
Medical Billing Audit Checklist [2026]

A billing audit isn't a luxury — it's a financial survival tool. Medical practices lose an estimated 3–5% of total net revenue each year to preventable billing errors, according to industry analyses. For a practice billing $2 million annually, that's $60,000–$100,000 walking out the door through coding mistakes, missed charges, timely filing failures, and underpayments that nobody caught. Our medical billing cost guide breaks down where those dollars go and how to benchmark your spending.

Meanwhile, OIG enforcement is intensifying. CMS expanded its Recovery Audit Contractor (RAC) program in 2025 with 20 newly approved audit topics and is scaling its medical coder workforce from 40 to 2,000 reviewers. Practices that bill Medicare face growing scrutiny — and those without a documented audit process have no defense when questioned about their billing patterns.

This checklist gives you a structured, repeatable framework for auditing every dimension of your billing operation — from charge capture through collections. Use it quarterly to catch errors before payers and regulators do.

What this checklist covers

A comprehensive 60-point audit framework across 10 categories — with compliance-critical red flags marked, industry benchmarks referenced, and progress tracking built in. Based on OIG compliance guidance, HFMA MAP Key standards, and AAPC audit best practices.

60+ audit checklist items
10 audit categories
15 red flag items
6 key benchmarks
Q1–Q4 recommended cadence

GetPracticeHelp.com is an independent comparison platform. Some of the services referenced in this guide are affiliate partners — we may earn a commission if you sign up through our links, at no extra cost to you. Our evaluations are based on publicly available information and verified product details, and affiliate relationships do not influence our rankings or recommendations.

Part 1: Why Conduct a Billing Audit

Billing audits aren't about finding fault — they're about finding money. Every healthcare practice, regardless of size, has revenue leakage hiding in its billing workflows. The question is whether you discover it proactively or a payer discovers it for you.

Stop revenue leakage

Industry data consistently shows practices lose 3–5% of net revenue to preventable billing errors. Undercoding alone — especially on E/M encounters — leaves significant legitimate revenue uncollected. A 2026 MGMA Stat poll found that 48% of practice leaders identified denials and appeals as their biggest revenue cycle leak, followed by front-end issues (23%) and coding errors (13%).

Compliance protection

The OIG's General Compliance Program Guidance lists internal auditing as one of seven essential compliance elements for physician practices. Documented self-audits demonstrate good faith to regulators and can significantly reduce penalties if billing irregularities are discovered. Practices without compliance programs face penalties 2–3x higher than those with documented efforts.

RAC and payer audit defense

CMS awarded new RAC contracts in 2025 (Cotiviti GOV Services for Regions 3–5) and approved 20 new audit topics. RACs use proprietary algorithms to flag billing outliers — practices whose coding patterns deviate from peers are targeted first. A regular internal audit lets you spot and correct the same patterns before RACs do.

Benchmark your performance

You can't improve what you don't measure. A billing audit establishes baseline metrics — clean claim rate, denial rate, days in A/R, coding accuracy — that you can track quarter over quarter. HFMA's MAP Key framework provides 29 standardized KPIs for exactly this purpose.

Identify training gaps

Audit findings reveal systemic issues: if Modifier 25 is consistently misused, that's a training problem, not a personnel problem. Targeted education based on audit data reduces repeat errors faster than generic compliance training. The OIG explicitly recommends role-specific training matrices mapped to job functions.

The 60-Day Rule: Under Section 6402 of the ACA, if your audit discovers Medicare overpayments, you are legally obligated to report and refund them within 60 days of identification. Failure to do so can be treated as a False Claims Act violation. This makes proactive auditing essential — you need a documented process for identifying and resolving overpayments before they become legal liabilities.

Part 2: When to Audit

A billing audit shouldn't be a once-a-year event triggered by panic. The most effective practices build auditing into their operational rhythm with a structured cadence and defined trigger events.

Recommended Audit Cadence

Quarterly comprehensive audits form the backbone: review 20–50 charts per provider per quarter, sampling across all payer types (Medicare, Medicaid, commercial, self-pay) and service categories (new vs. established visits, procedures, ancillary services). Stratify your sample to overrepresent high-risk areas — high-level E/M codes (99214–99215), frequently used modifiers, and high-dollar procedures.

Monthly spot-checks between quarterly audits keep drift in check. Focus on one high-risk area per month: E/M coding accuracy, modifier usage, charge capture completeness, or timely filing compliance. Review 10–15 claims per provider focused on that single dimension.

Annual external audit provides an unbiased outside perspective. An independent AAPC- or AHIMA-certified auditor reviews 100–200 charts, applying fresh eyes to patterns your internal team may be too close to see. Budget $3,000–$15,000 depending on practice size and specialty complexity.

Trigger Events That Demand Immediate Audit

Denial rate spike

If your denial rate exceeds 5% for two consecutive months — or jumps more than 2 percentage points in any single month — audit the specific denial categories immediately. Our guide to reducing claim denials covers the most effective prevention strategies.

New provider onboarding

Audit a new provider's first 30 days of billing within 60 days of start. Compare their coding distribution to established providers — outliers indicate training needs.

Payer or RAC audit notification

If you receive an ADR (Additional Documentation Request) from a RAC or MAC, immediately conduct a self-audit of the flagged service category before responding.

Billing system or EHR change

Any practice management system migration, EHR upgrade, or clearinghouse switch warrants a 90-day post-implementation audit to catch configuration errors.

Major code set update

After annual ICD-10 or CPT code set updates (effective January 1 and sometimes mid-year), audit the first month of claims for deprecated codes, new code adoption, and mapping errors.

Billing staff turnover

When key billing staff leave, audit their recent work within 30 days. Departing employees may have been compensating for — or causing — systemic issues that surface after they leave.

Pre-audit preparation: Before starting any audit, define your scope (which providers, payers, date range, and service types), pull your sample using a random or stratified method, and ensure you have access to the full medical record — not just the claim. Coding accuracy can only be assessed by comparing the billed codes against the clinical documentation.

Part 3: Key Metrics & Benchmarks

Every billing audit should measure your practice against these six core KPIs. The benchmarks below reflect 2025–2026 data from HFMA MAP Keys, MGMA DataDive, AAPC standards, and industry reporting. Track these quarterly and trend them over time — a single snapshot is useful, but the trajectory tells the real story.

Clean Claim Rate
Target: ≥96% (target for physician practices)
Excellent: ≥ 98%
Good: 96–97%
Average: 90–95%
Poor: < 90%
Source: HFMA MAP Keys / Office Ally

Denial Rate
Target: <5% (best-practice ceiling)
Best in class: < 3%
Good: 3–4.9%
Average: 5–8%
Problem: > 10%
MGMA 2023: 8% single-specialty avg. Industry avg: 5–10%

Days in A/R
Target: <35 days (target for physician practices)
Excellent: < 30 days
Good: 30–35 days
Acceptable: 36–45 days
Problem: > 50 days
Source: MGMA DataDive / HFMA MAP

Net Collection Rate
Target: ≥95% (target for most specialties)
Excellent: ≥ 98%
Good: 95–97%
Average: 90–94%
Poor: < 90%
Source: MGMA / Global Healthcare Resource

Coding Accuracy
Target: ≥95% (AHIMA national benchmark)
Excellent: ≥ 97%
Meets standard: 95–96%
Below standard: 90–94%
Critical: < 90%
Source: AHIMA / Journal of AHIMA

A/R > 120 Days
Target: <12% of total outstanding A/R
Excellent: < 8%
Good: 8–12%
Concern: 13–20%
Problem: > 20%
Source: HFMA / MGMA DataDive

Part 4: Common Billing Errors Found in Audits

Understanding the most frequent billing errors helps you focus audit resources where they'll have the greatest impact. The following errors appear consistently across practice audits — each one represents both a revenue risk and a compliance exposure.

Upcoding E/M Visits
Description & example: Billing 99215 (high-complexity established visit) when documentation supports 99213 (low-complexity). Per the AMA, always report the E/M level based on the actual clinical encounter — not the specialty's typical complexity. One psychiatrist was fined $400,000 and excluded from Medicare for systematic upcoding of session lengths.
Risk level: High — OIG priority
Financial impact: $50–$120 per visit overpayment; False Claims Act liability for patterns

Unbundling Procedures
Description & example: Separately billing components that should be coded together. Example: billing a lesion excision (CPT 11602) and simple wound repair (CPT 12001) separately when the repair is included in the excision code per CPT guidelines. Triggers NCCI (National Correct Coding Initiative) edits automatically.
Risk level: High — OIG priority
Financial impact: Full recoupment of unbundled charge + potential penalties

Modifier 25 Misuse
Description & example: Appending Modifier 25 (significant, separately identifiable E/M service on same day as procedure) without documenting a distinct clinical encounter beyond the procedure's decision-making. This is the single most audited modifier per the AMA and AAPC — auditors specifically look for documentation that justifies the separate E/M service.
Risk level: High — top audit trigger
Financial impact: $40–$150 per claim; recoupment of E/M portion

Diagnosis Code Specificity
Description & example: Using unspecified ICD-10 codes when more specific options exist. Example: coding M54.5 (low back pain, unspecified) instead of M54.51 (vertebrogenic low back pain) or M54.59 (other low back pain) when documentation supports specificity. Missing laterality, encounter type, or disease stage reduces reimbursement.
Risk level: Medium
Financial impact: Denial or reduced payment; flags practice for payer review

Modifier 59 Overuse
Description & example: Using Modifier 59 (Distinct Procedural Service) to bypass NCCI edits without proper documentation of a truly separate service. CMS introduced X{EPSU} modifiers to replace 59 with more specific indicators — practices still defaulting to Modifier 59 face higher audit risk.
Risk level: High
Financial impact: Full recoupment if modifier deemed inappropriate

Timely Filing Failures
Description & example: Missing payer-specific filing deadlines. Medicare: 12 months from date of service. Medicaid: varies by state (90 days–12 months). Most commercial payers: 90–180 days. Claims filed after deadline cannot be recovered — this is permanent revenue loss with zero recourse.
Risk level: High — irreversible
Financial impact: 100% loss of claim value; no appeal available

Missing Charge Capture
Description & example: Failing to capture all billable services: injectable medications (J-codes), supplies, diagnostic tests ordered during the visit, or ancillary procedures. Especially common with vaccine administrations (CPT 90471–90474) and in-office labs where the provider performs the service but forgets to generate the charge.
Risk level: Medium
Financial impact: $15–$500+ per missed charge; compounds across volume

Eligibility Verification Failures
Description & example: Not verifying active insurance coverage and benefits before each visit. Outdated insurance information, terminated policies, and incorrect subscriber IDs cause avoidable denials at submission. AHA identifies this as one of the top causes of denied claims across all practice types.
Risk level: Medium
Financial impact: Full denial; patient balance often uncollectable

Copy-paste documentation risk: EHR copy-paste functionality can facilitate both upcoding and unbundling. When providers copy notes from previous visits, it can make every encounter appear to include the full range of prior diagnoses and treatments — inflating medical complexity documentation beyond what was actually addressed. Audit specifically for copy-paste patterns in your E/M documentation.

Part 5: Self-Audit vs. External Audit

Both internal and external audits serve critical purposes — the question is when each approach is appropriate and how to balance cost against rigor.

Who conducts it
Internal self-audit: Billing manager, compliance officer, or designated internal auditor
External audit: Independent AAPC- or AHIMA-certified auditor or consulting firm

Sample size
Internal self-audit: 20–50 charts per provider per quarter
External audit: 100–200 charts across the practice; statistically valid sample

Typical cost
Internal self-audit: Staff time only — $0 incremental (allocated to existing positions)
External audit: $3,000–$15,000+ depending on practice size, specialty, and scope

Frequency
Internal self-audit: Quarterly (or monthly spot-checks on targeted areas)
External audit: Annually, or whenever a significant compliance concern is identified

Strengths
Internal self-audit: Fast turnaround; deep institutional knowledge; low cost; catches routine errors quickly; builds internal audit culture
External audit: Objective perspective; uncovers blind spots; carries more weight with regulators; identifies systemic patterns; provides benchmarking against industry standards

Limitations
Internal self-audit: May overlook systemic issues due to familiarity; less credibility with regulators; risk of confirmation bias
External audit: Higher cost; longer timeline; requires practice cooperation for record access; auditor may lack specialty-specific context initially

Best for
Internal self-audit: Ongoing compliance monitoring; catching individual errors; tracking quarterly KPI trends; new provider onboarding audits
External audit: Annual comprehensive review; post-incident assessment; pre- or post-payer audit preparation; baseline establishment for new compliance programs

Regulatory value
Internal self-audit: Demonstrates compliance culture; satisfies OIG guidance for ongoing monitoring element
External audit: Strongest evidence of compliance diligence; can be cited in response to government inquiries; supports OIG Self-Disclosure Protocol submissions

Recommended approach: Conduct quarterly internal self-audits throughout the year supplemented by one comprehensive external audit annually. If your internal audit reveals a coding accuracy rate below 90% or a denial rate above 10%, escalate to an external audit immediately — don't wait for the annual cycle. For a deeper dive into the coding review process, see our medical coding audits guide.

The Complete Billing Audit Checklist

Check off each item as you audit it. The progress tracker updates automatically. Items marked with Compliance are compliance-critical — failure on these items requires immediate corrective action.

1. Charge Capture & Superbill Review
Superbill completeness audit [Compliance]
Verify that superbills include all required fields: patient name, date of service, provider name and NPI, ICD-10 diagnosis codes (to highest specificity), CPT/HCPCS procedure codes, modifiers, units, and place of service. Pull 25 random superbills and check for completeness — any field missing from more than 5% of sampled superbills indicates a template or workflow problem.
Charge-to-encounter reconciliation
Compare the number of patient encounters (from the scheduling system) against the number of charges generated in the billing system for the same period. A match rate below 98% suggests missed charges — services were provided but never billed. Focus on same-day add-on services, injections (J-codes), and in-office labs.
CPT code currency check
Confirm all CPT and HCPCS codes on superbills and charge tickets reflect the current code set (updated annually January 1, with occasional mid-year additions). Deleted or revised codes cause automatic rejections. Cross-reference your top 50 most-used codes against the current AMA CPT codebook and CMS HCPCS file.
Ancillary service capture
Audit for commonly missed ancillary charges: vaccine administrations (CPT 90471–90474), EKG interpretation (93000–93010), spirometry (94010), pulse oximetry (94760), nebulizer treatments (94640), and in-office point-of-care testing. These low-dollar charges compound significantly across patient volume — a missed $25 service across 20 patients/day is $10,000/month.
Injectable medication documentation
Verify that every injection administered in-office has both the drug code (J-code) and the administration code (96372 for therapeutic injection, 90471/90472 for immunizations) charged. Check that NDC numbers, lot numbers, and dosages are documented — Medicare requires NDC on claims for many Part B drugs.
Charge lag analysis
Measure the time between date of service and charge entry. Best practice: charges entered within 24–48 hours of service. Lag beyond 3 days increases timely filing risk and delays cash flow. Run a report showing average charge lag by provider — outliers indicate documentation or workflow bottlenecks specific to that provider.
Place of service code accuracy [Compliance]
Confirm correct Place of Service (POS) codes on all claims: 11 (office), 22 (hospital outpatient), 23 (ER), 02 (telehealth — patient at home). Incorrect POS codes trigger different payment rates — billing POS 11 for services rendered in a facility setting (POS 22) is a common error that results in overpayment and potential fraud allegations.
2. Coding Accuracy & Compliance
E/M level distribution analysis [Compliance]
Run a frequency distribution of E/M codes (99202–99205 for new patients, 99211–99215 for established) by provider. Compare against specialty benchmarks from CMS utilization data. A provider billing 99215 for more than 25–30% of established visits should have documentation audited — OIG and RAC algorithms specifically flag E/M level outliers.
ICD-10 specificity audit
Sample 30–50 claims and check that diagnosis codes are coded to the highest specificity available. Look for: missing laterality (right/left), missing encounter type (initial/subsequent/sequela), unspecified codes used when documentation supports specific codes. Example: M17.11 (primary osteoarthritis, right knee) is correct when documentation specifies the right knee; M17.9 (osteoarthritis of knee, unspecified) loses reimbursement and triggers edits.
Modifier accuracy review [Compliance]
Audit the use of high-risk modifiers: Modifier 25 (requires documented significant, separately identifiable E/M service), Modifier 59/X{EPSU} (distinct procedural service — must document separate site, session, or patient encounter), Modifier 50 (bilateral — don't apply to codes that already include bilateral description), and Modifier 22 (increased procedural services — requires supporting documentation explaining the additional work).
NCCI edit compliance check
Run your top 100 procedure code pairs through the CMS NCCI Procedure-to-Procedure (PTP) edit tables to verify no unbundling violations exist. Example: CPT 93000 (complete EKG) should not be billed alongside 93005 (EKG tracing) or 93010 (EKG interpretation) — 93000 is the comprehensive code that includes both components. Check quarterly as NCCI edits are updated each January 1, April 1, July 1, and October 1.
Documentation-to-code match
For a sample of 25–50 claims, compare the billed codes against the clinical documentation (progress note, operative report, or encounter record). Verify that every CPT code billed is supported by corresponding documentation and that every documented billable service was actually charged. Calculate your coding accuracy rate — the AHIMA benchmark is ≥95%.
Medical necessity linkage
Verify that the primary diagnosis code on each claim establishes medical necessity for every procedure billed. Check against LCD (Local Coverage Determination) and NCD (National Coverage Determination) policies for your MAC jurisdiction. Example: billing a comprehensive metabolic panel (CPT 80053) requires a supporting diagnosis — a general wellness visit code alone may not meet medical necessity criteria for the lab work.
Telehealth coding compliance [Compliance]
Audit telehealth visits for correct POS codes (02 for patient at home), appropriate modifiers (Modifier 95 or GT per payer requirements), and accurate time documentation. Verify audio-only visits are not billed as video consultations. OIG has identified telehealth billing as a high-priority enforcement area — providers with unusual telehealth utilization rates are flagged for targeted review.
3. Claims Submission Process
Pre-submission scrubbing effectiveness
Verify your claim scrubber is catching errors before submission. Pull your clearinghouse rejection report for the last 90 days — if more than 2–4% of claims are rejected at the clearinghouse level, your scrubbing rules need updating. Review the top 10 rejection reason codes and confirm each has a corresponding scrubber rule active.
Eligibility verification workflow
Confirm that insurance eligibility is verified electronically before every scheduled appointment — not just at initial registration. Check that your system flags changes in coverage, copay amounts, and deductible status. Audit 30 recent claims denied for eligibility reasons and trace back to determine whether verification was run and what data was available at the time of service.
Prior authorization tracking [Compliance]
Audit services requiring prior authorization to confirm: (1) authorization was obtained before service was rendered, (2) the authorization number is on the claim, (3) the authorized CPT code matches what was billed, and (4) the service was performed within the authorization window. Pre-auth failures are among the top denial categories per MGMA data.
Clean claim rate measurement
Calculate your clean claim rate (claims accepted on first submission without edits or rework) for the audit period. Use the HFMA MAP Key formula: claims passing all edits without manual intervention ÷ total claims accepted into the claims processing tool. Target: ≥96%. If below 90%, prioritize analysis of the top rejection/denial reason codes to identify systemic root causes.
Timely filing compliance [Compliance]
Run an aging report on unbilled charges. Identify any claims approaching payer-specific filing deadlines: Medicare (12 months), Medicaid (varies by state — some as short as 90 days), commercial payers (typically 90–180 days, check each contract). Claims filed after the deadline are permanent, unrecoverable revenue losses. Flag any claims within 30 days of their deadline for immediate action.
Secondary and tertiary billing workflow
Verify that secondary claims are submitted automatically after primary payer adjudication — not manually or on delay. Check that coordination of benefits (COB) information is current and that the correct primary/secondary/tertiary order is reflected on each claim. Audit for claims where the primary payer paid but no secondary was billed despite active secondary coverage.
4. Denial Management & Appeals
Denial rate by category
Calculate your overall initial denial rate (denied claims ÷ total submitted) and break it down by CARC (Claim Adjustment Reason Code) category. Target: below 5% overall. The most common categories per HFMA Claim Integrity Task Force data are: eligibility/COB issues, medical necessity, coding errors, missing information, and prior authorization failures. Identify your top 3 denial categories by volume and by dollar amount.
Appeal rate and success rate
Measure: (1) what percentage of denied claims are appealed (should be 90%+ for clinical denials), (2) your appeal overturn rate (target: 50%+ for well-documented appeals), and (3) average time from initial denial to appeal submission (target: within 5 business days). If your appeal overturn rate is below 40%, your appeal letters may need improvement or the underlying documentation is insufficient.
Denial write-off audit [Compliance]
Review all denial write-offs for the audit period. Verify that every write-off was reviewed before being written off — not auto-adjusted. HFMA MAP Key AR-6 tracks denial write-offs as a percentage of net patient service revenue. Excessive write-offs (>2% of NPSR) indicate either poor appeal processes or premature write-off of recoverable claims. Check that no one is writing off denied claims to avoid the work of appealing them.
Denial trending and root cause analysis
Review 90-day denial trends by payer, provider, CPT code, and denial reason. Look for patterns: Is one payer denying at a higher rate than others? Is one provider generating more coding-related denials? Are denials clustered around specific procedure codes or modifiers? Pattern identification drives targeted corrective action rather than generic training.
Corrected claim tracking
Audit your corrected claim (frequency type 7) and replacement claim (frequency type 7/8) volume. High volumes of corrected claims indicate upstream process failures. Track: how many claims required correction in the audit period, what the top correction reasons were, and the average time from original submission to corrected claim submission. Target: corrected claims should represent less than 3% of total submissions.
Payer-specific denial patterns
Compare denial rates across your top 5 payers. Medicare Advantage plans often have higher denial rates and longer payment cycles than traditional Medicare (30–45 days vs. 10–14 days per MGMA data). If a specific payer's denial rate is 2x or more your average, investigate whether their specific requirements (pre-auth, referral, modifier rules) are being met — or whether the payer's practices warrant escalation to your payer representative.
5. Payment Posting & Reconciliation
ERA/EOB posting accuracy
Sample 30–50 posted payments and compare the posted amount against the ERA (Electronic Remittance Advice) or EOB (Explanation of Benefits). Verify that contractual adjustments, co-pay amounts, deductible applications, and patient responsibility amounts are posted correctly. An error rate above 2% in payment posting introduces compounding inaccuracies in your A/R aging and financial reporting.
Underpayment identification [Compliance]
Compare actual payer reimbursement against your contracted fee schedule for 50+ claims across your top payers. Flag any payment that is more than $1 below the contracted rate. Systematic underpayments of even $5–$10 per claim compound into thousands of dollars monthly. Maintain a fee schedule comparison spreadsheet updated annually with each payer's contracted rates.
Contractual adjustment accuracy
Verify that contractual adjustments (the difference between billed charges and allowed amounts) are calculated correctly per each payer contract. Incorrect contractual write-offs inflate or deflate your net collection rate and can mask underpayment issues. Spot-check 20 claims per major payer — the adjustment should equal your billed charge minus the payer's contracted allowed amount, exactly.
Payment posting timeliness
Measure the average time from payment receipt to posting in your practice management system. Best practice: payments posted within 24–48 hours of receipt. Delays in posting create inaccurate A/R snapshots and can delay secondary billing and patient statement generation. Track electronic (ERA) and manual (paper EOB) posting separately — manual postings typically lag and should be prioritized for automation.
Bank deposit reconciliation
Reconcile total payments posted in your billing system against actual bank deposits for the audit period. Discrepancies can indicate unposted payments, duplicate postings, refund processing errors, or (in rare cases) misappropriation. This should be a monthly close process — if it isn't, implement it immediately. Cross-check ERA transaction totals against deposit amounts by date.
Credit balance resolution
Run a credit balance report and review all patient and insurance accounts showing credit balances. Credit balances represent either overpayments that need to be refunded (legally required for Medicare within 60 days) or posting errors that need correction. Practices with large unresolved credit balance inventories face compliance risk and audit exposure.
6. Patient Billing & Collections
Patient statement accuracy
Review 20 recent patient statements for accuracy: correct patient responsibility amount, clear description of services, dates of service, payments applied, and remaining balance. Confusing or inaccurate statements reduce patient collections — patients who don't understand their bill don't pay it. Verify that insurance payments are posted before statements are generated to avoid billing patients for amounts the payer will cover.
Point-of-service collection rate
Calculate the percentage of copays, coinsurance, and known deductible amounts collected at the time of service. Industry benchmark: collect at least 90% of known patient responsibility at check-in or checkout. Lower rates indicate front desk training gaps or lack of eligibility data at the point of service. Practices that shifted to pre-visit digital payment collection have seen 15–25% improvement in POS collection rates.
Statement cycle timing
Verify that patient statements are sent within 5–7 days of insurance adjudication — not batched monthly. Audit the time between EOB posting and first patient statement. Every additional week of delay reduces the probability of collection. Best practice: 3-statement cycle (statement, 30-day follow-up, final notice) with automated text or email reminders between statements.
Patient A/R aging review
Analyze patient balances by aging bucket (0–30, 31–60, 61–90, 91–120, 120+ days). Patient balances over 120 days have less than a 10% probability of collection. Identify your total patient A/R over 120 days — if it exceeds 15% of total patient A/R, your collection follow-up workflow needs immediate improvement. Consider payment plans or collections agency referral for balances over 90 days.
Payment plan compliance
Review active payment plans for adherence: how many are current, past due, or defaulted? Verify that payment plans have documented terms (total balance, monthly amount, duration, penalties for missed payments). Audit whether accounts on payment plans are being excluded from collections referral prematurely — a defaulted payment plan should trigger the next collection action, not sit idle.
Price transparency compliance [Compliance]
Verify compliance with the No Surprises Act and CMS price transparency requirements: good-faith estimates provided to uninsured/self-pay patients before scheduled services, machine-readable pricing files published (if applicable), and patient-facing price estimator tools functional. Non-compliance carries penalties of up to $10,000 per violation for hospitals and potential enforcement actions for physician practices.
7. Payer Contract Compliance
Fee schedule verification
For each major payer, compare your contracted fee schedule against your charge master. Verify that: (1) your billed charges are at or above contracted rates (billing below contracted rates leaves money on the table), (2) the payer's fee schedule has been updated to reflect the most recent contract terms, and (3) any annual rate escalators have been applied. Pull your top 20 CPT codes by volume and verify the contracted rate for each payer.
Contract term awareness
Maintain a payer contract calendar with auto-renewal dates, notice periods for termination or renegotiation, and fee schedule update effective dates. Verify that no contracts have auto-renewed under unfavorable terms because the notice window was missed. Many payer contracts auto-renew annually with a 90-day notice requirement for changes — missing that window locks you in for another year.
Prompt pay compliance audit
Audit payer payment timeliness against state prompt-pay laws and contract terms. Most states require commercial payers to pay clean claims within 30–45 days (e.g., Texas requires 45 days for non-electronic claims, 30 days for electronic). Medicare must pay within 30 days. Calculate average payment turnaround by payer and flag any payer consistently exceeding legal or contractual timeframes — this is recoverable with interest in many states.
Credentialing status verification [Compliance]
Confirm every rendering provider is currently credentialed and enrolled with every payer they're billing. Verify effective dates — services rendered before credentialing is complete are not reimbursable by most payers. Check for upcoming re-credentialing deadlines (typically every 2–3 years). A lapse in credentialing can result in months of unreimbursed services.
Carve-out and exclusion review
Review payer contracts for carve-out provisions — services excluded from the capitation or fee schedule that should be billed separately (e.g., some contracts carve out immunizations, preventive care, or specific high-cost procedures). Verify that your billing team is aware of and correctly billing carve-out services rather than writing them off or including them in the global rate.
8. Compliance & Documentation
OIG compliance program elements [Compliance]
Verify your practice has documented the seven OIG compliance program elements: (1) written policies and procedures, (2) designated compliance officer, (3) training and education programs, (4) effective communication channels (reporting mechanism/hotline), (5) internal monitoring and auditing, (6) disciplinary guidelines for non-compliance, and (7) prompt response to detected offenses. OIG guidance states practices without these elements face penalties 2–3x higher than those with documented programs.
HIPAA billing safeguards [Compliance]
Audit HIPAA compliance specific to billing operations: Are claims transmitted over encrypted channels? Do billing staff access only the minimum necessary PHI? Are clearinghouse BAAs (Business Associate Agreements) current? Is there an audit trail for who accessed billing records? The 2025 HIPAA Security Rule changes require MFA, enhanced encryption, and accelerated breach notification — verify your billing systems meet these updated requirements.
Excluded provider screening
Verify that all providers, billing staff, and any individual with access to billing systems have been screened against the OIG LEIE (List of Excluded Individuals/Entities) and the GSA SAM (System for Award Management) database. Screen at hire and monthly thereafter. Billing for services rendered by an excluded individual results in mandatory refund of all payments received during the exclusion period.
Documentation retention compliance
Confirm that medical records supporting billed claims are retained for at least 7 years (or longer per state law — some states require 10 years, and for minors the clock starts at age 18). Verify that billing records, EOBs, ERA files, and audit trails are included in your retention policy. RAC auditors can request records for claims up to 3 years old — if you can't produce the record, the claim is automatically deemed an overpayment.
Anti-Kickback and Stark Law awareness
Review any referral arrangements, physician compensation tied to volume, or financial relationships between the practice and entities to which it refers patients. Ensure all arrangements comply with Anti-Kickback Statute safe harbors and Stark Law exceptions. Pay particular attention to lab referral relationships, medical director compensation, and DME supplier arrangements. OIG enforcement prioritizes these areas.
Incident reporting and corrective action log
Review your compliance incident log for the audit period. Verify that all reported incidents (billing errors, potential fraud, HIPAA concerns) were investigated, documented, and resolved with corrective actions. Check that corrective actions were actually implemented — not just documented. An incident log with entries but no follow-up actions is worse than no log at all for compliance purposes.
9. Reporting & KPIs
A/R aging report accuracy
Pull your A/R aging report and verify its accuracy by spot-checking 20–30 accounts. Confirm that: aging buckets are calculated from the date of service (not date of billing), accounts with active payment plans are properly flagged, and accounts referred to collections are excluded from active A/R. An inaccurate aging report leads to misguided follow-up priorities — your team may be chasing low-probability collections while high-probability accounts age out.
Monthly financial close process
Verify that a formal monthly close process exists and is being followed: all payments posted, bank reconciliation completed, adjustments reviewed and approved, financial reports generated, and variance analysis performed against budget and prior period. The close should occur within 10 business days of month-end. Late or incomplete closes mask financial problems and delay corrective action.
Provider productivity reporting
Review provider-level production reports for accuracy: charges, collections, RVUs, and encounter volumes by provider. Compare against specialty benchmarks from MGMA DataDive. Discrepancies between provider schedules (patient volume) and billed encounters indicate charge capture issues. Verify that reports break out by location if the practice operates from multiple sites.
Payer mix analysis
Analyze your payer mix by volume and by revenue — these often tell different stories. If Medicare Advantage represents 30% of your visits but only 20% of revenue, that reimbursement gap matters for contracting strategy. Track payer mix shifts quarter-over-quarter — a growing percentage of managed Medicaid or MA patients with lower reimbursement rates affects your revenue forecast even if patient volume is stable.
Dashboard and reporting automation
Evaluate whether your key billing KPIs (clean claim rate, denial rate, days in A/R, collection rate, charge lag) are available in a real-time dashboard or require manual report generation. Manual reporting introduces delays and human error. If reports are only generated monthly, key trends can develop undetected for 4–6 weeks. Target: automated daily dashboard with weekly leadership review.
10. Staff Training & Process
Annual compliance training documentation [Compliance]
Verify that all billing and coding staff have completed annual compliance training covering: HIPAA privacy and security, billing fraud and abuse awareness (False Claims Act, Anti-Kickback Statute), proper coding practices, and your practice's specific compliance policies. Training must be documented with dates, attendees, topics, and signed attestations. OIG explicitly requires documented training as a compliance program element.
Coding education and CEU tracking
Verify that certified coders (CPC, CCS, CCA) are maintaining their certification through required continuing education units. Track CEU completion dates and renewal deadlines. Uncertified or lapsed-certification coders represent both a quality and compliance risk. Best practice: fund at least 16 CEU hours per coder per year and provide access to AAPC or AHIMA educational resources.
Written billing policies and procedures
Confirm that written procedures exist and are current for: charge entry workflow, claim submission process, denial management protocol, payment posting procedures, patient billing and collections, refund processing, and write-off authorization levels. Policies should be reviewed and updated annually (or whenever workflow changes). Staff should acknowledge receipt of updated policies in writing.
Role-specific training matrix
Verify that a training matrix maps required training to each billing role: front desk (eligibility verification, copay collection, demographics entry), coders (coding updates, modifier usage, specialty-specific training), billers (claim submission, scrubber management, payer-specific requirements), and collections staff (patient communication, payment plan setup, regulatory limits). OIG recommends role-specific training over generic compliance education.
New hire onboarding audit
Review your onboarding process for new billing staff: Is there a documented training checklist? Is the new hire's work audited at a higher rate during their first 90 days? Do they shadow an experienced team member before working independently? An inadequately onboarded billing employee introduces errors that compound for months before they're caught in a quarterly audit.
Audit feedback loop
Verify that previous audit findings have been communicated to affected staff, corrective actions were implemented, and follow-up audits confirmed improvement. A billing audit that generates a report but no behavioral change is a waste of time. Track: finding → corrective action → responsible party → completion date → re-audit result. This closed-loop process is what transforms audits from a compliance exercise into a revenue improvement tool.

Interpreting Your Audit Results

Your completion percentage reflects how many items you've verified, not how many your practice "passes." The real value is in identifying the items you cannot check off — those are your corrective action priorities.

| Completion % | Rating | What It Means | Next Step |
|---|---|---|---|
| 90–100% | Excellent | Strong billing operations with comprehensive processes in place | Maintain quarterly cadence; focus on optimization and benchmarking against best-in-class peers |
| 75–89% | Good | Solid foundation with identifiable gaps to address | Prioritize unchecked items by category; create corrective action plan with 90-day deadlines |
| 50–74% | Needs Work | Significant process gaps; likely experiencing revenue leakage and compliance exposure | Engage billing manager for immediate remediation; consider external audit for unbiased assessment |
| 25–49% | At Risk | Fundamental billing process gaps exist across multiple categories | Escalate to practice leadership; external audit recommended; evaluate whether current billing model is adequate |
| Below 25% | Critical | Billing operations lack basic structure; significant revenue and compliance risk | Immediate external assessment required; consider outsourced billing partnership until internal processes are rebuilt |

Important: Any unchecked item with a Compliance badge requires immediate attention regardless of your overall score. Compliance-critical items represent direct regulatory risk that cannot be deferred to the next audit cycle.

Frequently Asked Questions

How often should a medical practice conduct a billing audit?
Best practice is to conduct a comprehensive billing audit quarterly — reviewing a statistically valid sample of 50–100 claims per provider per quarter. High-risk areas like E/M coding, modifier usage, and high-dollar procedures should be audited monthly with smaller, focused samples. Additionally, trigger events such as a spike in denial rates above 5%, a payer audit notification, or a new provider joining the practice should prompt an immediate focused audit regardless of the regular schedule.
What is an acceptable coding accuracy rate for a medical practice?
The national benchmark for medical coding accuracy is 95%, as established by AHIMA and widely adopted across the industry. Practices operating below 95% typically experience higher denial rates, increased rework costs, and greater compliance risk. High-performing practices target 97–98% accuracy. Each percentage point below the 95% benchmark translates to thousands of dollars in missed or delayed reimbursement annually. See our full breakdown in Part 3 above.
What are the most common billing errors that audits uncover?
The most frequently identified billing errors include: upcoding E/M visits (billing 99215 when documentation supports 99213), unbundling procedures that should be billed together (e.g., separately billing a wound closure included in an excision code), Modifier 25 misuse without proper documentation, missing or incorrect ICD-10 diagnosis code specificity, timely filing failures exceeding payer deadlines, and failure to verify insurance eligibility before each visit. For detailed examples with specific CPT codes, see Part 4.
What is the difference between a self-audit and an external billing audit?
A self-audit (internal audit) is conducted by your own billing staff or compliance officer, typically reviewing 20–50 charts per provider per quarter at no incremental cost. An external audit is performed by an independent AAPC- or AHIMA-certified auditor who reviews 100–200 charts with fresh eyes. External audits cost $3,000–$15,000+ depending on practice size but provide unbiased findings and carry more weight with regulators. We recommend quarterly internal audits supplemented by an annual external audit.
What billing KPIs should I track to know if my practice needs an audit?
Monitor these five core KPIs continuously: Clean Claim Rate (target ≥96%, concern below 90%), Denial Rate (target <5%, red flag above 10%), Days in A/R (target <35 days, concern above 50), Net Collection Rate (target ≥95%), and Coding Accuracy Rate (target ≥95%). If any single metric falls outside its target range for two consecutive months, initiate a focused audit on that area. A sudden change in any metric — even within acceptable range — also warrants investigation.
Can a billing audit trigger an OIG or payer investigation?
A properly conducted internal billing audit is a compliance best practice that the OIG explicitly encourages — it does not trigger investigations. The OIG's Compliance Program Guidance for Individual and Small Group Physician Practices lists internal auditing as one of its seven essential compliance elements. If your audit discovers overpayments, you are obligated to report and refund them within 60 days under the 60-Day Rule (Section 6402 of the ACA). Proactive self-disclosure through the OIG Self-Disclosure Protocol typically results in significantly lower penalties than those imposed after a government-initiated investigation.
How many charts should be reviewed in a billing audit?
For internal quarterly audits, review a minimum of 20–30 charts per provider, sampling across all payer types and service categories. For a comprehensive annual audit, review 50–100 charts per provider. External auditors typically review 100–200 charts total for a small-to-mid-size practice. The sample should be stratified by payer (Medicare, Medicaid, commercial), service type (new vs. established visits, procedures), and E/M level to ensure representative coverage.
What happens if a billing audit finds significant errors?
If your audit identifies a pattern of errors, take these steps: (1) Quantify the financial impact by extrapolating the error rate across your full claim volume, (2) Determine root causes — training gaps, EHR template issues, workflow breakdowns, or individual coder performance, (3) Implement corrective action plans with specific timelines, (4) For Medicare overpayments, report and refund within 60 days per the ACA's 60-Day Rule, (5) Re-audit the problem area within 90 days to verify improvement, and (6) Document everything — your corrective actions demonstrate good faith to regulators and payers if questions arise later.