Traditionally, payers and the government have ensured proper payment of claims for health care services through periodic review of previously paid claims. The government relies on a series of audit programs to conduct these reviews. The audit programs use various methods of reviewing claims and have distinct purposes, but ultimately, the goal remains the same: protection of the Medicare Trust Fund and beneficiary premium dollars.

For Medicare purposes, there are three entities that manage its audit programs:

  • The Centers for Medicare and Medicaid Services (CMS)
  • The Office of the Inspector General for Health and Human Services (OIG)
  • The Department of Justice (DOJ)

Click the plus (+) signs beside the headings below to learn more.

Centers for Medicare and Medicaid Services (CMS) Audit Program

The Centers for Medicare and Medicaid Services (CMS) manages a number of different audit programs. The most frequently mentioned programs include:

Comprehensive Error Rate Testing (CERT) Program

The CERT Program has traditionally focused more on educational audits, rather than punitive audits. The results of CERT audits are typically published (without the names or identifying information of participants) to assist practitioners and practice in identifying common billing errors that are generally unintentional in nature. This information generally leads to the creation and distribution of educational materials by CMS and its contractors. While the initial purpose is educational, the result of CERT audits may be used by other audit contractors to identify potential items for review. CERT reports are available here.

Medicare Contractor Audits

Medicare contractors – MACs, carriers, and fiscal intermediaries (FIs) – have long had the ability to conduct audits of claims submitted to them for payment. While traditionally these audits have been post-payment, they do have the ability to conduct pre-payment review, as well. In 2011, CMS provided additional funds for contractors to conduct prepayment review of claims for services identified by the CERT program as potential problem areas.

Recovery Audit Contractor (RAC) Program
The RAC program was created by the Medicare Prescription Drug, Improvement and Modernization Act of 2003 (MMA) as a demonstration program and then made permanent and expanded as part of the Medicare Improvements for Patients and Providers Act of 2007 (MIPPA). They are generally thought of as the “bounty hunters” of the audit world because they receive a percentage of the recovery from overpayments (and underpayments) they identify.

There are other audit programs, but these are the most common ones that practitioners face.

Office of the Inspector General for Health and Human Services (OIG)

Within each federal government department is the Office of the Inspector General (OIG), and the Department of Health and Human Services (HHS) is no different. The Inspector General (IG) and the staff of the OIG are independent of the Secretary for HHS and other political leaders. It is the OIG’s responsibility to prevent fraud, waste, abuse in Medicare, Medicaid and other federal health programs.

OIG Work Plan

The OIG carries out its responsibilities primarily through audits and investigations of government spending. Additionally, the OIG is responsible for the promulgation of the regulations and advisory opinions pertaining to the Anti-Kickback Statute. Each year, the OIG releases its Work Plan for the coming fiscal year. The Work Plan provides insight into areas identified by the OIG and other HHS audit programs as potential areas for waste, fraud and abuse. The Medicare audit contractors and others may use the OIG’s Work Plan as a way to identify areas for auditing, as well. Read this year’s OIG’s Work Plan.

Compliance Planning and Practitioner Education

The Affordable Care Act has brought with it a greater focus on compliance plans. Having a compliance plan in place can assist a physician practice and practice staff in determining steps to take in the event a problem is discovered. Additionally, following the compliance plan upon discovery of a problem can assist the practice with its defense if litigation is pursued. Lastly, developing a compliance plan and education pertaining to it can indicate to practice staff the importance of compliance and lead to a strong culture of compliance within the practice, all of which contribute to a higher quality of patient care.

The OIG has developed a guidance series for the development of compliance plan based on setting and provider type. Guidance for individual and small physician practices was last promulgated in 2000 and is available on the OIG’s website. The OIG has also made additional compliance planning resources available.

In addition to the guidance for compliance planning, the OIG has also created and made available a free series of videos and podcasts on compliance and the federal fraud and abuse laws. Also available for physicians are self-study materials on the federal fraud and abuse laws, including a slide set and other materials.

Department of Justice (DOJ)

Department of Justice Audit Programs

The Department of Justice (DOJ) works with the Office of the Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS) to identify instances of fraud and abuse and litigates these cases on behalf of the government.

ICD Investigation

While the DOJ typically acts in concert with the OIG and CMS based on their investigations, it can undertake its own investigations. The most recent example of this is in the area of implantable cardioverter defibrillators (ICDs). In 2011 hospitals across the country were served subpoenas regarding their billing for implantation of ICDs.

Medicare coverage for the implantation of ICDs is spelled out in a National Coverage Determination (NCD), Chapter 1, Sec. 20.4 of the Internet-Only Medicare National Coverage Determinations Manual (Pub. 100-3). The DOJ suspects that hospitals may be billing inappropriately for these services. The NCD is quite specific in terms of situations where the implantation is not covered by Medicare, regardless of a cardiologist’s clinical judgment of medical necessity. In addition to serving the hospitals, a number of ICD manufacturers received subpoenas pertaining to any potential billing or reimbursement advice they may have furnished to practitioners. The DOJ has not released any formal findings, nor has it filed suit against any hospitals to date. However, in August 2012, hospitals were contacted via e-mail and encouraged to conduct internal audits, using a specially developed “Resolution Model” and medical review guidelines. These will be used by the DOJ to facilitate resolution of concerns raised during the investigation.

HEAT Task Force

The Health Care Fraud Prevention and Enforcement Action Team (HEAT) is an interagency team that both investigates potential fraud, as well as works to prevent it. As part of this interagency collaboration, the government has created the Medicare Fraud Strike Force consisting of investigators from DOJ, CMS and the OIG, as well as from state and local agencies designed to combat Medicare fraud through the use of Medicare data analysis techniques and an increased focus on community policing. Their efforts to date have focused on regions of the country that are considered high fraud areas, including but not limited to California, Florida and New York. Additionally, the HEAT Task Force has developed educational programming for clinicians, physician practices and others to help prevent fraud, waste and abuse.

To learn more about the HEAT Task Force, visit www.stopmedicarefraud.gov.

Private Payer Programs

Private payers conduct audits for a variety of reasons including: reducing improper payments, finding money, complying with regulations, and addressing suspected fraud. To find areas for review, payers commonly use claims data mining and analysis software to find potential coding errors, physician outliers compared to peers, and results from public audits (i.e. CMS, OIG, DOJ). There is an added focus on high cost and highly utilized procedures and devices. An increasing number of audits have differing goals outside of finding improper payments and finding money. Some audits aim to validate risk adjusted data within the Medicare Advantage program.

The audits typically begin with a certified letter from the insurer or its auditing contractor to the medical provider requesting copies of specific patient medical records to be returned within 60 to 90 days. It is important to remember some patients’ full records may be in multiple locations (physician’s office, hospital, and storage facility). Once the records are received, the audit investigator will review the patient records and provide the provider with its decision along with options for appeal and if applicable payment recovery request. It is strongly recommended that the medical provider review and appeal any decisions found to be questionable within the allotted time. The most common claim and medical record errors in private payer and Medicare audits include billing with the wrong date, patient name or physician, insufficient documentation, improper coding, and not meeting clinical indications.


If you become aware that you are the target of an audit or other investigation, it is generally a good idea to seek out legal advice. While there are a significant number of attorneys skilled in white collar litigation, the ACC strongly recommends that you consult an attorney who is a member of the American Health Lawyers Association and/or has a strong background in health care law. The federal statutes governing healthcare fraud and abuse are different and may be more complex than those governing other fields. Additionally, your situation may also implicate state fraud and abuse statutes and/or regulations, so consider an attorney who is familiar with your particular state’s healthcare laws.