What Is a RAC Audit? And How to Protect Your Medical Practice Before CMS Comes Knocking
You just finished a long week of seeing patients. Paperwork is piling up. And then — a letter arrives from a Recovery Audit Contractor.
Your stomach drops.
If you have ever wondered what a RAC audit actually is, what happens if one lands on your desk, or how to make sure your practice never gets blindsided — this guide is for you.
We are going to walk through everything in plain, honest language. No jargon. No fluff. Just the facts you need to protect the practice you have worked so hard to build.
What Is a RAC Audit? (The Simple Answer)
A RAC audit — short for Recovery Audit Contractor audit — is a review of your medical claims by a private contractor hired by the Centers for Medicare & Medicaid Services (CMS).
Think of it like this: the government hires these private companies — called Recovery Audit Contractors — to go back through old Medicare and Medicaid claims and look for overpayments. If they find money they think was paid incorrectly, they want it back.
The RAC program was made permanent in 2010 under the Affordable Care Act, after a pilot program showed it could recover billions of dollars in improper payments. Since then, it has collected over $10 billion in Medicare overpayments from healthcare providers across the country.
That number tells you one thing clearly: this is very real, and it happens to practices of all sizes — from solo family doctors to large hospital systems.
Quick definition for a 9-year-old: Imagine you borrowed $20 from your mom, but she later thinks she gave you $25 by mistake. A RAC audit is like her sending someone to check your records and get the extra $5 back — even if you are sure you only got $20.
For the official CMS explanation of the RAC program, you can visit the CMS Recovery Audit Program page directly.

How Does a RAC Audit Actually Work?
Here is the step-by-step process — from the moment a RAC targets your practice to the final resolution.
Step 1: The RAC Selects Your Claims
RAC auditors do not pick claims randomly. They use data analytics to identify patterns. They look for:
- Claims with unusually high billing amounts compared to similar practices
- Services billed more frequently than average
- Diagnosis codes that do not match the service billed
- Procedures that are commonly upcoded or miscoded in your specialty
- Claims with missing or incomplete documentation
If your billing patterns look unusual compared to thousands of other practices in their database, you move up the list.
Step 2: They Send an Additional Documentation Request (ADR)
Before they can demand any money back, RACs must send you an Additional Documentation Request (ADR). This is a formal letter asking you to send supporting documentation for specific claims they want to review.
You have 45 days to respond to an ADR. This is not optional — missing this deadline is one of the fastest ways to lose a RAC audit case, even if your original billing was completely correct.
The ADR will specify:
- Which patient claims are being reviewed
- The dates of service in question
- Exactly what documentation they need
- The deadline for your response
Step 3: The RAC Reviews Your Documentation
Once they receive your records, RAC auditors review them. Reviews take one of two forms:
- Automated review — software catches clear coding errors, duplicate claims, and mathematical mistakes
- Complex review — actual clinical reviewers (nurses, doctors, coders) examine whether the documentation supports the services billed
If they find a problem, they will issue a demand letter telling you how much you owe back.
Step 4: Overpayment Demand
If the RAC determines you received an overpayment, they send a formal demand letter. You now have two main choices:
- Pay the amount — Medicare will offset future payments or you can write a check
- Appeal the decision — if you believe the finding is wrong, you can challenge it
Most practices that work with experienced billing advocates win a significant portion of their RAC audit appeals. That is why having professional support before and during an audit matters so much.
Step 5: The Appeal Process
The Medicare appeals process has five levels. Each level has its own timeline and requirements:
| Appeal Level | Who Decides | Timeline |
|---|---|---|
| Level 1: Redetermination | Medicare Administrative Contractor (MAC) | 60 days to file |
| Level 2: Reconsideration | Qualified Independent Contractor (QIC) | 180 days to file |
| Level 3: ALJ Hearing | Office of Medicare Hearings and Appeals | 60 days to file |
| Level 4: Medicare Appeals Council | DAB Medicare Appeals Council | 60 days to file |
| Level 5: Federal Court | U.S. District Court | 60 days to file |
You do not always need to go to federal court. Many practices successfully win at Level 1 or Level 2 when they have proper documentation and a knowledgeable advocate supporting them.
For more detail on your official appeal rights, the CMS Medicare Appeals page outlines each level in full.

What Do RAC Auditors Actually Look For?
Knowing what triggers a RAC audit is the first line of defense. Here are the most common issues RAC auditors find — and that you should be reviewing right now in your own practice.
1. Medical Necessity Issues
This is the number one finding in RAC audits. The documentation in the patient chart does not support why the service was medically necessary. A doctor may have performed a legitimate procedure, but if the notes do not explain why it was needed for that specific patient, the RAC can call it an overpayment.
Fix: Every claim needs to tell a story. The diagnosis, the patient history, and the treatment plan must all connect clearly.
2. Incorrect Place of Service Codes
Billing a service as if it was performed in a hospital when it was actually done in an office — or vice versa — is a common error that RAC auditors catch immediately. Different places of service have different reimbursement rates, so even an honest mistake can look like fraud to an auditor.
3. Upcoding
This means billing for a higher-level service than what was actually performed. For example, billing a Level 4 office visit (99214) when the visit only supported a Level 3 (99213). Sometimes this happens by accident. Sometimes a provider does not know the difference. Either way, RACs flag it.
4. Unbundling
This happens when a provider bills separately for services that should be combined under one billing code. Some procedures have a global payment code that covers everything, and billing the parts separately is considered improper.
5. Duplicate Claims
Submitting the same claim more than once — whether by accident or because of a system glitch — shows up immediately in automated RAC review. These are among the easiest findings to avoid with good billing software and clean processes.
6. Services Not Covered by Medicare
This means billing Medicare for a service that is specifically excluded from Medicare coverage. It is often a simple knowledge gap rather than intentional fraud, but the financial consequences are the same.
Which Specialties Get Audited Most Often?
While any practice that bills Medicare or Medicaid can face a RAC audit, certain specialties consistently appear at the top of CMS audit lists. If you practice in one of these areas, your risk is higher:
- Cardiology — high-value procedures, complex coding
- Oncology — chemotherapy infusion codes, drug billing
- Orthopedics — surgical procedures, post-op billing
- Wound Care — debridement codes are frequently audited
- Mental Health — documentation requirements are strict
- Family Practice / Internal Medicine — high volume of E&M codes
If your practice falls into one of these specialties, you can read our detailed billing guides for Cardiology and Wound Care to understand the billing nuances that matter most.
How Far Back Can a RAC Audit Go?
This is one of the most common questions we hear from doctors.
The official answer: RAC auditors can look back up to 3 years from the date of service.
Some providers assume they are safe if a claim is more than a year old. That is not how it works. A claim from 2023 can still be audited and result in an overpayment demand in 2026.
This is exactly why maintaining clean, complete documentation for every patient visit — for at least 7 years — is considered best practice in healthcare compliance.
The Real Cost of a RAC Audit — Beyond the Overpayment
The demand letter tells you one number. But the true cost of a RAC audit is much higher when you add everything up.
Direct costs:
- Overpayment amount demanded
- Interest charges if repayment is delayed
- Legal or consulting fees for appeals
Hidden costs:
- Staff time spent pulling records, organizing documentation, and responding to requests
- Disruption to your practice workflows
- Delayed payments while the audit is ongoing
- The emotional stress on you and your team
One medium-sized practice that faced a RAC audit reported spending over 200 staff hours responding to a single audit cycle — before the appeal was even filed. For a small practice, that kind of disruption can be crippling.
This is why the smartest investment is not reacting to an audit — it is preventing one from becoming a disaster in the first place.
7 Steps to Protect Your Practice from a RAC Audit (Right Now)
You cannot stop CMS from selecting your practice for a review. But you can make sure that when an audit happens, your documentation is airtight, your team is ready, and your exposure is minimal.
Here is what you can do starting today.
Step 1: Conduct a Self-Audit Right Now
Before any external auditor touches your records, do your own internal review. Pull a random sample of 20–30 claims from the past 12 months across your most common services. Ask:
- Does the diagnosis code match the service?
- Is there clear documentation of medical necessity?
- Are all required signatures and dates present?
- Do the dates of service match the progress notes?
If you find problems in your own sample, fix the underlying process now — before a RAC auditor finds the same pattern across hundreds of claims.
Step 2: Train Your Coding Team Regularly
Medical coding accuracy is the foundation of audit protection. A coder who is using last year’s CPT guidelines on this year’s claims is creating silent risk every single day. Require your coding team to complete annual training updates. The American Medical Association releases CPT code updates every January — your team needs to know every relevant change.
Step 3: Create a Document Checklist for Every Visit Type
For each type of service you commonly bill, create a checklist of what documentation is required. Make it a standing rule: if it is not documented, it did not happen. And if it did not happen in the chart, you cannot bill for it — regardless of whether it happened clinically.
Step 4: Respond to ADRs Immediately
When an Additional Documentation Request arrives, treat it as an emergency. Assign one person as your ADR coordinator. Their job is to:
- Log the ADR the day it arrives
- Pull all requested records within 5 business days
- Organize them clearly with a cover letter
- Submit via certified mail or the requested method
- Track the submission confirmation
Do not let an ADR sit in a pile. The 45-day deadline is not flexible.
Step 5: Appeal Everything You Disagree With
Many practices pay RAC overpayment demands without pushing back — even when the finding is wrong. That is a mistake. Studies from industry groups have shown that a significant percentage of RAC findings are overturned at the first or second appeal level when practices submit a well-documented response.
You have a right to appeal. Use it.
Step 6: Review Your HIPAA Compliance Regularly
RAC audits are sometimes the trigger that leads to broader compliance reviews. If an audit reveals documentation problems, CMS may refer the case to other oversight bodies. Having your HIPAA compliance program current and documented adds a layer of protection. It shows regulators that your practice operates with integrity.
Step 7: Work With a Professional Billing Advocate
This is the most impactful step. A professional medical billing team with RAC audit experience will:
- Monitor your claims data for patterns that could trigger an audit
- Ensure your documentation standards meet CMS requirements
- Respond to ADRs on your behalf with speed and accuracy
- Build your appeal letters with clinical and regulatory arguments
- Represent your interests through the entire process
The medical billing and practice management team at Pro Health Care Advisors works specifically with small and individual practices — the ones that often have no in-house compliance staff and need the most support.

Meet MD Audit Shield — Built Specifically for This Problem
Most billing companies offer general billing services. Very few offer dedicated RAC audit protection.
MD Audit Shield is Pro Health Care Advisors’ specialized service designed to protect small and individual medical practices from the financial and operational damage of a CMS Recovery Audit.
Here is what MD Audit Shield includes:
Pre-Audit Monitoring: We review your billing patterns on an ongoing basis using the same types of data analytics that RAC contractors use. If something in your claims profile looks like a red flag, we catch it first — before an auditor does.
ADR Response Management: When a documentation request arrives, we handle the entire response. We know exactly what CMS auditors look for, and we know how to present your records in the strongest possible way.
Appeal Representation: If a RAC auditor issues an overpayment finding, we build your appeal case. We understand the clinical and regulatory arguments that work at each level of the Medicare appeal process.
Staff Education: We work with your front desk, nursing, and clinical staff to close the documentation gaps that create audit risk. Prevention is always less expensive than defense.
Ongoing Compliance Reviews: Quarterly audits of your own claims, before any external reviewer touches them. Think of it as a regular check-up for your billing health.
If your practice bills Medicare or Medicaid — and most practices do — you cannot afford to be without audit protection. Contact our team today to learn how MD Audit Shield can be customized for your practice.
How Is a RAC Audit Different from Other Medicare Audits?
CMS runs several different audit programs. If you have heard other terms and felt confused, here is a quick comparison:
| Audit Type | Full Name | Who Runs It | Focus |
|---|---|---|---|
| RAC | Recovery Audit Contractor | Private contractors | Overpayments & underpayments |
| MAC | Medicare Administrative Contractor | Processes Medicare claims | Day-to-day claims processing |
| ZPIC/UPIC | Unified Program Integrity Contractors | Private contractors | Fraud & abuse investigations |
| CERT | Comprehensive Error Rate Testing | CMS contractor | Random sample to measure error rates |
| OIG | Office of Inspector General | Federal government | Systemic fraud & criminal investigations |
The RAC program focuses on payment accuracy — both overpayments and underpayments. A ZPIC or UPIC investigation is more serious and typically signals suspected fraud. If you ever receive contact from a ZPIC or OIG, consult legal counsel immediately.
For guidance on what the OIG considers in compliance programs, their official guidance documents are a valuable resource.
What Happens If You Ignore a RAC Audit?
Do not do this. Ignoring a RAC audit does not make it go away — it makes everything worse.
If you do not respond to an ADR, the RAC will assume the worst and issue a demand for the full amount of the claims they requested. If you then ignore the demand letter, CMS will begin offsetting your future Medicare payments — meaning they will simply deduct the amount you allegedly owe from every payment they send you, until the debt is paid.
In serious cases, continued non-compliance can escalate to referral to the OIG, which opens the door to fraud investigations, exclusion from Medicare, and civil monetary penalties.
The best response to a RAC audit is always a fast, organized, professional response. If you do not have the internal resources to do that, get help immediately.
RAC Audit Red Flags Checklist — Print This Out
Use this checklist in your practice right now. If you answer “no” to more than three of these questions, your practice has meaningful audit exposure.
- We document medical necessity clearly in every patient note
- Our coders completed training on 2026 CPT and ICD-10 updates
- We have a written policy for how to respond to ADRs
- We keep all patient records for at least 7 years
- We have reviewed our place-of-service codes for accuracy
- We run internal claim audits at least once per quarter
- We do not bill separately for procedures that should be bundled
- Our diagnosis codes always match the clinical documentation
- We have a professional billing advocate monitoring our claims
- We know all five levels of the Medicare appeals process
If you found gaps, the team at Pro Health Care Advisors can help you close them — before a RAC auditor finds them first.
Frequently Asked Questions About RAC Audits
Q: How will I know if my practice has been selected for a RAC audit?
A: The first official notice is an Additional Documentation Request (ADR) letter from the Recovery Audit Contractor. There is no prior warning. This is why ongoing monitoring and clean documentation are so important — you prepare as if an audit could arrive any day.
Q: Can a RAC audit target a practice that has never had billing problems before?
A: Absolutely. RAC selection is largely data-driven. A practice with a clean history can still be selected if its billing profile looks statistically unusual compared to peers — even if every claim is completely legitimate. Being selected does not mean you did anything wrong.
Q: What is the difference between a RAC audit and an OIG investigation?
A: A RAC audit reviews payment accuracy and asks for overpayments back. An OIG investigation is a federal fraud inquiry that can result in criminal charges, civil penalties, and exclusion from Medicare and Medicaid. They are very different in scope and seriousness.
Q: How long does a RAC audit typically take?
A: From the initial ADR to final resolution — including any appeals — a RAC audit can take anywhere from a few months to several years. Complex cases with multiple appeal levels often take 18 to 36 months. This is another reason to have professional support: managing a multi-year audit process while running a practice is extremely difficult without help.
Q: Can I refuse to respond to an ADR?
A: Technically, you can choose not to respond — but you should never do this. Ignoring an ADR results in automatic unfavorable findings for all claims requested, plus CMS will begin offsetting your future payments. Always respond, and always respond on time.
Q: Is MD Audit Shield only for large practices?
A: No — and that is specifically why we built it. Large hospital systems have compliance departments, legal teams, and internal audit staff. Solo practitioners and small group practices often have none of those resources. MD Audit Shield was designed exactly for small and individual practices that need professional-level protection without the overhead of a full compliance department. Contact us to get a quote for your practice size.
Q: What should I do if I discover a billing error before an audit?
A: Self-disclosure is almost always better than being caught. CMS has a Self-Referral Disclosure Protocol (SRDP) and other mechanisms for voluntary disclosure. Proactively correcting and reporting errors typically results in significantly reduced penalties compared to being found through an audit. Work with your billing team or legal counsel before taking action.
Q: Does physician credentialing affect RAC audit risk?
A: Yes, indirectly. Providers who are not properly credentialed with the payers they are billing create claim validation errors that can trigger closer scrutiny. Keeping your physician credentialing current is part of a comprehensive compliance strategy.