Healthcare audit season condenses a year’s worth of chart pulls, timelines, and portals into a few intense months. While Medicare claim reviews run year-round, health plans initiate HEDIS audits in late winter and spring, and risk programs (such as RADV) submit their own requests on separate timelines.
What makes healthcare audit season challenging isn’t only volume, but also juggling different due dates, submission channels, and privacy rules.
We’ll break down key audit types, discuss why HIM teams feel overwhelmed during healthcare audit season, and provide a step-by-step approach to stay in control.
Types of Healthcare Audits
Most organizations face more than one program during healthcare audit season, and each one plays by slightly different rules.
For every audit below, you’ll see who initiates it, what they’re looking for, how much time you typically have, and what happens if you miss a deadline. Where exact timelines vary, always follow the dates and instructions on the actual letter or portal notice.
Healthcare Audit Season Timelines
Most Medicare Additional Documentation Requests (ADRs) give you 45 calendar days to submit; UPIC requests are tighter at 30 calendar days. Prepayment and post-payment reviews use the same windows, keyed to the date on the letter.
Meanwhile, HEDIS chart pulls commonly ask for records within 5–14 business days so plans can hit late-April/May abstraction and early-to-mid-June submission deadlines.
Likelihood of Audit Requests by Month
(Red = High likelihood, Yellow = Moderate, Green = Low)
| Audit Type | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
| HEDIS (Plans / Vendors) | 🟡 | 🔴 | 🔴 | 🔴 | 🔴 | 🟡 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 | 🟢 |
| MRA | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🔴 | 🔴 | 🔴 | 🟡 | 🟡 | 🟡 |
| MAC / SMRC | 🟡 | 🟡 | 🔴 | 🔴 | 🔴 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 |
| RAC | 🟡 | 🟡 | 🟡 | 🔴 | 🔴 | 🟡 | 🟡 | 🟡 | 🔴 | 🔴 | 🟡 | 🟡 |
| CERT | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 |
| TPE | 🟡 | 🟡 | 🔴 | 🔴 | 🔴 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 |
| MIPS DVA | 🟢 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟡 | 🟢 |
| RADV | 🟢 | 🟢 | 🟢 | 🟡 | 🟡 | 🟢 | 🟢 | 🟡 | 🔴 | 🔴 | 🔴 | 🟡 |
HEDIS Medical Record Request
Plans and vendors request charts for HEDIS audits to validate prior-year quality measures that drive ratings and incentives. During healthcare audit season, prepare standard page lists by measure and verify member identifiers before upload.
For Medicare Advantage, the same HEDIS documentation is also used to support Star Ratings. From the provider side, the requests are identical with short deadlines, targeted measure pulls, and portal submissions. The difference is in the outcome: HEDIS supports plan quality reporting across markets, while Star Ratings determine bonus payments and plan competitiveness.
Who sends it: The health plan or a HEDIS vendor
Why you got it: Quality measure validation for the prior measurement year
Response deadline: Plan specific; often 10 to 14 days. Examples include:
Lookback: Prior measurement year for the member and measure
Submission: Plan or vendor portal, SFTP, or approved onsite access
What to send: Minimum necessary pages that prove numerator, exclusion, or exception
If you miss it: Measures may not count and plan quality scores can decline
Stage work by measure and follow file-naming rules exactly to keep pace when healthcare audit season peaks.
MRA (Medical Record Review for Risk Adjustment)
Medicare Advantage and commercial plans run plan-administered MRA campaigns to validate diagnoses that map to HCCs for payment accuracy. During healthcare audit season, the group pulls by contract and product so you meet each portal’s file and naming rules.
MRA is distinct from CMS’s RADV audit, which is compliance-driven.
Who sends it: Medicare Advantage health plans or their risk-adjustment vendors
Why you got it: Diagnosis validation to support HCC risk scoring and payment
Response deadline: Plan specific; commonly 10 to 30 days per request set
Lookback: Prior measurement or payment year per plan instructions
Submission: Plan or vendor portal, SFTP, or encrypted upload; naming conventions are strict
What to send: Progress notes that clearly document the condition, assessment, and treatment within the valid date range, with provider signature, date, and credentials
If you miss it: Diagnoses may be rejected, reducing risk scores and triggering plan escalations
MAC or SMRC Audit
Medicare Administrative Contractors and the Supplemental Medical Review Contractor verify coverage, coding, and medical necessity for claims that trigger risk signals. During healthcare audit season, route incoming letters to a single intake path and begin assembling documentation immediately so work starts on day one.
Who sends it: Your Medicare Administrative Contractor or the SMRC
Why you got it: Outlier billing, data anomalies, new services, or policy focus identified through contractor data analysis and medical review strategy
Response deadline: 45 calendar days from the ADR date
Lookback: Issue-specific as stated in the letter; CMS uses a unified ADR letter format and inserts case-specific details
Submission: Contractor portal or esMD; otherwise, secure fax or mail per instructions
Extensions: Good-cause extensions may be available at contractor’s discretion
What to send: Orders, signed notes, diagnostics, operative reports, and required attestations tied to the billed dates
If you miss it: Denial or recoupment and increased likelihood of future targeting
Use a short checklist and consistent filenames. Save a PDF of each packet and proof of send to simplify follow-up during healthcare audit season.
RAC Audit
Recovery Audit Contractors perform post-payment reviews to correct over- and under-payments after claims are paid. In healthcare audit season, keep a tracker for open RAC items so they do not collide with other reviews.
Who sends it: Your regional Recovery Audit Contractor
Why you got it: CMS-approved issues identified by data analysis
Response deadline: 45 calendar days from the ADR date
Lookback: Up to 3 years from the initial paid date
Submission: RAC portal or esMD as instructed
What to send: Complete claim support proving coverage and medical necessity, including signature and order requirements where applicable
If you miss it: Expect an adverse determination. RACs may use statistical sampling and request extrapolated overpayments when applicable under the Program Integrity Manual
Label files by claim and date of service and keep an issue-specific evidence checklist to protect cash flow during healthcare audit season.
CERT Review
The Comprehensive Error Rate Testing program measures the Medicare Fee-for-Service improper payment rate using a statistically valid random sample. Treat CERT like any other ADR during healthcare audit season with tight routing and tracking.
Who sends it: The CERT contractor
Why you got it: Random selection for national error-rate measurement
Response deadline: 45 calendar days from the ADR date
Lookback: Sampled claim window only
Submission: The CERT C3HUB website or the channel named in the request
Extensions: Hardship extensions may be considered
What to send: Exactly the documentation that supports the sampled service, nothing extra
If you miss it: Non-response can result in claim adjustment and recoupment on the sampled claim
Maintain a CERT index that logs request date, due date, contents, and delivery confirmation to keep healthcare audit season orderly.
TPE Review
Targeted Probe and Educate pairs small samples with education to correct a defined error pattern. In healthcare audit season, plan capacity for multiple rounds and document improvements between them.
Who sends it: Your Medicare Administrative Contractor
Why you got it: Service-specific error pattern confirmed by data
Response deadline: 45 calendar days per ADR in each round
Structure: TPE rounds generally review fewer than 20 claims today; historically 20 to 40 was typical, and CMS may approve smaller probes. Most topics allow up to three rounds
Submission: MAC portal or esMD per instructions
Education required: Education sessions are expected and should be documented
What to send: Concise, policy-mapped packets that address the cited gaps and dates of service
If you miss it: Possible 100 percent prepayment review, extrapolation when allowed, referral to another contractor, or other actions
Document fixes between rounds and, for settings like skilled nursing facilities, note that some probes use five-claim samples so staffing aligns with scope during healthcare audit season.
MIPS Data Validation and Audit
MIPS DVA confirms that Quality, Promoting Interoperability, and Improvement Activity submissions match source evidence. Healthcare audit season often includes two phases, so schedule time for both.
Who sends it: A CMS contractor, commonly Guidehouse
Why you got it: Random or risk-based selection of MIPS submitters
Response deadline: 45 days for Phase 1 and 45 days for Phase 2
Lookback: Prior performance year
Submission: Secure portal or encrypted upload defined in the notice
Scope: Quality, Promoting Interoperability, and Improvement Activities
What to send: Source reports, screenshots, logs, policies, and attestations that reproduce reported values
If you miss it: Risk of negative payment adjustment
Save exports and screenshots at submission time, then organize by measure so healthcare audit season responses are fast and consistent.
RADV Audit
Risk Adjustment Data Validation ensures that the corresponding medical records support Medicare Advantage diagnoses used for payment. In healthcare audit season, follow the schedule exactly and prepare for strict formatting.
Who sends it: CMS or a plan contractor
Why you got it: Medicare Advantage risk-adjustment validation
Response deadline: Set by the payment-year schedule
Lookback: Payment-year rules defined by CMS or the plan
Submission: Plan portal with strict naming conventions and attestations
What to send: Records that support each HCC with correct dates, signatures, and credentials
If you miss it: Contract-level exposure through extrapolation
Align documentation and coding before upload, maintain a file index, and run a final quality check so healthcare audit season deliverables land cleanly.
Healthcare Audit Season Playbook: Three Moves to Stay in Control
Healthcare audit season brings many record requests at once, each with its own due date and submission method. Your aim is simple: one list, clean packets, on-time sends. Use this plan to stay in control without extra steps.
- Stand up the clock board, assign owners, and calendar the next three sends.
- Rebuild one active packet in the recommended order and save the receipt with the file.
- Run the capacity math; escalate or request time if you’re ≥20% short.
1) Control the Clocks During Healthcare Audit Season
Make the schedule visible and owned during healthcare audit season. Put every request (mail, portal, email, and fax) into one list and sort by the earliest due date. Group items into three lanes based on fulfillment speed requirements:
- 5 to 14-day deadlines
- 30-day deadlines
- 45-day deadlines
Assign each request a primary owner and a backup, schedule a quick quality control check, and plan to send the final record at least one business day before the deadline. Meet regularly during healthcare audit season to address any blockers that may require an extension.
Note that HEDIS is a quality sample, while ADR-driven audits review claims. Treat timelines and risk accordingly.
Create a simple clock board with:
- Requestor
- Patient/Claim
- Dates of Service
- Due Date • Owner
- Channel
- Status
- Notes
For each new request, log the letter date and due date, choose the allowed channel (secure upload/portal preferred), and set the QC and send times.
Send only the minimum necessary and save a receipt number or screenshot as proof of delivery (what shows when and how you sent it).
2) Build Review-Ready Packets
Make it easy for reviewers to find what they need during healthcare audit season. Start with the request letter, add a short cover sheet (patient, dates of service, contact), a simple contents list, and only the clinical pages that were actually requested.
Use a secure upload/portal when possible, check file type and size limits, and split files if needed. Next, prepare audit packets in the following order:
- Request letter
- Cover sheet (patient, dates of service, contact)
- Contents list (what’s inside and where)
- Core clinical pages (only what was requested)
- Signatures if needed
- Proof of delivery (receipt/log/screenshot)
Before uploading any records, confirm the names and dates on every page, ensure the pages are readable and in order, and keep everything within the requested date range. Only include sensitive records (such as psychotherapy notes or substance use treatment) when the letter specifically asks for them and if you have proper authorization.
If you receive a denial, read it line by line and add the exact pages that resolve each point. Include a brief cover note that maps each issue to the page number, submit within the stated timeline, and save the new confirmation.
3) Handle Medical Record Request Surges Without Burnout
Healthcare audit season can significantly increase staff stress and lead to burnout without proper support. Estimate hours before you start so you can match workload to staff capacity. Multiply items by minutes per item to get total hours, then compare that to staff hours this week.
A simple way to estimate the time cost of each audit is: total hours = (charts × minutes ÷ 60) + (claims × minutes ÷ 60).
For example, 300 charts at 12 minutes each is about 60 hours, and 40 claims at 50 minutes each is about 33 hours. This results in a time cost of approximately 93 hours.
Do the most urgent, highest-risk work first, batch simple tasks, and schedule the rest. Sort the work as follows:
- Urgent + High Risk (dollars/compliance): Do first.
- Urgent + Low Risk: Batch together.
- Non-urgent + High Risk: Pre-assemble and schedule.
- Non-urgent + Low Risk: Bundle or defer.
You should seek additional help and/or request an extension when forecasted hours exceed available staff hours by at least 20 percent, when your backlog grows for two days in a row, or when the same packet type fails QC more than once in a day.
How ChartRequest Supports Healthcare Audit Season
If healthcare audit season is stretching your HIM team thin, ChartRequest helps you replace ad hoc scrambling with a predictable, compliant workflow. You centralize intake, standardize packet assembly, and keep every request moving with clear SLAs, audit logs, and proof of send. The result is faster cycle times, fewer handoffs, and less rework.
With ChartRequest, HIM directors can:
- Centralize intake, tracking, and SLAs. Use HIPAA-compliant dashboards and reports to monitor request turnaround by hour, day, week, or month and filter by site, requester, and audit type.
- Prove every action. Access detailed, immutable audit logs that show who did what and when, supporting HIPAA audit-log requirements and internal QA.
- Handle bulk audit pulls without clogging queues. Fulfill high-volume requests from payors and audit vendors through a dedicated workflow that keeps routine ROI work on track.
- Submit securely and minimize risk. Exchange PHI through secure electronic delivery with configurable permissions that align with HIPAA security expectations.
- Implement quickly in your current environment. Stand up ChartRequest without heavy IT lift. The platform is EMR-agnostic and supports integrations where available.
- Scale with audit season peaks. Add capacity when volumes spike, maintain visibility across sites, and keep HIPAA alignment as plan and contractor requests grow.
If healthcare audit season is already on your mind, now is the time to simplify it.
