Category Archives: RAC
Can Medicare/caid Auditors Double-Dip?
The issue today is whether health care auditors can double-dip. In other words, if a provider has two concurrent audits, can the audits overlap? Can two audits scrutinize one date of service (“DOS”) for the same consumer. It certainly doesn’t seem fair. Five years ago, CMS first compiled a list of services that the newly implemented RAC program was to audit. It’s been 5 years with the RAC program. What is it about the RAC program that stands out from the other auditor abbreviations?
We’re talking about Cotiviti and Performant Recovery; you know the players. The Recovery Audit Program’s mission is to reduce Medicare improper payments through the efficient detection and collection of overpayments, the identification of underpayments and the implementation of actions that will prevent future improper payments.

RACs review claims on a post-payment basis. The RACs detect and correct past improper payments so that CMS and Carriers, and MACs can implement actions that will prevent future improper payments.
RACs are also held to different regulations than the other audit abbreviations. 42 CFR Subpart F dictates the Medicaid RACs. Whereas the Medicare program is run by 42 CFR Subchapter B.
The auditors themselves are usually certified coders or LPNs.
As most of you know, I present on RACMonitor every week with a distinguished panel of experts. Last week, a listener asked whether 2 separate auditors could audit the same record. Dr. Ronald Hirsh’s response was: yes, a CERT can audit a chart that another reviewer is auditing if it is part of a random sample. I agree with Dr. Hirsh. When a random sample is taken, then the auditors, by definition, have no idea what claims will be pulled, nor would the CERT have any knowledge of other contemporaneous and overlapping audits. But what about multiple RAC audits? I do believe that the RACs should not overlap its own audits. Personally, I don’t like the idea of one claim being audited more than once. What if the two auditing companies make differing determinations? What if CERT calls a claim compliant and the RAC denies the claim? The provider surely should not pay back a claim twice.
I believe Ed Roche presented on this issue a few weeks ago, and he called it double-dipping.
This doesn’t seem fair. What Dr. Hirsh did not address in his response to the listener was that, even if a CERT is allowed to double-dip via the rules or policies, there could be case law saying otherwise.
I did a quick search on Westlaw to see if there were any cases where the auditor was accused of double-dipping. It was not a comprehensive search by any means, but I did not see any cases where auditors were accused of double-dipping. I did see a few cases where hospitals were accused of double-dipping by collecting DSH payments to cover costs that had already been reimbursed, which seems like a topic for another day.
The Importance of the Differences in SMRCs, RACs, and QIOs
The Centers for Medicare & Medicaid Services (“CMS”) has modified the additional documentation request (“ADR”) limits for the Medicare Fee-for-Service Recovery Audit Contractor (“RAC”) program for suppliers. Yet, one of our listeners informed me that CMS has found a “work around” from the RAC ADR limits. She said, “There is the nationwide Supplemental Medical Review Contractor (“SMRC”) audits and now nationwide Quality Improvement Organizations (“QIO”) contract audits. These contracts came about after the Congressional limits on number of audits by the RAC.” Dr. Hirsh retorted, “But SMRC and QIO are not paid contingency fee. So, they are “different” audits. RACs are evil; SMRC and QIO have a few redeeming qualities.” I completely agree with Dr. Hirsh. But her point is well taken – SMRCs and QIOs follow different rules than RACs, so of course the SMRCs and QIOs have distinct ADR limits.
This is similar to the lookback periods. The lookback period varies depending on the acronym: RAC, MAC, or UPIC. RACs’ lookback period is 3 years, yet other acronyms get longer periods. I think what Dr. Hirsh is saying is right, because RACs are paid by contingency instead of a contracted rate, we have to limit the RACs authority because they are already incentivized the find problems., plus they are allowed to extrapolate. The RACs already have too much leash.
So, what are the RAC ADR limits?
Well, interestingly they just changed in April 2022. These limits will be set by CMS on a regular basis to establish the maximum number of medical records that may be requested by a RAC, per 45-day period. Each limit will be based on a given supplier’s volume of Medicare claims paid within a previous 12-month period, in a particular Healthcare Common Procedure Coding System (HCPCS) policy group. The policy groups are available on the pricing, coding analysis, and coding (PDAC), website. Limits will be based on the supplier’s Tax Identification Number (TIN). Limits will be set at 10% of all paid claims, by policy group, paid within a previous 12-month period, divided into eight periods (45 days). Although a RAC may go more than 45 days between record requests, in no case shall a RAC make requests more frequently than every 45 days. Limits are based on paid claims, irrespective of individual lines, although credit/replacement pairs shall be considered a single claim.
I wanted to go into the SMRCs and QIOs’ ADR limits to see whether they are are following THEIR rules, but I’m out of time for today. I’ll research the SMRCs and QIOs ADR limits for next week and I will have an answer for you.
Senators Question RAC Audits!
I have presented on RACMonitor, I think, for 3 years. I’d have to ask Chuck Buck to be exact. Over the last three years, I have tried my best to get the message out – RAC Auditors do not know what they are doing. Always appeal the decisions. – I feel like on my blog and on RACMonitor I have screamed this message until I was blue in the face.
Apparently, a couple Senators have taken notice. Or their constituents complained enough. Senators Tim Scott and Rick Scott drafted a letter to the Comptroller of America. A comptroller is a “controller” of financial affairs for the Country. The comptroller is the police of our tax dollars.
A few months ago, Senators Tim and Rick Scott wrote the U.S. Comptroller and complained about RAC auditors.

It was a letter that was short and sweet. It asked three questions.
It asked:
- How have states used the Medicaid RAC program to address strategic program integrity needs, including audits of managed care, and what are the lessons learned?
- What steps do the states and the Centers for Medicare & Medicaid Services (CMS) take to coordinate state Medicaid RAC program audits and other program integrity efforts? This includes existing Medicaid integrity programs such as the Unified Program Integrity Contractors, Payment Error Rate Measurement program, state auditors and Medicaid Fraud Control Units.
- How do states and CMS oversee the Medicaid RAC program and what mechanisms are in place to appropriately refer suspected cases of fraud?
As for the first question, RACs do address strategic PI needs – the very reason for their existence is to detect supposed fraud, waste, and abuse (“FWA”) by Medicaid providers. I’d like to hear the Comptroller’s answer.
As for the second question, they asked whether the States and CMS coordinate State Medicaid RAC audits. I don’t really care if the States and CMS coordinate State Medicaid RAC audits. So, I don’t care whether I hear the Comptroller’s answer to this.
The third question – “how do States and CMS oversee the Medicaid RAC program and what mechanisms are in place to detect FWA by Medicaid providers?” – I want to know that answer! I can tell the Comptroller the answer. The RAC Auditors are not supervised or overseen. If they were, they would audit differently; not try to find errors in every single audit conducted.
Maybe it’s time to get our Senators involved. While we’re at it, let’s talk about the Medicare provider appeal process, which is broken.
Questions Answered about RAC Provider Audits
Today I’m going to answer a few inquiries about recovery audit contractor (“RAC”) audits from providers. A question that I get often is: “Do I have to submit the same medical records to my Medicare Administrative Contractor (“MAC”) that I submit to a RAC for an audit?” The answer is “No.” Providers are not required to submit medical records to the MAC if submitted to a RAC, but doing so is encouraged by most MACs. There is no requirement that you submit to the MAC what you submit to RACs. This makes sense because the MACs and the RACs have disparate job duties. One of the MACs, Palmetto, instructs providers to send records sent to a RAC directly to the Palmetto GBA Appeals Department. Why send the records for a RAC audit to a MAC appeals department? Are they forecasting your intentions? The instruction is nonsensical unless ulterior motives exist.
RAC audits are separate from mundane MAC issues. They are distinct. Quite frankly, your MAC shouldn’t even be aware of your audit. (Why is it their business?) Yet, many times I see the MACs cc-ed on correspondence. Often, I feel like it’s a conspiracy – and you’re not invited. You get audited, and everyone is notified. It’s as if you are guilty before any trial.
I also get this question for appeals – “Do I need to send the medical records again? I already sent them for the initial review. Why do I need to send the same documents for appeal?” I get it – making copies of medical records is time-consuming. It also costs money. Paper and ink don’t grow on trees. The answer is “Yes.” This may come as a shock, but sometimes documents are misplaced or lost. Auditors are humans, and mistakes occur. Just like, providers are humans, and 100% Medicare regulatory compliance is not required…people make mistakes; those mistakes shouldn’t cause financial ruin.
“Do the results of a RAC audit get sent to your MAC?” The answer is “Yes.” Penalties penalize you in the future. You have to disclose penalties, and the auditors can and will use the information against you. The more penalties you have paid in the past clear demonstrate that you suffer from abhorrent billing practices.
In fact, Medicare post-payment audits are estimated to have risen over 900 percent over the last five years. Medicare provider audits take money from providers and give to the auditors. If you are an auditor, you uncover bad results or you aren’t good at your job.
Politicians see audits as a financial win and a plus for their platform. Reducing fraud, waste, and abuse is a fantastic platform. Everyone gets on board, and votes increase.
Appealing your RAC audits is essential, but you have to understand that you won’t get a fair deal. The Medicare provider appeals process is an uphill battle for providers. And your MACs will be informed.
The first two levels, redeterminations and reconsiderations are, basically, rubber-stamps on the first determination.
The third level is the before an administrative law judge (ALJ), and is the first appeal level that is before an independent tribunal.
Moving to the False Claims Act, which is the ugly step-sister to regulatory non-compliance and overpayments. The government and qui tam relators filed 801 new cases in 2022. That number is down from the unprecedented heights reached in 2020 (when there were a record 922 new FCA cases), but is consistent with the pace otherwise set over the past decade, reflecting the upward trend in FCA activity by qui tam relators and the government since the 2009 amendments to the statute.
See the chart below for reference:

DME Providers Get Repose in RAC Audits
The Centers for Medicare & Medicaid Services (CMS) announced that they have modified the additional documentation request (ADR) limits for the Medicare Fee-for-Service Recovery Audit Contractor (RAC) program for suppliers. ADRs are the about of documents that a RAC auditor can demand from you. This is a win for DME providers.
Currently, the RAC’s methodology is based on a total claim number by NPI without consideration for the number of claims in a particular product category. This means that suppliers can receive large volumes of RAC audits for a product category in which they do minimal business.
These new limits will be set by CMS on a regular basis to establish the maximum number of medical records that may be requested by a RAC, per 45-day period. These changes will be effective beginning April 1, 2022.
Each limit will be based on a given supplier’s volume of Medicare claims paid within a previous 12-month period, in a particular HCPCS policy group (The policy groups are available on the PDAC website). Limits will be based on the supplier’s Tax Identification Number (TIN). Limits will be set at 10% of all paid claims, by policy group, paid within a previous 12-month period, divided into eight periods (45 days). If you get more than the allowed ADRs, call them out. These limits are created to lessen the burden on providers.
Although a RAC may go more than 45 days between record requests, in no case shall a RAC make requests more frequently than every 45 days. Limits are based on paid claims, irrespective of individual lines, although credit/replacement pairs shall be considered a single claim.
For example:
- Supplier A had 1,253 claims paid with HCPCS codes in the “surgical dressings” policy group, within a previous 12-month period. The supplier’s ADR limit would be (1,253 * 0.1) / 8 = 15.6625, or 16 ADRs, per 45 days, for claims with HCPCS codes in the “surgical dressings” policy group.
- Supplier B had 955 claims paid with HCPCS codes in the “glucose monitor” policy group, within a previous 12-month period. The supplier’s ADR limit would be (955 * 0.1) / 8 = 11.9375 or 12 ADRs, per 45 days, for claims with HCPCS codes in the “glucose monitor” policy group.
CMS reserves the right to give a RAC permission to exceed these ADR limits. But that would be in instances of potential fraud.
RAC Audit Update: Renewed Focus on the Two-Midnight Rule
In RAC news, on June 1, 2021, Cotiviti acquired HMS RAC region 4. Don’t be surprised if you see Cotiviti’s logo on RAC audits where you would have seen HMS. This change will have no impact in the day-to-day contract administration and audit timelines under CMS’ guidance. You will continue to follow the guidance in the alleged, improper payment notification letter for submission of medical documentation and discussion period request. In March 2021, CMS awarded Performant an 8.5 year contract to serve as the Region 1 RAC.
There really cannot be any deviations regardless the name of the RAC Auditor because this area is so regulated. Providers always have appeal rights regardless Medicare/caid RAC audits. Or any other type of audit. Medicaid RAC provider appeals are found in 42 CFR 455.512. Whereas Medicare provider redeterminations and the 5 levels of appeal are found in 42 CFR Subpart I. The reason that RAC audits are spoken about so often is that the Code of Federal Regulations applies different rules for RAC audits versus MAC, TPE, UPIC, or other audits. The biggest difference is that RAC auditors are limited to a 3 year look back period according to 42 CFR 455.508. Other auditors do not have that same limitation and can look back for longer periods of time. Of course, whenever “credible allegations of fraud” is involved, the lookback period can be for 10 years.
The federal regulations also allow States to request exceptions from the Medicaid RAC program. CMS mandates every State to participate in the RAC program. But there is a federal reg §455.516 that allows exceptions. To my knowledge, no State has requested exceptions out of the RAC Audit program.
RAC auditors have announced a renewed focus on the two-midnight rule for hospitals. Again. This may seem like a rerun and it is. You recall around 2012, RACs began noticing high rates of error with respect to patient status in certain short-stay Medicare claims submitted for inpatient hospital services. CMS and the RACs indicated the inpatient care setting was medically unnecessary, and the claims should have been billed as outpatient instead. Remember, for stays under 2 midnights, inpatient status may be used in rare and unusual exceptions and may be payable under Medicare Part A on a case-by-case basis.
Post-COVID (ish) RAC Audits – Temporary Restrictions
2020 was an odd year for recovery audit contractor (“RAC”) and Medicare Administrative Contractors (“MAC”) audits. Well, it was an odd year for everyone. After trying five virtual trials, each one with up to 23 witnesses, it seems that, slowly but surely, we are getting back to normalcy. A tell-tale sign of fresh normalcy is an in-person defense of health care regulatory audits. I am defending a RAC audit of pediatric facility in Georgia in a couple weeks and the clerk of court said – “The hearing is in person.” Well, that’s new. Even when we specifically requested a virtual trial, we were denied with the explanation that GA is open now. The virtual trials are cheaper and more convenient; clients don’t have to pay for hotels and airlines.
In-person hearings are back – at least in most states. We have similar players and new restrictions.
On March 16, 2021, CMS announced that it will temporarily restrict audits to March 1, 2020, and before. Medicare audits are not yet dipping its metaphoric toes into the shark infested waters of auditing claims with dates of service (“DOS”) March 1 – today. This leaves a year and half time period untouched. Once the temporary hold is lifted, audits of 2020 DOS will be abound. March 26, 2021, CMS awarded Performant Recovery, Inc., the incumbent, the new RAC Region 1 contract.
RAC’s review claims on a post-payment and/or pre-payment basis. (FYI – You would rather a post payment review rather than a pre – I promise).
The RACs were created to detect fraud, waste, and abuse (“FWA”) by reviewing medical records. Any health care provider – not matter how big or small – are subject to audits at the whim of the government. CMS, RACs, MCOs, MACs, TPEs, UPICs, and every other auditing company can implement actions that will prevent future improper payments, as well. As we all know, RACs are paid on a contingency basis. Approximately, 13%. When the RACs were first created, the RACs were compensated based on accusations of overpayments, not the amounts that were truly owed after an independent tribunal. As any human could surmise, the contingency payment creates an overzealousness that can only be demonstrated by my favorite case in my 21 years – in New Mexico against Public Consulting Group (“PCG”). A behavioral health care (“BH”) provider was accused of over $12 million overpayment. After we presented before the administrative law judge (“ALJ”) in NM Administrative Court, the ALJ determined that we owed $896.35. The 99.23% reduction was because of the following:
- Faulty Extrapolation: NM HSD’s contractor PCG reviewed approximately 150 claims out of 15,000 claims between 2009 and 2013. Once the error rate was defined as high as 92%, the base error equaled $9,812.08; however the extrapolated amount equaled over $12 million. Our expert statistician rebutted the error rate being so high. Once the extrapolation is thrown out, we are now dealing with much more reasonable amounts – only $9k
- Attack the Clinical Denials: The underlying, alleged overpayment of $9,812.08 was based on 150 claims. We walked through the 150 claims that PCG claimed were denials and proved PCG wrong. Examples of their errors include denials based on lack of staff credentialing, when in reality, the auditor could not read the signature. Other denials were erroneously denied based the application of the wrong policy year.
The upshot is that we convinced the judge that PCG was wrong in almost every denial PCG made. In the end, the Judge found we owed $896.35, not $12 million. Little bit of a difference! We appealed.
Medicare Appeal Backlog Dissolves and SMRC Audits Escalate
I have good news and bad news today. I have chosen to begin with the good news. The ALJ backlog will soon be no more. Yes, the 4-6 years waiting period between the second and third level will, by sometime in 2021, be back to 90 days, with is the statutory requirement. What precipitated this drastic improvement? Money. This past year, CMS’ budget increased exponentially, mostly due to the Medicare appeals backlog. OMHA was given enough dough to hire 70 additional ALJs and to open six additional locations. That brings the number of ALJs ruling over provider Medicare appeals to over 100. OMHA now has the capability to hear and render decisions for approximately 300,000 appeals per year. This number is drastically higher than the number of Medicare appeals being filed. The backlog will soon be nonexistent. This is fantastic for all providers because, while CMS will continue to recoup the alleged overpayment after the 2nd level, the providers will be able to have its case adjudicated by an ALJ much speedier.
Now the bad news. Remember when the RAC program was first implemented and the RACs were zealously auditing, which is the reason that the backlog exists in the first place. RACs were given free rein to audit whichever types of service providers they chose to target. Once the backlog was out of hand, CMS restricted the RACs. They only allowed a 3 year lookback period when other auditors can go back 6 years, like the SMRC audits. CMS also mandated that the RACs slow down their number of audits and put other restrictions on RACs. Now that OMHA has the capacity to adjudicate 300,000 Medicare appeals per year, expect that those reins that have been holding the RACs back will by 2021 or 2022 be fully loosened for a full gallop.
Switching gears: Two of the lesser known audits that are exclusive to the CMS are the Supplemental Medical Review Contractor (“SMRC”) and the Targeted Probe and Educate (“TPE”) audits. Exclusivity to CMS just means that Medicare claims are reviewed, not Medicaid.
The SMRCs, in particular, create confusion. We have seen DME SMRC audits on ventilator claims, which are extremely document intensive. You can imagine the high amounts of money at issue because, for ventilators, many people require them for long periods of time. Sometimes there can 3000 claim lines for a ventilator claim. These SMRC audits are not extrapolated, but the amount in controversy is still high. SMRCs normally request the documents for 20-40 claims. It is a one-time review. It’s a post payment review audit. It doesn’t sound that bad until you receive the request for documents of 20-40 claims, all of which contain 3000 claim lines and you have 45 days to comply.
Lastly, in a rare act, CMS has inquired as whether provider prefer TPE audits or continue with post payment review audits for the remainder of the pandemic. If you have a strong opinion one way or the other, be sure to contact CMS.
Beware the Ides of March! And Medicare Provider Audits!
Hello! And beware the Ides of March, which is today! I am going to write today about the state of audits today. When I say Medicare and Medicaid audits, I mean, RACs, MACs, ZPICs, UPICs, CERTs, TPEs, and OIG investigations from credible allegations of fraud. Without question, the new Biden administration will be concentrating even more on fraud, waste, and abuse germane to Medicare and Medicaid. This means that auditing companies, like Public Consulting Group (“PCG”) and National Government Services (“NGS”) will be busy trying to line their pockets with Medicare dollars. As for the Ides, it is especially troubling in March, especially if you are Julius Caesar. “Et tu, Brute?”
One of the government’s most powerful tool is the federal government’s zealous use of 42 CFR 455.23, which states that “The State Medicaid agency must suspend all Medicaid payments to a provider after the agency determines there is a credible allegation of fraud for which an investigation is pending under the Medicaid program against an individual or entity unless the agency has good cause to not suspend payments or to suspend payment only in part.” (emphasis added). That word – “must” – was revised from “may” in 2011, part of the Affordable Care Act (“ACA”).
A “credible allegation” is defined as an indicia of reliability, which is a low bar. Very low.
Remember back in 2013 when Ed Roche and I were reporting on the New Mexico behavioral health care cluster? To remind you, the State of NM accused 15 BH health care providers, which constituted 87.5% of the BH providers in NM, of credible allegations of fraud after the assistant AG, at the time, Larry Heyeck, had just published a legal article re “Credible Allegations of Fraud.” See blog and blog. Unsurprisingly, the suicide rate and substance abuse skyrocketed. There was even a documentary “The Shake-Up” about the catastrophic events in NM set off by the findings of PCG.

I was the lawyer for the three, largest entities and litigated four administrative appeals. If you recall, for Teambuilders, PCG claimed it owed over $12 million. After litigation, an ALJ decided that Teambuilders owed $836.35. Hilariously, we appealed. While at the time, PCG’s accusations put the company out of business, it has re-opened its doors finally – 8 years later. This is how devastating a regulatory audit can be. But congratulations, Teambuilders, for re-opening.
Federal law mandates that during the appeal of a Medicare audit at the first two levels: the redetermination and reconsideration, that no recoupment occur. However, after the 2nd level and you appeal to the ALJ level, the third level, the government can and will recoup unless you present before a judge and obtain an injunction.
Always expect bumps along the road. I have two chiropractor clients in Indiana. They both received notices of alleged overpayments. They are running a parallel appeal. Whatever we do for one we have to do for the other. You would think that their attorneys’ fees would be similar. But for one company, NGS has preemptively tried to recoup THREE times. We have had to contact NGS’ attorney multiple times to stop the withholds. It’s a computer glitch supposedly. Or it’s the Ides of March!