Healthcare organizations face an increasingly complex audit landscape where Recovery Audit Contractor (RAC) audits and Risk Adjustment Data Validation (RADV) audits operate under different rules, target different vulnerabilities, and demand distinct preparation strategies. While both audit types can result in substantial recoupments, confusion about their fundamental differences leaves many organizations unprepared for either.
Recovery Audit Contractors recovered over $2 billion in fiscal year 2021 alone from improper Medicare payments. Meanwhile, CMS plans to audit all 550 eligible Medicare Advantage contracts annually through RADV, up from approximately 60 plans per year. With hospitals operating on median margins of just 4.9 percent in 2024, unexpected recoupments from either audit type create severe financial stress.
Understanding which audit you face determines how you should respond. Organizations that prepare generically for audits rather than specifically for RAC or RADV characteristics waste resources addressing wrong risks.
RAC Audits Target Payment Accuracy Across All Fee for Service Claims
Recovery Audit Contractors exist to identify and correct improper Medicare payments on fee for service claims. Their scope encompasses any Medicare Part A or Part B claim where payment may have been calculated incorrectly, where services were not covered, or where documentation fails to support medical necessity.
RAC audits operate post payment, meaning auditors review claims that have already been paid. RACs can look back three years from the date a claim was paid, forcing healthcare organizations to defend billing decisions made years earlier using documentation and coding guidelines that may have since evolved.
The audit process begins when the RAC identifies claims for review through either automated analysis or targeted selection. Automated reviews occur when the RAC has certainty that a claim violates Medicare policy without requiring medical record review, such as duplicate billing or incorrect code combinations. Complex reviews require human examination of medical records to determine whether documentation supports the billed service.
RACs contact providers through Additional Documentation Requests with 45 day response deadlines. Organizations that fail to respond within this window face automatic claim denials and recoupment. The stakes escalate quickly because RACs operate on contingency fees, earning percentages of recovered overpayments. This payment structure incentivizes aggressive audit activity.
Common RAC audit targets reflect areas where Medicare historically identifies frequent errors. Patient status denials constitute a persistent problem, where RACs challenge whether inpatient admission was medically necessary or whether observation status was more appropriate. Medical necessity denials question whether documentation supports the level of service billed. Coding errors target situations where providers selected incorrect procedure codes or diagnosis codes that do not match documented services.
The financial impact extends beyond individual claim recoupments. Organizations that demonstrate patterns of incorrect billing face expanded RAC scrutiny, increased future audit likelihood, and potential referral to more serious enforcement entities if patterns suggest systematic compliance failures rather than isolated errors.
RADV Audits Verify Risk Adjustment Coding for Medicare Advantage
Risk Adjustment Data Validation audits serve a completely different purpose than RAC audits. While RAC audits verify fee for service payment accuracy, RADV audits validate risk adjustment data submitted by Medicare Advantage Organizations to justify capitated payment rates.
Medicare Advantage Organizations receive monthly payments for each enrolled beneficiary based on risk scores calculated from submitted diagnosis codes. Sicker patients with more chronic conditions generate higher risk scores and higher payments. RADV audits confirm that diagnosis codes submitted for risk adjustment are supported by medical record documentation from the relevant payment year.
The current RADV environment has become extraordinarily aggressive. CMS aims to complete all outstanding audits for payment years 2018 through 2024 by early 2026 while simultaneously expanding ongoing audit activity from 60 plans annually to 550. The agency is increasing its coder workforce from 40 to 2,000 reviewers and expanding sample sizes from 35 records per plan to between 35 and 200 records depending on plan size.
RADV audits target Hierarchical Condition Category codes that drive risk adjustment. High value HCCs like major depressive disorder, diabetes with complications, and stroke receive particular scrutiny. Auditors verify that medical records contain documentation of the condition, show the condition was evaluated or addressed during the payment year, and demonstrate clinical management or impact on treatment decisions.
The financial exposure from RADV audits has intensified dramatically. The 2023 final rule allows CMS to extrapolate findings from sampled records across entire contract populations. Previously, CMS recouped only overpayments identified in reviewed sample records. Under extrapolation, if auditors find 10 percent of sampled HCCs unsupported, CMS can apply that error rate across all risk adjustment payments for the entire contract year, transforming modest sample findings into massive recoupments.
Unlike RAC audits where providers directly receive audit notifications, RADV audit requests typically route through Medicare Advantage Organizations to their contracted providers. Providers may receive documentation requests from health plans rather than directly from CMS, creating potential confusion about audit type and urgency.
Why Generic Audit Preparation Fails Both Audit Types
Many healthcare organizations implement generic audit readiness programs that claim to address all audit types. This approach wastes resources preparing for risks that do not apply to specific audit circumstances.
RAC preparation that focuses exclusively on prospective review of claims before submission provides limited value for defending three year old coding decisions under challenge. By the time RAC audits arrive, the claims are long submitted and paid. Prospective auditing helps prevent future RAC exposure but does nothing to prepare documentation and appeals for claims already under review.
Conversely, RADV preparation that emphasizes real time documentation improvement during patient encounters cannot retroactively fix records from payment years already closed. For the current RADV backlog covering 2018 through 2024, organizations must work with documentation as it existed during those payment years. Retrospective chart review, gap analysis, and documentation validation become critical RADV preparation activities, while prospective improvements protect only future payment years.
The documentation standards differ substantially between audit types. RAC audits verify whether medical necessity and coding rules were followed as they existed when services were provided. RADV audits verify whether diagnosis codes meet specific CMS Hierarchical Condition Category coding requirements, which are more restrictive than standard ICD-10 coding guidelines. A diagnosis code that satisfies RAC medical necessity requirements may still fail RADV audit if documentation lacks elements showing the condition was Managed, Evaluated, Assessed, or Treated during the payment year.
Audit response timelines create additional preparation differences. RAC audits provide 45 days to submit requested documentation, followed by discussion periods and standard Medicare appeals processes. RADV audits flowing through Medicare Advantage Organizations may have faster turnaround requirements as health plans coordinate responses across multiple provider partners to meet CMS deadlines.
Building RAC Specific Audit Response Capabilities
Effective RAC audit preparation requires systems that identify high risk claims before RAC selection occurs, respond efficiently when audits arrive, and appeal aggressively when RAC determinations are incorrect.
Proactive risk identification begins with analyzing your organization’s billing patterns against known RAC audit targets. CMS publishes approved RAC review topics monthly, providing transparency about what RACs can audit. Organizations should compare their claim distributions against these topics, identifying areas of high exposure. If your organization bills high volumes of inpatient admissions that could qualify as observation, those claims face elevated RAC risk regardless of whether coding was correct.
Pre-audit claim validation for high risk categories catches potential problems before RAC reviewers do. Organizations can audit their own claims matching RAC approved topics, identifying documentation deficiencies or coding issues that would fail RAC scrutiny. When internal audits find problems, organizations can implement corrective action plans demonstrating good faith compliance efforts, which carry weight during appeals if RACs later challenge similar claims.
Documentation retrieval capabilities determine whether organizations can meet RAC response deadlines. When Additional Documentation Requests arrive with 45 day deadlines, organizations must locate medical records that may be archived or stored off site, particularly for claims from two or three years prior. Delayed responses result in automatic upholding of RAC findings and immediate recoupment.
Appeal preparation should begin the moment RAC determinations arrive. RAC appeal success rates can reach 75 percent for certain claim types, making appeal investment worthwhile for claims where organizations believe their coding and documentation were correct. However, appeals require medical expertise to articulate why documentation supported billed services, coding expertise to demonstrate guideline compliance, and legal expertise to navigate Medicare appeal procedures.
External Audit Workflow capabilities centralize RAC audit management, tracking which claims are under review, what documentation has been submitted, where appeals stand, and what recoupment amounts are at stake. Without structured workflow management, RAC audits become chaotic fire drills where staff scramble to respond without visibility into organizational exposure.
Building RADV Specific Audit Response Capabilities
RADV audit preparation demands different capabilities focused on HCC coding accuracy, retrospective documentation validation, and coordination with Medicare Advantage Organization partners.
HCC specific audit protocols target the diagnosis codes that drive risk adjustment rather than auditing representative samples across all diagnosis types. Organizations should prospectively audit high dollar HCCs like major depressive disorder, morbid obesity, diabetes with complications, and vascular disease before submitting them for risk adjustment. The OIG has identified that approximately 70 percent of high risk HCC codes submitted by Medicare Advantage Organizations lack adequate documentation support.
Retrospective validation becomes essential when RADV audit notices arrive for closed payment years. Organizations must review historical medical records using the CMS-HCC model version that applied during the audited payment year. For payment year 2018 audits now being completed, that means applying CMS-HCC Version 22, which many current coders have never used. Coding to outdated model versions creates accuracy challenges that require specialized training or external coding support.
Provider education about RADV specific documentation requirements prevents future audit exposure. Many providers understand general documentation principles but remain unfamiliar with RADV specific requirements that diagnosis codes must be Managed, Evaluated, Assessed, or Treated during each payment year. A patient with chronic kidney disease documented in the problem list but not addressed during the current year fails RADV audit even if the diagnosis is clinically accurate.
Audit Workflows configured for HCC auditing enable systematic review of risk adjustment submissions before they reach payers. These workflows apply OIG identified risk criteria, flag diagnosis codes lacking documented clinical management, and route questionable cases to clinical documentation improvement teams for provider queries before submission.
Medicare Advantage Organization coordination requires clear communication protocols. When RADV audit notifications arrive, health plans coordinate responses across dozens or hundreds of contracted provider organizations. Providers that respond slowly or incompletely jeopardize the entire health plan’s audit defense. Organizations should establish dedicated RADV response contacts, document retention policies ensuring medical records remain accessible for closed payment years, and rapid response procedures when documentation requests arrive.
Leveraging Technology for Both Audit Types
While RAC and RADV audits require distinct preparation strategies, technology platforms can address requirements for both audit types within integrated compliance workflows.
Charge Analyzer capabilities identify billing patterns that create RAC audit risk by comparing your organization’s claim distributions against benchmarks. When your rate of inpatient admissions or high complexity Evaluation and Management coding significantly exceeds peer norms, those outliers attract RAC attention. Early identification allows organizations to investigate whether outlier patterns reflect case mix differences or coding accuracy problems requiring intervention.
Audit case management systems track both RAC and RADV audits through dedicated workflows. When audit requests arrive, these systems document what was requested, assign responsibility for gathering documentation, track submission deadlines, record audit determinations, manage appeals, and calculate financial exposure. Organizations handling multiple simultaneous audits across both RAC and RADV programs need centralized visibility to allocate resources effectively and ensure nothing falls through cracks.
Historical claim and documentation repositories enable efficient response to both audit types. RAC audits may request records from three years prior while RADV audits now reach back to 2018. Organizations that have transitioned between EHR systems, changed billing platforms, or modified documentation workflows must maintain access to historical data in legacy formats. Technology solutions that aggregate and index historical information regardless of source system dramatically accelerate audit response.
Predictive analytics identify future audit targets before official selection occurs. By analyzing which claim characteristics correlate with historical RAC audit selection and which HCC codes consistently appear in RADV audit samples, organizations can prioritize internal audit efforts toward highest risk areas. Proactive auditing of these high risk claims before external auditors select them allows correction of errors while time remains to prevent submission or establish defensible positions.
What Organizations Should Do Now
Healthcare organizations cannot afford to wait until audit notifications arrive before building response capabilities. Both RAC and RADV audit volumes are expanding, and preparation gaps create immediate financial and operational risks.
Start by determining which audit types your organization faces. Fee for service providers primarily confront RAC audits. Providers contracted with Medicare Advantage Organizations face RADV audits. Large health systems with both fee for service and Medicare Advantage populations must prepare for both simultaneously.
Conduct baseline assessments of your current audit readiness. Can you identify and retrieve medical records from three years ago within 45 days? Do your coders understand HCC specific documentation requirements that exceed standard ICD-10 coding rules? Does your organization have established relationships with external coding consultants who can assist with retrospective RADV validation using outdated CMS-HCC models?
Implement audit specific workflows rather than generic compliance programs. RAC preparation should emphasize documentation completeness for billed services, medical necessity validation, and appeals expertise. RADV preparation should focus on HCC coding accuracy, retrospective chart validation, and Medicare Advantage Organization coordination.
Invest in technology that provides audit visibility and management capabilities. Manual tracking of audits through emails and spreadsheets inevitably results in missed deadlines, incomplete documentation submissions, and failure to appeal incorrect determinations. MDaudit’s platform enables organizations to manage both RAC and RADV audits through structured workflows that ensure nothing is overlooked.
Train staff on audit type differences so they can respond appropriately when requests arrive. Many healthcare organizations have experienced staff who understand one audit type but lack exposure to the other. Cross training ensures that someone within your organization can immediately recognize whether an incoming request represents a RAC audit requiring 45 day documentation submission or a RADV audit requiring retrospective HCC validation.
Monitor audit trends within your organization. Are RAC audits increasing in frequency? Are particular specialties or service lines receiving disproportionate attention? Is your Medicare Advantage partner requesting RADV documentation for specific HCC categories more often? Trend analysis reveals where additional internal audit, coder education, or documentation improvement should focus.
The expanding RAC and RADV audit landscape demands that healthcare organizations understand fundamental differences between audit types and prepare specifically for the risks each creates. Generic audit readiness provides false confidence that crumbles when actual audits arrive demanding specialized knowledge and capabilities. Organizations that invest in audit type specific preparation, implement appropriate technology platforms, and train staff accordingly position themselves to defend their billing practices successfully while minimizing financial disruption from recoupments.
