Navigating the Many Different Types of Medical Record Audit

Various external audits are performed by government and private entities to assess the cost-effectiveness and quality of care for various provider services. The many types of audits and sources they come from can get confusing – see below for a breakdown of the many types of audits and what to expect when responding.

Commercial Payer Audits

These audits are conducted by private insurance companies and Medicare Advantage plans. All submitted claims information is analyzed to determine accuracy and look for signs of fraud or abuse. Commercial payers have gotten quite sophisticated at analyzing trends, comparative data, and looking for outliers. If a provider is showing a pattern of claims outside of the norm, an audit may follow.

That said, a pattern outside of the norm doesn’t necessarily mean that anything is wrong. This could happen for a variety of reasons – the particular patient population seen, specialization of the provider, or an overall increase in patients. Unintended errors can happen during the coding and billing process that can lead to discrepancies also. For example, the unbundling of procedures that are typically bundled and coded together can garner attention.

Federal Government Audits

Multiple government agencies hold oversight over healthcare facilities, payment programs, and providers. The Center for Medicare and Medicaid Services (CMS), the Department of Health and Human Services (DHHS), and the Social Security Administration (SSA) all can have reasons to conduct audits and are required to maintain protections against fraud, waste, and abuse.


Center for Medicare and Medicaid Services (CMS) uses Medicare Administrative Contractors (MACs) for Part A and Part B Medicare, home health and hospice, and durable medical equipment (DME) providers. These MACs process Medicare fee-for-service claims, enroll providers, process appeals, provide education, establish local coverage determinations (LCDs), and review medical records for selected claims. Each MAC is also responsible for conducting quality surveillance plans, which encompass around eighty performance metrics. These surveillance activities may lead to audits. For example, if a provider’s claims or payment patterns vary from the average or from comparable providers, then further investigation will be needed in the form of a targeted audit.


Medicaid, also called Medicaid and Children’s Health Insurance Program (CHIP), is a joint federal and state-based program that also analyzes data for quality improvement and payment metrics. State Medicaid contractors can initiate records requests and audits as needed for participating providers. These typically happen as post-payment reviews, giving the provider time to respond and make payment restitution if necessary.


Unified Program Integrity Coordinators (UPIC) contractors are involved in both Medicare and Medicaid programs, with the primary goal of identifying and investigating suspected incidences of fraud, waste, and abuse. UPIC audits are similar to other government audits in that medical records and documentation are often requested to be reviewed. If findings are verified, further investigation may occur in the form of onsite visits, interviews, and even punitive actions such as suspension, payback of funds, or involvement of law enforcement.


Medicare Comprehensive Error Rate Testing (CERT) audits are conducted to see if Medicare claims are being paid correctly according to the Medicare coverage, coding, and payment rules. It is essentially an audit of the MAC to make sure it is doing its job correctly. CERT audits are usually broad in scope, however records can be requested from providers to substantiate payments already received, if they are selected as part of the audit sample.

Even if not faced with a CERT audit, it IS important to stay abreast of the trending CERT audits each year, because areas that are found to be prone to error will likely be further audited by the MACs in the form of TPEs, RACs, etc.


Recovery Audit Contractor (RAC) audits are conducted to identify and correct improper payments made in Medicare and Medicaid transactions. These third-party contractors are tasked with maintaining the integrity of the Medicare and Medicaid systems by ensuring that all parties are compensated fairly. RAC auditors can do a look-back of up to three years of claims when trying to either determine overpayments or identify improper payments.


The Medicare Advantage Risk Adjustment Data Validation (RADV) program is CMS’ method for addressing improper overpayments to Medicare Advantage Organizations (MAO). CMS pays each MAO a monthly amount for each beneficiary in the Medicare Advantage plan, which is determined by the patient’s risk adjustment – based on medical diagnoses.  

During a RADV audit, records are audited to confirm that any diagnoses submitted by an MAO are supported in the documentation. Risk adjustment discrepancies are identified when a patient’s Hierarchical Condition Category (HCC) used for payment by the MAO doesn’t match up with the patient data in the medical record.

Risk adjustment discrepancies are then aggregated to determine an overall payment error, which can then be extrapolated to the entire pool of beneficiaries. CMS can then require restitution to Medicare, which can be in the millions. 



Targeted Probe and Educate (TPE) audits are done by MACs and focus on particular providers and/or suppliers that bill a particular item or service. These audits stem from high denial rates or providers who have aberrant billing practices. An initial TPE audit involves the review of 20 to 40 claims per provider, per item – called a “round”. After a round, providers are offered education regarding their results and how to correct any problems found. After a high error rate is found, a second TPE round will occur, followed by education – up to three rounds. If errors are not corrected after three TPE rounds, providers may be in danger of losing the ability to bill Medicare.

Quality Improvement Audits

There are many quality-related payment programs included in the value-based purchasing model introduced in 2010. These programs are constantly evolving and require an internal quality program that monitors processes and submits data as needed for the program. Performance metrics are tied to payment strategies, which essentially opens them up to audit.

Many of these payment models also gather data from claims, such as infection rates, mortality rates, and other patient outcomes. Providers and organizations attest to those results and receive scores that either positively impact their payment rates or can involve heavy penalties.


The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) was established to reward clinicians for value over volume of services. As part of this program, providers can choose one of two participation tracks:

  1.       The Merit-Based Incentive Payment System (MIPS) tracks performance in four categories – quality, cost, improvement activities, and promoting interoperability.
  2.       The Alternative Payment Models (APMs) are designed to pay more in exchange for the provider taking on higher-risk groups of patients, such as the chronically ill.

Both of these tracks involve varying levels of financial impact and risk, which is best determined by an individual provider practice or group. Some records of improvement activities are submitted electronically, some by a third party (such as patient survey data), and some data must be submitted by the provider.

All quality payment program information, including that of a third party, can be audited by CMS and must be kept for at least 6 years.


The Healthcare Effectiveness Data and Information Set (HEDIS) is a set of quality measures that CMS collects in conjunction with the National Committee for Quality Assurance (NCQA).  These measures are collected to assess care quality for Medicare Special Need Plans (SNPs) and other Medicare Advantage plans. There are 13 quality measures that have been collected since 2016. CMS and NCQA use these measures to identify gaps and opportunities for improvement, and provide benchmark data and comparison with other plans.

When HEDIS measure data is submitted each year, the health plan receives a score. That score is very important, because it determines whether that payer receives significant Medicare financial incentives over the following year. Because of the money involved in the HEDIS program, audits are necessary.

All health plans submitting data to NCQA must undergo a HEDIS compliance audit, which may only be performed by licensed organizations and certified auditors. This process entails a full audit of the organization’s data processing capabilities, and focuses on six elements:

  •       Information practices and control procedures
  •       Sampling methods and procedures
  •       Data integrity
  •       Compliance with HEDIS specifications
  •       Analytic file production
  •       Reporting and documentation

A HEDIS audit can be daunting. One of the most important things to do early on in the process is to engage with the auditor and determine the scope and number of records that will need to be provided. Many organizations use this to plan for the increased workload and staff that will be necessary during the audit period. 


Now you know about audits – What is next?

Audits are really no one’s idea of fun, but they are the tradeoff for accepting government and private payments. It is important to remember that not all audits end in bad results – some are neutral, and some could even work in the provider’s favor. For example, TPE audits can resolve issues that have been causing insurance denials, resulting in smoother claims and more timely payment – as well as less administrative work.

One thing audits can be – is a lot of work! Administrative tasks such as fulfilling release of medical records requests can be burdensome. The good news is that help is available!

RecordQuest is a leading release of information company that provides support, compliance knowledge, and superior technology to help navigate the ever-changing healthcare landscape. If your medical records processes need life support, contact us for a demonstration and more information.

Test Drive Our Services

Kick the tires. Check the lights. Look under the hood. Take it for a spin around the block. Discover why so many healthcare professionals are switching to RecordQuest for their health information needs.

Test Drive
Recent Posts

Start typing and press Enter to search