Thirteen years after the Department of Health and Human Services (HHS) implemented a new framework for reducing improper payments nationwide, the program remains divisive, with proponents pointing to its outsize success in recovering overpayments but critics blasting a “bounty hunter” model which they say disadvantages providers.

At the center of the program are Recovery Audit Contractors (RACs), independent entities charged by the Centers for Medicare & Medicaid Services (CMS) with identifying and correcting improper payments made under Medicare Parts A and B.
RACs have outperformed public sector auditing bodies while allowing CMS to shift the administrative burden addressing improper payments. But RAC opponents complain that the financial incentives that define the program put healthcare providers at financial risk after they have delivered services.

Improper payments

CMS defines improper payment as “payments that do not meet program requirements.” While improper payments may include fraud or abuse, the majority result from unintentional errors or insufficient payment documentation. Importantly improper payments include underpayments to providers as well as overpayments.

Between 2012 and 2022, the improper payments under the Medicare Fee-For-Service (FFS) program ranged from a high of 12.7 percent in 2014 to a low of six percent of in 2020.

History

RACs originated under a demonstration project in the Medicare Fee-For-Service Recovery Audit program under the Medicare Prescription Drug, Improvement and Modernization Act of 2003.

The demonstration began in 2005 and originally included California, Florida, and Texas—states with proportionately large Medicare populations. The original RACs returned $54.1 million to the Medicare Trust Funds in the first 12 months of operation, a promising result at a time when conservatives were eager for the Bush administration and Republican-led Congress to demonstrate the potential of the private sector in reducing healthcare costs.

The project was subsequently expanded to Arizona, Massachusetts, and South Carolina. The program was made permanent with the passage of the Tax Relief and Healthcare Act of 2006, requiring the Secretary of the Department of Health and Human Services to expand the program to all 50 states by 2010.

RAC model

There are five geographic regions identified under the RAC program. The first four consist of roughly equal divisions of U.S. states and territories. The fifth region is inclusive of the entire United States.

One RAC contract is awarded for each region under an open bidding process. Successful bidders secure the right to conduct post-payment reviews for payments made under Medicare Part A and Part B in their specified region—except for durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) and home health/hospice. Under the contract for the fifth region, a single RAC is responsible for review of DMEPOS and home health and hospice nationwide.
While there is only one RAC per region, a RAC may be awarded contracts for multiple regions. For example, Cotiviti, LLC is currently the RAC for Regions 2 and 3,

RAC Process

Individual RACs use proprietary software and algorithms to identify billing and reimbursement trends which indicate the possibility of improper payments. While an audit might feel personal, one RAC specifies that its mission is to “target audit concepts, not providers”. And, in fact, RACs are limited to reviewing a limited list of topics or issues. CMS posts lists of both Approved and Proposed RAC Topics on its website, specifying the mechanism under which each can be reviewed. RACs are also limited to a three year “look back” period determined by the date a claim was paid.

RAC audits take one of two forms: automated or complex.

Automated audits entail analysis of claims data at the systems level. This data mining identifies violations of “clear policies” including statutes or regulations and national and local coverage determinations.

Although a RAC will not contact a provider directly during an automated audit, it is required to post notification of the audit through a provider portal. The date of this notice initiates a 30-day window during which the provider under audit may submit a formal “Discussion Request” and any documentation which they believe could change the outcome of the process.

In a complex audit, a RAC contacts a provider directly to request medical records to support specific claims. The RAC must also outline the rationale for the request. Upon receipt, the records are reviewed by a team of clinicians and certified coders to confirm medical necessity as well as proper documentation.

The request for medical records is called an “additional documentation request” (ADR) and specifies that the provider must submit the requested documentation within 45 days unless they request and receive an extension during that timeframe. A sample letter is available here.

Documentation may be submitted electronically through a RAC portal, digitally through password protected discs or thumb drives, or in paper format.
CMS uses a formula based upon a provider’s volume of Medicare claims within a preceding 12-month period to establish the maximum number of medical records a RAC may request from a provider. RACs are also prohibited from making documentation requests more frequently than every 45 days.

Upon completion of a complex audit, a RAC will typically send the provider one of three forms of communication: a review results letter identifying the amount of an overpayment or under payment and outlining the next steps in the process; a letter of no findings; or a notice of non-receipt saying that the claim(s) in question has been denied owing to lack of requested documentation.

If payment is owed, the provider will receive a demand letter from its Medicare Administrative Contractor, advising them that an overpayment has been identified by a RAC, the amount of the payment due, the timeline for payment, and the process for appeal.

RACs are paid on a contingency basis, receiving a percentage of each improper payment identified and corrected. Although they receive a percentage of payments reimbursed to providers, the vast majority of their revenue comes from recovering overpayments. The percentage received is set during the bidding process.

RACs receive payment after the monies have been collected from providers and are required to refund payment if a provider wins an appeal.

Mixed Reviews

RACs have allowed CMS to shift the administrative burden of addressing improper payments. But some providers believe the program has imposed unnecessary administrative burdens on them.

The American Hospital Association (AHA) and the American Medical Association (AMA) have both criticized the contingency model under which RACs operate, with the AMA characterizing it as offering “bounty-hunter-like” incentives.

The AHA has accused RACs of “overzealous audit behavior” driven by “misaligned financial incentives.” In addition to campaigning for changes to make the RAC process less burdensome, the organization offers guidance to members on appealing adverse RAC determinations. And, although it stopped offering RAC Trac webinars in 2017, it still offers a “RACs Run Amok” infographic on its website.

Despite their critics, RACs have arguably proven more effective than government programs at recovering overpayments.

The RAC program identified approximately $265.9 million in overpayments in FY 2020, the majority in outpatient claims. RACs recovered approximately $220.25 million (82.8%) of this amount. Comparatively, the RAC program identified only $19.67 million in underpayments in FY 2020, with one RAC identifying no underpayments at all.

By contrast in a 2022 report by the Office of the Inspector General (OIG) of HHS, CMS reported collecting just over half of the $498 million in Medicare overpayments identified by OIG audits.

According to CMS, in addition to recovering overpayments, the RAC program serves as a valuable tool in identifying opportunities for system improvement that may ultimately reduce claims errors and improper payments.