Hospital medical records to come under more federal scrutiny than ever

RACs, MACs, CERTs, ZPICs all will perform audits

Some time in the next 18 months or so, four different sets of auditors could be scrutinizing the medical records at your hospital. It's all part of the Centers for Medicare & Medicaid Services' (CMS) Medicare Integrity Program initiative, mandated by the Deficit Reduction Act of 2005, which seeks to eliminate fraud, waste, and abuse in Medicare claims.

In its strategic plan, CMS calls the initiative "the first national strategy to combat fraud and abuse in the 41-year history of the program."

In addition to the Recovery Audit Contractors (RACs) program, which is being rolled out nationwide following a three-year pilot project, hospital records also will be subject to audits from the following:

  • Medicare Administrative Contractors (MACs), which will take over and expand the audits previously performed by quality improvement organizations (QIOs);
  • Comprehensive Error Rate Testing (CERT) auditors, who identify areas where high error rates occur and analyze data from specific providers to determine if the provider is billing in error;
  • Zoned Program Integrity Contractors (ZPICs), auditors with broad powers that extend to Medicare managed care and Medicaid claims.

"Hospitals are going to be subjected to intensive scrutiny from a number of directions on a pre-payment and post-payment basis. In the past, only the quality improvement organizations conducted reviews as a small part of their responsibilities. Now, hospitals will be challenged to give rigorous attention to making sure that patients are admitted to the appropriate level of care and that the documentation in the medical record supports the appropriateness of services received," says Deborah Hale, CSS, president of Administrative Consultant Services LLC, a Shawnee, OK, consulting firm.

All of the new auditing programs are slated to be in place throughout the country by January 2010, adds Brian Flood, CHC, CIG, Esq., managing director for KPMG LLP and a former member of the oversight committee for CMS.

"Having all of these implemented at roughly the same time will have a cumulative effect on the health care industry and provide a challenge for hospitals to mitigate their risks through documentation, make it more difficult to know who's asking for what records, and it will increase the importance of conducting a parallel internal review to keep track of and anticipate the potential findings of regulatory auditors," he says.

The auditors are expected to share findings of improper payments, waste, abuse, and fraud with each other, Flood points out.

"Every time one of them identifies an area that contains error rates, they are mandated to share the information, so it is likely that all of them will zero in on common areas. Providers will have to discuss error issues with several sets of auditors," Flood says.

As these programs roll out, case managers should pay more attention than ever before to Medicare patients, their admission status, length of stay, and documentation of the patient's diagnosis in the medical record, Hale suggests.

"In many hospitals, case managers have big caseloads that make it impossible for them to do everything, so they concentrate on patients with commercial insurance coverage, which requires daily phoned updates, and don't have time for Medicare reviews. Sometimes attention to the medical necessity of admission does not get the full attention of a case manager that it needs. The case managers' focus should be to get out in front of the process so they can monitor level-of-care orders by the physicians and take steps to make sure they are accurate at the point of entry," Hale says.

The auditors likely will concentrate on cases assigned to high-weighted DRGs and with short lengths of stays and low charges, which may suggest that the MS-DRG was upcoded, Hale says.

In addition, cases assigned to MS-DRGs representing signs and symptoms have repeatedly been found to represent medically unnecessary cases according to the Hospital Payment Monitoring Program reports, she says.

In the case of patients who are admitted with symptoms such as chest pain or weakness, when a medical work-up does not establish a definitive diagnosis, the result is assignment to a MS-DRG that reflects only the sign or symptom, Hale says.

"It is the position of CMS that, in most instances, these patients should not be formally admitted," she says.

Bigger burden on CM department

The new audits likely will result in a bigger burden on case management departments that already are challenged to help their hospitals comply with other CMS regulations, including monitoring the present-on-admission indicators and tracking an increased number of core measures and other quality data, Hale says.

"Case managers can't do everything. In many hospitals, there is an increased need for bed availability, which means that in addition to coordinating care and reviewing documentation, case managers must concentrate on throughput issues. They are getting overwhelmed," she says.

One of the mandates of the ZPICs is to examine individual medical records to ensure that the beneficiaries are properly enrolled in Medicare or Medicaid, Flood says.

"Hospitals have typically used the paperwork they have, rather than making sure that the eligibility determinations were properly documented. Now, they are more at risk for loss of revenue. Hospitals are going to have to increase administration costs and check all paperwork so they don't suffer losses," he says.

CMS awarded contracts to four permanent Recovery Audit Contractors in the fall and is gradually rolling out the program.

The goal of the RAC program is to identify improper payments made on the claims of health care services provided to Medicare beneficiaries. Some health care providers may begin receiving requests for medical records or a letter requesting that an overpayment be repaid as early as this month.

The permanent RACS will be paid on a contingency fee basis on both the overpayments and underpayments they find.

The RACs will hold "town hall" meetings in each state with health care providers and CMS staff and representatives from the RACs.

CMS is transitioning responsibility for reviewing hospital claims to determine the appropriate payment due and prevent or reduce improper payment from the QIOs to the fiscal intermediaries (FIs) and, ultimately, to seven MACs, which will be responsible for large regions, rather than just one state, Hale says.

QIQs focus changed

This will allow the QIOs to concentrate on improving patient quality of care and maintaining quality improvement and provider assistance efforts, according to CMS.

Unlike the QIOs, which performed only post-payment reviews, the FIs and MACs can perform medical review on a prepayment or post-payment basis.

In the past, the FIs primarily were responsible for auditing and making sure improper payments were not made for outpatient and skilled nursing facility services and did not have jurisdiction over the inpatient setting. It was the QIO's responsibility to determine if inpatient hospitals placed patients in the right MS-DRG and if admissions were medically necessary, Hale says.

The MACs will pay both inpatient and outpatient bills as well as professional fees and will be responsible for auditing all three for improper payments, fraud, and abuse, Hale points out.

This change may help hospitals in their efforts to assure that physician documentation is complete and accurate, she says.

"Up until this point, physician payment was made by a carrier. Hospitals were frustrated because if an admission was denied because it didn't meet medical necessity, the hospital payment was denied but the physician still got paid. Now, the physician payment may also be denied if the documentation in the medical record doesn't support the care provided," Hale adds.

The RACs were allowed to look at physician claims in the demonstration project but, as a rule, didn't look at many, since the hospital payments represent a bigger dollar amount and they were receiving a percentage of the improper claims they discovered, Hale points out.

For the first time ever, MACs can conduct pre-billing reviews, Hale says. This means that instead of getting the explanation of benefits that comes back with the check, hospitals will receive a request for medical records.

"The hospitals won't know if the chart will be reviewed until they submit the bill," she says.

Medicare has declared that there should be a three-month window between the implementation of the RAC and the MACs so hospitals won't get hit with both at the same time, Hale says.

Unlike the MACs and RACs, which concentrate on fee-for-service Medicare claims, the ZPICs will review all providers of Medicare and Medicaid services, including managed Medicare and Medicaid, Flood says.

The ZPIC program was created early this year and implemented July 1, 2008. The ZPIC program replaces the Program Safeguard Contractors created in 2006 to look for fraud and abuse, Flood says.

The Zone Program Integrity Contractors are private contractors who will work in the same geographic areas as the MACs. The ZPIC program is being rolled out from the West Coast to Mississippi starting this month. It should be in place throughout the country some time in 2009.

"The MACs are intended to take a team approach with providers. They review appropriateness of payment, ask for documentation, and educate the providers. From what I can tell, the ZPICs are going to act more as enforcers and regulators," Flood adds.

The scope of work for the RACs is fairly contained within standard fee-for-service billing, and they are limited to one year for medical utilization. The ZPICs have an extraordinarily wide scope of work with no limits, he adds.

The ZPICs have a legal staff, a medical director, a coding staff, a nursing staff, auditors, and investigators.

According to the CMS Statement of Work, the ZPICs will perform investigations; refer cases to law enforcement; make coverage and coding determinations; review audit, settlement, and reimbursement of cost reports; review bids for participation in the prescription drug program; assist CMS in developing a list of entities that may require future monitoring based on past history; conduct specified audits; conduct specified complaint investigations for Part C and D; conduct preliminary investigation into entities conducting fraudulent enrollment; eligibility determination and benefit distribution; match and analyze Medicare and Medicaid data; and coordinate potential fraud, waste, and abuse activities with the appropriate MMEs and complaint screening for Part C and Part D.

According to CMS, the ZPICs are authorized to perform pre-pay medical review, post-pay medical review, medical review in support of benefit integrity, provider notification and feedback, coordination with the staff at the MAC, and program integrity management reporting.

In addition, Medicare's CERT contractors began reviewing hospital claims, looking for high error rates, for the first time in April.

In the past, the CERTs never looked at inpatient claims but now they can pull samples of hospital records, Hale says.

The CERT methodology includes selection of a sample of claims, requesting medical records from providers who submitted the claims, and reviewing the claims and medical records for compliance with Medicare coverage, coding, and billing rules.

(For more information, contact: Brian Flood, CHC, CIG, Esq., managing director for KPMG LLP, e-mail:; Deborah Hale, president of Administrative Consultant Services LLC, e-mail: