The Complete Guide to Recovery Audit Contractor (RAC) Audits

Nov 16, 2021 | Articles, Audit and Compliance

Introduction: What is a RAC Audit?

Medicare Recovery Audit Contractor Audits (RACs, or RAs) were introduced beginning in 2005 to identify and recover improper payments made in Medicare and Medicaid transactions between providers and payors. They were (and are) conducted by Recovery Audit Contractors (also known as RACs).

These contractors reach out to providers to review specifically requested claims and confirm all parties were compensated fairly. If the auditor determines a payment was improperly made, and one party was over- or underpaid, funds change hands to correct the payment based on the auditor’s findings.

Over the years, the role of RAC audits has diminished. Recovery Audits have become less frequent and intense, but they have not disappeared entirely. Providers within the healthcare space should still be aware of best practices for RAC audit response and how to translate those tactics into an optimized response to other audit types.

Chapter One: History of Recovery Audits

RAC audits were introduced in 2005, peaked around 2010 and experienced a slowdown from that point on. To understand the role of RAC audits in today’s healthcare finance space, it’s important to know how they started and why they have diminished.

A history of recovery audit contractors

Introducing the RAC Audit Program

In 2006, Congress authorized the Centers for Medicare & Medicaid Services (CMS) to initiate the Recovery Audit Contractor (RAC, now RA) program in three states: New York, Florida, and California. Audits originally focused on detecting incorrect coding, duplicated services, fraud and more.

Arizona, Massachusetts, and South Carolina were added to the project in 2007, and Congress expanded the RAC program nationwide in 2010.

Problems with Recovery Audit Contractors

When the RAC program was rolled out nationwide, it presented three key challenges that providers found difficult to overcome.

    1. Overly aggressive RACs: RAC audit fees were (and still are) paid out by CMS on a contingency fee basis, meaning the more dollars they denied and “recovered,” the higher the fees they collected. This model essentially incentivizes RACs to be aggressive in their audit approach, especially in regard to hospitals with high-value claims.
    2. More paperwork, less time: Most providers were not prepared for the onslaught of medical record requests and often sustained denials simply because they were not able to respond and submit records on time.
    3. Overwhelmed appeals process: Over a short period of time, the Medicare appeals process became overwhelmed with provider claims at all levels. Appeals response became extremely slow.

With all these issues causing providers grief in the RAC audit process, change was inevitable and RAC audits began to slow. There are conflicting anecdotes and explanations as to why, but whatever the case, CMS noticeably backed down in terms of RAC audit frequency and document requests in the mid-2010s.

A new era of RAC audits

CMS re-launched the RAC audit program in 2018 with new rules and guidelines for audits. The biggest changes included:

    1. Reduction in the number of documents a Recovery Audit Contractor could request in a certain time frame. This meant fewer audits with fewer document requests per audit.
    2. Increase in CMS’s willingness to engage in mass settlements. The backlog in the appeals process became so overwhelming that CMS began to settle appeals to save time.

With these key changes in place, RAC audits started back up with a bit less chaos. These audits ran as usual before pausing in March 2020 as a result of the declaration of a national health emergency due to the COVID pandemic. After a brief break, RAC audits began again in August of 2020 and continue today. They are now often referred to as just “RAs.”

Dive deeper: What Does a Recovery Audit Contractor Do?

Chapter Two: Types of RAC Audits

Before we look at the specific types of Recovery Audit Contractor audits, let’s review where they lie in the overall audit landscape.

At a high level, there are two main types of healthcare audits that providers face: internal and external.

The different types of healthcare audits

Internal audits in healthcare

An internal audit takes place entirely inside the hospital facility. Hospitals can commission an internal examination of finances to identify problems that may be either standard-of-care based or patient-safety based. They also perform audits for process improvement reasons.

External auditing in healthcare

An external healthcare audit is an examination of a hospital’s services and reimbursements or processes. The audit works to determine if the proper standard of care was followed and if the provider was paid appropriately. Audits find either underpayments, where the hospital did not receive enough payment from the payor, or overpayments, where the hospital actually owes money back to the payor.

There are two main entities that conduct external audits: commercial insurance companies and the U.S. government. Many of these audits are performed by third-party contractors.

Commercial insurance healthcare audits

When a hospital establishes its contract with an insurance company, it assumes the company will conduct audits. Contracts establish parameters around what can be audited and how the hospital must respond to that audit.

Government healthcare audits

Unlike commercial audits, which are based on negotiated contract parameters, government audits are based upon federal and state laws and regulations. There are two types of government-sponsored health programs: Medicare and Medicaid. Both can be audited by RACs.


Medicare audits are conducted on a federal level by third-party Recovery Audit Contractors (RACs).


Medicaid audits are conducted by many of the same third-party RAC auditors. The biggest difference is that any RAC auditors conducting Medicaid audits must possess acute knowledge of a state’s Medicaid laws. Medicaid laws and frequency of audits vary from state to state, so knowledge and experience are key to identifying improper payments.

Types of RAC audits

There are two primary types of RAC audits: automated and complex.

• Automated RAC audits

An automated RAC audit does not require submission of medical documentation, instead using claims data analysis and knowledge of federal policies and regulations to make a judgment. There are also semi-automated audits in which medical documentation is not required, but providers have the option to submit it if they choose.

• Complex RAC audits

A complex RAC audit goes beyond policy analysis and almost always requires uploading medical documentation to make a final judgment on the audit outcome.

If you aren’t sure which RAC audit type you’re working with, consult the initial communication received from the Recovery Audit Contractor. If the initial letter requests documentation, it is most likely a complex review.

Dive deeper: The Types of Healthcare Audits

Chapter Three: RAC Audit FAQ

With so many levels and types, it’s clear that audits can be complex. Adding in government legislation doesn’t necessarily make the process easier. The following frequently asked questions can provide additional clarity on the why and how of RAC audits.

Q: Who is subject to a RAC audit?

Any healthcare provider that submits claims to Medicare or Medicaid is subject to RAC audits.

Q: Who conducts RAC audits?

The Centers for Medicare and Medicaid Services (CMS) contracts with private companies who conduct RAC audits. There is one RAC auditor award per RAC region and each audit contractor is a full-service firm, not one person. You can find a list of the five current Recovery Audit Contractors here.

Q: How many RAC regions are there?

There are currently five RAC regions. Four are composed of a specific group of geographically located states. The fifth is nationwide. The nationwide RAC audit region is dedicated to reviewing Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) and Home Health / Hospice claims only, while the remaining four review all other claims.

Q: How far back can RAC audits go?

RAC audits can look back up to three years from the date the claim was originally paid. Originally, auditors could look back up to four years, but this was changed to three shortly after the program rolled out nationwide.

Q: What triggers a Medicare audit?

To trigger the start of an audit, the payor will usually send an official letter of intent to audit and request documentation (ADR). The audit starts based on the date indicated in the letter, regardless of when the provider received the request. This notification process can also now come electronically through the esMD Gateway.

Chapter Four: The Audit Process

The timing of an audit is dependent entirely upon the payor. If a RAC auditor wishes to conduct an audit, the provider must comply. Once an audit begins, the initial response process is largely the same regardless of whether it was triggered by a RAC auditor, commercial payor or other audit contractors.

1. Receive the Additional Document Request (ADR)
Whether via paper mail or e-mail, the auditor will send an ADR to start the audit. At this point, every action you take is considered time-sensitive.

2. Collect documentation
Work with your health information management (HIM) department to pull the proper medical records required for your audit response. You will also need to pull associated documentation like physician’s notes to be thorough.

3. Review collected documentation
Once you have collected all your required medical records, conduct a final review to double-check your work and verify the documents correspond with the ADR from the payor. Triple-check your work if possible.

4. Submit all documentation
Finally, submit all documentation to officially respond to the audit in a timely manner. With RAC audits, the payor provides a standard number of days to submit needed materials. With commercial insurance audits, the number of days you have to respond to an audit depends on the requirements in the payor contract.

5. Receive audit results
Audit results usually come in the same form of communication as the ADR, oftentimes an official letter. The audit may find no discrepancies in the process and conclude that the transaction was processed correctly. If this is the case, the healthcare audit process ends here.

However, the audit may also uncover a discrepancy in the transaction in the form of over- or underpayment. If this is the case, the payment adjustment will be reflected in your next payment by the specific payor.

6. Decide whether to appeal results
If you were found to have been overpaid on an audit and disagree with the results, you are able to appeal the decision.

The appeal process is where things start to diverge between RAC audits and commercial audits. While RAs have clearly defined appeals processes and levels, the appeals processes of commercial insurance companies are based on individual contracts. Review your contract carefully to make sure you understand and correctly follow your appeals process, should you choose to take this route.

7. If appealing, repeat steps 2-4
Appealing essentially involves repeating steps 2-4. Like the original audit, the appeal will be time-bound and require its own set of paperwork. At this point, you will once again have to wait on audit results. If the results turn in your favor, the process ends.

If the results of a RAC audit appeal remain the same and you continue to feel strongly that they should be different, you can appeal to higher and higher levels. This is not always the case with commercial insurance companies. Check your individual contracts to determine whether you can appeal further.

Once you settle your appeal one way or another, it’s back to business as usual. You will continue to receive new ADRs, return to step one and repeat the process over again.

Dive deeper: The Healthcare Insurance Audit Process

Chapter Five: What Can You Do To Improve Your RAC Audit Process?

Before the ADR even arrives on your doorstep, you can take steps to train your team and implement processes designed to simplify your response process.

• Read up on the audit process

The first way to prepare is reading resources like this article and others across the web. Credible sources can provide authentic accounts of what to expect based on their own experiences. Sources like Becker’s Hospital Review, the Health Care Compliance Association (HCCA) and RAC Monitor are excellent for keeping up with breaking news and developments in the audit space.

• Consult colleagues in other organizations

Speaking with colleagues in the industry at conferences, networking events or even in online forums and groups can also be helpful. Ask about their experiences with audits in their organization and how they handled any roadblocks.

• Build your team

Define roles within the audit response process. A good team, at minimum, consists of:

  • Documentation lead
  • Project manager
  • Doctor or nurse
  • Quality assurance team member

Include as many employees as your organization needs to send a timely, complete audit response.

• Try a mock audit

Because audits are best learned by doing, rather than reading, some teams also choose to conduct mock audits, especially during new employee onboarding. These fake audits help identify weak spots early on and allow for course correction prior to the real deal.

• Set up appropriate technology

Some teams use several spreadsheets or offline systems for monitoring audit response procedures. We recommend investing in technology designed to handle tracking from day one.

A “backbone platform” is a technology-based solution dedicated to managing your audit response process. The proliferation of workflow management systems and related software systems means that mistakes are fewer and further between. An audit backbone brings all audit workflows into one system and keeps everything in order, among other benefits.

• Opt-in electronically, if possible

Leveraging electronic document communication between your organization and the auditing party can save valuable time and money. It can also increase security and compliance and help your organization find its footing in a newly remote world brought on by the events of 2020.

While electronic audit requests are relatively new in the world of healthcare, this change to electronic documentation has become easier to implement since the release of the esMD Gateway system. For a better audit response, engage with a health information handler in advance to take advantage of electronic communication options.

Note that many of the backbone technology solutions mentioned in the previous point include a system for easy document submission. Investing in such software is a simple workaround to the complex world of developing and integrating your own electronic submission capability.

• Develop an appeals strategy

Treating every audit result as unique and taking the time to examine it and decide whether or not to appeal is a full-time job. To save time, many organizations establish criteria for audit appeals in advance.

Dive deeper: 4 Strategies to Improve Your Audit Process

RAC Audit Response Best Practices

Feel prepared? Good. Once you receive notice you’re being audited by a Medicare Recovery Contractor, implement the following best practices during and after the audit response process.

• Track audits as quickly as possible

Whether you’re using software or a spreadsheet system, make sure you’re logging the audit and kicking off the response process as soon as possible. For letters, track the issue date, the date you received the letter initially and the date it is being entered into your tracking system.

• Take QA reviews seriously

Establish your QA review for a complete and thorough audit response. Skipping a review can mean spending extra money to appeal after a denial, so make sure your QA reviewer is capable of understanding and confirming that the audit response tells a complete story.

Dive deeper: 8 Tactics To Take Your Healthcare Audit Response to the Next Level

• Do your financial due diligence

If hundreds of accounts are reimbursed at once, it can be difficult to determine the impact of individual audits. It’s helpful here to have technology that can automatically monitor each outcome in connection with initiated audit activity and generate a report on audit results within a certain time period.

• Make use of reporting

The point of doing your financial due diligence and tracking everything from the audit letter issue date to the status of all denials is to gather data on your performance. Hard numbers are the best way to determine your success rate and identify areas for improvement in future processes. Keeping track of your data and comparing it month over month helps you stay on top of current trends and any increases in financial exposure, new audits and lost reimbursement.

Dive deeper: Reporting on Healthcare Audit KPIs Should Be Non-Negotiable: Here’s Why

Chapter Six: Technology as an Audit Management Solution

When RAC audits were introduced, providers received an unmanageable volume of audit requests from payors. Now, changes in Recovery Audits have led to fewer audits and less paperwork, giving hospitals the opportunity to focus more broadly on all types of payor audits.

But still, every year, review contractors issue an estimated 2 million requests to healthcare providers for medical documentation and records. All too often, these requests are fulfilled through cumbersome manual processes. The sheer volume of activity reveals workflow gaps and inefficiencies in a process that can be up to 90% manual and at risk for data quality issues.

These inefficiencies are only exacerbated by tightening labor markets and a shortage of team members in hospital finance departments nationwide. With fewer people to do the same amount of work, teams are prone to error.

To manage what is still quite a high volume of audit requests amid a persistent labor shortage, smart hospitals and audit response teams should turn to high-tech software solutions.

Dive deeper: A Good Healthcare Audit Response Process Starts With Great Software

The best Recovery Audit software solution

Finding an ideal technology-based solution that fits your organization’s needs can take a bit of research up front. The best audit management systems should provide the following features and benefits.

1. Enhanced case management

Good audit and compliance software should offer, at base, overall enhanced case management. There are several ways to define “enhanced,” but the most useful tools include status models, intuitive work queues, activity notifications and an electronic repository for documents.

2. Full automation

Good audit management software not only automatically enters data, it then uses that data to improve workflows and automate processes. A great solution should have the ability to provide custom electronic interfaces with specific commercial payors, provided they are willing to accept electronic documentation.

By integrating with HIS systems, audit management systems can pull claims and payment data and use that information to populate required fields in the audit management process.

With automated audit management technology, a team can take its process from 90% manual to 93% automated, requiring no human involvement whatsoever. (The other 7% encompasses things that aren’t data- or numbers-driven, like date verification, notes, etc.)

It’s this automation that allows teams with limited resources to do their jobs efficiently. Challenges brought on by labor shortages are no match for departments with the right technology.

3. Customizable tools

Not all audits are created equal. A great audit management software will allow for customization and optimization based on the type of audit you’re working with and the requirements within your audit contract.

4. Electronic document transmission
A good software solution should work with esMD to submit and receive audit documentation from CMS wherever possible.

5. Comprehensive reporting
It’s not just denied dollars that should be tracked and reported on regularly. A great audit management solution provides real-time, comprehensive reporting on clearly organized dashboards that can be shared between staff.

Dive deeper: 5 Things the Best Health Insurance Audit Management Systems Do

Choosing the right partner

Beyond the technical requirements of a solution, it’s essential the vendor with which you choose to partner understands the complexity of the audit landscape and can facilitate the continued evolution of required processes, especially within Recovery Audits.

This means finding an expert vendor that has the ability to look ahead, identify potential impacts on the workflows and proactively make appropriate system enhancements to continue to drive a seamless and efficient audit management process.

If you’re looking for a vendor with these qualities that can provide all the audit management software features in this article and more, look no further than Bluemark’s Blueway Tracker.

Blueway Tracker is a cloud-based audit management platform developed to support Medicare (including RAC audits), Medicaid and commercial payor audits. It is the most powerful audit management and response solution available on the market today.
