The ABCs of Government Auditors

More than a dozen government audit programs currently inspect Medicare and Medicaid claims. Following are descriptions of the major auditors and their areas of focus.


CERT

CMS implemented the Comprehensive Error Rate Testing (CERT) program to measure improper payments in the Medicare Fee-for-Service (FFS) program. It was designed to comply with the Improper Payments Elimination and Recovery Act of 2010.

Claims for the CERT program are chosen at random; the process is designed to pull a random electronic sample of claims. CMS outlines how records are requested for the CERT program through its “Improper Medicare Fee-for-Service Payments Report.”


DOJ

The Department of Justice (DOJ) collaborates with many of the auditing agencies, including the Office of Inspector General (OIG) and the Department of Health and Human Services (HHS). In addition, DOJ can perform other audits if requested by other government agencies.

DOJ primarily uses auditors to work on civil fraud cases and uses these same auditors to work on healthcare fraud. When a federal or state investigative agency identifies that a subject is under current investigation in multiple states or jurisdictions, that information is sent to DOJ to develop a nationwide strategy to coordinate the multiple efforts and resources.


HEAT

The goal of the Health Care Fraud Prevention and Enforcement Action Team (HEAT) is to prevent fraud and abuse in the Medicare and Medicaid programs by identifying fraud perpetrators and those abusing the system. The program also focuses on perpetrators who prey on Medicare and Medicaid beneficiaries.

Increased HEAT audits are considered to be the number-one compliance risk of 2011 because the program has been incredibly successful in building partnerships between DOJ, HHS, and other agencies to recover taxpayer dollars.3 In fact, an additional $60.2 million in funds has been dedicated to fund additional teams and investigations in FY 2011.4


MAC

Medicare Administrative Contractors (MACs) are contracted to perform prepayment medical reviews to ensure services provided to Medicare beneficiaries are covered and medically necessary. All claims submitted to MACs are put through a “scrubber” to check against claim edits and ensure payments are made to certified providers. CMS publishes and maintains these edits, such as the Outpatient Code Edit (OCE).

Once the claim passes all edits, the MAC calculates the payment amount based on fee schedules, formulas, geographical adjustments, provider characteristics, and beneficiary copayments.

The Medicare Prescription Drug Improvement and Modernization Act of 2003 mandated CMS transition all its fee-for-service fiscal intermediaries and carriers to MACs by 2011. As a result, 15 A/B MAC jurisdictions were established. In July 2010 CMS posted a notice of plans to consolidate the 15 MACs into 10 jurisdictions, implement a contract limit for the A/B MAC contracts, and enhance the role of the contractor medical directors.

In 2011 MAC audits are expected to be combined with RAC audits and leverage their resources in identifying payment errors. MACs primarily review on a prepayment basis, while RACs review on a retrospective system. As the MAC utilizes prepayment edits to identify payment errors, the results may be sent to the RAC for retrospective review.

If an organization receives a MAC review and identifies that a billing or coding error has occurred, it is best to self-report regarding past discharges. By self-reporting, the organization stops a potential RAC retrospective review, which could also open the organization to full medical necessity review in addition to a DRG review.

MIP and MICs

The Deficit Reduction Act of 2005 created the Medicaid Integrity Program (MIP) under section 1936 of the Social Security Act. MIP is the first comprehensive federal strategy to prevent and reduce provider fraud, waste, and abuse in the $300-billion-per-year Medicaid program.

CMS has two broad responsibilities under MIP: to hire contractors to review provider activities and to support states in their efforts to combat fraud and abuse.

The Social Security Act also required CMS develop the five-year Comprehensive Medicaid Integrity Plan in consultation with internal and external partners. The Medicaid Integrity Group oversees MIP through Medicaid Integrity Contractors (MICs) and State Program Integrity Operations.

There are three primary MICs. Review MICs analyze Medicaid claims data to determine potential provider fraud, waste, or abuse. Audit MICs audit provider claims and identify overpayments. Education MICs provide education to providers and others on payment integrity and quality-of-care issues.

Medicaid RAC

Medicaid Recovery Audit Contractors are a supplemental approach to Medicaid program integrity efforts already under way to ensure that states make proper payments to providers. The Affordable Care Act of 2010 required states and territories establish the Medicaid RAC program under the statute that establishes the Medicare RAC program. The program launched in January 2012.

Medicaid RACs are tasked with identifying and recovering Medicaid overpayments and identifying underpayments. They are also tasked with designing their programs so that the Medicaid RACs report instances of fraud and criminal activity in addition to the pursuit of overpayments.


MFCU

A Medicaid Fraud Control Unit (MFCU) is a single identifiable entity of state government annually certified by the secretary of HHS. MFCUs are responsible for conducting a state initiative aimed at investigating and prosecuting providers that defraud the Medicaid program.

In addition, MFCUs may also review complaints of abuse or neglect of nursing home residents or the misappropriation of a patient’s private funds while in the home. The Ticket to Work and Work Incentives Improvement Act of 1999 extended MFCU jurisdiction to include fraud investigation in any federally funded healthcare program.

North Dakota received a waiver from the federal government, leaving MFCUs in 49 states and the District of Columbia. Most are located in the state attorney general’s office, though it is not a requirement.

In order to be certified by HHS, MFCUs are required to employ attorneys experienced in the investigation and prosecution of civil fraud or criminal cases, investigators with extensive knowledge in commercial and financial investigations, and auditors capable of investigating allegations of fraud.


OIG

Since 1993 OIG has been performing and supervising audits and investigations of fraud and abuse to promote efficiency and effectiveness and minimize losses in governmental programs. As mandated by amended Public Law 95-452, OIG’s mission is to protect the integrity of HHS programs as well as the health and welfare of the beneficiaries of those programs. All activities performed by OIG lie within the authority of the US Inspector General.

Depending on the nature of the violations, organizations or providers should consider engaging legal counsel, auditors, or other healthcare experts to help with ongoing OIG investigations.


OMIG

The State Offices of Medicaid Inspector General (OMIGs) are independent agencies within individual state departments of health. Their purpose is to improve the integrity of state Medicaid programs by coordinating the fraud and abuse activities for multiple state agencies that provide Medicaid-funded services.

Although each OMIG is different, many work with agencies such as the Department of Mental Health, Office of Children and Family Services, and Office of People with Developmental Disabilities. They also work closely with MFCUs to support their enforcement activities.


PERM

The Payment Error Rate Measurement (PERM) program measures improper payments in the Medicaid program and the Children’s Health Insurance Program (CHIP). PERM is designed to comply with the Improper Payments Information Act of 2002. Executive Order 13520 further intensified PERM efforts to eliminate payment errors, waste, fraud, and abuse in federal programs, including Medicaid.

For PERM, CMS is using a national contracting strategy consisting of three contractors to perform statistical calculations, medical records collection, and medical/data processing review of select state Medicaid and CHIP fee-for-service and managed care claims. In FY 2006 CMS reviewed only Medicaid Fee-for-Service claims. Starting in FY 2007 CMS expanded PERM to include reviews of FFS and managed care claims, as well as beneficiary eligibility in both the Medicaid and CHIP programs.


RAC

The Recovery Audit Contractor (RAC) program’s mission is to reduce Medicare improper payments through the detection and collection of overpayments, the identification of underpayments, and the implementation of actions that will prevent future improper payments. Many of these activities involve data-mining activities based on billing information.

The Tax Relief and Health Care Act of 2006 mandated CMS implement Medicare RAC auditors in all states. CMS awarded contracts to four regional RACs, each responsible for ensuring identification of payment errors for approximately a quarter of the US.

In 2011 industry experts suggest RAC audits will continue to be a compliance risk for organizations and providers due to the large scope and increased data-mining efforts. In addition, RAC audits may impose the largest operational impact on healthcare organizations and providers in 2011. Recent changes have increased RAC record requests to 500 records every 45 days.

The contingency fee nature of RAC payments will ensure that these audits remain a top risk and operational concern for organizations and providers in 2011.


ZPIC

Effective January 26, 2009, benefit integrity work transitioned from Program Safeguard Contractors and the Medicare Prescription Drug Integrity Contractors into Zone Program Integrity Contractors (ZPICs), which will be located in seven zones. The scope of work for ZPICs is similar to the previous scope of work carried out by the earlier contractors. ZPIC auditors perform a wide range of medical review, data analysis, and evidence-based policy auditing activities designed to find fraud, abuse, and waste within the Medicare system.

These audits are often the most concerning for organizations and providers because they have a tendency to use statistical data sampling and extrapolation methods. These methods allow ZPIC auditors to recoup overpayments totaling hundreds of thousands of dollars. ZPIC audits should not be taken lightly and organizations should handle these types of audits with due diligence.

Adapted from the July 2011 AHIMA practice brief “Understanding Governmental Audits.”
