This is a gray area, it really is going to go on a case by case situation not an across the board answer. I am not an attorney, the following information is based on my years of experience. If you are facing an external audit and the results aren't good I would suggest you reach out to a healthcare attorney for further guidance.
Regardless of how the issue happened, if it was done at the direction of the provider, the provider will always have some if not all the responsibility. When I say at the direction of, I mean they knew about the process. If a providers information is stolen and used without their knowledge that is a different story.
Healthcare is a business and your are required to know your business. This doesn't mean they have to know everything but they do have the responsibility to hire competent persons who do know what they are doing when people are brought on to do portions of the work.
As a coder, yes, you can be held liable as well. This is why we have professional liability insurance on ourselves. Generally our employers carry it but if you are self employed you would need to take out your own policy.
As to failing an external audit, that too is a case by case situation. Generally speaking the payer will take back money they determine to have been paid in error. What happens next depends on the issue, the severity, and the payer. Sometimes you get placed on pre-pay audits, sometimes they just do a follow-up audit in the future. They could end their contract, they could take you to court. They could do a much larger audit or they could call the results educational and seemingly walk away without any further action. It is really hard to predict how it will go after a bad audit from a payer.
Hopefully this is helpful,
Laura, CPC, CPMA, CPC-I, CANPC, CEMC