A cardiology practice bills Medicare for three years without problems. Claims get paid. Revenue flows. Everything seems fine. Then a letter arrives from a Medicare audit contractor. They want medical records for 30 randomly selected claims from the past year.
The practice pulls the charts. The office manager reviews them before sending. Her stomach drops. The documentation does not support the codes billed. Level 4 and 5 office visits were billed, but the notes show brief encounters with minimal decision-making. The notes are templates with the same generic language copied forward visit after visit. Time is not documented for any visit. The diagnosis codes do not match what is actually documented.
The auditors find a 90% error rate in the 30-claim sample. They extrapolate this rate to all 4,200 similar claims submitted during the review period. The overpayment demand: $680,000. The practice cannot pay. Medicare refers the case to the Department of Justice for False Claims Act prosecution. The penalties could reach tens of millions. The practice faces closure. The physicians face exclusion from Medicare and potential license discipline.
All of this could have been prevented. If the practice had conducted regular compliance audits, they would have caught the coding and documentation problems years earlier. They could have fixed the issues, refunded small overpayments, and retrained staff. Instead, they ignored compliance until federal auditors forced them to pay attention. By then, the damage was catastrophic.
Compliance audits are not optional extras for practices with extra time and money. They are required protections against financial disaster. Regular internal audits catch billing errors before external auditors do. They identify compliance gaps before they become federal investigations. They prove good faith compliance efforts when mistakes are discovered. They protect practices, providers, and staff from the devastating consequences of billing fraud.
This guide explains what compliance audits are, why they matter so much, what types of audits practices need, how to conduct effective audits, what to do with audit findings, how audits prevent problems, and how to build sustainable compliance audit programs.
What Compliance Audits Are
Compliance audits are systematic reviews of billing practices, documentation, and coding to verify they follow laws, regulations, and payer requirements. Audits examine whether claims submitted to Medicare, Medicaid, and commercial insurance companies are accurate, properly coded, and supported by documentation.
The goal is finding problems before payers find them. Internal audits conducted by the practice or external consultants identify errors, patterns of improper billing, documentation deficiencies, and compliance risks. Once identified, problems can be corrected before they grow into massive overpayments or fraud allegations.
What Audits Review
Compliance audits examine multiple aspects of billing operations.
Coding accuracy is the primary focus. Auditors review medical records and compare documented services to codes billed. They verify CPT codes match what was actually done. They check diagnosis codes accurately reflect documented conditions. They look for upcoding, undercoding, and code combinations that violate bundling rules.
Documentation completeness and quality get scrutinized. Auditors check whether notes support codes billed. They look for required elements like chief complaint, history, examination, medical decision-making, time documentation for time-based codes, and provider signatures. They identify template abuse, copy-paste problems, and vague documentation that does not describe specific services.
Medical necessity gets evaluated. Auditors assess whether services billed were appropriate for documented conditions. They look for services that exceed what clinical circumstances warranted. They identify patterns suggesting revenue-driven rather than clinically-driven care.
Compliance with payer policies is checked. Each insurance company has specific billing rules. Auditors verify claims follow these rules including authorization requirements, frequency limits, coverage policies, and modifier usage.
Compliance with federal regulations is verified. Audits check adherence to Medicare rules, Stark Law requirements, Anti-Kickback Statute compliance, HIPAA privacy and security requirements, and False Claims Act exposure.
Internal controls and processes are assessed. Auditors evaluate whether the practice has proper procedures for verifying insurance, obtaining authorizations, reviewing claims before submission, handling denials, and training staff.
Types of Audit Reviews
Audits can take different forms depending on what is being examined.
Prospective audits review claims before submission. Staff or auditors check claims before they go out the door. Errors caught prospectively never reach payers. This prevents denials and overpayments. Prospective review is the best type of audit because it stops problems before they happen.
Concurrent audits review billing while services are ongoing. For hospital admissions or therapy courses, auditors review documentation and coding during treatment. This allows real-time corrections before final billing.
Retrospective audits review claims after submission. These audits look back at previously billed services. Retrospective audits identify patterns and problems that occurred. They find overpayments that need refunding. They reveal training gaps that need addressing.
Most compliance audit programs use retrospective audits because they can review larger volumes and identify systemic issues. Ideally, practices would add prospective audits too, catching high-dollar or high-risk claims before submission.
Internal vs External Audits
Audits can be conducted by practice staff or outside consultants.
Internal audits use practice employees. Someone on staff reviews charts and compares documentation to billing. This might be the practice manager, a compliance officer, an experienced coder, or dedicated audit staff. Internal audits cost less than external but depend on staff having adequate expertise.
External audits hire independent consultants. Certified coders, billing consultants, or compliance specialists from outside the practice conduct the audit. External auditors bring fresh eyes, specialized expertise, and objectivity. They are more expensive but often find issues internal staff miss.
Best practice is combining both. Regular internal audits quarterly or monthly catch ongoing issues. Annual external audits provide independent validation and deeper analysis.
| Audit Type | When It Happens | What It Catches | Best Use |
| --- | --- | --- | --- |
| Prospective | Before claim submission | Errors before they reach payers | High-dollar claims, new services, high-risk codes |
| Concurrent | During ongoing treatment | Problems in real-time | Inpatient stays, therapy courses, complex cases |
| Retrospective | After claim submission | Historical patterns and trends | Regular compliance monitoring, identifying systemic issues |
| Internal | Ongoing by staff | Routine errors and issues | Monthly or quarterly monitoring |
| External | Annually by consultants | Hidden problems staff miss | Annual validation, deep dives, objective assessment |
Why Compliance Audits Matter
Practices that skip compliance audits operate blind. They have no idea if their billing is correct. They do not know if documentation supports claims. They are unaware of patterns that will trigger external audits. Then one day the letter arrives from Medicare or a commercial payer, and they discover they have massive problems.
Regular compliance audits prevent this nightmare scenario. They provide early warning of problems while they are still fixable.
Catching Errors Before Payers Do
The single biggest benefit of compliance audits is finding your own mistakes before payers find them for you. When you discover errors through internal audits, you control the situation. When payers discover errors through their audits, they control everything.
Finding errors internally means small overpayments. If your quarterly audit finds you have been upcoding office visits for three months, the overpayment might be $5,000-$15,000. You refund it, retrain staff, and move on. The financial hit is manageable.
Payers finding errors means massive extrapolated overpayments. If Medicare audits you after three years of upcoding and extrapolates their findings to all similar claims, the overpayment could be $500,000. Plus interest. Plus potential penalties. The financial hit destroys practices.
Internal audits also let you fix problems before they establish patterns. One quarter of incorrect coding can be corrected quickly. Three years of systematic upcoding looks like intentional fraud.
Reducing Audit Risk and Liability
Medicare and commercial insurance companies target practices for audit based on data analysis. They look for statistical outliers whose billing patterns differ significantly from peers. Practices that audit themselves and correct problems before payers analyze the data never become outliers. They stay under the radar.
Compliance audits also demonstrate good faith. If payers do audit you and find problems, documented evidence that you conducted regular internal audits, identified issues, and implemented corrective actions shows you were trying to bill correctly. This good faith effort reduces penalties significantly.
Practices without compliance programs face presumptions of negligence or intent. Practices with robust compliance programs including regular audits get credit for trying even when errors occur.
Protecting Against False Claims Act Liability
The False Claims Act punishes “knowing” submission of false claims. Knowing includes actual knowledge, deliberate ignorance, and reckless disregard.
Practices that never audit their billing arguably show reckless disregard. They are not checking whether claims are correct. They do not care if they are billing improperly. This reckless disregard satisfies the knowledge requirement for False Claims Act violations.
Practices that conduct regular audits demonstrate the opposite. They are actively checking accuracy. They care about compliance. When errors are found despite audit efforts, it is harder to prove reckless disregard or deliberate ignorance.
Documented compliance audits are powerful defenses against fraud allegations. They prove the practice was not deliberately submitting false claims but rather made mistakes despite good faith efforts to bill correctly.
Avoiding Overpayments and Refund Demands
Every billing error that generates an overpayment creates a ticking time bomb. Under the 60-day rule, practices must report and return overpayments within 60 days of identifying them. Keeping overpayments beyond 60 days creates False Claims Act liability.
Regular audits identify overpayments while they are still small. You refund $8,000 discovered in a quarterly audit and move on. If you never audit and the overpayment grows to $80,000 over three years, the refund demand is devastating.
Small refunds from regular audits are manageable. Large refunds from external audits threaten practice survival.
Improving Collections Through Accurate Billing
Audits do not just find overbilling. They also find underbilling. Practices often fail to bill for all services provided or use codes that pay less than appropriate. Compliance audits identify these missed revenue opportunities.
When audits find undercoding, practices can correct it going forward and capture revenue they were leaving on the table. This revenue improvement often exceeds the cost of the audit.
Audits also improve collections by reducing denials. Claims submitted with correct codes and proper documentation get paid faster with fewer denials. Clean claims mean better cash flow.
Training and Education Opportunities
Audit findings reveal training gaps. If audits consistently find the same errors, staff need education on those specific issues.
Maybe physical therapy time documentation is always incomplete. The audit identifies this pattern. Training focuses on time documentation requirements. The problem gets fixed.
Without audits, you would not know where training is needed. You would waste time on generic training that does not address actual problems. Audit-driven training is targeted and effective.
Demonstrating Compliance to Payers
Some commercial insurance contracts require practices to conduct compliance audits. The contract might mandate annual audits with results reported to the payer. Failing to conduct required audits breaches the contract and can result in network termination.
Even when not contractually required, demonstrating compliance through regular audits builds trust with payers. Practices with strong compliance programs get fewer audits from payers. They are lower risk.
Payers conducting focused audits might request evidence of your internal compliance efforts. Being able to produce audit reports showing you monitor your own billing and correct problems creates favorable impressions.
Protecting Staff and Providers
When billing fraud is discovered, everyone involved faces consequences. The physician whose name is on the claims faces potential exclusion and license discipline. The practice administrator who oversaw billing operations faces potential personal liability. Billing staff who submitted false claims can be prosecuted.
Compliance audits protect all these people. Regular audits show staff were doing their jobs properly. They show physicians were monitoring their billing. They show administrators were implementing proper oversight.
When problems are caught through internal audits and corrected, staff and providers avoid the personal consequences of external fraud findings.
Types of Compliance Audits Practices Need
Effective compliance programs include multiple types of audits addressing different risk areas. No single audit covers everything. Layered audits provide comprehensive protection.
General Billing and Coding Audits
The foundation is regular audits of billing and coding across all services. These audits sample claims randomly, review documentation, and verify codes are correct.
Monthly or quarterly audits should review 10-30 claims per provider. Random sampling across different service types and dates catches various issues. The sample should include a mix of high-level codes, common codes, and procedures.
Auditors check CPT codes match documented services, ICD-10 codes accurately reflect diagnoses, code combinations follow NCCI bundling rules, modifiers are used correctly when needed, and documentation supports all codes billed.
General audits identify patterns. If every audit finds office visit upcoding, you have a systematic problem. If audits find random scattered errors, you have quality control issues. The pattern tells you what needs fixing.
Documentation Audits
Separate documentation-focused audits examine whether medical records contain required elements and support medical necessity.
Documentation audits review charts without looking at what was billed. The auditor reads notes and assesses whether documentation is complete, specific, and adequate. Only after evaluating documentation quality does the auditor compare to codes billed.
This approach identifies documentation problems even when codes happen to be correct. Maybe you billed correctly by luck, but documentation would not support the code if questioned. Documentation audits catch this.
Elements checked include chief complaint documented, history of present illness with adequate detail, review of systems when required, physical examination with specific findings, assessment and plan clearly stated, medical decision-making elements present, time documented for time-based services, required signatures present, and amendments or corrections properly dated.
Poor documentation creates massive risk even if current coding is correct. When documentation is inadequate, future coders cannot select correct codes. Future auditors cannot verify what was done. Documentation audits prevent this.
Focused Audits on High-Risk Areas
Beyond general audits, practices should conduct targeted audits of specific high-risk services or areas.
High-level E/M codes warrant focused review. Level 4 and 5 office visits pay significantly more than level 2 and 3. They also get scrutinized more by payers. Audit all level 5 visits quarterly. Review a sample of level 4 visits. Verify documentation truly supports these complex codes.
Procedures and surgeries need attention. Surgical coding is complex with bundling rules, modifiers, and global periods. Audit surgical claims to verify procedure codes are correct, modifiers are appropriate, global period services are not billed separately, and documentation supports the procedures performed.
Time-based services require time documentation. Psychotherapy codes, critical care codes, prolonged services, and other time-based codes must have documented time. Audit these services specifically to verify time is documented and codes match actual time spent.
Services requiring authorization should be audited. Check that authorizations were obtained before services, authorization numbers are on claims, services are within authorized amounts, and authorizations have not expired. Missing authorizations cause denials and compliance problems.
New services or procedures need immediate audits. When practices add new service lines or start billing new codes, audit them immediately. New services have high error rates until staff become familiar with requirements. Early auditing prevents problems from becoming patterns.
Medical Necessity Audits
Medical necessity audits specifically evaluate whether services provided were appropriate for the patient’s condition and whether they follow accepted standards of care.
These audits require clinical expertise. A physician or advanced practice provider reviews cases to determine if services were medically necessary. Was weekly therapy appropriate for a stable patient? Was extensive testing justified by symptoms? Were medications appropriate for the diagnosis?
Medical necessity audits identify care that might be excessive, duplicative, or not supported by clinical guidelines. This protects practices from allegations that services were performed to generate revenue rather than to treat patients.
Compliance Program Effectiveness Audits
Beyond reviewing claims and documentation, practices should audit their compliance programs themselves. Are policies being followed? Is training happening? Are audits occurring as scheduled? Are problems identified in audits actually getting fixed?
Program effectiveness audits examine the compliance infrastructure, not individual claims. They assess whether the compliance program is working as designed or whether it is just paperwork nobody follows.
External Payer-Specific Audits
Some commercial payers have unique billing rules that differ from Medicare. A payer-specific audit reviews claims submitted to that payer against their specific requirements.
Maybe United Healthcare has different authorization requirements than Aetna. Maybe Blue Cross bundles certain codes differently than Medicare. Payer-specific audits catch these unique requirements.
These audits are particularly valuable when practices have contracts with payers that have unusual or complex rules.
How to Conduct Effective Compliance Audits
Running a compliance audit is not just pulling random charts and glancing at them. Effective audits follow a structured process that provides reliable results and actionable findings.
Planning the Audit
Good audits start with planning. Before pulling charts, decide what the audit will cover.
Define the scope. Will you audit all service types or focus on specific codes? What time period will you review? How many claims will you sample? Clear scope prevents the audit from becoming too broad to complete or too narrow to be useful.
Select the sample. Random sampling is usually best for general audits. Use a random number generator to select claim numbers or dates. Random samples represent overall billing patterns. Targeted sampling focuses on high-risk areas like level 5 visits or specific procedures.
Sample size matters. Too few claims and you might miss patterns. Too many and the audit becomes burdensome. For general audits, 10-30 claims per provider per quarter is reasonable. For focused audits, sample all instances of high-risk services or at least 30 instances if volume is high.
Assign qualified auditors. The person conducting the audit must have coding expertise and clinical knowledge. Certified coders (CPC, CCS) are ideal. Experienced billers can audit but need training on audit methodology. Never have the person who did the original coding audit their own work.
Establish audit criteria. What are you checking for? Create a checklist of items to review for each claim. This ensures consistency across all audited claims.
Gathering Records
Once the sample is selected, gather all necessary records for review.
Pull complete medical records. Get the full encounter note, not just the face sheet. Include any supporting documentation like lab results, imaging reports, or referral letters that were part of the medical decision-making.
Pull the claim as submitted. Get the actual claim form or electronic claim file showing exactly what codes were billed, what modifiers were used, and what diagnosis codes were submitted.
Pull remittance information. Get the EOB or ERA showing what the payer paid. This shows whether the claim was paid as billed or adjusted.
Organize the records. Create a file for each audited claim containing all these documents. Organized records make the audit process efficient.
Reviewing Documentation
The auditor reviews each medical record independently before looking at what was billed.
Read the entire note. Understand what happened during the encounter. What was the patient’s complaint? What did the provider do? What decisions were made?
Check for required elements. Does the note include chief complaint, history, examination, assessment, plan, and signature? For E/M services, are the medical decision-making elements present?
Assess documentation quality. Is the note specific to this patient and this encounter? Or is it a generic template? Does it contain copy-paste from previous visits? Is it detailed enough to support coding?
Identify what can be coded from the documentation. Based solely on what is documented, what CPT codes are supported? What ICD-10 codes are supported? Do not look at what was billed yet. Determine what should have been billed based on documentation alone.
Document your findings. Write down what codes the documentation supports. Note any documentation deficiencies or unclear areas.
Comparing to Billed Codes
After independently determining what documentation supports, compare this to what was actually billed.
Match CPT codes. Does the procedure code billed match the service documented? If a level 4 office visit was billed, does the documentation support level 4 complexity and time?
Match diagnosis codes. Do the diagnosis codes billed accurately reflect conditions documented? Are diagnosis codes overstated to justify services?
Check code combinations. Do the billed code combinations follow NCCI edits? Are modifiers used appropriately when billing codes that normally bundle?
Verify medical necessity. Do the diagnosis codes support the procedures billed? Is the service appropriate for the documented condition?
Identify discrepancies. Note every difference between what documentation supports and what was billed. Classify discrepancies as overcoding, undercoding, incorrect code selection, or documentation deficiency.
Calculating Error Rates
After reviewing all sampled claims, calculate error rates and findings.
Error rate is the percentage of audited claims with errors. If you reviewed 30 claims and found errors in 12, your error rate is 40%. Break this down by error type: overcoding rate, undercoding rate, documentation deficiency rate.
Dollar impact matters. Calculate the overpayment or underpayment from errors. If 10 claims were overcoded by an average of $80 each, that is $800 in overpayments in your sample.
Extrapolation estimates total exposure. If your sample shows a 40% error rate with $800 in overpayments across 30 claims, and you billed 1,200 similar claims during the audit period, extrapolation suggests 480 claims were wrong with approximately $32,000 in overpayments. This is a rough estimate but shows the magnitude of the problem.
Pattern identification is critical. Are errors random or systematic? Is one specific code always wrong? Is one provider’s billing always problematic? Patterns tell you where to focus corrections.
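The sampling step from Planning the Audit and the error-rate, extrapolation, and pattern checks described above, as an added Python example that is not part of the original guide. The claim IDs, provider names, per-row codes, and the 0.5 pattern threshold are constructed for illustration; the totals reproduce the guide's own figures (30 claims, 12 errors, $800 in sample overpayments, 1,200 similar claims).

```python
import random
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Discrepancy classes named in the "Comparing to Billed Codes" step.
ERROR_TYPES = ("overcoding", "undercoding", "incorrect_code",
               "documentation_deficiency")


@dataclass
class AuditResult:
    claim_id: str
    provider: str
    billed_code: str
    finding: Optional[str] = None   # None means the claim was clean
    dollar_impact: float = 0.0      # > 0 overpaid, < 0 underpaid


def select_sample(claims_by_provider, per_provider, seed):
    """Pick a random sample per provider. Recording the seed in the audit
    file lets the selection be reproduced if it is ever questioned."""
    rng = random.Random(seed)
    sample = {}
    for provider in sorted(claims_by_provider):
        ids = sorted(claims_by_provider[provider])
        sample[provider] = sorted(rng.sample(ids, min(per_provider, len(ids))))
    return sample


def summarize(results, universe_size):
    """Error rates, dollar impact, and a straight-line extrapolation to all
    similar claims billed in the audit period (a rough estimate only)."""
    n = len(results)
    if n == 0:
        raise ValueError("no audited claims")
    for r in results:
        if r.finding is not None and r.finding not in ERROR_TYPES:
            raise ValueError(f"unknown finding on {r.claim_id}: {r.finding}")
    errors = [r for r in results if r.finding is not None]
    by_type = Counter(r.finding for r in errors)
    overpaid = sum(r.dollar_impact for r in results if r.dollar_impact > 0)
    underpaid = -sum(r.dollar_impact for r in results if r.dollar_impact < 0)
    return {
        "sample_size": n,
        "error_rate": len(errors) / n,
        "rate_by_type": {t: by_type[t] / n for t in ERROR_TYPES},
        "sample_overpayment": overpaid,
        "sample_underpayment": underpaid,
        "estimated_claims_in_error": round(len(errors) * universe_size / n),
        "estimated_overpayment": round(overpaid * universe_size / n, 2),
    }


def find_patterns(results, min_claims=5, threshold=0.5):
    """Separate systematic from scattered errors: flag any provider or billed
    code whose own error rate in the sample reaches the threshold."""
    flagged = {}
    for key in ("provider", "billed_code"):
        totals, errs = Counter(), Counter()
        for r in results:
            totals[getattr(r, key)] += 1
            errs[getattr(r, key)] += int(r.finding is not None)
        flagged[key] = {k: errs[k] / totals[k] for k in sorted(totals)
                        if totals[k] >= min_claims
                        and errs[k] / totals[k] >= threshold}
    return flagged


def constructed_results():
    """Constructed findings for 30 audited claims (not real data), built to
    match the guide's figures: 12 errors, 10 overcoded by $80 each."""
    rows = []

    def add(provider, code, count, finding=None, impact=0.0):
        for _ in range(count):
            rows.append(AuditResult(f"CLM-{len(rows) + 1:03d}", provider, code,
                                    finding, impact))

    add("prov_a", "99215", 8, "overcoding", 80.0)
    add("prov_a", "99215", 2)
    add("prov_b", "99214", 2, "overcoding", 80.0)
    add("prov_b", "99214", 2)
    add("prov_b", "99213", 1, "undercoding", -40.0)
    add("prov_b", "99213", 5)
    add("prov_c", "99213", 1, "documentation_deficiency")
    add("prov_c", "99213", 9)
    return rows


if __name__ == "__main__":
    # Constructed claim universe: 400 claim IDs for each of three providers.
    universe = {p: [f"{p}-{i:04d}" for i in range(400)]
                for p in ("prov_a", "prov_b", "prov_c")}
    print(select_sample(universe, per_provider=10, seed=20240401))
    results = constructed_results()
    print(summarize(results, universe_size=1200))
    print(find_patterns(results))
```

In the constructed data the overall error rate is 40%, but the pattern check shows the errors concentrate in one provider and one code, which is where correction effort belongs.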
Documenting Findings
Audit results must be documented thoroughly. Create a written audit report for every audit conducted.
The executive summary states key findings: error rates, dollar impact, major issues identified, and recommendations for correction. This goes to practice leadership.
Detailed findings list each error. For every claim with errors, document what was wrong, why it was wrong, and what should have been done instead.
Include supporting documentation. Attach copies of claims and records showing the errors. Evidence supports your findings if questioned later.
Make specific recommendations. Do not just identify problems. Recommend solutions. “Provide training on E/M coding requirements.” “Implement time documentation template for psychotherapy notes.” “Review and correct authorization tracking process.”
Track audit reports. Maintain files of all audit reports. These prove you conducted regular audits if ever questioned by payers or regulators.
What to Do With Audit Findings
Finding problems is only half the purpose of audits. The other half is fixing them. Audit findings must lead to corrective action or the audit was pointless.
Correcting Individual Errors
When specific claims are found to have errors, decide how to handle each one.
Overcoded claims that were overpaid must be refunded. If you billed level 5 but should have billed level 3, and the claim was paid, you owe a refund. Calculate the difference between what was paid and what should have been paid. Refund it to the payer.
Undercoded claims that were underpaid might not be correctable. Most payers have time limits for correcting claims. Medicare allows claims to be corrected up to one year after initial payment. If the undercoding is within correction timeframes, submit corrected claims. If timely filing has passed, accept the loss and learn from it.
Denied claims with identified errors can be corrected and resubmitted. If a claim was denied because coding was wrong, correct the coding and resubmit. The audit findings guide the correction.
Refunding Overpayments
When audits identify overpayments, practices must refund them. The 60-day rule requires reporting and returning overpayments within 60 days of identifying them.
Quantify the overpayment. Calculate exactly how much was overpaid. For individual claims, this is straightforward. For systematic errors across many claims, you might need to review more claims or use statistical sampling to quantify total overpayment.
Report the overpayment to the payer. Contact Medicare or the commercial insurance company. Explain that your internal audit identified overpayments and you are refunding them. Provide details on which claims were involved and how much is being refunded.
Submit the refund. Medicare has specific procedures for voluntary refunds. Commercial payers may have their own processes. Follow the proper procedures and keep documentation that you submitted the refund.
Document everything. Keep copies of the refund check, letters to payers, and any responses received. This documentation proves you complied with the 60-day rule.
Refunding small overpayments found through internal audits is far better than having large overpayments discovered by external auditors years later.
Implementing Corrective Actions
Beyond fixing individual errors, audits reveal systemic issues that need corrective action.
Training addresses knowledge gaps. If audits find consistent errors with E/M coding, provide E/M training to physicians and coders. If time documentation is always missing, train providers on time documentation requirements. Targeted training based on audit findings fixes root causes.
Policy and procedure updates fix process problems. If audits find authorizations are frequently missing, implement a procedure requiring verification of authorization before services. If claims are submitted with unbundled code combinations, implement a claim scrubbing process checking NCCI edits before submission.
Staffing changes might be needed. If one coder consistently makes errors despite training, they might not be qualified for the job. Consider additional supervision, reassignment, or replacement. If volume is too high for current staff to code carefully, add staff.
Technology solutions prevent recurring errors. Practice management software can have edits preventing certain code combinations. Claim scrubbers can catch errors before submission. Electronic health records can have templates that prompt for required documentation. Technology prevents humans from making the same mistakes repeatedly.
Monitoring and follow-up ensure corrections work. After implementing corrective actions, audit the same area again. Did the training fix the E/M coding errors? Is authorization tracking working now? Follow-up audits verify corrections were effective.
Creating Corrective Action Plans
For significant audit findings, document a formal corrective action plan.
The plan should identify the problem found by the audit, state the root cause analysis of why it happened, list specific corrective actions to be taken, assign responsibility for each action, set deadlines for completion, and define how effectiveness will be measured.
Example corrective action plan:
Problem: Internal audit found 60% of psychotherapy claims billed 60-minute codes (90837) but documentation showed sessions were 40-45 minutes.
Root cause: Therapists were not documenting time. Billing staff defaulted to the highest code when time was not documented.
Corrective actions:
- Retrain all therapists on time documentation requirements (Dr. Smith, by March 15)
- Update psychotherapy note template to include mandatory time field (IT Department, by March 10)
- Implement claim review checking for time documentation before submitting psychotherapy claims (Billing Manager, by March 20)
- Conduct focused audit of psychotherapy claims in April to verify correction (Compliance Officer, by May 1)
Measurement: April focused audit should show less than 5% error rate on psychotherapy time documentation.
Documented corrective action plans show good faith efforts to fix problems. They provide evidence that errors were not ignored but were addressed systematically.
Reporting to Leadership
Audit findings should be reported to practice leadership including physicians, practice administrator, and compliance committee if one exists.
Leadership needs to know what problems were found, how serious they are, what financial impact they have, and what is being done to fix them. They need this information to understand compliance risks and support necessary changes.
Regular compliance reports keep leadership informed. Quarterly reports showing audit results, error rates, corrective actions taken, and compliance program status help leadership fulfill oversight responsibilities.
When to Self-Disclose
If internal audits find significant systematic billing problems that generated large overpayments, consider voluntary self-disclosure to the Office of Inspector General.
OIG’s Self-Disclosure Protocol allows providers to report problems to the government before being audited. The provider discloses the issue, quantifies the overpayment, and negotiates a settlement with OIG. Self-disclosure usually results in better terms than being caught.
Factors suggesting self-disclosure might be appropriate:
- Overpayments exceed $100,000
- Errors were systematic over extended periods
- Errors could be interpreted as intentional
- Risk of whistleblower lawsuit exists
- The problem cannot be fully quantified without government resources
Self-disclosure decisions should be made with experienced healthcare attorneys. The disclosure process is complex and has risks. But for serious problems, voluntary disclosure is often better than waiting to be caught.
Building a Sustainable Compliance Audit Program
One-time audits provide snapshots. Sustainable programs with regular ongoing audits provide continuous monitoring and protection.
Establishing Audit Frequency
How often should audits occur? The answer depends on practice size, risk level, and resources.
Minimum recommendation is annual audits. Every practice should audit at least once per year. Annual audits catch problems before they grow into disasters.
Better practice is quarterly audits. Reviewing billing every three months identifies problems faster. Quarterly audits of 20-30 claims per provider are manageable and effective.
High-risk practices need monthly audits. Practices with previous compliance problems, practices in specialties with complex billing, or practices with rapid growth should audit monthly. Monthly audits of 10-15 claims per provider catch issues immediately.
New services need immediate audits. When implementing new service lines, audit them within the first month. Early auditing prevents bad habits from forming.
Creating an Audit Schedule
Do not audit randomly when you remember. Create a schedule and stick to it.
Annual audit calendar maps out the year. January: audit E/M coding. April: audit procedures. July: audit documentation. October: general audit of all services. Scheduled audits happen. Unscheduled audits get postponed indefinitely.
Assign responsibility. Someone must be responsible for conducting each audit. Put names and deadlines on the calendar. Follow up if audits do not happen on schedule.
Include external audits. Schedule annual external audits by consultants. These provide independent validation of internal audit findings.
Developing Audit Tools and Checklists
Standardized tools make audits consistent and efficient.
Audit checklists ensure nothing is missed. Create checklists for different service types. Office visit checklist covers E/M requirements. Procedure checklist covers surgical coding requirements. Psychotherapy checklist covers time documentation and service type requirements.
Audit worksheets document findings. Forms that guide auditors through the review process and capture findings in standardized format make analysis easier.
Audit report templates provide consistency. Standard report formats ensure all audits document the same information in comparable ways.
Develop these tools once and use them repeatedly. Over time, refine them based on experience.
Training Audit Staff
Auditors need specific skills beyond general billing knowledge.
Coding certification is valuable. CPC (Certified Professional Coder) or CCS (Certified Coding Specialist) certification demonstrates auditor competency. Send staff to certification courses or hire certified auditors.
Audit-specific training is different from coding training. Auditing requires objectivity, attention to detail, and ability to identify patterns. Training on audit methodology, sampling techniques, and report writing improves audit quality.
Clinical knowledge matters. Auditors need enough medical knowledge to understand what providers did and why. Non-clinical auditors struggle with complex medical documentation. Provide clinical education or pair non-clinical auditors with clinical reviewers.
Using Technology
Practice management systems and specialized audit software make auditing more efficient.
PM systems can generate audit reports. Most systems can produce reports showing all claims with specific codes, claims above certain dollar amounts, or claims with specific modifiers. These reports help select audit samples.
Claim scrubbing software identifies potential problems. Software that checks claims against NCCI edits, medical necessity edits, and payer-specific rules before submission prevents errors. The same software can be used retrospectively to identify submitted claims that might have problems.
Audit tracking software manages the audit process. Specialized compliance software tracks which claims were audited, findings for each, corrective actions taken, and audit schedules. This software is expensive but valuable for larger practices with complex audit needs.
Integrating Audits Into Compliance Programs
Audits are one component of comprehensive compliance programs. They should integrate with other compliance activities.
Audit findings drive training priorities. Training should address errors identified in audits. If audits find E/M coding problems, focus training there. Training not based on actual audit findings might miss real issues.
Audit results inform policy updates. When audits reveal process gaps, update policies and procedures to close those gaps. Policies should evolve based on audit findings.
Audit trends are reported to compliance committees. Regular reporting to compliance oversight keeps leadership informed and engaged in compliance efforts.
Audits test compliance program effectiveness. If the compliance program is working, error rates should decrease over time. If error rates stay high despite training and corrective actions, the compliance program needs strengthening.
Maintaining Audit Documentation
Keep detailed records of all audits conducted. Audit documentation proves compliance efforts if ever questioned.
Retain audit reports permanently. These reports demonstrate ongoing compliance monitoring. In investigations or lawsuits, producing years of audit reports shows good faith efforts.
Document corrective actions taken. Keep records of training provided, policies updated, and other actions taken in response to audit findings. This proves problems were addressed.
Track refunds made. Document all overpayment refunds including amounts, dates, payers, and reasons. This proves you returned money when overpayments were identified.
Organize documentation logically. Create an audit file with all reports, corrective action plans, training records, and refund documentation. Make it easy to find information if needed.
Conclusion
Compliance audits are systematic reviews of billing, coding, and documentation to verify accuracy and compliance with laws and payer requirements. They identify errors, assess compliance risks, and provide opportunities for correction before external auditors find problems.
Regular compliance audits catch billing errors before payers do, turning potentially catastrophic overpayments into manageable refunds. They reduce audit risk by identifying and correcting patterns that would flag practices as statistical outliers. They protect against False Claims Act liability by demonstrating good faith compliance efforts. They identify training needs, improve collections through accurate billing, and protect staff and providers from personal consequences of billing fraud.
Effective compliance programs include multiple types of audits: general billing and coding audits reviewing random samples, documentation audits assessing record quality, focused audits on high-risk services, medical necessity audits evaluating appropriateness of care, and compliance program effectiveness audits assessing whether controls are working.
Conducting effective audits requires planning the scope and sample, gathering complete records, reviewing documentation independently before comparing to billed codes, calculating error rates and financial impact, and documenting findings thoroughly. Audit findings must lead to corrective action including refunding overpayments, implementing training, updating policies, and monitoring to verify corrections work.
Sustainable audit programs establish regular audit schedules, assign clear responsibilities, use standardized tools and checklists, train qualified auditors, integrate audits with broader compliance efforts, and maintain detailed documentation of all audit activities.
For most practices, quarterly internal audits of 20-30 claims per provider combined with annual external audits by consultants provide adequate compliance monitoring. High-risk practices need monthly audits. New services need immediate auditing.
The cost of compliance audits is minimal compared to the cost of being audited by payers and found to have systematic billing problems. Internal audits costing a few thousand dollars annually prevent external audit findings costing hundreds of thousands or millions in overpayments and penalties.
Compliance audits are not optional extras for practices with spare time and money. They are fundamental protections against financial disaster. Practices that audit regularly, act on findings, and demonstrate good faith compliance efforts survive audits and investigations. Practices that ignore compliance until forced to pay attention by external auditors face catastrophic consequences including massive overpayments, False Claims Act penalties, program exclusion, and practice closure.
The choice is simple: audit yourself or wait for payers to audit you. One option protects your practice. The other destroys it.