Business of Medicine


Billing Audit Advice for MagMutual PolicyOwners

In this episode of the MagMutual podcast, Steve Adubato, PhD, speaks with Matt Catoe, an Assessment Analyst who specializes in managing cyber and regulatory proceedings for MagMutual PolicyOwners. Matt discusses the different types of billing audits that providers may receive as well as how providers may be selected and notified about an audit investigation. He also advises MagMutual policyholders on the first steps to take, should their practice become notified of an audit.

Release Date: 9/6/2023; Recorded Date: 4/27/2023

Podcast Transcript

ADUBATO:  Welcome to the MagMutual Podcast. This is Steve Adubato. The MagMutual Podcast deals with a range of healthcare topics and trends. Our goal, for those of you who’ve been following us or for first-time listeners, is to ensure a safer practice environment for all physicians. We’re joined today by Matt Catoe, who works in the claims department at MagMutual. Matt assists physicians with allegations against their practices and care. He specializes in cyber and federal regulatory proceedings, specifically, and also deals with CMS audits. You’re going to explain all these acronyms in just a moment. AKS/FCA allegations and alleged Stark law violations. Matt, it’s good to have you with us.

CATOE: It’s good to be here.

ADUBATO: There are a lot of acronyms with the government, correct?

CATOE: Just a little bit of alphabet soup for everybody to get started the first thing in the morning.

ADUBATO:  Let’s do this. CMS is?

CATOE:  CMS is the Centers for Medicare and Medicaid Services. They’re the big federal regulatory body that oversees Medicare and Medicaid billing.


CATOE:  The AKS is the Anti-Kickback Statute. It’s basically one of the big no-no words you don’t ever want to see come across your desk.

ADUBATO:  FCA allegations? 

CATOE:  The False Claims Act. It’s usually part and parcel with the Anti-Kickback Statute. It provides the federal government most of its authority to investigate alleged improper billing with Medicare and Medicaid.

ADUBATO:  Now, the Stark law, I’m going to assume, is named after a member of Congress?

CATOE: We would wish. No, the Stark law is actually named after its preeminent case, but it deals with basically positions of ownership and authority for outside clinics and testing labs. The government frowns upon having a physician working at a clinic and owning an outside vendor that they refer patients to. It’s kind of double-dipping, for want of a better term.

ADUBATO:  I stand corrected. Thank you, Matt, for clarifying. Describe your role at MagMutual.

CATOE:  I am an assessment analyst with MagMutual’s claims department. Like we mentioned, my specialty is in cyber and regulatory proceedings. My job is to help with the first contact of a claim. I let the providers know that we have it, we’ve seen it and we’re working on it, and I also help them understand the claims process, the documents they’re looking at and the next steps of dealing with an incident, whether that’s retaining counsel, waiving a bill or anything in between.

ADUBATO:  Let’s talk about audits. There are all kinds of different audits. Billing audits, right? First of all, what’s a billing audit?

CATOE:  There are multiple types of billing audits that providers will receive, especially if they’re sending claims to Medicare, Medicaid or any state variation of that. The billing audit is the government sending a letter, saying that you, the provider, or the practice, have been identified as an outlier, and they have a reason to question your billing. They are going to take another look at your medical records.

ADUBATO:  All right. Let’s go through this. How does a physician get selected to be audited?

CATOE: So the first thing is usually that a physician will be selected based on the data that they’re providing to Medicare or Medicaid. What you have to understand about the federal regulatory system is that it’s not just one person behind a desk, even though it feels like it sometimes. It’s multiple agencies working together, sharing data, talking to one another, and what happens when audits come down the line is – at least one, maybe multiple, agencies, have said, “This doctor’s billing is standing out to us. They’re seeing a lot of patients in one day, or this code for this particular medicine is used pretty frequently as compared to their peers in the field.” Those usually change into one of two types of audits that we see here at MagMutual, a targeted probe and education audit or a full billing and overpayment audit. 

ADUBATO:  How exactly does a physician get notified? How does the physician know that they are “involved” in an audit?

CATOE:  The first thing that the physician is going to receive is a letter from CMS or one of their agencies. It may have something like CMS, Peach State or WellCare on the letterhead. It will come across as an initial medical record request, and it will say, “CMS has identified some kind of irregularity in your billing. We want the medical records to back up that billing.” That’s going to be the first letter that comes across someone’s desk. 

ADUBATO:  Okay, so we’ll talk in a moment about how a physician or how most physicians do respond and react and what they should do about it. Are there different types or different “levels” of audits?   

CATOE:  Yes. In the federal realm, they’ll either see the TPE, the targeted probe and education, or CMS post-payment audits. Occasionally, there’s a prepayment audit, if the government is really saying, “No. Hold on. The paperwork you submitted says you’re seeing 300 patients in one day. That’s just not feasible. There’s no way that’s happening.” If you go down to the state level, for example, Georgia Medicaid overpayment audits also exist. They function really similarly to their federal counterparts, and they have a couple of nuances, depending on whether or not it’s an automated audit, complex desk, complex onsite or special. It’s a whole bunch of words that basically say how involved the government actor is being when they’re reviewing the audit. Are they looking just at the medical records? Are they cross-referencing with the billing paperwork? Do we have someone who’s quite literally on the other end of the line, waiting to get these documents? The last kind is commercial payer audits. These are kind of what we see a lot of nowadays at MagMutual. They’re fairly common and usually involve at least one scrutinized CPT billing code. Doctors submit these codes alongside their Medicare and Medicaid billing to CMS, and those codes refer to specific practices or medicines that doctors were using. A good example in recent years is the opioid epidemic. That was tied to a specific CPT code. Now, we’re seeing a large increase in amniotic product testing in the southeast region, specifically. That CPT code has also come under high scrutiny from the federal government.

ADUBATO:  You know, Matt, you’ve identified a variety of different types of audits and levels of audits, so I know that the answer to this is going to vary depending upon the level or kind of audit we’re talking about. But overall, how concerned should a physician be if they are notified that they are, in fact, being audited?

CATOE:  Physicians should be able to appreciate the seriousness of when CMS shows up.  They’re kind of the big, scary, federal bogeyman. It’s a serious matter, and it should be treated as such. It’s not panic-worthy just because the letter comes in the door. MagMutual is equipped to handle this as the provider’s insurance carrier, and we have plenty of counsel who specialize in these matters specifically. They’re aware of any and all legal deadlines, what we should and shouldn’t say to whom and when. We treat it very seriously, but the provider shouldn’t panic at the same time.

ADUBATO:  Talk to the insured physicians of MagMutual who are listening right now. What should their first steps be, if they are in fact audited?

CATOE:  The best first step is to send an incident report to MagMutual. You can send that to [email protected] along with an accompanying incident report, and you can mark on that incident report, “Hey, this looks like an audit.” It’ll come to my desk, and I’ll review it and will be able to provide an informed response. It may be “Yes, this is an audit and here’s what we’re going to do to help you” or “No, this is a general medical record request, but we appreciate the scrutiny.” From there, if we have to get counsel involved, I’d be happy to do that on their behalf, and we can all evaluate as a team what the next steps are and how serious we need to be about approaching this.

ADUBATO:  The bottom line, as I’m listening to you, Matt, is that MagMutual has the team that can help any physician who’s unsure how to handle that communication from the government.

CATOE:  That’s correct. We can handle it, and we’ll be happy to look at it. If it does turn out to be just a standard medical request, we’ll let you know. If it’s an audit, we’ll be happy to help you on the other end and explain that this is what you’re looking at and here’s where we go from here.

ADUBATO:  How long does it usually take, and I know it depends upon the type of audit, for a so-called “typical audit”? How long does it usually take to go through the process?

CATOE:  Your average timing nowadays is about five years. CMS and all of their buddies, as big as they like to make themselves out to be, are under a multi-year backlog. We can expect a lot of periods of hurry up and wait, hurry up and wait. They’ll send letters requesting documents, billing records, patient profiles and anything they think they need. We, as the respondents, are under a tight deadline for that. Then it goes radio silent for the better part of two, three, four months. However long it takes them to turn it back around. On average, you can expect about five years, if not longer, depending on how complex the audit is.

ADUBATO:  Last question from my perspective, and I bet there are a whole range of physicians who are tempted – I don’t know if this is true, but say someone blows it off? Say someone says, “You know, I’m not sure if this is real or not.” So they don’t respond in a timely manner. What are the potential consequences of frankly not responding quickly and appropriately?

CATOE:  That is a very big concern. Both the timeliness and the appropriateness of their responses have to be taken into consideration. Audits usually escalate into, at the very least, a small fraud investigation, which is referred to the Office of the Inspector General and the Department of Justice to check to make sure that the physicians and the providers aren’t intentionally defrauding the Medicare and Medicare system. Now, again, if the provider reports it to MagMutual and we get counsel on it, we can nip that in the bud and say, “Look, at worst, this is an ‘oops.’ You know, someone forgot to carry the one or pull over the two.” But if you leave it completely unanswered, the federal government can begin recoupment proceedings against Medicare/Medicaid billing. They can cut reimbursement on patients, and ultimately, eventually, an agent is going to show up from OIG at the door and say, “Hello, we’re investigating for fraud.” That’s kind of a next-level proceeding that you really don’t want to have happen.

ADUBATO:  Matt, you’ve covered a lot of bases in a short period of time. You responded directly, clearly, concisely and in a very helpful way. Thank you so much for joining us. We appreciate it.

CATOE: Of course. I’m happy to help. 

ADUBATO:  That’s Matt Catoe of the claims department at MagMutual, and this has been the MagMutual Podcast. On behalf of the great team at MagMutual, this is Steve Adubato.  Thank you so much for listening.




The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.