Billing Medicare or Medicaid? Understanding Your Audit Risk


If you are a healthcare provider enrolled with Medicare and Medicaid, it is imperative that you know the governmental agencies’ expectations for compliant billing and understand that the agencies constantly monitor and audit provider claims to identify aberrant claims submissions and billing patterns.  This article summarizes several primary governmental agencies and Center for Medicare and Medicaid Services (“CMS”) contractors who conduct audits of healthcare claims reimbursed by Medicare and Medicaid and provides information as to how to monitor and identify the current audit targets of these auditors.

The Department of Health and Human Services Office of Inspector General (“OIG”)

The OIG is the largest inspector general in the federal government that is tasked with combatting fraud, waste and abuse in the Medicare and Medicaid programs. The OIG announces its projects in a web-based “Work Plan” which is updated monthly and is searchable by topic.[1] While a provider is unlikely to receive an audit directly from the OIG, it is imperative to stay on top of current OIG audit targets as CMS directs its agencies and contractors based on OIG investigative audit reports. Current OIG audit projects include a focus on telehealth, the implementation of COVID-19 waivers and flexibilities and home health/hospice claims. In June of 2023, the OIG announced an “Audit of Selected High-Risk Medicare Hospice General Inpatient Services” (“Hospice GIP”).[2]

Supplemental Medical Reviewer Contractor (“SMRC”) 

CMS utilizes Noridian Healthcare Solutions to conduct nationwide reviews of Medicaid and Medicare Part A, Part B and DME claims. The claims for review are often identified by CMS data mining, including Comparative Billing Reports which highlight providers who have billing and payment patterns that are different than their peers. The SMRC has the ability to use statistical sampling to extrapolate overpayments it identifies. The SMRC project list is updated on a regular basis and was last updated on June 8, 2023.[3] Hospice GIP claims are also included on the SMRC project list.

Targeted Probe and Educate (“TPE”)

The TPE is the only CMS auditing mechanism that allows for direct communication with a Medicare Administrative Contractor (“MAC”) to identify errors and correct them. The MAC will review 20-40 claims for up to three rounds. If a provider is found compliant before three rounds of education are completed, the provider will not be audited on the same topic for a year. However, if a provider continues to be non-compliant after three rounds of education, then the MAC will most likely take punitive action. This action can include placing the provider on pre-payment review, issuing overpayments (that can be extrapolated) and referring the matter to a Recovery Auditor Contractor. Current TPE audit topics can be found on the MAC websites and commonly involve certification and eligibility issues for hospice and home health claims.

There is currently a nationwide TPE audit of five claims for every skilled nursing facility (“SNF”) to determine if services are being properly billed under the SNF payment model that became effective in 2019.[4] However, unlike traditional TPE audits, only one round of review and education will be offered.

Unified Program Integrity Contractors (“UPICs”)

UPICs perform fraud, waste, and abuse detection, deterrence and prevention activities for Medicare and Medicaid claims. UPICs can identify overpayments, extrapolate overpayments, and impose payment suspension. There are five UPIC jurisdictions and three UPIC contractors: Qlarant Integrity Solutions, CoventBridge, Inc., and Safeguard Services, LLC. UPIC audits often focus on: (1) kickbacks; (2) routine waiver of co-payments; (3) false certificates of medical necessity, plans of care, or other records; (4) billing for services not rendered; (5) misrepresenting the diagnosis to justify payment; and (6) beneficiaries sharing Medicare cards.[5]

Medicare and Medicaid Recovery Audit Contractors (RACs)


Medicare RACs are contracted by CMS and given incentives based on the amount of overpayments collected. There are four regions for the Medicare RACs handling Part A and B claims. Performant Recovery, Inc. is the RAC for Region 1 and 2, and Cotiviti, Inc. is the RAC for Region 3 and 4. For DME claims, there is one RAC:  Performant Recovery, Inc. CMS determines the RAC audit topics.[6]


Medicaid RACs are contracted by state Medicaid agencies and given incentives based on the amount of overpayments collected. Current audit topics and the results of RAC audits can typically be found on the State Medicaid’s website. For example, in South Carolina, Health Management Systems (HMS) is the RAC for South Carolina Medicaid – Healthy Connections.[7]

Audit Medicaid Integrity Contractors (Audit MICs)

CMS contracts with Audit MICs to conduct post-payment audits of Medicaid providers nationwide to identify overpayments and to ultimately decrease the payment of inappropriate Medicaid claims.[8] Audit MICs perform field audits and desk audits.

Medicaid Program Integrity Divisions, Fraud Units, and Medicaid Managed Care Oversight

State Medicaid programs often have internal divisions of Program Integrity tasked with identifying, preventing, and recovering losses resulting from fraud, waste, and abuse. These divisions not only receive complaints and tips regarding suspected fraud and abuse, they also conduct their own audits and investigations. In the event of suspected fraud, the Medicaid agency will turn over the investigation to its Medicaid Fraud Control Unit (MFCU), which operates separately from the Medicaid agency.[9] The Medicaid program integrity divisions also provide oversight over Medicaid-managed care organizations.[10]

Medicare and Medicaid Post-Payment Reviews

MACs and state Medicaid agencies can also conduct post-payment reviews on their own. Current medical review activity can usually be found on the MAC and state Medicaid agency websites.[11]


Providers billing Medicare and Medicaid need to understand their audit risk by understanding who can audit them and what the current audit targets are. Providers should consider making sure a compliance officer or other designated person monitors the OIG work plan, the MAC and state Medicaid audit project websites, and CMS auditing websites. Although outside the scope of this article, this monitoring should include topics that the commercial payors are identifying as audit targets.

If you need assistance with implementing an audit monitoring plan, policy, or process, or with navigating a current audit, the healthcare attorneys at Maynard Nexsen are here to help.









[9] MFCUs operate in all fifty states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands.

[10] This CMS Focused Program Integrity Review (2017) describes how the South Carolina Medicaid integrity functions are structured.

[11] For example, Novitas Solutions, MAC JH for Arkansas, Colorado, Louisiana, Mississippi, Louisiana, Oklahoma and Texas, lists their audit topics here:

About Maynard Nexsen

Maynard Nexsen is a full-service law firm with more than 550 attorneys in 24 offices from coast to coast across the United States. Maynard Nexsen formed in 2023 when two successful, client-centered firms combined to form a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies. 
