Responding to Healthcare Audits

Healthcare audits can be among the most dreaded aspects of medical practice, but, of course, they are an important tool for maintaining high standards of patient care and ensuring compliance with federal and state regulations. It is best for healthcare providers to have a plan in place for facing audits when they happen, not if they happen. Healthcare law attorneys are best suited to help healthcare practices plan for audits. However, there are steps that healthcare practitioners can take today to navigate audits effectively. This is what healthcare providers should know about healthcare audits. 

Why Might I Be Audited?

Healthcare audits come in several forms, each targeting specific aspects of an organization’s operations to ensure compliance with federal and state regulations and to support quality patient care.

Financial audits focus on billing practices, claims submission, reimbursements, and overall financial reporting. Auditors review patient records, payment histories, and accounts to confirm that payments and reimbursements are accurate and properly documented. These audits help prevent overpayments, underpayments, and financial discrepancies that could lead to recoupment or penalties.

Compliance audits assess whether providers follow federal, state, and local regulations, including HIPAA, the Stark Law, and the False Claims Act. They evaluate organizational policies, procedures, and internal controls to ensure legal and ethical operations and reduce the risk of fines or legal action.

Coding and documentation audits assess the accuracy of medical coding using systems such as ICD-10, CPT, and HCPCS, ensuring that billed services are fully supported by appropriate documentation. These audits prevent errors that could trigger denials, payment delays, or regulatory scrutiny.

Quality-of-care audits evaluate patient outcomes, clinical documentation, and adherence to treatment protocols. They focus on ensuring that care meets established clinical standards, identifying areas for improvement, and safeguarding patient safety.

Who Might Audit Me?

Audits can come from a variety of sources. Medicare and Medicaid audits are formal reviews designed to ensure healthcare providers follow federal and state billing, coding, and documentation rules. Even small documentation errors or coding inconsistencies can lead to repayment demands, penalties, or further investigation. Audits may be triggered by complaints from patients or staff, unusual billing patterns identified through data analysis, previous compliance issues, or routine random selection. The audit process generally includes notification and data submission, detailed review of selected records, reporting of findings, and corrective actions if problems are identified.

​​Third-party payer medical audits are reviews conducted by private insurers or other payers to examine a healthcare provider’s medical and billing records. These audits can create significant financial risk and, in some cases, lead to licensing concerns or government investigations. Auditors often request extensive patient and billing data and review records for issues such as lack of medical necessity, duplicate billing, incorrect coding, or inadequate documentation. Audits may analyze a small sample of records and then use extrapolation to estimate larger billing errors. 

Another large auditor is HHS. For instance, it will conduct HIPAA audits to evaluate whether covered entities and business associates comply with the Privacy, Security, and Breach Notification Rules. 

I Found Out About an Audit–What Now?

Receiving notice of a healthcare audit can be stressful, but having a plan in place helps protect the provider and the organization. Here is what healthcare providers should do upon notification of an audit:

1. Confirm that You Received the Audit Notification
   Immediately confirm receipt of the audit notification. Document the date and method of acknowledgment, and note any deadlines for providing records, responding to requests, or scheduling meetings with auditors. 
2. Review the Scope of the Audit
   Carefully examine the audit notice to understand its full scope. Identify the type of audit being conducted. Is it financial, compliance, coding, or quality of care? What time period will the organization be under review? What specific issues or claims were cited? What documentation is requested? 
3. Assemble an Audit Team
   Bring together a team to help with the audit. This may include compliance officers, medical coders, billing specialists, clinical staff, and legal counsel. Ideally, a healthcare organization should have a team assembled prior to any audit. 
4. Designate a Point of Contact
   Assign a single individual to serve as the liaison with auditors. This central point of contact ensures that all communication is consistent, reviewed for accuracy, and properly documented. It also reduces confusion among staff and minimizes the risk of conflicting or incomplete responses.

Consider a Self-Audit

As healthcare practitioners, you are aware that prevention is the best medicine. This sentiment applies to the healthcare organization when it comes to compliance. Audits are a pain. They can be time-consuming, stressful, and consume a lot of resources that the organization wishes to dedicate to patient care. That said, audits are significantly more complicated when there is no plan in place and when issues are not identified early on. 

This is why healthcare organizations might choose to self-audit. The Office of Inspector General recommends that physician practices conduct regular self-audits to monitor billing accuracy and reduce the risk of fraud. Most audit data can be gathered from a practice’s electronic health record system, which tracks claims, visit levels, and coding patterns. Reviewing these reports helps identify trends and compare performance within the practice.

Organizations can also engage in HIPAA self-audits. They can do this by using a HIPAA checklist. This will guide organizations in examining policies, procedures, and documentation to identify gaps and correct issues. Each checklist should be tailored to the organization’s operations. Common review areas include administrative requirements, proper uses and disclosures of protected health information, patient authorizations, and Notices of Privacy Practices. Audits also assess Security Rule safeguards to ensure data protection. 

Contact a Healthcare Audit Attorney

Receiving notification of a medical audit can be stressful, but there is no need to go through it alone. Experienced healthcare audit attorneys can walk healthcare organizations through the process, ensuring that the audit is as smooth as possible.