How Inpatient Coding Audits Work and What Triggers CMS Scrutiny

 

The letter arrives from a Recovery Audit Contractor. Sixty inpatient records have been selected for complex medical review. The hospital has 45 days to respond. Each chart requires pulling the full admission record, utilization review documentation, and physician notes going back two years. The compliance team drops everything else.

That scenario repeats thousands of times each year across U.S. hospitals. And for the organizations it hits, the cost is never just the potential recoupment on the records under review. It is the staff hours absorbed, the appeals workload that follows, the disruption to ongoing billing operations, and the elevated scrutiny that tends to continue once a hospital has been identified as a review target.

 

Understanding how inpatient coding audits work, which audit programs are currently active, and what patterns in a hospital's billing data draw CMS attention is not a compliance department exercise. It is a financial risk management question that revenue cycle leaders, CFOs, and coding managers should be able to answer before an audit notice arrives rather than after.

 

The Audit Landscape: Who Is Reviewing Inpatient Claims and Why

 

Inpatient hospital billing operates under a layered oversight structure. Multiple federal programs conduct different types of reviews, with different scopes, different timelines, and different financial consequences. Knowing which program is reviewing what, and why, shapes how a hospital should approach both its internal compliance posture and its response to external audit activity.

 

Recovery Audit Contractors

 

Recovery Audit Contractors, or RACs, are private auditing firms contracted by CMS to identify Medicare overpayments and underpayments on a contingency fee basis. RACs earn a percentage of the overpayments they recover, which creates a structural incentive to target high-dollar claim categories. Inpatient claims, with their larger per-claim values relative to outpatient billing, are a consistent RAC focus.

 

RACs conduct two types of reviews. Automated reviews use data analytics to identify claims that appear to have been billed incorrectly based on the claim data alone, without reviewing the underlying medical record. Complex reviews require the hospital to submit medical records, which an auditor then reviews against clinical documentation standards. Complex reviews on inpatient admissions most commonly target medical necessity, MS-DRG coding accuracy, and admission status determinations.

 

CMS publishes the approved audit issues that RACs are authorized to review. Inpatient MS-DRG coding validation has been a continuously active RAC audit topic. Hospitals with high frequencies of MCC-level DRG assignments relative to their diagnosis mix, or with DRG assignment patterns that diverge from peer hospitals in their region, are statistically more likely to draw RAC selection.

 

Medicare Administrative Contractors

 

Medicare Administrative Contractors, or MACs, administer Medicare Part A and Part B claims processing for their designated jurisdictions. MACs conduct their own probe and educate reviews, prepayment reviews, and targeted post-payment reviews independent of RAC activity. MAC prepayment reviews, which require additional documentation before a claim is paid, apply to inpatient claims that the MAC's automated systems flag as potentially non-compliant before payment is issued.

 

MAC reviews on inpatient claims frequently focus on two-midnight rule compliance, admission order documentation, and the presence of a formal physician certification supporting the inpatient admission. When a MAC places a hospital on prepayment review status, the administrative burden of responding to documentation requests before payment applies to every flagged claim until the review is resolved.

 

Office of Inspector General

 

The Office of Inspector General publishes an annual Work Plan that identifies the audit and evaluation priorities CMS and HHS are focusing on for the coming year. For inpatient hospital billing, OIG Work Plan items relevant to coding and documentation have historically included inpatient MS-DRG coding accuracy at the highest severity levels, hospital billing for services that should have been provided in less intensive settings, and documentation supporting the medical necessity of specific high-cost procedures.

 

OIG audits differ from RAC audits in scope and consequence. OIG findings can result in recommendations that CMS implement systemic changes to oversight processes, referrals to the Department of Justice, or voluntary self-disclosure obligations when a hospital's internal audit identifies a billing practice that may constitute a False Claims Act violation. The OIG's published findings on individual hospital audits are publicly available and often cite specific documentation failures as the root cause of identified overpayments.

 

Targeted Probe and Educate

 

CMS's Targeted Probe and Educate program, administered through the MACs, conducts focused reviews on specific billing patterns at individual providers. Unlike RAC audits, TPE reviews are framed as educational interventions: the MAC selects a sample of claims in a target category, reviews them, provides feedback to the provider, and re-reviews to assess whether the identified issues have been corrected. For hospitals identified in TPE reviews, the program can trigger escalating levels of oversight if initial reviews reveal systemic billing accuracy problems.

 

What CMS Audit Programs Are Currently Targeting

 

The specific inpatient billing patterns that draw audit attention shift year to year as CMS, OIG, and RAC priorities evolve. Understanding the current focus areas helps hospitals assess their exposure before an audit notice arrives.

 

Several inpatient billing categories have drawn consistent CMS attention in recent years and remain active areas of review. Hospital compliance and revenue cycle teams should assess their own claim data against each of these patterns to identify whether their billing reflects practices that auditors are currently reviewing in their peer group:

 

1. Inpatient medical necessity and two-midnight documentation. The two-midnight rule requires that a physician's expectation of a medically necessary hospital stay spanning at least two midnight periods support every inpatient admission. RAC and MAC reviews on this issue consistently find that the documentation supporting the admission decision, specifically the physician's recorded clinical reasoning at the time of admission, does not meet the standard required to defend the admission under retrospective review. The care itself may have been entirely appropriate. The documentation does not survive audit.
2. MS-DRG coding validation at the highest severity levels. OIG and RAC reviews have consistently identified higher error rates on claims assigned to the highest MS-DRG severity tiers. Claims coded with MCCs attract disproportionate audit selection because the financial stakes are higher and the coding accuracy requirements are more demanding. A hospital that codes a high proportion of its inpatient stays at MCC level relative to regional peers will draw statistical scrutiny regardless of whether the individual claims are accurate.
3. Admission status misclassification. Claims where a patient received inpatient-level care but the documentation does not support inpatient status, or conversely where a patient in observation status was billed under Part A, represent a category of billing error that RACs have targeted aggressively. The two-midnight rule and Medicare Advantage plan coverage determinations both require clear, contemporaneous documentation of the status decision at the time of admission.
4. Short-stay inpatient admissions. Inpatient admissions with a length of stay under two midnights face heightened medical necessity scrutiny. CMS expects that short-stay inpatient admissions reflect genuinely complex clinical presentations that required inpatient-level management. When short-stay admissions appear frequently in a hospital's billing data without documentation supporting the clinical complexity, auditors interpret the pattern as potential misclassification of cases that should have been managed in observation.
5. High-cost inpatient procedures and implants. Claims for specific high-cost inpatient procedures, implantable devices, and newer surgical techniques have appeared on OIG Work Plans and RAC approval lists in recent years. The review typically focuses on whether the clinical documentation supports both the medical necessity of the procedure and the specific procedural coding used, particularly where ICD-10-PCS specificity requirements are most demanding.
6. Post-acute transfer payment adjustments. When an inpatient patient is discharged to a post-acute care facility before the average length of stay for the assigned DRG, CMS applies a per-diem payment calculation rather than the full DRG rate. RAC automated reviews routinely identify claims where the full DRG payment was made on transfers that should have triggered the per-diem adjustment, and issue demand letters for the difference.

 

How an Inpatient Coding Audit Actually Proceeds

 

Most hospital administrators know that audits happen. Fewer have a detailed understanding of how the audit process unfolds from initial selection through resolution, which matters because the hospital's options at each stage depend on the stage it is in.

 

Claim Selection

 

RAC and MAC audits begin with claim selection driven by data analytics. Automated systems compare a hospital's billing patterns against expected patterns derived from peer group data, national benchmarks, and CMS's own claims history. Specific triggers include DRG assignment frequencies that differ from regional peers, high ratios of MCC-coded admissions, patterns of short-stay inpatient claims in specific diagnosis categories, and claim characteristics that the auditor's algorithms identify as statistically associated with billing errors in prior reviews.

 

Hospitals are not typically notified before claim selection occurs. The first indication that a review is underway is usually a records request or a demand letter. For prepayment reviews, the flag occurs before payment is processed, and the hospital receives a development request requiring additional documentation before the claim is adjudicated.

 

Records Request and Submission

 

For complex reviews, the RAC or MAC requests the medical records supporting the selected claims. Hospitals generally have 45 days to submit records in response to a RAC additional documentation request. The submission must include all documentation relevant to the audit issue: admit orders, physician certifications, clinical notes from the full admission, utilization review documentation, and any other records the auditor specifies.

 

The quality of the documentation submitted at this stage largely determines the audit outcome. Auditors review the records against the specific compliance standard at issue. For medical necessity reviews, they assess whether the contemporaneous documentation at the time of admission reflects the clinical reasoning required under the two-midnight rule. For DRG coding reviews, they assess whether the coded diagnoses and procedures are supported by the clinical record.

 

Determination and Demand

 

When a RAC or MAC auditor determines that a claim was overpaid, the contractor issues a demand letter requiring repayment of the identified overpayment amount, typically with interest from the date of the original payment. The hospital has the right to appeal the determination through a multi-level appeals process that begins with a redetermination request to the contractor and can proceed through Administrative Law Judge review, the Medicare Appeals Council, and federal court.

 

The appeals process is time-limited at each level, and the hospital's ability to introduce new documentation or arguments narrows as the appeal progresses. Evidence not submitted at the redetermination level may not be introducible at subsequent levels. This is why hospitals whose billing operations are reactive to audits face structural disadvantages compared to those whose documentation standards were built to withstand review from the outset.

 

Extrapolation

 

In cases where a sample audit finds a statistically significant error rate, the auditor may extrapolate the error rate across the full universe of similar claims paid during the audit period. Extrapolation can convert a finding on a sample of 50 records into a recoupment demand that covers thousands of claims. For hospitals with systemic documentation problems in a specific billing category, extrapolation is the mechanism by which a manageable audit becomes a major financial event.

 

Internal Audit Programs: The First Line of Protection

 

The most effective protection against external audit findings is an internal audit program that identifies the same documentation and coding problems before they appear in a demand letter. A hospital that already knows its compliance gaps, has corrected them, and can document the remediation is in a fundamentally different position under external review than one that first learns of the problem from an auditor.

 

Inpatient coding compliance programs at well-run hospitals typically include both prospective and retrospective audit components. Each serves a different purpose, and neither alone is sufficient to maintain the documentation standards that CMS currently requires.

 

A complete internal inpatient coding audit program covers the following components, each addressing a distinct part of the compliance risk surface:

 

1. Prebill audit of high-risk claims. Prospective review of inpatient claims before submission identifies DRG coding errors, missing documentation, and admission status issues while there is still time to correct them. AAPC guidelines recommend a second-level prebill review process for high-risk inpatient situations as a standard component of clean claim production. Claims corrected before submission never generate a demand letter.
2. Concurrent CDI review against two-midnight standards. Clinical documentation improvement specialists reviewing inpatient records during the admission, while the treating physician is still available for queries, can resolve documentation gaps before discharge. Retrospective CDI review after discharge produces corrections that require a more formal physician query process and cannot amend documentation for claims already submitted.
3. DRG validation audit against peer benchmarks. Comparing a hospital's MS-DRG assignment distribution against CMS peer data for the same diagnosis mix identifies categories where the hospital's coding diverges from expected patterns. Divergence in either direction, high or low, represents audit exposure. High MCC rates relative to peers attract RAC attention. Low MCC rates may indicate documentation gaps that are costing the hospital legitimate reimbursement.
4. Admission status review. Regular internal review of short-stay inpatient admissions against two-midnight documentation standards catches misclassification before RAC automated systems identify the same pattern externally. When internal review identifies systemic misclassification, corrective action through the voluntary refund process is both less costly and less damaging than recoupment under a RAC demand.
5. Post-payment sampling by denial reason code. Tracking denial patterns from external audits and payer reviews by specific reason code identifies the documentation and coding issues generating the most audit exposure. When a specific denial type appears repeatedly, the root cause is almost always a process gap that internal audit can identify and address before the pattern draws broader scrutiny.

 

How ADS Supports Inpatient Coding Compliance

 

ADS has supported hospital and health system revenue cycle operations since 1977. The combination of high per-claim dollar values, complex coding requirements, and concentrated federal oversight that defines inpatient billing requires a billing infrastructure specifically designed for that environment, not adapted from a general outpatient platform.

 

Organizations like New Bridge Medical Center have used ADS infrastructure to manage the documentation workflow alignment between clinical care, CDI, and billing that inpatient coding compliance requires. The ADSRCM platform processes nearly 50 million EDI transactions annually and maintains a nearly 99% first-pass clean claim rate by building compliance validation into the pre-submission workflow rather than the denial recovery cycle.

 

For inpatient billing specifically, that means admission status validation, two-midnight documentation screening, DRG coding review against documentation support, and pre-submission claim scrubbing are applied before claims leave the system. The result is a billing operation where the documentation standard that survives external audit is the same standard that governs every claim at submission, not a retrospective standard applied after a demand letter arrives.

 

Hospitals evaluating their current inpatient coding compliance posture can explore the ADS approach at adsc.com/revenue-cycle-management. The team at 1-800-899-4237 ext. 2264 answers in under two minutes.

 

Ready to see what 49 years of inpatient revenue cycle expertise looks like applied to your coding compliance and audit readiness?

 

Request a Live Demonstration and see how ADSRCM builds audit-ready documentation standards into your inpatient billing workflow. Call 1-800-899-4237 ext. 2264 and a real person answers in under two minutes.

 

Sources

 

CMS Recovery Audit Contractor Program (cms.gov) | OIG Work Plan (oig.hhs.gov) | AAPC Knowledge Center (aapc.com) | American Hospital Association (aha.org) | Advanced Data Systems Corporation (adsc.com)