How do you prepare a medical practice for a Medicare RAC audit?
Preparing for a Medicare Recovery Audit Contractor (RAC) audit comes down to documentation discipline, internal coding audits, and a defined response workflow. The RAC reviews paid claims to identify improper payments, and you have 45 days to respond to medical record requests. Practices that audit their own coding quarterly, retain documentation per CMS rules, and assign a clear point person handle RAC inquiries as routine; practices that do none of those things treat each request as a crisis.
Definition
A Medicare Recovery Audit Contractor (RAC) audit is a post-payment review of Medicare claims by a CMS-contracted auditor authorized to identify and recover improper payments to providers; RACs are paid on a contingency basis from the amounts they recover.
The detail
RACs review paid Medicare fee-for-service claims for overpayments and underpayments, focused on issues CMS has approved on its RAC issue list. Common targets in outpatient practice are evaluation and management (E/M) level upcoding, modifier 25 usage, medical necessity for high-cost procedures and imaging, duplicate billing, and incorrect place-of-service coding. Preparation has four layers. Layer one is documentation hygiene. CMS requires providers to retain medical records sufficient to support each claim for the period defined by federal regulation (commonly cited as 5 to 10 years depending on the issue and state law, with longer periods for false claims exposure). Templates that auto-populate documentation without provider review are a common audit failure point. Each note must independently support medical necessity, the level of service billed, and any modifiers applied. Layer two is internal coding audit. Run a quarterly internal audit on a sample of high-risk codes for your specialty: 99214/99215 mix, modifier 25 claims, imaging studies, infusions, procedures with shared E/M services. Have a certified coder (CPC or specialty equivalent) review documentation against the billed code and flag any that would not survive external review. Track the error rate and remediate. Layer three is response workflow. Designate a RAC point person, usually your billing manager or compliance officer. When a record request arrives, log it, calendar the 45-day response window, pull the requested records, and have the supporting provider sign off on the response. Send by tracked, traceable method and retain the audit trail. Late responses are an automatic loss. Layer four is appeal readiness. RAC findings can be appealed through five levels: redetermination, reconsideration, ALJ hearing, Medicare Appeals Council, and federal court. The first two levels are fast and inexpensive; ALJ hearings historically had multi-year backlogs. Practices that win on appeal typically do so because their documentation, not their argument, was strong. If you discover systemic upcoding or miscoding during prep, talk to a healthcare attorney about a voluntary self-disclosure to OIG; that is a separate decision with significant legal implications and should not be made unilaterally.
Providers have 45 days to respond to a RAC medical record request; failure to respond on time results in automatic overpayment determination.
Common RAC targets in outpatient practice include E/M level upcoding, modifier 25 usage, medical necessity for imaging and procedures, and place-of-service errors.
Medicare appeals process has five levels (redetermination, reconsideration, ALJ, Council, federal court); the first two are fast and inexpensive while ALJ historically had significant backlogs.
Source: CMS Medicare Appeals Process
What this means for clinic owners
From Sorso
A RAC audit is not a catastrophe if your documentation is honest and your coding is defensible. The work is upstream: clean templates, quarterly internal coding audits, a designated point person, and a defined 45-day workflow. Practices that build that discipline treat audit requests as a routine cost of operating in Medicare. Practices that hope to avoid scrutiny by staying small or quiet eventually pay for that hope with refunds, penalties, and provider time spent in appeals.
Continue with Sorso
How clinic owners typically work with us after a question like this
Fractional CFO
Strategic CFO for $3M–$50M clinics
Forecasts, location-level P&L, exit prep. Starts at $4,000/mo.
Explore Fractional CFO →Accounting
Healthcare-specialist accounting
Books done right by people who understand clinic finance. Starts at $2,000/mo.
Explore Accounting →Free Assessment
See where your clinic stands
4-minute, 15-question diagnostic. Personalized scorecard emailed to you.
Take the Free Assessment →Related questions
What records do I need to keep for an IRS audit?
Medical practices should keep complete tax records for at least 3 years (general statute of limitations), 6 years for substantial understatements, and indefinitely for assets, retirement plans, and HIPAA-related documentation.
What is modifier 25 used for?
Modifier 25 indicates that a significant, separately identifiable Evaluation and Management (E/M) service was performed by the same physician on the same day as a procedure, allowing both to be billed when properly documented.
What are the most common billing errors in healthcare?
The most common healthcare billing errors are eligibility verification failures, missing prior authorization, incorrect or missing modifiers (especially modifier 25 and 59), upcoding/downcoding, missing documentation for medical necessity, and timely filing failures.
Founder of Sorso. 19 years in corporate finance. Managed a $450M loan portfolio before building a fractional CFO firm exclusively for healthcare clinics.
Want to see how your practice measures up?
Take the 4-minute financial assessment. It is free, and it will show you where your practice is leaking money.