The Medicare Audit: It’s not “If”, it’s “When”

By: Cheryl Canon, PT, DPT;  OptimisPT Director of Implementation and Compliance

During the COVID-19 pandemic, Medicare suspended audits.  Now that the Public Health Emergency (PHE) is more under control, Medicare has resumed the audit process and it may feel to some like CMS is making up for lost time.

There are three main types of audits you may experience: RAC Audit, Cert Audit, and Probe Audit. Here are some of the differences:

Recovery Audit Contractor (RAC) Audit:

  • Reclaims money by reviewing fee-for-service (FFS) claims (“clawback”)
  • Country divided into 4 regions (5 including DME)
  • Focuses on upcoding and medical necessity

Triggers for a RAC Audit:

  • Not billing according to your payer methodology (i.e. 8-min rule/total time rule)
  • Overbilling certain codes (aka upcoding), per provider
  • Working outside of the allowed provider ratio (1 PT:2 PTAs, 1 PT:1 PT aide, 1 PT:1 student PT)
  • Multiple therapists billing under a single provider number rather than individual enrolled PTs billing separately

The primary role of a Recovery Audit Contractor (RAC) is to review Medicare claims data and determine if a claim was appropriately paid. Each RAC is responsible for identifying overpayments and underpayments in a geographically defined area (Medicare Region) that is roughly one-quarter of the country.  There are two types of RAC audits: automated and complex. A Complex audit is a comprehensive review of charts and claims, while an automated audit is more of a random spot check of files. A complex RAC audit goes beyond policy analysis and almost always requires uploading medical documentation to make a final judgment on the audit outcome.  So if you’re not sure which audit you are involved in, if the initial letter requests documentation, it is most likely a complex review. The audit can look back at up to three years of your records from the claim they are reviewing.  The more problems a RAC auditor finds, the more they get paid.

Research has shown that improper payments generally fall into four categories:

1. Payments are made for services that were not medically necessary; 

2. Payments are made for services that are incorrectly coded; 

3. Providers fail to submit documentation to support the services provided or fail to submit enough documentation to support the claim; and 

4. Other errors are made (i.e., the claim is submitted twice and ultimately paid twice).

Certified Error Rate Testing (CERT) Audit:

  • Auditor reviews a specific number of random sample claims to determine whether they appropriately paid under all applying rules

Triggers for a CERT audit:

  • Overutilizing a KX modifier (hitting allowed dollar amount on many patients)
  • Medicare Plan of Care (POC) certification
    • Not signed within 30 days or no due diligence in attempting to obtain signature
    • Doesn’t cover dates of service
    • Incomplete, per requirements
  • No difference between interventions from one diagnosis to another (i.e. an ankle sprain gets as many visits as a s/p Rotator Cuff repair and what’s billed is the same)

Every year the CERT program reviews a stratified random sample of Medicare FFS claims to determine if they were paid properly under Medicare coverage, coding and payment rules.

When the patterns of incorrectly paid claims appear on its radar, the CERT steps in and educates providers. The auditor requests a small number of medical records as samples as a percentage of claims.

CERT auditors receive a set amount outlined in their contract, regardless of the percentage of payment errors they find (versus RACs who are paid through contingency fees; the more under- or over-payments they uncover, the more money they receive).

Probe Audit:

  • Targets a specific service or specialty
  • Sample of submitted claims pulled for review before payments are made
  • Additional documentation requested
  • If audit uncovers perceived fraudulent activity, additional investigation occurs

Triggers for a Probe Audit:

  • Medicare Administrative Contractors (MACs) audit Medicare providers and suppliers with a history of high claim error rates and billing practices or utilization rates that vary from their peers
  • Lack of medical necessity

If chosen, you receive a letter from your MAC, the MAC will review 20-40 claims and supporting documentation. If everything looks good, you won’t be reviewed again for at least 1 year on the same topic. If some claims are denied, you will be invited to a one-on-one education session and be given at least a 45-day period to make changes.

Suggestions to fair well in an audit:

POC certification

  • Signed within 30 days (*NO STAMP!) and scanned into episode of care (EOC)
  • If no signature, due diligence in trying to obtain signature (fax log)
  • Re-certification if necessary
  • Use reports to stay on top of POC expiration dates and certifications

Provider ratio

  • PT to aide ratio (1:1)
  • PT to PTA ratio (1:2)
  • Student supervision (make sure you’re following supervision guidelines)
  • Make sure your schedule matches what is possible (i.e. if billing 4 units for a Medicare 1:1, make sure the patient is scheduled for the full time, and not in a 30 minute slot back-to-back with another Medicare patient)


  • Ensure documentation supports medical necessity
  • Don’t allow it to look like you perform and document the exact same thing on every client on every visit
    • exercises: are parameters and intensity level changing as the patient improves/regresses?
    • manual therapy techniques: are they in line with the remaining impairments?
    • Patient subjective and Provider interactions: make sure you’re not saying the same thing every visit and that what is being documented relates back to the treatment.  Is the treatment impacting the patient’s improvement or lack thereof?
  • Establish and document functional progress as often as possible. It helps with medical necessity and in the case a patient self-discharges so you have objective change documented


  • KX modifier should not be needed on every patient; those that it is used, documentation should clearly support why it’s still medically necessary
  • Ensure documentation supports units being billed


  • If you have PTAs and Students, ensure supervision and what is being billed is in line; Medicare will look at your schedule during an audit
  • Sign-in sheet: while not required, it’s the only way to prove the patient was there

Audits can be scary, but they don’t have to be.  Make sure you are utilizing an EMR that has features to help you document toward medical necessity, compliance, and other issues that are heavily looked at during an audit and frequently trigger them in the first place.  OptimisPT does include these features.