
Dr. Ronald Hirsch, June 20, 2019

Practice Audit Targets Become Compliance Risks for Hospitals


Twenty-four percent of the federal budget was spent on Medicare and Medicaid in 2017.


The Medicare Trust Fund is forecast to be depleted in 2026. Over 8% of Medicare fee-for-service payments in 2017 were made in error. These factors have all led Congress to apply more pressure to reduce the improper payment amount. While hospitals were the initial targets because of their higher reimbursement, recent efforts have shifted to physician billing.


Hospitals and health systems continue to acquire physician practices, making them liable for the billing activities of physicians. And for physicians who remain independent, the cost and effort required to respond to audits and denials can be financially devastating, further demonstrating the importance of prevention.


This article will address some of the common audit targets and mistakes made by physicians and provide strategies for physician practices and health systems to respond to and ultimately avoid these denials. 

An internist asked an interesting question on Sermo, an online physician-only discussion group. He stated, “I received an inquiry from Medicare about E&M (evaluation and management) codes on two hospital days in early December 2014 for a patient. It asked for supporting documentation. I sent the hospital progress notes, labs and a letter explaining my services for her. 6 weeks later the explanation of benefits was received with full payment for those days. Yesterday I received a letter asking for refund of a $49 and some odd cents overpayment with no more info than the dates of hospital admission that match that same patient. Should I bother?”


So, Should the Doctor Bother?

While the answer is obvious to most readers (yes, the doctor should bother), the responses from the physician community were varied and enlightening. A radiologist who is also a lawyer stated, “It can be extrapolated back over other payments for that year, costing you a lot more than $49. Yes - you should bother.” A psychiatrist who has opted out of Medicare and clearly is not a fan of payers of any type provided a lengthy answer, stating, “The bureaucrats will spend $500 of taxpayer money to collect $50. One thing I've noticed is that when confronted personally they tend to roll over easily. If you have time and are eager for some amusement, you can cause them a mountain of paperwork and they may likely back off.” And one family practitioner even wrote in jest (but reflecting a deep-seated sentiment), “Send $49 check back with an unknown white powder all over it.”


Billions at Risk

The U.S. government estimated that in 2017 8.1% of all fee-for-service Medicare payments were made in error, totaling over $31 billion.1 While physician payments constitute only 20% of all Medicare payments, compared to 33% for hospital services,2 many of the audit agencies tasked by the federal government with reducing improper payments view themselves as equal opportunity auditors, looking at all sources of improper payments, regardless of the value. Other than the Recovery Audit program, where auditors are paid a contingency fee, auditors are paid to audit a specified number of claims, so value is not a consideration.


There is also a seemingly increasing number of audit agencies tasked by the government to audit. The Comprehensive Error Rate Testing (CERT) and the Payment Error Rate Measurement Program (PERM) are tasked with performing audits of random claims to look for areas with high error rates. The Medicare Administrative Contractors (MACs), the agencies that process and pay all claims, conduct periodic audits of issues referred to them by the CERT and discovered through their own analysis of claims. The Supplemental Medical Review Contractor (SMRC) reviews issues referred to it by the Centers for Medicare and Medicaid Services (CMS) directly. The Medicaid Fraud Control Unit (MFCU) audits Medicaid claims. The Recovery Audit Contractors (RACs) audit based on issues approved by CMS. The Unified Program Integrity Contractor (UPIC) seeks out fraud, waste, and abuse throughout Medicare and Medicaid. And finally, the Office of the Inspector General (OIG) of the Department of Health and Human Services conducts targeted reviews not only to detect overpayments but also to detect fraud.


But for physicians, the times they are a changin’. While hospitals have always been under the audit gun, CMS has been collecting data on physicians, both passively in the form of billing data and actively beginning with the Physician Quality Reporting System, later inexplicably changed to the Physician Quality Reporting Initiative. Then the first public wake-up call for physicians came in 2014, when CMS released all physician billing data for 2012. While CMS released the data in huge unwieldy data files, several news organizations, such as the Wall Street Journal,3 reworked the data into a simple searchable database that allows any user to see a physician’s billing data in comparison to their peers. This gave patients insight into their physician’s billing patterns and gave whistleblowers opportunities to look for outlier billing patterns. Around the same time, CMS developed a new policy (although it took them four tries), referred to as Transmittal 541, that allows CMS contractors to deny payment to physicians for a related claim if a payment to a hospital is denied.4


Audit Issues from Small to Large

The issues for physicians are myriad, ranging from $3 lab errors to denials of payment for major surgery. The first rule of audits is to respond to the audit. If a physician receives a request for records, not responding is not an option. It is the responsibility of the provider billing for the service to obtain the documentation to support the claim. When MACs perform audits, approximately 4% of hospitals do not send the requested documents, but this author has seen published audit results where up to 40% of physician claims were denied for lack of response. In many of those cases, the service was provided at the hospital and the office staff incorrectly assumed the hospital would send the records. One published CERT audit indicated that the physician office staff even took the time to notify the auditor that they had no records and suggested the auditor contact the hospital. Even more egregious, one physician office responded to a CERT audit by demanding a $30 payment before the medical records would be sent. Ignoring requests for records, asking for payment for records and expecting the auditors to do the work to obtain the records from a third party are three strategies that no physician practice should adopt.


Let’s now look at some common audit targets. Starting at the low end of the spectrum, many physicians have in-office laboratories and therefore are permitted to bill Medicare for those tests. For any test billed to Medicare, there must be an order for that test or a notation in the record of the intent to perform the test. The medical record must also support the medical necessity to perform the test. The test performed must also match the test ordered, and that is the source of most denials. For example, if a physician orders a complete blood count (CBC), the lab should perform and bill for a CBC and not a CBC with differential, even if that is the test the doctor wanted. If the office is using an electronic health record and the physician usually intends to order a CBC with differential, this can be avoided by ensuring that the correct option is the most easily available to the physician on the lab order screens. Nurse visits, assigned a HCPCS code of 99211, are also scrutinized. It is not enough that a nurse performs a service such as a venipuncture, finger stick blood test or blood pressure check; the results must be relayed to the provider, action taken if appropriate and those activities documented.


It’s Critical to Get Critical Care Coding Correct

Critical care coding by physicians, HCPCS codes 99291 and 99292, is also commonly audited and denied. To use a critical care code, the patient must be acutely critically ill and the physician must spend 30 or more minutes caring for the patient. The patient does not need to be in a critical care unit to receive critical care services; they can be provided in the office, the emergency department, or in any unit within the hospital. The auditors will be looking for documentation indicating that the patient is acutely critically ill, with an imminent threat to their health. The use of words such as “stable” or “continue present management” portrays a patient who may have a serious illness but is not acutely ill. The overuse of critical care codes is prevalent; an audit performed by this author at one east coast hospital found an error rate of approximately 75%.


Does the Patient Need that Surgery?

Medical necessity has always been an issue for hospitals, with the RACs scrutinizing the medical necessity of inpatient admissions since 2007, and an increasing number of auditors looking at high volume, high dollar surgeries such as spine surgeries and joint replacement surgeries. In 2011, First Coast Services became the first MAC to deny physician payment when it was determined that the surgery was not medically necessary. First Coast’s initial audit of total joint replacements had an astounding 92% denial rate. The medical director of the MAC did clarify that this did not mean that 92% of patients had a surgery they did not need; rather, the medical record contained insufficient information to determine that the surgery was medically necessary. In many cases, that documentation was present in the physician’s office record but was not incorporated into the hospital medical record.


To avoid these denials, many hospitals are now requiring copies of the physician office records before allowing the surgery to be scheduled. As an added incentive for the physician’s office to cooperate with these efforts, it should be noted that if the hospital and physician are denied, the physician must appeal their denial on their own; they cannot piggyback on the hospital’s denial. One CERT denial illustrates the risk of medical necessity issues. In denying a laminectomy, the CERT reviewer noted, “Per CERT Physician Specialist, disagree with procedure of lumbar laminectomy and admission as being reasonable and necessary. She had multiple post-operative complications including hypotension and respiratory failure which would have been avoided if she had not had surgery.” Performing a medically unnecessary surgery on a patient is a problem; having the patient develop life-threatening complications from that unnecessary surgery is indefensible.


Non-surgeons Are Not Immune to Medical Necessity Denials

Proceduralists such as gastroenterologists, cardiologists and electrophysiologists are similarly at risk for medical necessity denials. If a colonoscopy is performed sooner than recommended by the professional society guidelines, a cardiac stent is placed in an artery without clinical justification, or a defibrillator is placed in a patient who does not meet the national coverage determination established by Medicare or the insurer, the physician can expect a denial of payment. Amazingly, a study published in 2011 found that over 22% of defibrillators placed in this country were inappropriate.5


And while the pain of having their professional fee recouped is bad, there are now cases where personal injury attorneys have recruited patients based on published audit results and have filed personal injury lawsuits, claiming the patient suffered harm undergoing an unnecessary procedure.6 It is clear that the medical record must have clear documentation of the medical necessity of the planned procedure, along with the discussion of the risks, benefits, and alternatives that took place.


Drug Administration Billing Ripe for Audit

Medication administration in the physician office also poses significant compliance and financial risk. It is much more cost-effective for the payer and convenient for the patient if their medication can be administered in the physician office rather than in a hospital-based infusion center. But that also shifts the compliance and financial risk to the physician practice as they must acquire the medication, then properly bill for both the medication and the administration of the medication. While it would seem straightforward to be able to bill for 100 milligrams (mg) of a medication, billing rules specify how many milligrams are in one billing unit; that medication may be 5 mg per unit, so billing would be for 20 units.


There are also many medications that are dosed based on the patient’s body weight or surface area, so there is the added step of ensuring the dose is calculated correctly. An audit published by Palmetto GBA, a MAC, of claims for bevacizumab (brand name Avastin), a chemotherapy for several types of cancer, found that 40% of patients received an incorrect dose, 16% did not have documentation to support the medical necessity of the medication, 12% were billed with the incorrect number of units and 8% had no physician order for the medication. While some of these could be considered clerical errors, such as incorrect units or lack of an order, lack of documentation of medical necessity and incorrect dosing lead into the realm of the quality of the care itself.


FDA Approval Is No Guarantee of Payment

The final risk to consider is the adoption of new technologies by physicians. Using the Food and Drug Administration’s (FDA) 510(K) process, there is a very low hurdle to get FDA approval for the use of new technologies; the manufacturer merely must show equivalence to an existing technology and is under no obligation to demonstrate that the technology improves patient outcomes. But FDA approval is completely independent of approval by CMS or commercial insurers for payment. Often these new technologies are assigned a new billing code and if the procedure and new code are not approved by the payer, the claim will be denied. Such is the case with the minimally invasive lumbar discectomy. While FDA-approved, it is considered non-covered by CMS and most commercial insurances, including United HealthCare, Anthem and Cigna. That means a physician may perform the procedure but there will be no reimbursement from the insurance. The facility will not get paid for the operating room time, the surgeon won’t get paid for performing the procedure, and the patient has no financial obligation, unless notified pre-operatively. To add insult to injury, the device manufacturer will still be paid for the use of their technology. The FDA’s 510(K) process has received a significant amount of publicity in the lay press since the publication of The Implant Files7, an international effort by a consortium of journalists to look at the safety of implanted medical devices.



The parallel increase in physician practice acquisition by hospitals and health systems and physician billing audits may be a coincidence, but it’s also a huge new risk for hospitals. In general, doctors in private practice get no formal compliance training; they get their education in the physician’s lounge from other doctors. And you can imagine how reliable that is. And as hospitals and health systems continue to acquire physician practices, the doctor’s usual way of doing things now becomes the hospital’s risk. Understanding these common errors is the first step toward increased compliance for physician practices, both independent and hospital-owned, and toward ensuring they properly bill for services and can keep the money they collect.


1 accessed June 3, 2019

2 accessed June 3, 2019

4 accessed June 3, 2019

5 accessed June 3, 2019

6 accessed June 3, 2019

7 accessed June 3, 2019

This article first appeared in The Journal of Medical Practice Management.

Author Bio: Ronald Hirsch, MD, FACP, CHCQM-PHYADV, CHRI, FABQAURP is vice president of the Regulations and Education Group at R1 Physician Advisory Services. Dr. Hirsch’s career in medicine includes many clinical leadership roles at healthcare organizations ranging from acute-care hospitals and home health agencies to long-term care facilities and group medical practices. In addition to serving as a medical director of case management and medical necessity reviewer throughout his career, Dr. Hirsch has delivered numerous peer lectures on case management best practices and is a published author on the topic.