Skip to main content

Successfully Navigating Today’s World of CMS Audits

There was a time in healthcare when we would say, “If we get audited.” Now, the more realistic and correct notion is, “When we get audited.” Audits are a very regular, sometimes daily part of the routine activities that occur throughout all areas of healthcare. Our documentation has never been under this degree of scrutiny by such a variety of contractors.

Revenue Integrity, Health Information Management, Coding, Revenue Cycle and Medical Billing teams are just a few of the departments that have had to become very intimate in their understanding of who can ask for documentation and why.

Today, it’s incredibly important to understand the different audits that might be encountered. Understanding the origin of the audit, why the audit is taking place, and how to submit a complete and timely reply can help successfully navigate through today’s world of audits.

The Centers for Medicare and Medicaid Services (CMS) are at the forefront of the most frequent and impactful audits, so taking a closer look at its audits is not only important but actually necessary for a successful journey through the audit process. This information and all the accompanying details can be found in the Medicare Program Integrity Manual (100-08). It is located in CMS Internet Only Manual section of its website.1

Of course, any payer can request documentation either before or after processing a claim, but we all appreciate that the CMS generally leads the way in requesting additional documentation. Most additional documentation requests (ADR) are required to include the necessary elements of what and why the documentation is being requested. No matter who sends the ADR, the first step to a successful outcome is to review the entire documentation request carefully.

As noted in the Program Integrity Manual, addressing improper payments in the Medicare Fee-For-Service program and promoting compliance with Medicare coverage and coding rules are top priorities for the CMS.

To handle of all this audit workload, CMS uses a variety of contractors, each with a very specific scope of work and goal, and all designed to do their part in protecting against fraud, waste and abuse, thus ensuring the stability of Medicare Trust Fund. As listed in the Program Integrity Manual, a “Review Contractor” can be any of the following: Medicare Administrative Contractor (MAC), Comprehensive Error Rate Test Contractor (CERT), Supplemental Medical Review Contractor (SMRC), Recovery Auditor Contractor (RAC), Program Safeguard Contractor (PSC), Zone Program Integrity Contractor (ZPIC) or Unified Program Integrity Contractor (UPIC). For a specific list of contractors that could possibly send a documentation request, check the “Review Contractor Directory – Interactive Map.”2 From this site, once a specific state is selected, a complete list of the various contractors assigned to that area is provided.

There are several different types of audits within or under CMS’s direction and each of them can be either a pre-payment or a post-payment audit. Pre-payment means that the documentation is required before a payment or determination are made. Post-payment indicates just that—the audit or review is conducted after the claim has been processed and paid.

Currently, the audit activity most seem to be experiencing is a result of two particular CMS initiatives. One is the Targeted Probe and Educate (TPE) audit program, which is administered by the MACs. The other is under the direction of the Supplemental Medical Review Contractor (SMRC) as instructed by CMS.

What You Should Know About Targeted Probe and Educate (TPE)

Initially the thought of yet another type of CMS-directed audit is almost unbearable. However, an audit might not be so bad with the Targeted Probe and Educate (TPE) program, which CMS has designed to help provider and suppliers reduce claim denials and appeals through one-on-one help. The goal of this initiative is to help hospitals and providers quickly improve when errors are found. Through TPE, MACs will work directly with hospitals and providers, in person, to identify errors and provide assistance or direction to correct them.

As the name implies, this initiative is targeted, meaning that CMS has instructed MACs to use data analysis within each of their jurisdictions to identify hospitals, providers and suppliers that have high claim error rates or unusual billing practices and items, and identify services that have high national error rates and are a financial risk to Medicare. CMS reports that most providers will never need TPE.1

However, if chosen for the program, a notification letter is sent from the MAC.

This notification letter will explain the TPE program, including the opportunity for education, the reason for inclusion in the TPE program and that an additional documentation request is forthcoming. The notification letter does not require a reply.

Following the TPE Notification Letter will be an actual ADR requesting documentation for 20 to 40 claims. This is considered Round 1. Attention and care should be noted when preparing the documentation reply, which is discussed further in this article. The documentation is reviewed and if it is compliant, meaning there are no unfavorable findings, that ends Round 1 and no further review on that selected topic will take place for at least one year.

However, should there be unfavorable findings, one-on-one education will be offered. Participation in that education is strongly recommended. This affords an opportunity to speak directly with the auditor and discuss the findings. For TPE, CMS defines one-on-one education as teleconference calls, fact-to-face visits, electronic visits using webinar technology, or other similar technologies that enable direct communication between the MAC educator and the hospital/provider or supplier. Once that education is completed, there is a 45-day period for improvement allowed and then a second ADR is sent requesting another 20 to 40 claims. This is considered Round 2. The same process takes place and could continue a third time or to Round 3 should there be no noted improvement and there are still unfavorable findings. If after Round 3, there are still unfavorable findings, the hospital, provider or supplier could be referred back to CMS for next steps or additional follow up. Those next steps could include 100% prepay review, extrapolation, referral to a Recovery Auditor or other action as instructed by CMS.

The overall goal, if included in the TPE program, is to be successful at Round 1. Keep in mind that should there be unfavorable findings at any round of TPE, the appeals process can be considered and utilized when needed.

Chapter 3, section 3.2.5 of the Program Integrity Manual provides the details and MAC instructions for implementing the TPE program.3 For the Medicare Administrative Contractor, the purpose of TPE is to decrease provider burden, reduce appeals and improve the medical review/education process. Remember that TPE reviews can be either pre-payment of post-payment and involve MACs focusing on specific providers/suppliers that bill a particular item or service. This section of the Program Integrity Manual also confirms that in addition to initiating a TPE review based on CMS’s data analysis, they may also initiate at TPE review upon referral from other contractors such as the RAC, CERT or UPIC as well as the Office of Inspector General (OIG) or Government Accountability Office (GAO).

In order to stay abreast of all TPE activity, monitoring each MACs website is essential. Medicare Administrative Contractors will publish the topics (specific services) that they are reviewing under the TPE program. Additionally, MACs also provide regular webinars, updates and FAQs regarding the TPE program within their jurisdiction.

What the Supplemental Medical Review Contractor (SMRC) Does

Although CMS, through the MACs, has undertaken actions to prevent improper payments, it is difficult to prevent all improper payments, especially considering that the Medicare Fee-For-Service program processes more than 1 billion claims each year. In addition to the Recovery Audit program, CMS also uses other resources such as the Supplemental Medical Review Contractors (SMRC), whose main tasks are to perform and/or provide support for a for a variety of tasks aimed at lowering the improper payment rates and increasing the efficiencies of the medical review functions of the Medicare and Medicaid programs. CMS states that having a centralized medical review (MR) resource that can perform large volume MR nationally allows for a timely and consistent execution of MR review, activities and decisions. The focus of SMRC reviews may include but is not limited to issues identified by CMS internal data analysis, the CERT program, professional organizations and other federal agencies, such as the OIG/GAO as well as the use of comparative billing reports.

Simply stated, the topics or services that the SMRC is reviewing may come from and/or are directed by other agencies and organizations.

Noridian Healthcare Solutions, LLC, was selected by CMS to conduct nationwide medical reviews as directed by CMS. As the national SMRC contractor, Noridian will conduct nationwide medical reviews for Part A, Part B and Durable Medical Equipment (DME) providers and suppliers, in accordance with all applicable statutes, laws, regulations, national and local coverage determination policies, and coding guidance. These reviews determine whether Medicare claims have been billed in compliance with coverage, coding, payment and billing practices.4

The Noridian website confirms that these reviews are assigned through CMS’s formal notifications and the reviews focus on analysis of national claims data issues identified by Federal agencies such as the OIG, GAO, CMS data analysis, CERT and professional organizations. A complete list of the services currently being reviewed under the SMRC scope of work can be found at the website.5

If providers or suppliers agree with the SMRC medical review findings that are included in the Review Results Letter, they will follow the standard overpayment recovery process as outlined by the contractor. If, however, the provider or supplier disagrees with the decision according to the medical review findings, and the project is eligible for a Discussion & Education (D&E) Period, the letter will contain the D&E process details. The review results letter shall also notify the provider/supplier that they may elect to submit missing information but decline a D&E session.

Noridian further explains that the D&E period is intended to allow for the communication of the payment recommendations, discussion of the rationale for the medical review findings, education about coverage, coding and payment policies for the subject claim to avoid further denials and provide another opportunity to submit missing documentation. The Discussion & Education Period is detailed on the Noridian website.6

Be sure to review the SMRC information on the Noridian website.

How to Prepare a Proper Reply to an Audit

Regardless of the type of audit, a complete, proper and timely reply is imperative for expecting positive, successful results. Every audit or documentation request includes a very specific date or timeliness requirement for responding. Most allow 45 days from the date of the ADR or documentation request. A good general rule of thumb is to set a 30-day time limit to reply, thus allowing for mail or other submission challenges.

Most ADR letters include a specific list of the documentation components that are being requested. That list could include specific items such as the physician order, lab and other diagnostic test results, the procedure note(s), plan of care, discharge notes, the claim and sometimes the patient billing statement. Be sure that each item requested is included with the reply packet. CMS has cited missing or incomplete documentation as one of the top denial reasons.

The next step in preparing your documentation reply is to organize the packet in the most appropriate chronological order as possible. From beginning to end, the documentation packet should guide the auditor or reviewer through the patient’s plan of care. The ADR should be included in the reply packet and a specific point of contact should also be noted with the reply. The ADR and contact information should be the first few pages, in front of the actual medical records. Once the packet is organized, number each page in the packet. This will assist with any questions or calls with the auditor.

Be sure to keep copies of the entire packet and when possible, utilize the contractor’s website portals for submitting the documentation reply electronically. This is by far the most efficient and fastest method for submitting documentation. If other submission options are utilized, be sure to confirm and note how the documentation was submitted. For example, if sent via fax, print the fax confirmation page. If sending through the mail, include the option for return receipt requested. When sending by mail, also confirm the address is correct, as contractors may use a different mailing address for medical review replies.

Monitoring Audit Activity

Monitor all audit activity not only within the outpatient department but throughout the hospital. Consider utilizing an internal revenue integrity type of team to track all audit activity and the outcome of all audits. Establish a tracking process or system that identifies who is auditing, the services being audited and the outcome. Trends could possibly emerge that might provide opportunity for additional or supplemental internal documentation education and support for the clinical staff.

If unfavorable findings are initially rendered, remember to utilize the appeals process when appropriate. For most audit activity, the appeals process is still available and should always be considered.


While this article has focused on two specific types of audits, remember there could also be other types. One should give the utmost attention to all requests for documentation, particularly any request from the OIG. Often, the results of the OIG's audit work as outlined in its Work Plan can lead to subsequent audits and reviews under the SMRC, as was noted earlier in this article, and can also lead to changes in coverage and coding guidelines. After all, it was just a few short years after the OIG conducted reviews on consultation services documentation that CMS announced consultation codes would no longer be accepted for reimbursement in the Medicare program.  Other contractors may also initiate similar changes in their coverage guidelines.

As noted throughout this article, successfully navigating through all of today’s audits does require a good basic understanding of the types of audits that exist today. In addition to the CMS and MACs email list serve updates, it’s also recommended to subscribe to any commercial payer electronic updates and websites.

Read the documentation request very carefully, provide all the documentation that’s requested and note how the reply is submitted. Participate in any offered follow-up education and ask questions when the auditor’s comments are not clear.

Successfully navigating through today’s audit processes can be done with a basic understanding of the audit process itself and properly replying with the most complete and supportive documentation package.

Diane G. Weiss is the Vice President of Revenue Integrity & Education at RestorixHealth.

Diane G. Weiss, CPC, CPB, CCP, CHRI

1. Centers for Medicare and Medicaid Services. Available at

2. Centers for Medicare and Medicaid Services. Available at

3. Centers for Medicare and Medicaid Services. Medicare Program Integrity Manual Chapter 3. Available at .

4. Noridian. Supplemental Medical Review Contractor (SMRC). Available at

5. Noridian. Current projects. Available at

6. Noridian. Discussion and education period. Available at

Back to Top