Category Archives: RAC Audits

Can Medicare/caid Auditors Double-Dip?

The issue today is whether health care auditors can double-dip. In other words, if a provider has two concurrent audits, can the audits overlap? Can two audits scrutinize one date of service (“DOS”) for the same consumer? It certainly doesn’t seem fair. Five years ago, CMS first compiled a list of services that the newly implemented RAC program was to audit. It’s been 5 years with the RAC program. What is it about the RAC program that stands out from the other auditor abbreviations?

We’re talking about Cotiviti and Performant Recovery; you know the players. The Recovery Audit Program’s mission is to reduce Medicare improper payments through the efficient detection and collection of overpayments, the identification of underpayments and the implementation of actions that will prevent future improper payments.

RACs review claims on a post-payment basis. The RACs detect and correct past improper payments so that CMS, Carriers, and MACs can implement actions that will prevent future improper payments.

RACs are also held to different regulations than the other audit abbreviations. 42 CFR Subpart F dictates the Medicaid RACs, whereas the Medicare program is run by 42 CFR Subchapter B.

The auditors themselves are usually certified coders or LPNs.

As most of you know, I present on RACMonitor every week with a distinguished panel of experts. Last week, a listener asked whether 2 separate auditors could audit the same record. Dr. Ronald Hirsh’s response was: yes, a CERT can audit a chart that another reviewer is auditing if it is part of a random sample. I agree with Dr. Hirsh. When a random sample is taken, then the auditors, by definition, have no idea what claims will be pulled, nor would the CERT have any knowledge of other contemporaneous and overlapping audits. But what about multiple RAC audits? I do believe that the RACs should not overlap their own audits. Personally, I don’t like the idea of one claim being audited more than once. What if the two auditing companies make differing determinations? What if CERT calls a claim compliant and the RAC denies the claim? The provider surely should not pay back a claim twice.

I believe Ed Roche presented on this issue a few weeks ago, and he called it double-dipping.

This doesn’t seem fair. What Dr. Hirsh did not address in his response to the listener was that, even if a CERT is allowed to double-dip via the rules or policies, there could be case law saying otherwise.

I did a quick search on Westlaw to see if there were any cases where the auditor was accused of double-dipping. It was not a comprehensive search by any means, but I did not see any cases where auditors were accused of double-dipping. I did see a few cases where hospitals were accused of double-dipping by collecting DSH payments to cover costs that had already been reimbursed, which seems like a topic for another day.

Post-COVID Medicare/caid Rules Matter!

How many times have we panelists talked about COVID and COVID exceptions to the regulatory rules? How many times have we warned providers that the exceptions will expire at the end of the public health emergency (“PHE”)? Well, it’s coming. The COVID PHE is still in effect for America, but some States have lifted their PHE status. NC’s state of emergency expired August 15, 2022. In Montana, the state of emergency ended June 30, 2021.

What does that mean? When America’s PHE expires, so do all the exceptions. When your particular State’s PHE ends, so do the PHE exceptions your particular State allowed. This is imperative to ALL Medicare and Medicaid audits by whatever alphabet soup is knocking on your door. As well you know, auditors don’t always get it right. Add in confusion due to COVID exceptions…which apply in which State and which expired?

Last week, CMS released fact sheets summarizing the current status of Medicare and Medicaid COVID waivers and exceptions by provider type. The fact sheets include information about which waivers and flexibilities have already been terminated, have been made permanent or will end at the end of the COVID-19 public health emergency. Unless specifically stated, all exceptions expire at the end of the PHE, which is in the process of winding down.

I decided to review a fact sheet to determine how useful it was. For provider type, I chose hospitals. The fact sheet is entitled, “Hospitals and CAH (including swing beds, DPUs), ASCs and CMHCs.” It is 28 pages. The fact sheets are must reads for all providers. When you play chess, the rules matter. When you accept Medicare and/or Medicaid, the rules matter. And these fact sheets are the rules.

The fact sheets cover telehealth and reimbursement rates. The hospital fact sheet covers hospitals without walls, off-site patient screening, paperwork requirements, physical environment requirements, which waivers will or will not expire at the end of the PHE, and much more. I would say these fact sheets, for whichever type of provider you are, are mandatory reads. The fact sheets may not be absolutely encompassing, but they are summaries for you, all in one spot, organized for ease of reading. Thank you, CMS, for gathering this info and putting it all in one spot.

The Importance of the Differences in SMRCs, RACs, and QIOs

The Centers for Medicare & Medicaid Services (“CMS”) has modified the additional documentation request (“ADR”) limits for the Medicare Fee-for-Service Recovery Audit Contractor (“RAC”) program for suppliers. Yet, one of our listeners informed me that CMS has found a “work around” from the RAC ADR limits. She said, “There is the nationwide Supplemental Medical Review Contractor (“SMRC”) audits and now nationwide Quality Improvement Organizations (“QIO”) contract audits. These contracts came about after the Congressional limits on number of audits by the RAC.” Dr. Hirsh retorted, “But SMRC and QIO are not paid contingency fee. So, they are “different” audits. RACs are evil; SMRC and QIO have a few redeeming qualities.” I completely agree with Dr. Hirsh. But her point is well taken – SMRCs and QIOs follow different rules than RACs, so of course the SMRCs and QIOs have distinct ADR limits.

This is similar to the lookback periods. The lookback period varies depending on the acronym: RAC, MAC, or UPIC. RACs’ lookback period is 3 years, yet other acronyms get longer periods. I think what Dr. Hirsh is saying is right: because RACs are paid by contingency instead of a contracted rate, we have to limit the RACs’ authority because they are already incentivized to find problems; plus, they are allowed to extrapolate. The RACs already have too much leash.

So, what are the RAC ADR limits?

Well, interestingly, they just changed in April 2022. These limits will be set by CMS on a regular basis to establish the maximum number of medical records that may be requested by a RAC, per 45-day period. Each limit will be based on a given supplier’s volume of Medicare claims paid within a previous 12-month period, in a particular Healthcare Common Procedure Coding System (HCPCS) policy group. The policy groups are available on the pricing, coding analysis, and coding (PDAC) website. Limits will be based on the supplier’s Tax Identification Number (TIN). Limits will be set at 10% of all paid claims, by policy group, paid within a previous 12-month period, divided into eight periods (45 days). Although a RAC may go more than 45 days between record requests, in no case shall a RAC make requests more frequently than every 45 days. Limits are based on paid claims, irrespective of individual lines, although credit/replacement pairs shall be considered a single claim.

I wanted to go into the SMRCs’ and QIOs’ ADR limits to see whether they are following THEIR rules, but I’m out of time for today. I’ll research the SMRCs’ and QIOs’ ADR limits for next week and I will have an answer for you.

Senators Question RAC Audits!

I have presented on RACMonitor, I think, for 3 years. I’d have to ask Chuck Buck to be exact. Over the last three years, I have tried my best to get the message out – RAC Auditors do not know what they are doing. Always appeal the decisions. – I feel like on my blog and on RACMonitor I have screamed this message until I was blue in the face.

Apparently, a couple Senators have taken notice. Or their constituents complained enough. Senators Tim Scott and Rick Scott drafted a letter to the Comptroller of America. A comptroller is a “controller” of financial affairs for the Country. The comptroller is the police of our tax dollars.

A few months ago, Senators Tim and Rick Scott wrote the U.S. Comptroller and complained about RAC auditors.

It was a letter that was short and sweet. It asked three questions.

It asked:

  1. How have states used the Medicaid RAC program to address strategic program integrity needs, including audits of managed care, and what are the lessons learned?
  2. What steps do the states and the Centers for Medicare & Medicaid Services (CMS) take to coordinate state Medicaid RAC program audits and other program integrity efforts? This includes existing Medicaid integrity programs such as the Unified Program Integrity Contractors, Payment Error Rate Measurement program, state auditors and Medicaid Fraud Control Units.
  3. How do states and CMS oversee the Medicaid RAC program and what mechanisms are in place to appropriately refer suspected cases of fraud?

As for the first question, RACs do address strategic PI needs – the very reason for their existence is to detect supposed fraud, waste, and abuse (“FWA”) by Medicaid providers. I’d like to hear the Comptroller’s answer.

As for the second question, they asked whether the States and CMS coordinate State Medicaid RAC audits. I don’t really care if the States and CMS coordinate State Medicaid RAC audits. So, I don’t care whether I hear the Comptroller’s answer to this.

The third question – “how do States and CMS oversee the Medicaid RAC program and what mechanisms are in place to detect FWA by Medicaid providers?” –  I want to know that answer! I can tell the Comptroller the answer. The RAC Auditors are not supervised or overseen. If they were, they would audit differently; not try to find errors in every single audit conducted.

Maybe it’s time to get our Senators involved. While we’re at it, let’s talk about the Medicare provider appeal process, which is broken.

Questions Answered about RAC Provider Audits

Today I’m going to answer a few inquiries about recovery audit contractor (“RAC”) audits from providers. A question that I get often is: “Do I have to submit the same medical records to my Medicare Administrative Contractor (“MAC”) that I submit to a RAC for an audit?” The answer is “No.” Providers are not required to submit medical records to the MAC if submitted to a RAC, but doing so is encouraged by most MACs. There is no requirement that you submit to the MAC what you submit to RACs. This makes sense because the MACs and the RACs have disparate job duties. One of the MACs, Palmetto, instructs providers to send records sent to a RAC directly to the Palmetto GBA Appeals Department. Why send the records for a RAC audit to a MAC appeals department? Are they forecasting your intentions? The instruction is nonsensical unless ulterior motives exist.

RAC audits are separate from mundane MAC issues. They are distinct. Quite frankly, your MAC shouldn’t even be aware of your audit. (Why is it their business?) Yet, many times I see the MACs cc-ed on correspondence. Often, I feel like it’s a conspiracy –  and you’re not invited. You get audited, and everyone is notified. It’s as if you are guilty before any trial.

I also get this question for appeals – “Do I need to send the medical records again? I already sent them for the initial review. Why do I need to send the same documents for appeal?” I get it – making copies of medical records is time-consuming. It also costs money. Paper and ink don’t grow on trees. The answer is “Yes.” This may come as a shock, but sometimes documents are misplaced or lost. Auditors are humans, and mistakes occur. Likewise, providers are humans, and 100% Medicare regulatory compliance is not required…people make mistakes; those mistakes shouldn’t cause financial ruin.

“Do the results of a RAC audit get sent to your MAC?” The answer is “Yes.” Penalties penalize you in the future. You have to disclose penalties, and the auditors can and will use the information against you. The more penalties you have paid in the past, the more clearly they demonstrate that you suffer from abhorrent billing practices.

In fact, Medicare post-payment audits are estimated to have risen over 900 percent over the last five years. Medicare provider audits take money from providers and give to the auditors. If you are an auditor, you uncover bad results or you aren’t good at your job.

Politicians see audits as a financial win and a plus for their platform. Reducing fraud, waste, and abuse is a fantastic platform. Everyone gets on board, and votes increase.

Appealing your RAC audits is essential, but you have to understand that you won’t get a fair deal. The Medicare provider appeals process is an uphill battle for providers. And your MACs will be informed.

The first two levels, redeterminations and reconsiderations, are, basically, rubber-stamps on the first determination.

The third level is before an administrative law judge (ALJ), and is the first appeal level that is before an independent tribunal.

Moving to the False Claims Act, which is the ugly step-sister to regulatory non-compliance and overpayments. The government and qui tam relators filed 801 new cases in 2022.  That number is down from the unprecedented heights reached in 2020 (when there were a record 922 new FCA cases), but is consistent with the pace otherwise set over the past decade, reflecting the upward trend in FCA activity by qui tam relators and the government since the 2009 amendments to the statute.

See the chart below for reference:

Auditing Medicare Advantage Organizations – About Time!

The American Hospital Association (“AHA”) is asking the Department of Justice (DOJ) to look into health insurance companies that routinely deny patients access to care and payments to providers. I’d like a task force as well. This is exactly the problem I have witnessed with managed care organizations or MCOs. In traditional Medicare and Medicaid, MCOs are prepaid and make profit by denying consumers medical care, terminating provider contracts, and not paying providers for care rendered. Congress created the same scenario with Medicare Advantage. Individuals can elect coverage through private insurance plans. While MA has been wildly successful and popular, the AHA is complaining that too many people are getting denied services.

An OIG report that was published in April cites MAOs as denying services for beneficiaries. We are always talking about providers getting audited; it is about time that the companies that are gateways for providers getting reimbursed and beneficiaries getting medically necessary services are likewise audited for denying services. It seems ironic that providers are audited for potentially billing for too many services and these gateway, third-party reimbursement companies are audited for providing too few services – or denying too many prior authorizations. But if the MCO or MAO denies medical services, then the money that would have been paid to the provider stays in their pocket.

The OIG report found that many MAOs delay or deny services despite those services meeting Medicare prior authorization criteria, approximately 13-18%. Almost a 20% wrongful denial rate. When these MAOs get taxpayer money for a Medicare beneficiary and deny services, those tax dollars stay in the MAO’s pockets.

Although MAOs supposedly approve the vast majority of requests for services and payment, they issue millions of denials each year, and OIG’s audit of MAOs has highlighted widespread and persistent problems related to inappropriate denials of services and payment. As enrollment in Medicare Advantage continues to grow, MAOs play an increasingly critical role in ensuring that Medicare beneficiaries have access to medically necessary covered services and that providers are reimbursed appropriately.

According to the OIG report, MAOs denied prior authorization and payment requests that met Medicare coverage rules by: (1) using MAO clinical criteria that are not contained in Medicare coverage rules; (2) requesting unnecessary documentation; and (3) making manual review errors and system errors.

Personally, I am fed up with these private insurance companies denying services and keeping our tax dollars. It is about time the insurance companies are audited.

CMS Rulings Can Devastate a Provider, But Should It?

If you could light a torch to a Molotov Cocktail and a bunch of newspapers, you could not make a bigger explosion in my head than a recent Decision from a Medicare administrative law judge (“ALJ”). The extrapolation was upheld, despite an expert statistician citing its shortcomings, based on a CMS Ruling, which is neither law nor precedent. The Decision reminded me of the new Firestarter movie because everything is up in flames. Drew Barrymore would be proud.

I find it very lazy of the government to rely on sampling and extrapolations, especially in light of the fact that no witness testifies to their accuracy.

Because this ALJ relied so heavily on CMS Rulings, I wanted to do a little detective work as to whether CMS Rulings are binding or even law. First, I logged onto Westlaw to search for “CMS Ruling” in any case in any jurisdiction in America. Nothing. Not one case ever mentioned “CMS Ruling.” Ever. (Nor did my law school).

What Is a CMS Ruling?

A CMS Ruling is defined as, “decisions of the Administrator that serve as precedent final opinions and orders and statements of policy and interpretation. They provide clarification and interpretation of complex or ambiguous provisions of the law or regulations relating to Medicare, Medicaid, Utilization and Quality Control Peer Review, private health insurance, and related matters.”

But Are CMS Rulings Law?

No. CMS Rulings are not law. CMS Rulings are not binding on district court judges because district court judges are not part of HHS or CMS. However, the Medicare ALJs are considered part of HHS and CMS; thus the CMS Rulings are binding on Medicare ALJs.

This creates a dichotomy between the “real law” and agency rules. When you read CMS Ruling 86-1, it reads as if there are two parties with opposing views, both presented their arguments, and the Administrator made a ruling. The Administrator is not a Judge, but the Ruling reads like a court case. CMS Rulings are not binding on:

  1. The Supreme Court
  2. Appellate Courts
  3. The real world outside of CMS
  4. District Courts
  5. The Department of Transportation
  6. Civil Jurisprudence
  7. The Department of Education
  8. Etc. – You get the point.

So why are Medicare providers held subject to penalties based on CMS Rulings, when after the providers appeal their case to district court, that “rule” that was subjected against them (saying they owe $7 million) is rendered moot? Can we say – not fair, equitable, Constitutional, and flies in the face of due process?

The future does not look bright for providers going forward in defending overzealous, erroneous, and misplaced audits. These audits aren’t even backed up by witnesses – seriously, at the ALJ Medicare appeals, there is no statistician testifying to verify the results. Yet some of the ALJs are still upholding these audits.

In the “court case,” which resulted in CMS Ruling 86-1, the provider argued that:

  1. There is no legal authority in the Medicare statute or regulations for HCFA or its intermediaries to determine overpayments by projecting the findings of a sample of specific claims onto a universe of unspecified beneficiaries and claims.
  2. Section 1879 of the Social Security Act, 42 U.S.C. 1395pp, contemplates that medical necessity and custodial care coverage determinations will be made only by means of a case-by-case review.
  3. When sampling is used, providers are not able to bill individual beneficiaries not in the sample group for the services determined to be noncovered.
  4. Use of a sampling procedure violates the rights of providers to appeal adverse determinations.
  5. The use of sampling and extrapolation to determine overpayments deprives the provider of due process.

The CMS Ruling 86-1 was decided by Mr. Henry R. Desmarais, Acting Administrator, Health Care Financing Administration in 1986.

Think it should be upheld?

DME Providers Get Repose in RAC Audits

The Centers for Medicare & Medicaid Services (CMS) announced that they have modified the additional documentation request (ADR) limits for the Medicare Fee-for-Service Recovery Audit Contractor (RAC) program for suppliers. ADRs are the amount of documents that a RAC auditor can demand from you. This is a win for DME providers.

Currently, the RAC’s methodology is based on a total claim number by NPI without consideration for the number of claims in a particular product category. This means that suppliers can receive large volumes of RAC audits for a product category in which they do minimal business.

These new limits will be set by CMS on a regular basis to establish the maximum number of medical records that may be requested by a RAC, per 45-day period. These changes will be effective beginning April 1, 2022.

Each limit will be based on a given supplier’s volume of Medicare claims paid within a previous 12-month period, in a particular HCPCS policy group (The policy groups are available on the PDAC website). Limits will be based on the supplier’s Tax Identification Number (TIN). Limits will be set at 10% of all paid claims, by policy group, paid within a previous 12-month period, divided into eight periods (45 days). If you get more than the allowed ADRs, call them out. These limits are created to lessen the burden on providers.

Although a RAC may go more than 45 days between record requests, in no case shall a RAC make requests more frequently than every 45 days. Limits are based on paid claims, irrespective of individual lines, although credit/replacement pairs shall be considered a single claim.

For example:

  • Supplier A had 1,253 claims paid with HCPCS codes in the “surgical dressings” policy group, within a previous 12-month period. The supplier’s ADR limit would be (1,253 * 0.1) / 8 = 15.6625, or 16 ADRs, per 45 days, for claims with HCPCS codes in the “surgical dressings” policy group.
  • Supplier B had 955 claims paid with HCPCS codes in the “glucose monitor” policy group, within a previous 12-month period. The supplier’s ADR limit would be (955 * 0.1) / 8 = 11.9375 or 12 ADRs, per 45 days, for claims with HCPCS codes in the “glucose monitor” policy group.

CMS reserves the right to give a RAC permission to exceed these ADR limits. But that would be in instances of potential fraud.

Absent Auditors in Medicare Provider Appeals

(On a personal note, I apologize for how long it has been since my last blog. I was in an accident and spent 3 days in the ICU.)

I’d like to write today about the sheer absurdity about how these RAC, ZPIC, MAC, and other types of audits are being held against health care providers. When an auditor requests documents from a provider and opines that the provider owes a million dollars in alleged overpayments, I would expect that the auditor will show up before an independent tribunal to defend its findings. However, for so many of these Medicare provider appeals, the auditor doesn’t appear to defend its findings.

In my opinion, if the entity claiming that you owe money back to the government does not appear at the hearing, the provider should automatically prevail. A basic legal concept is that the accused should be able to confront its accuser.

I had depositions the last two weeks for a case that involved an opiate treatment program. The two main accusers were Optum and ID Medicaid. When Optum was deposed, they testified that Optum did not conduct the audit of the facility. When ID Medicaid was deposed, it contended that Optum did conduct the audit at issue.

When not one person can vouch for the veracity of an audit, it is ludicrous to force the provider to pay back anything. Auditors cannot hide behind smoke and mirrors. Auditors need to testify to the veracity of their audits.

To poke holes in Medicare audits, you need to know the rules. You wouldn’t play chess without knowing the rules. Various auditors have disparate look-back periods, which is the time frame the auditor is allowed to look back and review a claim. For example, RACs may only look back 3 years, whereas ZPICs have no specific look-back period, although I would argue that the older the claim, the less likely it is to be recouped. There is also the federal 48-month limit to look-backs absent accusations of fraud.

When appealing the outcome of a MAC or RAC audit, it is necessary for providers to have a specific reason for challenging the auditors’ determinations. Simply being dissatisfied or having generalized complaints about the process is not enough. Some examples of potential grounds for challenging a MAC or RAC determination on appeal include: 

  • Application of inapplicable Medicare billing rules
  • Misinterpretation of applicable Medicare billing rules 
  • Reliance on unsound auditing methodologies
  • Failure to seek an expert opinion 
  • Ignoring relevant information disclosed by the provider 
  • Exceeding the MAC’s or RAC’s scope of authority 

It is imperative that you arm yourself in defending a Medicare audit, but if the auditor fails to appear at any stage in litigation, then you should call foul and win on an “absent” technicality.

The Medicare Provider Appeals Backlog and LCDs May Not Be As Important as One Would Think!

It’s a miracle! HHS has reduced the Medicare appeals backlog at the Administrative Law Judge (“ALJ”) level[1] by 75%, which puts the department on track to clear the backlog by the end of the 2022 fiscal year. The department had 426,594 appeals bottlenecked on backlog. An audit from 2016 could get heard by an ALJ in 2021. However, movement has occurred.

According to the latest status report, HHS has 86,063 pending appeals remaining at the Office of Medicare Hearing and Appeals (“OMHA”).

In 2018, a federal Judge ruled in favor of the American Hospital Association (“AHA”) and its hospital Plaintiffs and Ordered HHS to eliminate the backlog of appeals by the end of FY 2022 and provided the department with a number of goals. According to the ruling, HHS had to reduce the backlog by 19 percent by the end of FY 2019, 49 percent by the end of FY 2020, and 75 percent by the end of FY 2021. Originally, the Order scheduled the timeframe for disseminating the backlog much shorter, but CMS claimed impossibility.

On another note, lately, I’ve seen a lot of supposed audit results based on local coverage determinations (“LCDs”) or policy manuals. This is unacceptable. In a January 4, 2022, decision from the NC Court of Appeals, the Court held that when a State agency implements an unpromulgated rule, the rule may not be enforced. Hendrixson v. Div. of Soc. Servs., 2022-NCCOA-10, ¶ 9. The Hendrixson case piggybacks the Supreme Court, which held that LCDs are unenforceable against providers. Azar v. Allina Health Services, 139 S. Ct. 1804, 204 L. Ed. 2d 139 (2019).

In Hendrixson v. Division of Social Services, the Court held that people eligible for Medicare Part B must apply and enroll and that if the applicant fails to enroll, Medicaid pays no portion of the costs for medical services that would have been covered by Medicare Part B. As you know, Medicare Part B provides coverage for certain hospital outpatient services, physician services, and services not covered by Part A. See Bruton, 134 N.C. App. at 42, 516 S.E.2d at 635; 42 U.S.C. § 1395k (2019); 42 C.F.R. § 407.2 (2020). Enrollment in Medicare Part B is generally not automatic, see 42 C.F.R. §§ 407.4-407.40 (2020), and requires the patient to pay insurance premiums to enroll, after which the federal government pays most of the reasonable costs, with patients paying the remaining cost and an annual deductible. See Bruton, 134 N.C. App. at 42, 516 S.E.2d at 635; 42 U.S.C. §§ 1395l, 1395r-1395s (2019); 42 C.F.R. § 407.2 (2020). “Together, the part B premiums, deductibles and coinsurance are generally referred to as ‘Part B cost-sharing.’” Bruton, 134 N.C. App. at 42, 516 S.E.2d at 635. At your hospital or health care entity, do you have someone dedicated to properly enrolling consumers into Medicare Part B? If not, you may want to consider it as a financial investment. Additionally, while you do not want to ignore the LCDs, the LCDs or Manuals cannot be a basis for any alleged recoupment or other sanction. As a general canon, any unpromulgated rule cannot be the basis of any penalty.


[1] The ALJ level is the third level in Medicare provider audits, but the first time that providers are allowed to present evidence to an independent tribunal.