Medicare and Medicaid Audits: What to Know
Medicare and Medicaid audits are common but stressful aspects of healthcare compliance. These audits are designed to ensure that providers bill accurately, deliver medically necessary services, and adhere to federal and state regulations. Even minor documentation errors or coding discrepancies can trigger a review, potentially resulting in financial penalties, repayment demands, or regulatory scrutiny. Here is what to know about Medicare and Medicaid audits.
About Medicare and Medicaid Audits
Medicare and Medicaid audits are formal reviews conducted to ensure that healthcare providers comply with federal and state billing, coding, and documentation requirements. Audits typically involve a detailed examination of patient records, claims submissions, and supporting documentation to verify that services were medically necessary, accurately coded, and properly billed. Even minor discrepancies or incomplete records can result in questions, repayment requests, or further investigation.
The Audit Process
According to the Centers for Medicare & Medicaid Services (CMS), there are four phases of the audit process.
Phase I – Audit Engagement & Universe Submission: CMS notifies the sponsoring organization through an engagement letter and introductory calls, outlining the audit scope, required data “universes,” and any need for disclosure of prior compliance issues. The organization must submit all requested universes and documentation within about 15 business days. CMS then conducts data-integrity testing to ensure accuracy and selects sample records for detailed review.
Phase II – Audit Field Work: During a three-week period, CMS reviews sampled cases, primarily via webinars. Activities include compliance-program effectiveness assessments (supported by onsite visits), documentation review, root-cause analysis of non-compliant cases, and impact analyses to quantify affected enrollees or transactions. When field work concludes, CMS issues a preliminary draft audit report and holds an exit conference with the organization to discuss initial findings.
Phase III – Audit Reporting: Findings are categorized as Immediate Corrective Action Required (ICAR), Corrective Action Required (CAR), Observations, or Invalid Data Submission (IDS). ICARs indicate severe issues posing risks to beneficiaries; CARs reflect systemic operational deficiencies; observations capture isolated concerns; IDS indicates inadequate or unusable data. CMS assigns points for findings to generate an overall audit score. A draft report is issued about 60 days after the exit conference, followed by a 10-business-day sponsor response window and a final report within another 10 business days. Significant findings may trigger enforcement actions such as penalties, sanctions, or contract termination, and may influence Medicare Star Ratings.
Phase IV – Validation & Close-Out: For non-ICAR issues, organizations must submit a Corrective Action Plan (CAP) within 30 days. Upon CMS approval, they must complete a validation audit within 180 days to confirm that problems were corrected. Conducted by CMS or an independent auditor, this outcome-focused review evaluates actual transactional results. CMS then determines the adequacy of remediation and closes the audit.
Why Audits Occur
Medicare and Medicaid audits can be initiated for various reasons. Understanding what triggers an audit can help providers prepare and reduce risk. Common reasons audits occur include:
Complaints or Referrals
Audits can be initiated based on reports from patients, competitors, or internal staff. These complaints may relate to suspected overbilling, denial of services, fraud, or inconsistent practices. Investigations triggered by complaints are often focused and may target specific claims, procedures, or interactions highlighted in the report.
Data Analytics
Auditors often use advanced data analysis to identify unusual billing patterns, coding inconsistencies, or unusually high utilization of certain services. For example, a provider billing significantly more advanced imaging procedures than peers may attract scrutiny. While these patterns do not necessarily indicate wrongdoing, they often prompt a detailed review to confirm medical necessity and proper documentation.
Prior Findings
Providers with a history of compliance issues, previous audit discrepancies, or overpayment recovery actions may be subject to more frequent or in-depth reviews. Regulators use past findings to assess risk, which means even minor prior errors can result in heightened scrutiny in future audits. Maintaining accurate documentation and addressing issues promptly is crucial to minimizing exposure.
Random Selection
Providers may be chosen as part of routine compliance checks conducted by Medicare or Medicaid. These audits help maintain overall program integrity by monitoring billing practices, documentation, and service delivery. Even providers with a strong compliance record can be selected.
Steps To Take When Facing An Audit
Facing a Medicare or Medicaid audit can be stressful and complex, but taking a structured approach can help protect a provider’s practice and reputation. Providers facing a Medicare or Medicaid audit should take the following steps:
Review the Notice Carefully
Medical providers should carefully review the audit notice when responding to any Medicare or Medicaid audit. It is important to understand the type of audit being conducted—whether it is a documentation, coding, medical necessity, or compliance review—and to identify which claims are under scrutiny. Medical providers should pay close attention to the deadlines for submitting supporting documentation or responding to requests. Missing deadlines, submitting incomplete records, or misunderstanding the scope of the audit can lead to default findings, which may result in denied claims, overpayment demands, or further investigation.
Gather Documentation
Medical providers should gather all relevant documentation that supports the claims under review. This includes patient records, progress notes, billing and coding information, lab results, imaging reports, and any correspondence related to patient care. Documentation should clearly demonstrate medical necessity, justify the coding used, and show adherence to federal and state program rules. Organizing records logically, labeling them appropriately, and clearly connecting services rendered to billed claims can make it easier for auditors to review.
Document Interactions
It is essential to maintain a detailed record of every interaction with auditors, including phone calls, emails, letters, and submissions. Each entry should note the date, time, participants, and a concise summary of the discussion or information exchanged. Keeping comprehensive documentation helps ensure that no important details are overlooked and provides a clear timeline of communications. Such records can be invaluable during an appeal or review, offering evidence of responsiveness, accuracy, and good faith in addressing the audit. Beyond supporting the case, thorough documentation demonstrates diligence, accountability, and transparency.
Contact An Experienced Healthcare Attorney
Contact an experienced healthcare attorney to help you navigate Medicare and Medicaid audits with confidence and reduce the risk of costly findings or enforcement actions. A knowledgeable healthcare law attorney can guide you through data requests, corrective action planning, and communications with CMS or state agencies.