The ABCs of Medicare and Medicaid Claims Audits: Understanding the Audit Contractors

CMS Audit Series

Because Medicare and Medicaid claims audit requests can look like routine billing-related correspondence, they can be easy to miss, leading to expensive and potentially catastrophic consequences. Providers, therefore, should be prepared to identify and promptly and diligently respond to any audit requests from government contractors. This alert – the first in a three-part series – explores the different types of audit contractors and their respective scopes of work to assist providers in identifying the contractors, the mechanics of their specific requests, and the issues they present. In future installments, we will discuss how to best respond to audits, the potential ramifications of negative results, and how to appeal negative audit results. 

As discussed in the Bass, Berry & Sims Healthcare Fraud & Abuse Review, healthcare providers and suppliers (Providers) face increased government scrutiny from whistleblower lawsuits under the False Claims Act and government regulators pursuing civil and criminal healthcare fraud enforcement. A significant area of government scrutiny includes claims reviews by the Centers for Medicare & Medicaid Services (CMS) and its audit contractors to ensure CMS accomplishes its stated mission for program integrity to “prevent, detect and combat fraud, waste and abuse in the Medicare and Medicaid Programs.”  A key component of CMS’s program integrity efforts includes different types of program integrity audits, often run by third-party government contractors.

Types of CMS Contractor Audits

Common types of Medicare and Medicaid audits include:

  • Targeted Probe & Educate (TPE) Program audits.
  • Unified Program Integrity Contractor (UPIC) audits.
  • Supplemental Medical Review Contractor (SMRC) audits.
  • Comprehensive Error Rate Testing (CERT) audits.

While these audits are the most common, Medicare and Medicaid Providers may encounter other audits, including audits conducted directly by CMS’s Center for Program Integrity and quality of care-related audits by quality improvement organizations (QIOs) and state agencies. Understanding the different audit types can decrease the administrative burden and costs on a Provider when they are inevitably faced with an audit.

Targeted Probe & Educate (TPE) Program Audits

As the name suggests, TPE audits are intended to educate Providers on specific billing issues to increase accuracy and reduce claim denials and appeals, but they can also result in penalties. During TPE audits, Providers are subject to up to three rounds of claims reviews (both pre-payment and post-payment) and individualized education. Medicare Administrative Contractors (MACs) target Providers identified through data analysis as having high claim error rates or unusual billing practices compared to their peers.

TPE audits start with the receipt of a “Notice of Review” letter from a Provider’s MAC requesting 20-40 claims for each healthcare item or service under review. Once the Provider submits the supporting medical records for the selected claims, the MAC reviews and determines whether the Provider is compliant. If the MAC denies any claims, the Provider is invited to a one-on-one education session where the MAC reviews the improper claims and provides education on how to correctly bill for the specific items or services that were improperly billed. The Provider also receives a “Final Results Letter” from the MAC before or after the education session. At the end of the round, the MAC calculates the Provider’s claim error rate to decide whether an additional round of TPE is appropriate. The Provider has the right to appeal any denied claims.

An additional round of TPE review may only review claims with dates of service at least 45 days after the previous round’s one-on-one education session, thus providing the Provider an opportunity to incorporate the changes learned during the previous round’s education session. While a TPE audit is typically comprised of up to three rounds, additional rounds could occur at CMS’s discretion. Once a Provider is found to be compliant, it will not be subject to a TPE audit on the same topic for at least one year unless there are significant changes to the Provider’s billing.

If the Provider continues to have a high error rate after the third round, the MAC will refer the Provider to CMS for further action. While MACs conduct a substantial amount of TPE audits every year, only a small percentage of Providers fail all three rounds of review. Providers should take TPE audits seriously, however, as the outcomes from failure can be substantial, including but not limited to 100% pre-payment review, extrapolation, or even revocation.

Unified Program Integrity Contractor (UPIC) Audits

CMS established the UPICs to consolidate program integrity activities formally performed by the Zone Program Integrity Contractors (ZPICs), Program Safeguard Contractors (PSCs), and Medicaid Integrity Contractors. As a result, UPICs are the only program integrity contractors that monitor both the Medicare fee-for-service (FFS) and Medicaid programs. UPICs are responsible for identifying and protecting against fraud, waste, and abuse using both pre-payment medical reviews and post-payment audits. UPIC audits should be taken very seriously as they can result in high-dollar extrapolated overpayment demands, payment suspensions, and referral to law enforcement for additional review.

UPICs identify potentially fraudulent billing in several ways, including data mining to uncover billing aberrancies that could indicate fraud, waste, and abuse. UPICs also investigate referrals from MACs, CMS, the Office of Inspector General for Health and Human Services (HHS OIG), beneficiaries, Providers, suppliers, state Medicaid Fraud Control Units, and others. After a UPIC has determined it has a potential lead, it is required to screen the lead before contacting the Provider in question. The screening process may include coordination with the MAC on prior activities, such as prior education efforts and appeals, data analysis, and beneficiary interviews. If the UPIC determines the lead warrants further investigation, it submits the lead to CMS for approval to open an investigation.

For Providers, the first sign of a UPIC audit is typically a site visit and/or a documentation request. Providers should scrutinize the UPIC’s documentation request to better understand the focus of the UPIC’s review. The number of medical records being requested could also provide a clue. If only a small number of claims are requested (less than 10, for example), this could indicate that the UPIC is conducting a probe sample to validate the initial data analysis or allegation that led to the audit to determine the need for additional post-payment medical review actions. If the UPIC’s request is for 30 or more claims, it is likely the UPIC is reviewing claims in connection with what it will call a statistically valid random sample, which may lead to a determination of an extrapolated overpayment.

If an overpayment is detected based on a post-payment audit, the UPIC shares that information with CMS and, if relevant, the state Medicaid agency. The Provider then receives a review results letter from the UPIC and a demand letter from the MAC to recoup the overpayment. For Medicaid, if CMS approves of the UPIC’s findings, the matter is referred to the state Medicaid agency for recoupment. Additionally, UPICs may refer cases to the Department of Justice, HHS OIG, and state Medicaid Fraud Control Units for civil or criminal prosecution. Providers have the right to appeal any claims denials.

UPIC audits will likely expand following HHS OIG’s review of the program. In October 2022, HHS OIG released its report on the five different UPIC contractors’ program integrity activity performance and efficacy for 2019. The report shows the value of overpayments referred by UPICs for recovery in 2019 was approximately $347 million. The report also states that in 2019, UPICs submitted 462 payment suspensions. HHS OIG’s key takeaway was UPICs have the potential to strengthen oversight of program integrity across both Medicare and Medicaid with recommendations to increase the UPICs’ auditing activities of Medicaid, particularly Medicaid managed care claims. HHS OIG found the UPICs conducted disproportionately fewer program integrity activities for Medicaid than Medicare. Additionally, it found that while 83% of people with Medicaid in 2019 received services through managed care, the UPICs estimated only 11% of their Medicaid program integrity activities focused on managed care. Providers who bill a substantial amount of claims to Medicaid-managed care plans should take note of this report and review their overall compliance and billing practices to ensure they are compliant to avoid any UPIC audit activities in the future.

Supplemental Medical Review Contractor (SMRC) Audits

The purpose of the SMRC is to reduce improper payments in the Medicare FFS program, accomplished through post-payment audits of Medicare Part A; Part B; and Durable Medical Equipment, Prosthetics, Orthotics, & Supplies (DMEPOS) claims. The current SMRC is Noridian Healthcare Solutions, LLC (Noridian), which conducts nationwide medical review projects as directed by CMS. The projects are focused on issues identified through various means, including issues identified by CMS internal data analysis; the Comprehensive Error Rate Testing (CERT) program; professional organizations; and other federal agencies, such as the HHS OIG or Government Accountability Office (GAO). Providers should regularly consult Noridian’s website for its list of current projects to determine whether they fit in one of the existing project categories to be prepared in the event of a future SMRC audit.

For a SMRC audit, Providers receive an Additional Documentation Request (ADR) stating what additional documentation is needed to determine whether the claims were billed in compliance with coverage, coding, and payment rules. Once the review is complete, the SMRC sends the results to the Provider in a final review results letter. At this point, Providers can request a discussion and education (D&E) period with the SMRC to submit additional information or documentation support to the SMRC and to receive education on improving future billing practices. After the D&E period, the Provider receives an updated findings letter, and the SMRC sends any identified overpayments to the MAC for collection purposes.

Providers who do not comply with the SMRC’s requests may be referred to CMS. The SMRC will notify CMS of any identified improper payment and noncompliance with the documentation requests. The MAC may initiate claims adjustments and/or overpayment recoupment actions through the standard recovery process. Providers may then exercise their appeal rights to appeal any denied claims.

Comprehensive Error Rate Testing (CERT) Audits

The CERT audit is a post-payment audit for Medicare Part A, Part B, and DMEPOS claims that CMS uses to estimate Medicare FFS improper payments. Unlike the other audit types discussed in this alert, CERT audits review a random sample of Medicare FFS claims. From that sample, CMS determines the estimated improper payment rate and extrapolates it to the universe of FFS claims. The CERT reviewers categorize improper payment claims into categories if underpayments or overpayments are found. These categories include the following:

  • Insufficient documentation supporting the claim.
  • Incorrect coding.
  • Lack of medical necessity (as determined by Medicare program requirements).
  • No documentation.
  • Other.

The CERT will notify the MAC in all cases of improper payment, which may recoup any overpayments. Providers may appeal adverse audit results.

Upcoming Alerts and Webinar

Understanding the different types of audits allows Providers to best prepare for the requests. The next alert in the CMS Audit Series will address how to respond to audits and discuss the tools available to CMS and its contractors to address program integrity concerns in connection with adverse audit results. We will wrap up our CMS Audit Series with an alert providing an overview of the appeals process and tips for appealing adverse audit results.

If you would like more information on audit contractors, Bass, Berry & Sims will host a webinar on March 8 titled, “Medicare and Medicaid Audits: Current Audit Landscape and Best Practices for Response and Appeal of Adverse Results.” For additional details about the webinar and registration information, click here.

Related Professionals
Related Services
CMS Audit Series

Because Medicare and Medicaid claims audit requests can look like routine billing-related correspondence, they can be easy to miss, leading to expensive and potentially catastrophic consequences. Providers, therefore, should be prepared to identify and promptly and diligently respond to any audit requests from government contractors. This alert – the first in a three-part series – explores the different types of audit contractors and their respective scopes of work to assist providers in identifying the contractors, the mechanics of their specific requests, and the issues they present. In future installments, we will discuss how to best respond to audits, the potential ramifications of negative results, and how to appeal negative audit results. 

As discussed in the Bass, Berry & Sims Healthcare Fraud & Abuse Review, healthcare providers and suppliers (Providers) face increased government scrutiny from whistleblower lawsuits under the False Claims Act and government regulators pursuing civil and criminal healthcare fraud enforcement. A significant area of government scrutiny includes claims reviews by the Centers for Medicare & Medicaid Services (CMS) and its audit contractors to ensure CMS accomplishes its stated mission for program integrity to “prevent, detect and combat fraud, waste and abuse in the Medicare and Medicaid Programs.”  A key component of CMS’s program integrity efforts includes different types of program integrity audits, often run by third-party government contractors.

Types of CMS Contractor Audits

Common types of Medicare and Medicaid audits include:

  • Targeted Probe & Educate (TPE) Program audits.
  • Unified Program Integrity Contractor (UPIC) audits.
  • Supplemental Medical Review Contractor (SMRC) audits.
  • Comprehensive Error Rate Testing (CERT) audits.

While these audits are the most common, Medicare and Medicaid Providers may encounter other audits, including audits conducted directly by CMS’s Center for Program Integrity and quality of care-related audits by quality improvement organizations (QIOs) and state agencies. Understanding the different audit types can decrease the administrative burden and costs on a Provider when they are inevitably faced with an audit.

Targeted Probe & Educate (TPE) Program Audits

As the name suggests, TPE audits are intended to educate Providers on specific billing issues to increase accuracy and reduce claim denials and appeals, but they can also result in penalties. During TPE audits, Providers are subject to up to three rounds of claims reviews (both pre-payment and post-payment) and individualized education. Medicare Administrative Contractors (MACs) target Providers identified through data analysis as having high claim error rates or unusual billing practices compared to their peers.

TPE audits start with the receipt of a “Notice of Review” letter from a Provider’s MAC requesting 20-40 claims for each healthcare item or service under review. Once the Provider submits the supporting medical records for the selected claims, the MAC reviews and determines whether the Provider is compliant. If the MAC denies any claims, the Provider is invited to a one-on-one education session where the MAC reviews the improper claims and provides education on how to correctly bill for the specific items or services that were improperly billed. The Provider also receives a “Final Results Letter” from the MAC before or after the education session. At the end of the round, the MAC calculates the Provider’s claim error rate to decide whether an additional round of TPE is appropriate. The Provider has the right to appeal any denied claims.

An additional round of TPE review may only review claims with dates of service at least 45 days after the previous round’s one-on-one education session, thus providing the Provider an opportunity to incorporate the changes learned during the previous round’s education session. While a TPE audit is typically comprised of up to three rounds, additional rounds could occur at CMS’s discretion. Once a Provider is found to be compliant, it will not be subject to a TPE audit on the same topic for at least one year unless there are significant changes to the Provider’s billing.

If the Provider continues to have a high error rate after the third round, the MAC will refer the Provider to CMS for further action. While MACs conduct a substantial amount of TPE audits every year, only a small percentage of Providers fail all three rounds of review. Providers should take TPE audits seriously, however, as the outcomes from failure can be substantial, including but not limited to 100% pre-payment review, extrapolation, or even revocation.

Unified Program Integrity Contractor (UPIC) Audits

CMS established the UPICs to consolidate program integrity activities formally performed by the Zone Program Integrity Contractors (ZPICs), Program Safeguard Contractors (PSCs), and Medicaid Integrity Contractors. As a result, UPICs are the only program integrity contractors that monitor both the Medicare fee-for-service (FFS) and Medicaid programs. UPICs are responsible for identifying and protecting against fraud, waste, and abuse using both pre-payment medical reviews and post-payment audits. UPIC audits should be taken very seriously as they can result in high-dollar extrapolated overpayment demands, payment suspensions, and referral to law enforcement for additional review.

UPICs identify potentially fraudulent billing in several ways, including data mining to uncover billing aberrancies that could indicate fraud, waste, and abuse. UPICs also investigate referrals from MACs, CMS, the Office of Inspector General for Health and Human Services (HHS OIG), beneficiaries, Providers, suppliers, state Medicaid Fraud Control Units, and others. After a UPIC has determined it has a potential lead, it is required to screen the lead before contacting the Provider in question. The screening process may include coordination with the MAC on prior activities, such as prior education efforts and appeals, data analysis, and beneficiary interviews. If the UPIC determines the lead warrants further investigation, it submits the lead to CMS for approval to open an investigation.

For Providers, the first sign of a UPIC audit is typically a site visit and/or a documentation request. Providers should scrutinize the UPIC’s documentation request to better understand the focus of the UPIC’s review. The number of medical records being requested could also provide a clue. If only a small number of claims are requested (less than 10, for example), this could indicate that the UPIC is conducting a probe sample to validate the initial data analysis or allegation that led to the audit to determine the need for additional post-payment medical review actions. If the UPIC’s request is for 30 or more claims, it is likely the UPIC is reviewing claims in connection with what it will call a statistically valid random sample, which may lead to a determination of an extrapolated overpayment.

If an overpayment is detected based on a post-payment audit, the UPIC shares that information with CMS and, if relevant, the state Medicaid agency. The Provider then receives a review results letter from the UPIC and a demand letter from the MAC to recoup the overpayment. For Medicaid, if CMS approves of the UPIC’s findings, the matter is referred to the state Medicaid agency for recoupment. Additionally, UPICs may refer cases to the Department of Justice, HHS OIG, and state Medicaid Fraud Control Units for civil or criminal prosecution. Providers have the right to appeal any claims denials.

UPIC audits will likely expand following HHS OIG’s review of the program. In October 2022, HHS OIG released its report on the five different UPIC contractors’ program integrity activity performance and efficacy for 2019. The report shows the value of overpayments referred by UPICs for recovery in 2019 was approximately $347 million. The report also states that in 2019, UPICs submitted 462 payment suspensions. HHS OIG’s key takeaway was UPICs have the potential to strengthen oversight of program integrity across both Medicare and Medicaid with recommendations to increase the UPICs’ auditing activities of Medicaid, particularly Medicaid managed care claims. HHS OIG found the UPICs conducted disproportionately fewer program integrity activities for Medicaid than Medicare. Additionally, it found that while 83% of people with Medicaid in 2019 received services through managed care, the UPICs estimated only 11% of their Medicaid program integrity activities focused on managed care. Providers who bill a substantial amount of claims to Medicaid-managed care plans should take note of this report and review their overall compliance and billing practices to ensure they are compliant to avoid any UPIC audit activities in the future.

Supplemental Medical Review Contractor (SMRC) Audits

The purpose of the SMRC is to reduce improper payments in the Medicare FFS program, accomplished through post-payment audits of Medicare Part A; Part B; and Durable Medical Equipment, Prosthetics, Orthotics, & Supplies (DMEPOS) claims. The current SMRC is Noridian Healthcare Solutions, LLC (Noridian), which conducts nationwide medical review projects as directed by CMS. The projects are focused on issues identified through various means, including issues identified by CMS internal data analysis; the Comprehensive Error Rate Testing (CERT) program; professional organizations; and other federal agencies, such as the HHS OIG or Government Accountability Office (GAO). Providers should regularly consult Noridian’s website for its list of current projects to determine whether they fit in one of the existing project categories to be prepared in the event of a future SMRC audit.

For a SMRC audit, Providers receive an Additional Documentation Request (ADR) stating what additional documentation is needed to determine whether the claims were billed in compliance with coverage, coding, and payment rules. Once the review is complete, the SMRC sends the results to the Provider in a final review results letter. At this point, Providers can request a discussion and education (D&E) period with the SMRC to submit additional information or documentation support to the SMRC and to receive education on improving future billing practices. After the D&E period, the Provider receives an updated findings letter, and the SMRC sends any identified overpayments to the MAC for collection purposes.

Providers who do not comply with the SMRC’s requests may be referred to CMS. The SMRC will notify CMS of any identified improper payment and noncompliance with the documentation requests. The MAC may initiate claims adjustments and/or overpayment recoupment actions through the standard recovery process. Providers may then exercise their appeal rights to appeal any denied claims.

Comprehensive Error Rate Testing (CERT) Audits

The CERT audit is a post-payment audit for Medicare Part A, Part B, and DMEPOS claims that CMS uses to estimate Medicare FFS improper payments. Unlike the other audit types discussed in this alert, CERT audits review a random sample of Medicare FFS claims. From that sample, CMS determines the estimated improper payment rate and extrapolates it to the universe of FFS claims. The CERT reviewers categorize improper payment claims into categories if underpayments or overpayments are found. These categories include the following:

  • Insufficient documentation supporting the claim.
  • Incorrect coding.
  • Lack of medical necessity (as determined by Medicare program requirements).
  • No documentation.
  • Other.

The CERT will notify the MAC in all cases of improper payment, which may recoup any overpayments. Providers may appeal adverse audit results.

Upcoming Alerts and Webinar

Understanding the different types of audits allows Providers to best prepare for the requests. The next alert in the CMS Audit Series will address how to respond to audits and discuss the tools available to CMS and its contractors to address program integrity concerns in connection with adverse audit results. We will wrap up our CMS Audit Series with an alert providing an overview of the appeals process and tips for appealing adverse audit results.

If you would like more information on audit contractors, Bass, Berry & Sims will host a webinar on March 8 titled, “Medicare and Medicaid Audits: Current Audit Landscape and Best Practices for Response and Appeal of Adverse Results.” For additional details about the webinar and registration information, click here.

In Case You Missed It: