Schedule a Consultation

In May 2025, CMS expanded its Medicare Advantage audit program from roughly 60 plans to all 550 eligible contracts and grew its medical coder workforce from 40 to 2,000, working through a backlog of audits spanning payment years 2018 through 2024. If your healthcare organization operates in a risk-sharing or capitated arrangement, that exposure flows directly from plan to provider. This guide covers what the expanded RAC and RADV audit environment means for your revenue cycle, which audit triggers are rising in 2026, and the compliance disciplines that separate clinics that absorb recoupments from those that prevent them.

In May 2025, CMS announced it would expand its Medicare Advantage audit program from roughly 60 plans a year to all 550 eligible contracts, reviewed annually, while growing its medical coder workforce from 40 to 2,000. For healthcare organizations in risk-sharing or capitated arrangements, that financial exposure flows directly downstream from plan to provider. If your organization has not already re-evaluated its HCC documentation accuracy, coding audit protocols, and RAC response workflows, you are already a full audit cycle behind. This article explains what has changed, what it means for your revenue cycle, and what to do about it now.

A Recovery Audit Contractor (RAC) audit is a post-payment review, conducted by private contractors authorized by CMS, that identifies and recovers improper Medicare payments, both overpayments and underpayments, from healthcare providers. RACs are paid on a contingency fee basis: their compensation is a percentage of the improper payments they identify. A Risk Adjustment Data Validation (RADV) audit is a related but distinct program. It is CMS’s mechanism for verifying that the diagnosis codes Medicare Advantage plans submit for risk-adjusted payments are actually supported by clinical documentation. As of 2025, CMS audits all 550 eligible MA contracts annually, making RADV exposure a routine operational risk for any provider in a Medicare Advantage risk-sharing arrangement. With over 2 decades of legacy in US healthcare RCM, blueBriX understands that navigating this landscape demands more than just reacting to denials – it requires foresight, precision, and proactive strategy.

This isn’t just about avoiding penalties; it’s about protecting your financial health, ensuring uninterrupted patient care, and maintaining your reputation. So, what exactly should your hospital be watching now, and how can you transform potential threats into opportunities for operational excellence?

Common triggers for RAC audits

RACs don’t select claims at random – they target patterns and billing practices that suggest possible errors or non-compliance. Some common triggers and causes for RAC audits include:

Triggers for RAC Audits

  • Upcoding or coding errors: Billing with codes that yield higher payment than supported (upcoding) or other incorrect coding practices can raise red flags. For instance, routinely billing high-level evaluation & management codes or improper use of certain modifiers may trigger a review.
  • Lack of medical necessity: Claims for services that may not be medically necessary, or that were provided in an inappropriate setting, are prime RAC targets. An example is an inpatient hospital admission for a condition that could safely be managed outpatient – RACs often scrutinize inpatient vs. outpatient decisions and other medical necessity judgments.
  • Insufficient documentation: Even if care was appropriate, incomplete or missing documentation to support the billed services can lead to an audit finding. RACs look for documentation to justify the level of service, treatments, and diagnoses billed; charts lacking key details (e.g. physician orders, progress notes, or justification for therapy intensity) are vulnerable.
  • Duplicate or unwarranted billing: Submitting claims for the same service more than once (duplicates) or billing for services not actually rendered will attract RAC attention. RAC data analysis can quickly spot duplicate claim submissions or overlaps that suggest an error or fraud.
  • Irregular billing patterns and high-cost claims: Medicare providers whose billing patterns deviate significantly from peers may be audited. Examples include unusually high volumes of certain procedures, excessive use of certain billing codes, or a spike in high-cost outlier claims. Services that the OIG and CMS have flagged for frequent fraud/abuse are also targets – RACs receive approved issue lists (e.g. specific DRGs, durable medical equipment, or therapy services) that focus their audits on known problem areas.

It’s worth noting that RAC audit issues can vary by provider type. For example, hospitals often face audits for inpatient medical necessity and DRG coding validation, physician practices might be reviewed for coding levels of office visits, and post-acute providers (home health, hospice, skilled nursing facilities) frequently see audits on therapy documentation or patient eligibility criteria. Being aware of the common risk areas in your practice setting can help in focusing your compliance efforts.

The evolving audit horizon: key shifts for hospitals

Medicare’s Recovery Audit Contractors (RACs) were established to identify and correct improper Medicare payments. While their core mission remains, the strategies and intensity of their audits are evolving dramatically, especially for 2025 and beyond.

Medicare advantage (RADV) audits intensifying

This is arguably the biggest game-changer. CMS is aggressively expanding its Risk Adjustment Data Validation (RADV) audits for Medicare Advantage (MA) plans.

  • Unprecedented scope: CMS plans to audit all eligible MA contracts annuallyβ€”a staggering increase from approximately 60 to over 550 plans per year.
  • Accelerated backlog clearance: CMS aims to complete all outstanding RADV audits for Payment Years 2018 through 2024 by early 2026, meaning retroactive scrutiny will be intense.
  • Increased sample sizes: Expect auditors to review significantly more records per plan (from 35 to potentially 200), exponentially increasing the documentation workload for both MA plans and, crucially, their provider partners.
  • Massive workforce expansion: CMS is scaling its medical coder workforce from a mere 40 to an astonishing 2,000 by September 1, 2025, signaling a serious commitment to manual review and recoupment.
  • Direct impact on hospitals: While audits target MA plans, the financial burden often flows down to hospitals, especially those in risk-sharing or capitated arrangements. Unsupported diagnoses can lead to direct recoupments from providers.

Note: In September 2025, a federal court (N.D. Tex., Humana Inc. v. Becerra) vacated portions of the 2023 RADV Final Rule β€” including the extrapolation methodology CMS intended to use to apply small-sample audit findings across an entire MA contract β€” on procedural grounds, finding CMS had not followed required notice-and-comment rulemaking[2]. CMS appealed the ruling in November 2025[3]. In a January 2026 memorandum, CMS confirmed it will comply with the court’s order for as long as it remains in effect, meaning extrapolation is currently paused even as CMS continues its accelerated audit schedule and record requests[4]. Most Medicare Advantage plans and their provider partners are continuing full audit preparation on the assumption that extrapolated exposure will return as a long-term program reality once the appeal or a new rulemaking is resolved. Confirm current litigation status with legal counsel before adjusting your compliance posture or responding to a RADV-related audit finding.

The AI revolution in auditing

Auditors are no longer solely reliant on manual reviews.

  • Sophisticated data analysis: Medicare auditors are increasingly leveraging Artificial Intelligence (AI) and advanced data analytics tools to scrutinize vast volumes of claims data. These tools flag unusual patterns, anomalies, and potential improper billing practices with unprecedented speed and accuracy.
  • Predictive capabilities: AI can identify high-risk areas, predict audit vulnerabilities, and even pinpoint specific diagnosis codes or Hierarchical Condition Categories (HCCs) that warrant deeper investigation.
  • What this means for You: Errors or inconsistencies that might have slipped through the cracks in the past are now more easily detected, demanding a proactive, technology-driven defense.

OIG’s unwavering gaze

The Office of Inspector General (OIG) continues its relentless pursuit of fraud, waste, and abuse, influencing RAC focus areas.

  • High-cost services under scrutiny: Expect enhanced focus on high-cost services like surgeries, specialty treatments, and long-term care, where higher reimbursements make them prime targets for potential billing errors.
  • Telehealth compliance: As telehealth becomes an entrenched mode of care delivery, audits will increasingly scrutinize documentation and adherence to specific regulations for virtual visits.
  • Clinical diagnostic lab tests: A new OIG Work Plan item for 2025 specifically targets Medicare payments for clinical diagnostic laboratory tests, emphasizing medical necessity and proper documentation[5].

The persistent burden

Despite advancements, the fundamental challenges of RAC audits persist.

  • Cash flow disruption: Post-payment audits often result in recoupments for claims that are years old, creating significant and often sudden cash flow disruptions for hospitals already operating on thin margins.
  • Administrative drain: Responding to audits, gathering documentation, preparing appeals, and managing the lengthy appeals process consumes immense administrative resources, diverting staff time and focus from critical patient care.
  • Uncertainty: The multi-year lookback period creates prolonged financial planning uncertainty, making it difficult for hospital leaders to budget and allocate resources effectively.

Key performance indicators (KPIs) for RAC audit readiness

Monitoring key performance indicators (KPIs) is critical for hospital administrators to effectively manage RAC audits. These metrics provide a clear, actionable framework for measuring the effectiveness of audit readiness and compliance programs. By tracking these KPIs, hospitals can move beyond simply reacting to audits, enabling proactive monitoring, early identification of weaknesses, and targeted interventions. These indicators transform abstract compliance goals into concrete, measurable objectives that can be tracked over time, demonstrating improvement and justifying necessary investments in RCM and compliance infrastructure.

  • Overall denial rate – Measures the percentage of claims denied by RACs (by volume and dollar amount). It helps identify systemic issues and prioritize areas for improvement. For example, if a hospital submits 10,000 claims and 1,200 are denied, the denial rate is 12%. If the total value of denied claims is $1.2 million out of $10 million billed, the dollar-based denial rate is also 12%.
  • Appeal success rate – Tracks the percentage of appealed claims that result in favorable outcomes. This indicates the effectiveness of the appeals process and quality of documentation. For example, out of 500 appealed claims, 300 are overturned in favor of the hospital. The appeal success rate is 60%.
  • Administrative cost per audit – Calculates total labor and resource costs for responding to audits and appeals. It reveals hidden burdens and opportunities for efficiency gains. As an illustration: if a healthcare organization spends $55,000 annually on staff time, legal fees, and documentation for 500 audits, the cost per audit is $110.
  • Cash flow impact – Assesses the direct financial effect of recoupments on hospital operations. This is essential for managing liquidity and preparing for financial shortfalls. For example, RAC audit could result in a recoupment of $500,000, affecting the hospital’s ability to meet payroll or purchase equipment, causing a temporary liquidity shortfall.
  • Response time – Measures the average time taken to respond to RAC documentation requests. This is critical for maintaining compliance and avoiding technical denials. As an illustration: if the average response time to RAC documentation requests is 12 days, and the compliance window is 14 days, there’s little margin for error.
  • Staff productivity metrics – Evaluates efficiency of staff handling audit-related tasks (e.g., cases per auditor). It helps optimize resource allocation and identify training needs. For example: if each auditor processes 25 cases per week and productivity drops to 15 cases due to complex audits, it signals a workflow bottleneck.
  • Overall coding accuracy – Tracks the percentage of correctly coded claims (diagnostic, procedural, modifiers). This directly influences denial rates and reflects coding quality and training effectiveness. For example, if out of 5,000 claims reviewed, 4,600 are correctly coded, the coding accuracy rate is 92%, indicating strong coding practices but room for improvement

The figures above are illustrative examples meant to show how each KPI is calculated, not national benchmarks. Actual denial rates, appeal outcomes, and administrative costs vary significantly by clinic size, payer mix, and state, so use your own historical data, not these examples, to set internal targets.

Tracking these KPIs not only highlights the challenges hospitals face during RAC auditsβ€”it also underscores the urgent need for a proactive, technology-driven solution. That’s where blueBriX RCM comes in, offering a strategic defense against audit risks by transforming reactive processes into resilient, data-informed operations.

Get ahead of your next audit

CMS is not slowing down. With all 550 eligible Medicare Advantage plans now under annual audit and its coder workforce scaled to 2,000, the window to find and fix documentation gaps before an auditor does is narrowing. blueBriX works with healthcare organizations to run the internal audit first, identifying HCC coding gaps, medical necessity documentation weaknesses, and appeals process bottlenecks before they turn into recoupments.

Schedule a demo

blueBriX RCM: your proactive defense against audit risks

At blueBriX RCM, audit defense is not a separate function bolted onto billing. It runs through documentation, coding, and claims submission from the start. With over 2 decades of experience in the US healthcare market, we partner with clinics to turn the specific risks outlined above, RADV exposure, inpatient medical necessity, and DRG validation, into a managed, monitored part of the revenue cycle rather than a recurring surprise.

Precision documentation & coding

RADV audits turn on whether an HCC code is backed by clean documentation. blueBriX’s coding and clinical documentation improvement (CDI) teams check each diagnosis against current risk adjustment models, including the ongoing V24 to V28 transition, before a claim goes out.

  • HCC and risk adjustment coding: Dedicated review of HCC and risk-adjustment coding, built around CMS’s evolving HCC categories to reduce the documentation gaps that trigger RADV scrutiny.
  • Clinical documentation improvement (CDI): CDI teams confirm that each diagnosis submitted for risk adjustment is backed by MEAT-level documentation (monitor, evaluate, assess, treat) before it reaches a claim.
  • Real-time claim scrubbing: Automated scrubbing checks codes against a comprehensive code library and flags gaps before submission, contributing to blueBriX’s 98% clean claim rate.

Proactive internal audits

The same categories RACs target, inpatient medical necessity, DRG validation, and coding accuracy, are the categories blueBriX’s internal audit program reviews first.

  • Continuous monitoring: Ongoing internal review of medical necessity, DRG validation, and coding accuracy, applying the same criteria RAC auditors use.
  • Data-driven risk assessment: Analytics surface billing patterns and peer-benchmark outliers, so a coding drift gets corrected internally before it becomes an external audit finding.

Empowered workforce

Documentation gaps usually show up at the seam between clinical and billing staff, not within either team alone.

  • Ongoing education: Regular training for coding, billing, and clinical staff on current Medicare rules, HCC model changes, and common audit triggers.
  • Interdepartmental collaboration: Structured communication between clinical and administrative teams so documentation is written to support the code from the start, rather than reconstructed after a denial.

AI and automation for claims and RADV readiness

Payers and RACs are already using AI to flag claims for review. blueBriX applies the same discipline on the provider side: AI-suggested codes and documentation gaps are checked against CMS compliance requirements and payer-specific rules before they reach a chart or a claim.

  • AI-assisted coding review: AI-suggested HCC codes and documentation gaps are flagged for human review rather than submitted automatically, keeping a compliance check on every AI-assisted coding decision.
  • Governed denial management: Denial identification and analysis are automated, with resolution suggestions checked against payer rules before your team acts on them.
  • Predictive analytics: Dashboards track coding gaps and audit risk indicators, so your team can act on emerging exposure rather than discover it during an audit.

Structured appeals management

When a finding does occur, response time matters as much as the argument itself.

  • Response protocols: Clear, documented protocols for responding to RAC and RADV audit requests within CMS’s compliance windows.
  • Appeals support: Guidance through the Medicare appeals process as a finding moves through each level of review.
  • Performance reporting: Reporting on denial rates, appeal outcomes, and recovery status to inform internal audit priorities going forward.

Why clinics can't afford to wait

The stakes are higher than ever. With median healthcare organizations operating margins now at just 1.3% adjusted year-to-date β€” the lowest benchmark in recent years outside the COVID disruption period β€” and hundreds of rural healthcare organizations at risk of closure, unexpected recoupments can be devastating. healthcare organizations spend hundreds of thousands, if not millions, annually on audit appeals and denials. While appeal success rates can be high (some historical data suggests up to 75% for certain cases), navigating the appeals process is an arduous, time-consuming endeavor.

Financial impact:

  • Cash flow disruptions: RACs target claims up to three years old, forcing hospitals to repay funds already spent.
  • Thin margins: With a median operating margin of just 1.3% adjusted year-to-date in 2025 (Kaufman Hall, February 2026), clinics have little to no buffer for unexpected costs[6]. For rural and safety-net healthcare organizations in particular, margins are frequently at or below zero.
  • Large recoveries: Over $2 billion was recovered in FY 2021 alone, with a sharp rise in overpayments since 2010.
  • RuralΒ healthcare organizationsΒ risk: Over 700 rural hospitals face closure, with RAC recoupments potentially pushing many into insolvency[7].

Note: Beyond audit recoupments, the broader legislative and regulatory environment compounds this financial pressure. The One Big Beautiful Bill Act (H.R. 1), signed into law in July 2025, reduces federal Medicaid spending by more than $900 billion over ten years, according to Congressional Budget Office estimates, through new work requirements, more frequent eligibility redeterminations, and new limits on the state-directed payments many clinics rely on[8]. Separately, the expiration of the ACA’s enhanced premium tax credits at the end of 2025 is projected to cost rural healthcare organizations an additional $1.6 billion annually in patient revenue, according to the Commonwealth Fund (February 2026)[9]. For clinics CFOs and revenue cycle teams, RAC and RADV exposure now sits alongside this broader funding pressure rather than as an isolated compliance line item.

Administrative burden:

  • High costs: Hospitals spend hundreds of thousands to millions annually on RAC-related appeals and audits.
  • Resource diversion: Staff time is redirected from patient care to managing audits and appeals.
  • Uncertainty: The three-year lookback period complicates long-term financial planning.
    Balancing Financial and Administrative Burdens in Hospitals

Appeals and accuracy issues:

  • Appeal success: Hospitals often succeed in overturning denials (e.g., 56% at MAC level in 2019).
  • Discrepancy in accuracy: CMS RAC annual reports to Congress cite self-reported accuracy rates of 94.6% to 99.6%. Yet in 2019, providers who appealed RAC denials at the first level (the Medicare Administrative Contractor, or MAC) succeeded in having 56% of those denials overturned, partially or fully, in their favor. Clinic associations and industry analysts have long pointed to that gap as evidence that RAC self-reported accuracy overstates real-world review quality.
  • Incentive misalignment: RACs earn commissions on denials, encouraging aggressive claim rejections.

The true burden of RAC audits lies not just in financial recoupments but in the hidden costs of administrative strain and resource diversion. A proactive audit management strategy is essential to mitigate these impacts. This isn’t a problem that will solve itself; it’s an escalating challenge that demands immediate, strategic action.

Don't just react. lead.

The future of healthcare RCM is proactive, data-driven, and relentlessly compliant. As RAC audits intensify and the technological arms race in auditing accelerates, your hospital’s financial stability hinges on its ability to adapt and innovate.

Partner with blueBriX RCM to turn audit readiness from a recurring cost into a predictable one.

Schedule your free revenue cycle assessment to see where your clinic’s HCC coding, documentation, and appeals workflows stand today, before your next RAC or RADV request arrives.

 

About the author

Suresh Kumar M

Suresh Kumar serves as Vice President of Revenue Cycle Strategy at ZH, bringing more than 17 years of experience in healthcare revenue operations and medical coding services. With a strong background in healthcare IT and a track record of measurable financial results, he helps organizations turn complex revenue challenges into scalable, system-wide improvements.

References

  1. CMS. “CMS Rolls Out Aggressive Strategy to Enhance and Accelerate Medicare Advantage Audits.” CMS Newsroom, May 21, 2025. https://www.cms.gov/newsroom/press-releases/cms-rolls-out-aggressive-strategy-enhance-accelerate-medicare-advantage-audits
  2. United States District Court, Northern District of Texas. Humana Inc. et al. v. Becerra et al., No. 4:24-cv-00909-O, Order on Motion for Summary Judgment, Sept. 25, 2025. https://litigationtracker.law.georgetown.edu/wp-content/uploads/2023/09/Humana-Inc._2025.09.25_ORDER-ON-MOTION-FOR-SUMMARY-JUDGMENT.pdf
  3. Crowell & Moring LLP. “CMS Appeals Humana v. Becerra.” Client Alert, Nov. 2025. https://www.crowell.com/en/insights/client-alerts/cms-appeals-humana-v-becerra
  4. Dentons. “CMS Issues Proposed Changes to MA Risk Adjustment Process and RADV Audit Update.” Dentons On Call, Jan. 2026. https://www.dentonshealthlaw.com/cms-issues-proposed-changes-to-ma-risk-adjustment-process-and-radv-audit-update/
  5. HHS Office of Inspector General. “Medicare Payments for Clinical Diagnostic Laboratory Tests in 2025.” OIG Work Plan https://oig.hhs.gov/reports/work-plan/browse-work-plan-projects/medicare-payments-for-clinical-diagnostic-laboratory-tests-in-2025/
  6. Kaufman Hall. “Hospitals Face the 2026 ‘New Normal’: Rising Expenses & Shifting Revenue Mix.” National Hospital Flash Report, Feb. 10, 2026. https://www.kaufmanhall.com/news/hospitals-face-2026-new-normal-rising-expenses-and-shifts-revenue-mix
  7. Center for Healthcare Quality and Payment Reform. “Rural Hospitals at Risk of Closing.” https://chqpr.org/downloads/Rural_Hospitals_at_Risk_of_Closing.pdf
  8. Congressional Research Service. “Health Coverage Provisions in One Big Beautiful Bill Act (H.R. 1).” Congress.gov, R48569. https://www.congress.gov/crs-product/R48569
  9. Haught, R., Dobson, A., McGuire, C., Coleman, A. “Without Renewal of Enhanced Premium Tax Credits, Rural Hospital Revenues Will Drop by $1.6 Billion.” Commonwealth Fund, Nov. 2025 https://www.commonwealthfund.org/blog/2025/without-renewal-enhanced-premium-tax-credits-rural-hospital-revenues-will-drop-16-billion

Frequently Asked Questions

The financial impact is substantial and multifaceted:

  • Significant Recoupments: RACs recover billions of dollars annually. For instance, in FY 2021, over $2 billion in improper payments were recovered across various CMS programs. In earlier periods, RACs collected $75.4 million in FY 2010, $797.4 million in FY 2011, and $986.2 million in the first six months of FY 2012 alone.
  • Cash Flow Disruption: Because audits often target claims up to three years old, clinics are forced to return funds that have long since been accounted for, leading to sudden and severe cash flow disruptions. This is particularly challenging for healthcare organizations with median operating margins of just 1.3% adjusted year-to-date in 2025 (Kaufman Hall National Hospital Flash Report, February 2026).
  • Risk of Insolvency: For financially vulnerable institutions, especially the over 700 rural hospitals at risk of closure (Advisory Board, February 2025), unexpected recoupments can be the final blow, pushing them into insolvency.
  • Administrative Costs: Beyond direct recoupments, hospitals incur significant administrative costs in responding to audits. Estimates suggest hospitals spend hundreds of thousands to millions annually on managing RAC appeals, audits, and denials. This includes staff time, legal fees, and technology to manage the process. A 2014 survey indicated the average cost to appeal a RAC audit was about $110 per claim.

Providers who appeal RAC denials succeed at meaningful rates, particularly at the first level. According to 2019 CMS data, providers won 56% of appeals at the Medicare Administrative Contractor (MAC) level, 33% at the Qualified Independent Contractor (QIC) level, and 37% at the Administrative Law Judge (ALJ) level. Some case types have shown overturn rates as high as 75% (Applied Policy, August 2023)KFF. “Over 80% of Prior Authorization Appeals Succeed. Why Aren’t There More?” cited via American Medical Association, Oct. 2024, analyzing CMS data 2019–2022. That gap between the 94.6% to 99.6% accuracy RACs self-report and what providers actually win on appeal is a large part of why a structured appeals strategy matters, even though the process is resource-intensive.

Hierarchical Condition Categories (HCCs) are a system used by CMS to assign a “risk score” to patients in Medicare Advantage (MA) plans, based on their diagnoses. This risk score determines the monthly payment MA plans receive from CMS for each enrollee.

Payment Impact: Patients with more complex or severe conditions (reflected in higher HCC scores) result in higher payments to MA plans, as they are expected to incur higher healthcare costs.

Audit Relevance: RADV audits primarily focus on validating the diagnoses submitted by MA plans that generate these HCCs. If the medical record documentation does not adequately support a submitted diagnosis, CMS considers the associated payment an overpayment.

Provider Responsibility: MA plans rely heavily on provider documentation to support these diagnosis codes. Therefore, accurate, thorough, and timely documentation of diagnoses by clinics and other providers is critical to ensure that MA plans can withstand RADV audits and avoid recoupments that could then flow down to the providers. Incorrect coding, especially if it leads to inflated risk scores, can have severe compliance implications.

blueBriX prepares healthcare organizations for RADV audits primarily through clinical documentation improvement (CDI) and dedicated HCC and risk-adjustment coding review, confirming that each diagnosis submitted for risk adjustment is backed by MEAT-level documentation (monitor, evaluate, assess, treat) before it reaches a claim. Combined with real-time claim scrubbing against a comprehensive code library, this is designed to catch the documentation gaps that RADV audits are built to find.

Yes. Real-time claim scrubbing checks codes against a comprehensive code library and flags coding errors and documentation gaps before a claim goes out, which is a key contributor to blueBriX’s 98% clean claim rate. For HCC and risk-adjustment coding specifically, that scrubbing works alongside blueBriX’s CDI and coding review teams so gaps are caught before submission, not after a RADV audit finding.