The Law: Third-party Audits on the Rise

November 1, 2008

More payers - and even some employers - are hiring third parties to conduct chart audits on their behalf. Is this legal? What should you do if you receive such a request?


Arvind Cavale was confused.

In spring 2008, the endocrinologist got a letter from a company called TPL2. It asked for a refund, saying Cavale had been overpaid for office visits in 2006. The letter also gave Cavale the option of a chart review to defend his payments.

Cavale didn’t know who TPL2 was. But he did know the patient whose visits were under question was insured by a Blue Shield plan, so he contacted his rep there. They didn’t know anything about it.

It turned out the request was from an ex-employer of the patient’s spouse. Cavale then sent complaints to the Pennsylvania Insurance Commissioner’s office, which refused to get involved. The state attorney general begged off as well.

Finally, the Blue Shield plan asked the ex-employer to knock it off, and the matter seemed to go away. But today Cavale still isn’t happy. “I am itching for a fight; I would love to squish these guys like a cockroach. It is truly beyond the capacity of any small practice to sift through this maze.”

True enough words. As if your practice isn’t already crazy enough, audits seem to be on the increase across the country. Especially troubling: Audits from third parties, such as that which Cavale faced, are becoming more common. Payers are outsourcing audits to outside companies and some employers are performing their own audits as well.

That raises eyebrows. While HIPAA allows the release of medical records for payment and operations, things get a little murky when you start giving employers the records of employees, even if the employer is also the employee’s payer. Plus, no one wants to facilitate a fishing expedition by someone not really involved in the payer-provider relationship.

It’s all fair and square, usually, but it sure can be confusing to a worried practice.

Experts advise a deep breath and two simple steps: Check credentials and your contracts.

Check credentials

“If someone walks in and says they want to audit charts, you ask, ‘OK, by what authority?’” says Jeff Hausfeld, a physician who also is managing director at FMS Financial Solutions in Washington, D.C. Keep in mind that most auditors don’t just show up unannounced at the door. Legitimate audits start with a letter that clearly divulges who is asking. Just review the letter then ask simple questions and confirm the payer indeed deputized any third-party organizations. Have the letter-sender fax something showing its authority and get all pertinent e-mails and phone numbers.

Whether the audit targets one patient or a handful, look for who insures those patients. You can also call the payer directly, as Cavale did, to make sure they’ve engaged the organization as a legal agent. Still worried? Call your local medical society or even a lawyer if the inquiry seems especially far-fetched or vague.

Also, an auditing group should send a business associates agreement for you to sign, as required by HIPAA, says Rohan D’Souza, founder of D’Souza and Associates, a billing and consulting company in Hockessin, Del.

Most auditors “aren’t going on a safari where they are looking at hundreds and hundreds of charts,” says Judy Bee, a consultant with Practice Performance Group in La Jolla, Calif. In Bee’s experience, auditors usually will specify what they want to see, such as 10 examples of a 99215 or some routine, general sampling. If the request does seem more random, you certainly can limit your chart pulls to patients insured by the payer in question, she adds.

Generally speaking, don’t be surprised or overly concerned if a third-party representative sends you a note, says attorney Sidney Welch with Atlanta-based law firm Arnall Golden Gregory, noting the increase in outsourcing. Both Hausfeld and D’Souza agree with Welch, saying that most payers do contract with an outside source, which therefore grants the third-party with proper authority.

Still, shady shenanigans do happen occasionally, so be on the lookout. Here are some tell-tale signs that what you’re facing may be off-kilter or particularly odious, and that you should grab a lawyer:

  • Auditors at the door - Most audits are initiated via letter. If an auditor actually comes to your door and wants to see some charts now, he probably suspects you’ll alter records if given a chance. They are after something serious.

  • Who are you? - Even third-party auditors usually make it pretty clear who they are working for. If you just aren’t sure who is asking for information and with whose authority, get help.

  • Oldies but not goodies - If, post-audit, you discover a payer has extrapolated in a way you find unfair or inconsistent with their own processes, you’ll want to appeal. There was a time when some payers would grab just a few charts, find a problem, then assume that every payment for years connected with those codes was made in error. That can add up to a big refund for you to pay. Fight for your rights.

Go to your contract

Although it’s probably in there, always, always, always double-check your contracts if you have any questions at all on whether your payers can legally subcontract auditing tasks (assuming you know where they are - not a given in medical practices). “Go immediately to the contract and find … audit rights, scope of the audit, and so on,” advises Welch. Likely, the contract will refer you to the payer’s policies and procedures. You’ll need to get a copy of those.

Frankly, it’s good to have the policies on hand even if you aren’t facing an audit. Knowing what and how payers are likely to audit helps you prepare your charts proactively, MGMA consultant Cindy Dunn points out. Moreover, part of good contracting is reviewing these pages so you know what you are getting into before you sign, says Welch. You can try to negotiate how long a payer has - after making a payment - to go back for an audit, and request a refund. Welch says 90 days is plenty.


Take time to scrutinize all the clauses about refunds, asking yourself these questions: Can the payer in fact audit you, decide it overpaid you, and just start taking money out of your next checks? It might be best if they can’t take your money until all your opportunities for appeal are exhausted. If you agree, take steps to ensure such language is included in your contract.

Extrapolation is another hot button. Say a payer reviews 50 charts, decides you were paid incorrectly, and then extrapolates the findings, saying you were paid incorrectly for thousands of claims over a six month period. Yikes! Is such heinous latitude spelled out in your contract? Hopefully not. Try to intervene and soften this before you agree to the terms of the contract.

Don’t panic

If you are audited, don’t panic. It’s not necessarily a done deal, with you left in the financial gutter. While audits can reap significant money for payers - Medicare recoups about $12 to every dollar they spend in audits, says Hausfeld - you don’t need to sweat an audit if you’ve been doing the right thing all along. “I just came out of one practice,” says Bee. “The manager has had three different audits with three different payers and passed all three with flying colors.”

And how you react to the prospect of an upcoming audit will tip the outcome in any number of directions - not all of them good. First and foremost, be nice. Your response to an audit request should be to “gain [the payer] as an ally instead of making them an enemy,” Hausfeld suggests.

Instead, “physicians get scared and get worried,” says D’Souza. His advice: Just get the basics and stay on top of things, responding the deadline as you are asked - calmly.

Just do what you are required to do and be done with it so you can get back to doing what you love.

Pamela L. Moore is editorial director for Physicians Practice. She can be reached at pmoore@physicianspractice.com.

This article originally appeared in the November 2008 issue of Physicians Practice.