Medical Coding Audit Services: What They Are and How to Buy One
By MedPrecision Editorial Team · Published
A medical coding audit is a structured review of a sample of your coded claims against the source documentation to measure coding accuracy, quantify your error rate, and surface compliance risk before a payer or the OIG finds it first. Medical coding audit services range from a one-time baseline review to an ongoing quarterly program, and they typically cost between $500 and $5,000 for a focused engagement or $25 to $75 per chart for volume reviews, varying by specialty, chart complexity, and whether the audit is prospective (pre-bill) or retrospective (post-payment). This buyer's guide explains the audit types, the OIG and CMS expectations a defensible audit must meet, how sample size and error-rate thresholds are set, what specifically gets flagged (upcoding, undercoding, modifier misuse, unbundling), and how to read a vendor's scope and pricing so you buy the right audit instead of the cheapest one.
What are medical coding audit services?
Medical coding audit services are independent reviews that compare a sample of your coded claims to the underlying clinical documentation to measure coding accuracy, calculate an error rate, and identify compliance risk such as upcoding, undercoding, modifier misuse, and unbundling. The OIG recommends every practice run regular coding audits as part of an active compliance program.
- Two timing modes: prospective (pre-bill, prevents denials) vs retrospective (post-payment, finds overpayments)
- Two scope modes: random (baseline health check) vs focused (a known risk like one provider or one code)
- OIG benchmark: a 95% coding accuracy rate is the widely cited compliance target
- Typical pricing: $25-$75 per chart, or $500-$5,000 for a focused engagement — verify your scope
- Standard baseline sample: the OIG-referenced 'probe' of 20-40 charts per provider
What a Medical Coding Audit Actually Reviews
A medical coding audit takes a sample of your billed claims and asks one question of each chart: does the documentation support the codes that were submitted? An auditor — ideally an AAPC- or AHIMA-credentialed coder who is independent of the person who originally coded the chart — pulls the encounter note, operative report, or other source documentation and re-codes it blind, then compares their result to what was billed.
The review covers four code families on every chart:
- Diagnosis codes (ICD-10-CM). Is each diagnosis documented, coded to the correct specificity, and sequenced correctly? Unspecified codes where a specific one was documented are a common finding.
- Procedure / service codes (CPT and HCPCS). Does the documentation support the level of service billed? For E/M codes, do the time or medical-decision-making elements meet the 2021+ E/M guidelines for the level submitted?
- Modifiers. Were modifiers like 25, 59, 24, and the X-modifiers (XE, XS, XP, XU) used correctly and supported by documentation? Modifier misuse is one of the highest-frequency audit findings.
- Medical necessity and linkage. Is each procedure linked to a diagnosis that establishes medical necessity, consistent with applicable LCD/NCD policy?
The deliverable is not just 'you made mistakes.' A real audit produces a scored error rate, a categorized list of findings (by type, by provider, by code), the financial exposure (over- and under-billed dollars), and a corrective-action plan. If a vendor hands you a pass/fail with no error rate and no findings detail, you bought a spot-check, not an audit. For the document-by-document version of this process, see our medical billing audit checklist.
Prospective vs Retrospective: When the Audit Happens
The single most important decision in scoping a coding audit is timing — whether you review claims before they are submitted (prospective) or after they have been paid (retrospective). Most mature compliance programs run both.
| Dimension | Prospective (pre-bill) | Retrospective (post-payment) |
|---|---|---|
| When charts are pulled | Before the claim leaves the practice | After claims have adjudicated and paid |
| Primary purpose | Prevent denials and incorrect billing | Detect overpayments, undercoding, and patterns |
| Financial effect | Stops bad claims before submission | Triggers refunds/repayments of overpayments |
| Best for | New providers, new code sets, high-risk codes | Baseline assessment, ongoing compliance monitoring |
| Compliance posture | Proactive | Detective / corrective |
| Downside | Slows cash flow on the audited sample | Overpayments must be refunded within 60 days |
Prospective audits are the safest place to catch a problem because nothing has been billed yet — you fix the code, not a paid claim. They are the right choice for onboarding a new provider, rolling out a new service line, or watching a code that has burned you before. The trade-off is that holding claims for review slows cash on the sampled charts.
Retrospective audits are how you measure where you actually stand and how you satisfy the OIG's expectation of periodic monitoring. The catch every buyer must understand: under the ACA 60-day overpayment rule, once a retrospective audit identifies an overpayment, the practice generally must report and return it within 60 days of identification. That is a feature, not a bug — it is how a voluntary audit protects you from a False Claims Act problem — but it means a retrospective audit can create an affirmative obligation to refund money. Scope it with that in mind, and run it under your compliance officer (and, for high-risk findings, attorney-client privilege).
Random vs Focused: How the Sample Is Chosen
The second scoping decision is how charts are selected. A random audit measures overall coding health; a focused audit investigates a specific suspected problem. The OIG's compliance guidance contemplates both, and a strong program alternates between them.
| Audit type | How charts are selected | What it answers | Typical trigger |
|---|---|---|---|
| Random / baseline | Statistically random sample across all providers and code types | What is our overall coding accuracy rate? | Annual compliance plan; new vendor onboarding |
| Focused / targeted | All charts matching a defined risk (one provider, one CPT, one modifier, one payer) | Is this specific risk real and how big is it? | High denial rate on a code; OIG Work Plan item; outlier on payer profiling |
| Probe | Small fixed sample (often 20-40 charts) per provider | Quick read before committing to a full audit | First look at a new provider or after a complaint |
Random/baseline audits are your annual physical. They tell you the practice-wide accuracy rate and whether you are above or below the OIG-referenced 95% target. Because the sample is random, the result is generalizable to your whole population — that is what makes it a defensible compliance artifact.
Focused audits are diagnostic. You run one when something is already pointing at a risk: a provider whose E/M distribution skews far higher than peers, a CPT code with an abnormal denial rate, a modifier 25 pattern, or a code that appears on the current OIG Work Plan or a CERT/RAC target list. Because every chart in a focused audit shares the risk factor, the error rate will (correctly) look higher than a random sample — you chose the charts most likely to be wrong. Do not compare a focused error rate to the 95% benchmark; the benchmark is for random samples.
In our coding audits we typically start a new client with a small random probe across providers to find where the risk concentrates, then convert to focused reviews on the one or two providers or codes that drive most of the exposure. That sequence finds more recoverable and at-risk dollars per audit hour than auditing everyone equally.
What an Auditor Flags: Upcoding, Undercoding, Modifier Misuse, Unbundling
Coding errors are not all the same kind of problem. A good audit report sorts findings into categories, because each category has a different financial and compliance meaning.
Upcoding — billing a higher-paying code than the documentation supports (for example, a level-5 E/M, 99215, when the note only supports a level 3, 99213). Upcoding is the highest-compliance-risk finding because it represents money the practice was overpaid; sustained upcoding is the classic False Claims Act exposure and the reason E/M distribution is on nearly every OIG Work Plan.
Undercoding — billing a lower code than the documentation supports. Buyers often ignore this, but it is lost revenue you earned and did not collect, and a pattern of undercoding can paradoxically still draw scrutiny. A real audit reports undercoding dollars right alongside overcoding so you see net exposure in both directions.
Modifier misuse — appending (or omitting) a modifier the documentation does not support. The usual suspects are modifier 25 (significant, separately identifiable E/M on a procedure day) used as a reflex, and modifier 59 / the X-modifiers used to unbundle without distinct-service documentation. Modifier 25 and 59 misuse are perennial OIG and payer audit targets.
Unbundling — billing component codes separately when an NCCI Procedure-to-Procedure edit requires them to be billed as one, or splitting a single comprehensive service into parts. Unbundling typically surfaces in production as a CARC 97 or CARC 236 denial; an audit finds the pattern before the payer does.
| Finding | What it is | Compliance risk | Financial effect |
|---|---|---|---|
| Upcoding | Code billed higher than documented | High (FCA exposure) | Overpayment — must refund |
| Undercoding | Code billed lower than documented | Low-moderate | Lost earned revenue |
| Modifier misuse | Unsupported 25, 59, 24, X-modifier | High (audit target) | Over- or under-payment |
| Unbundling | Components billed against an NCCI edit | High | Overpayment — must refund |
| Insufficient documentation | Code not supported by any note element | High | Code not billable at all |
| Diagnosis specificity | Unspecified code where specific existed | Moderate | Denials, risk-adjustment loss |
The categories matter for what you do next: overcoding and unbundling create refund obligations and need corrective billing; modifier and documentation findings need provider education; undercoding needs a revenue-recovery (and re-bill where timely) workflow.
OIG and CMS Expectations: What Makes an Audit 'Defensible'
A coding audit is not just an operational exercise — it is a documented element of a compliance program, and the OIG has been explicit for decades about what it expects.
The OIG compliance-program baseline. The HHS Office of Inspector General's compliance-program guidance (originally issued for physician practices and updated in the OIG's 2023 General Compliance Program Guidance) names auditing and monitoring as one of the core elements of an effective compliance program. The practical read: the OIG expects practices to periodically audit their own coding, document the results, and act on findings. A practice that runs and acts on audits is in a far stronger position if a payer or government audit ever lands.
The 95% accuracy benchmark. The widely cited compliance target — referenced in OIG-era guidance and used across the industry — is a 95% coding accuracy rate. Score below it and the standard expectation is corrective action plus a follow-up audit; the OIG's historical framing was that a 5% or higher error rate, or any pattern of upcoding, warrants further review and potential disclosure. Treat 95% as a floor, not a goal.
The CMS audit context you are insulating against. Independent coding audits exist partly to keep you off the wrong end of CMS's own programs: the Comprehensive Error Rate Testing (CERT) program that measures the Medicare fee-for-service improper-payment rate, the Recovery Audit Contractor (RAC) program that claws back overpayments, and the Targeted Probe and Educate (TPE) reviews that focus on outlier providers. A voluntary internal audit finds and fixes the same errors these programs look for, on your terms and timeline.
Independence and credentials. For an audit to be defensible, the auditor should be independent of the original coder and hold a recognized credential (AAPC CPC/CPMA or AHIMA CCS/RHIT). An auditor grading their own work is not an audit. When evaluating coding audit vendors, ask who codes, what credential they hold, and whether the reviewer is separate from your day-to-day coding team.
The 60-day rule, again. Because retrospective findings can create a refund obligation within 60 days of identification, many practices run higher-risk audits under their compliance officer and, where warranted, attorney-client privilege. That does not let you ignore findings — it structures how identification and the resulting obligation are handled.
Sample Size and Error-Rate Thresholds
Two numbers define an audit's rigor: how many charts are reviewed and what error rate triggers escalation. Buyers should ask about both before signing.
Sample size. There is no single legally mandated number, but the field has settled on a few defensible reference points:
- The OIG probe sample — 20 to 40 records per provider. The OIG's historical guidance referenced a baseline audit of a sample of claims per provider; 20-40 charts per provider is the commonly used range for a baseline read. Small enough to be affordable, large enough to surface a real pattern.
- The CMS Targeted Probe and Educate (TPE) sample — CMS reviews a sample of claims per round (commonly described as 20-40 claims per provider per round). Useful as a mental model for what a focused regulatory look feels like.
- Statistically valid random samples for extrapolation — when an audit's findings will be projected across a whole population (as RAC and OIG extrapolations do), the sample must be large enough for statistical validity, typically 30+ randomly selected units and sometimes far more. If a vendor will extrapolate overpayments, the sample design must support it.
For a routine compliance audit you are usually in the 20-40-charts-per-provider range. For a focused look at one code or one risk, the sample is 'all charts matching the risk' up to a manageable cap.
| Audit purpose | Typical sample | Why |
|---|---|---|
| Baseline / probe per provider | 20-40 charts | OIG-referenced range; affordable pattern read |
| Focused (one code/modifier/provider) | All matching charts, capped | Concentrate on the known risk |
| Extrapolation-grade | 30+ statistically random units | Required to project findings to the population |
| Pre-bill new provider | 10-20 charts per cycle, recurring | Catch errors before they recur |
Error-rate thresholds. Score the audit two ways and report both:
- Coding accuracy rate = charts coded fully correctly ÷ charts reviewed. The 95% accuracy target applies here. Below 95% on a random sample = corrective action + re-audit.
- Financial error rate = net dollars miscoded ÷ dollars reviewed. This is what a payer extrapolates from, and it can differ sharply from the accuracy rate if a few high-dollar charts drive the error.
A finding of sustained upcoding, an accuracy rate below 95% on a random sample, or any single error pattern that repeats across providers should trigger a corrective-action plan, provider education, and a follow-up audit to confirm the fix held.
What a Coding Audit Costs in 2026
Pricing for medical coding audit services is one of the least transparent line items in revenue cycle — most vendors quote 'it depends.' Here is the actual structure, with the ranges we see in the market. Treat these as planning numbers and verify against your own scope, specialty, and chart complexity.
| Audit type | Typical 2026 range | What drives the price |
|---|---|---|
| Per-chart (volume reviews) | $25-$75 per chart | Specialty, chart complexity (E/M vs surgical), turnaround |
| Focused engagement (one risk) | $500-$5,000 flat | Number of charts, depth of report, education included |
| Provider baseline audit (20-40 charts/provider) | $1,000-$3,500 per provider | Sample size, specialty, whether prospective |
| Ongoing quarterly program | Retainer or per-chart | Volume, providers, reporting cadence |
| Hourly (complex/forensic) | $75-$200+ per hour | Surgical/interventional complexity; expert review |
What raises the price: surgical and interventional specialties (operative-note review is slower than office E/M), prospective timing (charts are reviewed individually before billing), extrapolation-grade statistical design, included provider-education sessions, and faster turnaround.
What to make sure is in scope before you sign: a written error rate (accuracy and financial), categorized findings by type and provider, the over- and under-billed dollar figures, a corrective-action plan, and a debrief. The cheapest per-chart quote that returns a spreadsheet with no scored error rate and no corrective plan is not a compliance-grade audit — it is data entry. The audit you can hand to a payer, your board, or your attorney is the one with independence, credentials, methodology, and a defensible sample behind it. Pair the audit with ongoing medical coding services and the corrective-action loop closes instead of recurring next quarter.
Common Denials a Coding Audit Prevents
A coding audit pays for itself not only through recovered and protected dollars but by killing the recurring denials that the same coding errors generate week after week. These are the named denial codes a coding audit most often traces back to a fixable coding pattern.
| CARC | Meaning | Coding root cause an audit finds |
|---|---|---|
| CARC 97 | Payment included in allowance for another service | Unbundling — NCCI pair billed without a supported modifier |
| CARC 236 | Procedure/modifier combination not NCCI-compatible | Modifier misuse or an unsupported unbundle |
| CARC 50 | Not deemed medically necessary | Diagnosis not linked or not specific enough to support the service |
| CARC 16 | Claim/service lacks information | Missing or invalid modifier, incomplete coding |
| CARC 4 | Procedure code inconsistent with the modifier used | Modifier appended to a code that does not allow it |
The pattern is consistent: a coding audit converts a stream of recurring denials into a handful of root-cause fixes. When an audit flags that 30% of a provider's level-5 E/M visits do not support the level, fixing the documentation pattern eliminates the downstream denials and the audit exposure in one move. For the denial-side workflow that complements the audit, see our denial management guide and the full CARC denial codes list. When the audit's corrective-action plan needs an owner, outsourced medical billing audit services can run the audit, the fix, and the re-audit end to end.
Find Out Where Your Coding Risk Actually Is
We will run a baseline coding audit on a sample of your charts, score your accuracy rate against the 95% benchmark, and quantify your over- and under-billed exposure — so you fix the pattern before a payer or the OIG does.
Common Questions
Common questions about medical coding audit services: a buyer's guide (2026).
What is a medical coding audit?
A medical coding audit is an independent review of a sample of a practice's coded claims against the source clinical documentation to verify that the diagnosis codes (ICD-10-CM), procedure codes (CPT/HCPCS), and modifiers billed are supported by the record. The auditor re-codes each chart blind, compares the result to what was submitted, and produces a scored error rate, a categorized list of findings (upcoding, undercoding, modifier misuse, unbundling, insufficient documentation), the financial exposure in both directions, and a corrective-action plan. The OIG treats periodic coding auditing as a core element of an effective compliance program.
What is the difference between a prospective and retrospective coding audit?
A prospective (pre-bill) audit reviews claims before they are submitted, so errors are corrected before billing — it prevents denials and incorrect claims and is ideal for new providers or high-risk codes, at the cost of slowing cash on the audited charts. A retrospective (post-payment) audit reviews claims that have already adjudicated and paid; it measures your true accuracy rate and is how you satisfy the OIG's expectation of periodic monitoring. The key caveat with retrospective audits is the ACA 60-day overpayment rule: once the audit identifies an overpayment, the practice generally must report and return it within 60 days of identification.
How many charts should a coding audit sample?
There is no single legally mandated number, but the field uses defensible reference points. For a baseline or probe audit, 20 to 40 charts per provider is the commonly used range — the OIG's historical guidance referenced a per-provider baseline sample in this neighborhood. A focused audit reviews all charts matching the specific risk (one code, one modifier, one provider), usually up to a manageable cap. If the audit's findings will be extrapolated across the whole population the way a RAC or OIG audit does, the sample must be statistically valid — typically 30 or more randomly selected units and often far more.
What error rate is acceptable on a coding audit?
The widely cited compliance target is a 95% coding accuracy rate, meaning no more than a 5% error rate on a random sample. Score below 95% on a random audit and the standard response is a corrective-action plan, provider education, and a follow-up audit to confirm the fix. The OIG's historical framing treated a 5%-or-higher error rate, or any pattern of upcoding, as warranting further review. Note that focused audits intentionally select the charts most likely to be wrong, so a focused error rate will run higher than a random sample and should not be compared to the 95% benchmark.
What does a coding auditor flag?
An auditor categorizes findings into upcoding (a higher-paying code than the documentation supports — the highest compliance risk because it is an overpayment), undercoding (a lower code than supported — lost earned revenue), modifier misuse (an unsupported modifier 25, 59, 24, or X-modifier), unbundling (component codes billed separately against an NCCI Procedure-to-Procedure edit), insufficient documentation (a code no note element supports), and diagnosis-specificity errors (an unspecified code where a specific one was documented). Each category carries a different financial and compliance meaning, which is why a real audit reports findings by type rather than a single pass/fail.
How much does a medical coding audit cost in 2026?
Pricing varies by specialty, chart complexity, timing, and depth, so verify against your own scope, but the common 2026 structures are: $25 to $75 per chart for volume reviews; $500 to $5,000 flat for a focused engagement on a single risk; roughly $1,000 to $3,500 per provider for a baseline audit of 20-40 charts; and $75 to $200+ per hour for complex surgical or forensic review. Surgical and interventional specialties, prospective (pre-bill) timing, extrapolation-grade statistical design, and included provider education raise the price. The deliverable that justifies the cost is a scored error rate, categorized findings, dollar exposure, and a corrective-action plan — not a bare spreadsheet.
Can you bill the patient for an upcoding finding identified in an audit?
No. An upcoding finding means the practice billed a higher-paying code than the documentation supports, which represents an overpayment from the payer, not an amount owed by the patient. The corrective path is to re-bill the claim at the correct, lower level and refund the overpaid difference to the payer — generally within 60 days of identifying it under the ACA 60-day rule. You cannot shift the difference to the patient, and you cannot keep the overpayment. Undercoding findings, by contrast, may allow you to re-bill at the correct higher level where timely-filing rules still permit it, recovering revenue you actually earned.
Who should perform a coding audit?
For the audit to be defensible, the auditor should be independent of the person who originally coded the charts and should hold a recognized credential — an AAPC CPC or CPMA, or an AHIMA CCS or RHIT. An auditor grading their own work is not an audit. Many practices alternate an internal review with a periodic external audit by a vendor or an independent coding-audit firm, because the external review adds objectivity and benchmark context. When evaluating a vendor, ask who codes, what credential they hold, whether they are separate from your day-to-day coding team, and whether the report includes methodology, sample design, a scored error rate, and a corrective-action plan.