HCAC Audit and Inspection Procedures

Audit and inspection procedures within healthcare compliance frameworks govern how regulatory bodies, accrediting organizations, and internal compliance functions verify adherence to established standards across facilities, programs, and covered entities. These procedures determine how evidence is gathered, how deficiencies are classified, and what triggers corrective action or enforcement. Understanding the structural mechanics of audits and inspections is essential for compliance officers, facility administrators, and legal counsel operating in federally regulated healthcare environments. This page covers the definition, operating structure, classification logic, and common procedural misconceptions associated with HCAC-aligned audit and inspection activity.


Definition and scope

An audit, in the healthcare compliance context, is a systematic, documented examination of records, processes, and operational evidence against a defined standard or regulatory requirement. An inspection extends this examination into physical facilities, clinical environments, and observed practice — often combining document review with on-site observation and staff interviews.

The scope of HCAC-aligned audit and inspection activity spans federal programs including Medicare and Medicaid (administered under 42 CFR Parts 400–699), facilities subject to the Centers for Medicare & Medicaid Services (CMS) Conditions of Participation (CoPs), and entities overseen by accrediting organizations granted CMS deeming authority — including The Joint Commission (TJC), DNV Healthcare, and HFAP. OSHA (29 CFR Part 1910) and the Office of Inspector General (OIG) maintain independent audit authority over occupational health conditions and fraud, waste, and abuse respectively.

At the federal level, the Health Care Financing Administration's successor, CMS, operates the State Survey Agency (SSA) network, which conducts certification surveys — a specific category of inspection — for hospitals, nursing homes, home health agencies, and hospices. Under the CMS State Operations Manual (SOM), Chapter 1, all Medicare-certified providers must undergo standard recertification surveys. The OIG additionally conducts audits through the Office of Audit Services (OAS), producing publicly available audit reports that establish binding findings.

Entities subject to HCAC compliance requirements must recognize that audit scope is not limited to federal actors — state health departments, accrediting bodies, and internal compliance programs each operate overlapping but legally distinct audit authorities.


Core mechanics or structure

Healthcare audits and inspections follow a four-phase lifecycle: pre-engagement preparation, active evidence collection, findings analysis, and disposition (which may include corrective action, penalty, or clearance).

Pre-engagement: For announced inspections, the inspecting authority issues advance notice — typically 10 calendar days for standard CMS surveys under specific conditions, though unannounced surveys are the default for nursing facilities under 42 CFR §488.308. Audits by the OIG or Recovery Audit Contractors (RACs) typically begin with a document request letter specifying record types, date ranges, and submission deadlines.

Evidence collection: On-site inspections involve three primary data streams — document review, physical environment observation, and staff/patient interviews. Surveyors assess compliance against Interpretive Guidelines (IGs) published in the CMS SOM. Document-based audits conducted by RACs or OIG focus on medical records, billing codes, and claims data matched against Medicare coverage criteria.

Findings analysis: Deficiencies are coded against specific regulatory citations. For CMS surveys, findings are classified using the scope-and-severity grid — a 12-cell matrix combining the breadth of noncompliance (isolated, pattern, widespread) with the severity of harm (potential, minimal, actual). This matrix is described in CMS SOM, Appendix P for long-term care facilities.

Disposition: Findings result in one of four outcomes: no deficiency cited; deficiency with plan of correction (PoC) required; condition-level deficiency triggering enhanced monitoring or termination proceedings; or immediate jeopardy (IJ) designation requiring removal within hours to days. OIG audit findings may result in repayment demands, exclusion referrals, or referral to the Department of Justice.


Causal relationships or drivers

The frequency, intensity, and scope of audits are driven by identifiable structural inputs rather than arbitrary scheduling.

Complaint volume: CMS SSAs prioritize complaint-driven investigations. Facilities with unresolved complaint investigations — defined under 42 CFR §488.332 — are subject to expedited on-site surveys. The CMS Nursing Home Care Compare data shows that facilities with substantiated complaints receive follow-up surveys at elevated rates.

Prior deficiency history: The CMS Special Focus Facility (SFF) program targets nursing homes with persistent serious quality problems. Facilities on the SFF list receive surveys approximately every 6 months rather than the standard 9–15 month interval (CMS SOM, Chapter 7).

Claims anomalies: RAC audits are triggered by statistical outliers in billing patterns. Under the RAC program authorized by the Tax Relief and Health Care Act of 2006 (Pub. L. 109-432), contractors receive contingency fees for identified overpayments, creating a structural incentive for audit volume in high-billing specialties.

OIG Work Plan priorities: The OIG publishes an annual Work Plan identifying active and planned audits by program area. Hospital outpatient billing, durable medical equipment, and skilled nursing facility consolidated billing have been recurrent focus areas.

Understanding these drivers informs the HCAC risk assessment process for internal compliance planning.


Classification boundaries

Not all audit and inspection activity carries equivalent legal force or triggers the same remedial obligations.

| Activity Type | Authority | Binding Force | Primary Output |
|---|---|---|---|
| CMS Certification Survey | SSA / CMS | Federal regulatory | Statement of Deficiencies (Form CMS-2567) |
| Accreditation Survey (TJC/DNV) | Deeming organization | Contractual + regulatory | Accreditation decision + findings report |
| RAC Audit | CMS-contracted RAC | Federal claims statute | Demand letter / repayment notice |
| OIG Audit | HHS OIG | Federal statute | Public audit report + referral authority |
| Internal Compliance Audit | Facility compliance program | Internal policy | Internal report + corrective action |
| State Licensure Inspection | State health department | State law | State inspection report |

Deeming authority — granted by CMS to accrediting organizations — means a TJC or DNV survey can substitute for a standard CMS survey, but does not substitute for complaint investigations or OIG audits. The distinction is established under 42 CFR §488.5.


Tradeoffs and tensions

Announced vs. unannounced surveys: Unannounced surveys produce more representative compliance snapshots but create operational disruption. CMS policy defaults to unannounced surveys for nursing homes (42 CFR §488.308) precisely because announced inspections distort observed practice. Accrediting bodies such as TJC shifted toward unannounced surveys in 2006 for the same reason, yet critics note that even unannounced inspections of large hospital systems may not capture routine floor-level conditions.

Scope vs. depth: RAC audits conduct high-volume, narrow-scope reviews of claims data — optimized for identifying billing errors at scale but unable to assess systemic process failures. CMS certification surveys assess broader operational compliance but are resource-constrained, producing surveys that may last only 1–3 days for facilities with hundreds of residents.

Internal audit privilege tensions: Healthcare entities may claim attorney-client privilege or work-product protection over internal compliance audits conducted at the direction of legal counsel. However, voluntary disclosure programs administered by the OIG and CMS create incentives to disclose findings. The OIG's Provider Self-Disclosure Protocol offers reduced multipliers on repayment but requires disclosure of the underlying audit findings, creating tension between legal protection and compliance cooperation.

Deficiency classification subjectivity: The scope-and-severity grid applied in CMS surveys requires surveyors to make judgment calls on harm level and breadth. Academic literature and CMS's own reports have documented inter-surveyor variability in how the same condition is classified — a tension that affects HCAC enforcement actions and appeals outcomes.


Common misconceptions

Misconception 1: Accreditation equals federal compliance clearance.
Accreditation by a CMS-deemed organization demonstrates compliance with Conditions of Participation as assessed by that body, but does not immunize a facility from CMS complaint surveys, state inspections, or OIG audits. The CMS retains independent oversight authority regardless of accreditation status, as codified in 42 CFR §488.5(b).

Misconception 2: A Plan of Correction resolves the deficiency.
Submission of a Plan of Correction (PoC) acknowledges the deficiency and commits to remediation — it does not constitute CMS acceptance of compliance. The SSA validates PoC completion through revisit surveys or desk reviews. Until validated, the deficiency remains open in the CMS enforcement record.

Misconception 3: RAC audits only target hospitals.
Recovery Audit Contractors audit the full range of Medicare Part A and Part B providers, including physician practices, durable medical equipment suppliers, home health agencies, and outpatient therapy providers. CMS expanded RAC authority to Medicaid under the Affordable Care Act (ACA) Section 6411, establishing Medicaid RAC programs in participating states.

Misconception 4: Unannounced inspections must begin during business hours.
CMS regulations permit unannounced surveys to begin outside standard business hours when the inspecting agency has reason to believe conditions may differ at off-peak times. The SOM explicitly authorizes evening and weekend entry for nursing home surveys.


Checklist or steps (non-advisory)

The following sequence reflects the procedural phases documented in CMS survey protocols and OIG audit methodology. This is a structural description, not compliance guidance.

  1. Trigger identification — Determine whether the audit or inspection is complaint-driven, scheduled recertification, post-PoC revisit, or data-driven (e.g., claims outlier flagged by RAC).
  2. Scope documentation — Identify the regulatory citations, CoP tags, or claims categories that define the audit's boundaries.
  3. Document request fulfillment — Compile and organize medical records, policies, staffing logs, training records, and incident reports corresponding to the audit period and scope.
  4. Facility/environment preparation — Confirm physical spaces, equipment, and observable processes are in operating condition consistent with normal operations.
  5. Staff notification protocols — Ensure relevant staff are aware of their rights and responsibilities during surveyor interviews, consistent with facility policy.
  6. Surveyor entrance conference — Participate in the opening conference; document the surveyor's stated scope, team composition, and anticipated duration.
  7. Real-time tracking — Assign a compliance staff member to accompany surveyors, document observations, and flag potential citation areas during the visit.
  8. Exit conference documentation — Record all preliminary findings stated by surveyors at the exit conference; note which CoP tags are referenced.
  9. Statement of Deficiencies review — Upon receipt of Form CMS-2567, map each cited deficiency to the applicable regulatory citation and scope-severity designation.
  10. PoC development and submission — Prepare the Plan of Correction addressing the root cause, corrective measures, monitoring mechanism, and completion date for each cited deficiency. The PoC must be submitted within 10 calendar days of receiving the CMS-2567 (42 CFR §488.402).
  11. Revisit preparation — Implement corrective measures and prepare documentation demonstrating completed correction prior to the validation revisit.
  12. Findings archive — Retain all audit-related documents, correspondence, and correction records in accordance with applicable retention schedules.

Reference table or matrix

CMS Scope and Severity Grid — Summary

| Severity Level | Isolated (A/D/G/J) | Pattern (B/E/H/K) | Widespread (C/F/I/L) |
|---|---|---|---|
| No actual harm, potential for minimal harm | A | B | C |
| No actual harm, potential for more than minimal harm | D | E | F |
| Actual harm, not immediate jeopardy | G | H | I |
| Immediate jeopardy | J | K | L |

Source: CMS State Operations Manual, Appendix P

Deficiency levels J, K, and L trigger mandatory enforcement — CMS must impose remedies. Levels G through I permit discretionary enforcement. Levels A through F typically require a PoC but not automatic civil money penalties.

Audit Authority Comparison by Program

| Regulatory Body | Primary Statute | Audit Type | Penalty Authority |
|---|---|---|---|
| CMS / SSA | 42 CFR Part 488 | Certification survey | CMPs, termination, denial of payment |
| OIG / OAS | 42 USC §3520 (Inspector General Act) | Performance/financial audit | Exclusion referral, repayment demand |
| RAC Program | ACA §6411; Tax Relief Act 2006 | Claims audit | Overpayment demand |
| The Joint Commission | CMS Deeming (42 CFR §488.5) | Accreditation survey | Accreditation revocation |
| State Health Departments | State licensure statutes | Licensure inspection | License suspension/revocation |
| OSHA | 29 CFR Part 1910 | Safety inspection | Civil penalties up to $15,625/violation (OSHA penalty adjustments) |

References

📜 5 regulatory citations referenced  ·  ✅ Citations verified Feb 25, 2026  ·  View update log