As addressed in the first installment of this three-part series, healthcare providers face potential audits from an increasing number of Medicare and Medicaid contractors. Failing to respond properly can lead to significant and sometimes draconian consequences. This content – the second in a three-part alert series – explores how best to respond to audits and the potential consequences that can result from negative audit results.

Due to the significant potential negative impact of audits and the actions that can result from them, healthcare providers’ responses to Medicare and Medicaid audits require a thoughtful and thorough approach to ensure the claims under review are fully supported. A provider cannot wait until a request is received but must take proactive steps to ensure compliance with all coding and billing requirements and develop a thorough response plan to activate when a request is received.

Ensuring an Effective Compliance Plan

Healthcare providers who successfully avoid being an audit target or navigate audits when they occur have an effective compliance program that allows for the detection of potential billing issues. A provider should periodically evaluate their compliance programs to ensure they have all components necessary for detecting these issues. This includes taking the following steps:

  • Ensuring the facilitation of a culture of open communication and numerous options, including an anonymous reporting mechanism, for reporting any billing concerns.
  • Providing relevant staff members with the necessary training on coding and billing requirements to help the organization with ongoing monitoring and assessment of risks.
  • Immediately responding to any reports of potential non-compliance by investigating and taking corrective action as necessary.
  • Periodically assessing current practices and confirming compliance with all Medicare and Medicaid policies and procedures, including any applicable coverage decisions, when billing claims.
  • Self-auditing when issues are identified internally and instituting corrective action, including prompt repayment of the identified overpayment.

Developing an Audit Response Plan

An effective compliance plan alone will not prevent a provider from being an audit target. Considering the increase in audit contractors and activity, a provider should also anticipate being the target of an audit and take steps to prepare for this eventuality. A provider can ensure that an audit response is successful by developing a process for responding to audit requests. A multi-disciplinary committee (with representation across departments such as medical records, billing, medical staff, nursing administration, case management, utilization review, compliance and legal) is recommended to assist in drafting policies and procedures for responding to audit requests. This committee can assist in evaluating all possible records needed to support a claim and where and how such records may be quickly located.

After the committee is assembled, the committee should be tasked with developing the audit response policies and procedures. These policies and procedures should do the following:

  • Anticipate the different types of requests and the response plan for each type of audit. For example, because of the potential impact of Unified Program Integrity Contractor (UPIC) audits, employees should be trained to recognize a UPIC audit and distinguish it from other more routine audit requests.
  • Include a process for responding to both record requests and onsite reviews.
  • Designation of a point person responsible for any audit response and requirement for all audit requests to be immediately forwarded to this individual.
  • A reference guide to potential sources of records for inclusion to ensure there are no gaps in response.

After the policies and procedures are developed, the provider’s staff should receive training on the processes. This training is crucial in ensuring that the processes are followed in any audit. The staff receiving training should include any individuals who may receive an audit request, such as the billing team who may receive Additional Documentation Requests (ADRs) and the mailroom staff who may process incoming mail. Audit requests can sometimes be missed due to the volume of payor correspondence received by providers, which can lead to claims denials or even more serious consequences.

Responding to an Audit

When an audit request is received, or an auditor appears onsite, the audit response plan is put into action. Before responding to an audit, an individual should be designated as a point of contact with any audit contractor and coordinate the audit response. If a response is not submitted within the deadline, the auditor may deny the claim and issue a negative finding. Therefore, a provider must be cognizant of any response deadlines. If an extension to respond is needed, the point person should immediately request one and document this request and any response.

A provider must carefully and deliberately submit complete documentation to support the billed services. A provider should closely review the audit request and consider whether to submit records outside of the specific date range of the requests, such as physician orders, consultations, or certifications. If the provider determines the records do not support the claims billed, the provider should consider whether refunds should be made for these claims. Best practices include the following actions:

  • Submitting a cover letter with the response.
  • Memorializing the documents collected.
  • Retaining or requesting a copy of all documents provided.

If an auditor appears onsite, the provider should:

  • Contact legal counsel to interface with the auditors, monitor and document the audit process, be present during interviews and assist in the document collection.
  • Prepare summaries of any interviews to document the information shared with the auditor.
  • If the auditors have interviewed beneficiaries or staff members outside of the office, conduct their interviews to learn the topics discussed and to understand the audit focus and any potential concerns that may arise from the interview.

Understanding Potential Ramifications of Negative Audits

While claims denials by an auditor have significant revenue implications, a negative audit result may in even more adverse consequences. The Centers for Medicare & Medicaid (CMS) and its contractors have several powerful tools to recoup overpayments and address program integrity concerns due to adverse audit results.


After an overpayment determination, the contractor refers the decision to the claims administrative contractor – the Medicare Administrative Contractor (MAC) or Medicaid agency – for recovery. The overpayment can include an extrapolated overpayment demand based on a statistically valid claims review.

When an overpayment determination includes extrapolation, the contractor has used a sample of submitted claims to extrapolate the results of the review to a large universe of claims to estimate an overpayment amount. While an overpayment for actual claims denial amounts is typically small, the overpayment amount can quickly balloon into hundreds of thousands or millions of dollars when the error rate is applied across the entire claims “universe,” which often consists of a year or more of claims.

42 U.S.C. § 1395ddd(f)(3) authorizes Medicare contractors to use extrapolation to determine overpayments only if there is a determination of one of the following:

  1. There is a sustained or high level of payment error.
  2. Documented educational intervention has failed to correct the payment error.

While this determination is not subject to administrative or judicial review, a contractor’s failure to make this determination can be used to overturn extrapolation to calculate the overpayment amount.

The Medicare Program Integrity Manual (MPIM) has established a framework based upon this statute dictating when extrapolation should be used, noting a contractor “shall use statistical sampling when it has been determined that a sustained or high level of payment error exists.” Statistical sampling may also be used after documented intervention has failed to correct the payment error, such as in Target, Probe and Educate (TPE) audits where educational efforts have failed.

For purposes of extrapolation, a “sustained or high level of payment error” shall be determined to exist through a variety of means, such as one or more of the following:

  • High error rate determinations by the contractor or other medical reviews (e., greater than or equal to 50% from a previous pre- or post-payment review).
  • Provider history (e., prior history of non-compliance for similar billing issues or a history of non-compliant billing practices).
  • CMS approval provided in connection to a payment suspension.
  • Information from law enforcement investigations.
  • Allegations of wrongdoing by current or former employees of a provider.
  • Audits or evaluations conducted by Health and Human Services’ Office of Inspector General (HHS-OIG).

For Medicaid audits, the law of the state where the Medicaid agency is located governs the use of extrapolation. When a provider is subject to an extrapolated overpayment demand, it is imperative to appeal the denial of each individual claim because, though each claim will be small, the extrapolated dollar amount will be significant. While the decision to use extrapolation is not appealable, the sampling methodology and extrapolation calculations are subject to appeal and a provider can seek to have extrapolation overturned. Statistical extrapolation used in estimations of overpayments must follow the requirements and process outlined in the MPIM. CMS affords its contractors significant leeway to make errors in their statistical sampling methodology, but a provider should consider whether the cumulative impact of otherwise allowable errors was enough to render the statistical extrapolation invalid.

Prepayment Review

There has been a sharp increase in the number of prepayment reviews in which a reviewer makes a claim determination before the claim is paid. Targeted, provider-specific prepayment reviews are triggered “only when there is the likelihood of sustained or high level of payment error,” often informed by data analysis or prior unfavorable audits.

The contractor will issue ADRs to a provider, who must timely respond within 30 to 45 days. No extensions, even under extenuating circumstances, will be granted.

Prepayment reviews can include a small “probe” sample of 20 to 40 potential problem claims up to a 100% prepayment review if the provider has shown prolonged non-compliance with CMS policies and if requested by a UPIC, where CMS approves. In either case, the MAC will institute an edit to flag all claims for review until the probe sample records are submitted. This often impacts a provider’s cash flow while the contractor reviews and approves each claim, which typically takes 90-120 days.

While the claims decisions of the claims under review can be appealed, the decision to institute a prepayment review is not appealable and can often be a time-consuming and burdensome process if a significant number of claims are reviewed. To terminate the prepayment review, the provider must provide sufficient documentation to support the claims. The provider should carefully review all applicable regulations and guidance for the claims at issue to ensure the claims are supportive. Open dialogue with the audit contractor may also be helpful in understanding the contractor’s concerns.

Payment Suspensions

Coupled with the increase in audit contractors and audit activity, CMS and its contractors are also choosing payment suspensions as the first line of defense to address potential billing irregularities and overpayments. Although CMS has assured providers it will exercise its payment authority “judiciously” and will remain mindful of the impact they may have on providers, payment suspensions have become increasingly commonplace following an audit-related records request. A payment suspension, especially when coupled with a prepayment review, can have a devastating impact on a provider’s cash flow and long-term operational and financial sustainability.

A payment suspension may be used where one or more of the following exists:

  • Reliable information that an overpayment exists, but the overpayment amount is not yet determined.
  • Reliable information that the payments to be made may not be correct.
  • Reliable information that the provider fails to furnish records and other essential information necessary to determine the amounts due to the provider.
  • In cases of suspected fraud, a payment suspension may be used when there is a credible allegation of fraud.

A provider often learns of a payment suspension through a notice letter, but there are instances where the suspension becomes effective prior to the provider receiving notice. When prior notice is “appropriate,” a provider is given at least 15 calendar days prior notice before the payment suspension is effectuated. However, advance notice of the suspension is not required if the payment suspension request is a fraud suspension. In instances of a “credible allegation of fraud,” the provider will receive notice concurrent with the implementation of the payment suspension but not later than five calendar days after the payment suspension is imposed.

Payment suspensions can, but are not required to, be coupled with a 100% prepayment review. If a prepayment review is not conducted, a post-payment review will be performed on the universe of claims adjudicated for payment during the payment suspension prior to the issuance of the overpayment determination.

Payment suspensions can remain in place for many months but must be re-evaluated every 180 days to confirm that the suspension continues to be appropriate. A provider must be given an opportunity to submit a rebuttal statement in opposition to the imposition of a payment suspension, but there is no appeals process available. If the payment suspension is lifted, the provider will receive the payments held during the time of the suspension. However, this delayed payment is of little comfort to a provider dealing with a payment suspension which is receiving no payment during the pendency of the investigation.

Referrals to Other Agencies

CMS has granted its contractors wide authority to refer providers to other agencies where appropriate. For example, depending on the circumstances, the MAC may refer providers to agencies such as HHS-OIG, the Department of Justice (DOJ), the Quality Improvement Organization (QIO), or even state licensing authorities for further review and action.

Medicare Revocation

CMS is authorized to revoke Medicare billing privileges for a number of reasons, including a failure to respond to requests for medical records. CMS will revoke a provider’s Medicare enrollment even when the cause is inadvertent, such as when a provider does not receive record requests because it failed to update its address in PECOS. CMS may also revoke Medicare billing privileges if it determines a provider has a pattern or practice of submitting claims that fail to meet Medicare requirements. This type of revocation often follows an audit where the contractor alleges the provider performed poorly. Although a revocation may be appealed, its impact can be far-reaching and have a devastating impact on providers.


CMS audits present more than merely administrative or procedural hurdles. If handled incorrectly, a CMS audit can fundamentally impact a provider’s business. Providers should have a plan in place to respond in a timely and thoughtful manner to CMS audits to avoid potential negative ramifications. Our next alert will wrap up our CMS Audit Series by providing an overview of the appeals process and tips for appealing adverse audit results.

If you have any questions about responding to audits, please contact the authors. If you would like more information on the audit process, Bass, Berry & Sims will host a webinar on March 8 titled, “Medicare and Medicaid Audits: Current Audit Landscape and Best Practices for Response and Appeal of Adverse Results.” For additional details about the webinar and registration information, click here.