Understanding Governmental Audits (2013 update)

This practice brief supersedes the July 2011 practice brief "Understanding Governmental Audits."

Today, armed with enhanced fraud and abuse laws, the federal government has launched new audits that organizations and providers must contend with on a regular basis. Recent additions include Recovery Audit Contractors (RACs) and Zone Program Integrity Contractors (ZPICs). Others such as Comprehensive Error Rate Testing (CERT) auditors have been around for a number of years.

Some of these government auditors have overlapping jurisdictions. In addition, each auditing entity has different operational requirements, which healthcare organizations can find overwhelming to meet.

This practice brief provides an overview of current healthcare reimbursement auditors and their purposes. AHIMA’s “Healthcare Reimbursement Audit Toolkit,” available online through www.ahimastore.org, outlines additional information, such as the record request limit, scope of work, and the appeal process for each.

Audit Process

Government auditors are authorized to investigate claims submitted by any entity or provider that provides Medicare beneficiaries with procedures, services, and treatments. In addition, anyone who submits claims to Medicare and/or their fiscal intermediaries, regional home health intermediaries, Medicare Administrative Contractors (MACs), durable medical equipment suppliers, and/or carriers are also subject to investigation.

Each government auditor is established independently with a different mission and scope of work. Therefore, there is no standard for the number of record requests, timeline, appeals process, or type of review. In addition, many external payers are also conducting healthcare reimbursement audits. As such, organizations often struggle to understand their operational and financial impact of these audits.

Preparation Checklist

Organizations should prepare for government and external payer audits with the following steps:

  • Outline the process for responding to an audit step-by-step
  • Identify who needs to be involved in the process
  • Develop policies and procedures that clearly designate roles and responsibilities for each piece of the audit process, including coding professionals who assign codes, business office staff who may receive denials, revenue integrity auditors who review records, and HIM staff who process or copy charts for each request
  • Develop policies and procedures to arrange for an onsite auditor (i.e., procedure to provide electronic health record access and orientation to the auditor, to assign staff to assist with any questions, and to participate in exit interviews as well as resolve any identified issues)
  • Develop organizational education regarding the increase in government audits and the need for clear and concise documentation
  • Develop education specific to each department in the revenue cycle process and the department’s role in the audit program
  • Determine the different types of record requests and time frames
  • Distinguish the various types of appeals to secure each claim

The preparation checklist in appendix A of AHIMA’s “Healthcare Reimbursement Audit Toolkit” provides a big-picture overview to help HIM professionals understand these action steps. It also includes references to key resources.

Organizations should also identify and name an audit coordinator. This is an essential role in any program, as this individual is the focal point for all audit activity, helping manage and oversee the internal process. For a sample job description of the audit coordinator role, see appendix C in the “Healthcare Reimbursement Audit Toolkit.”

Extrapolation Method

Sampling and extrapolation are standard audit practices designed to reduce the cost of auditing in exchange for accepting a small amount of risk in the results. In fraud and abuse audits, extrapolation is the use of statistical sampling to calculate and project (i.e., extrapolate) overpayment amounts to be recovered by recoupment.

This method is used when a statistical sampling determines that a sustained level of payment error exists or when documented educational efforts fail to correct the error. A sustained level of payment error may be determined to exist through a variety of means, including probe samples, data analysis, provider history, and information from law enforcement investigations or Office of Inspector General (OIG) evaluations.

Government auditors must use the services of a qualified statistician to determine the sample size and selection method. They must also explicitly document the sampling methods.

Once the sample size and selection method are determined, the auditor will request records from the provider. Following a review of the records, the auditor will calculate the average per-claim overpayment amount of the sample. This amount is then multiplied by the number of claims in the review population to determine the overpayment amount (i.e., average per-claim overpayment multiplied by the number of claims in review population will equal the overpayment amount)

Organizations should carefully review auditor requests for the possible extrapolation method because these audits have significant financial risk. The auditor may review only five to ten records but based on the extrapolation method take back money on more than 100 records because that is the number of patient records with that specific DRG. For example, if the organization sees that the record request will be extrapolated, it can immediately review the five records requested. If the organization finds that the code assignment is incorrect, it can prepare financially for the loss of revenue.

The auditor is required to send the results of the review in a demand letter that outlines the method used and overpayment amount. These rulings can be appealed through the auditor’s appeal process.

Federal Government Audit Entities
Acronym Program Name
CERT Comprehensive Error Rate Testing Program
DOJ Department of Justice
HEAT Health Care Fraud Prevention and Enforcement Action Team
MAC Medicare Administrative Contractor
Medicaid RAC State Medicaid Recovery Audit Contractor
MFCU Medicaid Fraud Control Unit
MIC Medicaid Integrity Contractor
MIP Medicaid Integrity Program
OIG Office of Inspector General
OMIG State Office of Medicaid Inspector General
PERM Payment Error Rate Measurement Program
RAC Medicare Recovery Audit Contractor
RADV Medical Advantage Risk Adjusted Data Validation
ZPIC Zone Program Integrity Contractor

Impact of the Query Process

An effective query process can help organizations and providers submit claims that best describe the services provided. Queries can be applied concurrently, pre-bill, or post-bill. Many organizations struggle to understand the impact a post-bill query and the impact its subsequent payment rebill has on the audit process.

“Post-bill queries generally occur as a result of an audit or other internal monitor. It is recommended that healthcare entities develop a policy regarding whether they will generate post-bill queries and the timeframe following claims generation that queries may be initiated. They may consider the following three concepts in the development of a post-bill (including query) policy:

  • Applying normal course of business guidelines—being sure the post-bill query process is conducted in the entity’s normal timreframe for completing health records in accordance with medical staff bylaws and rules and regulations for health record completion.
  • Using payer-specific rules on rebilling timeframes
  • Determining reliability of query response over time”1

The Centers for Medicare and Medicaid Services (CMS) has reminded providers to ensure that “any information that affects the billed services and is acquired after physician documentation is complete…be added to the existing documentation in accordance with accepted standards for amending medical record documentation.”2,3

If the query is accepted through organizational policy as an amendment to the health record documentation, the query would be sent as part of the record requested for a governmental or external payer audit. If the claim is denied, organizations can submit an appeal letter along with the query as health record documentation throughout the appeal process, including administrative law judge hearings.

Audit Operations

CMS considers the compliance officer role to be crucial in reducing the number of improper payments. As a result, the Hospital Payment Monitoring Program (HPMP), formerly the Payment Error Prevention Program, developed the HPMP Compliance Workbook to provide guidance and tools for organizations seeking to strengthen their compliance programs and help reduce payment errors.

The guidance includes documents related to clinical laboratories, home health agencies, hospices, and nursing homes that should be referenced if those services are provided. It is available at www.metastar.com/Web/Portals/0/Documents/HPMP/HPMP-ComplianceWorkbook.pdf.

An organization’s compliance program should go beyond inpatient claims to encompass other government audits because an organization’s risk is based on high-volume or problem areas as well as the variety of services or settings it provides.

In addition, organizations should gain an understanding of the increased workload that may result due to these external audits. For example, RAC auditors are allowed to request up to 400 records every 45 days. For a facility with more than $100 million in annual Medicare payments the cap is 600 medical records. Organizations should determine the staffing needs required to support the process from the point of request receipt and record copying through the possible denial and appeal process.

2012 Audit Monetary Returns

During fiscal year 2012, the federal government won or negotiated approximately $4.2 billion in healthcare fraud judgments and settlements. The Medicare Trust Fund received transfers of approximately $2.4 billion during this period as a result of the federal government’s auditing efforts.1

In addition, the federal government recovered nearly $1.5 billion in restitution and compensatory damages through various federal agencies. More than $280 million in funds were also awarded to private persons who filed suits on behalf of the federal government under the qui tam provisions of the False Claims Act.

The table below outlines the funds the federal government recovered during fiscal year 2012.

Department of the Treasury Deposits to the Medicare Trust Fund, as required by HIPAA
Gifts and Bequests $54
Amount Equal to Criminal Fines $$1,389,126,761
Civil Monetary Penalties $15,766,272
Asset Forfeiture $20,370,629
Penalties and Multiple Damages $602,272,078
Subtotal Centers for Medicare and Medicaid Services $2,027,535,794
HHS/OIG Audit Disallowances—Recovered $89,677,367
Restitution/Compensatory Damages $332,565,650
Subtotal $422,243,026
Grand Total of Amounts Transferred to the Medicare Trust Fund $2,449,778,820
Restitution/Compensatory Damages to Federal Agencies
TRICARE $121,733,571
Department of Veterans Affairs $81,149,775
HHS/OIG Cost of Audits, Investigations, and Compliance Monitoring $11,847,360
Office of Personnel Management $157,225,672
Other Agencies $3,113,738
Federal Share of Medicaid $835,723,125
HHS/OIG Audit Disallowances – Recovered Medicaid $275,559,307
Subtotal $1,486,352,548
Funds awarded to private persons who file suits on behalf of the federal government
under the qui tam provisions of the False Claims Act, 31 U.S.C. 3730(b)
TOTAL $4,220,671,240


  1. Office of Inspector General, Department of Health and Human Services. “The Department of Health and Human Services and the Department of Justice Health Care Fraud and Abuse Control Program Annual Report for Fiscal Year 2012.” February 2013. https://oig.hhs.gov/publications/docs/hcfac/hcfacreport2012.pdf.

The ABCs of Government Auditors

More than a dozen government auditors are currently at work in healthcare. Following are descriptions of the major auditors and the focus of their audits.


CMS implemented the Comprehensive Error Rate Testing (CERT) program to measure improper payments in the Medicare Fee-for-Service (FFS) program. It was designed to comply with the Improper Payments Elimination and Recovery Act of 2010.

All claims for the CERT program are chosen at random and designed to pull a random electronic sample of claims. CMS outlines how records are requested for the CERT program through its “Improper Medicare Fee-for-Service Payments Report,” available at http://www.cms.gov/Research-Statistics-Data-and-Systems/Monitoring-Programs/CERT/CERT-Reports.html.


The Department of Justice collaborates with many of the auditing agencies including OIG and the Department of Health and Human Services (HHS). In addition, DOJ can perform other audits if requested by other government agencies.

DOJ primarily uses auditors to work on civil fraud cases and uses these same auditors to work on healthcare fraud. When a federal or state investigative agency identifies that a subject is under current investigation in multiple states or jurisdictions; that information is sent to DOJ to develop a nationwide strategy to coordinate the multiple efforts and resources.


The goal of the Health Care Fraud Prevention and Enforcement Action Team is to prevent fraud and abuse in the Medicare and Medicaid programs by identifying fraud perpetrators and those abusing the system. The program also focuses on perpetrators who prey on Medicare and Medicaid beneficiaries.

The HEAT audits have been incredibly successful in building partnerships between DOJ, HHS, and other agencies to recover tax-payer dollars.4


Medicare Administrative Contractors are contracted to perform prepayment medical reviews to ensure services provided to Medicare beneficiaries are covered and medically necessary. All claims submitted to MACs are put through a “scrubber” to check against claim edits and ensure payments are made to certified providers. CMS publishes and maintains these edits, such as the Outpatient Code Edit (OCE).

Once the claim passes all edits, the MAC calculates the payment amount based on fee schedules, formulas, geographical adjustments, provider characteristics, and beneficiary copayments.

The Medicare Prescription Drug Improvement and Modernization Act of 2003 mandated CMS transition all its fee-for-service fiscal intermediaries and carriers to MACs by 2011. As a result, 15 A/B MAC jurisdictions were established. In July 2010 CMS posted a notice of plans to consolidate the 15 MACs into 10 jurisdictions, implement a contract limit for the A/B MAC contracts, and enhance the role of the contractor medical directors.

MAC audits have been combined with RAC audits in order to leverage their resources in identifying payment errors. MACs primarily review on a prepayment basis, while RACs review on a retrospective system. As the MAC utilizes prepayment edits to identify payment errors, the results may be sent to the RAC for retrospective review.

If an organization receives a MAC review and identifies that a billing or coding error has occurred, it is best to self-report regarding past discharges. By self-reporting, the organization stops a potential RAC retrospective review, which could also open the organization to full medical necessity review in addition to a DRG review.

MIP and MICs

The Deficit Reduction Act of 2005 created the Medicaid Integrity Program (MIP) under section 1936 of the Social Security Act. MIP is the first comprehensive federal strategy to prevent and reduce provider fraud, waste, and abuse in the $300-billion-per-year Medicaid program.

CMS has two broad responsibilities under MIP: to hire contractors to review provider activities and to support states in their efforts to combat fraud and abuse.

The Social Security Act also required CMS develop the five-year Comprehensive Medicaid Integrity Plan in consultation with internal and external partners. The Medicaid Integrity Group oversees MIP through Medicaid Integrity Contractors (MICs) and State Program Integrity Operations.

There are three primary MICs. Review MICs analyze Medicaid claims data to determine potential provider fraud, waste, or abuse. Audit MICs audit provider claims and identify overpayments. Education MICs provide education to providers and others on payment integrity and quality-of-care issues.

Medicaid RAC

Medicaid Recovery Audit Contractors are a supplemental approach to Medicaid program integrity efforts already under way to ensure that states make proper payments to providers. The Affordable Care Act of 2010 required states and territories establish the Medicaid RAC program under the statute that establishes the Medicare RAC program.

Medicaid RACs are tasked with identifying and recovering Medicaid overpayments and identifying underpayments. They are also tasked with designing their programs so that the Medicaid RACs report instances of fraud and criminal activity in addition to the pursuit of overpayments.

All states were to implement a Medicaid RAC program by January 1, 2012.

“The Medicaid RAC Final rule requires states to report on certain performance metrics to CMS. The performance metrics gather information on the number of audits completed, overpayments identified and recovered, underpayments identified, and fraud referrals to MFCUs.”5 The final rule does allow the States flexibility in designing their programs as appropriate.


A Medicaid Fraud Control Unit is a single identifiable entity of state government annually certified by OIG. MFCUs are responsible for conducting a state initiative aimed at investigating and prosecuting providers that defraud the Medicaid program.

In addition, MFCUs may also review complaints of abuse or neglect of nursing home residents or the misappropriation of a patient’s private funds while in the home. The Ticket to Work and Work Incentives Improvement Act of 1999 extended MFCU jurisdiction to include fraud investigation in any federally funded healthcare program.

North Dakota received a waiver from the federal government in 1994, leaving MFCUs in 49 states and the District of Columbia. Most are located in the state attorney general’s office, though it is not a requirement.

In order to be certified by HHS, MFCUs are required to employ attorneys experienced in the investigation and prosecution of civil fraud or criminal cases, investigators with extensive knowledge in commercial and financial investigations, and auditors capable of investigating allegations of fraud.


Since 1993 OIG has been performing and supervising audits and investigations of fraud and abuse to promote efficiency and effectiveness and minimize loss of governmental programs. As mandated by amended Public Law 95-452, OIG’s mission is to protect the integrity of HHS programs as well as the health and welfare of the beneficiaries of those programs. All activities performed by OIG lie within the authority of the US Inspector General.

Depending on the nature of the violations, organizations or providers should consider engaging legal counsel, auditors, or other healthcare experts to help ongoing OIG investigations.


The State Offices of Medicaid Inspector General are independent agencies within individual state departments of health. Their purpose is to improve the integrity of state Medicaid programs by coordinating the fraud and abuse activities for multiple state agencies that provide Medicaid-funded services.

Although each OMIG is different, many work with agencies such as the Department of Mental Health, Office of Children and Family Services, and Office of People with Developmental Disabilities. They also work closely with MFCUs to support their enforcement activities.


The Payment Error Rate Measurement program measures improper payments in the Medicaid program and the Children’s Health Insurance Program (CHIP). PERM is designed to comply with the Improper Payments Information Act of 2002. Executive Order 13520 further intensified PERM efforts to eliminate payment errors, waste, fraud, and abuse in federal programs, including Medicaid.

For PERM, CMS is using a national contracting strategy consisting of three contractors to perform statistical calculations, medical records collection, and medical/data processing review of select state Medicaid and CHIP fee-for-service and managed care claims. In FY 2006 CMS reviewed only Medicaid Fee-for-Service claims. Starting in FY 2007 CMS expanded PERM to include reviews of FFS and managed care claims, as well as beneficiary eligibility in both the Medicaid and CHIP programs.


The Recovery Audit Contractor (RAC) program’s mission is to reduce Medicare improper payments through the detection and collection of overpayments, the identification of underpayments, and the implementation of actions that will prevent future improper payments. Many of these activities involve data-mining activities based on billing information.

The Tax Relief and Health Care Act of 2006 mandated CMS implement Medicare RAC programs in all states. CMS awarded contracts to four regional RACs, each responsible for ensuring identification of payment errors for approximately a quarter of the US.

RAC audits continue to be a compliance risk for organizations and providers due to the large scope and increased data-mining efforts. In addition, RAC audits impose a significant operational impact to healthcare organizations and providers. The maximum number of medical records that recovery audit contractors (RACs) can request in a 45-day period from a hospital is 400. For facilities with more than $100 million in annual Medicare payments, the cap is 600 medical records. RACs are currently engaged in a pre-payment review demonstration which began on September 1, 2012. This demonstration is focused on certain types of claims that historically result in high rates of improper payments.


Effective January 26, 2009, benefit integrity work transitioned from Program Safeguard Contractors and the Medicare Prescription Drug Integrity Contractors into Zone Program Integrity Contractors, which are located in seven zones. The scope of work for ZPICs is similar to the previous scope of work carried out by the earlier contractors. ZPIC auditors perform a wide range of medical review, data analysis, and evidence-based policy auditing activities designed to find fraud, abuse, and waste within the Medicare system.

These audits are often the most concerning for organizations and providers because they have a tendency to use statistical data sampling and extrapolation methods. These methods allow ZPIC auditors to recoup overpayments totaling hundreds of thousands of dollars. ZPIC audits should not be taken lightly and organizations should handle these types of audits with due diligence.


The Medicare Advantage Risk Adjustment Validation Audits have been developed to ensure that risk adjustment payments are supported by medical record documentation. The risk adjustment model is utilized for the Medicare Advantage program and Medicare Managed Care Organizations and is based upon the hierarchical condition categories (HCC) for coding.


  1. AHIMA. “Managing an Effective Query Process” Journal of AHIMA 79, no. 10 (October 2008): 83-88.
  2. Centers for Medicare and Medicaid Services. “Recovery Audit Contractor (RAC) Demonstration High-Risk Medical Necessity Vulnerabilities for Inpatient Hospitals.” MLN Matters SE 1027. November 12, 2010. https://www.cms.gov/MLNMattersArticles/downloads/SE1027.pdf.
  3. Centers for Medicare and Medicaid Services. “Recovery Audit Contractor (RAC) Demonstration for High-Risk Diagnosis Related Group (DRG) Coding Vulnerabilities for Inpatient Hospitals.” MLN Matters SE1028 revised. August 21, 2012. http://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNMattersArticles/downloads/SE1028.pdf.
  4. “Top Ten Health Care Compliance Risks for 2011.” January 1, 2011. www.zpicaudit.com/2011/01/top-ten-health-care-compliance-risks-for-2011.
  5. Centers for Medicare and Medicaid Services. “Recovery Auditing in the Medicare and Medicaid Programs for Fiscal Year 2011.” http://www.cms.gov/Research-Statistics-Data-and-Systems/Monitoring-Programs/Recovery-Audit-Program/Downloads/FY2011-Report-To-Congress.pdf.


American Hospital Association. “Recovery Audit Contractor (RAC) Program.” http://www.aha.org/advocacy-issues/rac/index.shtml.

Centers for Medicare and Medicaid Services (CMS). “Demonstration to Work toward Assuring Accurate Medicare Payments.” Press release. March 28, 2005. www.cms.gov.

CMS. “Statementof Work for the Recovery Audit Program.” http://www.cms.gov/Research-Statistics-Data-and-Systems/Monitoring-Programs/Recovery-Audit-Program/Downloads/090111RACFinSOW.pdf.

CMS. “MMA—The Centers for Medicare & Medicaid Services (CMS) Recovery Audit Contractor (RAC) Initiative.” MLN Matters SE0469. http://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNMattersArticles/downloads/SE0469.pdf.CMS. “Recovery Audit Contractor Overview.” www.cms.gov/RAC.

Johnson, Kathy M., et al. “RAC Ready: How to Prepare for the Recovery Audit Contractor Program.” Journal of AHIMA 80, no. 2 (Feb. 2009): 28–31.

Wilson, Donna D. Responding to a Recovery Audit Contractor (RAC) Evaluation. Chicago, IL: AHIMA, 2010.

Prepared by

Theresa Rihanek, MHA, RHIA, CCS
Doreen Lopez, RHIT student


Elizabeth Barta, RHIA, MSA, CDIP
Angie Comfort, RHIT, CDIP, CCS
Julie Dooling, RHIA
Katherine Downing, MA, RHIA, CHP, PMP
Lesley Kadlec, MA, RHIA
Diana Warner, MS, RHIA, CHPS, FAHIMA

Original prepared by

Dawson Ballard, CCS-P, CPC, CEMC
Cathy Brownfield, RHIA, CCS
Kathy DeVault, RHIA, CCS, CCS-P
Sharon Easterling, MHA, RHIA
Mary Gregory, RHIT, CCS, CCS-P, CPC
Tedi Lojewski, RHIA, CCS
Pat Maccariella-Hafey, RHIA, CCS, CCS-P, CIRCC
Ginny Martin, RHIA, CCS
Kathy Myrick, RHIT, CCS
Mary Stanfill, RHIA, CCS, CCS-P
Lou Ann Wiedemann, MS, RHIA, FAHIMA, CPEHR
Donna Wilson, RHIA, CCS, CCDS
Ann Zeisset, RHIT, CCS, CCS-P

Original acknowledgments

Judy Bielby, MBA, RHIA, CPHQ, CCS
Angela Dinh, MHA, RHIA, CHPS
Julie Dooling, RHIT
Gwen Jimenz, RHIA
Carole Liebner, RHIT, CCS
Laura Rizzo, MHA, RHIA
Joyce Shearry, RHIA, CCS
Heather Taillon, RHIA
Diana Warner, MS, RHIA, CHPS, FAHIMA

Article citation:
AHIMA Practice Brief. "Understanding Governmental Audits (2013 update)" (Updated November 2013)