Medicare’s New Bounty Hunters

March 1, 2010
Ken Terry

Concerned about Medicare’s new Recovery Audit Contractors snooping around? Though your practice may not be affected by RACs for at least a year, the time to ready your defenses is now. Here’s how.


The RACs are coming, and physicians are concerned - even though they’re not likely to feel the impact of Medicare’s new Recovery Audit Contractors for at least a year.

Internist Gregory Hood of Lexington, Ky., worries that the RACs won’t be sufficiently discriminating when they audit E&M codes - a point that the AMA is stressing in discussions with CMS.

Hood also objects to what he believes is the RACs’ methodology for potential extrapolation. That’s the denial of a series of claims over a period of time, based on an allegation that there has been a pattern of improper payments to a practice.

Will Sawyer, a family physician in Cincinnati, views the RACs, which receive a percentage of the dollars they recover for Medicare, as bounty hunters. But he’s less fearful of the RACs than he is of third-party auditors hired by Medicare Advantage plans and commercial insurers. “I’m not afraid of the RACs, as long as they’re transparent and honest,” he says.

Attorneys and consultants familiar with the RAC attack say it’s part of a rising tide of payer auditing activity. On the government side, the Obama Administration has stepped up its rhetoric about cracking down on Medicare and Medicaid fraud and abuse. Meanwhile, private insurers and their third-party auditors are also increasing pressure on physician practices, and they will look closely at how well the RACs are doing, say Abby Pendleton and Jessica Gustafson, attorneys in Southfield, Mich., who specialize in defending healthcare providers from RAC audits.

For now, the RACs are focusing on hospitals, and will continue to do so until CMS works out some issues with the AMA. But Pendleton and Gustafson note that the RACs are here to stay. Physicians should start paying attention to what these government contractors are after and how to guard against their assaults.

Physicians targeted in pilot

During a three-year pilot program that eventually covered six states, the RACs focused mostly on hospitals because of the large dollar amounts involved in their claims. But they also investigated some Medicare Part B claims. About 15 percent of the more than $900 million in overpayments collected by the RACs in the pilot came from physicians, according to a CMS official.

On Jan. 1, CMS completed its launch of a permanent, national RAC program, with four RACs assigned to different regions of the country. According to the agency, “The goal of the recovery audit program is to identify improper payments made on claims of healthcare services provided to Medicare beneficiaries. Improper payments may be overpayments or underpayments.”

Physicians are naturally skeptical that the RACs might consider the possibility that they were underpaid - and, in fact, less than 4 percent of the improper payments detected in the demonstration program were underpayments. One reason for that is that finders’ fees for underpayments were not introduced until halfway into the pilot. In the permanent program, RACs may receive 9 percent to 12 percent - depending on the region - of the overpayments or underpayments they discover.

If a RAC’s determinations are overturned on appeal, the contractor doesn’t receive a fee. David Glaser, a Minneapolis audit defense attorney, says this gives RACs an incentive to adjust their approach going forward so that they don’t have to risk losing appeals. “That holds out some hope that they’ll be more rational than the past auditors [from Medicare carriers] have been,” he says.

What about fraud?

Overall, the RACs will look at the same kinds of things that Medicare intermediaries have always audited. But, because of the White House’s focus on fraud and abuse, Glaser says he is concerned that the RACs are going to “nail people on things like unsigned notes. It’s clearly unfair to the doctors, because there’s no doubt the service was provided. And recently, they’ve been hinting that if your signature is illegible, that’s a basis for a denial.”

The RACs are looking for improper payments, not fraud. But if they detect fraud, they cannot ignore it. Some observers say, however, that RACs are less likely than traditional Medicare auditors to turn cases over to the zone program integrity contractors, which are private companies that handle fraud and abuse allegations for CMS. Because the RACs are paid on a contingency basis, Gustafson says, “the financial incentive is for them to audit,” not to hand cases over to another entity.


There is no consistent pattern in how Medicare intermediaries and contractors distinguish improper payments from fraud, notes Glaser. But Pendleton says that in her 14 years of defending against Medicare audits, every one has alleged that the claims were for medically unnecessary services. “When does it rise to the level of fraud and abuse? It’s got to be pretty extreme.”

While Medicare carriers have long extrapolated certain coding patterns to sets of earlier claims, the RACs must obtain CMS permission to do this on a case-by-case basis. In a letter to the AMA, CMS Acting Administrator Charlene Frizzera said the agency will allow extrapolation only in “limited, highly focused situations.” And the RACs will be able to extrapolate only as far back as they can review claims, according to Glaser. The RACs can audit claims going back a maximum of three years, or to Oct. 1, 2007, if that is no more than three years.

The RACs are also limited in the number of records they can request, which the AMA would like to reduce even further. Within a 45-day period, a RAC can request 10 medical records from a solo physician, 20 records per provider from a two- to five-provider practice, 30 records per provider from a group of six to 15 practitioners, and 50 records per provider from groups of 16 or more physicians and midlevels.

Some dos and don’ts

To avoid getting in trouble with the RAC in your region, you should first get the company’s name, which is available on the CMS Web site. Then tell your staff to forward any letter from the RAC to you or your administrator.

“In a lot of practices, requests come in for medical records, and many times, the staff pays no attention to who is making those requests,” says Cindy Dunn, a Medical Group Management Association consultant. “They get used to payers asking for charts to audit. So they get the letter, and they send out the records. The manager might not even know the practice has received a RAC letter.”

This problem underlines the need for practices to have a formal policy on handling record requests, Dunn says. They should keep a log of all requests and what records were sent out, she says. Unless the requests are from a health plan or a CMS-related entity, you will need specific patient permission to release records. In addition, there are several things you should check before sending anything to a payer, such as whether the patient is a current plan member.

Internal audits and overpayments

HIPAA regulations require every practice to review its billing and coding once a year. In addition, CMS recommends that practices do internal audits periodically “to identify if you are in compliance with Medicare rules.”

After a practice does a self-audit, Dunn says, it should share the results with all of the physicians within a certain period of time. If there’s any problem, the practice must show that it offered providers education on coding and that it re-reviewed their claims to see whether they were in compliance.

What if your internal review turns up evidence that Medicare might have overpaid you? If it’s just a matter of poor documentation, or you didn’t sign the note, you don’t have to refund the money - unless you think an audit might call into question whether the service was performed, says Glaser. In general, he adds, you’re better off refunding if there’s any uncertainty.

Pendleton and Gustafson take a different position. While there are some circumstances in which a refund to Medicare is warranted, Pendleton says, “Self-auditing is the job of the government. You might be paying claims back when they might never have been reviewed, and there may be gray areas where you could prevail in the appeals process and you might not necessarily have to refund.”

Appeals can be lengthy

RACs use data mining to review your claims, and they can either do an automatic review or ask to see some of your records. The first method is usually confined to cases where there are obvious problems with claims, such as mammograms being performed on men. (However, consultant Lucien Roberts of Richmond, Va., has seen automated reviews based on high utilization of certain codes. In one case, this led to extrapolation that will cost a physician group more than $2 million.)

After you send copies of your records to a RAC, the company has 60 days to make a determination. Assuming that any of your claims are denied, and that you accept that the claims contain errors, you can re-bill those claims after correcting the mistakes. Your other recourse is to appeal.

Be aware that the appeals process is long and tortuous. It can take six months to a year or even longer. And defending yourself will not be inexpensive, although some malpractice insurers sell riders that cover $25,000 to $50,000 of your legal costs, Glaser says.


When CMS collects an overpayment, it deducts that amount from your next Medicare payment. But CMS has to follow specific steps to withhold the money while you’re appealing a RAC determination. It can’t withhold the funds during the first two stages of the appeal, as long as you file on a timely basis, Pendleton says. And if you win the appeal, you get your money back with interest.

Other information sources

To form a better idea of what RACs may be looking for, Dunn suggests looking at the annual work plan of the HHS Office of the Inspector General (OIG). This year, for instance, the OIG is focusing on “place of service” errors and certain modifiers. Also, the CMS Web site provides a list of the financial recoveries that the RACs made during the pilot, which will give you some idea of what they’ll do in the permanent program. Some RAC Web sites also tell you what the contractors are pursuing.

Regardless of how well you prepare, and how honest you are, a RAC may audit you anyway. In some cases, this might simply be because you work exceptionally hard. Your coding levels might also be higher than those of your peers because of the kind of work you do or the nature of your patient base. Just remember, the best defense is good documentation.

* (Find out who is your Recovery Audit Contractor for 2010.)

Ken Terry is a New Jersey-based freelance writer and the author of the book “Rx for Health Care Reform.” He can be reached at physicianspractice@cmpmedica.com.

This article originally appeared in the March 2010 issue of Physicians Practice.