In May 2025, CMS expanded its Medicare Advantage audit program from roughly 60 plans to all 550 eligible contracts and grew its medical coder workforce from 40 to 2,000, working through a backlog of audits spanning payment years 2018 through 2024. If your healthcare organization operates in a risk-sharing or capitated arrangement, that exposure flows directly from plan to provider. This guide covers what the expanded RAC and RADV audit environment means for your revenue cycle, which audit triggers are rising in 2026, and the compliance disciplines that separate clinics that absorb recoupments from those that prevent them.
In May 2025, CMS announced it would expand its Medicare Advantage audit program from roughly 60 plans a year to all 550 eligible contracts, reviewed annually, while growing its medical coder workforce from 40 to 2,000. For healthcare organizations in risk-sharing or capitated arrangements, that financial exposure flows directly downstream from plan to provider. If your organization has not already re-evaluated its HCC documentation accuracy, coding audit protocols, and RAC response workflows, you are already a full audit cycle behind. This article explains what has changed, what it means for your revenue cycle, and what to do about it now.
A Recovery Audit Contractor (RAC) audit is a post-payment review, conducted by private contractors authorized by CMS, that identifies and recovers improper Medicare payments, both overpayments and underpayments, from healthcare providers. RACs are paid on a contingency fee basis: their compensation is a percentage of the improper payments they identify. A Risk Adjustment Data Validation (RADV) audit is a related but distinct program. It is CMS’s mechanism for verifying that the diagnosis codes Medicare Advantage plans submit for risk-adjusted payments are actually supported by clinical documentation. As of 2025, CMS audits all 550 eligible MA contracts annually, making RADV exposure a routine operational risk for any provider in a Medicare Advantage risk-sharing arrangement. With over 2 decades of legacy in US healthcare RCM, blueBriX understands that navigating this landscape demands more than just reacting to denials β it requires foresight, precision, and proactive strategy.
This isn’t just about avoiding penalties; it’s about protecting your financial health, ensuring uninterrupted patient care, and maintaining your reputation. So, what exactly should your hospital be watching now, and how can you transform potential threats into opportunities for operational excellence?
Common triggers for RAC audits
RACs donβt select claims at random β they target patterns and billing practices that suggest possible errors or non-compliance. Some common triggers and causes for RAC audits include:

- Upcoding or coding errors: Billing with codes that yield higher payment than supported (upcoding) or other incorrect coding practices can raise red flags. For instance, routinely billing high-level evaluation & management codes or improper use of certain modifiers may trigger a review.
- Lack of medical necessity: Claims for services that may not be medically necessary, or that were provided in an inappropriate setting, are prime RAC targets. An example is an inpatient hospital admission for a condition that could safely be managed outpatient β RACs often scrutinize inpatient vs. outpatient decisions and other medical necessity judgments.
- Insufficient documentation: Even if care was appropriate, incomplete or missing documentation to support the billed services can lead to an audit finding. RACs look for documentation to justify the level of service, treatments, and diagnoses billed; charts lacking key details (e.g. physician orders, progress notes, or justification for therapy intensity) are vulnerable.
- Duplicate or unwarranted billing: Submitting claims for the same service more than once (duplicates) or billing for services not actually rendered will attract RAC attention. RAC data analysis can quickly spot duplicate claim submissions or overlaps that suggest an error or fraud.
- Irregular billing patterns and high-cost claims: Medicare providers whose billing patterns deviate significantly from peers may be audited. Examples include unusually high volumes of certain procedures, excessive use of certain billing codes, or a spike in high-cost outlier claims. Services that the OIG and CMS have flagged for frequent fraud/abuse are also targets β RACs receive approved issue lists (e.g. specific DRGs, durable medical equipment, or therapy services) that focus their audits on known problem areas.
Itβs worth noting that RAC audit issues can vary by provider type. For example, hospitals often face audits for inpatient medical necessity and DRG coding validation, physician practices might be reviewed for coding levels of office visits, and post-acute providers (home health, hospice, skilled nursing facilities) frequently see audits on therapy documentation or patient eligibility criteria. Being aware of the common risk areas in your practice setting can help in focusing your compliance efforts.
The evolving audit horizon: key shifts for hospitals
Medicareβs Recovery Audit Contractors (RACs) were established to identify and correct improper Medicare payments. While their core mission remains, the strategies and intensity of their audits are evolving dramatically, especially for 2025 and beyond.
Medicare advantage (RADV) audits intensifying
This is arguably the biggest game-changer. CMS is aggressively expanding its Risk Adjustment Data Validation (RADV) audits for Medicare Advantage (MA) plans.
- Unprecedented scope: CMS plans to audit all eligible MA contracts annuallyβa staggering increase from approximately 60 to over 550 plans per year.
- Accelerated backlog clearance: CMS aims to complete all outstanding RADV audits for Payment Years 2018 through 2024 by early 2026, meaning retroactive scrutiny will be intense.
- Increased sample sizes: Expect auditors to review significantly more records per plan (from 35 to potentially 200), exponentially increasing the documentation workload for both MA plans and, crucially, their provider partners.
- Massive workforce expansion: CMS is scaling its medical coder workforce from a mere 40 to an astonishing 2,000 by September 1, 2025, signaling a serious commitment to manual review and recoupment.
- Direct impact on hospitals: While audits target MA plans, the financial burden often flows down to hospitals, especially those in risk-sharing or capitated arrangements. Unsupported diagnoses can lead to direct recoupments from providers.
Note: In September 2025, a federal court (N.D. Tex., Humana Inc. v. Becerra) vacated portions of the 2023 RADV Final Rule β including the extrapolation methodology CMS intended to use to apply small-sample audit findings across an entire MA contract β on procedural grounds, finding CMS had not followed required notice-and-comment rulemaking[2]. CMS appealed the ruling in November 2025[3]. In a January 2026 memorandum, CMS confirmed it will comply with the court’s order for as long as it remains in effect, meaning extrapolation is currently paused even as CMS continues its accelerated audit schedule and record requests[4]. Most Medicare Advantage plans and their provider partners are continuing full audit preparation on the assumption that extrapolated exposure will return as a long-term program reality once the appeal or a new rulemaking is resolved. Confirm current litigation status with legal counsel before adjusting your compliance posture or responding to a RADV-related audit finding.
The AI revolution in auditing
Auditors are no longer solely reliant on manual reviews.
- Sophisticated data analysis: Medicare auditors are increasingly leveraging Artificial Intelligence (AI) and advanced data analytics tools to scrutinize vast volumes of claims data. These tools flag unusual patterns, anomalies, and potential improper billing practices with unprecedented speed and accuracy.
- Predictive capabilities: AI can identify high-risk areas, predict audit vulnerabilities, and even pinpoint specific diagnosis codes or Hierarchical Condition Categories (HCCs) that warrant deeper investigation.
- What this means for You: Errors or inconsistencies that might have slipped through the cracks in the past are now more easily detected, demanding a proactive, technology-driven defense.
OIG’s unwavering gaze
The Office of Inspector General (OIG) continues its relentless pursuit of fraud, waste, and abuse, influencing RAC focus areas.
- High-cost services under scrutiny: Expect enhanced focus on high-cost services like surgeries, specialty treatments, and long-term care, where higher reimbursements make them prime targets for potential billing errors.
- Telehealth compliance: As telehealth becomes an entrenched mode of care delivery, audits will increasingly scrutinize documentation and adherence to specific regulations for virtual visits.
- Clinical diagnostic lab tests: A new OIG Work Plan item for 2025 specifically targets Medicare payments for clinical diagnostic laboratory tests, emphasizing medical necessity and proper documentation[5].
The persistent burden
Despite advancements, the fundamental challenges of RAC audits persist.
- Cash flow disruption: Post-payment audits often result in recoupments for claims that are years old, creating significant and often sudden cash flow disruptions for hospitals already operating on thin margins.
- Administrative drain: Responding to audits, gathering documentation, preparing appeals, and managing the lengthy appeals process consumes immense administrative resources, diverting staff time and focus from critical patient care.
- Uncertainty: The multi-year lookback period creates prolonged financial planning uncertainty, making it difficult for hospital leaders to budget and allocate resources effectively.
Key performance indicators (KPIs) for RAC audit readiness
Monitoring key performance indicators (KPIs) is critical for hospital administrators to effectively manage RAC audits. These metrics provide a clear, actionable framework for measuring the effectiveness of audit readiness and compliance programs. By tracking these KPIs, hospitals can move beyond simply reacting to audits, enabling proactive monitoring, early identification of weaknesses, and targeted interventions. These indicators transform abstract compliance goals into concrete, measurable objectives that can be tracked over time, demonstrating improvement and justifying necessary investments in RCM and compliance infrastructure.
- Overall denial rate – Measures the percentage of claims denied by RACs (by volume and dollar amount). It helps identify systemic issues and prioritize areas for improvement. For example, if a hospital submits 10,000 claims and 1,200 are denied, the denial rate is 12%. If the total value of denied claims is $1.2 million out of $10 million billed, the dollar-based denial rate is also 12%.
- Appeal success rate – Tracks the percentage of appealed claims that result in favorable outcomes. This indicates the effectiveness of the appeals process and quality of documentation. For example, out of 500 appealed claims, 300 are overturned in favor of the hospital. The appeal success rate is 60%.
- Administrative cost per audit – Calculates total labor and resource costs for responding to audits and appeals. It reveals hidden burdens and opportunities for efficiency gains. As an illustration: if a healthcare organization spends $55,000 annually on staff time, legal fees, and documentation for 500 audits, the cost per audit is $110.
- Cash flow impact – Assesses the direct financial effect of recoupments on hospital operations. This is essential for managing liquidity and preparing for financial shortfalls. For example, RAC audit could result in a recoupment of $500,000, affecting the hospitalβs ability to meet payroll or purchase equipment, causing a temporary liquidity shortfall.
- Response time – Measures the average time taken to respond to RAC documentation requests. This is critical for maintaining compliance and avoiding technical denials. As an illustration: if the average response time to RAC documentation requests is 12 days, and the compliance window is 14 days, there’s little margin for error.
- Staff productivity metrics – Evaluates efficiency of staff handling audit-related tasks (e.g., cases per auditor). It helps optimize resource allocation and identify training needs. For example: if each auditor processes 25 cases per week and productivity drops to 15 cases due to complex audits, it signals a workflow bottleneck.
- Overall coding accuracy – Tracks the percentage of correctly coded claims (diagnostic, procedural, modifiers). This directly influences denial rates and reflects coding quality and training effectiveness. For example, if out of 5,000 claims reviewed, 4,600 are correctly coded, the coding accuracy rate is 92%, indicating strong coding practices but room for improvement
The figures above are illustrative examples meant to show how each KPI is calculated, not national benchmarks. Actual denial rates, appeal outcomes, and administrative costs vary significantly by clinic size, payer mix, and state, so use your own historical data, not these examples, to set internal targets.
Tracking these KPIs not only highlights the challenges hospitals face during RAC auditsβit also underscores the urgent need for a proactive, technology-driven solution. Thatβs where blueBriX RCM comes in, offering a strategic defense against audit risks by transforming reactive processes into resilient, data-informed operations.
Get ahead of your next audit
CMS is not slowing down. With all 550 eligible Medicare Advantage plans now under annual audit and its coder workforce scaled to 2,000, the window to find and fix documentation gaps before an auditor does is narrowing. blueBriX works with healthcare organizations to run the internal audit first, identifying HCC coding gaps, medical necessity documentation weaknesses, and appeals process bottlenecks before they turn into recoupments.
Schedule a demoblueBriX RCM: your proactive defense against audit risks
At blueBriX RCM, audit defense is not a separate function bolted onto billing. It runs through documentation, coding, and claims submission from the start. With over 2 decades of experience in the US healthcare market, we partner with clinics to turn the specific risks outlined above, RADV exposure, inpatient medical necessity, and DRG validation, into a managed, monitored part of the revenue cycle rather than a recurring surprise.
Precision documentation & coding
RADV audits turn on whether an HCC code is backed by clean documentation. blueBriX’s coding and clinical documentation improvement (CDI) teams check each diagnosis against current risk adjustment models, including the ongoing V24 to V28 transition, before a claim goes out.
- HCC and risk adjustment coding: Dedicated review of HCC and risk-adjustment coding, built around CMS’s evolving HCC categories to reduce the documentation gaps that trigger RADV scrutiny.
- Clinical documentation improvement (CDI): CDI teams confirm that each diagnosis submitted for risk adjustment is backed by MEAT-level documentation (monitor, evaluate, assess, treat) before it reaches a claim.
- Real-time claim scrubbing: Automated scrubbing checks codes against a comprehensive code library and flags gaps before submission, contributing to blueBriX’s 98% clean claim rate.
Proactive internal audits
The same categories RACs target, inpatient medical necessity, DRG validation, and coding accuracy, are the categories blueBriX’s internal audit program reviews first.
- Continuous monitoring: Ongoing internal review of medical necessity, DRG validation, and coding accuracy, applying the same criteria RAC auditors use.
- Data-driven risk assessment: Analytics surface billing patterns and peer-benchmark outliers, so a coding drift gets corrected internally before it becomes an external audit finding.
Empowered workforce
Documentation gaps usually show up at the seam between clinical and billing staff, not within either team alone.
- Ongoing education: Regular training for coding, billing, and clinical staff on current Medicare rules, HCC model changes, and common audit triggers.
- Interdepartmental collaboration: Structured communication between clinical and administrative teams so documentation is written to support the code from the start, rather than reconstructed after a denial.
AI and automation for claims and RADV readiness
Payers and RACs are already using AI to flag claims for review. blueBriX applies the same discipline on the provider side: AI-suggested codes and documentation gaps are checked against CMS compliance requirements and payer-specific rules before they reach a chart or a claim.
- AI-assisted coding review: AI-suggested HCC codes and documentation gaps are flagged for human review rather than submitted automatically, keeping a compliance check on every AI-assisted coding decision.
- Governed denial management: Denial identification and analysis are automated, with resolution suggestions checked against payer rules before your team acts on them.
- Predictive analytics: Dashboards track coding gaps and audit risk indicators, so your team can act on emerging exposure rather than discover it during an audit.
Structured appeals management
When a finding does occur, response time matters as much as the argument itself.
- Response protocols: Clear, documented protocols for responding to RAC and RADV audit requests within CMS’s compliance windows.
- Appeals support: Guidance through the Medicare appeals process as a finding moves through each level of review.
- Performance reporting: Reporting on denial rates, appeal outcomes, and recovery status to inform internal audit priorities going forward.
Why clinics can't afford to wait
The stakes are higher than ever. With median healthcare organizations operating margins now at just 1.3% adjusted year-to-date β the lowest benchmark in recent years outside the COVID disruption period β and hundreds of rural healthcare organizations at risk of closure, unexpected recoupments can be devastating. healthcare organizations spend hundreds of thousands, if not millions, annually on audit appeals and denials. While appeal success rates can be high (some historical data suggests up to 75% for certain cases), navigating the appeals process is an arduous, time-consuming endeavor.
Financial impact:
- Cash flow disruptions: RACs target claims up to three years old, forcing hospitals to repay funds already spent.
- Thin margins: With a median operating margin of just 1.3% adjusted year-to-date in 2025 (Kaufman Hall, February 2026), clinics have little to no buffer for unexpected costs[6]. For rural and safety-net healthcare organizations in particular, margins are frequently at or below zero.
- Large recoveries: Over $2 billion was recovered in FY 2021 alone, with a sharp rise in overpayments since 2010.
- RuralΒ healthcare organizationsΒ risk: Over 700 rural hospitals face closure, with RAC recoupments potentially pushing many into insolvency[7].
Note: Beyond audit recoupments, the broader legislative and regulatory environment compounds this financial pressure. The One Big Beautiful Bill Act (H.R. 1), signed into law in July 2025, reduces federal Medicaid spending by more than $900 billion over ten years, according to Congressional Budget Office estimates, through new work requirements, more frequent eligibility redeterminations, and new limits on the state-directed payments many clinics rely on[8]. Separately, the expiration of the ACA’s enhanced premium tax credits at the end of 2025 is projected to cost rural healthcare organizations an additional $1.6 billion annually in patient revenue, according to the Commonwealth Fund (February 2026)[9]. For clinics CFOs and revenue cycle teams, RAC and RADV exposure now sits alongside this broader funding pressure rather than as an isolated compliance line item.
Administrative burden:
- High costs: Hospitals spend hundreds of thousands to millions annually on RAC-related appeals and audits.
- Resource diversion: Staff time is redirected from patient care to managing audits and appeals.
- Uncertainty: The three-year lookback period complicates long-term financial planning.

Appeals and accuracy issues:
- Appeal success: Hospitals often succeed in overturning denials (e.g., 56% at MAC level in 2019).
- Discrepancy in accuracy: CMS RAC annual reports to Congress cite self-reported accuracy rates of 94.6% to 99.6%. Yet in 2019, providers who appealed RAC denials at the first level (the Medicare Administrative Contractor, or MAC) succeeded in having 56% of those denials overturned, partially or fully, in their favor. Clinic associations and industry analysts have long pointed to that gap as evidence that RAC self-reported accuracy overstates real-world review quality.
- Incentive misalignment: RACs earn commissions on denials, encouraging aggressive claim rejections.
The true burden of RAC audits lies not just in financial recoupments but in the hidden costs of administrative strain and resource diversion. A proactive audit management strategy is essential to mitigate these impacts. This isn’t a problem that will solve itself; it’s an escalating challenge that demands immediate, strategic action.