Audits by Federal and State governments of claims submitted by healthcare providers have increased significantly in recent years. The number of entities with audit authority has also increased and, among many others, includes: Recovery Audit Contractors (RAC), Medicare Administrative Contractors (MAC), Comprehensive Error Rate Testing (CERT), Medicare Integrity Contractors (MIC), in addition to the initial auditing entity, the Office of Inspector General (OIG). The most active audit entities at present are RACs and MICs. Practices need to prepare now for these upcoming audits in order to minimize risk, ensure that entity audit findings are correct, and understand the appeals process if it becomes necessary to challenge the entity audit findings.
RACs were established under the Medicare Modernization Act of 2003 as a pilot program to identify improper Medicare payments. By 2008 CMS reported that RAC had succeeded in collecting more than $1 billion in Medicare improper payments from just six states. By 2006, the Tax Relief and Health Care Act made the RAC program permanent and mandated that CMS extend it to all 50 states, allowing private third-party auditors to work on a contingency basis under contract to CMS to conduct audits and keep a percentage of recouped payments which they identify as improper.
Improper claims are identified by either automated or complex reviews. Automated reviews are conducted without review of the medical records supporting the claim. Complex reviews identify claims where the RAC believes there are overpayments but require further review of medical records or other documentation. Significantly, RACs may not audit based on randomly selected providers or claims, but must use data analysis techniques to perform targeted reviews.
For complex reviews, the RAC may either appear unannounced on site to review the provider’s records or request that the provider mail or securely transmit the records. RACs must abide by Medicare policies, regulations, CMS manuals, National and Local Coverage Determinations, and may not apply their own coverage, coding or billing policies.
An appeal of a RAC determination follows the same protocol as any other Medicare appeal. One caveat is that providers must submit a rebuttal to the RAC within 15 days of an initial determination or demand. There are five levels of appeal:
Redetermination (120 days after denial)
Reconsideration (180 days after Redetermination decision) by the Qualified Independent Contractor (QIC)
Administrative Law Judge (ALJ) Hearing (60 days after decision by QIC)
Medicare Appeals Council (MAC) Hearing (60 days after decision by ALJ)
Federal District Court (60 days after MAC decision)
A recent memorandum from CMS regarding appeals shows that providers were successful in overturning RAC determinations approximately 34% of the time. Given the incentive for the RAC contractors to find errors, providers should pursue an appeal if they believe the RAC determination to be in error.
CMS has also begun to examine potential overpayment by state Medicaid programs. As part of this process, CMS has entered into contracts with Medicaid Integrity Contractors (MIC). There are three types of contractors for this program:
Review MICs which analyze claims data to identify payment vulnerabilities;
Audit MICs which conduct post-payment audits of documentation to identify overpayments;
Education MICs which educate providers as needed based on discovered issues.
Regardless of the type of audit or the reason for initiation, there is a great deal of commonality. All audit programs are out to recoup money and providers should take steps to prepare for an entity audit. Not every provider has the manpower or financial resources to audit every claim that may be reviewed by one of the programs, but there are several preparatory and proactive measures that providers can take to minimize risk and ensure that they are ready for necessary and immediate action when faced with an entity audit.
The first step is to appoint an audit coordinator who will be responsible for responding to medical record audit requests within the limited time-frame allowed by the auditing entity.
Conduct a risk assessment, beginning with an internal audit of the requested medical records in order to ensure proper coding and billing conventions were followed. Conduction of regular internal audits even before entity audit notification is ever received will assure correct coding and billing conventions are being followed. Providers, managers, and coders should review the annual Work Plan of the Office of the Inspector General (oig.hhs.gov/reports-and-publications/workplan/index.asp), which provides information regarding issues that are under scrutiny.
Develop a work plan for response to audit notifications and documentation requests from an entity auditor. Issues to consider include:
Who will gather and copy requested documents?
Who will be responsible for auditing the documents?
Will an internal audit be sufficient? Should an outside auditor be engaged?
Who is responsible for tracking deadlines?
It is important to provide education to all impacted providers and staff, especially after identifying any potential risk areas. Providers, as well as staff, should be appropriately trained in order to prevent future errors.
If errors are identified through self-auditing, disclose the errors in order to mitigate damages and to prevent a potential entity audit. If possible, pay the claim directly to the MAC or state program and establish a mechanism for correction and education of the specific issues. These areas should then be continually monitored and audited to ensure compliance. A formal Compliance Plan should be in place – and in force – within the practice, as it will demonstrate to entity auditors that compliance is an essential component of the practice.
The elimination of fraud, waste, and abuse in government-funded healthcare reimbursement programs is a top priority and the government now has many weapons in its arsenal. The audit entities mentioned here are but a few that are in place. Providers need to be aware of how these programs work and be proactive in taking preventive measures in order to minimize risk and exposure.
Additional information is available from the Kentucky Medical Association at www.kma.org, as well as CGI, the RAC auditor for Kentucky, at http://racb.cgi.com, and the Medicare carrier for Kentucky, Cigna Medicare, at www.cgsmedicare.com/kyb/index.html. Additional helpful websites include: www.ama-assn.org and www.cms.gov.
Patricia Cordy Henricksen, CHCA, CPC-I, CPC, CCP-P, PCS, ACS-PM, is the Executive Vice President and Senior Auditor of Soterion Medical Services www.soterionmedical.com She is a Lead Editor for medical coding text books published by Elsevier, Inc., and is a Certified Instructor for the Professional Medical Coding Curriculum, the coding certification program of the American Academy of Professional Coders.