Understanding several types of audits can help your practice prepare. If you are getting confused by all the different types of audits you hear that may be coming your practice's way, you aren't alone. There are multiple auditors that may ask to review your records for a variety of reasons. So how can you keep it all straight? Read on for the scoop on getting ready for five types of audits: four Medicare audits and Health Insurance Portability and Accountability Act (HIPAA) audits under the Office for Civil Rights (OCR) program to assess privacy and security. 1. Watch for ADS Letter From Your MAC Your Medicare Administrative Contractor (MAC) processes claims and can perform pre-payment and post-payment reviews. If your MAC identifies you for an audit, it will send you an Automated Development System (ADS) letter, typically asking you to submit specific documentation. Important: You may be asking yourself what the top improper payment culprit is that MACs see. "CMS has found that most Medicare improper payments happen because a provider did not comply with Medicare's coverage, coding, or billing rules," according to Sherrie Varner during a TrailBlazer Health webinar, "Medicare Documentation and Audits." 2. Focus on Post-Payment for CERT Audits The Comprehensive Error Rate Testing (CERT) audits are exclusively post-payment reviews. "The CERT program is CMS's process to determine how accurately Medicare contractors review and process claims," Varner said. Why does this apply to you? If the CERT finds errors involving money overpaid to your practice, it instructs your MAC to recoup the funds from you. In addition, errors that the CERT identifies can become issues of focus in future MAC and RAC audits. A "very common" CERT error is insufficient documentation, Varner said. 3. Distinguish Automated and Complex With Recovery Auditors Formerly known as Recovery Audit Contractors (RACs), recovery auditors perform only post-payment reviews. Recovery auditors can look back for three years from the date your claim was paid, but they can't review any claims paid before Oct. 1, 2007. These auditors perform two types of reviews -- automated and complex. During an automated review, the auditor will not request medical records from you, but will instead base the review on the claim information that you already submitted to Medicare. In the case of a complex review, the auditor will request records from your practice, which are subsequently reviewed by doctors, nurses, therapists, and coders. If documentation is missing or complete, the auditor might downcode or deny services, and can instruct your MAC to recoup money that was overpaid. Pointer: Another RAC audit focus area is overpayments due to providers incorrectly billing bilateral procedures on two lines -- once with modifier 50 (Bilateral procedure) (resulting in 200 percent payment) and once without modifier 50 (resulting in 100 percent payment), for a 300 percent total payment. Do this: 4. Raise a Red Flag If ZPICs Come Knocking The Zone Program Integrity Contractors (ZPICs) review potential Medicare fraud, Varner said, "so if you get a letter from them, it's not a good thing." Not only can the ZPICs perform medical reviews and data analysis, but they also investigate fraud and abuse, and refer cases to law enforcement, Varner said. 5. Form a Team to Prep for HIPAA Audits All covered entities and their business associates are eligible for a HIPAA audit. Your practice can take the following steps to be ready for an audit: Review what you do: Assess risk: Document: Read more about preparing for a HIPAA audit in "Get Your Privacy, Security Practices Up to Par Before HIPAA Auditors Show Up" on page 78.