The deadline for states to implement their Medicaid Recovery Audit Contractor (RAC) program was January 12, 2012, as required in the Final Rule published in the Federal Register on September 16, 2011.

This does not necessarily mean that all states will be up and running by that date but that they should have signed contracts with their selected RAC vendors in place. According to the Centers for Medicare & Medicaid Services (CMS), recoveries may begin anywhere between 12 and 18 months from the start of the program, even though some states-but "very few," says CMS-may receive exemptions.

In early January, CMS issued a document containing more than 50 frequently asked questions (FAQs) about the Medicaid RAC program, which are divided into the following sections:

• Operational guidance
• Procurements and conflicts of interest
• Appeals process
• State reporting of improper payments identified by Medicaid RACs
• Audit coordination
• Program exceptions
• Contingency fees
• Stakeholder inquiries and general information

Many of the FAQs relate to provider concerns, and an equal number relate to the operational details of other key players, such state Medicaid plan managers. Those of most interest to providers are summarized below.

Setting Expectations for States

CMS urged states to practice "transparency" about their RACs' activities. For example, before audits begin, states should inform providers of the following:

• RAC vendor's name and contact information
• The date by which the RAC will begin working to identify overpayments and underpayments
• A general description of the scope of work.

However, providers should not expect any advance notice of the state-focused RAC audit areas. When the time comes for an audit, the Medicaid RACs will notify the provider about the specific type of claims that will be reviewed, so they can prepare.

Sticking to Review Guidelines

When auditors come to town, providers often ask just how many records they will have to produce, and while CMS suggests a possible limit of 300 records for an inpatient hospital audit, it is only a suggestion. In the FAQs, the agency indicates that auditors must set limits on the number and frequency of records for review but gives them flexibility in those numbers.

Medicaid RACs must not review claims that are more than three years from the date the claim was filed, unless they receive state approval. The state, in turn, must obtain CMS's approval through the state plan amendment (SPA) process. An example of this would be if a look-back period is less than three years because the state's system can retain only two years' worth of claims data.

The states and Medicaid RACs must agree on the specific target areas as well as the look-back period. In addition to gathering state-specific data to determine the audit topics, findings from the federal watchdogs, such as the Office of Inspector General or Government Accountability Office, will be considered.

Keeping Tabs on Activities

The steps CMS intends to take to monitor and evaluate all activities include the following:

• Conduct a program-integrity review.
• Collect State Program Integrity Assessments (SPIAs) (first national data-collection on state Medicaid program integrity activities).
• Review the overpayments that each state collects in connection with its filings via the CMS-64 form (a statement of expenditures for which states are entitled to federal reimbursement).

"A key to the overall success of the Medicaid RAC program...is to assess effectiveness and efficiencies, identify program vulnerabilities, and implement corrective action when necessary," CMS says. When auditors uncover these "program vulnerabilities," states will review and determine whether the problems are individual to the provider or more widespread. In any case, CMS would expect states to issue provider education on how to prevent the billing errors uncovered.