CMS Audits
The Centers for Medicare and Medicaid Services (CMS) audits sponsors for strict compliance with the Medicare and Medicaid rules and requirements. If your organization is facing an audit, you will need experienced healthcare fraud defense counsel to help avoid unwarranted consequences.

CMS Audits Team Lead
Former DOJ Attorney

All healthcare providers and other entities that participate in the Medicare and Medicaid programs are subject to the oversight of the federal Center for Medicare and Medicaid Services (CMS). In order to enforce these programs’ requirements, CMS conducts targeted audits that involve an in-depth review of providers’ and other entities’ billing compliance.
As CMS’s website explains:
“CMS conducts program audits of [Medicare-Medicaid Plans (MMPs)], Medicare Advantage Organizations (MAOs), and Prescription Drug Plans (PDPs), collectively referred to as ‘sponsors’ to help drive the industry towards improvements in the delivery of health care services. CMS Medicare Advantage Parts C and D program audits for sponsors that include an MMP utilize the Center for Medicare Program Audit Protocols as well as two MMP-specific protocols designed to ensure compliance with three-way contract requirements . . . .”
This summary tells you pretty much everything you need to know: The CMS audit rules are dense, and the Medicare and Medicaid audit procedures are inordinately complicated. As a result, facing a CMS audit is a daunting prospect, and sponsors that are facing CMS audits must defend themselves effectively in order to avoid exclusion and other penalties.
Understanding the Scope of a CMS Audit
For sponsors that are facing CMS program audits, one of the first steps toward executing a strategic and effective defense is to understand the audit’s scope. CMS audits sponsors in numerous areas of compliance; and, within each of these areas, sponsors can expect to face scrutiny in virtually all aspects of their billing and recordkeeping operations. Currently, CMS audits sponsors in the following areas:
- Compliance Program Effectiveness (CPE)
- Part D Formulary and Benefit Administration (FA)
- Part D Coverage Determinations, Appeals, and Grievances (CDAG)
- Part C Organization Determinations, Appeals, and Grievances (ODAG)
- Special Needs Plans Model of Care (SNP-MOC)
- Medicare-Medicaid Plan (MMP) Service Authorization Requests, Appeals and Grievances (MMP-SARAG)
- Medicare-Medicaid Plan (MMP) Care Coordination and Quality Improvement Program Effectiveness (MMP-CCQIPE)
Understanding the Scope of the CMS Sponsor Audit Program
CMS conducts sponsor audits at the “parent” level, meaning that individual subsidiaries’ books and records are not separately reviewed for Medicare or Medicaid compliance. This allows CMS to audit a substantial percentage of all enrolled sponsors on an annual basis. For example, in 2019 (based on data from January 2020), CMS audited 71% of all Medicare Part C and D sponsors. All Medicare and Medicaid sponsors can expect to be audited by CMS on a regular basis; and, while this may make CMS audits “routine” in certain respects, each audit must be approached carefully and with detailed attention to the specific issues falling within its scope.
Overall, the average CMS audit score has dropped in recent years (as a lower score represents better audit performance). Average audit scopes for CPEs, FAs, CDAGs, PDAGs, MMP-SARAGs, and MMP-CCQIPEs all dropped from 2017 to 2019. However, SNP-MOCs have seen a significant increase in average audit scores; and, across all audit types, averages are not indicative of the risks individual sponsors face during their CMS audits.
Sponsors that receive unfavorable audit determinations can face immediate consequences in the form of civil monetary penalties (CMP). In 2019, CMS issued CMPs totaling more than $1.6 million, which an average penalty of just over $200,000. Depending on the circumstances involved, CMS audits can also lead to exclusion and other penalties, and may also result in a referral for a federal healthcare fraud investigation.
Understanding the CMS Audit Process
The CMS program audit process for sponsors is excruciatingly time-consuming and complex. CMS breaks its audit process down into four “Phases,” each of which has its own list of steps:
Phase I: Audit Engagement and Universe Submission
- Engagement Letter – CMS notification to sponsoring organization of audit selection; identification of audit scope and logistics; and instructions for audit submissions.
- Universe Submission – Sponsoring organization submission of requested universes and supplemental documentation to CMS. Deleted:
- Universe Integrity Testing – CMS integrity testing of sponsoring organization’s universe submissions.
- Audit Sample Selection – CMS selection of sample cases to be tested during audit field work.
- Entrance Conference – Discussion of CMS audit objectives and expectations; sponsoring organization voluntary presentation on organization.
- Webinar Reviews – CMS testing of sample cases and review of supporting documentation live in sponsoring organization systems via webinar.
- Onsite Audit of Compliance Program Effectiveness – Sponsoring organization presentation of compliance program tracer reviews and submission of supporting documentation (screenshots, root cause analyses, impact analyses, etc.); CMS documentation analysis.
- Preliminary Draft Audit Report Issuance – CMS issuance of a preliminary draft report to sponsoring organization identifying the preliminary conditions and observations noted during the audit.
- Exit Conference – CMS review and discussion of preliminary draft audit report with sponsoring organization.
- Condition Classification and Audit Scoring – CMS classification of non-compliance and calculation of sponsoring organization’s audit score.
- Notification of Immediate Corrective Action Required (ICAR) conditions (as applicable) – CMS notification to sponsoring organization of any conditions requiring immediate corrective action; sponsoring organization ICAR Corrective Action Plan (CAP) submission within three business days.
- Draft Audit Report Issuance – CMS issuance of draft audit report, inclusive of condition classification and audit score, to sponsoring organization approximately 60 calendar days after exit conference.
- Draft Audit Report Response – Sponsoring organization submission of comments to draft audit report within 10 business days of draft audit report receipt.
- Final Audit Report Issuance – CMS issuance of final audit report with CMS responses to sponsoring organization’s comments and updated audit score (if applicable) approximately 10 business days after receipt of sponsoring organization’s comments to draft audit report.
- Non-ICAR CAP Submission – Sponsoring organization’s submission of non-ICAR CAPs within 30 calendar days of final audit report issuance.
- CAP Review and Acceptance – CMS performance of CAP reasonableness review and notification to sponsoring organization of acceptance or need for revision.
- Validation Audit – Sponsoring organization demonstration of correction of audit conditions cited in the final audit report via validation audit within 180 calendar days of CAP acceptance.
- Audit Close Out – CMS evaluation of the validation audit report to determine whether conditions have been substantially corrected and notification of next steps or audit closure.
Phase II: Audit Field Work
Phase III: Audit Reporting
Phase IV: Audit Validation and Close Out
Despite CMS’s one-line summaries and the relatively small space they occupy within CMS’s sponsor audit framework, several of these steps are extraordinarily time-intensive, and they can present significant risks for sponsors if they are not handled appropriate. For example, prior to submitting the universe of requested records to CMS for review, sponsors must first: (i) ensure that the scope of the audit is appropriate and does not need to be challenged; (ii) ensure that they can comprehensively collect all responsive records; and, (iii) conduct an internal self-audit to determine whether and to what extent any of the records they are about to disclose to CMS present a risk for CMP or other penalties.
How to Handle a CMS Audit: Q&A with Our Senior Healthcare Fraud Defense Lawyers
Q: What should I do if I have received an audit engagement letter from CMS?
If you have received an audit engagement letter from CMS, you will need to carefully review the letter in detail in order to discern the scope and subject matter of the audit. At this time, you should also engage federal defense counsel to assist with preparing your organization’s “universe” of responsive documents and reviewing them prior to submission to CMS.
Q: What can (and should) sponsors do to protect themselves during CMS audits?
There are several steps that sponsors can take to protect themselves during CMS audits. For example, while sponsors must comply with audit requests in order to preserve their Medicare or Medicaid program eligibility, they must also ensure that the documentation they provide does not place them at risk for allegations of Medicare or Medicaid fraud. This is a delicate process that requires a clear understanding of all pertinent laws and regulations, and experienced federal defense counsel is required.
Q: What rights do sponsors have to object to practices and findings during CMS audits
If CMS’s auditors utilize outdated practices, make flawed assumptions, or otherwise conduct your organization’s audit in such a way that it is likely to lead to a flawed conclusion, your organization’s defense counsel can interject in the process and help ensure that the audit results in accurate determinations. Your organization’s defense counsel can also help ensure that overly-broad requests do not lead to the unnecessary disclosure of potentially-harmful information.
Q: What options are available if CMS imposes civil monetary penalties as the result of an audit?
If CMS imposes CMP or other penalties as a result of your organization’s audit, you will need to work with your organization’s counsel to determine how best to challenge the result. However, while this is an option, it is far better to take a proactive approach focused on achieving a favorable initial outcome.
Schedule a Complimentary CMS Audit Consultation with a Senior Healthcare Fraud Defense Lawyer
Are you preparing to face a CMS audit? If so, our senior federal healthcare fraud defense lawyers can advise you and represent your organization throughout the audit process. To get started with a complimentary initial consultation, please call 888-680-1745 or request an appointment online today.
Tag: CMS Audit & Appeals Defense | Federal Lawyer