The Centers for Medicare and Medicaid Services (CMS) audits participating providers to ensure they remain in strict compliance with all Medicare and Medicaid rules and requirements. If you are a doctor, pharmacist, practice group, hospital or other healthcare provider and your organization is facing an upcoming audit, it is essential you retain experienced healthcare fraud defense counsel to help prepare for the audit and avoid the consequences of an unfavorable audit.

All healthcare-related organizations participating in Medicare or Medicaid are subject to CMS oversight. To ensure provider compliance, CMS periodically conducts audits that involve an in-depth review of an organization’s billing procedures.

According to CMS:

“CMS conducts program audits of [Medicare-Medicaid Plans (MMPs)], Medicare Advantage Organizations (MAOs), and Prescription Drug Plans (PDPs), … to help drive the industry towards improvements in the delivery of health care services. CMS Medicare Advantage Parts C and D program audits for sponsors that include an MMP utilize the Center for Medicare Program Audit Protocols as well as two MMP-specific protocols designed to ensure compliance with three-way contract requirements.”

If this sounds confusing, that’s because it is. The rules governing CMS audits are densely-phrased, and the audit procedures are exceptionally complex. As a result, healthcare providers and related organizations that face an upcoming CMS audit must defend themselves effectively in order to avoid program exclusion and other, potentially more serious, consequences.

At Oberheiden, P.C., our highly-experienced team of healthcare fraud defense attorneys has centuries of experience handling all types of audits and investigations. Many of our senior attorneys spent decades working for the federal government before entering private practice. This provides Oberheiden, P.C., with a wealth of knowledge regarding CMS audit rules and procedures. With our help, you will enter an audit knowing what to expect during the process and confident that our experienced advocates will have your back at every step of the way.

The Scope of a CMS Audit

The first step to developing an effective strategy in the face of a CMS audit is to better understand the scope of the audit. This way, you can efficiently manage your time by focusing on those issues that are pertinent to the audit. CMS conducts audits across various areas of compliance. Further, within each of the following areas, sponsors should expect auditors to look into all aspects of their billing and recordkeeping processes.

Currently, CMS audits sponsors in the following areas:

  • Compliance Program Effectiveness (CPE)
  • Medicare-Medicaid Plan (MMP) Care Coordination and Quality Improvement Program Effectiveness (MMP-CCQIPE)
  • Medicare-Medicaid Plan (MMP) Service Authorization Requests, Appeals and Grievances (MMP-SARAG)
  • Part C Organization Determinations, Appeals, and Grievances (ODAG)
  • Part D Coverage Determinations, Appeals, and Grievances (CDAG)
  • Part D Formulary and Benefit Administration (FA)
  • Special Needs Plans Model of Care (SNP-MOC)

The CMS Audit Process Explained

Recently, CMS provided an updated Program Audit Process Overview for 2022. In this document, CMS outlines the audit process, giving sponsors an idea of what to expect throughout the process. CMS breaks an audit down into four stages, each with sub-parts.

Phase I – Audit Engagement and Universe Submission

Phase I of a CMS audit focuses on providing notice of the audit and the gathering of the necessary information. CMS describes Phase I as follows:

The Audit Engagement and Universe Submission phase is the six-week period prior to the field work portion of the audit. During this phase, a Sponsoring organization is notified that it has been selected for a program audit and is required to submit the requested data, which is outlined in the respective Program Audit Protocol and Data Request document.

According to the recently released guidance, CMS routinely sends out engagement letters February through July; however, CMS can also send out engagement letters for ad hoc audits at any time throughout the year.

Once the Auditor-in-Charge reaches out to the sponsor notifying them of an upcoming audit, it begins a process of information gathering. CMS will expect providers to assemble a list of all activities within the scope of the audit that occurred during the 26-week period preceding and including the date of the audit engagement letter.

Phase I also includes an opportunity for sponsors to ask CMS any questions about the audit before submitting a list of “issues of noncompliance that are relevant to the program areas being audited and may be detected during the audit.”

Once all information has been submitted to the Auditor-in-Charge, CMS will review it to ensure completeness. Once complete, CMS will select a sample number of cases to conduct a more detailed review once the audit begins. Most audits are conducted over a webinar.

Phase II – Audit Field Work

The field work portion of a CMS audit lasts about three weeks. First, CMS will provide the sponsor with the cases selected for detailed review during a pre-audit meeting. Once the audit process begins, sponsors are expected to present supporting documentation. If any violations are discovered, a sponsor is given two days to conduct “root cause analysis” using the template provided by CMS. Within ten days of the violation’s discovery, a sponsor must submit an “impact analysis” which all lists parties subjected to or impacted by the issue of noncompliance, including the sample cases cited as noncompliant during the audit.

At the end of the audit field work phase, the Auditor-in-Charge issues a draft audit report to the sponsor, identifying all potential conditions and observations noted during the audit. Finally, the Auditor-in-Charge will hold an exit conference, where a sponsor can ask any questions about the findings and provide follow-up information, if necessary. Sponsors will be given an opportunity to formally respond to, or provide comments for, CMS consideration during the draft audit report process.

Phase III – Audit Reporting

Once the on-site portion of a CMS audit is complete, CMS will send all findings to Program Audit Consistency Teams (PACTs). PACTs are the subject matter experts on programs and audit policy and help to ensure consistency throughout audit scores.

PACTs can apply the following designations to any findings:

  • Immediate Corrective Action Required (ICAR) – CMS issues an ICAR if there are audit findings that “inappropriately delay, restrict or limit an enrollee’s access to required medications or services.” The ICAR results in two CMS audit points.
  • Corrective Action Required (CAR) – CMS labels audit findings that do not have an immediate impact on the enrollee’s ability to request or receive medications or services but are still significant are classified as CARs. The CAR results in one CMS audit point.
  • Observation Requiring Corrective Action (ORCA) – CMS considers audit findings that are limited in scope as “observations requiring corrective action.” These findings are less significant but require a sponsor’s attention. ORCAs do not result in any CMS audit points.
  • Observation – Audit findings that are insignificant are classified as observations. Often, these findings are an anomaly and will not require any corrective action. ORCAs do not result in any CMS audit points.
  • Invalid Data Submission (IDS) – An IDS is an audit finding stemming from the failure to produce an accurate or complete universe within three attempts. The IDS results in one CMS audit point.

Within 60 days, CMS will release its draft audit report, which will contain the sponsor’s CMS audit score. Sponsors have ten days to comment on or respond to the report. CMS will consider a sponsor’s comments and may make modifications accordingly. Within ten days of receiving a sponsor’s comments, CMS will issue its final report.

Phase IV – Audit Validation and Close Out

The last phase of the CMS audit process is the longest, lasting about six months. During this phase, sponsors have the opportunity to show CMS that they have cured any violations discovered during the audit.

The CMS audit process is complex and presents very high stakes for sponsors. Thus, it is essential that all sponsors not only understand how the audit will proceed but also are prepared for whatever findings the Auditor-in-Chief may discover.

Frequently Asked Questions:

Why don’t we call ourselves the “best CMS audit attorneys”?

All attorneys are subject to strict ethical rules when it comes to communicating with potential clients and the public in general. One of these rules prohibits a lawyer from making any statements that could be misleading. At Oberheiden, P.C., we believe that using the word “best” to describe an attorney’s services is subjective; for example, a provider has no way to verify a lawyer’s claim that they are the best CMS audit lawyer. Because of this, we refrain from calling ourselves the best healthcare fraud defense lawyers. However, we believe that our track record speaks for itself, and those who are looking for the best CMS audit lawyers are encouraged to review our past results. To learn more about Oberheiden, P.C., and to discuss what we can do to help you through CMS audit, give us a call to schedule a free case evaluation today.

What should I do if I received a CMS audit engagement letter?

Receiving an audit engagement letter is the first step in the CMS audit process. Once you receive the letter, it means that CMS will be reaching out within two days to see if you have any questions. From there, CMS will schedule the audit. There is little downtime between the receipt of an engagement letter and the beginning of the audit. Therefore, it is critical that any sponsor who receives an audit engagement letter immediately retains an experienced CMS audit defense lawyer for assistance. Not only will one of the healthcare fraud lawyers at Oberheiden, P.C. help you understand that audit process, they are also available to ensure your rights remain protected throughout the process.

Do I Need a Lawyer to if I am Facing a CMS Audit?

Strictly speaking, there is no legal requirement that you have a CMS audit lawyer present during an audit. However, given the high stakes involved as well as the complexity of the process, the assistance of an attorney will make the process much less burdensome. Additionally, a healthcare fraud defense lawyer can speed up the audit process by ensuring compliance with all audit procedures and timelines. While sponsors may feel as though they lack the ability to safely restrict an auditor’s access, because doing so can jeopardize their contract with CMS, an attorney can provide factual and legal reasons why the request exceeds the auditors’ authority. This can limit the scope of an audit without unnecessarily putting a sponsor’s compliance with CMS rules at risk. To learn more about how the CMS audit lawyers at Oberheiden, P.C. can help you navigate the audit process, reach out to us to schedule a free consultation.

Schedule a Complimentary CMS Audit Consultation with a Senior Healthcare Fraud Defense Lawyer

If you are preparing for a CMS audit, the senior federal healthcare fraud defense lawyers at Oberheiden, P.C. can advise you and represent your organization throughout the audit process. To get started with a complimentary initial consultation, please call 888-680-1745 or request an appointment online today.