Receiving a CMS audit notice triggers immediate anxiety for most medical practices. Whether it’s a routine Medicare review, a targeted probe based on billing patterns, or a post-payment audit, the stakes are high. Overpayment recovery demands, extrapolation to all similar claims, and potential exclusion from Medicare programs create genuine financial and operational risk.
But CMS audits aren’t automatic disasters. Practices that respond systematically, provide complete documentation, and understand the audit process typically survive with minimal financial impact. Practices that panic, provide incomplete records, or fail to take audits seriously face far worse outcomes.
This guide walks through exactly what to do when you receive an audit notice, how to prepare your response, and, most importantly, how to prevent audits through ongoing compliance practices.
CMS doesn’t audit randomly. Specific patterns and risk factors increase audit likelihood significantly:
Outlier billing patterns. If your practice bills significantly more of a particular code compared to peers in your specialty, you’re flagged. Example: billing 99215 (highest level E/M) for 70% of visits when the specialty average is 25%. The statistical deviation triggers review.
High-dollar services with frequent denials. Services with high reimbursement that also have high initial denial rates suggest either aggressive coding or documentation problems. Both warrant audit investigation.
Sudden volume changes. A practice that doubles its billing for a particular service over 6 months raises red flags. Even if legitimate (new provider, expanded services), the sudden change triggers automated review systems.
Whistleblower complaints. Disgruntled employees, competing practices, or patients can file complaints with CMS or the OIG. These complaints trigger targeted investigations even if billing patterns appear normal.
Medicare Advantage plan referrals. MA plans audit claims internally and report suspicious patterns to CMS. High rates of upcoding, unbundling, or medical necessity issues identified by MA plans often lead to traditional Medicare audits.
Prior audit history. Practices that have previously been audited—even if no wrongdoing was found—remain on CMS’s radar for future reviews. Once flagged, you’re monitored more closely.
Participation in CERT reviews. The Comprehensive Error Rate Testing (CERT) program randomly selects claims for documentation review. Poor CERT results increase the likelihood of targeted audits.
RAC/ZPIC/UPIC contractor referrals. Recovery Audit Contractors (RACs), Zone Program Integrity Contractors (ZPICs), and Unified Program Integrity Contractors (UPICs) perform ongoing data mining. When they identify potential issues, they refer cases for formal audit.
The key insight: CMS uses sophisticated data analytics. They know what “normal” looks like for your specialty, region, and practice size. Significant deviations from normal—even if your billing is legitimate—trigger review.
Not all CMS audits are equal. Understanding which type you’re facing determines your response strategy:
1. CERT (Comprehensive Error Rate Testing) Reviews
2. ZPIC/UPIC Audits
3. RAC (Recovery Audit Contractor) Audits
4. MAC (Medicare Administrative Contractor) Prepayment Reviews
5. ADR (Additional Documentation Requests)
The most common for typical practices are RAC audits and ADRs. ZPIC/UPIC audits are rare and indicate suspected fraud—requiring immediate legal representation.
When you receive an audit notice, follow this systematic response process:
What to look for:
Immediate actions:
Common mistake to avoid: Ignoring the notice or assuming it will go away. Non-response results in automatic claim denial and overpayment demand.
Required documentation typically includes:
Best practices for documentation compilation:
Critical point: Provide ALL documentation for the encounter, not just what you think CMS wants. Incomplete documentation is the #1 reason for audit denials. If a note references a prior visit or test result, include it.
Before submitting to CMS, conduct an internal review to identify potential issues:
Medical necessity review:
Coding accuracy review:
Documentation completeness:
If you identify problems during internal review:
Do not alter medical records. Retroactive changes to documentation constitute fraud. If documentation is inadequate, that’s a learning opportunity for future improvement, not an invitation to fabricate records.
Submission requirements:
Cover letter should include:
Common mistakes to avoid:
After submission:
If claims are denied:
If claims are approved:
Understanding frequent audit findings helps prevent future issues:
1. Insufficient Documentation of Medical Necessity. The service provided isn’t supported by the diagnosis, or documentation doesn’t explain why the service was medically necessary. Fix: Ensure provider documentation includes clinical rationale for all services.
2. E/M Upcoding. The level of service billed (99214, 99215) is not supported by documented history, exam, and medical decision making. Fix: Education on E/M documentation requirements; consider using E/M calculators.
3. Modifier Errors. Missing required modifiers (25, 59, 76) or incorrect modifier use leading to unbundling. Fix: Create specialty-specific modifier quick-reference guides; implement pre-submission claim scrubbing.
4. Global Period Violations. Billing separately for services included in the surgical global period. Fix: Implement a global period tracking system; flag post-op visits automatically.
5. Duplicate Billing. The same service billed twice for the same date of service. Fix: Implement duplicate claim checking before submission; investigate why duplicates occurred.
6. Incorrect Place of Service. The POS code doesn’t match where the service was actually provided. Fix: Train front desk staff on correct POS codes; implement validation rules in the billing system.
7. Missing Signatures. The provider signature is missing from the medical record or illegible. Fix: Require providers to sign notes before claim submission; implement electronic signatures where possible.
8. Unbundling. Billing separate codes for services that should be billed as a single comprehensive code. Fix: Implement NCCI edits in the billing system; train coders on bundling rules.
For detailed guidance on specific denial codes and resolution strategies, see our Denial Code Lookup Tool.
If claims are denied after audit:
Level 1 – Redetermination (120 days to file): Request reconsideration from the same contractor. Provide any additional documentation not previously submitted. Success rate varies but can be effective if you have strong documentation.
Level 2 – Reconsideration by QIC (180 days): A Qualified Independent Contractor reviews the case. More formal than Level 1.
Levels 3-5: Administrative Law Judge, Medicare Appeals Council, Federal Court. Rarely necessary unless large dollar amounts or systemic issues are involved.
Implementing corrective actions:
The best audit response is prevention. Practices with strong compliance programs face fewer audits and better outcomes when audited:
1. Conduct quarterly internal audits. Review a random sample of claims for coding accuracy, documentation completeness, and medical necessity. Identify and fix issues before CMS does.
2. Track and address denial patterns. High denial rates often precede audits. If particular codes or providers have elevated denials, investigate and correct immediately.
3. Provide ongoing coder education. CPT, ICD-10, and payer rules change constantly. Budget 20-30 hours annually per coder for continuing education.
4. Implement pre-claim scrubbing. Review claims before submission for common errors: missing modifiers, unbundling, medical necessity mismatches.
5. Document provider education. When an audit identifies documentation deficiencies, document what training was provided to address them. This demonstrates good-faith compliance efforts.
6. Monitor CERT results. If your practice is selected for CERT review, treat it seriously even though it’s “just educational.” Poor CERT results increase future audit risk.
7. Stay current on LCD/NCD policies. Local and National Coverage Determinations specify what services Medicare covers and under what circumstances. Billing outside these policies guarantees denials.
For practices seeking systematic approaches to compliance and denial prevention, our RCM Intelligence framework provides structured methodology.
CMS audits aren’t random bad luck—they’re triggered by billing patterns that deviate from norms. Understanding what triggers audits, responding systematically when audited, and implementing prevention strategies dramatically reduces audit risk and improves outcomes when audits occur.
The five-step response process—careful notice review, complete documentation assembly, internal review, timely submission, and follow-up tracking—gives practices the best chance of favorable audit outcomes. Most audit denials result from incomplete documentation or missed deadlines, not actual improper billing.
Long-term, the goal is prevention through ongoing compliance: regular internal audits, denial pattern monitoring, staff education, and pre-submission claim review. Practices with strong compliance programs rarely face audits, and when they do, documentation is ready and outcomes are favorable.
Want to reduce audit risk through better denial management? Review our top 10 medical billing denials guide to understand common patterns, or use our Revenue Recovery Simulator to identify billing issues before auditors do.
This guide was developed by A-Z Medical Billing & Consulting, founded by Zain Vally, based on experience navigating CMS audits and implementing compliance programs for Vally Medical Group and partner practices. We help practices prepare for audits, respond effectively when audited, and implement ongoing compliance systems to minimize audit risk.