Medical Necessity 101: The Checklist Small Practices Need to Survive a Post-Payment Audit (42 CFR § 405.980)

Post-payment audits are no longer rare events reserved for large hospital systems. For small practices, a single Medicare post-payment review can trigger reopenings of older claims under 42 CFR 405.980, leading to thousands of dollars in recoupments if medical necessity is not well documented.

Under Title XVIII of the Social Security Act, section 1862(a)(1)(A), Medicare only pays for services that are reasonable and necessary for diagnosis or treatment. When contractors review claims after payment, they are not only checking codes; they are evaluating whether the record supports this standard. If they conclude that medical necessity is not documented, they can reopen determinations within 1 year for any reason, within 4 years for good cause, and at any time for fraud or similar fault under 42 CFR 405.980(b).

This article breaks down how small practices can build a simple, repeatable medical necessity checklist that stands up in a post-payment audit. It ties daily documentation habits to the legal standards in 42 CFR 405.980 and the underlying medical necessity statute, so your team knows exactly what to do when an Additional Documentation Request arrives.

For many small practices, “medical necessity” feels like a vague idea until a Medicare contractor sends a letter asking for records on claims paid 18 months ago. At that moment, 42 CFR 405.980 determines how far back the contractor can reopen those claims and on what basis. If the documentation does not clearly show why each service was reasonable and necessary, the practice can face recoupments, interest, and ongoing monitoring.

Medical necessity is not solely a coding issue. It is the story your documentation tells: why the patient came in, what you found, what you did, and why that was the right level of service under accepted standards of care. Medicare’s authority to deny payment for services that are not reasonable and necessary flows from section 1862(a)(1)(A) of the Social Security Act, and contractors apply that standard during post-payment medical review.

This guide focuses on building a practical “Medical Necessity 101” checklist tailored to small practices. It is designed to reduce your risk of unfavorable reopenings under 42 CFR 405.980 by making every chart audit-ready from day one.

Understanding Legal Framework & Scope Under 42 CFR 405.980

To survive a post-payment audit, a small practice needs to understand both what Medicare means by medical necessity and how reopenings work. These are separate but tightly related concepts.

Section 1862(a)(1)(A) of the Social Security Act provides that Medicare will not pay for items or services that are not reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body member. This is the bedrock standard that contractors rely on when they review your documentation.

On the procedural side, 42 CFR 405.980 lays out the rules for reopening Medicare initial determinations and redeterminations. Key features include:

• A contractor may reopen a determination within 1 year of the date of the initial determination for any reason.

• A contractor may reopen within 4 years for good cause, as defined in 42 CFR 405.986 (for example, new and material evidence or error on the face of the evidence).

• A contractor may reopen at any time if there is reliable evidence that the initial determination was procured by fraud or similar fault.

These rules give contractors a multi-year window to revisit paid claims. The Medicare Program Integrity Manual confirms that reopening is a foundational tool for post-payment review activities and instructs contractors on how to use data analysis and medical review to identify potential overpayments.

Federally, the framework for reopenings is uniform. However, how medical necessity criteria are applied can vary based on National Coverage Determinations (NCDs) and Local Coverage Determinations (LCDs) issued by each Medicare Administrative Contractor. Understanding which NCDs and LCDs govern your high-volume services is essential, but the overarching reopening timeframes in 42 CFR 405.980 remain the same across jurisdictions.

By understanding this structure, small practices can align documentation, record retention, and internal audit practices with the timeframes and standards contractors use to revisit claims. That alignment reduces denials, recoupments, and the administrative friction of disputing audit findings years after services were rendered.

Multiple entities participate in Medicare post-payment review and can trigger reopenings under 42 CFR 405.980. CMS relies on a network of contractors, including:

• Medicare Administrative Contractors (MACs), which process claims and conduct targeted medical review.

• Comprehensive Error Rate Testing (CERT) contractors, which assess improper payment rates and request supporting records.

• Unified Program Integrity Contractors (UPICs), which focus on potential fraud, waste, and abuse and can initiate post-payment reviews and reopenings.

• Recovery Audit Contractors (RACs), which identify and recover improper payments on a contingency-fee basis.

Common triggers for post-payment review and reopening include:

• Data analysis showing aberrant billing patterns, such as unusually high utilization of certain codes.

• Complaints from beneficiaries or other providers about questionable billing.

• Focused initiatives in areas with historically high error rates (for example, particular diagnostic tests or therapy services).

• Random sampling to measure improper payment rates.

Once a claim is selected, contractors issue an Additional Documentation Request (ADR). CMS guidance stresses that documentation submitted in response to ADRs is central to determining whether services were reasonable and necessary. If the documentation does not support coverage criteria, the contractor may reopen the determination under 42 CFR 405.980 and issue an overpayment demand.

For small practices, the practical takeaway is simple: your medical necessity checklist is your first line of defense against post-payment recoupment. It must be built to withstand the scrutiny of MACs, UPICs, RACs, and other review entities operating under the reopening rules.

Even though 42 CFR 405.980 is a Medicare regulation rather than a HIPAA rule, the same discipline that protects you in HIPAA security audits applies here: documented, repeatable controls. This section turns legal standards into concrete steps that small practices can implement without new headcount, directly tied to the reopening and medical necessity framework.

1. Build a “Medical Necessity Core Elements” Template

   Every visit and test should answer the same core questions: why today, what changed, what you did, and why it was necessary. These elements line up with Medicare’s requirement that services be reasonable and necessary under section 1862(a)(1)(A).

   • How to implement: Add a standard template to your EHR note for high-volume services, prompting for chief complaint, history relevant to the test or service, objective findings, differential/assessment, and rationale for the chosen service.

   • Evidence to retain: Examples of completed notes showing all elements, plus a copy of your internal template or EHR configuration screenshot.

   • Low-cost method: Use existing EHR custom fields or simple macros; if using paper, add a one-page “medical necessity cover sheet” that providers complete for targeted services.

   When contractors reopen claims under 42 CFR 405.980, they will evaluate this record to decide whether medical necessity was supported. A consistent template makes it easier to show that your practice met the statutory standard.

2. Link Each Ordered Service to a Specific Diagnosis and Coverage Policy

   Contractors often look for a clear connection between the billed service, the diagnosis code, and applicable coverage criteria such as NCDs or LCDs.

   • How to implement: For recurrent tests (imaging, labs, therapies), build a quick-reference list of acceptable diagnosis ranges based on NCDs and LCDs, and configure your EHR to prompt for that linkage at order entry.

   • Evidence to retain: A copy of your quick-reference list, EHR screenshots demonstrating decision support prompts, and internal emails or training slides describing the process.

   • Low-cost method: Maintain a shared spreadsheet or simple PDF with links to relevant coverage policies and distribute it during staff meetings.

   When claims are reopened, being able to show that each order was intentionally matched to recognized coverage criteria reduces the risk that contractors will deem the services not reasonable and necessary.

3. Create an ADR Response Playbook

   Since ADRs are the primary mechanism for gathering documentation in post-payment reviews, your ability to respond quickly and completely can determine whether Medicare pursues reopening and recoupment.

   • How to implement: Draft a one-page ADR workflow that specifies who retrieves records, who quality-checks them, and who sends the packet. Include a checklist for each claim: complete clinical note, test orders, consent forms if applicable, and any prior authorization or referral documentation.

   • Evidence to retain: Copies of completed ADR packets (with PHI de-identified for training), a log of response dates, and the written ADR workflow.

   • Low-cost method: Use a secure shared drive folder named “ADR Packets” with subfolders for each request, and a simple spreadsheet to track deadlines and confirmation of submission.

   This control aligns with 42 CFR 405.980 because timely, organized responses may reduce the need for contractors to reopen determinations and minimizes the risk of adverse inferences due to missing documentation.

4. Flag High-Risk Services for Pre-Submission Review

   Program Integrity guidance encourages contractors to focus on services with high improper payment rates. Practices can mirror this approach internally by subjecting some high-risk claims to pre-submission documentation review.

   • How to implement: Identify three to five codes that are frequently audited nationally (for example, certain imaging tests, therapy services, or high-level E/M visits) and require a second review of documentation before claims are released.

   • Evidence to retain: A log of pre-submission reviews, including any corrections made before billing, and periodically sampled records showing improvements in documentation.

   • Low-cost method: Have one clinician or experienced biller spend one hour per week reviewing a handful of charts from this high-risk list.

   By tightening documentation before claims go out, you reduce the likelihood that a contractor’s later data analysis will flag your practice for reopenings under 42 CFR 405.980.

5. Align Record Retention with Reopening Windows

   Because contractors can reopen claims for up to 4 years for good cause and longer in fraud cases, record retention policies should at least match or exceed these windows.

   • How to implement: Set a baseline policy to retain all documentation supporting Medicare claims for at least 7 years, aligning with many state law and overpayment look back expectations while comfortably covering the reopening timeframe.

   • Evidence to retain: Written record retention policy, IT back up logs, and any vendor contracts covering EHR data retention.

   • Low-cost method: Use existing EHR storage plus low-cost cloud backup; ensure that scanned paper records are indexed by date of service and claim number.

   This control ensures that when a post-payment audit occurs within the reopening window, your practice can actually produce the documentation needed to support medical necessity, rather than losing by default due to missing records.

Together, these controls form a compact but powerful survival guide for small practices facing Medicare post-payment review under 42 CFR 405.980.

Case Study

A small internal medicine practice provided ongoing evaluation and management visits, periodic cardiac stress tests, and advanced imaging for a panel of older patients. Eighteen months after a high-volume year, the practice received an ADR from its MAC for a sample of 60 claims involving stress tests and imaging.

The contractor’s medical review team evaluated the submitted records against the statutory reasonable and necessary standard in section 1862(a)(1)(A), relevant NCDs and LCDs, and local coverage criteria. They found that in many cases, the documentation did not clearly reflect:

• Why the test was ordered at that specific point in time.

• What prior conservative management or diagnostic work-up had already occurred.

• How the test result would change management.

Based on this, the MAC concluded that a significant subset of the reviewed services was not medically necessary. Under 42 CFR 405.980, the MAC reopened the initial determinations within the 4-year good cause window, citing medical review findings and data analysis as new and material evidence. The practice received an overpayment demand totaling more than $75,000, plus interest.

After this initial blow, the practice implemented the controls outlined in the previous section: a medical necessity template, explicit linkage of tests to diagnoses and coverage policies, and a structured ADR response process.

When a second wave of ADRs arrived two years later, the story was different. The new records showed clear rationale, consistent documentation of prior management, and direct linkage to applicable coverage criteria. The contractor’s medical review found a much lower error rate, and no broad reopening was initiated for that later period.

This case illustrates how weak documentation can turn 42 CFR 405.980 into a painful recoupment tool, while disciplined use of a medical necessity checklist can protect a small practice from the financial shock of post-payment audits.

Use this table as a practical self-audit tool to confirm that your practice is aligned with 42 CFR 405.980 and the underlying medical necessity standard before a post-payment audit occurs.

Completing this checklist regularly keeps your documentation and processes synchronized with the legal standards that govern reopenings and medical review, reducing the likelihood of costly post-payment recoupments.

Common Audit Pitfalls to Avoid Under 42 CFR 405.980

Before a post-payment audit hits, it helps to know where similar practices stumble. Each of the following pitfalls has been associated with unfavorable reopenings and overpayment findings.

• Treating medical necessity as a coding exercise rather than a documentation standard, leading to notes that do not fully explain why services were reasonable and necessary under section 1862(a)(1)(A).

• Ignoring NCDs and LCDs that restrict coverage for certain tests, resulting in patterns of care that are inconsistent with Medicare coverage rules and easily flagged in data analysis.

• Failing to respond completely or on time to ADRs, which can prompt contractors to deny claims or conclude that services are not supported when they reopen determinations.

• Keeping record retention periods that are shorter than the reopening window, so critical documentation is missing when a contractor reviews claims 3 or 4 years later.

• Relying on inconsistent office processes, where some clinicians document rationale thoroughly while others rely on shorthand that does not satisfy medical review expectations.

By proactively fixing these pitfalls, your practice reduces the likelihood that contractors will use 42 CFR 405.980 to reopen large volumes of claims and maximizes the chance that any post-payment review will confirm, rather than challenge, your billing.

Sustainable protection against post-payment audits requires more than a one-time clean-up project. It requires a culture that treats medical necessity documentation as part of patient care and revenue integrity.

Leadership should assign clear ownership for Medicare compliance, including responsibility for monitoring relevant changes in coverage policies, CMS manual updates, and audit trends. Staff training should occur at least annually and whenever major policy changes occur, focusing on real examples from your own charts and emphasizing how reopenings under 42 CFR 405.980 work.

Simple metrics can help: the percentage of sampled charts that contain a clear medical necessity statement, the number of ADRs received and successfully closed, and the proportion of overpayment findings overturned on appeal. Tracking these indicators aligns your governance activities with the legal framework and keeps the practice audit-ready without heavy bureaucracy.

Post-payment audits and reopenings are a reality for small practices participating in Medicare. Under 42 CFR 405.980, contractors have years to revisit claims and recover payments when they believe services were not medically necessary. By grounding your processes in the statutory standard at section 1862(a)(1)(A) and the practical guidance in CMS manuals, you can transform medical necessity from an abstract risk into a manageable checklist.

Immediate next steps for a small clinic:

1. Select one high-volume, high-risk service and run a mini-audit of 10 recent charts using the “medical necessity core elements” checklist.

2. Document and implement a basic ADR response workflow, assigning names and backup roles.

3. Confirm that your record retention practices cover at least the 4-year reopening window, and preferably 7 years.

4. Build a short list of applicable NCDs and LCDs for your top five Medicare services and share it with clinicians and coders.

5. Schedule a brief staff huddle to explain how reopenings under 42 CFR 405.980 work and why complete documentation protects both patients and the practice.

Recommended compliance tool: 

A one-page “Medical Necessity & Reopening Risk” checklist posted in provider work areas and embedded in the EHR for high-risk services.

Advice: Before you submit another high-risk Medicare claim, confirm that the note clearly answers why the service was reasonable and necessary today based on the patient’s condition and applicable coverage criteria.

• 42 CFR § 405.980 – Reopening of initial determinations, redeterminations, reconsiderations, decisions, and reviews
  

• 42 CFR Part 405 – Federal Health Insurance for the Aged and Disabled
  

• 42 CFR § 405.980 – Text at Cornell Law School LII
  

• CMS Medicare Program Integrity Manual – Chapter 8 (PDF) referencing 42 CFR 405.980