CERT Postpayment Audits: An Overview of the Audit Process


(March 12, 2011): Health care providers around the country are finding their practices and clinics subjected to Medicare post-payment audits by Zone Program Integrity Contractors (ZPICs), Program Safeguard Contractors (PSCs) and Comprehensive Error Rate Testing (CERT) Contractors. While all post-payment audits should be taken seriously, there are real differences between both the contractors and the post-payment audits they are conducting. This is the first of three articles examining these differences. Starting with the CERT audit program, we will be examining each of the Medicare contractors conducting CERT postpayment audits and review of provider claims for services and devices.

I. Historical Background of the CERT Postpayment Audit Program:

With the passage of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L. 104-191), the Department of Health and Human Services, Office of Inspector General (OIG) initiated work in an effort to estimate the improper payment error rate of Medicare Fee-For-Service (FFS) claims. From 1996 through 2002, OIG continued to manage this program. In 2002, the “Improper Payments Information Act” (IPIA) was enacted. The Centers for Medicare and Medicaid Services (CMS) subsequently began working with the OIG in 2003, and worked to further refine the estimated Medicare FFS error rate so that the program would comply with the requirements of the IPIA. These efforts became known as the “Comprehensive Error Rate Testing” (CERT) program.[1] Unlike early efforts, the CERT program does not only estimate a national improper payments error rate for Medicare FFS claims. As Timothy Hill, OIG’s Chief Financial Officer, testified before the Senate, the CERT program examines a number of essential aspects of the overall error rate of Medicare FFS claims:

“Contractor-specific improper payment rates – which measure the accuracy of our claims processors.

Provider-type specific improper payment rates – which measure how well the providers who care for our beneficiaries are preparing and submitting claims to the program; and

Other management related information - which provides insight into payment errors by region and reason.”[2]

Notably, the CERT program was designed to provide a comprehensive assessment of the improper payments being made to specific types of Medicare providers, along with the improper payment decisions being made by various Medicare contractors. In doing so, the CERT program was set up to serve as an integral management tool to be used by CMS. Once problem areas were identified, CMS was able to monitor specific problem areas (and in some cases, specific Medicare contractors making erroneous payment decisions) so that corrective action could be taken.

II. Contractors Performing CERT Postpayment Audits:

CMS has selected private contractors to administer various aspects of the CERT audit program. There are two basic types of CERT contractors, a “CERT Review Contractor” (CRC) and a “CERT Documentation Contractor” (CDC). As an initial step, the CRC will first select random samples of claims from each Medicare claims processing contractor. The CDC will then take the list of claims selected by the CRC and request the relevant documentation related to these claims from the health care provider who provided, billed and was paid for the services. Once received, the CDC then forwards the documentation to the CRC.

A. Livanta – CDC.

CMS has awarded the CDC contract to a private company named “Livanta, LLC” (Livanta), located in Annapolis Junction, Maryland. Notably, Livanta has also been awarded the “Statistical Contractor” (SC) portion of the Payment Error Rate Measurement (PERM) program. The PERM program is designed to measure improper payments in both the Medicaid program and the State Children's Health Insurance Program (SCHIP).

Focusing on Livanta’s duties as CDC, the contractor typically proceeds as follows when completing its duties as a CERT contractor:

  • Once a provider has been identified, the CDC will contact the provider regarding the audit. In a number of cases, the CDC will first call the provider by telephone and then follow-up with a fax or written request for the documents sought.
  • If a provider has not forwarded the documents requested to the CDC by day 30, both telephone and written follow-ups are made by the CDC to the provider.
  • If the records are not received by day 45, the CDC will again both call and fax or write the provider to ascertain the status of the requested documentation.
  • If the requested documentation still has not been received by day 60, a letter is sent to the provider again inquiring about the status of the missing documents.
  • If no documentation is received by day 76, the claims associated with the missing documentation are denied and scored as an “error” based on the missing documentation.

B. AdvanceMed – CRC.

Once the CDC has requested and received the claims documentation from the provider, it is forwarded to the “CERT Review Contractor” (CRC). CMS has awarded the contract to serve as CRC to AdvanceMed. As CRC, AdvanceMed must carefully review the documentation received and determine whether the services qualify for coverage and payment. The CRC then compares its assessment to that of the Medicare contractor who originally reviewed and paid the claims (the contractor is typically a Medicare Administrative Contractor (MAC) who is responsible for review of the Part A or Part B claims). If the CRC finds that the Medicare contractor incorrectly billed, paid or processed the services at issue, the claim is noted to be an “error.”

III. Sample CERT Postpayment Audit Program Results From the Fourth Quarter of 2010:

Each quarter, Highmark Medicare Services (Highmark) reports on the most recent “errors” identified by the CERT contractor in connection with the CERT program audit. During the Fourth Quarter of 2010, 508 CERT errors were found in connection with the Part A claims reviewed. The 508 errors can be broken down as follows:

  • 311 errors were due to “insufficient documentation.” Notably, a majority of the errors in this category were because the medical record “did not contain a valid physician’s signature” or because a diagnostic test performed “did not contain a valid physician’s order” or an identification of the provider who rendered the service.
  • 132 errors were due to “lack of medical necessity” based on the medical documentation submitted.
  • 37 errors were due to “incorrect coding” (primarily related to laboratory testing).
  • 10 errors were due to “invasive procedures that were assessed to be without medical necessity.”
  • 9 errors were due to an “incorrect procedure code” used when billing the service.
  • 6 errors were the result of “billing for services that were not rendered.”
  • 2 errors were due to “other errors.”
  • 1 error was due to an “incorrect discharge code being used.”

In addition to the Part A errors identified, a separate error report covering Part B claims is also detailed on Highmark’s website. [3]

IV. Responding to a CERT Postpayment Audit Request for Documents:

Should you receive a CERT postpayment audit request for documents from a CDC, it is important to keep in mind that your practice or clinic is not being accused of fraud or wrongdoing. Fundamentally, a CERT postpayment audit is primarily designed to identify deficiencies and mistakes made by Medicare contractors. As Compliance Officer, upon receipt of a CERT postpayment audit request, you should carefully review the request and take steps to assemble a complete set of documentation covering the specific claims at issue. As Highmark also notes, when dealing with notes that are difficult to decipher, it is recommended that a transcription of the notes be made and submitted with the documentation.

V. Appealing CERT Denials:

The results of a CERT postpayment audit are likely to be set out in Medicare’s electronic Fiscal Intermediary Standard System (FISS) computer system. It is imperative that you monitor the status of the claims selected for CERT review. If the CRC finds that one or more of your paid claims did not qualify for coverage and payment, you will have to decide whether or not you agree with the denial decision that has been issued. Should you dispute the denial, you will need to file for administrative appeal within the standard, established timeframes. CERT denials are appealed in the same manner as any other claims denial would be appealed.

VI. Comparison of CERT Postpayment Audits and ZPIC Postpayment Audits:

As reflected above, CERT postpayment audits are fundamentally different from ZPIC audits, both in terms of fundamental purpose and in terms of likely financial liability. At its core, a CERT postpayment audit is really an attempt by CMS to learn whether or not its contractors (typically MACs) are properly assessing and processing claims submitted by Medicare providers for review and payment. If a CERT contractor finds that a provider’s claims should not have been paid, it primarily reflects on the MAC, not necessarily the provider. Having said that, claims denied by a CERT contractor should still be appealed if the provider believes that the claims do, in fact, qualify for coverage and payment. While denied claims will still contribute to a provider’s overall error rate (possibly increasing the likelihood that a provider could be subjected to later audits), damages associated with CERT postpayment audits are not typically extrapolated. As a result, the overall damages associated with CERT postpayment audits are relatively modest, especially when compared to the potential damages alleged in ZPIC and PSC “big-box” cases. Additionally, unlike ZPIC and PSC audits, most CERT postpayment audits are solely concerned with the coverage and payment of the particular claims under review. In contrast, ZPIC postpayment audits can lead to suspension, revocation or even referral to OIG or DOJ in cases where fraud may be evident.

Despite the limited scope of liability inherent in CERT postpayment audits, it is imperative that Medicare providers diligently work to respond to requests for documentation in a timely fashion. Notably, other contractors (including ZPIC, PSC and RAC auditors) may review CERT postpayment audit findings for targeting purposes.

The bottom line is fairly simple -- if you owe money to the Medicare program, pay it back. If not, you should challenge unwarranted denials of claims by CERT auditors.


Robert W. Liles, J.D. serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law. Liles Parker attorneys represent health care providers around the country in connection with postpayment CERT audits and program integrity reviews by ZPICs and other Medicare contractors. Should your practice, clinic or company be subjected to a post-payment audit, give us a call for a complimentary consultation. We can be reached at: 1 (800) 475-1906.

  • [1] Guidance regarding the CERT program can be found in the “Medicare Program Integrity Manual, Chapter 12 – The Comprehensive Error Rate Testing Program.”
  • [2] This information was discussed by Timothy Hill, OIG’s Chief Financial Officer, as part of his sworn testimony regarding “Medicare and Medicaid Improper Payments” in front of the Senate Committee on Homeland Security and Governmental Affairs, Subcommittee on Federal Financial Management, Government Information and International Security, on Thursday, March 29, 2007. A transcript of Mr. Hill’s testimony may be found at: http://www.hhs.gov/asl/testify/2007/03/t20070329a.html
  • [3] Highmark Medicare Services’ CERT audit report covering Part A and Part B errors identified during the Fourth Quarter of 2010 can be found at: https://www.highmarkmedicareservices.com/cert/errors/a-cert-dec10.html