Health care fraud is a persistent and costly problem both for commercial and government payors. The Centers for Medicare & Medicaid Services (CMS) estimates that a significant amount of fee-for-service payments are misspent on improper payments every year. To address health care fraud, Congress and CMS have developed a variety of approaches over the past several years to audit Medicare and Medicaid claims. The tables in this article summarize the major types of Medicare and Medicaid audits that could affect physicians. Entities responsible for these audits include:
- Medicare Recovery Audit Contractors (RACs)
- Medicaid RACs
- Medicaid Integrity Contractors (MICs)
- Zone Program Integrity Contractors (ZPICs)
- State Medicaid Fraud Control Units (MFCUs)
- Comprehensive Error Rate Testing (CERT)
- Payment Error Rate Measurement (PERM)
This article is intended to present a high-level summary of these seven common audits. For more detailed information on a specific audit, please click on the links at the end of this article. In addition to the audits outlined in this article, surgeons and other providers could be subject to audits conducted by the U.S. Department of Health and Human Services Office of the Inspector General (OIG), prepayment reviews or other audits by their Medicare Administrative Contractor (MAC), or the RAC Prepayment Review Demonstration Program; however, this article focuses on the seven major audits described earlier in this article.
What is the scope of the various types of audits? Who will be conducting the audits, and what are the look-back periods (the period of time in which an auditor can review claims that have been submitted for payment) for each audit?
| SCOPE, AUDITOR, AND LOOK-BACK PERIOD | |||
| Name | Scope | Auditor | Look-back period |
| Medicare RACs
Focus: Medicare overpayments and underpayments |
Medicare RACs identify Medicare fee-for-service overpayments and underpayments and collect overpayments as well as return underpayments.
Medicare RACs operate nationwide and only review issues approved for review by CMS. |
The four Medicare RACs, each responsible for a U.S. region, are private companies that have contracted with CMS.
Medicare RACs are paid on a contingency fee basis, receiving a percentage of both the overpayment and underpayments they correct. |
Medicare RACs perform audit and recovery activities on a postpayment basis and may review a claim up to three years after the date the claim was filed. |
| Medicaid RACs
Focus: Medicaid overpayments and underpayments |
Medicaid RACs identify all providers’ underpayments and overpayments of Medicaid claims and recoup the overpayments.
Medicaid RACs operate nationwide on a state-by-state basis. States have discretion to determine what areas of their Medicaid programs to target and are not required to publicly announce audit target areas. |
Each state contracts with a private company that operates as a Medicaid RAC to perform audits of Medicaid claims.
Individual states determine how each Medicaid RAC will be paid, usually on a contingency fee basis. |
Medicaid RACs perform audit and recovery activities on a postpayment basis and may not review a claim more than three years after the date the claim was filed, unless the Medicaid RAC has approval from the state. |
| MICs
Focus: Medicaid overpayments and education |
MICs review all Medicaid providers to identify high-risk areas, overpayments, and areas for provider education to reduce Medicaid fraud and abuse. | MICs are companies contracted by CMS, which has divided the U.S. into five MIC jurisdictions, each encompassing two CMS regions.
MICs are not paid on a contingency fee basis, but are eligible for financial incentives based on the effectiveness of their audits. |
MICs perform audit and recovery activities on a postpayment basis and may review a claim as far back as permitted under the laws of the states that have paid the claims (generally a five-year look-back period). |
| ZPICs
Focus: Medicare fraud, waste, and abuse |
ZPICs investigate potential Medicare fraud, waste, and abuse and refer these cases to their associated MAC for recoupment or to other federal and state agencies for other penalties. The goal of ZPICs is to identify fraud, not to conduct random audits. | ZPICs are companies contracted by CMS, which has divided the U.S. into seven ZPICs jurisdictions, each aligned with one to two MACs. ZPICs are not paid on a contingency fee basis. | ZPICs have no specified look-back period. |
| MFCUs
Focus: Medicaid fraud, waste, and abuse |
MFCUs, which are annually certified by the OIG, investigate and prosecute (or refer for prosecution) criminal and civil Medicaid fraud cases. | Each state, except North Dakota, has an MFCU, which is jointly funded on a matching basis with the federal government. | MFCUs have no stated look-back period. |
| CERT
Focus: Medicare improper payment rate |
The CERT program identifies and estimates the rate of improper payments in the Medicare program and publishes an annual report describing national paid claims and provider compliance error rates.
CERT program findings are not considered a measure of fraud because CERT randomly samples claims, rather than examining billing patterns that indicate potential fraud. |
CMS runs the CERT program using two private contractors. | The CERT program reviews Medicare claims on a postpayment basis. The reviewed claims are limited to the current fiscal year (October 1 to September 30). |
| PERM
Focus: Medicaid improper payment rate |
The PERM program identifies and estimates the rate of improper payments in Medicaid and the Children’s Health Insurance Program. Individual state error rates are measured and are then combined to extrapolate a national error rate.
The PERM program findings are not considered a measure of fraud because PERM randomly samples claims, rather than examining billing patterns that indicate potential fraud. |
CMS runs the PERM program using two private contractors. | The PERM program reviews Medicaid claims on a postpayment basis limited to the current fiscal year (the complete measurement cycle is 22 to 28 months). |
What are the audit/recoupment processes, penalties, and appeals processes for each audit?
| AUDIT/RECOUPMENT PROCESS, PENALTIES, AND APPEALS PROCESS | |||
| Name | Audit/recoupment process | Penalties | Appeals process |
| Medicare RACs | Medicare RACs use proprietary software programs to conduct two types of audits: automated, for which a decision can be made without requesting a medical record, and complex, for which the Medicare RAC will contact the provider to request medical records to make a decision about the payment.Limits exist on the number of documents RACs can request from providers. | There is no penalty if a provider agrees with a Medicare RAC’s determination of an overpayment and pays the money back to CMS.
If a provider misses a deadline in the appeals process, CMS could automatically recoup the alleged overpayment amount plus interest, which will start to accrue on the 31st day after the provider receives the initial demand letter from the Medicare RAC. |
The Medicare RAC appeals process mirrors the five-level Medicare claims appeals process by which fee-for-service providers appeal reimbursement decisions. |
| Medicaid RACs | States have discretion in how they will coordinate with Medicaid RACs to conduct audits and recoup overpayments.States are required to set limits on the number and frequency of medical records to be reviewed by Medicaid RACs. | There is no penalty if a provider agrees with a Medicaid RAC’s determination of an overpayment and pays back the money.If a Medicaid RAC identifies potential fraud, the case could be referred to the state MFCU. | States have the flexibility to decide the structure of the appeals process for providers to appeal any adverse determination made by the Medicaid RAC. |
| MICs | Using a data-driven approach to focus on aberrant billing practices, MICs analyze Medicaid claims and audit providers. Identified overpayments are referred to the states for collection.MICs are not bound by a number of claims records they can request in each audit. | Penalties, if any, are determined by the states. | The states individually adjudicate provider appeals. |
| ZPICs | A ZPIC audit may be initiated through data analysis or directly by fraud complaints. ZPICs’ review of claims may be either pre- or postpayment. ZPICs may make unlimited document requests, in addition to conducting interviews and on-site visits.
ZPICs refer identified overpayments to their associated MAC for recoupment or to other state or federal agencies for other penalties. |
In addition to recouping overpayments, ZPICs can also refer a finding of fraud to law enforcement for criminal, civil monetary penalty, or other administrative sanction, involving the OIG or to the U.S. Attorney.
ZPICs can also recommend that their MAC implement prepayment or auto-denial edits if deemed necessary. |
A provider has the right to appeal ZPIC overpayment determinations through the five-level Medicare appeals process by which fee-for-service providers appeal reimbursement decisions. |
| MFCUs | MFCUs are not restricted to a specific investigational or audit process. | In addition to recouping overpayments or referring the matter to an appropriate state agency for collection, MFCUs can also refer a finding of fraud to the appropriate investigation or prosecution authority.
If there is a pending investigation of Medicaid fraud, MFCUs may refer providers to the state Medicaid agency for payment suspension. |
The appeal rights of providers investigated by MFCUs depend on the entity to which the MFCU refers the case for overpayment, investigation, or prosecution. |
| CERT | CERT randomly selects a statistical sample of claims submitted to MACs and requests medical records from the providers who submitted the claims in the sample. The claims and the associated medical records are reviewed for compliance with Medicare coverage, coding, and billing rules. In instances of noncompliance, errors are assigned to the claims. | Claims selected for CERT review are subject to overpayment recoupment, potential postpayment denials, payment adjustments, or other administrative or legal actions depending on the result of the review.
If a provider fails to submit a requested record to the CERT program, the claim counts as an improper payment and may be recouped from the provider. |
A provider has the right to appeal CERT determinations through the five-level Medicare appeals process, which is the same as the appeals process for RAC determinations, described above. |
| PERM | PERM is conducted over a three-year period, focusing on 17 states per year. The PERM’s contractors draw random samples of claims from each state and request medical records associated with those claims from the providers who submitted the claims. The medical records are reviewed to validate compliance with Medicaid coverage, coding, and billing rules. The claims that are determined to have been paid incorrectly are scored as errors and payments are adjusted. | If a provider fails to submit a requested record to PERM, the claim counts as an improper payment and may be recouped from the provider. | Providers have the right to appeal PERM determinations. |
Where can I find more information on each of the audits discussed?
