

Be Prepared: How to Effectively Respond to Commercial Payer Audits

By: Scott R. Grubman & Gregory A. Tanner, Chilivis, Cochran, Larkins & Bever, LLP

Executive Summary

As the number of medical malpractice insurance audits increases, it’s important that providers understand the process of commercial payer audits and what’s expected of them. Healthcare organizations also need to understand the pitfalls to avoid when involved in a commercial payer audit to reduce any accompanying risks. 

Recommended Actions: 
  • Conduct internal audits to ensure that your healthcare practice is complying with your specific payer’s rules and requirements for record keeping and billing.
  • Keep your EMR system up to date and periodically audit your electronic records to ensure they accurately reflect what you intended to document.
  • Make sure your practice has a policy in place for how your organization will respond to any record requests for a commercial payer audit and ensure that all staff are trained accordingly. 

No matter the size, type or specialty, all healthcare providers should anticipate and be prepared to be audited by commercial payers. Such audits are typically initiated when a payer sends a request for records to a provider. The records request could be for a random sample of patient charts, or it could be targeted at a specific billing pattern or procedure code.

Either way, by requesting records the payer has put the provider on notice that it is going to examine documentation and evaluate whether the provider’s records justify the claims submitted for reimbursement. The following are tips to follow when dealing with commercial payer audits:

Be Proactive

Don’t wait until a payer sends a records request. Be familiar with the rules and requirements that the payer expects providers to follow. Use resources such as the provider agreement, provider manual and any guidance or payment determinations that the payer has published.

After understanding what each payer expects and requires, providers should establish and implement policies and procedures to properly and completely document their services according to the payers’ rules. The payers’ rules and the provider’s policies for complying with the rules should also be regularly reviewed and updated. 
In addition, providers should consider options for performing self-audits (either conducted in-house or by an outside auditor) to identify and mitigate any potential issues before a payer initiates an audit.

Comply with Document Requests

It is standard for a commercial payer to reserve the right to conduct audits as a condition of a provider’s agreement with the payer. Information about how a commercial payer conducts such audits is usually contained in the payer’s Provider Agreement and/or Provider Manual. The payer is entitled to the records, and such disclosure does not violate HIPAA (although the provider should be sure to send the records in a secure, HIPAA-compliant fashion).
Whether a provider can charge a payer for making copies of the records depends on the payer’s specific policies and the provider agreement, although it is unlikely that the provider may charge the payer for such copies.

Submit Copies of Records

The records for a commercial payer audit should be produced in electronic format (such as PDFs). If some or all of the requested records are contained in hardcopy form, scan the records and make electronic copies to send instead of the originals. The provider should retain the original records.

Know Your EMR System

There are numerous electronic medical records (EMR) systems on the market, and they are not all the same, but they are all customizable. Providers should be familiar with the specific options and customizable features of an EMR system and should ensure that the system’s output settings are properly configured so copies of electronic records will accurately reflect what the provider intended to document. 

Identify Potential Issues

Don’t wait for the commercial payer to conclude an audit to find out if there are any issues with the records that were submitted. While gathering the records, try to determine potential weaknesses needing corrective action and implement changes accordingly.

Do Not Alter Patient Records

Sometimes when gathering documents requested for an audit, providers discover an issue in the documentation that may be viewed as problematic. Such issues might be easily addressed by altering the documents, such as by adding something minor or taking out something that clearly was not intended. In such cases, providers should resist the temptation and NOT alter the records. Adding an addendum may be appropriate, but such an addendum must accurately indicate the date it was added.

Do Not Rely on E/M Calculators

Many EMR systems include built-in E/M calculators that automatically determine the code level for an office visit depending on the information selected when charting the encounter into the system. Do not trust such electronic calculators to sufficiently support the complexity of a physician’s medical decision-making or other elements considered when selecting the appropriate E/M level. Be sure the record contains all key components required to justify the appropriate E/M level to mitigate the risk of the auditor down-coding or disallowing the level of service billed.

Provide Complete Records

A records request for a specific date of service potentially could involve other records that need to be included with the requested documents. These might include lab test results, other diagnostic services, orders for these services, referrals, consultation reports and other documents. Consider whether other documentation should be included that would support the services billed.

Produce the Documents by the Requested Deadline

Be mindful of the response deadline imposed by the payer. Do not risk having to pay back an overpayment just because the records are sent late. Start preparing to submit the records as soon as the audit request arrives, and if more time is needed to respond, reach out to the payer and ask for an extension. They are typically willing to give at least one reasonable extension.

Lessons Learned 
  • Periodically review any provider manuals, specific guidance or payment determinations that your payers have published to ensure that your healthcare practice is following your payers’ specific rules and specifications. 
  • Err on the side of being more inclusive with medical record requests. For example, if the payer requests records for a particular procedure, consider sending along records from the visit at which you decided the procedure was necessary.
  • Document and keep copies of everything you send to the payer. 

Potential Damages

If the payer determines that your healthcare organization is not in compliance with its rules or billing practices, or finds any fraud, it can request a refund of a reimbursement. The frequency and severity of these commercial payer audits continue to increase. In the worst-case scenario, the payer may even claim breach of contract against your practice.


1. I can change the medical records requested for a commercial payer audit if I discover an issue in the documentation.
2. I shouldn’t automatically rely on my EMR system’s built-in E/M calculator, which determines the code level for an office visit depending on the information selected, when I chart an encounter into the system.
3. If my practice is late in responding to the payer’s audit request by the specified deadline, we risk having to pay back an overpayment just because the records are sent late.



The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.