Blog Archives

Can Medicare/caid Auditors Double-Dip?

The issue today is whether health care auditors can double-dip. In other words, if a provider has two concurrent audits, can the audits overlap? Can two audits scrutinize one date of service (“DOS”) for the same consumer. It certainly doesn’t seem fair. Five years ago, CMS first compiled a list of services that the newly implemented RAC program was to audit. It’s been 5 years with the RAC program. What is it about the RAC program that stands out from the other auditor abbreviations?

We’re talking about Cotiviti and Performant Recovery; you know the players. The Recovery Audit Program’s mission is to reduce Medicare improper payments through the efficient detection and collection of overpayments, the identification of underpayments and the implementation of actions that will prevent future improper payments.

RACs review claims on a post-payment basis. The RACs detect and correct past improper payments so that CMS and Carriers, and MACs can implement actions that will prevent future improper payments.

RACs are also held to different regulations than the other audit abbreviations. 42 CFR Subpart F dictates the Medicaid RACs. Whereas the Medicare program is run by 42 CFR Subchapter B.

The auditors themselves are usually certified coders or LPNs.

As most of you know, I present on RACMonitor every week with a distinguished panel of experts. Last week, a listener asked whether 2 separate auditors could audit the same record. Dr. Ronald Hirsh’s response was: yes, a CERT can audit a chart that another reviewer is auditing if it is part of a random sample. I agree with Dr. Hirsh. When a random sample is taken, then the auditors, by definition, have no idea what claims will be pulled, nor would the CERT have any knowledge of other contemporaneous and overlapping audits. But what about multiple RAC audits? I do believe that the RACs should not overlap its own audits. Personally, I don’t like the idea of one claim being audited more than once. What if the two auditing companies make differing determinations? What if CERT calls a claim compliant and the RAC denies the claim? The provider surely should not pay back a claim twice.

I believe Ed Roche presented on this issue a few weeks ago, and he called it double-dipping.

This doesn’t seem fair. What Dr. Hirsh did not address in his response to the listener was that, even if a CERT is allowed to double-dip via the rules or policies, there could be case law saying otherwise.

I did a quick search on Westlaw to see if there were any cases where the auditor was accused of double-dipping. It was not a comprehensive search by any means, but I did not see any cases where auditors were accused of double-dipping. I did see a few cases where hospitals were accused of double-dipping by collecting DSH payments to cover costs that had already been reimbursed, which seems like a topic for another day.

The Importance of the Differences in SMRCs, RACs, and QIOs

The Centers for Medicare & Medicaid Services (“CMS”) has modified the additional documentation request (“ADR”) limits for the Medicare Fee-for-Service Recovery Audit Contractor (“RAC”) program for suppliers. Yet, one of our listeners informed me that CMS has found a “work around” from the RAC ADR limits. She said, “There is the nationwide Supplemental Medical Review Contractor (“SMRC”) audits and now nationwide Quality Improvement Organizations (“QIO”) contract audits. These contracts came about after the Congressional limits on number of audits by the RAC.” Dr. Hirsh retorted, “But SMRC and QIO are not paid contingency fee. So, they are “different” audits. RACs are evil; SMRC and QIO have a few redeeming qualities.” I completely agree with Dr. Hirsh. But her point is well taken – SMRCs and QIOs follow different rules than RACs, so of course the SMRCs and QIOs have distinct ADR limits.

This is similar to the lookback periods. The lookback period varies depending on the acronym: RAC, MAC, or UPIC. RACs’ lookback period is 3 years, yet other acronyms get longer periods. I think what Dr. Hirsh is saying is right, because RACs are paid by contingency instead of a contracted rate, we have to limit the RACs authority because they are already incentivized the find problems., plus they are allowed to extrapolate. The RACs already have too much leash.

So, what are the RAC ADR limits?

Well, interestingly they just changed in April 2022. These limits will be set by CMS on a regular basis to establish the maximum number of medical records that may be requested by a RAC, per 45-day period. Each limit will be based on a given supplier’s volume of Medicare claims paid within a previous 12-month period, in a particular Healthcare Common Procedure Coding System (HCPCS) policy group. The policy groups are available on the pricing, coding analysis, and coding (PDAC), website. Limits will be based on the supplier’s Tax Identification Number (TIN). Limits will be set at 10% of all paid claims, by policy group, paid within a previous 12-month period, divided into eight periods (45 days). Although a RAC may go more than 45 days between record requests, in no case shall a RAC make requests more frequently than every 45 days. Limits are based on paid claims, irrespective of individual lines, although credit/replacement pairs shall be considered a single claim.

I wanted to go into the SMRCs and QIOs’ ADR limits to see whether they are are following THEIR rules, but I’m out of time for today. I’ll research the SMRCs and QIOs ADR limits for next week and I will have an answer for you.

Senators Question RAC Audits!

I have presented on RACMonitor, I think, for 3 years. I’d have to ask Chuck Buck to be exact. Over the last three years, I have tried my best to get the message out – RAC Auditors do not know what they are doing. Always appeal the decisions. – I feel like on my blog and on RACMonitor I have screamed this message until I was blue in the face.

Apparently, a couple Senators have taken notice. Or their constituents complained enough. Senators Tim Scott and Rick Scott drafted a letter to the Comptroller of America. A comptroller is a “controller” of financial affairs for the Country. The comptroller is the police of our tax dollars.

A few months ago, Senators Tim and Rick Scott wrote the U.S. Comptroller and complained about RAC auditors.

It was a letter that was short and sweet. It asked three questions.

It asked:

  1. How have states used the Medicaid RAC program to address strategic program integrity needs, including audits of managed care, and what are the lessons learned?
  2. What steps do the states and the Centers for Medicare & Medicaid Services (CMS) take to coordinate state Medicaid RAC program audits and other program integrity efforts? This includes existing Medicaid integrity programs such as the Unified Program Integrity Contractors, Payment Error Rate Measurement program, state auditors and Medicaid Fraud Control Units.
  3. How do states and CMS oversee the Medicaid RAC program and what mechanisms are in place to appropriately refer suspected cases of fraud?

As for the first question, RACs do address strategic PI needs – the very reason for their existence is to detect supposed fraud, waste, and abuse (“FWA”) by Medicaid providers. I’d like to hear the Comptroller’s answer.

As for the second question, they asked whether the States and CMS coordinate State Medicaid RAC audits. I don’t really care if the States and CMS coordinate State Medicaid RAC audits. So, I don’t care whether I hear the Comptroller’s answer to this.

The third question – “how do States and CMS oversee the Medicaid RAC program and what mechanisms are in place to detect FWA by Medicaid providers?” –  I want to know that answer! I can tell the Comptroller the answer. The RAC Auditors are not supervised or overseen. If they were, they would audit differently; not try to find errors in every single audit conducted.

Maybe it’s time to get our Senators involved. While we’re at it, let’s talk about the Medicare provider appeal process, which is broken.

Questions Answered about RAC Provider Audits

Today I’m going to answer a few inquiries about recovery audit contractor (“RAC”) audits from providers. A question that I get often is: “Do I have to submit the same medical records to my Medicare Administrative Contractor (“MAC”) that I submit to a RAC for an audit?” The answer is “No.” Providers are not required to submit medical records to the MAC if submitted to a RAC, but doing so is encouraged by most MACs. There is no requirement that you submit to the MAC what you submit to RACs. This makes sense because the MACs and the RACs have disparate job duties. One of the MACs, Palmetto, instructs providers to send records sent to a RAC directly to the Palmetto GBA Appeals Department. Why send the records for a RAC audit to a MAC appeals department? Are they forecasting your intentions? The instruction is nonsensical unless ulterior motives exist.

RAC audits are separate from mundane MAC issues. They are distinct. Quite frankly, your MAC shouldn’t even be aware of your audit. (Why is it their business?) Yet, many times I see the MACs cc-ed on correspondence. Often, I feel like it’s a conspiracy –  and you’re not invited. You get audited, and everyone is notified. It’s as if you are guilty before any trial.

I also get this question for appeals – “Do I need to send the medical records again? I already sent them for the initial review. Why do I need to send the same documents for appeal?” I get it – making copies of medical records is time-consuming. It also costs money. Paper and ink don’t grow on trees. The answer is “Yes.” This may come as a shock, but sometimes documents are misplaced or lost. Auditors are humans, and mistakes occur. Just like, providers are humans, and 100% Medicare regulatory compliance is not required…people make mistakes; those mistakes shouldn’t cause financial ruin.

“Do the results of a RAC audit get sent to your MAC?” The answer is “Yes.” Penalties penalize you in the future. You have to disclose penalties, and the auditors can and will use the information against you. The more penalties you have paid in the past clear demonstrate that you suffer from abhorrent billing practices.

In fact, Medicare post-payment audits are estimated to have risen over 900 percent over the last five years. Medicare provider audits take money from providers and give to the auditors. If you are an auditor, you uncover bad results or you aren’t good at your job.

Politicians see audits as a financial win and a plus for their platform. Reducing fraud, waste, and abuse is a fantastic platform. Everyone gets on board, and votes increase.

Appealing your RAC audits is essential, but you have to understand that you won’t get a fair deal. The Medicare provider appeals process is an uphill battle for providers. And your MACs will be informed.

The first two levels, redeterminations and reconsiderations are, basically, rubber-stamps on the first determination.

The third level is the before an administrative law judge (ALJ), and is the first appeal level that is before an independent tribunal.

Moving to the False Claims Act, which is the ugly step-sister to regulatory non-compliance and overpayments. The government and qui tam relators filed 801 new cases in 2022.  That number is down from the unprecedented heights reached in 2020 (when there were a record 922 new FCA cases), but is consistent with the pace otherwise set over the past decade, reflecting the upward trend in FCA activity by qui tam relators and the government since the 2009 amendments to the statute.

See the chart below for reference:

Audit the Medicare Payors…It’s Not Always the Providers That Commit Fraud

Today, I am going to write about America’s managed care problem. We always talk about providers getting audited. It is about time that the payors get audited. In particular, for Medicaid, States contract with managed care organizations, which are prepaid, and, for Medicare, Medicare Advantage companies, which are prepaid.

Managed care in Medicare is MA organizations. Managed care in Medicaid is MCOs. These MCOs and MAs need to be held accountable for the misuse of funds.

Today, capitated, managed care is the dominant way in which states deliver services to Medicaid enrollees. And MA is becoming the dominant way to receive Medicare.

Under these prepaid programs, these private companies are paid a flat fee per month depending on the number of consumers to provide whatever care is required for patients based on age, gender, geography and health risk factors. The more diagnoses a person has, the more the company is prepaid. To compensate plans and providers for potential costs of care for individual patients with long-term conditions such as diabetes, heart disease or cancer, Medicare boosts the monthly payment to Medicare Advantage plans under a “risk adjustment” for each additional condition. The system differs from the traditional “fee for service” payment, in which Medicare pays hospitals and doctors directly each time they provide a service.

If companies add more risk adjustment codes to a Medicare Advantage beneficiary’s medical record to receive higher payment — but don’t spend money on the additional care — they make more money. Same as MCOs denying care or terminating providers, the tax dollars line the executive pockets instead of reimbursing providers for providing medically necessary care.

Maybe the answer is remaining with the fee-for service model. Prepaying entities creates a financial incentive to bolster beneficiaries’ health problems then cross your fingers that the health problems never come to fruition either because the beneficiary remains healthy or the health problem was fabricated.

MCOs and MA companies must be supervised by the single agency. These companies cannot have the ability to refuse medically necessary services or terminate provider at will for whatever reason with no repercussions. It’s not fair to the recipients or providers. Maybe it’s time to switch our telescopic lens from auditing providers to auditing MCOs and MAs.  Let’s get these RAC, ZPIC, and TPE auditors focused on the stewards of our tax dollars, the prepaid entities.

42 CFR §431.10 dictates a single state agency for Medicaid, which is the Department in each State. CMS is the single agency in Medicare. CMS and State Departments are ultimately responsible for the private MCOs and MAs, but really are allowing these companies autonomy to the deficit of our tax dollars.

If you recall, earlier this year, The American Hospital Association urged the Justice Department to use its authority under the False Claims Act to create a fraud task force to investigate commercial insurers that routinely deny patients access to services. This was due to the April 2022 OIG report that “Some Medicare Advantage Organization Denials of Prior Authorization Requests Raise Concerns about Beneficiary Access to Medically Necessary Care.”

Instead of audits of providers or concurrently in audits of providers, we need to audit the payors. Both MCOs and MAs. What’s good for the goose is good for the gander.

DME Providers Get Repose in RAC Audits

The Centers for Medicare & Medicaid Services (CMS) announced that they have modified the additional documentation request (ADR) limits for the Medicare Fee-for-Service Recovery Audit Contractor (RAC) program for suppliers. ADRs are the about of documents that a RAC auditor can demand from you. This is a win for DME providers.

Currently, the RAC’s methodology is based on a total claim number by NPI without consideration for the number of claims in a particular product category. This means that suppliers can receive large volumes of RAC audits for a product category in which they do minimal business.

These new limits will be set by CMS on a regular basis to establish the maximum number of medical records that may be requested by a RAC, per 45-day period. These changes will be effective beginning April 1, 2022

Each limit will be based on a given supplier’s volume of Medicare claims paid within a previous 12-month period, in a particular HCPCS policy group (The policy groups are available on the PDAC website). Limits will be based on the supplier’s Tax Identification Number (TIN). Limits will be set at 10% of all paid claims, by policy group, paid within a previous 12-month period, divided into eight periods (45 days). If you get more than the allowed ADRs, call them out. These limits are created to lessen the burden on providers.

Although a RAC may go more than 45 days between record requests, in no case shall a RAC make requests more frequently than every 45 days. Limits are based on paid claims, irrespective of individual lines, although credit/replacement pairs shall be considered a single claim.

            For example:

  • Supplier A had 1,253 claims paid with HCPCS codes in the “surgical dressings” policy group, within a previous 12-month period. The supplier’s ADR limit would be (1,253 * 0.1) / 8 = 15.6625, or 16 ADRs, per 45 days, for claims with HCPCS codes in the “surgical dressings” policy group.
  • Supplier B had 955 claims paid with HCPCS codes in the “glucose monitor” policy group, within a previous 12-month period. The supplier’s ADR limit would be (955 * 0.1) / 8 = 11.9375 or 12 ADRs, per 45 days, for claims with HCPCS codes in the “glucose monitor” policy group.

CMS reserves the right to give a RAC permission to exceed these ADR limits. But that would be in instances of potential fraud.

Absent Auditors in Medicare Provider Appeals

(On a personal note, I apologize for how long since it has been my last blog. I was in an accident and spent 3 days in the ICU.)

I’d like to write today about the sheer absurdity about how these RAC, ZPIC, MAC, and other types of audits are being held against health care providers. When an auditor requests documents from a provider and opines that the provider owes a million dollars in alleged overpayments, I would expect that the auditor will show up before an independent tribunal to defend its findings. However, for so many of these Medicare provider appeals, the auditor doesn’t appear to defend its findings.

In my opinion, if the entity claiming that you owe money back to the government does not appear at the hearing, the provider should automatically prevail. A basic legal concept is that the accused should be able to confront its accuser.

I had depositions the last two weeks for a case that involved an opiate treatment program. The two main accusers were Optum and ID Medicaid. When Optum was deposed, they testified that Optum did not conduct the audit of the facility. When ID Medicaid was deposed, it contended that Optum did conduct the audit at issue.

When not one person can vouch for the veracity of an audit, it is ludicrous to force the provider to pay back anything. Auditors cannot hide behind smoke and mirrors. Auditors need to testify to the veracity of their audits.

To poke holes in Medicare audits, you need to know the rules. You wouldn’t play chess without knowing the rules. Various auditor have disparate look-back period, which is the time frame the auditor is allowed to look back and review a claim. For example, RACs may only look back 3 years. Whereas ZPICs have no specific look back period, although I would argue that the older the claim, the less likely it is to be recouped. There is also the federal 48-month limit to look backs absent accusations of fraud.

When appealing the outcome of a MAC or RAC audit, it is necessary for providers to have a specific reason for challenging the auditors’ determinations. Simply being dissatisfied or having generalized complaints about the process is not enough. Some examples of potential grounds for challenging a MAC or RAC determination on appeal include: 

  • Application if inapplicable Medicare billing rules 
  • Misinterpretation of applicable Medicare billing rules 
  • Reliance on unsound auditing methodologies
  • Failure to seek an expert opinion 
  • Ignoring relevant information disclosed by the provider 
  • Exceeding the MAC’s or RAC’s scope of authority 

It is imperative that you arm yourself in defending a Medicare audit, but if the auditor fails to appear at any stage in litigation, then you should call foul and win on a “absent” technicality.

New Report Points to More Audits of Hospitals

Hospitals across the nation are seeing lower profits, and it’s all because of a sudden, tsunami of Medicare and Medicaid provider audits. Whether it be RAC, MAC, UPIC, or Program Integrity, hospital audits are rampant. Billing errors, especially ‘supposed bundling,’ are causing a high rate of insurance claims denials, hurting the finances of hospitals and providers.

A recent report from American Hospital Association (AHA) found “Under an optimistic scenario, hospitals would lose $53 billion in revenue this year. Under a more pessimistic scenario, hospitals would lose $122 billion thanks to a $64 billion decline in outpatient revenue”*[1]

The “Health Care Auditing and Revenue Integrity—2021 Benchmarking and Trends Report” is an insider’s look at billing and claims issues but reveals insights into health care costs trends and why administrative issues continue to play an outsize role in the nation’s high costs in this area. The data used covers 900+ facilities, 50,000 providers, 1500 coders, and 700 auditors – what could go wrong?

According to the report,

  • 40% of COVID-19-related charges were denied and 40% of professional outpatient audits for COVID-19 and 20% of hospital inpatient audits failed.
  • Undercoding poses a significant revenue risk, with audits indicating the average value of underpayment is $3,200 for a hospital claim and $64 for a professional claim.
  • Overcoding remains problematic, with Medicare Advantage plans and payers under scrutiny for expensive inpatient medical necessity claims, drug charges, and clinical documentation to justify the final reimbursement.
  • Missing modifiers resulted in an average denied amount of $900 for hospital outpatient claims, $690 for inpatient claims, and $170 for professional claims.
  • 33% of charges submitted with hierarchical condition category (HCC) codes were initially denied by payers, highlighting increased scrutiny of complex inpatient stays and higher financial risk exposure to hospitals.

The top fields being audited were diagnoses, present on admission indicator, diagnosis position, CPT/HCPCS coding, units billed, and date of service. The average outcome from the audits was 70.5% satisfactory. So, as a whole, they got a ‘C’.

While this report did not in it of itself lead to any alleged overpayments and recoupments, guess who else is reading this audit and salivating like Pavlov’s dogs? The RACs, MACs, UPICs, and all other alphabet soup auditors. The 900 facilities and 50,000 health care providers need to be prepared for audits with consequences. Get those legal defenses ready!!!!


[1] * https://www.fiercehealthcare.com/hospitals/kaufman-hall-hospitals-close-between-53-and-122b-year-due-to-pandemic

TPE and Prepay Audits: Speak Softly, But Carry a Big Stick

Audits have now resumed to 100% capacity – or even 150% capacity. All audits that were suspended during COVID are reinstated. As you all know, RAC and MAC audits were reinstated back in August. CMS announced that Targeted Probe and Educate (TPE) audits would resume on Sept. 1, 2021. Unlike RAC audits, the stated goal of TPE audits is to help providers reduce claim denials and appeals with one-on-one education, focused on the documentation and coding of the services they provide. However, do not let the stated mission fool you. Failing a TPE audit can result in onerous actions such as 100 percent prepay review, extrapolation, referral to a RAC, or other action, a carefully crafted response to a TPE audit is critical. TPEs can be prepay or post-pay.

Speaking of prepayments, these bad babies are back in full swing. CareSource is one of the companies contracted with CMS to conduct prepayment reviews and urgent care centers seem to be a target. Prepayment review is technically and legally not a penalty; therefore being placed on prepayment review is not appealable. But do not believe these legalities – prepay is Draconian in nature and puts many providers out of business, especially if they fail to seek legal counsel immediately and believe that they will pass without any problem. When it comes to prepay, believing that everything will be ok, is a death trap. Instead get a big stick.

            42 CFR §447.45 requires 90% of clean claims to be paid to a provider within 30 days of receipt. 99% must be paid within 90 days. The same regulations mandate the agency to conduct prepayment review of claims to ensure that the claims are not duplicative, the consumer is eligible for Medicare, or that the number of visits and services delivered are logically consistent with the beneficiary’s characteristics and circumstances, such as type of illness, age, sex, and service location. This standard prepayment review is dissimilar from a true prepayment review.

            Chapter 3 of the Medicare Program Integrity Manual lays out the rules for a prepayment review audit. The Manual states that MACs shall deal with serious problems using the most substantial administrative actions available, such as 100 percent prepayment review of claims. Minor or isolated inappropriate billing shall be remediated through provider notification or feedback with reevaluation after notification. The new prepay review rules comments closed 9/13/21, so it will take effect soon.

            If a 100% prepay is considered the most substantial administrative action, then why is it not considered an appealable sanction? I have, however, been successful in obtaining an injunction enjoining the suspension of payments without appealing being placed on prepay.

When requesting documentation for prepayment review, the MACs and UPICs shall notify providers when they expect documentation to be received. It is normally 30-days. The Manual does not allow for time extensions to providers who need more time to comply with the request. Reviewers shall deny claims when the requested documentation to support payment is not received by the expected timeframe. Any audit, but especially prepay audits can lead to termination under 42 CFR §424.535. You may choose to speak softly, but always carry a big stick.

Instead of Orange, Medicare Advantage Audits Are the New Black

In case you didn’t know, instead of orange, Medicare Advantage is the new black. Since MA plans are paid more for sicker patients, there are huge incentives to fabricate co-morbidities that may or may not exist.

Medicare Advantage will be the next most audited arena. Home health, BH, and the two-midnight rule had held the gold medal for highest number of audits, but MA will soon prevail.

As an example, last week- a New York health insurance plan for seniors, along with amedical analytics company the insurer is affiliated with, was accused by the Justice Department of committing health care fraud to the tune of tens of millions of dollars. The dollar amounts are exceedingly high, which also attracts auditors, especially the auditors who are paid on contingency fee, which is almost all the auditors.

CMS pays Medicare Advantage plans using a complex formula called a “risk score,” which is intended to render higher rates for sicker patients and less for those in good health. The data mining company combed electronic medical records to identify missed diagnoses — pocketing up to 20% of new revenue it generated for the health plan. But the Department of Justice alleges that DxID’s reviews triggered “tens of millions” of dollars in overcharges when those missing diagnoses were filled in with exaggerations of how sick patients were or with charges for medical conditions the patients did not have. “All problems are boring until they’re your own.” – Red

MA plans have grown to now cover more than 40% of all Medicare beneficiaries, so too has fraud and abuse. A 2020 OIG report found that MA paid $2.6 billion a year for diagnoses unrelated to any clinical services.

Diagnoses fraud is the main issue that auditors are focusing on. Juxtapose the other alphabet soup auditors – MACs, SMRCs, UPICs, ZPICs, MCOs, TPEs, RACs – they concentrate on documentation nitpicking. I had a client accused of FWA for using purple ink. “Yeah I said stupid twice, only to emphasize how stupid that is!” – Pennsatucky. Other examples include purported failing of writing the times “in or out” when the CPT code definition includes the amount of time.

Audits will be ramping up, especially since HHS has reduced the Medicare appeals backlog at the Administrative Judge Level by 79 percent, which puts the department on track to clear the backlog by the end of the 2022 fiscal year.

 As of June 30, 2021, the end of the third quarter of FY 2021, HHS had 86,063 pending appeals remaining at OMHA, according to the latest status report, acquired by the American Hospital Association. The department started with 426,594 appeals. This is progress!!