What Is Medical Auditing? - AAPC (2023)

Federal Scrutiny and Compliance Enforcement

Law requires the Centers for Medicare & Medicaid Services (CMS) — the largest payer for healthcare in the U.S. — to protect the taxpayer-sponsored Medicare Trust Fund. Each year, medical claim errors filed by provider organizations result in inappropriate payments costing the fund tens of billions of dollars.

To prevent inappropriate payments from compromising the Medicare Trust Fund, CMS works with Part A and Part B Medicare Administrative Contractors (MACs) and Durable Medical Equipment MACs (DME MACs). In fact, CMS works with a constellation of contractors, each ultimately tasked with protecting taxpayers and future Medicare beneficiaries. CMS contractors include:

• RAC: The Recovery Audit Contractors review post-payment claims with the goal of recovering improper Medicare payments made to healthcare providers under fee-for-service (FFS) Medicare plans. RACs also inform CMS of detected errors to enable CMS to implement actions (directly and through MACs) that will prevent future improper payments.
  Providers should note that CMS pays RACs a percentage of the amounts they recover, which incentivizes aggressive RAC scrutiny, as well as the likelihood that a provider organization will be audited by a RAC. RACs may audit claims going back three years from the date of payer reimbursement.
• SMRC: The Supplemental Medical Review Contractor is a nationwide program fulfilled by Noridian Healthcare Solutions aimed at reducing improper payment rates through medical review of Medicare Part A, Part B, and DME claims. SMRC reviews are CMS-directed, in that CMS chooses the issue, scope, and time frame of SMRC activities.
• UPIC: Unified Program Integrity Contractors conduct regional activities to detect and deter abuse, waste, and fraud for medical claims filed through Medicare Part A and Part B, DME, Home Health and Hospice (HH+H), Medicaid, and the Medicare-Medicaid data match program.
  UPIC contracts operate in five U.S. regions and fulfill responsibilities previously met by the Zone Program Integrity Contractor (ZPIC), Program Safeguard Contractor (PSC), and Medicaid Integrity Contractor (MIC) contracts.
• I-MEDIC: The Investigations Medicare Drug Integrity Contractor is responsible for monitoring all fraud, waste, and abuse initiatives in the Medicare Advantage (Part C) and Prescription Drug Plan (Part D) benefits (specific to provider, prescribers, and pharmacies).
• PPI MEDIC: The Plan Program Integrity Medicare Drug Integrity Contractor is responsible for the Medicare Advantage (Part C) and Prescription Drug Plan (Part D) proactive data analysis, audits, generation of risk assessment reports, and plan sponsor education and outreach.

Assigned various jurisdictions, these contracted entities perform analysis of claims data to identify questionable billing patterns and ensure that CMS reimbursement is made only to services meeting coding, medical necessity, and Medicare coverage requirements.

As noted in CMS’ Review Contractor Directory, “You may receive correspondence from one or several of these contractors in your state. They may request medical records from you, as they perform business on behalf of CMS.”

For all intents, in other words, the above contractors are federal auditors. Their ongoing scrutiny is the reason every medical practice should staff a certified medical auditor. Routine internal audits, and external audits conducted by objective third-party auditing services, enable healthcare organizations to discover their compliance oversights. Choosing to implement an auditing program is the most effective defense against federal and payer audits.

CMS, in its efforts to protect the Medicare Trust Fund, is well fortified. The U.S. Department of Health and Human Services(HHS), which oversees CMS, has the U.S. government’s largest Office of Inspector General (OIG). The HHS dedicates the OIG almost entirely to preventing healthcare waste, abuse, and fraud from siphoning taxpayer dollars from the fund.

Bottom line: Noncompliance is expensive. It costs federal and commercial payers through inappropriate payments, as well as programs to investigate, prevent, and recoup inappropriate payments. This cost is passed down to provider organizations through paybacks and, when applicable, monetary penalties.

While the OIG works with MACs and other auditors to detect abusive billing patterns, it also works with the Department of Justice (DOJ) and states’ Attorneys General to facilitate legal actions. Medical coding and billing that violates state or federal laws can cost physician offices and other healthcare organizations in terms of:

• Payback demands;
• Fulfillment of aCorporate Integrity Agreement (CIA);
• Employment of an Independent Review Organization (IRO);
• Prosecution under the False Claims Act and other federal/state laws;
• Civil monetary penalties;
• Exclusion fromMedicare andMedicaidprograms; and
• Criminal penalties.

Federal Audit Targets

Remaining aware of federal audit targets based on claim errors trending across the U.S. is the first step to ensuring your organization doesn't invite a MAC or RAC audit. Several publications detail current targets and problem areas, directing medical coders toward vigilance and auditors toward proactivity. The two most definitive publications are the OIG Work Plan and the Comprehensive Error Rate Testing (CERT) report.

The OIG Work Plan

Through ongoing assessments, the OIG prioritizes issues posing a threat to the Medicare Trust Fund. It then allocates resources to conduct audits targeting those priorities in its annual Work Plan, which is updated monthly to address emerging issues.

A certified medical auditor should know what’s listed on the OIG Work Plan. This knowledge allows the auditor to inform staff of billing practices that have been flagged as high risk for fraud and abuse. The Work Plan should also inform the auditor's choice of scope for upcoming audits.

In addition to publishing its Work Plan, the OIG creates fraud alerts, advisory opinions, and audit reports that influence auditing behavior among MACs and commercial payers.

The CERT Report

CERT is a CMS initiative developed to measure improper payments in the Medicare Fee-for-Service (FFS) program. It is conducted annually with the goal of reducing payment to inappropriate claims.

For each reporting period throughout the year, CERT chooses a stratified random sample of claims submitted to A/B MACs and DME MACs. CERT then requests the supporting documentation for the sampled claims so they can be reviewed against their documentation by an independent medical review contractor.

If the medical review contractor discovers that coding, billing, and/or Medicare coverage criteria were not met, the claim is identified as a total or partial improper payment.

Through this annual review, CMS calculates the overall Medicare FFS improper payment rate. All data is then itemized in the Improper Payment Rates for Centers for Medicare & Medicaid Services (CMS) Programs, also known as the CERT Report.

CMS advises all provider organizations — from the small physician practice to the multi-hospital health system — to look carefully at the annual CERT Report for potential areas of exposure. In the same manner, auditors gain insight by using third-party payer-provider bulletins, RAC-identified vulnerabilities (listed on their websites), and the OIG Work Plan.

Knowledge is power. If it’s on the payers’ radar, it should be on the auditor’s radar. Auditing for pervasive claim problems will ensure your organization doesn’t overlook them.

The Medical Chart Audit Process

The only way to verify coding accuracy is to compare the coding against the medical record documentation. The medical charts review, the most frequently conducted healthcare audit, looks at documentation and claims information to determine if claims have been appropriately coded.

Chart auditing programs have become necessary in response to the increase in federal payer audits. Even commercial payers have geared up teams to conduct frequent and random on-site and off-site compliance audits of hospitals and medical practices.

When a provider organization performs an internal audit — or hires an independent auditor to perform an external audit — the organization learns if its claims will withstand government scrutiny. It also gains an opportunity to self-report and correct issues that pose a threat to their financial viability.

Every medical coder should learn how to conduct a medical coding audit in view of its potential value to their employer (and their coding career). Fortunately, the audit process is easy to understand when broken down into its component parts.

Step 1: Plan the Medical Record Audit

Perhaps you need a medical record audit to establish a baseline for the organization. Perhaps you need to assess the effectiveness of previous staff education. Auditing objectives range from investigating areas of insufficient documentation to identifying improper coding, billing activity, and post-payment risks. Regardless, in all cases, conducting the audit to produce useable data requires planning. The first questions to consider include:

• Does benchmark data from previous audits exist?
• Does benchmark data suggest the focus of the audit (e.g., new patient visits, consultation, office, hospital, etc.)?
• Do other events suggest the focus of the audit (e.g., claim denials, federal audit targets or error reports, a new regulation or guideline, a new internal policy or software platform, a new medical coder or provider)?
• Will the audit evaluate for revenue and compliance?
• Are you performing a prospective or retrospective audit?
• What is the number of charts you are going to review?
• Is there a measure for the focus (e.g., utilization patterns)?
• What type of audit tools will you use?

Chart auditing is an iterative process, meaning that you repeat the process, and what you learn from one audit affects your starting point for the next. Therefore, answers to these questions will likely change. But understanding what is to be learned through the audit will enable the auditor to make the best decisions, and, once decisions are made, to maintain a focus on the objectives throughout the course of the medical audit.

Step 2: Choose Between 2 Basic Auditing Methods

• 1.

  A prospective audit helps identify and correct problems before sending claims to the payer. In a prospective audit, you review the documentation along with the codes that would have been billed to the payer. This allows for inconsistencies to be identified but typically delays the billing process.

• 2.

  A retrospective audit is a post-payment audit to evaluate whether services that were previously reported to a carrier were reported appropriately and consistent with the carrier’s binding rules. The auditor reviews the documentation, claim forms, and sometimes the explanation of benefits (EOBs) to ensure proper medical billing.

Each medical practice must determine which type of audit method will work for its environment. It’s also important to note that errors identified in the retrospective audit must be resolved through corrected claims, refunds to the payer, and possible self-disclosure.

Step 3: Decide the Audit Approach

Choosing between a focused audit and a random audit will depend on which approach serves the audit’s objectives.

• 1.

  A focused audit centers on a particular service item, provider, diagnosis, etc. For instance, you may need to audit a single provider because they’re trending in above-average reimbursement. Or maybe your organization is struggling with modifier errors.

• 2.

  A random audit refers to a comprehensive review involving a sample of charts arbitrarily selected to indicate compliance problems reflected in all charts. The sample will come from a designated period, preferably within the last three months. This type of audit pinpoints areas to focus improvement efforts and training, as well as targets of future focus audits.

Most baseline audits, designed to inform the medical practice how it fares in relation to correct coding and billing, are random audits and should include all coding practices, services, and physicians and practitioners in the organization.

Step 4: Determine Audit Scope

Determining the scope of the audit involves honing or defining factors that entered the decision to go with a focused or random audit.

You might choose a random sampling if this is the practice’s first audit. If, though, the organization has conducted previous audits, past audit reports should suggest a focus area, such as new office visits, consultations, inpatient visits, or certain diagnosis codes. Reasons might necessitate a payer-focused audit and require you to review charts billed exclusively to Medicare, Medicaid, or another payer. Similarly, you might perform a provider-focused audit or a coder-focused audit. Maybe you need to review high-volume services or services with high denial rates.

Priority should be the key determinant when defining the audit scope. Coding and billing complexities with a heightened potential to affect reimbursement or liability can’t be overlooked without consequences. Less urgent target areas can be assured necessary assessment with an audit work plan that schedules recurring audits for the year.

In defining the audit scope, the auditor should include the date range of the audit sample.

Step 5: Determine Sample Size

The audit sample should use a percentage of patient encounters that represent the encounter types. Auditing too few records may distort results, while auditing too many records becomes impractical in terms of time and labor.

The standard sample size ranges from 10 to 15 charts. When conducting an audit involving multiple physicians, the OIG recommends five to 10 charts per medical provider.

The OIG also recommends using RAT-STATS to help with statistical sampling. This tool is provided for free through the OIG and will tell an auditor how many charts to pull for an accurate sample size.

Tools such as RAT-STATS allow the practice to understand the sampling methodologies used by payers. This, in turn, allows the practice to remain proactive in compliance efforts by mining information reflecting high-risk areas. If the practice can identify these areas, audit the documentation and coding, and provide education based on variances, it will lower the probability of having a payer audit reveal hidden liabilities.

Step 6: Select Audit Tools

An efficient audit tool is important when auditing the medical record. If the auditor is conducting a review of surgical notes, for example, a surgical audit tool should be used. If the auditor is conducting an evaluation and management (E/M) audit, the tool needs to reflect the guidelines used by the practitioner.

Some auditors choose audit software to audit records, print an audit report, and help analyze the data. Keep in mind that computer software does not have the capability to evaluate medical necessity. This is a “thinking” process that requires the auditor to possess a strong background in medical coding.

When selecting an audit tool, remember that tools can vary among payers. MAC tools may vary, as well. The auditor should choose according to the audit scope, using a payer- or MAC-specific tool when applicable.

It’s also imperative to have references on hand. For accuracy and to support audit findings with verifiable guidelines, the auditor should refer to:

• 1.

  Evaluation and Management Documentation Guidelines (1995, 1997) and current CPT^® guidelines

• 2.

  ICD-10-CM, CPT^®, and HCPCS Level II code sets when auditing outpatient organizations

• 3.

  CPT^® Assistant references and AHA Coding Clinic^® references

• 4.

  Frequency reports by physician (utilization of levels of service obtained by the medical billing software) and utilization based on specialty (can be obtained by insurance carrier)

• 5.

  Physician’s fee schedule by insurance carrier

• 6.

  Payer guidelines and payment policies

• 7.

  Medical terminology reference, such as a medical dictionary

• 8.

  The OIG Work Plan

Step 7: Locate Documentation

Once the sample size and charts have been identified, you’ll need to collect documentation pertaining to the date of service (DOS) for charts under review. In addition to a note, the medical record for the patient encounter might include labs, forms, images, and other miscellaneous items. All documentation is required to successfully conduct the review.

In a retrospective audit, you’ll need the superbill/charge ticket, patient chart, claim form or billing record (to validate what was submitted), and the explanation of benefits (EOB) or Remittance Advice — for each patient encounter.

You might also want to familiarize yourself with the chart organization, special forms including the history form, problem list, and medication sheet.

Step 8: Conduct the Audit

Using your tools and resources, perform the audit. Be sure to review both coding and documentation. Pay attention to the guidelines in the CPT®, ICD-10-CM, and HCPCS Level II coding books, as well as ensuring proper documentation. Double check coding criteria for services such as:

• New versus established patient
• Consult versus transfer of care (referral)
• Time-based code requirements
• Critical care services
• Hospital services
• Nonphysician practitioner services

Step 9: Analyze Audit Findings

Once the audit is complete, analyze your findings and identify problem areas, such as:

• Improper assignment of CPT^® or HCPCS Level II codes for procedures or services
• E/M levels not supported by documentation
• Incorrect diagnosis codes, including ICD-10-CM codes that don’t capture optimum specificity or support medical necessity
• Missing modifiers and/or incorrect modifier usage
• Incorrect diagnosis linkage
• Services performed but not billed

Step 10: Create the Audit Analysis and Summary Report

Compile the audit findings in a concise audit report. Your writing style should be detailed yet persuasive. The reader should be able to understand what was audited and how the audit was performed.

Identify the number of encounters documented correctly and incorrectly. Note trends and errors in coding. Each error or risk area should be outlined categorically and labeled so as to define the category (for example, particular CPT^® code, particular payer, particular provider, or specialty). All errors should be explained and include a citation to the appropriate standard.

Finally, suggest remedial actions. Recommendations might include additional training or modification of documentation systems. Usually included is a recommendation for follow-up analysis to evaluate the effectiveness of the corrective action.

The auditor’s approach to communicating the audit results is as important as the approach to the audit. Choose a constructive tone to avoid defensive reactions that could sabotage improvement efforts. And give the staff time to review the results and prepare questions before meeting. The audit report should be the first post-audit communication, in other words. Know your audience and personalize audit findings for the medical coder, the physician, and the nonphysician practitioner.

Step 11: Meet with Coders, Practitioners, and Ancillary Staff

Discussing audit findings allows the auditor to address risks and the corrective actions to mitigate them. Allow enough time to talk about each case, offer suggestions, and answer questions.

When conferencing with the provider, you may get pushback. A physician may be less concerned with coding and compliance and more concerned with patient care. If reimbursement drives the provider’s thinking, have figures ready that show a revenue loss or gain. If the provider is more concerned with unwanted attention from CMS, outline the potential risk for an audit target.

Let staff know what they did well and how they can improve. If a physician isn’t documenting a thorough assessment and plan, for example, explain why capturing these elements is important for the patient and the practice. If audit findings are under dispute, substantiate them with hard copies of payer and coding guidelines.

Remember, the tone of communication is crucial. Your goal is to establish open dialogue.

Step 12: Make Recommendations for Improvement

The audit won’t benefit the organization if efforts aren’t made to address utilization pattern abnormalities, coding errors, and documentation deficiencies.

Use audit findings to educate providers on how to improve clinical documentation. Your recommendations might include shadowing sessions or creating “cheat sheets” to help practitioners capture the full clinical story and all services provided during the patient encounter.

Audits can also direct ancillary staff training. Tailor education to correct detected problems. Educate medical coders and billers on the proper coding and billing of CPT^® codes, ICD-10-CM codes, HCPCS Level II codes, and modifiers.

If internal policy causes error, revise the policy. Commit to following through on all recommendations, particularly audit-tailored training, monitoring, and suggested target areas of future audits.

Step 13: Provide Ongoing Monitoring and Assessment

Consult with providers and the compliance officer or practice manager to establish (or modify) an audit work plan. A general rule of thumb to determine how often to conduct a chart review is more errors, more audits. Create a timeline based on the audit results.

For instance, if reviewed charts achieve 90% accuracy, a standard annual audit should keep the organization compliant. Up the audit cycle to every quarter if accuracy drops between 75 and 90%. Audit monthly for accuracy below 75%. Finally, perform a prospective audit with accuracy below 60%. The workload might seem daunting, but the alternative is worse.

Step 14: Execute Audit Follow-up

If an error has been identified and found to have resulted in overpayment, it’s necessary to report the error to the payer. The organization may voluntarily return the overpayment or request that the payer initiate a demand letter. How refunds are handled will depend on the payer who made the overpayment.

If, however, you suspect the overpayment is linked to a pattern of claim errors that has accumulated a sum in overpayments, you have an obligation to investigate. You will need to initiate the process of a focused audit. If your findings confirm a significant error rate involving overpayments without evidence of fraudulent conduct, the organization should seek legal counsel to determine whether to voluntarily identify, disclose, and refund overpayments.

Auditors don't handle self-disclosures. When one is needed, legal counsel should take over the disclosure process and participate in the creation of a corrective action plan.