No one wants to be audited. Still, health care audits are an integral part of the quality control cycle for all health care stakeholders—federal and state governments, third party insurers, health care providers and patients. Health care fraud drains the economic resources of all participants and also costs us in terms of patient health. Yet, very little fraud, waste and abuse is properly identified and adjudicated. This “invisible tax” on our health care system is costly to all. In an environment of increasing scrutiny on everything that touches a patient encounter, technology and big data are playing an increasing role in identifying outliers and irregular patterns of care.

The Recovery Audit Program
The mission of the federal Recovery Audit Program (RAC) is to correct improper Medicare payments through the detection and collection of overpayments made on claims of health care services provided to Medicare beneficiaries, and the identification of underpayments to providers so that the Centers for Medicare and Medicaid Services (CMS) can implement actions that will prevent future improper payments.1 From 2005 to 2008, CMS ran a demonstration project that used recovery auditors to identify Medicare overpayments and underpayments to health care providers and suppliers in randomly selected states. The program was so successful—returning over $900 million in overpayments to the Medicare Trust Fund and $38 million in underpayments to health care providers—that Congress required the Secretary of the Department of Health and Human Services (HHS) to institute a permanent and national recovery audit program to recoup overpayments associated with services for which payment was made under part A or part B of the Medicare program.

There are four recovery audit contractors, each responsible for identifying overpayments and underpayments in approximately a quarter of the country. The RAC program regions mirror the Durable Medical Equipment Medicare Administrative Contractor (DME MAC) jurisdictions. The RAC auditors work and are paid on a contingency basis, so they have significant financial incentive to recover improper payments.

In 2013, RAC auditors identified and recovered $3.75 billion in improper payments (see “Corrections by Recovery Auditors in 2013,” below).

Corrections by Recovery Auditors in 2013 (ref. 3)
Table columns: Recovery Auditor; Overpayments Collected (Number of Claims, Amount Collected); Underpayments Restored (Number of Claims, Amount Collected); Total Corrected Payments (Number of Claims, Amount Collected).

Additionally, in 2013 the Office of Inspector General (OIG) mandated increased collaboration between the RAC auditors, CMS and program integrity contractors to ensure that the RAC auditors refer all instances of suspected fraud to both the OIG and CMS. Reports of improper payments are easily accessible on the CMS website, under the Comprehensive Error Rate Testing (CERT) heading.2

So we know that audits provide a great return on investment for the federal government. But other third party payers are getting into the audit business as well. This is not just for medical carriers either; managed vision care plans, such as VSP, are also aggressively auditing their providers. So what do practitioners have to do to survive an audit? Because, as the maxim goes, “it is not a question of if, but of when.”

Fraud vs. Waste & Abuse
The most important step in avoiding a negative audit outcome is understanding what these organizations are looking for. CMS has consolidated all of its fraud and abuse information into its Medicare Learning Network (MLN).4 These key resources can help practitioners identify “red flags” within their practice that would be subject to scrutiny under the US Federal False Claims Act (FCA), the Anti-Kickback Statute, the Physician Self-Referral Law (Stark Law), the Social Security Act and the US Criminal Code.

According to CMS, abuse describes practices that, either directly or indirectly, result in unnecessary costs to the Medicare program.5 Abuse includes any practice that is not consistent with the goals of providing patients with services that are medically necessary, does not meet professionally recognized standards and is not priced fairly. Examples include billing for services that were not medically necessary; charging excessively for services or supplies; and misusing codes on a claim, such as upcoding or unbundling codes.

In contrast to abuse, CMS defines fraud as knowingly: submitting false statements or making misrepresentations of fact to obtain payment; soliciting, paying and/or accepting remuneration to induce or reward referrals; making prohibited referrals; billing for services not furnished, supplies not provided, or both; or billing for services at a level of complexity higher than the service actually provided.5

Penalties for these violations are not insignificant. Let’s look at the False Claims Act as an example.

What Exactly is ‘Medical Necessity’?
According to the American Medical Association, medical necessity is defined as “services or procedures that a prudent physician would provide to a patient in order to prevent, diagnose or treat an illness, injury or disease or the associated symptoms in a manner that is:

  • In accordance with the generally accepted standard of medical practice.
  • Clinically appropriate in terms of frequency, type, extent, site and duration.
  • Not intended for the economic benefit of the health plan or purchaser or the convenience of the patient, physician or other health care provider.”1

 CMS defines medical necessity as the need for an item(s) or service(s) to be reasonable and necessary for the diagnosis or treatment of disease, injury or defect. The need for the item or service must be clearly documented in the patient’s medical record. Medically necessary services or items must be: 

  • Appropriate for the symptoms and diagnosis or treatment of the patient’s condition, illness, disease or injury.
  • Provided for the diagnosis or the direct care of the patient’s condition, illness, disease or injury.
  • In accordance with current standards of good medical practice.
  • Not primarily for the convenience of the patient or provider.
  • The most appropriate supply or level of service that can be safely provided to the patient.”2,3
1. American Medical Association. Statement of the American Medical Association to the Institute of Medicine’s Committee on Determination of Essential Health Benefits. January 14, 2011.
2. Riva Lee Asbell. Medical necessity: can you please define that? Part I.
3. OptiCare Managed Vision. Medical necessity: can you please define that? – Part I.

False Claims Act
The FCA protects the government from being overcharged or sold substandard goods or services. It imposes civil liability on any person who knowingly submits, or causes the submission of, a false or fraudulent claim to the federal government. The “knowing” standard includes acting in deliberate ignorance or reckless disregard of the truth related to the claim—for example, a physician who submits claims to Medicare for a higher level of medical services than he or she actually provided or that the medical record documents.

The civil penalties for violating the FCA can include a fine of $5,500 to $11,000 per false claim and up to three times the amount of damages sustained by the government as a result of the false claim. In addition, individuals or entities that submit false claims can also face criminal penalties.5

Often, the main focus of an audit is proper billing for rendered services. Rendered services adhere to a fairly strict yet straightforward standard: medically necessary services. This means we must document in the record why a particular service or procedure is medically necessary and provides a benefit or aids in the patient’s outcome.

Failure to meet the requirement of medical necessity is often the most cited omission during an audit process. Overtesting to protect oneself from medical liability is an often-used defense by practitioners. Available technology is also often used for prognostic testing rather than for its required diagnostic value when a physician is suspicious of a specific disease or problem. This is best summed up by CMS’ position on “worthless” services.6 While not specifically defined in the False Claims Act, worthless services are generally services that are:

  • Not accepted as safe and effective by the medical community.
  • Not supported in peer-reviewed medical literature.
  • Experimental or investigational.
  • Not medically necessary in a specific case or specific medical diagnosis.
  • Furnished at a level, duration, dosage or frequency not appropriate for a specific patient or clinical condition.
  • Not furnished in a manner consistent with standards of care.
  • Not furnished in a setting (place of service) consistent with the patient's medical needs and condition.
  • Furnished in a manner for patient or provider convenience.
  • A device not approved by the FDA.
  • A test or service now considered obsolete.6

Optometrists have the greatest exposure in the statements in bold.

So, how do you avoid performing “worthless services”? Stick to the established clinical guidelines for eye care provided by the American Academy of Ophthalmology’s Preferred Practice Patterns and by the American Optometric Association’s Clinical Practice Guidelines.7,8

Legal Liability
Relationships with patients are increasingly dominated by the contractual relationship of a third party payer. Contractual agreements, or a provider document, generally stipulate rules for accurate coding and billing practices, medical records documentation, appropriate prescription authority and assignment within that particular healthcare system.

[Figure: The progression from an innocent mistake to intentional deception. Penalties for these violations are not insignificant.]

In clinical practice, of course, we don’t send our actual records to a third party each time we want to get reimbursed for a contracted service or procedure. Instead, we represent the service or procedure with a five-character code: a CPT code, a Level II HCPCS code or a Level III HCPCS code. We don’t ever submit our clinical findings or medical judgment of a patient’s condition; rather, we submit an ICD-9 code on a claim form—either electronically through your EMR or by paper on a CMS-1500 form or its derivation. Your signature on the form signifies that you have reviewed all information and it is true and accurate in all aspects.

If you have never read the back of your CMS-1500 form, I highly encourage you to do so. It reminds practitioners of their legal obligations when completing the form and the possibility of civil penalties if information is missing or misrepresented.

A few pertinent excerpts:

  • Any person who knowingly files a statement of claim containing any misrepresentation or any false, incomplete or misleading information may be guilty of a criminal act punishable under law and may be subject to civil penalties
  • The information on this form is true, accurate and complete
  • I have familiarized myself with all laws, regulations and program instructions available from the Medicare contractor
  • I have provided or can provide sufficient information required to allow the government to make an informed eligibility and payment decision
  • I certify that the services shown on this form were medically indicated and necessary for the health of the patient
  • This claim complies with all Medicare program instructions

Additionally, box #31 (Signature of Physician or Supplier) further says: “I certify that the statements on the reverse apply to this bill and are made a part thereof.”

By signing this form you are really attesting under the penalties of perjury that all information provided on this form has been reviewed by you, and you attest to its accuracy and completeness. That is, when you are submitting a certain level of office visit to a carrier for reimbursement, you are stating that this level of visit was medically necessary and appropriate for the patient presentation, the services recorded in the medical record are most closely represented by the CPT code used, and the services were provided in a manner consistent with the CPT definition, the local standard of care, and are in compliance with all applicable laws, regulations and carrier program instructions.

CMS Sharpens its Stance Against Fraud and Abuse9

  • Providers suspected of fraudulent activity were put on prepay review, sometimes indefinitely
  • CMS initiated overpayment recovery
  • Law enforcement determined if any arrest is appropriate
  • Denies individual claims
  • Its contractors use prepay review as an investigative technique
  • Revokes providers for improper practices
  • Collaborates with law enforcement before, during and after case development
  • Addresses the root cause of identified vulnerabilities

HIPAA requires us to follow the rules of both CPT and ICD—and we have to follow all of the rules, not just the ones that are convenient for us. That, in turn, means that you must know the rules before you submit any code representing the clinical care you performed and the diagnoses you attributed to the patient encounter. The clinical care you provide and the codes you use to represent that care are inseparable. In fact, they are the only legal representation of the services you provided and they must be accurately represented within the medical record that leaves the boundaries of your office.

Fraud Detection
There is no question that technology used to capture the patient encounter is making record keeping more accurate—and time consuming. The emergence of meaningful use also means that the EMR must be consistent with specific federal standards. That also means that you must spend more time making sure that your record is truthful, accurate and complete before signing it and translating it into CPT and ICD codes for billing purposes.

With the increasing specificity of the upcoming ICD-10, you’ll need to spend an even greater amount of time ensuring that the chief complaint, clinical findings, diagnosis(es) and clinical plan all match appropriately with the coding represented on the claim.

CMS has also changed its approach to combatting fraud, waste and abuse (see “CMS Sharpens its Stance Against Fraud and Abuse,” above).9

The RED Flags
So, knowing all of these things, how can you avoid an adverse result of an audit? There are certainly red flags or behaviors that might trigger the attention of a third party payer. They include:

  • Using codes under review by the OIG
  • Not reviewing your submitted claims against recovery audit issues
  • Abusing codes
  • Aberrant or inconsistent billing patterns
  • Maximizing revenue without sufficient documentation
  • Cloning documentation
  • Not understanding definitions of modifiers and inappropriate use of modifiers

The primary item a carrier can use against you in an audit is your medical record. The primary item that you can use in your defense in an audit is your medical record—and the only thing that is 100% in your control to create is the medical record. So, even if getting audited is a matter of when and not if, the adverse outcome of an audit is completely preventable by putting good controls, self-auditing procedures and compliance measures into effect within your practice.

Types of Audits
Pre-payment Audit: These are generally automated, and you may never even know about it. If the payer requests documentation, they are looking at a specific issue.
Post-payment Audit: After the claim is paid, the payer requests specific information to support the coding and claim.
Automated Review Audit: This is a computer-generated review to identify violations in standard rules or edits. The review is usually associated with a very clear policy.
Comprehensive Review Audit: This is a review, performed by a certified reviewer, of the entire medical record. The payer may apply standard criteria (such as CMS standards) to determine medical necessity requirements or to validate that the service was provided.
Fraud and Abuse Audit: This is an audit conducted when there is suspicion of an intentional violation. If the Special Investigations Unit (SIU) is conducting the audit, it is because there is a very high degree of suspicion of intentional fraudulent behavior and the potential penalties can be much more significant.
Claim Recovery (Administrative Review) Audit: An audit that is focused on violation of coding rules, where intentional fraud is not suspected.
Claim Focused Audit: The payer is looking at specific types of claims or services, but is not necessarily focusing on your particular practice.
Provider-focused Audit: This is focused specifically on your practice or a specific provider within your practice with concern surrounding specific coding and billing behaviors.

‘I Think I’m Getting Audited’
The very first thing to do if you receive a letter from a carrier is to determine what you have received. There are different types of correspondence that are easily confused:

  • Heralding Notice—This alerts all providers that the payer intends to conduct audits system wide. It does not necessarily mean that you are getting audited.
  • Notice of Audit—This is an official notification that you are getting audited.

If you are getting audited, then consider these more specific questions:

  1. Has the carrier identified key issues of concern?
  2. Is the audit for recovery or fraud?
  3. Is it an educational or network-wide audit?
  4. Is the payer asking for specific records?
  5. Is the payer targeting specific diagnoses?
  6. How many records is the payer asking for? Higher numbers may indicate a more comprehensive review, with the expectation of a higher recovery.
  7. Is the payer suspecting improper coding or inconsistent billing processes?
  8. Is the payer questioning medical necessity of specific procedures or relationships with specific diagnoses and CPT codes?

Building Your Defense
If you are being audited, there are some important steps to take when building your defense. The first is creating a team of experienced individuals to assist you. That will most likely include an attorney who can help you understand your rights and requirements contained within your provider agreement/contract. It should also consist of a peer who specializes in audit defense; has a good understanding of CPT coding definitions, rules, regulations and requirements; and is familiar with all of the zip code-specific local coverage determinations and national coverage decisions that were in place on the dates of the service called into question. This is often a very emotional and stressful time in your professional career, and it is good to have the advice of professionals who deal with this objectively.

Other tips to keep in mind are:

  • Find out who at the carrier is conducting the audit. Learning the department conducting the audit can provide you with insight on the level of seriousness.
  • Pay attention to all date-specific deadlines. The general time limit to pull records is 45 days, but can vary based upon your contract and your state’s Prompt Payment Law.
  • Assemble the correct information to send. Don’t fail an audit by neglecting to submit the requested information.
  • Assign someone in the office as the primary contact for the carrier (someone familiar with your medical records).
  • Send copies of records, not the originals. If you can’t find a record in question, request more time.
  • Never send less than what the carrier is requesting.
  • If an audit leads to a request for recoupment of claims payment, ask for time to review the demand letter.
  • Determine if you received the demand letter within the proper time period following the audit.
  • Make sure the auditors provided proper rationale and justification, as well as explanation of how they determined the recovery amount.
  • Check if the payer provided an explanation for each claim incorrectly paid or coded.
  • Ensure the payer explained the statistical sampling and extrapolation, if extrapolation was used to determine the total amount of restitution.
  • Be sure the payer provides information on your rights of appeal and the timeframe and requirements of it.

Guidelines for Good Practice

  • Take care of the patient first and foremost. You have a fiduciary responsibility to the patient to put their medical outcome first.
  • Take care of the medical record second. Make sure to record what you are doing and why you are doing it. Make an effort to record your thoughts and impressions about the patient’s conditions and your care plan.
  • Code your encounter from only what you have written in the record. Never assume you have provided a certain examination service level. Learn the definitions and specifications of the special ophthalmic procedures that you order.
  • Learn how to use modifiers correctly. Their specific purpose is describing the episode of care and how it differed from normal.
  • If you get audited, don’t go it alone. Build your team with individuals who can properly assist you in audit defense. Use an OD-knowledgeable firm that specializes in audit defense and an attorney who can help you understand your rights and responsibilities under your provider contract.

Getting audited does not have to be a frightening experience. While audits are a serious issue and should be treated accordingly, you can prevent negative outcomes by practicing in accordance with local standards of care, keeping detailed and accurate medical records, and staying up-to-date with the legal requirements of being a licensed physician.

The health care environment is only going to get more demanding in the areas of compliance and proper medical coding. And the process of “checks and balances”—what we call audits—is only going to get more complex and arduous. Avoid fear of audits by using good preventive measures in how you provide, record and report your care for payment by a third party. That means more time spent on your “paperwork” in a world that demands that you provide care in a more efficient, cost effective manner. You have to learn and follow the rules of the CPT and ICD, and you have to learn and practice the concept of medically necessary care. And yes, you may make less money if you are currently upcoding office visits and ordering tests that do not clearly demonstrate a beneficial outcome for the patient. You and you alone can control the outcome of an audit by the preventive measures you put into place.

1. Centers for Medicare and Medicaid Services. Recovery Audit program. Comprehensive Error Rate Testing (CERT).
2. Centers for Medicare and Medicaid Services.
3. Centers for Medicare and Medicaid Services. Recovery auditing in Medicare for fiscal year 2013.
4. Centers for Medicare and Medicaid Services. Medicare learning network (MLN) fraud & abuse products.
5. Centers for Medicare and Medicaid Services. Medicare fraud & abuse: prevention, detection, and reporting.
6. Morrow D, Richman H, Wartman R. Coverage indications, limitations and medical necessity. AOA Focus. 2014 Sept:51.
7. American Academy of Ophthalmology. Preferred practice pattern guidelines.
8. American Optometric Association. AOA optometric clinical practice guidelines.
9. Centers for Medicare and Medicaid Services. Module: 10. Medicare and Medicaid fraud prevention.