Why Providers Can’t Ignore CMS Audits

Let’s clear up a common misconception: when CMS audits a health plan, providers aren’t off the hook. In fact, the opposite is true. If you’re the one writing the notes, it’s your documentation that decides whether money flows in or gets clawed back.

As a physician, I’ve worked as both a clinician and a manager in primary care, always within organizations at downside risk in value-based care. And in every role, one thing was clear: documentation accuracy was critical in shaping financial performance and quality outcomes.

When CMS audits a Medicare Advantage plan, it’s essentially auditing the physician group by reviewing the very charts you submitted. If your notes don’t meet compliance standards, the plan is penalized, and that penalty comes back to you.

Audits are only increasing. This year, CMS confirmed that under the  RADV final rule, it has hired 2,000 new auditors and launched an aggressive plan to expand Medicare Advantage oversight. The result? More clawbacks. More scrutiny of your notes.

And the data backs it up: in 2023, CMS audited 79% of plans, the highest rate yet. Persistent miscoding in conditions such as diabetes with complications, COPD, heart failure, and arrhythmias drove significant payment adjustments.

But audits are just for health plans — not my clinic, right?

Audits happen across CMS programs, no matter your patient mix. Even if your panel is mostly commercial or Medicaid patients, your notes can still be pulled into review.

In Medicare Advantage (MA), the insurer contracts directly with CMS, and RADV audits indeed target the plan. But those audits rely on your medical records to validate diagnosis codes. 

The latest 2023 Benefit Year HHS-RADV results confirm the trend: nearly 8 in 10 issuers were audited — the highest rate yet — and high-risk conditions continue to be miscoded. For example, diabetes with complications was unvalidated in 679 cases, COPD in 420, heart failure in 617, and arrhythmias in 540.

And it’s not just MA. In traditional Medicare, ACOs, the Shared Savings Program, and even Medicaid, providers are on the hook. For example, in FY 2024, Medicaid estimates 79.11% of improper payments were attributed to insufficient documentation, highlighting how often paperwork gaps, rather than fraud, drive payment errors. Alongside this, RAC auditors and other program integrity reviews routinely identify unsupported diagnoses and recoup associated payments.

The bottom line: documentation compliance isn’t “the health plan’s problem.” Whether through RADV, RACs, UPICs, or Medicaid reviews, your notes are the evidence CMS uses, and they can be audited across programs.

And here’s the part many forget: even if you aren’t being audited today, CMS can look back up to seven years. 

Therefore, you can’t rely only on health plans or billing companies to protect you. Their reviews cover only a fraction of charts, leaving high-risk notes and much of your panel exposed. Recognizing these limitations is the first step toward truly audit-proofing your organization.

But my health plan and billing company already audit my notes — isn’t that enough?

Not quite. Even if you aren’t being audited directly, your documentation is still at risk. Many clinicians assume payer or billing reviews fully protect them, but that’s a risky assumption.

Audits aren’t about claims processing; they’re about the accuracy of the notes you write every day. And like any system, insurance and billing audits have pros, cons, and limitations you should understand before relying on them. Let’s break those down.

Insurance company audits

When insurers audit charts, their goal is to protect their bottom line by catching documentation gaps. They typically review a sample of records to confirm diagnoses and risk-adjustment codes are supported. This can help identify errors, but it doesn’t guarantee CMS compliance. 

Coder strictness also varies; what one overlooks, CMS may flag. And because audit findings often apply across larger populations, even a few missed diagnoses can trigger recoupments.

• Pros: Improves claim accuracy, prevents obvious errors, and reduces over- and underpayments.
• Cons: Limited to samples, dependent on coder interpretation, and often misses high-risk errors CMS targets (e.g., carried-over acute codes, active vs. history-of).
• Limitations: A sample-based safety net. Insurer audits don’t ensure every note is compliant, and CMS may review records your plan never touched.

Billing company audits

Billing company audits are about keeping the revenue cycle flowing. Their focus is on ensuring services billed match the documentation so claims get paid with fewer denials. They check charge capture, coding accuracy, and formatting, but not whether your documentation would withstand a regulatory audit. That means fewer billing errors, but no protection from clawbacks.

• Pros: Prevents billing errors and claim rejections, supports smoother cash flow.
• Cons: Focuses only on coding-to-claim matching, without clinical review or protection against CMS audits. Does not verify whether diagnoses meet supporting documentation standards (e.g., MEAT, DST).
• Limitations: Helpful for revenue flow, not compliance defense. Billing audits protect against rejections, but not clawbacks or recoupments.

The bottom line: Insurance and billing company audits catch surface issues, but neither makes your documentation audit-ready. Relying on them alone is like locking the front door while leaving the back door wide open. If CMS reviews your notes, the gaps will show, and the revenue risk will fall on you.

So what’s the next step? Proactive audits with technology.

The most reliable approach is to audit notes proactively, not wait for CMS to uncover problems. With AI, every note can be reviewed in real time, flagging documentation gaps or unsupported diagnoses. Errors get caught early, reviews scale across all notes instead of just samples, and your team saves time compared to manual reviews.

In a typical group, a coder might review 10–25 charts an hour, depending on complexity. Scaling that across an entire organization quickly becomes overwhelming. Technology changes the equation: it allows smaller coding teams to review every note at only incremental cost.

Given CMS’s increasing audit activity and the limitations of payer and billing audits, this is the strategy to follow. With the right tools, you can protect revenue and reduce risk. But tools alone aren’t enough. Lasting change depends on leadership alignment, treating compliance as a core part of culture and workflow.

But audit-proofing is work we don’t have time for?

At the end of the day, it doesn’t matter what your patient mix looks like; your notes can and will be pulled into audits. Waiting until CMS is at your doorstep isn’t a strategy — it’s a risk. Now is the moment to get ahead of it. The signals from CMS are clear, and the reality is that audits are no longer a question of if, but when. 

The good news is that technology has shifted the equation: what once would have required costly FTEs can now be scaled across every chart with ease. That means you can protect revenue without breaking operations, but only if teams are aligned. Compliance has to be part of the culture, not a side project, so that documentation is seen for what it truly is, not a way to chase more dollars, but a way to ensure the right dollars for the work actually being done. 

When you approach compliance the right way, you don’t just safeguard revenue; you strengthen your reputation and your mission.

Photo: Thanakorn Lappattaranan, Getty Images

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers. Click here to find out how.