Most value-based care organizations center their compliance programs on Medicare Advantage, and for good reason. Risk adjustment in MA drives financial performance, and documentation gaps there can quickly undermine revenue. But RAC audits are a reminder that liability does not stop with MA. Providers also carry exposure in Medicare fee-for-service, Medicaid, and other lines of business.

If your team views RACs as a “fee-for-service problem,” you may be underestimating the ripple effects these audits can have across the entire enterprise.

The mechanics of post-payment reviews

Post-payment reviews are exactly what they sound like: audits of claims after CMS has already reimbursed providers. Unlike pre-payment edits, these reviews allow Medicare to circle back, scrutinize the medical record, and determine whether the services billed were supported and medically necessary.

If documentation doesn’t hold up, CMS has one straightforward remedy: take the money back. And these aren’t hypothetical risks. Health systems and medical groups across the country have faced millions in recoupments when auditors uncover gaps in documentation or unsupported diagnoses. In other words, the “final” payment wasn’t final at all. That reality is precisely why RACs exist in the first place.

The role of Recovery Audit Contractors

To scale these reviews, CMS relies on Recovery Audit Contractors (RACs). Their job is simple: find overpayments. The more they identify, the more they earn.

RACs use sophisticated data-mining techniques to flag claims that appear out of line with national or regional patterns. From there, they request charts, review the clinical documentation, and decide whether the claim stands or whether repayment is required.

For providers, this means RACs are not passive reviewers. They are incentivized hunters, financially motivated to spot discrepancies. Even an innocent documentation gap can trigger a repayment demand.

And the financial impact is not theoretical. It’s visible in real-world data.

RAC programs: A case study in dollars

The scale of this effort is massive. The Government Accountability Office (GAO) reported:

“Our analysis found that during fiscal year 2021, 16 states participated in the program. According to CMS, these states recovered and returned $161.1 million of Medicaid overpayments to the federal government through their RAC programs in fiscal year 2021.” (GAO Report, GAO-23-106025)

This number represents just Medicaid RACs in a single fiscal year, demonstrating how aggressively CMS leverages post-payment reviews to recover funds. For providers, it underscores a sobering reality: every chart is fair game, and every claim remains vulnerable long after payment is made.

Which leads to the most important takeaway: when an audit uncovers gaps, the financial hit usually falls on the health plan and its healthcare partners. For providers in private practice, that liability can be direct. More often, employed clinicians face risks such as job consequences or even legal action if fraud is suspected.

Provider liability: Why documentation is everything

Here’s the crucial point: even though RACs and other contractors work on behalf of CMS, repayment liability usually falls on Medicare Advantage plans and their healthcare partners. When auditors determine that a diagnosis is not supported, the payment is taken back from the organization. For individual providers, the impact is less about direct repayment and more about job consequences, performance reviews, or potential legal exposure if fraud is suspected.

This liability extends beyond money. Repeated findings can damage payer relationships, spark compliance investigations, and trigger cascading audits from other CMS programs. Providers may also face delays in reimbursement as claims are tied up in review cycles, creating a ripple effect on cash flow and financial stability.

Legal exposure is another underappreciated risk. If CMS determines that patterns of unsupported diagnoses rise above simple error into negligence—or worse, intent—then audits can quickly escalate into False Claims Act cases or even Department of Justice investigations. In those scenarios, penalties can soar far beyond repayment and enter the realm of treble damages or civil monetary penalties.

Sign up to our DoctusTech VBC Hub to receive tailored content recommendations direct to your inbox.

In short: your documentation is your only defense. The strength of a provider’s notes doesn’t just determine today’s reimbursement, but tomorrow’s compliance standing.

The problem is, audits look backward. Providers need a way to look forward.

Consider a scenario: When a small gap becomes a big problem

Picture a multi-specialty provider group that runs a strong Medicare Advantage compliance program but pays less attention to fee-for-service Medicare. During a RAC review, auditors flag a series of visits where procedures were billed but documentation was incomplete or inconsistent with coverage requirements. The clinic had assumed that their strong MA compliance program would cover their bases. The RAC review proves otherwise.

The result is millions in repayment demands, strained relationships with commercial payers who hear about the findings, and a scramble to divert compliance resources away from population health programs.

The group’s value-based strategy was centered on MA, but a gap in FFS documentation rippled across the entire enterprise. This is the reality of RACs. Their reach extends far beyond the program they are auditing.

Where technology and AI make the difference

The challenge for providers is that RAC reviews often look back years after care was delivered. By that time, it’s impossible to “fix” a chart that was incomplete on the day of service. That’s why more organizations are turning to technology and AI-powered tools that ensure compliance in real time.

AI can:

- Surface missing diagnoses or documentation gaps before the claim is submitted.
- Flag whether a note meets MEAT (Monitor, Evaluate, Assess, Treat) standards.
- Aggregate patient data across visits and specialists, so nothing slips through.
- Provide education at the point of care, reinforcing coding accuracy without adding burden.

In other words, technology gives providers a way to stay compliant before RACs come knocking.

The advantage of these tools is that they embed compliance directly into daily workflows. Instead of chasing down problems years later, providers can close gaps at the source, when the patient is still in the room.

Looking ahead: Turning compliance into strength

What RAC audits make clear is that compliance is no longer optional, nor can it be left to chance. As CMS expands its oversight, the organizations that succeed will be those that treat compliance not as a cost center but as a strategic investment.

RACs are not just a fee-for-service issue. For value-based care organizations, their impact stretches far beyond the audited program.

When documentation is airtight, audits become less threatening. Instead of scrambling to defend revenue years later, providers can face reviews with confidence, knowing their records reflect the true complexity of patient care. The right tools shift compliance from reactive to proactive, from a liability to a strength.

This is precisely what DoctusTech was built to do. Our AI-powered Patient Diagnosis Assist Platform (PDAP) and MEAT Sensor catch documentation gaps in real time, long before claims are ever reviewed. Paired with our mobile learning app, clinicians gain the knowledge and tools to stay compliant while keeping their focus on patient care.

In a healthcare landscape where RACs are always looking backward, DoctusTech helps you look forward, protecting revenue, reducing risk, and turning compliance into an advantage.

Ready to protect your organization? Schedule a demo today.