Medicare: When the Auditor Comes Calling

June 1, 2006

Yes, you can survive a Medicare audit, as long as you know what to do. Here's how to get through it - and better yet, avoid it altogether.


After recently getting word that he was the subject of a CMS audit, a physical therapist did what most providers in his place typically do - he reviewed the records the agency requested. To his horror, he discovered that documentation for a $300,000 service he had billed to Medicare was particularly weak.

Panicked and not thinking clearly, he altered his records in an attempt to hide the errors he detected. However, he failed to re-date his revisions before sending the requested documents to CMS.

It never occurred to him in that desperate moment that CMS already had the records in question. Upon receiving his altered versions, the agency enlightened him.

“I was surprised he didn’t go to jail,” says David Glaser, a healthcare lawyer based in Minneapolis. But the physical therapist was compelled to return the $300,000 he had incorrectly billed.

This provider’s fear-driven reaction to his audit notice is not uncommon among physicians in similar situations. Glaser and other experts say this needn’t be the case. Having a good compliance plan in place - and following it carefully and consistently - can put you in a very confident position should you be hit with a Medicare or
Medicaid audit.

But whether you are ultracompliant or not, there are several steps and strategies to keep in mind should the day arrive when your practice gets that dreaded communiqué.

Tag - You’re It

OK, so say an audit letter has arrived. It states, “Please send us 15 charts from date A to date B.”

What then?

Glaser says it’s a good idea to contact your attorney first. She will help you determine whether CMS is simply conducting a routine audit of you and several other practices for benchmarking purposes or if you specifically are under investigation by its fraud unit. It’s often hard to tell by the letter’s content.

“Sometimes the letters that are a big deal don’t look like they are, and vise versa,” says Glaser. “To be safe, if you get a letter with a bird on it [the logo for the U.S. Department of Health & Human Services], call your lawyer.”

If it appears you are under investigation for fraud, Glaser says your attorney will likely employ a consulting company to conduct an internal audit of the requested records before you hand them over to CMS or the Office of the Inspector General, which handles CMS’s fraud cases. When your attorney works directly with the consultants she hires to review your records, what’s in them is privileged and thus not discoverable, Glaser explains.

However, if you leave the lawyer out of it and hire your own consulting company to audit the requested records, you are obligated to tell the government about any mistakes or problems you find. Glaser says he recently worked with a doctor who learned that lesson the hard way. He conducted his own internal audit without consulting an attorney and discovered that he had coded a visit improperly. When CMS realized he had this information and did not submit a correction immediately, he was hit with fraud charges.

Kenneth Hertz, a consultant for the Medical Group Management Association, says that if your attorney determines that a CMS audit is likely not a fraud investigation, it’s still a good idea to conduct your own “very focused internal audit” or hire a billing and coding consulting company do one for you. “That way, you can get a sense of what’s in the records CMS wants, and you yourself can determine if there was an overpayment or underpayment problem of any sort, or whether you stand out in comparison to your peers,” says Hertz.

But be sure to not call your internal audit an “audit,” warns Glaser. Instead, call it a “review.” “The government likes to seize on that [term],” Glaser says. It assumes that conducting an “audit” implies knowledge of mistakes or wrongdoing.


Just what is CMS looking for in your records? Most of the time the agency is trying to compare what you have submitted for payment versus what’s in your charts, says Hertz. That is, does your documentation of your patient visits match the services you’ve billed for?

Ideally, CMS would like to see such a match, but missing or improper documentation doesn’t put your practice in immediate peril with the Medicare program, as providers are not legally bound to use CMS’s documentation guidelines.

“The law only requires you to furnish information to show that you provided the service,” explains Glaser. “So billing for something that isn’t charted in the medical record isn’t - in and of itself - fraud … if you provided the service.” Your only obligation is to prove - in some form - that billed services were indeed provided.

Don’t Stand Out

How does CMS choose its targets?

The agency looks for outliers, says Hertz. He explains that CMS maintains detailed statistics regarding “the norm” in each specialty when it comes to coding and billing. If you are an outlier - say you are billing for far more midlevel established patient visits than are your peers - CMS may very well notice and ask to review your files more closely. To determine if this is what CMS suspects, gather your production data that’s under review and compare it to that of other physicians in your group, your state, and the country.

You might think that overall it doesn’t matter much if you tend toward more high-intensity visits than your peers here and there - but au contraire, warns Hertz. That’s because Medicare extrapolates.

“If Medicare asks you for 20 charts and 10 have a particular problem,” says Hertz, the likely response will be, “‘Let’s see - 50 percent of your charts are bad; therefore we need the payments back for half of all your Medicare visits plus penalties.’”

If you do turn out to be an outlier, but there are compelling reasons why, you have the right to submit extra information with your records as justification for your billing, says Hertz.

Also ensure that your informed consent documentation is in order. The informed consent that CMS requires is fairly rigorous; if any of it is missing in your records, that can trigger an audit, says Timothy Kelly, vice president of Dialog Medical, a software company that makes an automated informed consent product developed by a urologist.

“Paying very close attention to informed consent will be to a doctor’s advantage when it comes to avoiding a Medicare audit,” says Kelly, who says he has worked closely with CMS in developing the application.

Truly understanding all of CMS’s rules and regulations is crucial. Some ways to do this include: regularly accessing CMS’s Web site; frequently attending seminars on Medicare rules and regs; and investing in regular internal training for all staff.

An easy way to obtain such training is to purchase access to regular audioconferences on topics like coding, documentation, proper modifier use, and bundling/unbundling. These run in the $200 range, Hertz says, and they allow each staff member to listen in and interact with accompanying PowerPoint presentations. “The more you can educate everyone, the more you can monitor compliance within the practice,” says Hertz.

You can even have an expert come in and shadow each doc, observing how he or she codes and documents over a few days. Then, if you identify problems, spend time working with the doctors whose methods are flawed and could possibly trigger an audit.

“It’s absolutely crucial to the whole medical system,” says Hertz. “It’s just too bad this isn’t taught in medical school.”


In reality, very few doctors are guilty of out-and-out fraud. Far more often, problems arise from more innocent scenarios.

“Part of it is carelessness, lack of attention to details on the part of the doctors,” says Hertz. “Other physicians really just have a lack of understanding of the coding and documentation principles.”

Be Fast and Proactive

To ensure you satisfy CMS’s request in the quickest and most efficient manner possible, Hertz suggests turning the matter over to a specific point person in your office. That person should put a plan together for handling the audit and make it his top priority. And don’t take too long to perform your internal review; most auditors ask to have copies of the requested records in hand within 10 to 20 days of giving notice.

Communicate openly with the government from the moment you receive a letter announcing an audit, advises Sara Kay Wheeler, a healthcare attorney based in Atlanta. “Be really proactive,” she says. “Ask lots of questions. Get lots of details. Talk to the auditor about what is expected. The more open the attitude of the physician in working with the auditor, the better the audit will go.”

Glaser adds that when you call CMS for questions or advice during this process, it’s a good idea to write down everything said during the conversation - in specific and exact detail - and then send a copy of your notes to CMS via certified letter. That makes it difficult for them to deny that the conversation ever took place.

Wheeler says it also doesn’t hurt to mention in those conversations that you have an attorney and she is assisting you with this matter: “This lets the auditor know that the practice is protected.”

Walk the Line

Be accommodating with auditors when they come knocking - but within reason.

“The true art in cooperating with auditors is in not bending too far backward,” says Wheeler. “Just give them exactly what they are asking for and no more. Otherwise you may expose more problems than need be, causing the auditors to look at more than they - and you - had anticipated.”

Just as altering your records before sending them to CMS is a giant no-no, so is coaching your employees on what to say to auditors, says Glaser. “The bottom line is, don’t sit down and discuss it with employees,” he advises. “If, the night before auditors plan to visit, you sit down with everyone to make sure you have your stories straight, the government views that as conspiracy to lie to a federal official.”

Anything you say to employees without an attorney present is discoverable. However, you can tell your employees what their rights are should an OIG investigator show up at their home to ask questions - which is not uncommon. “You can let them know that they don’t have to speak to the investigator, and if they do, they can have a lawyer present,” Glaser says.

He also points out there are cases in which investigators have told practice employees not to tell their physician bosses that the investigator contacted them. Glaser says it’s important to let your employees know it’s perfectly legal to let you know if a government official contacts them.

The Waiting Game

You’ve sent CMS copies of the records they requested. They’ve had them for weeks now, and no one is calling to let you know the status of your audit. What do you do?


Let sleeping dogs lie, says Glaser.

“If you don’t hear from them, don’t call and check. No news is good news. Let it sit,” he advises. “Maybe they’ll forget about you - I’ve seen that happen.”

And be patient, he adds. Results from a Medicare audit can take months - even years. Put it out of your mind and remember that jail time for infractions is exceedingly uncommon - usually only seen when out-and-out fraud is apparent, says Glaser.

Yes, a Medicare audit can be a tremendous drag on your resources, time, and emotions - but if you can, focus on the upsides, suggests Wheeler. Surprisingly, she says there is more than one.

“In looking closely at your records during an audit, you may discover areas where you’re not capturing revenue to the greatest extent allowable by revenue rules - or you could find ways to tighten internal control that would help the bottom line,” Wheeler says. “Try and view the audit as an opportunity to shine and let CMS see what you’re doing right.”

Suz Redfearn is a freelance writer and editor with more than 10 years of experience writing about business and healthcare issues. She can be reached via editor@physicianspractice.com.

This article originally appeared in the June 2006 issue of Physicians Practice.