Preparing for a CMP Audit: A Small Practice Owner’s Checklist (42 CFR § 1003.133)
Executive Summary
Civil Monetary Penalty (CMP) audits by the HHS Office of Inspector General (OIG) move fast, rely on documented facts, and can disrupt a small clinic’s operations if you are unprepared. While the title references 42 CFR § 1003.133, the controlling rules for CMP audit and adjudication procedures are located in 42 CFR Part 1003, including Subpart O (Procedures for the Imposition of CMPs, Assessments, and Exclusions) and related general/penalty sections (§§ 1003.120, 1003.140, 1003.210, 1003.220). For owners, the operational imperative is simple: know the procedural milestones (notice, hearing rights, settlement options, sampling, time limits), assemble the right evidence before a letter arrives, and drill your team on a 72-hour response. This guide turns the regulations into a practical checklist you can run with limited staff and budget.
Introduction
If you bill federal healthcare programs, CMP exposure does not begin with fraud; it often begins with documentation gaps, policy drift, supervision missteps, or failure to refund overpayments. OIG’s CMP framework in 42 CFR Part 1003 allows penalties and assessments when the government can show specified conduct, such as false or fraudulent claims, patterns of nonmedical necessity, or certain referral or inducement violations. But whether you face penalties depends heavily on your records, timely assertions of rights, and the durability of your corrective actions. This article translates the CMP procedures into owner-level action: what to preserve, who speaks, which deadlines are non-negotiable, and how to stage a cost-effective “Go-Bag” that meets OIG’s evidentiary expectations.
Understanding Audit Preparation Under 42 CFR (Correcting § 1003.133 to the Governing Provisions)
Correct citation and scope. There is no current § 1003.133 in the CMP rules. CMP audits and case processing rely on:
- Subpart O (e.g., § 1003.1500 Notice of proposed determination; § 1003.1510 Failure to request a hearing; § 1003.1530 Settlement; § 1003.1540 Judicial review; § 1003.1570 Limitations; § 1003.1580 Statistical sampling; § 1003.1600 Reinstatement).
- Subpart A general provisions (§ 1003.120 Liability; § 1003.130 Assessments; § 1003.140 Determinations regarding the amount and period of exclusion).
- Subpart-specific penalty sections (e.g., § 1003.210 Amount of penalties and assessments; § 1003.220 Determinations for Subpart B).
- 45 CFR Part 102 (annual inflation adjustments to penalty amounts).
Why this matters for audit readiness. OIG’s procedural rules establish what notice must contain, how long you have to request a hearing, how statistical sampling may be used, how settlements are handled, and what limits may apply. Preparing your files and workflows around these steps reduces frantic, last-minute scrambles and helps you demonstrate cooperation, credibility, and corrective action quality, all of which influence outcomes. In short, aligning your preparation with the actual procedural framework reduces penalties and the likelihood of exclusion.
The OCR’s Authority in CMP Audits (and who actually runs them)
The heading is retained for format, but the authorities differ: OCR enforces HIPAA Privacy, Security, and Breach Notification rules. OIG investigates and imposes CMPs under 42 CFR Part 1003, including conducting audits, issuing notices of proposed determination, and managing settlements or referrals for hearing. Triggers for CMP scrutiny commonly include contractor data analytics, complaints or whistleblower tips, self-disclosures, credit-balance anomalies, and pattern outliers (ordering, coding, supervision). If an event involves both HIPAA and claim-integrity issues, OCR and OIG can proceed in parallel, but CMP audit preparation belongs to OIG’s process. Your internal playbook should therefore route privacy incidents to OCR protocols and CMP-relevant issues to an OIG-aligned response.
Step-by-Step Compliance Guide for Small Practices
Below is a lean, owner-friendly sequence that maps to the CMP procedure milestones and can be executed with limited staff.
1) Assemble a CMP “Go-Bag” (document architecture you can deploy in a day).
How to comply. Pre-stage a binder or secure digital folder with tabs: (A) Organizational chart and delegations; (B) Policies tied to billing, supervision, medical necessity, refunds; (C) Training rosters; (D) Sampling memos and audit trails; (E) Overpayment files and refund proofs; (F) Recent corrective action plans (CAPs) and monitoring results; (G) Communications log template; (H) Counsel contact sheet.
Evidence. Index page with version dates; signed policies; dated training logs; copies of refunds and CAP tracking with completion dates.
Low-cost tip. Use a cloud drive with “read-only” permissions; keep a one-page index, so any manager can find exhibits fast.
2) Define a 72-Hour Audit Drill: who does what from Day 0 to Day 3.
How to comply. Write a micro-SOP that covers: receiving a notice; preserving records; appointing a single point of contact (SPOC); creating a hold on related claim releases; and scheduling a day-one huddle.
Evidence. Time-stamped receipt log; legal hold notice; SPOC designation; meeting notes with task owners and deadlines.
Low-cost tip. A one-page workflow with boxes for time “T+4, T+24, T+72” and space to note deliverables.
3) Build a Claim-Risk Heatmap before anyone asks.
How to comply. Rank service lines by risk: high-cost codes, incident-to and diagnostic tests requiring specified supervision, items with strict medical-necessity criteria, and prior denial hot spots.
Evidence. A table assigning red/yellow/green ratings, the applicable policy/CFR hook, and the owner responsible for remediation.
Low-cost tip. Start from payer policies and your top 20 CPT/HCPCS; add one risk control per month.
4) Prepare for notice, hearing, and settlement mechanics.
How to comply. Pre-write templates for: acknowledgment of the notice of proposed determination; a hearing request cover reviewed by counsel; and a settlement posture memo that summarizes facts, remediation, and monetary calculations.
Evidence. Template letters; deadlines calendar; escalation list to leadership and counsel.
Low-cost tip. Maintain a master deadline spreadsheet tied to your calendar with reminders at T-10, T-5, T-2 days.
5) Get good at statistical sampling (or know when to retain help).
How to comply. Document your approach: define universes, randomization, sample size rationales, extrapolation methods, and quality checks. Even if OIG uses its own sampling, having defensible internal methods speeds negotiation.
Evidence. Sampling plan memos; calculation worksheets; secondary review sign-offs; FAQ sheet explaining assumptions.
Low-cost tip. Use standard spreadsheet functions and a brief two-person check on formulas.
6) Stage overpayment response files and refund proofs.
How to comply. Maintain a standardized Overpayment File structure for each identified issue: trigger, scope, math, refund route, CAP, and monitoring closure.
Evidence. Copies of refund submission and acknowledgments; timeline of identification and 60-day return; CAP with dates; monitoring results.
Low-cost tip. Keep a reusable “Refund Packet” template to cut prep time.
7) Control communications: one voice, clean record.
How to comply. All outbound communication to OIG or contractors goes through the SPOC; maintain a contemporaneous log of calls, emails, and submissions.
Evidence. Communications log with date/time/participants/summary; copies of attachments.
Low-cost tip. Use a numbered log template and store PDFs immediately after each contact.
8) Prove durable fixes (the factor that often moves the needle).
How to comply. For each cited issue, show the root cause, the fix, and measurable durability (2–4 quarters).
Evidence. CAP document, before/after metrics, training sign-ins, EMR edit screenshots, and a closure memo.
Low-cost tip. Track one outcome metric and one process metric per fix.
Wrap-up: This sequence positions your practice to respond quickly, protect your rights, and demonstrate credible remediation, key considerations when penalties and periods of exclusion are determined.
Case Study
Trigger. A four-provider primary-care clinic receives a notice of proposed determination citing a pattern of diagnostic tests allegedly performed without the supervision level required by program rules. The notice identifies a proposed penalty and invites a response within strict timeframes.
Response. The clinic implements its 72-Hour Audit Drill. Day 0: leadership names a SPOC, issues a document hold, and acknowledges receipt. Day 1: the team assembles coverage logs, EMR supervision attestations, and schedules for the sampled dates. Day 2: a targeted internal review shows two days with incomplete coverage logs; claims for those days are identified. Day 3: the practice sends a preliminary fact sheet, commits to corrected processes, and requests a hearing to preserve rights while exploring settlement.
Remediation. The clinic voids or adjusts affected claims, updates the supervision policy to require a “Supervisor of Record” log, inserts an EMR hard stop for supervisor fields, and launches a 90-day monitoring plan. A sampling memo (with independent review) and a CAP summary are bundled into a settlement posture memo.
Outcome. OIG engages in settlement discussions. The clinic’s proactive refunds, documented process fixes, and clean communications record support a reduction from the proposed penalty and no exclusion. The matter closes with a manageable settlement and a commitment to ongoing monitoring.
Simplified Self-Audit Checklist for CMP Audit Readiness
| Task | Responsible Role | Timeline/Frequency | CFR Reference |
|---|---|---|---|
| Maintain CMP “Go-Bag” with indexed exhibits (org chart, policies, training, CAPs, refunds) | Practice Owner / Compliance Lead | Quarterly review | 42 CFR § 1003.120; § 1003.140 |
| Implement 72-Hour Audit Drill SOP (notice → hold → SPOC → huddle) | Compliance Lead | Annual drill | 42 CFR § 1003.1500; § 1003.1510 |
| Build Claim-Risk Heatmap with CFR/policy hook | Billing Supervisor / Clinical Lead | Quarterly | 42 CFR § 1003.200; § 1003.220 |
| Stage sampling/extrapolation templates and QA checks | Compliance Lead / Finance | Semiannual | 42 CFR § 1003.1580 |
| Standardize Overpayment Files and refund packets | Compliance Lead | Ongoing | SSA § 1128A; 42 CFR Part 1003 |
| Calendar hearing/response deadlines with reminders | Practice Manager | Ongoing | 42 CFR § 1003.1500–§ 1003.1540 |
| Monitor CAP durability (2–4 quarters per issue) | Clinical Lead / Billing Supervisor | Monthly | 42 CFR § 1003.140; § 1003.210 |
| Keep a communications log for all regulator interactions | SPOC | Ongoing | 42 CFR § 1003.1500 et seq. |
Wrap-up: Each row aligns a precise readiness control to the governing procedure or determination provision, creating a defensible file that speeds resolution.
Common Pitfalls to Avoid Under the CMP Procedural Framework
Before the list, remember that OIG’s determinations consider the nature of the conduct, culpability, history, and corrective actions. The following pitfalls directly undermine audit outcomes.
- Treating the first letter as “informational”. A notice of proposed determination starts the clock; missing a deadline can waive hearing rights. Practical consequence: loss of leverage and likely higher financial impact.
- Scrambling for evidence you could have staged. Policies, training logs, and CAPs created post-notice may look reactive. Practical consequence: reduced credibility and tougher settlement posture.
- Sampling sloppiness. Undocumented universes or non-random selection erodes trust in your numbers. Practical consequence: agency reliance on its own (possibly less favorable) extrapolation.
- Fixing processes but ignoring tainted claims. If you do not void/adjust past claims, liability remains live. Practical consequence: continuing exposure and potential aggravation in penalty calculus.
- Multiple voices to the regulator. Conflicting statements from staff dilute credibility. Practical consequence: more document requests, longer timelines, and higher cost.
Wrap-up: Avoiding these mistakes preserves rights, increases negotiating credibility, and shortens the path to closure.
Best Practices for CMP Audit Compliance
Small practices can make big gains with a few disciplined habits.
- Single Source of Truth (SSoT) binder. Keep one index that points to authoritative versions of policies, rosters, CAPs, refunds, and sampling memos. This prevents contradictory documents from circulating.
- “Owner’s Five”: Each month, personally review five charts from a high-risk service line for necessity, supervision, and documentation sufficiency.
- Micro-trainings over marathons. Fifteen-minute refreshers on documentation of medical necessity, supervision attestations, and refund triggers are more durable than annual lecture days.
- Pre-bill hard stops for key fields. If an order or test requires an indication or supervisor, claims cannot post without the field.
- Two-metric monitoring. For each fix, track one process measure (e.g., % charts with supervisor field complete) and one outcome measure (e.g., denial rate for the service).
Wrap-up: These practices turn compliance into routine, reproducible behaviors that satisfy both the letter and spirit of Part 1003 procedures.
Building a Culture of Compliance Around CMP Audits
Culture determines whether staff escalate on Day 1 or wait until a deadline passes.
Training. Use short, case-based sessions covering notice content, hearing timeframes, sampling basics, and when to refund or self-disclose. Tie each to your SSoT binder.
Policies. Keep policies short, versioned, and cross-referenced to the Claim-Risk Heatmap, so staff understand clinical and billing implications.
Leadership. Designate a SPOC and a two-person back-up; empower them to pause claim releases in affected service lines when issues surface.
Monitoring. Run a quarterly tabletop exercise on a hypothetical notice; time how long it takes to pull the exhibits. Shorten that time every quarter.
Wrap-up: When compliance is part of daily flow, not a special event, your clinic meets deadlines, documents fixes, and navigates audits with minimal disruption.
Concluding Recommendations, Advisers, and Next Steps
Summary. CMP audits turn on procedure as much as substance. Knowing Subpart O milestones, preserving your hearing and settlement options, and producing clean, dated evidence quickly are the levers that matter. For small practices, a CMP Go-Bag, a 72-Hour Audit Drill, and a Claim-Risk Heatmap deliver disproportionate value.
Advisers
- Use official OIG CMP authorities and Subpart O text to script your notice-through-settlement playbook.
- Consult eCFR Part 1003 for bases of liability, penalty amounts, and determination factors; check 45 CFR Part 102 each year for inflation updates.
- Keep the OIG Self-Disclosure Protocol bookmarked for circumstances where a structured disclosure is the safest path.
Next steps. Finalize your CMP Go-Bag this week; run a 60-minute table-top using the 72-Hour Audit Drill; hard-stop one high-risk field in your pre-bill workflow; and schedule the first quarterly SSoT binder audit.
A practical step to reinforce compliance is integrating a compliance system into your operations. These tools monitor requirements, perform ongoing risk reviews, and keep your practice prepared for audits, helping you avoid costly mistakes while presenting a proactive stance to oversight bodies.