CMP Audit Preparation: The 5 Required Documents (42 CFR § 1003.133)
Executive Summary
Civil Monetary Penalties (CMP) investigations by the HHS Office of Inspector General (OIG) move quickly and focus on whether claims were false or fraudulent, whether items or services were not medically necessary, and how the organization responded once issues were identified. While some articles reference 42 CFR § 1003.133, the operative CMP authorities are found throughout 42 CFR Part 1003, particularly § 1003.200 (bases for CMPs) and § 1003.210 (amount of penalties and assessments), with annual inflation updates in 45 CFR Part 102.
For small practices, CMP readiness does not depend on complex software or large compliance teams. It depends on maintaining five audit-ready document packets that demonstrate claim truthfulness, appropriate supervision and scope, timely correction, and durable controls. These five documents form the backbone of a credible CMP response and often determine whether an inquiry closes administratively or escalates.
Introduction
OIG CMP reviews may be triggered by data analytics, contractor referrals, complaints, or self-disclosures. Once initiated, investigators typically ask three core questions:
- Were the claims truthful and payable?
- If problems existed, did the practice act promptly and responsibly?
- Do controls exist to prevent recurrence?
Small clinics succeed in CMP audits by answering these questions with clear, well-organized evidence tied directly to the claims at issue. This article translates the CMP framework into five document packets that any small practice can assemble and maintain with minimal cost and effort.
Understanding the Five Documents Under the CMP Framework
Although titles sometimes cite individual sections, CMP authority is governed broadly by 42 CFR Part 1003. Two provisions explain why auditors ask for specific records:
- 42 CFR § 1003.200 — sets forth the bases for CMPs, including false or fraudulent claims and patterns of not medically necessary services.
- 42 CFR § 1003.210 — establishes penalty and assessment amounts, with annual adjustments under 45 CFR Part 102.
Operationally, each document packet should help answer at least one CMP question: claim truthfulness, responsible remediation, or prevention of recurrence.
The OCR’s Authority in CMP Audits (and Who Enforces Them)
This section is retained for format consistency. CMPs under 42 CFR Part 1003 are enforced by the HHS Office of Inspector General (OIG). The HHS Office for Civil Rights (OCR) enforces HIPAA Privacy, Security, and Breach Notification Rules. OCR is not the CMP enforcement authority unless privacy or security violations are discovered alongside billing issues. CMP determinations related to claims, medical necessity, and penalties remain exclusively within OIG’s jurisdiction.
Step-by-Step Guide to the Five Required Document Packets
Document 1: The Claims & Coding Packet (Allegation Period)
How to comply
Assemble the complete universe of claims under review, including dates of service, CPT/HCPCS codes, ICD-10 codes, modifiers, and payers.
Evidence to include
- Claim export (CSV or spreadsheet)
- Clearinghouse submission and acceptance logs
- Remittance advices
- Internal coding or edit notes
- Void, adjustment, or rebill records
Low-cost build
Export directly from the practice management system and include a “read-me” tab describing fields and filters.
Document 2: The Medical Necessity & Standards Dossier
How to comply
For each service type reviewed, assemble the medical-necessity criteria and evidence that the criteria were met.
Evidence to include
- Coverage policies or clinical standards
- Order-set indications and contraindications
- Three to five de-identified exemplar charts per code
- For tests, minimum performance or quality criteria
Low-cost build
Create one bookmarked PDF per service type organized as: criteria → exemplars → outcomes.
Document 3: The Supervision, Scope, and Credentialing File
How to comply
Demonstrate that services were ordered, performed, and supervised by individuals permitted to do so.
Evidence to include
- Supervision matrix by service
- “Supervisor of Record” logs with time blocks
- Scope-of-practice grid
- Current licenses, NPIs, and credentials
Low-cost build
Use a laminated supervision chart and weekly scans of sign-in or coverage logs.
Document 4: The Exception Ledger and Corrective Action Plan (CAP) Bundle
How to comply
Maintain a running log of deviations and link each to a documented corrective action.
Evidence to include
- Exception entries (date, service, issue, owner)
- CAP steps and completion dates
- Training rosters and maintenance records
- Monitoring results and closure memos
Low-cost build
A single spreadsheet with filters and a one-page CAP template.
Document 5: The Overpayment and Disclosure Record
How to comply
When non-payable claims are identified, document calculation, repayment, and any disclosures.
Evidence to include
- Claim lists and overpayment calculations
- Proof of voids, adjustments, or refunds
- Correspondence with payers or OIG, if applicable
Low-cost build
Reusable calculation sheets and standardized cover memos stored by payer.
Case Study
A payer flags a spike in bundled laboratory panels. OIG requests records for six months. The clinic produces a complete Claims & Coding Packet within 72 hours, followed by a Medical Necessity Dossier showing indications and outcomes. The Supervision File documents staffing changes mid-period. The Exception Ledger identifies one week of equipment calibration issues; the CAP shows repair, retraining, and three months of monitoring. The Overpayment Record confirms voluntary refunds for affected claims. The review closes with no penalty escalation.
Simplified Self-Audit Checklist
- Claims & Coding Packet current
- Medical Necessity Dossier updated for top services
- Supervision and credentialing logs complete
- Exception Ledger tied to CAPs
- Overpayment records documented
- Ability to produce all five packets within 72 hours
Common Pitfalls to Avoid
- Producing charts without a defined claim universe
- Citing policies without evidence of application
- Vague supervision attestations
- Open exceptions without closure documentation
- Refunds lacking calculations or confirmation
Each weakens credibility under 42 CFR Part 1003.
Best Practices for CMP Audit Readiness
- Standardize file naming and packet indexes
- Organize evidence by question, not by source
- Include read-me tabs in spreadsheets
- Conduct internal “mock productions” annually
- Maintain a written 72-hour response plan
Building a Culture of CMP Readiness
Treat the five document packets as living artifacts. Assign owners, refresh cycles, and escalation authority. Conduct brief “evidence drills” and track readiness metrics such as time to first production and number of open exceptions. Consistency, not technology, determines CMP outcomes.
Final Summary
CMP audits under 42 CFR Part 1003 test claim truthfulness and the seriousness of a provider’s response. The fastest path to resolution is maintaining five standing document packets: Claims & Coding, Medical Necessity & Standards, Supervision/Scope/Credentialing, Exception Ledger & CAP, and Overpayment & Disclosure. Small practices that keep these documents current respond quickly, credibly, and defensibly.
To further strengthen your compliance posture, consider using a compliance regulatory tool. These platforms help track and manage requirements, provide ongoing risk assessments, and keep you audit-ready by identifying vulnerabilities before they become liabilities, demonstrating a proactive approach to regulators, payers, and patients alike.