First the RACs, now wait for what's coming next

Medicaid, commercial insurers starting their audits

By the end of the year, it's likely that every type of medical record in your hospital will be scrutinized by one auditor or another, predicts Brian Flood, managing director for KPMG LLP, the U.S. audit, tax, and advisory firm.

"It's a new world for health care. Medicaid is rolling out its Medicaid Integrity Contractor [MIC] program to audit Medicaid records, and commercial insurers are beginning to use the same model — and, in some cases, the same auditors — to review the records of their members," he adds.

The Pennsylvania Department of Public Welfare's Bureau of Program Integrity has been auditing fee-for-service Medicaid claims for the past three years, using one of the Centers for Medicare & Medicaid Services (CMS) contractors for the Recovery Audit Contractor (RAC) demonstration project, reports Charleeda Redman, RN, MSN, ACM, director of corporate case management for the University of Pittsburgh Medical Center, an integrated health system with 20 acute care hospitals.

The contractor has been auditing records retrospectively and recovering payment if there was a coding error or the patient didn't meet medical necessity criteria, she adds.

CMS has contracted with a different auditor to handle its MIC audits in Pennsylvania, but it will use a similar process, Redman says.

"The MIC auditor will request charts and make determinations. We will appeal through the Department of Public Welfare," she says.

The auditors may have different targets based on the contracts or scope of work they have with the state Medicaid office, Redman adds.

"Some quality issues have been identified as potential risks. In addition, the auditors are looking at the continuum of care, such as cases that are readmitted within a certain time frame," she says.

In addition, a large commercial insurer has contracted with the same contractor used by the Department of Public Welfare to audit medical records in Pennsylvania with a focus on DRG validation. Another commercial health plan has a contract with another firm to review the records of its members for both medical necessity and coding, Redman says.

"The commercial insurers contract with vendors to audit specific areas where they have identified potential risk. So far, the contracts have varied from payer to payer," she adds.

Thanks to the three-year pilot program, there's a lot of information available on the RACs and what the auditors focused on during the pilot project, and hospitals can use that information to get ready for the permanent RACs.

In comparison, information on the MICs is not readily available, and hospitals can't base their expectations on the experiences of other hospitals because what the MICs are focusing on may vary from state to state.

The auditors hired by commercial insurers may focus on a totally different area, depending on the contract specifications from each insurer. This means that the commercial audits may vary from insurer to insurer and possibly from hospital to hospital, depending on the terms of the contract.

The MICs are selected by CMS but will interact with each individual state's integrity program. This means it's more than likely that MICs will operate somewhat differently in every state.

"The MICs will be consistent in how they perform the audits, but they may be looking at different issues. In the beginning, the MIC focus is likely to be very similar to the focus of the RACs, but they may get into the finer details in the coming years," Flood says.

The MICs are going to focus on issues that are continually problematic in Medicaid, Flood points out.

Likely MIC targets

Upcoding, lack of documentation to support the coding that was billed, unbundling, violation of time-based codes for outpatient therapy and inpatient therapy services, imaging services, durable medical equipment usage, and medical necessity issues are likely to be MIC targets, he says.

The MIC process is different from the RACs in several ways.

MICs must conform to state laws on how long hospitals have to respond to their requests for data, so the time providers will have to respond will differ from state to state. Generally, requirements are between 15 and 45 days.

The RACs are limited to requesting data that go back three years, but MICs base their length of time on regulations in the individual states or the allowed rules of evidence based on the continuing nature of the activity being reviewed, Flood says.

MICs have no limits on the number of records they can request, while RACs are limited to 200.

In Arkansas, the MICs have been reviewing 100% of the records from 100% of providers, Flood reports.

Unlike with the RACs, CMS will not reimburse providers for copying medical records requested by the MICs.

MICs are not paid by contingency fees but on a contracted basis, plus an award for performance during the contract year, which gives them an incentive to dig deep and identify as many improper payments as possible, Flood adds.

The MIC process was expected to be rolled out nationwide in January, when the last task orders were to be assigned and the auditors would be able to get staff on board. The MICs will audit the medical records of Medicaid managed care patients as well as fee-for-service patients. The process is expanding beyond inpatient services and will include outpatient treatment as well.

"Since many states have gone to a capitated rate and 60% of Medicaid patients are in managed care, if the MICs audit only fee-for-service beneficiaries, they'll miss an entire population," Flood says.

In addition to auditing hospitals, MICs will audit long-term care facilities, pharmacies, physician practices, labs, transportation providers, and other types of providers.

Largest hospitals probably first

When the MICs begin their audits of hospitals, the first targets are likely to be large hospitals or health systems in large population centers, Flood says.

"The MICs are picking organizations to audit based on population and growth. The largest providers in the largest population centers are likely to be first, but they eventually will get around to every facility in the state," Flood says.

Most of the MIC audits are likely to be "desk audits" — in which the auditors request records and audit them off site. However, the MIC auditors also may come in person to the hospital to review records and interview providers and their office staff.

In addition to auditing providers for coding and medical necessity issues, the MIC protocols require the auditors to review organizations for their handling of billing and costs and to begin measuring for governance of risk, Flood says.

"The MICs will be going beyond case management to determine how the hospitals are running the operations side of the medical encounters and how it impacts the financial side," he says.

For instance, if an auditor asks for certain files, the hospital has to be able to find them and deliver them on time.

The auditors also can ask to see organizational charts, such as a chart showing how the organization deals with overseeing risks and how internal audits are conducted.

They may look at the organization's compliance efforts, how many staff are responsible for compliance, what the budget is, how many audits are conducted each year, and what the results have been, Flood adds.

MICs get to heart of operations

"The MIC auditors are looking for a lot of different issues that the RACs did not focus on. Their scrutiny goes straight to the heart of the operations at the institution," he says.

For instance, if a hospital's compliance department has 25 full-time staff, extensive policies and procedures, regularly scheduled audits, and a database of audit results, the MIC auditor is likely to conclude that the organization has a good governance structure, he adds.

On the other hand, if the hospital has a part-time compliance officer with no staff and no clear description of what he or she does, the facility is likely to receive a lot of scrutiny from the auditors, Flood adds.

"When the auditors write their reports, they will note standard issues, including documentation and proper billing. The governance report will go to the state Medicaid integrity director, which will get the hospital on the radar of the state program immediately," he says.

As part of the Deficit Reduction Act of 2005, Congress required CMS to establish the Medicaid Integrity Program and hire contractors to review provider activities to determine if fraud, waste, or abuse has occurred; audit provider claims; identify overpayments; and conduct provider education.

There are three types of MICs: Review MICs, Audit MICs, and Education MICs. Review MICs analyze electronic Medicaid claims data and identify issues for the Audit MICs to pursue. Education MICs are charged with educating providers, state Medicaid officials, and others on Medicaid payment integrity, quality of care, and other issues.

When the MIC process begins, the institutions will receive a nine-page questionnaire and have 15 days to answer it before an entrance conference with the MIC auditor, Flood says.

An example of a question on the questionnaire is "Please tell us all the instances you had to pay back state and federal funds, the reasons, and the amounts," he says.

The entrance conference may be on site or on the telephone and will include a document request and a time frame, typically 30 to 45 days, in which the hospital must respond.

After the audit is completed, the MIC will prepare a report that will be shared with the state and the provider. The state and the provider will be able to review and comment on the draft report.

CMS will use the information from the reviews to prepare a revised draft report and send it to the state for review and additional comments. Then CMS will identify any overpayments and send the report to the state to collect. Once the final report is issued, the appeals will be handled through the state appeals process.

"There is no appeal for providers at the federal level, even though these are federal contractors doing the work," Flood says.

(For more information, contact: Brian Flood, managing director, KPMG LLP, e-mail: bgflood@kpmg.com; Charleeda Redman, RN, MSN, ACM, director of corporate case management, University of Pittsburgh Medical Center, e-mail: redmanca@upmc.edu.)