-identified overpayments is six years; the 6-year lookback is standard, though providers can use risk-stratified analysis to prioritize the highest-value periods.
3. Choose the repayment pathway: direct repayment to the MAC for straightforward overpayments; OIG Self-Disclosure Protocol for potential False Claims Act violations (inflated penalties, systemic errors, or errors that appear willful); Self-Referral Disclosure Protocol (SRDP) for Stark Law-related overpayments.
4. File the self-disclosure: submit to the MAC with a cover letter explaining the identified error, the overpayment calculation methodology, and the corrective action plan implemented to prevent recurrence.
5. Document everything: maintain complete records of the audit that identified the error, the calculation methodology, the repayment submission, and the corrective actions; this documentation is the practice's protection if a future external audit covers the same period.

Voluntary self-disclosure, done correctly, typically results in lower penalties than a government-initiated audit of the same conduct.

Proactive Coding Audits That Find Errors Before the RAC Does

Valiant Lifecare's compliance audit services include internal coding accuracy reviews, E&M level distribution analysis, modifier use audits, ADR response management, and overpayment appeal preparation — protecting your practice from external audit risk while maximizing compliant reimbursement.

Valiant Lifecare Editorial Team

Healthcare compliance specialists with expertise in RAC audit defense, MAC TPE response, ADR documentation preparation, overpayment appeal strategy, Medicare appeals process, internal coding audit program design, and OIG Self-Disclosure Protocol submissions.

Frequently asked

Common questions on this topic

Why does coding accuracy matter for revenue?

Coding accuracy determines whether claims are paid the first time and at the right rate. A 1-point gain in coder accuracy typically returns 1–2% in net revenue and meaningfully reduces audit exposure.

What is the audit benchmark for coding accuracy?

Most payers and OIG audits expect ≥95% coding accuracy. High-performing organisations target 97–98% with a 5% sample-rate QA process and quarterly coder recalibration.

How often should coding guidelines be reviewed?

ICD-10-CM, CPT and HCPCS code sets change annually (October and January). Coding policies and superbills should be reviewed at least quarterly, and immediately after every CMS rule cycle.

How can Valiant Lifecare help my organisation?

Our RCM, risk adjustment, HEDIS abstraction, coding and clinical analytics teams build sustainable revenue and quality programs for US health plans and providers. Talk to us about a free 30-minute consultation tailored to your data.

Where is Valiant Lifecare based?

Valiant Lifecare operates from delivery centres across the US (Delaware) and Asia Pacific (Pune, India), serving health plans, hospitals and specialty groups across the United States.
