The RAC Audit Is Coming: How to Prepare Your Small Practice for Recovery Audit Contractors (42 CFR § 421.304)
Executive Summary
Recovery Audit Contractors (RACs) are independent firms hired by CMS to find and correct improper Medicare payments, including both overpayments and underpayments. Under the authority of section 1893(h) of the Social Security Act and implemented through Medicare contractor rules in 42 CFR Part 421, including 42 CFR 421.304, RACs mine paid claims for errors and then seek recoupment when they identify overpayments.
For a small practice, a single RAC audit can feel overwhelming, especially when you receive dense letters referencing unfamiliar regulations and tight deadlines. RAC determinations, however, are not random; they are the predictable outcome of how your documentation, coding, and billing align with Medicare coverage rules and contractor responsibilities.
This article explains how the RAC program works, why 42 CFR 421.304 matters to your practice, and how to set up simple controls so a RAC audit becomes a manageable business process, not an existential threat. It provides a practical survival guide, a self audit checklist, and a governance model you can implement with minimal new cost.
Introduction
RAC audits sit at the intersection of your clinical documentation, billing workflows, and Medicare’s drive to control improper payments. CMS is required to use recovery audits as a tool to identify and correct errors in the Medicare fee for service program, and RACs are paid a contingency fee based on the overpayments they recover.
For small practices with lean staff, that payment structure matters. It means each RAC region is strongly motivated to find billings that do not line up with Medicare coverage, coding, or documentation criteria. The RAC may review thousands of your historical claims using data analytics, select a sample for medical record review, and then propose recoupment for all similar claims in the look back period if it identifies a pattern.
Understanding RAC rules is not just an abstract legal exercise. It affects whether your practice survives a sudden demand letter that seeks to recoup tens of thousands of dollars for services already delivered and paid. This guide translates the contractor rules in 42 CFR 421.304 into concrete steps you can take now to prepare, respond, and appeal when appropriate.
Understanding Legal Framework & Scope Under 42 CFR 421.304
The RAC program draws authority from statute and regulation. Section 1893(h) of the Social Security Act directs the Secretary of Health and Human Services to use recovery audit contractors to identify underpayments and overpayments in the Medicare program and to recoup overpayments.
Regulatory structure for contractors lives in 42 CFR Part 421. Section 421.304 describes functions that CMS may assign to Medicare administrative contractors, including determining amounts of payments, performing medical necessity and utilization reviews, conducting audits of provider records, and furnishing consultative services to providers. While RACs are a distinct contractor type, they operate within this broader framework of delegated claims review and program integrity functions.
Key pieces of the legal framework your practice should understand are:
- The RAC program is a post payment review program for Medicare fee for service claims. RACs reexamine paid claims to identify improper payments, which may include services that were not medically necessary, not supported by documentation, incorrectly coded, or billed under the wrong provider number.
- RACs must follow Medicare coverage, coding, and payment policies that were in effect on the date of service, including national coverage determinations, local coverage determinations, and manual provisions.
- RAC determinations are subject to the regular Medicare appeals process under 42 CFR Part 405, which provides several levels of review, from redetermination by the Medicare administrative contractor through judicial review.
Federal law sets the requirement that CMS use recovery audits and defines contractor functions. CMS guidance and contracts then spell out operational details such as record request limits and look back periods. Your state law does not directly modify RAC authority, although state scope of practice and licensure rules can influence whether services are considered allowable.
When you understand this framework, RAC activity feels less arbitrary. It becomes clear that the contractor is checking whether your past claims were consistent with Medicare’s own rules and whether the administrative contractor performed its functions accurately under 42 CFR 421.304. That clarity is powerful; it helps you focus your compliance efforts on the exact documentation and billing elements that will withstand post payment review.
Enforcement & Jurisdiction
The RAC program is overseen by CMS, specifically through its Center for Program Integrity, under statutory authority in section 1893 of the Social Security Act and implementing regulations in 42 CFR Part 421. RACs themselves are private entities contracted by CMS to perform defined functions, such as identifying and recouping improper fee for service payments in a geographic region.
Important jurisdictional points for small practices:
- RACs do not replace Medicare administrative contractors (MACs). MACs still process claims, issue remittance advice, and handle the first level of appeal (redetermination). RACs operate alongside them to retrospectively review claims.
- RACs typically have a multi-year look back period within which they can review paid claims and propose recoupment for overpayments. The exact period is set by CMS and is subject to change, so practices should verify current limits in CMS guidance.
- RAC findings are not the final word. Providers retain full appeal rights through the five level Medicare claims appeals process, which is governed by 42 CFR Part 405 and related CMS manuals.
Common triggers for RAC focus include:
- Data outliers, such as unusually high billing volume for specific codes compared to peers.
- Historically error-prone services, such as certain inpatient admissions, therapy services, or diagnostic tests with complex medical necessity criteria.
- Patterns of past improper payment identified by the Office of Inspector General or prior CMS audits.
Recognizing these triggers helps your practice proactively strengthen risk areas before a RAC focuses on them.
Step HIPAA Audit Survival Guide for Small Practices
For small practices, the best RAC defense is a simple, repeatable playbook that everyone follows whenever a letter arrives. The controls below translate contractor responsibilities under 42 CFR 421.304 and appeals rules under 42 CFR Part 405 into day to day actions for your team.
- Centralize RAC mail and designate a RAC lead
  - Implementation: Assign one person, often the practice manager, as the RAC lead and route all mail from CMS, MACs, and RACs to that individual. Train front desk staff to recognize RAC letters and immediately hand them to the lead, and have the billing vendor notify the same person of any electronic correspondence.
  - Evidence to retain: Written designation of the RAC lead, mail routing instructions, and a small policy excerpt describing how external audit mail is handled.
  - Low cost approach: Use a simple one-page standard operating procedure and a shared folder in your EHR or local drive for scanned copies of all RAC letters, labeled by date. This supports your ability to show CMS that you have an organized response process consistent with contractor communication expectations in 42 CFR 421.304.
- Maintain a RAC Response Log for every request and decision
  - Implementation: Create a spreadsheet with columns for date received, due date, RAC issue number, claim numbers, dollar amounts, status, responsible staff, and appeal level. The RAC lead updates the log whenever a new letter arrives or an action is taken.
  - Evidence to retain: The log itself, plus emails or internal notes referencing actions taken. This log will be invaluable if you later argue that you met CMS timeframes under the appeals process in 42 CFR Part 405.
  - Low cost approach: Use a cloud spreadsheet with conditional formatting that turns a cell red when an item is due within five days.
- Collect complete, organized medical records for each Additional Documentation Request (ADR)
  - Implementation: When a RAC ADR arrives, the RAC lead assigns a specific staff member to pull the chart and verify that all required elements are present, including signed orders, notes, test results, and any prior authorization information. A licensed clinician should perform a brief reasonableness check to confirm that the documentation supports medical necessity under applicable Medicare coverage policies.
  - Evidence to retain: Copies of the documentation package sent to the RAC, a transmittal log, and mailing or upload confirmation.
  - Low cost approach: Use a standard “RAC packet” cover sheet that lists required components so staff can check items off quickly.
- Align RAC responses with Medicare coverage and coding rules that applied on the date of service
  - Implementation: For each challenged claim, identify the relevant national or local coverage determinations and manual provisions, and cross-check them against your documentation. Build short, focused summaries that cite those rules, then include them with your record submission or appeal.
  - Evidence to retain: Printouts or PDFs of the coverage policies with highlighting and your written summary.
  - Low cost approach: Keep a library of your most commonly referenced policies in a shared folder, organized by code range or service type.
- Use the full Medicare appeals ladder when you disagree with RAC decisions
  - Implementation: When a RAC identifies an overpayment, and you disagree, follow the Medicare appeals process: request redetermination by the MAC, then reconsideration, administrative law judge hearing, Medicare Appeals Council review, and judicial review if warranted, all within the timeframes in 42 CFR Part 405.
  - Evidence to retain: Copies of appeal requests, proof of timely filing, and decision letters at each level.
  - Low cost approach: Reuse standard appeal letter templates with fillable sections for each case. This reduces drafting time while maintaining quality.
- Conduct focused internal reviews on RAC issue categories that hit your practice
  - Implementation: When a RAC identifies a specific issue (for example, a certain code combination or setting), pull a small internal sample of similar claims and assess whether the same error pattern exists. If so, consider self correction and voluntary refunds beyond the RAC sample, which can demonstrate good faith if CMS or OIG review your practice later.
  - Evidence to retain: Internal review worksheets, sampling methodology, and any corrective action plans.
  - Low cost approach: Use your billing system to generate lists of similar claims and have a clinician and coder jointly review a small subset.
Together, these controls turn RAC audits from chaotic emergencies into a structured workflow. They show that your practice understands how Medicare contractors operate under 42 CFR 421.304 and that you are taking concrete steps to respond appropriately.
Case Study
A three physician internal medicine clinic participates in Medicare fee for service and relies heavily on a single biller who also handles scheduling. Over several years, the clinic’s billing for certain high level office visit codes rises above regional peers. CMS’ data analytics flag the pattern, and the regional RAC selects the clinic for a post payment review focusing on those codes.
The clinic receives a RAC letter requesting medical records for 40 sampled claims. Because there is no designated RAC lead, the letter sits unopened in a general mail basket for ten days. When staff finally see it, there are only a few days left before the documentation deadline. Under pressure, they submit incomplete charts; several notes are missing signatures, and some lack clear medical necessity rationale tied to specific symptoms and exam findings.
After reviewing the limited records, the RAC issues a determination letter, finding that 70 percent of sampled claims were over coded relative to the documented complexity. Using its authority to identify and recoup improper payments under the Medicare Integrity Program and CMS contracts, the RAC extrapolates the sample error rate to several hundred similar claims within the look back period. The result is a demand for repayment of 85,000 dollars.
Financially, the clinic faces immediate strain. The repayment demand arrives shortly after a major equipment purchase, and cash reserves are thin. The partners consider taking out a line of credit simply to satisfy the recoupment while they consider appeals. Reputationally, the clinic worries that patients or local payers might infer that it was “under investigation,” even though RAC reviews are routine.
At this point, the clinic retains outside consulting help and implements many of the controls described in the survival guide:
- A practice manager becomes the RAC lead, creates a RAC Response Log, and puts mail routing instructions in writing.
- A physician lead and the biller review the RAC’s cited coverage policies and appeal rights under 42 CFR Part 405, then file a timely redetermination with stronger documentation, including late located notes and better explanations of decision-making.
- The clinic conducts an internal review of similar E/M claims, revises templates to better capture complexity, and educates clinicians about documentation expectations.
On appeal, some of the overpayment findings are reversed because the fuller documentation shows medical necessity and proper coding. The extrapolated amount is reduced, cutting the financial impact in half. More importantly, the clinic’s new controls position it to respond quickly and coherently if the RAC or another contractor reviews additional services in the future.
This scenario shows how the absence of basic RAC readiness turns a routine contractor review into a near crisis, and how a practical playbook grounded in the contractor framework of 42 CFR 421.304 can restore control.
Self-Audit Checklist
The tasks below help a small practice verify that it is ready for RAC activity and that its internal processes align with Medicare contractor functions under 42 CFR 421.304 and appeals procedures under 42 CFR Part 405.
| Task | Responsible Role | Timeline / Frequency | CFR Reference |
|---|---|---|---|
| Designate a RAC lead and document mail routing procedures for all contractor correspondence | Practice manager | Once, review annually | 42 CFR 421.304 |
| Maintain a RAC Response Log tracking all requests, deadlines, amounts, and appeal levels | RAC lead | Update for each new RAC action | 42 CFR 421.304, 42 CFR Part 405 |
| Verify that medical records include signed orders, complete notes, and test results for sampled claims | Lead clinician or compliance designee | For each RAC ADR | 42 CFR 421.304 |
| Map each frequent service type to applicable Medicare coverage and coding policies used in RAC reviews | Billing lead with physician advisor | Annually and when CMS updates policies | 42 CFR 421.304, Social Security Act 1893(h) |
| Standardize RAC appeal templates and confirm internal timelines to meet Medicare appeal deadlines | Practice manager with billing lead | Annually and after appeal rule updates | 42 CFR Part 405 |
| Conduct focused internal audits when a RAC identifies an error pattern and document corrective actions | Compliance designee or physician owner | After each RAC finding that identifies an error | 42 CFR 421.304, Social Security Act 1893(h) |
Reviewing this checklist at least once a year and after any RAC finding helps ensure that your practice stays aligned with contractor expectations and is ready to defend its claims.
Common Audit Pitfalls to Avoid Under 42 CFR 421.304
Because RACs operate within the broader Medicare contractor framework, many costly errors stem from not understanding how contractors review and document their work. The pitfalls below are specific, high impact mistakes that small practices can avoid.
- Letting RAC letters sit unopened or untracked, leading to missed deadlines and automatic denials. When you do not respond by the deadline, the RAC will typically treat the claim as unsupported and proceed with recoupment consistent with its contractor functions under 42 CFR 421.304, which can force repayment even when documentation exists. Practical consequence: you lose the chance to have the claim fairly reviewed on its merits.
- Sending incomplete or disorganized records that do not clearly support medical necessity. If records are missing or poorly organized, the RAC may conclude that the service does not meet Medicare coverage criteria, and the MAC may uphold that view on redetermination under 42 CFR Part 405. Practical consequence: overpayment findings that might have been avoidable with better documentation packaging.
- Ignoring RAC issue descriptions and failing to review similar non sampled claims. When you treat each RAC finding as an isolated event rather than a signal that similar claims may be at risk, you ignore the program’s purpose under Social Security Act 1893(h) to systematically identify improper payments. Practical consequence: additional future recoupments and possible escalation to other contractors.
- Not using appeal rights when you have a defensible position. Some practices write checks as soon as they receive a RAC demand, even when coverage policies and documentation support payment. This misses the structured appeal path in 42 CFR Part 405 that can overturn incorrect determinations. Practical consequence: unnecessary revenue loss and a signal to contractors that your claims will not be defended.
- Failing to integrate RAC lessons into everyday billing and documentation practices. Treating audits as one-off events instead of feedback on system weaknesses undermines the preventive function envisioned in Medicare contractor rules under 42 CFR 421.304. Practical consequence: the same errors recur, and future audits become more painful and costly.
Addressing these pitfalls turns RAC interaction into an engine for continuous improvement rather than a recurring source of surprise losses. When your team recognizes contractor logic and uses its rights under the governing regulations, your overall risk profile improves significantly.
Culture & Governance
RAC readiness is not just a billing project; it is a small but important part of your overall governance culture. A few simple structural choices can embed RAC awareness into daily operations without heavy cost.
First, define roles clearly. The RAC lead handles mail, the billing lead manages the Response Log and generates claim lists, and a designated clinician serves as the medical necessity advisor for audit responses. Tying these roles to job descriptions and annual goals shows that the practice takes contractor oversight seriously, consistent with the functions laid out in 42 CFR 421.304.
Second, set a light but regular training cadence. A short annual in-service can walk staff through the most recent RAC findings nationally and any issues that have affected your specialty. Front office staff can be reminded how to route audit mail, while clinicians and coders review examples of documentation that passed or failed medical necessity review.
Third, adopt simple monitoring metrics. Examples include the number of open RAC requests, the percentage of responses submitted on time, the proportion of overpayment determinations that are overturned on appeal, and the number of internal audits completed after a RAC finding. Reviewing these metrics quarterly keeps the topic on leadership’s radar without overwhelming anyone.
Finally, integrate RAC performance into your broader compliance plan. RAC results should inform your risk assessment and corrective action planning, particularly when they identify systemic documentation or coding issues.
Conclusions & Next Actions
RAC audits are now a permanent feature of the Medicare landscape. They exist because Congress required HHS to use recovery audits to identify improper payments, and CMS implemented that requirement through contractor rules like 42 CFR 421.304 and related guidance.
For a small practice, the goal is not to eliminate all risk of review but to be prepared so that any RAC letter triggers a calm, practiced response rather than panic. By understanding how RACs operate, how their authority links to Medicare contractor functions, and how your appeal rights work, you can protect both your revenue and your reputation.
Here are immediate, concrete next steps:
- Assign a RAC lead, document mail routing, and set up a simple RAC Response Log this week.
- Identify your top five Medicare service categories by revenue, and confirm that coverage policies and documentation expectations for each are readily available to clinicians and billers.
- Draft or update a brief RAC response and appeal template that references applicable Medicare rules and the appeals process under 42 CFR Part 405.
- Conduct a small internal review of a handful of high risk claims, such as high level E/M visits or frequently audited procedures, and correct any obvious documentation gaps.
- Place RAC metrics on your quarterly leadership agenda so that audit activity and lessons learned are reviewed alongside financial and quality measures.
Recommended compliance tool: Shared RAC Response Log with basic dashboards for open items and deadlines. Advice: Choose your RAC lead today and give that person explicit authority to coordinate every audit response from the moment a letter arrives.