Healthcare organizations face an increasingly complex audit landscape where Recovery Audit Contractor (RAC) audits and Risk Adjustment Data Validation (RADV) audits operate under different rules, target different vulnerabilities, and demand distinct preparation strategies. While both audit types can result in substantial recoupments, confusion about their fundamental differences leaves many organizations unprepared for either.
Recovery Audit Contractors recovered over $2 billion in fiscal year 2021 alone from improper Medicare payments. Meanwhile, Centers for Medicare & Medicaid Services (CMS) plans to audit all 550 eligible Medicare Advantage contracts annually through RADV, up from approximately 60 plans per year. With hospitals operating on median margins of just 4.4 percent, unexpected recoupments from either audit type create severe financial stress.
Understanding which audit you face determines how you should respond. Organizations that prepare generically for audits rather than specifically for RAC or RADV characteristics waste resources addressing wrong risks.
RAC Audits Target Payment Accuracy Across All Fee for Service Claims
Recovery Audit Contractors exist to identify and correct improper Medicare payments on fee for service claims. Their scope encompasses any Medicare Part A or Part B claim where payment may have been calculated incorrectly, where services were not covered, or where documentation fails to support medical necessity.
RAC audits operate post payment, meaning auditors review claims that have already been paid. RACs can look back three years from the date a claim was paid, forcing healthcare organizations to defend billing decisions made years earlier using documentation and coding guidelines that may have since evolved.
The audit process begins when the RAC identifies claims for review through either automated analysis or targeted selection. RACs contact providers through Additional Documentation Requests with 45 day response deadlines. Organizations that fail to respond within this window face automatic claim denials and recoupment.
Common RAC audit targets reflect areas where Medicare historically identifies frequent errors. Patient status denials constitute a persistent problem, where RACs challenge whether inpatient admission was medically necessary or whether observation status was more appropriate. Medical necessity denials question whether documentation supports the level of service billed. Coding errors target situations where providers selected incorrect procedure codes or diagnosis codes that do not match documented services.
RADV Audits Verify Risk Adjustment Coding for Medicare Advantage
Risk Adjustment Data Validation audits serve a completely different purpose than RAC audits. While RAC audits verify fee for service payment accuracy, RADV audits validate risk adjustment data submitted by Medicare Advantage Organizations to justify capitated payment rates.
Medicare Advantage Organizations receive monthly payments for each enrolled beneficiary based on risk scores calculated from submitted diagnosis codes. Sicker patients with more chronic conditions generate higher risk scores and higher payments. RADV audits confirm that diagnosis codes submitted for risk adjustment are supported by medical record documentation from the relevant payment year.
The current RADV environment has become extraordinarily aggressive. CMS aims to complete all outstanding audits for payment years 2018 through 2024 by early 2026 while simultaneously expanding ongoing audit activity from 60 plans annually to 550. The agency is increasing its coder workforce from 40 to 2,000 reviewers and expanding sample sizes from 35 records per plan to between 35 and 200 records depending on plan size.
RADV audits target Hierarchical Condition Category (HCC) codes that drive risk adjustment. High value HCCs like major depressive disorder, diabetes with complications, and stroke receive particular scrutiny. Auditors verify that medical records contain documentation of the condition, show the condition was evaluated or addressed during the payment year, and demonstrate clinical management or impact on treatment decisions.
The financial exposure from RADV audits has intensified dramatically. The 2023 final rule allows CMS to extrapolate findings from sampled records across entire contract populations. Previously, CMS recouped only overpayments identified in reviewed sample records. Under extrapolation, if auditors find 10 percent of sampled HCCs unsupported, CMS can apply that error rate across all risk adjustment payments for the entire contract year, transforming modest sample findings into massive recoupments.
Why Generic Audit Preparation Fails Both Audit Types
Many healthcare organizations implement generic audit readiness programs that claim to address all audit types. This approach wastes resources preparing for risks that do not apply to specific audit circumstances.
RAC preparation that focuses exclusively on prospective review of claims before submission provides limited value for defending three year old coding decisions under challenge. By the time RAC audits arrive, the claims are long submitted and paid. Prospective auditing helps prevent future RAC exposure but does nothing to prepare documentation and appeals for claims already under review.
Conversely, RADV preparation that emphasizes real time documentation improvement during patient encounters cannot retroactively fix records from payment years already closed. For the current RADV backlog covering 2018 through 2024, organizations must work with documentation as it existed during those payment years. Retrospective chart review, gap analysis, and documentation validation become critical RADV preparation activities.
The documentation standards differ substantially between audit types. RAC audits verify whether medical necessity and coding rules were followed as they existed when services were provided. RADV audits verify whether diagnosis codes meet specific CMS HCC coding requirements, which are more restrictive than standard ICD-10 coding guidelines. A diagnosis code that satisfies RAC medical necessity requirements may still fail RADV audit if documentation lacks elements showing the condition was Managed, Evaluated, Assessed, or Treated during the payment year.
Building RAC Specific Audit Response Capabilities
Effective RAC audit preparation requires systems that identify high risk claims before RAC selection occurs, respond efficiently when audits arrive, and appeal aggressively when RAC determinations are incorrect.
Proactive risk identification begins with analyzing your organization’s billing patterns against known RAC audit targets. CMS publishes approved RAC review topics monthly, providing transparency about what RACs can audit. Organizations should compare their claim distributions against these topics, identifying areas of high exposure.
Pre audit claim validation for high risk categories catches potential problems before RAC reviewers do. Organizations can audit their own claims matching RAC approved topics, identifying documentation deficiencies or coding issues that would fail RAC scrutiny.
Documentation retrieval capabilities determine whether organizations can meet RAC response deadlines. When Additional Documentation Requests arrive with 45 day deadlines, organizations must locate medical records that may be archived or stored off site, particularly for claims from two or three years prior.
Appeal preparation should begin the moment RAC determinations arrive. RAC appeal success rates can reach 75 percent for certain claim types, making appeal investment worthwhile for claims where organizations believe their coding and documentation were correct.
External Audit Workflow capabilities centralize RAC audit management, tracking which claims are under review, what documentation has been submitted, where appeals stand, and what recoupment amounts are at stake. Without structured workflow management, RAC audits become chaotic fire drills where staff scramble to respond without visibility into organizational exposure.
Building RADV Specific Audit Response Capabilities
RADV audit preparation demands different capabilities focused on HCC coding accuracy, retrospective documentation validation, and coordination with Medicare Advantage Organization partners.
HCC specific audit protocols target the diagnosis codes that drive risk adjustment rather than auditing representative samples across all diagnosis types. Organizations should prospectively audit high dollar HCCs like major depressive disorder, morbid obesity, diabetes with complications, and vascular disease before submitting them for risk adjustment. The Office of Inspector General (OIG) has identified that approximately 70 percent of high risk HCC codes submitted by Medicare Advantage Organizations lack adequate documentation support.
Retrospective validation becomes essential when RADV audit notices arrive for closed payment years. Organizations must review historical medical records using the CMS HCC model version that applied during the audited payment year. For payment year 2018 audits now being completed, that means applying CMS HCC Version 22, which many current coders have never used.
Provider education about RADV specific documentation requirements prevents future audit exposure. Many providers understand general documentation principles but remain unfamiliar with RADV specific requirements that diagnosis codes must be Managed, Evaluated, Assessed, or Treated during each payment year. A patient with chronic kidney disease documented in the problem list but not addressed during the current year fails RADV audit even if the diagnosis is clinically accurate.
Audit Workflows configured for HCC auditing enable systematic review of risk adjustment submissions before they reach payers. These workflows apply OIG identified risk criteria, flag diagnosis codes lacking documented clinical management, and route questionable cases to clinical documentation improvement teams for provider queries before submission.
Leveraging Technology for Both Audit Types
While RAC and RADV audits require distinct preparation strategies, technology platforms can address requirements for both audit types within integrated compliance workflows.
Charge Analyzer capabilities identify billing patterns that create RAC audit risk by comparing your organization’s claim distributions against benchmarks. When your rate of inpatient admissions or high complexity Evaluation and Management coding significantly exceeds peer norms, those outliers attract RAC attention.
Audit case management systems track both RAC and RADV audits through dedicated workflows. When audit requests arrive, these systems document what was requested, assign responsibility for gathering documentation, track submission deadlines, record audit determinations, manage appeals, and calculate financial exposure.
Historical claim and documentation repositories enable efficient response to both audit types. RAC audits may request records from three years prior while RADV audits now reach back to 2018. Organizations that have transitioned between Electronic Health Record (EHR) systems, changed billing platforms, or modified documentation workflows must maintain access to historical data in legacy formats.
Proactive auditing of high risk claims before external auditors select them allows correction of errors while time remains to prevent submission or establish defensible positions.
What Organizations Should Do Now
Healthcare organizations cannot afford to wait until audit notifications arrive before building response capabilities. Both RAC and RADV audit volumes are expanding, and preparation gaps create immediate financial and operational risks.
Start by determining which audit types your organization faces. Fee for service providers primarily confront RAC audits. Providers contracted with Medicare Advantage Organizations face RADV audits. Large health systems with both fee for service and Medicare Advantage populations must prepare for both simultaneously.
Conduct baseline assessments of your current audit readiness. Can you identify and retrieve medical records from three years ago within 45 days? Do your coders understand HCC specific documentation requirements that exceed standard ICD-10 coding rules?
Implement audit specific workflows rather than generic compliance programs. RAC preparation should emphasize documentation completeness for billed services, medical necessity validation, and appeals expertise. RADV preparation should focus on HCC coding accuracy, retrospective chart validation, and Medicare Advantage Organization coordination.
Invest in technology that provides audit visibility and management capabilities. Manual tracking of audits through emails and spreadsheets inevitably results in missed deadlines, incomplete documentation submissions, and failure to appeal incorrect determinations. MDaudit enables organizations to manage both RAC and RADV audits through structured workflows that ensure nothing is overlooked.
Train staff on audit type differences so they can respond appropriately when requests arrive. Cross training ensures that someone within your organization can immediately recognize whether an incoming request represents a RAC audit requiring 45 day documentation submission or a RADV audit requiring retrospective HCC validation.
The expanding RAC and RADV audit landscape demands that healthcare organizations understand fundamental differences between audit types and prepare specifically for the risks each creates. Organizations that invest in audit type specific preparation, implement appropriate technology platforms, and train staff accordingly position themselves to defend their billing practices successfully while minimizing financial disruption from recoupments.
