Since their inception in 1965, Medicare and Medicaid have instituted many audit agencies and programs. Among the newest and fastest-growing is the Recovery Audit Contractor program, known as RAC.

The Centers for Medicare & Medicaid Services pay private auditors a bounty to find mistakes in Medicare and Medicaid fee-for-service claims. The auditors are paid a percentage of all errors they uncover, whether overpayment or underpayment, giving them a strong incentive to be inventive and thorough.

Providers must reimburse the government for any overpayments they receive, though they also are compensated for any underpayments revealed. Audits can be conducted on claims up to three years after they are paid.

RACs approved by CMS have full access to all Medicare fee-for-service claims data, which they sift with proprietary software in a process called “automated review.” Contractors also can examine medical records from any provider when they have reason to suspect an error. This process is called “complex review.”

The bulk of errors identified are overpayments. In a six-state pilot of the RAC program conducted from March 2005 through March 2008, auditors collected nearly $1 billion in Medicare overpayments. Just under $39 million in underpayments were returned to providers.

RAC went national in federal fiscal 2010. Compared with the pilot, the national program got off to a slow start. In the first year, just $75.4 million in overpayments were collected and $16.9 million in underpayments were returned. Controls by CMS to standardize activities and ensure RAC auditors weren’t exceeding their authority are largely ineffective. Among them is a requirement that contractors publish the claims issues they propose to investigate and clear them with CMS before they can demand provider repayments.

But since the beginning of fiscal 2011 (Oct. 1, 2010), recoveries have increased exponentially. In the first quarter, RAC uncovered about as many errors as in all of fiscal 2010. In the second quarter, ending March 2011, RAC recoveries nearly doubled, to $162 million, CMS reported.

A big reason is that RACs greatly increased the number of issues they can investigate. The program began with a handful of questionable claims practices and a few DRGs. But each of the four RACs now list 150 or more issues on their websites. Many were added this year, and many cover more than one service or DRG.

Similarly, the scope of issues subject to review also has expanded. For example, CGI, the contractor for RAC Region B, received permission to audit DRG assignment, but not medical necessity, for major gastrointestinal disorders and peritoneal infections in June 2010. In April 2011, medical-necessity reviews were added, potentially reopening previously RAC-reviewed claims. The other three RACs have made similar moves.

CMS has not released data on how much auditors have collected in each area. However, data from the American Hospital Association’s quarterly RACTrac survey, which includes reports from 1,852 hospitals nationwide, suggest that complex reviews are increasing compared with automated reviews. In the fourth quarter of 2010, RACTrac participants reported nearly as many requests for medical records as in the three previous quarters combined.

Likewise, complex denials in the fourth quarter exceeded 15,000, more than double the total for the three previous quarters. Automated denials also nearly doubled to more than 21,000 through the fourth quarter. However, complex denials accounted for 90 percent of the dollar volume of recoveries, or more than $78 million of the $86.4 million reported for the calendar year. The average value of complex denials was $5,281 compared with $399 for automated denials. Medical necessity was by far the fastest-growing reason for complex denials, with 57 percent of RACTrac hospitals reporting them in the fourth quarter, up from just 14 percent in the third quarter.

To cap it all off, the RAC program has and will expand its scope. The number of records RACs may request from hospitals in a 45-day period was raised from 200 to 300 in November 2010. In March, it was increased to 500 for hospitals with more than $100 million in annual Medicare billings. A new category of “semi-automated” review also was added this year. It allows RACs to scan claims data for patterns of possible errors, as opposed to picking out defined errors for the automated program. Once RACs notify providers of a potential billing error, the provider has 45 days to document the initial claim. If not, claims are adjusted automatically. Later this year, Medicaid RAC audits are set to commence.

The stage is set for RAC to become a significant economic threat for hospitals, physicians and other providers. Fully half of the RACTrac hospitals report that the program already has increased administrative costs. This reflects the broad changes that hospitals and systems must make to ensure they comply with Medicare medical necessity, coverage, documentation and billing standards organizationwide.

Active board leadership and oversight are critical to ensure that vulnerability to RAC audits is assessed systemwide. Admissions standards and procedures, utilization management, medical records, provider documentation practices, coding, billing and advance beneficiary notices all are affected. Where multiple-provider entities, including medical groups, individual physicians, skilled nursing and home care, are involved, coordination among them is critical. Board leadership may be necessary to secure funds to increase staff, provide training and add automated tracking systems to ensure records requests are met and appeals filed on a timely basis. In addition, the financial risk of RAC audits should be assessed and reserves considered

History of RAC

The Medicare Modernization Act of 2003 authorized a three-year demonstration project of the RAC program, which began in March 2005. RACs corrected more than $1.03 billion in improper Medicare payments in six states, according to the CMS report. Approximately 96 percent, or $992.7 million, were overpayments collected from providers, while the remaining 4 percent, or $37.8 million, were underpayments repaid to providers.

The Tax Relief and Health Care Act of 2006 made the RAC program permanent and extended it to all 50 states. Its stated mission is to detect and correct past improper payments so that CMS and carriers, fiscal intermediaries and Medicare administrative contractors can implement actions that will prevent future improper payments. The goal is for providers to avoid submitting claims that do not comply with Medicare rules, which lowers CMS’ error rate and protects taxpayers and future beneficiaries from waste and fraud.

The country was divided into four RAC regions: the Northeast, the Great Lakes/Midwest, the South and the West (see map, below). After an extensive review of bids, CMS awarded four fiveyear contracts. Health care providers in each state must look to the RAC for their region for requirements. RACs have conducted mandatory outreach programs to educate providers, set up administrative operations and cleared hundreds of audit issues with CMS.

RACs are paid a percentage of both improper overpayments and underpayments they identify ranging from 9 percent to 12.45 percent. RACs must refund fees if their determinations are overturned on appeal.

Claims RACs May and May Not Review

RACs are limited to reviewing fee-forservice claims on a post-payment basis. Claims filed by any Part A or Part B provider are covered, including hospital inpatient and outpatient, skilled nursing facility, physician, ambulance and laboratory services, and durable medical equipment. RACs may not review Medicare managed care or drug program claims (although a RAC program for Medicare Advantage has been proposed). The look-back period is three years after the date the claim was paid.

RACs may not reopen claims subjected to post-payment review by a carrier, FI or MAC, nor are they allowed to review the same claim for the same issue. However, the same claims may be re-examined for a separate issue. For example, a claim reviewed for coding or DRG assignment subsequently may be examined for medical necessity. RACs also may not target high-dollar claims for that reason alone, though the dollar amount may be considered with other factors to identify possible payment- error patterns.

Types of Claims Reviews

Automated reviews. These generally pertain to unambiguous issues of internally incompatible claims data and are conducted without human intervention. Determinations must be based on written guidelines, except in cases of “clinically unbelievable” scenarios, such as a second appendix removal.

Automated reviews, conducted using proprietary software, are based on issues posted on each RAC’s website. Once a determination of error is made, the RAC issues a demand letter to the provider, and a 45-day appeal timeline starts. This is typically the first notice a provider receives of an automated audit because no records are requested in advance. The carrier, FI or MAC issues remittance advice to the provider with the code “N432: Adjustment based on Recovery Audit.” During the appeal period the provider can rebut the RAC determination directly and/or file an appeal. The RAC can reverse the determination based on rebuttal information, which is supplied by providers outside the formal appeal process, or the denial may be reversed on appeal. Appeals are adjudicated by independent third parties. If the provider does not challenge the RAC determination, file an appeal or repay the overpayment, the Medicare carrier, FI or MAC will recoup overpayment from future payments.

Complex reviews. These include issues such as DRG validation; appropriateness of coding, provider documentation and medical necessity; and suspected claim errors for which no written guidelines exist. ey are conducted by nurses, therapists, certified coding experts and other professionals based on records requested from providers. A full-time medical director oversees the process and must review claims determinations that are based on medical judgment without specific supporting Medicare guidelines.

Complex reviews also must be based on CMS-approved issues posted on the RAC website. The RAC issues a letter requesting medical records from the provider. Original, copied or electronic copies of records can be submitted. e claim is denied if the provider does not respond within 45 days plus 10 days for mail delivery. When records are supplied, RACs have 60 days to review them, make a determination and inform the provider by letter. The provider can present additional information during this time. Once an error determination has been made, the Medicare carrier, FI or MAC issues remittance advice and the RAC issues a demand letter. It must specify the amount and grounds for the denial. The provider can rebut the findings and has 30 days to appeal the decision or pay, after which the carrier, FI or MAC deducts that liability from future payments.

Providers also must be informed when an overpayment has not been identified. RACs must provide pending claims status via a website.

Full- and Partial-Claims Denials

RACs can deny claims fully or partially based on coverage or coding rules, or other reasons, including medical necessity as determined on a per-case basis.

A full denial occurs when a service is not covered, not delivered or was not medically necessary, and no other service could be justified in its place. The provider is liable for refunding the entire payment.

A partial denial occurs when the level of service is not supported by documentation, it occurred in an unnecessary setting such as an inpatient vs. an outpatient facility, was incorrectly coded, or a different service was provided than claimed. Partial denials also might result from failure of Medicare claims processors to apply payment rules, such as reduced payment for additional procedures performed during a surgical encounter.

When a project has a positive NPV, there is an expected positive cash flow over and above inflation and the targeted return. Such projects are financially appealing. If a project has a negative NPV, there is an expected negative cash flow or the project won’t generate enough cash to cover inflation and the targeted return. Such a project would be a financial drain on an organization over time.


When a RAC identifies an underpayment, the information is forwarded to the carrier, FI or MAC. The claims processor will validate the error and reimburse the provider. While RACs are not obligated to accept evidence of underpayments from providers, they can conduct audits solely for the purpose of identifying underpayments.

Note, however, that 96 percent of the errors detected in the RAC demonstration were overpayments. While this has dropped to 86 percent in the national program through the first calendar quarter of 2011, the bulk of errors are still against providers.

Minimiziing RAC Risk

Hospitals and systems can and should take a range of actions to minimize RAC risks. For the most part, these are standard documentation and compliance measures, such as ensuring that:

  • Treatment and admissions requirements comply with Medicare and Medicaid standards, and all clinical personnel follow them.
  • Critical service elements are documented by all care providers, most especially physicians.
  • Medical records systems accurately record services provided and include prompts to help ensure critical service functions are documented. and therefore availability and access
  • Coders understand and adequately capture critical reporting elements including case severity, primary and secondary diagnoses, as well as times, complications and interventions undertaken beyond the typical intervention scope; and accurately classify services accordingly.
  • Billers apply standard rules, such as reducing charges for additional surgical interventions provided during a single trip to an operating room, and durable medical equipment provided in conjunction with a system encounter is billed according to applicable rules.

Beyond these compliance measures, the limited timelines for complying with medical record requests and other requirements suggest that hospitals and systems should consider adopting the following RAC-specific measures:

  • A designated contact communicated to the regional RAC. This helps ensure that requests for records and other time-sensitive RAC requests are not overlooked.
  • A designated contact communicated to the regional RAC. This helps ensure that requests for records and other time-sensitive RAC requests are not overlooked.
  • Internal RAC audits. While RAC criteria for payment variances are the same as those applied by other Medicare auditors, given the concentrated incentives of RAC auditors and the brief response timelines, it may be worth conducting a compliance audit based on approved and pending RAC audit issues. Uncovering RAC issues will help prevent future losses. Disclosing payment issues prior to an audit may not prevent scrutiny, but demonstrates good will and an intent to comply, which could forestall or mitigate future actions by any enforcement agency.
  • RAC monitoring. A designated RAC team or team leader could be tasked with keeping pace with developing issues, coordinating responses to actual or potential RAC threats to ensure a timely response, and developing regular contact with RAC personnel. One problem that has emerged is that RAC requests for documents and demand letters have been sent to the general hospital address, resulting in critical delays in reaching appropriate personnel.

Given the apparent shift toward medical- necessity reviews, AHA Senior Associate Director of Policy Elizabeth Baskett suggests that educating physicians and nurses on the risks and proper documentation will play a big part in heading off future RAC audits. “Meeting with physicians and sharing with them that including a few notes on why they provided a specific service can mean hundreds of thousands of dollars to the bottom line. Closer collaboration with physicians will help,” she says.

Implications For Boards

Given the partially educational emphasis of the RAC program, evidenced by the dialogue opportunity available before the formal appeal process (see sidebar, page 17), options to communicate with RAC representatives on proposed audit issues and the mission of reducing provider errors, RAC may represent an opportunity for hospitals and other providers to understand and comply with clinical and reporting requirements. However, the financial incentives of the auditors to find errors, and the fact that most of the errors to date are on the provider side, inherently puts providers on defense.

Nonetheless, the best defense may well be a good offense. This starts with requiring comprehensive compliance efforts, and regular reporting of their activities to trustees. It also involves establishing relationships with the human beings responsible for RAC audits.

Hospital leadership, even at the board level, should cultivate relationships with RAC personnel, particularly the required full-time medical director. Emphasizing the hospital or network’s community-service mission as well as its congruity with, and honest attempts to meet, compliance requirements will build good will and help establish a moral and factual high ground should it be necessary to contest RAC decisions through the appeals process.

Letting RAC representatives know you are familiar with the appeals process and also are talking to their overseers in the payment contractor and CMS hierarchies can’t hurt, especially if you have confidence in your organization’s compliance efforts. Your position as a community representative with no direct financial interest will bolster your credibility in these discussions.

Operationally, the most important defensive measure is ensuring your system is in compliance with Medicare and Medicaid requirements. Such compliance should be part of the performance metrics for which top administrative officials are held responsible.

Because physicians are so intimately involved in diagnosing, documenting and providing qualified services, it is essential to ensure they are on board with these compliance measures. Such standards not only should be explicitly written into any physician employment or affiliation agreement, with appropriate financial incentives attached, but they also should be a main focus of physicians admitted to the system board. This can be facilitated by bringing physicians onto the board, and regularly soliciting physician participation in board discussions.

At the same time, line staff should communicate regularly with RAC staff regarding potential and approved audit issues to ensure compliance and head off audits.

While RAC may appear to be a threat, it also provides a useful external incentive to discipline hospital and health system operations. As such, it may be a useful tool for governance.

For more information and resources on RAC, go to

Howard Larkin, is a contributing editor to Hospitals & Health Networks magazine.