Healthcare organizations face an increasingly complex audit landscape where Recovery Audit Contractor (RAC) audits and Risk Adjustment Data Validation (RADV) audits operate under different rules, target different vulnerabilities, and demand distinct preparation strategies. While both audit types can result in substantial recoupments, confusion about their fundamental differences leaves many organizations unprepared for either type.
Recovery Audit Contractors recovered over $2 billion in fiscal year 2021 alone from improper Medicare payments. Meanwhile, the Centers for Medicare and Medicaid Services (CMS) plans to audit all 550 eligible Medicare Advantage contracts annually through RADV, up from approximately 60 plans per year. Understanding which audit you face determines how you should respond.
RAC Audits Target Payment Accuracy Across All Fee for Service Claims
Recovery Audit Contractors exist to identify and correct improper Medicare payments on fee for service claims. Their scope encompasses any Medicare Part A or Part B claim where payment may have been calculated incorrectly, where services were not covered, or where documentation fails to support medical necessity.
RAC audits operate post payment, meaning auditors review claims that have already been paid. RACs can look back three years from the date a claim was paid, forcing healthcare organizations to defend billing decisions made years earlier using documentation and coding guidelines that may have since evolved. The audit process begins when the RAC identifies claims for review through either automated analysis or targeted selection. Automated reviews occur when the RAC has certainty that a claim violates Medicare policy without requiring medical record review. Complex reviews require human examination of medical records to determine whether documentation supports the billed service.
RACs contact providers through Additional Documentation Requests with 45 day response deadlines. Organizations that fail to respond within this window face automatic claim denials and recoupment. The stakes escalate quickly because RACs operate on contingency fees, earning percentages of recovered overpayments.
Common RAC audit targets reflect areas where Medicare historically identifies frequent errors. Patient status denials constitute a persistent problem, where RACs challenge whether inpatient admission was medically necessary or whether observation status was more appropriate. Medical necessity denials question whether documentation supports the level of service billed. Coding errors target situations where providers selected incorrect procedure codes or diagnosis codes that do not match documented services.
RADV Audits Verify Risk Adjustment Coding for Medicare Advantage
Risk Adjustment Data Validation audits serve a completely different purpose than RAC audits. While RAC audits verify fee for service payment accuracy, RADV audits validate risk adjustment data submitted by Medicare Advantage Organizations to justify capitated payment rates.
Medicare Advantage Organizations receive monthly payments for each enrolled beneficiary based on risk scores calculated from submitted diagnosis codes. Sicker patients with more chronic conditions generate higher risk scores and higher payments. RADV audits confirm that diagnosis codes submitted for risk adjustment are supported by medical record documentation from the relevant payment year.
The current RADV environment has become extraordinarily aggressive. CMS aims to complete all outstanding audits for payment years 2018 through 2024 by early 2026 while simultaneously expanding ongoing audit activity from 60 plans annually to 550. The agency is increasing its coder workforce from 40 to 2,000 reviewers and expanding sample sizes from 35 records per plan to between 35 and 200 records depending on plan size.
RADV audits target Hierarchical Condition Category (HCC) codes that drive risk adjustment. High value HCCs like major depressive disorder, diabetes with complications, and stroke receive particular scrutiny. Auditors verify that medical records contain documentation of the condition, show the condition was evaluated or addressed during the payment year, and demonstrate clinical management or impact on treatment decisions.
The financial exposure from RADV audits has intensified dramatically. The 2023 final rule allows CMS to extrapolate findings from sampled records across entire contract populations. Previously, CMS recouped only overpayments identified in reviewed sample records. Under extrapolation, if auditors find 10 percent of sampled HCCs unsupported, CMS can apply that error rate across all risk adjustment payments for the entire contract year.
Unlike RAC audits where providers directly receive audit notifications, RADV audit requests typically route through Medicare Advantage Organizations to their contracted providers. Providers may receive documentation requests from health plans rather than directly from CMS, creating potential confusion about audit type and urgency.
Why Generic Audit Preparation Fails Both Audit Types
Many healthcare organizations implement generic audit readiness programs that claim to address all audit types. This approach wastes resources preparing for risks that do not apply to specific audit circumstances.
RAC preparation that focuses exclusively on prospective review of claims before submission provides limited value for defending three year old coding decisions under challenge. By the time RAC audits arrive, the claims are long submitted and paid. Conversely, RADV preparation that emphasizes real time documentation improvement during patient encounters cannot retroactively fix records from payment years already closed.
The documentation standards differ substantially between audit types. RAC audits verify whether medical necessity and coding rules were followed as they existed when services were provided. RADV audits verify whether diagnosis codes meet specific CMS Hierarchical Condition Category coding requirements, which are more restrictive than standard International Classification of Diseases, Tenth Revision (ICD-10) coding guidelines. A diagnosis code that satisfies RAC medical necessity requirements may still fail RADV audit if documentation lacks elements showing the condition was Managed, Evaluated, Assessed, or Treated during the payment year.
Building RAC Specific Audit Response Capabilities
Effective RAC audit preparation requires systems that identify high risk claims before RAC selection occurs, respond efficiently when audits arrive, and appeal aggressively when RAC determinations are incorrect.
Proactive risk identification begins with analyzing your organization’s billing patterns against known RAC audit targets. CMS publishes approved RAC review topics monthly, providing transparency about what RACs can audit. Organizations should compare their claim distributions against these topics, identifying areas of high exposure. If your organization bills high volumes of inpatient admissions that could qualify as observation, those claims face elevated RAC risk regardless of whether coding was correct.
Pre audit claim validation for high risk categories catches potential problems before RAC reviewers do. Organizations can audit their own claims matching RAC approved topics, identifying documentation deficiencies or coding issues that would fail RAC scrutiny.
Documentation retrieval capabilities determine whether organizations can meet RAC response deadlines. When Additional Documentation Requests arrive with 45 day deadlines, organizations must locate medical records that may be archived or stored off site, particularly for claims from two or three years prior.
Appeal preparation should begin the moment RAC determinations arrive. RAC appeal success rates can reach 75 percent for certain claim types, making appeal investment worthwhile for claims where organizations believe their coding and documentation were correct. However, appeals require medical expertise to articulate why documentation supported billed services, coding expertise to demonstrate guideline compliance, and legal expertise to navigate Medicare appeal procedures.
Building RADV Specific Audit Response Capabilities
RADV audit preparation demands different capabilities focused on HCC coding accuracy, retrospective documentation validation, and coordination with Medicare Advantage Organization partners.
HCC specific audit protocols target the diagnosis codes that drive risk adjustment rather than auditing representative samples across all diagnosis types. Organizations should prospectively audit high dollar HCCs like major depressive disorder, morbid obesity, diabetes with complications, and vascular disease before submitting them for risk adjustment. The Office of Inspector General (OIG) has identified that approximately 70 percent of high risk HCC codes submitted by Medicare Advantage Organizations lack adequate documentation support.
Retrospective validation becomes essential when RADV audit notices arrive for closed payment years. Organizations must review historical medical records using the CMS-HCC model version that applied during the audited payment year. For payment year 2018 audits now being completed, that means applying CMS-HCC Version 22, which many current coders have never used.
Provider education about RADV specific documentation requirements prevents future audit exposure. Many providers understand general documentation principles but remain unfamiliar with RADV specific requirements that diagnosis codes must be Managed, Evaluated, Assessed, or Treated during each payment year.
Medicare Advantage Organization coordination requires clear communication protocols. When RADV audit notifications arrive, health plans coordinate responses across dozens or hundreds of contracted provider organizations. Organizations should establish dedicated RADV response contacts, document retention policies ensuring medical records remain accessible for closed payment years, and rapid response procedures when documentation requests arrive.
Leveraging Technology for Both Audit Types
While RAC and RADV audits require distinct preparation strategies, technology platforms can address requirements for both audit types within integrated compliance workflows.
Audit case management systems track both RAC and RADV audits through dedicated workflows. When audit requests arrive, these systems document what was requested, assign responsibility for gathering documentation, track submission deadlines, record audit determinations, manage appeals, and calculate financial exposure. Organizations handling multiple simultaneous audits across both RAC and RADV programs need centralized visibility to allocate resources effectively and ensure nothing falls through cracks.
Historical claim and documentation repositories enable efficient response to both audit types. RAC audits may request records from three years prior while RADV audits now reach back to 2018. Organizations that have transitioned between Electronic Health Record (EHR) systems, changed billing platforms, or modified documentation workflows must maintain access to historical data in legacy formats.
Predictive analytics identify future audit targets before official selection occurs. By analyzing which claim characteristics correlate with historical RAC audit selection and which HCC codes consistently appear in RADV audit samples, organizations can prioritize internal audit efforts toward highest risk areas.
What Organizations Should Do Now
Healthcare organizations cannot afford to wait until audit notifications arrive before building response capabilities. Both RAC and RADV audit volumes are expanding, and preparation gaps create immediate financial and operational risks.
Start by determining which audit types your organization faces. Fee for service providers primarily confront RAC audits. Providers contracted with Medicare Advantage Organizations face RADV audits. Large health systems with both fee for service and Medicare Advantage populations must prepare for both simultaneously.
Conduct baseline assessments of your current audit readiness. Can you identify and retrieve medical records from three years ago within 45 days? Do your coders understand HCC specific documentation requirements that exceed standard ICD-10 coding rules?
Implement audit specific workflows rather than generic compliance programs. RAC preparation should emphasize documentation completeness for billed services, medical necessity validation, and appeals expertise. RADV preparation should focus on HCC coding accuracy, retrospective chart validation, and Medicare Advantage Organization coordination.
Invest in technology that provides audit visibility and management capabilities. Manual tracking of audits through emails and spreadsheets inevitably results in missed deadlines, incomplete documentation submissions, and failure to appeal incorrect determinations. MDaudit’s platform enables organizations to manage both RAC and RADV audits through structured workflows that ensure nothing is overlooked.
Train staff on audit type differences so they can respond appropriately when requests arrive. Many healthcare organizations have experienced staff who understand one audit type but lack exposure to the other. Cross training ensures that someone within your organization can immediately recognize whether an incoming request represents a RAC audit requiring 45 day documentation submission or a RADV audit requiring retrospective HCC validation.
The expanding RAC and RADV audit landscape demands that healthcare organizations understand fundamental differences between audit types and prepare specifically for the risks each creates. Organizations that invest in audit type specific preparation, implement appropriate technology platforms, and train staff accordingly position themselves to defend their billing practices successfully while minimizing financial disruption from recoupments.
