How to Respond to a CMS Audit: Step-by-Step Guide, Timeline, and Sample Letter

Kevin Henry

Risk Management

April 04, 2026

Understanding CMS Audits

A Centers for Medicare & Medicaid Services (CMS) audit examines whether your claims, coding, and medical records meet Medicare audit guidelines. Expect reviewers to test medical necessity, billing accuracy, and documentation compliance against the CMS audit protocol.

Common audit types include:

  • MAC probe/education audits for targeted billing issues.
  • RAC (Recovery Audit Contractor) reviews for improper payments, often with extrapolation.
  • UPIC and ZPIC integrity investigations focused on potential fraud, waste, or abuse.
  • SMRC and CERT projects evaluating error trends and documentation gaps.

Typical phases follow a clear audit response timeline: notice/ADR, record submission, technical review, preliminary findings, opportunity to clarify or rebut, final determination, and (if needed) the appeal path.

Preparing for the Audit

As soon as you receive an audit letter, read it closely, log all deadlines, and map a day-by-day audit response timeline. Note the claims in scope, the submission method (portal, mail, encrypted media), formatting rules, and the exact due date.

Assemble a response team: a lead coordinator, compliance officer, HIM/medical records, coding, revenue cycle, and (as appropriate) counsel and clinical champions. Assign owners for each claim.

Preserve evidence immediately. Lock down relevant EHR data and billing files, suspend auto-deletes, and avoid post-dated edits unless properly addended. Set up a centralized workspace, define a single point of contact, and capture all questions for early clarification with the auditor.

Document Collection and Organization

Pull complete, legible records that prove documentation compliance for each claim under review. Confirm that every required element is signed, dated, and supports medical necessity and coding.

  • Clinical record: H&P, progress notes, orders, diagnostics, therapy notes, operative reports, discharge summaries, and signatures.
  • Billing record: UB-04/1500, itemized bill, modifiers, charge detail, and relevant remittance advice.
  • Administrative/support: prior authorization, ABN (if applicable), referrals, plan of care, treatment logs, time sheets, and credentials.
  • Coverage support: citations to applicable NCD/LCD criteria referenced in your narrative.
  • System artifacts: EHR audit trail or access logs if requested.

Organize materials so reviewers can find proof fast. Create a claim-level index with a table of contents and page ranges. Use consistent file names, paginate or Bates-stamp, and include a crosswalk that ties each denial reason to specific pages.

Quality-check every packet for legibility, dates, and signatures. Follow the letter’s format rules, encrypt PHI when shipping, and obtain submission receipts or portal confirmations.

Responding to Audit Findings

When you receive preliminary results or a determination, verify the facts. Validate sampling frames, medical-necessity standards, coding rationales, and any statistical extrapolation. Correct obvious misunderstandings with concise, evidence-backed explanations.

Your written response should be structured, respectful, and complete. Include an executive summary, claim-by-claim analyses, pinpoint citations to records, references to Medicare audit guidelines, and a clear statement of the outcome you seek.

  • Address each finding with page-level citations and supporting clinical rationale.
  • Submit additional clarifying documents if permitted and highlight exactly where they answer the issue.
  • If errors exist, outline immediate fixes and a high-level corrective action plan.

If you disagree, follow the audit dispute process. Use any rebuttal or discussion window noted in the letter (often 15–30 days) and proceed through the five Medicare appeal levels as applicable: Redetermination (commonly within 120 days), Reconsideration (commonly within 180 days), OMHA ALJ hearing (typically requested within 60 days and subject to an amount-in-controversy threshold), Council review (about 60 days), and Federal District Court (about 60 days, threshold applies). Always verify the exact deadlines and recoupment rules stated in your notice.

Communicating with CMS

Designate one spokesperson to streamline inquiries and keep all communications professional, factual, and timely. Confirm calls in writing, track commitments and due dates, and document every submission and receipt.

Request clarification early when instructions are ambiguous, and use concise summaries to guide reviewers to the right pages. Be proactive, responsive, and solution-focused throughout.

Sample Audit Response Letter Template

Date: [Month Day, Year]

To: [CMS Contractor Name and Address]
Re: Response to CMS Audit — Audit ID [####], NPI [##########], TIN [########]

Dear [Auditor Name or “Audit Team”],

We acknowledge receipt of your letter dated [Date] regarding the review of [number] claim(s) for [service type/date range]. Enclosed is our complete response and supporting documentation, submitted in accordance with the CMS audit protocol.

Summary of Response:
• We affirm that the services were medically necessary and correctly coded based on the attached records.
• For each claim, we provide page-specific citations addressing the noted issues.
• Where clarification was requested, we include additional materials responsive to your questions.

Claim Narratives and Citations:
• Claim [#]: [Concise rationale with page references].
• Claim [#]: [Concise rationale with page references].
• Claim [#]: [Concise rationale with page references].

Enclosures (Index):
1. Claim-level table of contents and crosswalk
2. Medical records and signatures
3. Billing records and itemized statements
4. Coverage criteria references (NCD/LCD excerpts as cited)
5. Any additional clarifying documentation

We respectfully request that you consider this information and update the findings accordingly. If helpful, we are available for a discussion to walk through the materials.

Please direct future correspondence to: [Name, Title, Phone, Secure Email]. Thank you for your review.

Sincerely,
[Authorized Signer Name, Title]
[Organization]

Using an audit letter template like the above helps you present a clear narrative, precise citations, and a professional tone while meeting the auditor’s format requirements.

Implementing Corrective Actions

When issues surface, translate them into a targeted corrective action plan. Tie each root cause to a specific fix, owner, and deadline, then verify effectiveness with measurable checkpoints.

  • Policy/process updates that address the exact failure mode.
  • Coder and clinician education with competency checks.
  • Template/EHR tweaks to capture required elements without overdocumentation.
  • Retrospective claim review and refunds, when appropriate.
  • Ongoing monitoring: sample audits, error-rate metrics, and executive reporting.
  • Escalation criteria and a closure definition for each action item.

Following Up After the Audit

Maintain a comprehensive audit file: notice letters, indexes, submissions, receipts, findings, decisions, and appeal records. Track status dates, interest accrual (if any), and your next actions to avoid missed deadlines.

  • Confirm that CMS or the contractor received and accepted your materials.
  • Log additional document requests and respond promptly.
  • Monitor recoupment timelines and coordinate finance planning.
  • Brief leadership and the compliance committee on results and CAP progress.
  • Update your risk assessment and future audit readiness plan.

A disciplined approach—clear organization, timely communication, precise citations, and a living corrective action plan—keeps you on track from first notice through final resolution.

FAQs

What is the typical timeline for responding to a CMS audit?

Many ADRs require records within 30–45 calendar days, with discussion or rebuttal windows often 15–30 days after preliminary findings. Formal appeals commonly follow Medicare timelines such as 120 days for redetermination and 180 days for reconsideration. Always follow the exact dates in your letter.

How should I organize documents for a CMS audit?

Create a claim-level index and crosswalk, paginate or Bates-stamp, and use consistent file names. Place medical, billing, and administrative proof in the same packet, provide page-level citations in your cover letter, and validate legibility, signatures, and dates to ensure documentation compliance.

What steps should I take if I disagree with CMS audit findings?

Request a discussion or submit a rebuttal within the short window in your notice, then pursue the formal appeal levels as needed. Challenge factual errors and extrapolation methods with data, provide pinpoint citations, and follow the audit dispute process and timelines to protect your rights.

How can I prevent future CMS audit issues?

Embed a continuous readiness program: targeted education, pre-bill reviews for high-risk services, spot audits against Medicare audit guidelines, and dashboards that track error trends. When gaps appear, implement a corrective action plan with owners, deadlines, and effectiveness checks.
