Medicare accounts for approximately 16 percent of the total federal budget. As such, regulatory scrutiny by the Centers for Medicare and Medicaid Services (CMS) has gradually increased. With data-mining practices by federal auditors, it is imperative for providers (and their legal counsel) to possess a strong understanding of the different types of Medicare audits.
Additional Development Requests (ADRs)
The Medicare Administrative Contractor (MAC) is the frontline contractor in the Medicare regulatory framework. The MAC, created by the Medicare Prescription Drug Improvement and Modernization Act of 2003, is designed to process, pay and ensure accuracy of Medicare payments. MACs send ADRs to providers in order to gather information necessary to assess proper documentation associated with Medicare claims. Providers are given 45 days to respond to the ADR, though the MAC has discretion to grant extensions for responding if “good cause” is shown. The MAC must make a payment determination within 60 days of receipt of documentation from the provider and has authority to deny payment for minor errors or omissions.
The MAC is tasked with minimizing losses to the Medicare Trust Fund and to remedy issues with providers. Specifically, CMS instructs MACs to use penalties to remedy repeated infractions. As such, a provider’s compliance should include periodic audits of billing and documentation practices.
Comprehensive Error Rate Testing (CERT)
CMS uses CERTs to evaluate MACs’ processing to determine its accuracy with payment. The CERT also uses its gathered information to estimate the national Medicare fee-for-service improper payment rate. When CERTs are sent to providers as part of the monthly random sample, they request that medical records be returned within 75 days of the initial CERT letter. If a provider fails to respond or the response is incomplete, payment may be denied or CMS may require repayment of any money previously paid. If the CERT experts (e.g., nurses, coders, etc.) determine an improper payment was made, the provider will be required to reimburse payment. However, providers maintain a right to appeal any adverse decision.
Recovery Audit Contractor
Medicare Recovery Audit Contractors (RACs) are responsible for identifying and calculating overpayments and underpayments made to providers under Medicare through post payment claims review. RACs are increasingly expected to identify fraud and make appropriate referrals to CMS. It should be noted that RACs, unlike other Medicare contactors, are paid on a purely contingent fee basis, which arguably impacts RAC decisions.
RACs identify overpayments using an automated review, complex review or semi-automated review. The type of review utilized is determined by the certainty of the coding error and whether a Medicare guideline exists in relation to the coding error. With each review, the RAC can identify an overpayment because the services were not covered and an overpayment because of a coding error or some other issue (e.g., a duplicated claim).
The RAC can request additional documentation from the provider or third party provider. The RAC must allow the provider 45 days to respond to a request and grant one extension to the request to the provider if requested. The RAC is required to make a determination on the claim within 60 days of receipt of the requested documentation. If an overpayment is identified, the RAC validates the finding and notifies the provider of the error. The MAC is then accountable for recoupment of the overpayment.
Zone Program Integrity Contractor (ZPIC)
ZPICs are solely designed to detect fraud, acting as the “police officer” of the Medicare audit world. ZPIC audits derive from tips from other Medicare contractors, tips from whistleblowers and ZPIS own review of medical claims. High utilization and an abundance of high cost services are the usual suspects to trigger red flags. Unlike RACs, ZPICs are not required to receive prior approval from CMS for selecting billing issues or post a notice of billing issues targeted by the ZPIC.
The timeline to respond during a ZPIC audit is shorter, allowing the provider only 30 days to respond to any requests for information. Providers must be aware that prepayment review rules and deadlines are different from post payment reviews. The Affordable Care Act expanded payment suspensions, providing that payments may be suspended pending an investigation into a credible allegation of fraud unless good cause is shown not to suspend payments. Lastly, ZPICs are distinguished from other types of audits because if the likelihood of fraud or violation of the False Claims Act is determined, ZPICs will refer matters to the FBI, DOJ or OIG for investigation and possible prosecution.