Navigating CMS Audits:

Understanding the Different Types: RAC, CERT, UPIC, MAC, SMRC & OIG Audits

For healthcare providers, CMS audits can be a daunting reality. Whether it is a RAC audit looking for overpayments, a CERT audit measuring error rates, or a UPIC audit investigating fraud, understanding the differences between these audits is crucial. While they share a common goal of ensuring compliance, each audit serves a distinct purpose, follows different procedures, and carries unique risks.

Knowing how they are related—and more importantly, how they are not—can mean the difference between a simple documentation request and a full-blown investigation. The following information breaks down the differences, their impact on your practice, and the best strategies to manage each effectively.

 

CMS Audit Types

CMS conducts several different types of audits to ensure compliance, prevent fraud, and recover improper payments. The primary types of CMS audits include:

1. Recovery Audit Contractor (RAC) Audits
2. Comprehensive Error Rate Testing (CERT) Audits
3. Unified Program Integrity Contractor (UPIC) Audits
4. Medicare Administrative Contractor (MAC) Audits
5. Supplemental Medical Review Contractor (SMRC) Audits
6. Office of Inspector General (OIG) Audits

 

Audit Type	Purpose	Conducted By	Focus	Key Differences
RAC (Recovery Audit Contractor)	Identifies overpayments & underpayments in Medicare claims	Private contractors hired by CMS	Post-payment reviews of claims using data analytics	Primarily financial, focuses on billing errors and improper payments
CERT (Comprehensive Error Rate Testing)	Measures improper payment rates in Medicare & Medicaid	CERT contractors on behalf of CMS	Random sampling of claims to assess error rates	Used for statistical reporting, not for direct recoupment of payments
UPIC (Unified Program Integrity Contractor)	Investigates fraud, waste, and abuse	Specialized CMS contractors	Pre-payment and post-payment reviews, often triggered by suspected fraud	More aggressive, can lead to referrals for law enforcement action
MAC (Medicare Administrative Contractor)	Oversees claims processing, provider education, and local audits	Various MACs based on jurisdiction (e.g., Palmetto GBA, Noridian, NGS, WPS)	Pre-payment & post-payment reviews, appeals processing	Conducts focused reviews but does not primarily focus on fraud detection
SMRC	Performs specialized claim audits based on CMS directives	Noridian Healthcare Solutions	Identifies high-risk providers, medical necessity reviews, targeted claim audits	Typically focused on specific provider types or services flagged by CMS
OIG	Detects fraud and program abuse through investigations and audits	U.S. Department of Health & Human Services (HHS) OIG	Compliance violations, financial mismanagement, improper claims	Often leads to criminal/civil penalties or exclusion from Medicare

 

How Are They Related and Not Related?

Related: All audits are CMS-driven and aim to ensure compliance, reduce improper payments, and maintain program integrity. They can overlap in reviewing the same providers or claims.

Not Related: They serve different purposes—RAC audits focus on payment recovery, CERT audits on error rate measurement, and UPIC audits on fraud and abuse investigations.

 

Should They Be Handled the Same Way?

No, but with some similarities. While proper documentation and compliance are critical for all audits, RAC audits typically allow for appeals to dispute payment recoveries, while UPIC audits can lead to serious consequences such as payment suspensions or criminal investigations.

CERT audits require no direct appeal, as they do not result in payment recoveries. Instead, the data collected informs future CMS policies and payment rules.

 

Best Approach for Handling Different CMS Audits

• RAC Audits: Respond promptly, submit requested documentation, appeal denials when appropriate.
• CERT Audits: Provide accurate documentation but recognize that findings will not lead to direct recoupment.
• UPIC Audits: Take them very seriously, consult legal/compliance experts if necessary, and prepare for possible enforcement actions.
• MAC Audits: Stay proactive by reviewing CMS guidelines, responding to pre-payment reviews quickly, and utilizing the appeals process if claims are denied.
• SMRC Audits: Understand the reason for selection, submit complete medical documentation, review findings carefully, and use results to improve compliance.
• OIG Audits: Treat these audits with urgency, seek legal counsel immediately, and ensure full compliance to mitigate risks of penalties.

 

The RAC program identifies over and under payments selecting random samples of claims and requesting corresponding medical records focusing on billing errors and incorrect payments. The primary RAC contractors responsible for these reviews are:

 

1. Region 1 (Northeast)

RAC Contractor: Performant Recovery, Inc. https://www.performantcorp.com/home/default.aspx

• MAC Coverage: Covers the northeastern part of the U.S., including:
• J6 MAC: National Government Services (NGS) – Serving states like Connecticut, Maine, Massachusetts, New Hampshire, New York, Rhode Island, Vermont.
• JK MAC: National Government Services (NGS) – New York and New England area.

2. Region 2 (Midwest)

• RAC Contractor: Cotiviti, LLC https://www.cotiviti.com/
• MAC Coverage: Primarily covers states in the Midwest:
• J8 MAC: Wisconsin Physicians Service Insurance Corporation (WPS) – Includes states like Indiana, Michigan.
• J5 MAC: Wisconsin Physicians Service Insurance Corporation (WPS) – Serving Iowa, Kansas, Missouri, and Nebraska.

3. Region 3 (South) 

• RAC Contractor: Performant Recovery, Inc. https://www.performantcorp.com/home/default.aspx
• MAC Coverage: Covers the Southern states, including:
• JH MAC: Novitas Solutions – Includes states like Texas, Arkansas, Louisiana, Mississippi, and Oklahoma.
• JJ MAC: Palmetto GBA – Serving Alabama, Georgia, Tennessee, and South Carolina.
• JF MAC: Noridian Healthcare Solutions – Serving states like North Carolina, Virginia.

4. Region 4 (West)

• RAC Contractor: Cotiviti, LLC https://www.cotiviti.com/
• MAC Coverage: Covers the Western states:
• JF MAC: Noridian Healthcare Solutions – Serving states like Arizona, Montana, North Dakota, South Dakota, Utah, and Wyoming.
• JE MAC: Noridian Healthcare Solutions – Includes California, Nevada, and Hawaii.
• J15 MAC: CGS Administrators – Serving Ohio and Kentucky.

5. National RAC for Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS)

• RAC Contractor: Performant Recovery, Inc. https://www.performantcorp.com/home/default.aspx
• MAC Coverage: Nationwide coverage for DMEPOS claims.

 

CMS employs various contractors to ensure the integrity of Medicare payments and services. Among these are the Comprehensive Error Rate Testing (CERT) contractors and Unified Program Integrity Contractors (UPICs), each serving distinct roles and covering specific geographical areas.

 

Comprehensive Error Rate Testing (CERT) Contractors:

The CERT program measures the accuracy of Medicare Fee-for-Service (FFS) payments by selecting random samples of claims and requesting corresponding medical records to verify proper payment. The primary CERT contractors responsible for these reviews are:

 

1. Empower AI, Inc. https://www.empower.ai/

• Responsible for selecting random samples of processed claims and reviewing the associated medical records to determine compliance with Medicare coverage, coding, and billing rules.

2. The Lewin Group, Inc. https://managementconsulted.com/consulting-firm/lewin-group/

Conducts statistical analysis on the claims reviewed to calculate improper payment rates and identify error patterns.

 

Unified Program Integrity Contractors (UPICs):

1. Midwestern Jurisdiction:

• Contractor: AdvanceMed (a subsidiary of NCI, Inc.) https://www.gao.gov/products/b-414373.3
• Coverage Area: Includes states such as Illinois, Indiana, Iowa, Kansas, Kentucky, Michigan, Minnesota, Missouri, Nebraska, Ohio, and Wisconsin.

2. Western Jurisdiction:

• Contractor: Qlarant https://www.qlarant.com/solutions/
• Coverage Area: Encompasses states like Alaska, Arizona, California, Hawaii, Idaho, Nevada, Oregon, and Washington.

3. Southeastern Jurisdiction:

• Contractor: Safeguard Services
• Coverage Area: Covers states such as Alabama, Florida, Georgia, North Carolina, South Carolina, and Tennessee.

4. Northeastern Jurisdiction:

• Contractor: CoventBridge https://www.healthplanalliance.org/assnfe/cv.asp?ID=602249
• Coverage Area: Includes states like Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania, Rhode Island, and Vermont.

5. Southwestern Jurisdiction:

• Contractor: Qlarant https://www.qlarant.com/solutions/
• Coverage Area: Encompasses states such as Arkansas, Colorado, Louisiana, New Mexico, Oklahoma, and Texas.

 

Summary

• For detailed contact information and to identify the specific UPIC assigned to your state, CMS provides a https://www.cms.gov/data-research/monitoring-programs/medicare-fee-service-compliance-programs/review-contractor-directory-interactive-map allowing providers to access state-specific CMS contractor details.
• Understanding the roles and jurisdictions of these contractors is essential for healthcare providers to ensure compliance and effectively address any inquiries or audits initiated by CMS.
• Most importantly, even if you have not faced a CMS audit yet, it is crucial to be prepared for when that day comes. Maintaining compliance is not just about passing audits – it is about ensuring accuracy, integrity, and adherence to regulations every single day.

References: CMS

 

StreamlineMD provides Revenue Cycle Solutions to Radiology & Interventional Specialists. Our Mission is to Improve Healthcare for All Americans.  Our Core Values that guide us on our mission are Service Quality, Teamwork, Accountability, Efficiency, Adaptability, Communication, and Integrity. Proud winner of the Great Place To Work award. Learn more about us at streamlineMD.com.