Health care fraud is a persistent and costly problem for both commercial and government payors. The Centers for Medicare & Medicaid Services (CMS) estimates that a significant amount of fee-for-service payments are misspent on improper payments every year. In 2015, the Medicare and Medicaid programs accounted for 99 percent—$88.8 billion—of improper payments reported by the U.S. Department of Health and Human Services (HHS).* An improper payment includes any payment made:
- In an incorrect amount (including overpayments and underpayments)
- To an ineligible provider
- For noncovered services
- For services not received
- For duplicate services
- Without supporting documentation of medical necessity
In addition to improper payments made under CMS, the U.S. Government Accountability Office (GAO) has identified millions of dollars in federal subsidy payments incorrectly made to individuals who were not eligible to enroll in Affordable Care Act (ACA) Health Insurance Marketplace plans.†
This column summarizes the major types of CMS and HHS audits that could affect surgeons, as well as the entities responsible for conducting the audits. It presents a high-level overview of nine common audits:
- Medicare Recovery Audit Contractors (RACs)
- Medicaid RACs
- Unified Program Integrity Contractors (UPICs)
- State Medicaid Fraud Control Units (MFCUs)
- Comprehensive Error Rate Testing (CERT)
- Payment Error Rate Measurement (PERM)
- Supplemental Medical Review Contractors (SMRCs)
- Medicare Risk Adjustment Data Validation (RADV)
- ACA HHS-RADV
In addition to these nine common audits, surgeons also may be subject to Medicare Administrative Contractor (MAC) and RAC prepayment audits, which are conducted on certain types of claims that historically have resulted in high rates of improper payment, as well as HHS Office of the Inspector General (OIG) audits, which investigate instances of potential criminal, civil, and administrative fraud and misconduct related to HHS programs and beneficiaries.
What are the types of audits and what is the focus and scope of each? Who conducts these audits, and how far back can an auditor review submitted payment claims?
See Table 1.
Table 1. Scope, auditor, and look-back period
| Name | Scope | Auditor | Look-back period |
| Medicare RACs
Focus: Medicare over- and underpayments |
Medicare RACs identify Medicare fee-for-service claims that contain improper payments. RACs may collect overpayments from or return underpayments to providers. | The three Medicare RACs, each responsible for up to two of five U.S. regions, are private companies contracted by CMS. The Regions 1–4 RACs review Medicare claims that were made under Parts A and B for all provider types other than durable medical equipment (DME) and home health/hospice. The Region 5 RAC is dedicated to the review of durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) and home health/hospice claims nationally.
Medicare RACs are paid on a contingency fee basis, receiving a percentage of the improper payments they correct. |
Medicare RACs perform audit and recovery activities on a postpayment basis, and claims are reviewable up to three years from the date the claim was filed. |
| Medicaid RACs
Focus: Medicaid over- and underpayments |
Medicaid RACs identify Medicaid fee-for-service claims that contain improper payments. RACs may collect overpayments from, or return underpayments to, providers.
Medicaid RACs are administered on a state-by-state basis. States have discretion to determine which Medicaid programs to audit and are not required to publicly announce audit target areas. |
States contract with a private company that operates as a Medicaid RAC to perform audits of Medicaid claims.
Individual states determine how each Medicaid RAC will be paid, usually on a contingency fee basis. |
Medicaid RACs perform audits and recovery activities on a postpayment basis, and claims can be reviewed up to three years from the date they were filed. Review after this period requires approval from the state. |
| UPICs
Focus: Medicare and Medicaid fraud, waste, and abuse |
UPICs perform fraud, waste, and abuse detection, deterrence, and prevention activities for Medicare and Medicaid claims. Specifically, the UPICs perform integrity-related activities associated with:
UPICs operate in five geographical jurisdictions and combine the functions previously performed by Zone Program Integrity Contractors (ZPICs) and Medicaid Integrity Contractor (MICs). |
The five UPICs, each responsible for a U.S. region, are private companies contracted by CMS. | UPICs have no specific look-back period. |
| MFCUs
Focus: Medicaid fraud, waste, and abuse |
The MFCU program is operated on a state-by-state basis to investigate and prosecute Medicaid fraud cases, as well as patient abuse and neglect in health care facilities.
MFCUs are certified annually by the HHS Office of Inspector General (OIG). |
MFCUs operate in each state, excluding North Dakota and the District of Columbia, and are jointly funded by the state and federal government. Each MFCU receives federal funds equivalent to 75 percent of its total expenditures. | MFCUs have no specific look-back period. |
| CERT program
Focus: Improper Medicare payment rates |
The CERT program calculates the rates of improper Medicare fee-for-service payments.
CERT program findings are not considered a measure of fraud, as findings are based on a random sample of claims that did not meet Medicare coverage, coding, and billing rules. |
The CERT program is operated by two private CMS contractors: (1) the CERT Review Contractor (RC), and (2) the CERT Statistical Contractor (SC). | The CERT program reviews Medicare claims on a postpayment basis. The reviewed claims are limited to those submitted during the current federal fiscal year. |
| PERM program
Focus: Improper Medicaid payment rate |
The PERM program estimates the rate of improper payments made under Medicaid and the Children’s Health Insurance Program (CHIP). Payment error rates are derived from reviews of the fee-for-service, managed care, and eligibility components of Medicaid and CHIP. Individual state error rates are measured and then combined to extrapolate a national error rate.
PERM program findings are not considered a measure of fraud, as findings are based on a random sample of claims that did not meet Medicaid coverage, coding, and billing rules. |
The PERM program is operated by two private CMS contractors: (1) the PERM SC, and (2) the PERM RC. | The PERM program reviews Medicaid claims on a postpayment basis. The reviewed claims are limited to those submitted during the current federal fiscal year. |
| SMRCs
Focus: Medicare compliance |
The SMRC program conducts a nationwide medical review of Part A, Part B, and DME providers and suppliers.
SMRCs evaluate medical records and other related documents to determine whether Medicare claims were billed in compliance with coverage, coding, payment, and billing practices. SMRCs currently are performing medical record reviews on the following services and supplies:
|
The SMRC program is operated by StrategicHealthSolutions, LLC, a CMS contractor. | SMRCs have no specific look-back period. |
| Medicare RADV
Focus: Medicare Advantage risk adjustment |
The Medicare RADV program validates enrollment and health status data from Medicare Advantage (MA) claims to ensure the accuracy and integrity of risk-adjusted payments. Risk adjustment allows MA organizations that enroll less-healthy patients to receive money transferred from MA organizations that cover generally healthier individuals.
The Medicare RADV examines whether health plans obtain overpayments by exaggerating the severity of patients’ conditions. The RADV process verifies that diagnosis codes submitted for payment by an MA organization are supported by an enrollee’s medical records. |
CMS runs the Medicare RADV program. | The Medicare RADV program reviews MA claims on a postpayment basis for a period of not more than four federal fiscal years prior to the current federal fiscal year. |
| ACA HHS-RADV
Focus: ACA-compliant health plan risk adjustment |
The ACA HHS-RADV program validates enrollment and health status data from private health plans that participate in marketplaces under the ACA and that submit data for risk-adjusted payments. Risk adjustment allows insurers that enroll less-healthy patients to receive money transferred from health plans that cover generally healthier individuals.
The ACA HHS-RADV examines whether health plans obtain overpayments by exaggerating the severity of patients’ conditions. The RADV process verifies that diagnosis codes submitted for payment by a health plan are supported by an enrollee’s medical records. For the 2016 benefit year, RADV is performed on all ACA-compliant health plans that are offered in the individual and small group marketplaces. Beginning with the 2017 benefit year, ACA-compliant health plans with total annual premiums at or below $15 million will be randomly selected to participate in the RADV process. |
The ACA HHS-RADV program is operated by two auditors: (1) an independent auditor selected by the health plan, and (2) a secondary auditor retained by CMS. | The ACA HHS-RADV program reviews claims on a postpayment basis. The reviewed claims are limited to those submitted in the previous federal fiscal year. |
What are the processes, penalties, and appeals processes for each audit?
See Table 2.
Table 2. Process, penalties, and appeals process
| Name | Process | Penalties | Appeals process |
| Medicare RACs
Focus: Medicare over- and underpayments |
Medicare RACs use proprietary software programs to conduct two types of audits: automated and complex.
Automated audits occur when a RAC makes a claim determination at the system level without review of a medical record. Automated reviews may only be used when it is clear that (1) the service is not covered under Medicare or is incorrectly coded and (2) a written Medicare policy or coding guideline exists for that service. Complex audits occur when Medicare coverage of a service is unclear, requiring the RAC to review medical records or other documentation to make a payment determination. RACs must follow an additional documentation request (ADR) limit—the annual medical record request limit established for each provider based on the number of Medicare claims paid in the previous 12 months—to determine the maximum number of claims that can be included in a single 45-day period. Complex reviews must be completed within 30 days of receiving the medical record documentation from the provider. |
No penalties are imposed if the provider agrees with the Medicare RAC’s overpayment determination and repays CMS. If a provider misses a deadline in the appeals process, CMS is permitted to automatically recoup the alleged overpayment, plus interest. | A provider has the right to appeal a Medicare RAC’s determination through the five-level Medicare appeals process. The first level of appeal must be filed within 120 days of receipt of an overpayment demand letter. Providers can avoid a Medicare recoupment action if they file the first appeal within 30 days of receiving the letter of demand. |
| Medicaid RACs
Focus: Medicaid over- and underpayments |
States have discretion in how to coordinate and conduct audits and recoup overpayments. States must set limits on the number and frequency of medical records to be reviewed by the Medicaid RAC. | No penalties are imposed if the provider agrees with determination of an overpayment and repays CMS. If a Medicaid RAC identifies potential fraud, the RAC must refer the case to the state MFCU. | States have flexibility to decide the structure of the process for providers to appeal any adverse determination made by the Medicaid RAC. |
| UPICs
Focus: Medicare and Medicaid fraud, waste, and abuse |
UPICs perform statistical analyses and medical claims reviews to identify trends and patterns of potential fraud, waste, and abuse from three perspectives: Medicare-only, Medicaid-only, and joint/composite Medicare and Medicaid. | UPICs refer Medicare overpayments to the MAC that made the initial claims payment for collection. UPICs coordinate with MACs to track the collection of potential overpayments. UPICs refer Medicaid overpayments to the state Medicaid agency and CMS. UPICs coordinate with state Medicaid agencies to track the collection of potential overpayments. |
A provider may appeal a UPIC determination through the typical Medicare or Medicaid appeals process. |
| MFCUs
Focus: Medicaid fraud, waste, and abuse |
MFCUs are not restricted to a specific investigational or audit process. | MFCUs recover overpayments as part of resolution of a case or send the matter to an appropriate state entity for collection and can refer a finding of fraud to the appropriate law enforcement agency. MFCU investigations can result in both civil and criminal charges against providers. | The appeal rights of providers investigated by MFCUs depend on the entity to which the case is referred for recoupment, investigation, or prosecution. |
| CERT
Focus: Improper Medicare payment rates |
CERT reviews a random sample of Medicare fee-for-service claims submitted to MACs and requests supporting records from the providers who submitted the claims for payment. The claims and associated health care records are evaluated for compliance with Medicare requirements.
The CERT RC is responsible for reviewing medical records and compiling data from the sampled claims. The CERT SC then calculates improper payment rates. Errors are assigned to claims in instances of noncompliance with medical records requests. Once the review process is complete, CERT contractors analyze the error-rate data and produce a national Medicare fee-for-service error rate. |
CERT contractors notify the appropriate MAC of improper payments identified through the audit process. MACs are then responsible for recovering overpayments or reimbursing underpayments. If a provider fails to submit the necessary medical records to the CERT program within 75 days of the initial request, the claim counts as an improper payment and may be recouped from the provider. |
A provider has the right to appeal a CERT determination through the five-level Medicare appeals process. |
| PERM
Focus: Improper Medicaid payment rate |
PERM is conducted over a three-year period, focusing on 17 states per year. The PERM SC draws random samples of fee-for-service claims from each state and forwards to the PERM RC, which is responsible for requesting and reviewing supporting medical records to validate compliance with Medicaid and CHIP payment and eligibility requirements.
Using the data compiled in the medical records review, the PERM SC then calculates state and national improper payment rates, and creates error analysis reports to be used by states for corrective action purposes. |
Following each PERM measurement cycle, participating states are required to develop and submit a Medicaid and CHIP Corrective Action Plan (CAP) to CMS. The CAP, which is an outline of the steps states will take to reduce improper payments in each program, must be submitted by states within 90 days of error-rate notifications.
If a provider fails to submit a requested record to PERM, the claim counts as an improper payment and may be recouped from the provider. |
States may pursue two levels of PERM error determination dispute: the difference resolution process, and the CMS appeals process. These processes afford states the opportunity to overturn PERM error determinations. |
| SMRCs
Focus: Medicare compliance |
SMRCs conduct their review of medical records based on an analysis of national claims data compared to data limited to a specific jurisdiction controlled by one of the MACs. The SMRC reviews all submitted documents for evidence of improper payments. | SMRCs are responsible for notifying CMS of any improper payments and noncompliance. CMS, in turn, will direct the appropriate MAC to initiate claim adjustments and/or overpayment recoupment actions through the standard Medicare overpayment recovery process.
Penalties, if any, are determined by the appropriate MAC. |
Providers may appeal the results of an SMRC audit once they receive overpayment demand letters from their respective MACs. |
| Medicare RADV
Focus: MA risk adjustment |
CMS selects 30 contracts from MA organizations for RADV audits based on diagnosis coding intensity for enrollees whose reported diagnoses increased in severity at the fastest rates.
CMS ranks MA contracts by categorizing diagnoses into groups of clinically related conditions called hierarchical condition categories (HCCs), and uses the HCC and demographic information to calculate a risk score for each enrollee. Each contract is then divided into three risk score categories: high-, medium-, and low-risk. CMS then randomly selects contracts for audit: 20 high-risk, five medium-risk, and five from the low-risk scores. After CMS selects 30 MA contracts to audit, up to 201 enrollees are chosen from each contract based on the enrollees’ risk scores. 67 enrollee records are audited from each of the three risk score groups. |
CMS uses the RADV results to calculate overpayment estimates and adjusts the monthly payments made to MA organizations for the next payment period. | MA organizations may file a Medical Records Dispute (MRD) for claims that result in payment recovery through the RADV administrative appeals process within 30 days of the preliminary audit findings. |
| ACA HHS-RADV
Focus: ACA-compliant health plan risk adjustment |
Under the ACA HHS-RADV, Initial Validation Audit (IVA) and Second Validation Audit (SVA) entities test a sample of health plans’ enrollees to determine if an error rate should be applied to the plan’s average risk score. The process includes six stages:
|
If the IVA and SVA identify insurer-level overpayments, CMS uses the error rate discovered by the RADV to determine a payment adjustment to recover the funds. | CMS provides health plans the option of appealing the audit results or the application of the payment adjustment through the RADV administrative appeals process. |
Where can I find more information about these audits?
*Maxwell A. Medicare and Medicaid program integrity: Combatting improper payments and ineligible providers. 2016. U.S. House of Representatives Committee on Energy and Commerce—Subcommittee on Oversight and Investigations. Available at: docs.house.gov/meetings/IF/IF02/20160524/104979/HHRG-114-IF02-Wstate-MaxwellA-20160524.pdf/. Accessed May 22, 2017.
†U.S. Government Accountability Office. Patient Protection and Affordable Care Act: CMS should act to strengthen enrollment controls and manage fraud risk. GAO-16-29. 2016. Available at: www.gao.gov/products/GAO-16-29. Accessed May 22, 2017.
