51 JFK Parkway, Short Hills, NJ 07078
Healthcare Audit Defense · PBM · Medicare · Medicaid · Commercial Payor · Nationwide

Healthcare Audit Defense Attorneys

PBM, Medicare, Medicaid, and commercial payor audits, nationwide.

Healthcare audits arrive from three categories of payors. PBM audits (OptumRx, CVS Caremark, Express Scripts, Humana, Prime, MedImpact, Navitus) operate under network participation contracts and produce recoupment demands plus network termination risk.

Medicare audits (UPIC, RAC, MAC, SMRC, CERT, MEDIC) operate under the CMS Program Integrity Manual and produce statutory recoupment plus referral exposure to HHS-OIG and DOJ. Commercial payor and state Medicaid audits operate under their own contracts and regulations. Each audit type has its own procedural framework, its own appeal track, and its own enforcement consequences.

Health Law Alliance defends healthcare audits across pharmacies, physicians, hospitals, home health, hospice, DME, and wound care providers nationwide. Our defense framework runs from the document request response through every applicable appeal track and any parallel False Claims Act or criminal referral that follows.

5,000+
Federal & State Healthcare Matters
100+
Combined Years at DOJ, HHS-OIG & CMS Co's
5
Levels of Medicare Appeal Through Federal Court
24/7
Response, From Document Request to ALJ
Healthcare Audit Defense Hotline · Direct Line
(800) 345 - 4125
Speak with counsel who has defended healthcare audits across PBM, Medicare, Medicaid, and commercial payor matters. Privileged. Available 24/7.
Former officials from the agencies investigating your matter
U.S. Department of Justice
DOJ
FBI
FBI
HHS OIG
HHS-OIG
DEA
DEA
OptumRx
OptumRx
McKesson
McKesson
NAMFCU
NAMFCU
U.S. Treasury
Treasury
The Stakes
A healthcare audit compounds three exposures at once: cash flow, recoupment, and the network or program-integrity referral

Prepayment review can stop cash flow on every new claim within days. Postpayment review with statistical extrapolation turns a 30-claim sample into a multi-million dollar recoupment demand across the full claim population. The auditor's referral authority (PBM to network termination committee; CMS contractor to HHS-OIG and DOJ; commercial payor to state Medicaid Fraud Control Unit) converts what looks like a billing audit into a network exit, an FCA matter, or criminal exposure. The defense posture has to address all three from the document request response forward.

  • Prepayment review and network suspension: cash flow stops
  • Postpayment recoupment: extrapolation across the full claim population
  • Network termination and program-integrity referral
Case files binders
Case files
01
Prepayment review and network suspension: cash flow stops

Medicare prepayment review means CMS pauses payment on every new claim until the contractor reviews and approves it (60 to 180 days per claim, sometimes 18 to 36 months in multi-year postures). PBM "audit-pending" status produces a similar cash flow effect on the PBM side, with claims held until the audit closes. Most pharmacies and practices cannot operate through extended cash flow suspension without external financing. The defense focuses on getting off prepayment or audit-pending status as quickly as the substantive defense allows, often through a sustained low error rate showing or a corrective action plan that the auditor accepts as resolution.

Cash Flow Exposure
02
Postpayment recoupment: extrapolation across the full claim population

Both Medicare contractors and PBMs use statistical extrapolation in postpayment review. The auditor reviews a sample (often 30 to 50 claims), calculates an error rate, and extrapolates the error rate across the full claim population for the audit window. A $50,000 sample finding can produce a $5M to $20M recoupment demand after extrapolation. CMS withholds payment on incoming Medicare claims and PBMs offset future reimbursement to recoup, both of which compound the cash flow exposure. The largest dollar defense in most postpayment matters is the statistical methodology challenge: sample frame defects, sample size deficiencies, methodology errors, and statistical formula objections.

Recoupment Exposure
03
Network termination and program-integrity referral

PBM audit findings above an internal threshold materially increase the probability of network termination, either at the next contract renewal or through an immediate "for cause" termination. Medicare contractor findings can be referred to HHS-OIG, the DOJ Civil Division, and the local U.S. Attorney when the findings produce evidence of intent. The civil FCA referral surfaces as a Civil Investigative Demand. The criminal referral surfaces as a grand jury subpoena or a target letter. The audit is rarely the end of the matter when the findings cross the referral threshold; coordinating audit defense with parallel network, FCA, and criminal defense from day one is essential.

Network & Referral Exposure
Why Healthcare Audit Defense Is Different
Four structural features make healthcare audits fundamentally distinct from general commercial litigation

Healthcare audits operate under the specific regulatory or contractual framework of the payor that issued them. PBM audits run under the network participation contract and applicable state PBM laws. Medicare audits run under the CMS Program Integrity Manual and the federal administrative appeal track. Each track has its own statistical methodology, its own deadlines, and its own referral authority. Defense counsel that does not know the framework misreads the procedural posture and the realistic exposure.

Factor 01
PBM, Medicare, and commercial audits have different rules.
PBM audits operate under network participation contracts; remedies are contractual (recoupment, network termination), and procedural protections come from the contract terms and any applicable state PBM law (over 30 states have enacted PBM regulation since 2023). Medicare audits operate under federal regulation; remedies are statutory (CMS recoupment, prepayment review, OIG/DOJ referral), and procedural protections come from the 5-level Medicare appeal track. Commercial payor audits operate under state insurance contracts and state regulation. The defense framework that protects the practice has to match the audit type that arrived; treating a PBM audit like a Medicare audit (or vice versa) misses critical procedural defenses.
Factor 02
Statistical extrapolation is the largest dollar issue across all audit types.
Both Medicare contractors and PBMs use statistical extrapolation to convert sample-claim findings into multi-million dollar recoupment demands. The CMS Program Integrity Manual requires Medicare contractors to use statistically valid sampling and the RAT-STATS software. PBM extrapolation follows the network contract and any applicable state PBM law (some states limit or prohibit extrapolation under specified conditions). In both cases, defense counsel can challenge the methodology on sample frame defects, sample size deficiencies, methodology errors, or statistical formula objections. A successful extrapolation challenge can reduce a multi-million dollar recoupment to the actual sample-claim amount.
Factor 03
Strict appeal deadlines apply at every level.
Medicare appeals run through five statutory levels with specific deadlines (120 days for redetermination, 180 days for QIC reconsideration, 60 days for ALJ hearing, then Medicare Appeals Council and federal district court). PBM appeals run through the network's internal process (typically 30 to 60 days for written response after findings) and any applicable external arbitration or state regulatory complaint. State Medicaid appeals run through state administrative procedures. Missing any deadline at any track waives the appeal at that level and usually forecloses the next level. The defense framework has to identify the right appeal track on day one and meet every deadline.
Factor 04
Audits cascade across payors and tracks.
A single underlying issue (a documentation gap, a coding pattern, a kickback indicator) often triggers parallel audits from multiple payors. PBM audit findings can produce CMS contractor referrals on the Medicare side. Medicare contractor findings can produce state Medicaid Fraud Control Unit cross-referrals. Commercial payor findings can produce federal investigations. The defense framework has to anticipate the cross-track exposure and produce documents that defend against the worst-case forum, not just the immediate one. Counsel that handles only one audit at a time usually misses the cascade exposure.
"A healthcare audit notice is the first procedural opportunity in the matter. The production response shapes everything that follows."
Protect Your Practice Now →
The HLA Healthcare Audit Defense Process
A four-stage protocol that adapts to the audit type, the payor framework, and the appeal track

Our bench includes a former Assistant U.S. Attorney with DOJ Director's Award recognition and senior healthcare-company counsel. We have defended audits from PBMs (OptumRx, CVS Caremark, Express Scripts, Humana, Prime), CMS contractors (UPIC, RAC, MAC, SMRC, CERT), and commercial payors. We have produced statistical extrapolation reductions in postpayment matters, network termination reversals, and coordinated audit defense with parallel False Claims Act and criminal exposure. This is the protocol.

  • Document request response and audit scope evaluation
  • Initial determination engagement and statistical methodology challenge
  • Formal appeals: redetermination, QIC reconsideration, ALJ hearing
  • Parallel FCA and criminal coordination if the contractor refers
Conference room
Where defense is built
01
Document request response and audit scope evaluation

From the day the contractor's notice arrives: identify the contractor type (UPIC, RAC, MAC, SMRC, CERT), evaluate the audit type (prepayment review, postpayment review, focused medical review, automated review), the claim window covered, and the document request as written. Most document requests can be narrowed through written response on scope and timing. We conduct a privileged pre-production review of every document before it leaves the practice, which preserves defenses for the appeal track and avoids producing material that becomes evidence in any subsequent FCA or criminal matter.

02
Initial determination engagement and statistical methodology challenge

When the contractor issues findings: respond on the substantive defense for each flagged claim and challenge the statistical methodology where postpayment extrapolation is used. The methodology challenge focuses on sample frame defects, sample size deficiencies, RAT-STATS application errors, and Cochran formula objections. A successful methodology challenge at this stage often reduces the recoupment demand by a meaningful percentage before the matter reaches the formal appeal track.

03
Formal appeals: redetermination, QIC reconsideration, ALJ hearing

The Medicare appeal track requires the right record at every level. We draft and file the redetermination request to the MAC within the 120-day window, prepare the QIC reconsideration with the substantive and statistical record, and present to the Administrative Law Judge with witness preparation, expert testimony where applicable, and a procedural record built to support the ALJ's decision. The record built at the redetermination and QIC stages is the record the ALJ reviews; defense counsel that skips ahead loses the procedural foundation.

04
Parallel FCA and criminal coordination if the contractor refers

When Medicare audit findings produce a referral to HHS-OIG, the DOJ Civil Division, or the local U.S. Attorney's office: civil FCA defense (CID response, intervention or declination engagement, Rule 9(b) motion practice) and criminal defense (target letter response, attorney proffer, grand jury subpoena management) run in parallel with the Medicare appeal. Our former-federal-prosecutor bench coordinates the Medicare appeal, the civil FCA matter, and the criminal track as one matter to avoid locking in admissions in one forum that hurt the defense in another.

Common Healthcare Audit Triggers
The six patterns that put a healthcare audit in motion

PBMs, CMS contractors, and commercial payors all use data analytics and external referrals to identify providers for audit. The triggers below are the most common predicates across audit types.

01
Data analytics flags from peer comparator analysis.
CMS provides contractors with claims data and peer comparator analytics. Providers whose billing patterns fall in the top decile of their peer group on a specific code, code combination, or modifier usage face elevated review frequency. Common high-risk patterns include high E/M code distribution (CPT 99214 and 99215 over 80% of visits), high modifier 25 utilization, high modifier 59 utilization, and outlier reimbursement per beneficiary on Part B drug administration.
02
Qui tam relator or whistleblower complaint referral.
A qui tam complaint filed with DOJ under seal can produce a contractor referral when the DOJ Civil Division wants the contractor's billing analysis to support the FCA case. Internal whistleblower hotline reports, when escalated outside the company, can produce the same referral pipeline. The contractor's document request often does not identify the underlying relator complaint, but the document scope tracks the relator's allegations closely enough that experienced defense counsel can identify the underlying matter.
03
Prior contractor findings cascade across review tracks.
A RAC overpayment determination, a MAC medical review with high error rate, an SMRC focused review with adverse findings, or a CERT sample finding can produce a downstream UPIC review. Each contractor inherits the prior contractor's findings as the starting point for its own review and can expand the scope materially. Providers who have closed a prior contractor matter without a clean record should anticipate the next contractor's follow-up.
04
Specialty-specific enforcement initiatives.
CMS contractors run focused enforcement initiatives targeted at specific specialties or service lines. Recent examples include skin substitute applications following the Apex Medical $309M FCA settlement, debridement coding following the Vohra $45M settlement, hospice eligibility review, home health face-to-face documentation, and remote patient monitoring billing. Providers operating in an initiative-targeted area face elevated review regardless of individual billing patterns.
05
Medicare Drug Integrity Contractor (MEDIC) referral on Part D.
For Part D matters (pharmacies dispensing Medicare prescription drug benefit claims), the Medicare Drug Integrity Contractor identifies suspicious patterns and refers them to the UPIC for parallel medical review. The MEDIC and UPIC tracks coordinate, which means a Part D investigation at the pharmacy level can produce a UPIC review at the prescriber level (or vice versa). Cross-track exposure is common in opioid, GLP-1, and specialty drug dispensing patterns.
06
State Medicaid Fraud Control Unit (MFCU) cross-referral.
State MFCUs investigate Medicaid fraud and refer matters to CMS contractors for parallel Medicare review when the provider participates in both programs. The MFCU investigation can produce a Medicare review that the provider did not anticipate. The state-federal coordination is increasingly tight, and defense counsel that handles only one side often misses procedural exposure on the other.
Recent Medicare Audit Defense Outcomes
Representative Case Results

Outcomes are summarized for confidentiality. Client names, precise geography, and identifying facts are redacted.

Case files Recoupment Reversed
Statistical Extrapolation Challenge Reduces Recoupment by Substantial Margin.

Provider received a postpayment review finding with statistical extrapolation across a multi-year claim window. Health Law Alliance challenged the contractor's sample frame, sample size methodology, and RAT-STATS application errors at the redetermination and QIC reconsideration stages. The extrapolated recoupment demand was reduced to the actual sample-claim amount, a small fraction of the original number. The procedural record built at the redetermination level supported the QIC's reduction without requiring an ALJ hearing.

Federal · Healthcare provider · 2024
Washington DC DOJ Declination
DOJ Declines Civil and Criminal Action After Medicare Audit Referral.

Healthcare company received a Medicare contractor referral that produced a Civil Investigative Demand from the DOJ Civil Division covering alleged $6M in false claims. Health Law Alliance produced documents under a negotiated rolling schedule, presented the factual rebuttal of the government's theory in a meeting with the line attorneys, and prepared a written submission addressing the materiality and falsity defects. DOJ declined both civil intervention and criminal referral. Pre-unsealing engagement, when the matter surfaces through other channels, is the highest-leverage window in any FCA matter.

National scope · Healthcare company · 2024
Federal courtroom Indictment Dismissed
Federal Healthcare Fraud Indictment Following Medicare Audit Referral Collapses.

Solo physician faced a multi-count federal indictment that included healthcare fraud counts following an upstream Medicare contractor referral to the local U.S. Attorney. Health Law Alliance filed responsive motions, built the procedural record, and challenged the government's theory through pre-trial motion practice; the indictment collapsed before trial. The Medicare-audit-to-criminal escalation risk is real in matters where the contractor's findings include intent evidence; a unified defense across the appeal track and the parallel criminal track is the most efficient way to avoid the criminal exposure.

Northeast · Solo physician · 2025

Attorney advertising. Prior results do not guarantee a similar outcome. Case summaries are generalized for confidentiality and are not a substitute for legal advice on your specific matter.

The Firm
We Used to Work for Them.
Now We Fight for You.
Client Reviews
What Clients Say
  1. Anthony's background as a former federal prosecutor and executive for major healthcare companies provided a level of expertise and insight that made all the difference. His deep understanding of healthcare law, particularly in litigation and compliance matters, helped navigate complex legal issues with ease.
Healthcare Audit Defense FAQ
Frequently Asked Questions

Seven questions that come up on almost every first call. The answers below are general; specific situations require privileged consultation.

What is a healthcare audit and what types of payors conduct them? +
A healthcare audit is a payor-initiated review of a pharmacy or provider's claims to verify accuracy, medical necessity, and contract compliance. Three primary payor categories conduct healthcare audits. PBMs (OptumRx, CVS Caremark, Express Scripts, Humana, Prime, MedImpact, Navitus) audit pharmacies under the network participation contract. CMS contractors (UPICs, RACs, MACs, SMRCs, CERT, MEDIC) audit Medicare and Medicaid claims under the Program Integrity Manual. Commercial payors and state Medicaid programs audit under their own contracts and regulations. Each payor type has its own procedural framework, its own appeal track, and its own enforcement consequences. The audit framework that protects the practice has to match the audit type that arrived.
What is the difference between a PBM audit and a Medicare audit? +
PBM audits operate under the network participation contract and produce contractual remedies: recoupment, network termination, and exclusion from the PBM's network. The procedural framework is set by the PBM's audit policy and the contract terms. State PBM laws in over 30 states add procedural protections (limits on extrapolation, written findings requirements, appeal procedures with specified timing). Medicare audits operate under the federal Medicare regulatory framework and produce statutory remedies: overpayment recovery through CMS, prepayment review, and referrals to HHS-OIG, the DOJ Civil Division, or the local U.S. Attorney. The procedural framework is set by the CMS Program Integrity Manual and includes the 5-level Medicare appeal track ending in federal district court. The defense framework, the leverage points, and the realistic exposure differ materially between the two.
Can a healthcare audit lead to a False Claims Act case or criminal prosecution? +
Yes, both. Medicare contractor audits and CMS investigations regularly produce referrals to HHS-OIG, the DOJ Civil Division, and the local U.S. Attorney when the audit findings produce evidence of intent rather than billing errors. PBM audits can produce parallel referrals to state Attorneys General, state Medicaid Fraud Control Units (MFCUs), and federal authorities when the dispensing pattern crosses an enforcement threshold. The civil False Claims Act track surfaces as a Civil Investigative Demand. The criminal track surfaces as a grand jury subpoena or a target letter. The healthcare audit is rarely the end of the matter when the findings cross the referral threshold. Coordinating the audit defense with parallel FCA and criminal defense from the first contact is essential because evidence developed in one track is admissible in the others.
What is statistical extrapolation in a healthcare audit? +
Statistical extrapolation is the methodology auditors use to convert a small sample of audited claims into a much larger recoupment demand across the full claim population. The contractor or PBM reviews a sample (often 30 to 50 claims), calculates an error rate from the sample findings, and extrapolates that error rate across the provider's full claim universe for the audit window. A $50,000 sample finding can produce a $5M to $20M extrapolated recoupment demand. Medicare extrapolation must follow the CMS Program Integrity Manual and use the RAT-STATS software. PBM extrapolation follows the network contract and any applicable state PBM law. Defense counsel can challenge the extrapolation on sample frame defects, sample size deficiencies, methodology errors, and statistical formula objections. A successful methodology challenge often reduces the demand to the actual sample-claim amount.
How do I appeal a healthcare audit finding? +
Appeal mechanics depend on the audit type. Medicare audits run through five statutory appeal levels: redetermination by the MAC (120-day deadline), reconsideration by a Qualified Independent Contractor (180 days), Administrative Law Judge hearing (60 days), Medicare Appeals Council review, and federal district court review under 42 USC § 405(g). PBM audit appeals run through the network's internal appeal process (typically 30 to 60 days for written response after findings) and, in some matters, an external arbitration or state regulatory complaint track. State Medicaid audits run through state administrative procedures. Each track has strict statutory or contractual deadlines; missing any deadline waives the appeal at that level. The defense framework has to identify the right appeal track and meet every deadline from the first contact forward.
What documentation does a healthcare audit typically require? +
Documentation requirements depend on the audit type and the claim universe under review. For Medicare audits: physician orders, medical records, prior authorization files, signature logs, prescriber chart notes, billing records, and any documentation tied to the specific HCPCS codes or DRGs at issue. For PBM audits: prescription hardcopy records, signature logs, prior authorization approvals, dispensing records, prescriber records, and any documentation supporting the medical necessity and dispensing accuracy. For specialty drug audits (GLP-1, oncology, biologics): contemporaneous prescriber chart notes documenting the indication and supporting clinical criteria. The 2026 audit posture across most payors expects contemporaneous documentation rather than retrospective attestation. Defense counsel can identify which documentation actually supports the defense and which documentation creates exposure if produced.
When should I engage counsel in a healthcare audit? +
Before responding to the audit notice or document request. The first procedural opportunity in the audit is the document production response, and that response shapes everything that follows: which documents the auditor reviews, what claim universe the sample is drawn from, what the realistic findings range will be, and whether the auditor sees patterns that escalate to network termination, FCA referral, or criminal referral. A document production made without privileged counsel can produce material that becomes evidence in subsequent litigation, and procedural defenses available later (extrapolation challenges, appeal arguments) can be foreclosed by an inadequate or over-inclusive production. The earlier counsel is engaged, the more leverage the defense has across the audit, the appeal track, and any parallel matters.
Speak with Healthcare Audit Defense Counsel Today

A healthcare audit notice is the first procedural opportunity in the matter — the production response shapes everything that follows

Before you produce documents to the auditor, before the sample is drawn for extrapolation, before the matter escalates to a network termination or DOJ referral, have a privileged conversation with attorneys who defend healthcare audits across PBM, Medicare, Medicaid, and commercial payor matters. Free, confidential, no retainer.

"The auditor sent a document request covering three years of claims. Health Law Alliance was on the call within two hours, walked us through the production framework, and ran a privileged pre-production review of every document before it left the practice. When the findings came back with extrapolation, the methodology challenge at the first appeal level reduced the recoupment demand to a small fraction of the original number. The procedural record built at the first stage carried through every subsequent appeal." - Practice administrator, multi-location practice (anonymized client, 2024)
Healthcare audit notice? The production response shapes everything.