6.1 Coding Compliance and Auditing

Key Takeaways

  • AHIMA's Standards of Ethical Coding require coding only documented conditions and never changing codes to maximize reimbursement.
  • The OIG Work Plan is published annually and signals the federal coding/billing risk areas to audit, such as upcoding and DRG creep.
  • Fraud requires knowing intent to deceive; abuse is improper practice that lacks that intent but still causes overpayment.
  • Prospective audits review before claim submission; retrospective audits review paid claims to recover or refund overpayments.
Last updated: June 2026

Coding Compliance and the Standards of Ethical Coding

Coding compliance means assigning ICD-10-CM/PCS and CPT/HCPCS codes that accurately reflect the documented services, and only those services. AHIMA's Standards of Ethical Coding are the profession's tested benchmark. Their core mandates: apply accurate codes based only on provider documentation; assign and report only codes that are clearly and consistently supported by the health record; query the provider for clarification when documentation is ambiguous, conflicting, or incomplete; and never change codes or the narrative simply to increase reimbursement or to misrepresent a patient's condition.

A coding compliance plan operationalizes these standards. A robust plan typically includes: a written policy adopting the Official Coding Guidelines and Coding Clinic/CPT Assistant as authoritative; defined query procedures; periodic auditing and education; a process to track and correct errors; and a non-retaliation policy so coders can raise concerns. The plan ties directly into the organization's broader corporate compliance program.

The OIG Work Plan and Audit Types

The HHS Office of Inspector General (OIG) Work Plan is updated throughout the year and lists the audits and evaluations the OIG is pursuing. RHITs use it to identify high-risk coding targets — historically upcoding, DRG creep, billing for services not rendered, and medically unnecessary services. From FY2014–FY2019 the share of inpatient stays billed at the highest severity level rose nearly 20%, drawing OIG scrutiny.

Audits fall into two timing categories:

Audit type | When performed | Purpose
Prospective | Before the claim is submitted | Catch and fix errors pre-billing; prevent improper claims
Retrospective | After payment/adjudication | Detect overpayments, refund or recover, identify trends

Audits also vary by scope: focused (one DRG, service, or coder) versus random/comprehensive. Many compliance plans require a probe sample (often ~20–30 records) and expand the sample if the error rate exceeds a threshold.

Sampling, Accuracy, and Error Rates

Auditors measure coding accuracy at two levels. The record (case) accuracy rate = correctly coded records ÷ total records audited. The code-level accuracy rate counts individual code assignments, so a single record with one wrong code can still pass record-level review while lowering code-level accuracy. Many organizations set a benchmark of 95% accuracy.

Sampling must be defensible. A random sample supports extrapolation; a targeted/judgmental sample focuses on known risk but cannot be extrapolated to the whole population. The OIG's RAT-STATS is a common free tool for statistically valid sampling. When an audit finds a systemic overpayment, the 60-day rule under the ACA requires the overpayment be reported and returned within 60 days of identification.

Fraud vs. Abuse, and Coding Schemes

  • Fraud — knowingly and willfully submitting false claims to obtain a payment to which the entity is not entitled. Intent is required.
  • Abuse — practices inconsistent with sound fiscal or medical practice that cause unnecessary cost; no intent to deceive is required.

Key improper coding schemes the OIG targets: upcoding (billing a higher-level code than documented), unbundling (fragmenting a bundled service into separate codes for more pay), and DRG creep (systematically shifting the case mix toward higher-weighted MS-DRGs). The line between abuse and fraud is intent — repeated upcoding after education can convert an abuse finding into a fraud allegation.

Building and Running the Audit Program

A mature coding compliance program runs on a defined audit cycle. RHITs commonly distinguish a baseline audit (a one-time snapshot that establishes the organization's current accuracy and risk profile) from ongoing periodic audits scheduled in the annual work plan. New coders are often placed on a 100% pre-bill review until they demonstrate sustained accuracy, then moved to sampled review.

Every audit ends with feedback and education, not just a score. Findings are categorized — for example, DRG-affecting errors (the principal diagnosis, a comorbidity/complication, or a procedure that changes the MS-DRG) versus non-DRG-affecting errors (a secondary code that does not move payment). DRG-affecting errors carry the highest financial and compliance risk and are tracked separately.

Worked Example: Computing an Accuracy Rate

Suppose an auditor reviews 30 inpatient records and finds 3 records with at least one coding error. The record accuracy rate is (30 − 3) ÷ 30 = 90%, below a 95% benchmark, so the sample would be expanded per the compliance plan. 7%**. Reporting both rates prevents a misleading "all errors are equal" picture and focuses remediation on the high-dollar DRG-affecting mistakes. The auditor then documents root causes — ambiguous documentation, a missed query opportunity, or a coder knowledge gap — and assigns targeted education.

External Audits the RHIT Must Anticipate

Internal audits are not the only oversight. Several external programs review claims after payment, and HIM staff frequently coordinate the record responses:

  • Recovery Audit Contractors (RACs) — paid on a contingency fee to find and recover Medicare overpayments (and underpayments); they conduct automated and complex reviews.
  • Medicare Administrative Contractors (MACs) — process claims and run pre- and post-payment medical review.
  • Comprehensive Error Rate Testing (CERT) — measures the Medicare fee-for-service improper payment rate.
  • Unified Program Integrity Contractors (UPICs) — investigate suspected fraud.

When any of these requests an Additional Documentation Request (ADR), HIM must produce the complete, authenticated legal record within the deadline; a missing signature or an incomplete record can convert a clinically valid claim into a denied or overpaid one. Tracking ADR turnaround and appeal outcomes is part of a sound coding compliance program.

Test Your Knowledge

A coder is asked by a supervisor to assign a higher-paying DRG even though the documentation does not support it. Which AHIMA Standards of Ethical Coding principle does this violate?


An audit reviews claims that have already been paid by Medicare to identify and refund overpayments. This is best described as which type of audit?


What primarily distinguishes healthcare fraud from healthcare abuse?


Billing separately for the individual components of a procedure that has a single bundled code, in order to receive higher payment, is called:
