A medical audit is a structured review of healthcare practices, patient records, or billing claims to measure how well current performance matches established standards. The term covers two distinct worlds: clinical audits, which focus on the quality of patient care, and financial or billing audits, which check whether healthcare services were coded and billed correctly. Both follow systematic processes, but they serve different goals and are carried out by different people.
Clinical Audits vs. Financial Audits
Clinical audits are part of a continuous quality improvement process. They measure a clinical outcome or a care process against well-defined standards built on evidence-based medicine. The goal is always to improve the care provided to patients. A hospital might audit how consistently its staff follows hand-hygiene protocols, or whether patients with a specific condition are receiving the recommended treatment within the right time window. The comparison point is a clear, published guideline or local hospital standard, not a billing code.
Financial audits, by contrast, focus on whether a provider’s claims accurately reflect the services that were actually delivered. Insurance payers, including Medicare, use these audits to identify overpayments or underpayments. The Centers for Medicare and Medicaid Services runs a Recovery Audit Program specifically designed to detect and correct improper payments across all 50 states. Recovery Audit Contractors conduct both automated reviews at the system level and complex reviews that require a qualified person to examine individual medical records. Automated review is reserved for cases where the claims data alone establishes that a payment was improper; anything that depends on clinical judgment goes to complex review, and when a complex review is needed the contractor issues a formal request for the medical record and supporting documentation.
Both types of audit share a core principle: compare what is happening to what should be happening, identify the gap, and act on it.
The Five Stages of a Clinical Audit
Clinical audits follow a repeating cycle with five stages: preparing for audit, selecting criteria, measuring performance, making improvements, and sustaining those improvements.
Preparation starts with identifying a specific problem and the local resources available to investigate it. Topic selection typically focuses on care processes that have been shown to produce the best outcomes for patients. Once you have a topic, you define audit criteria, which are explicit statements describing the outcome or process you intend to measure. These criteria come from clinical guidelines, local hospital protocols, or national best-practice standards. You also set a target standard, usually expressed as a percentage. For example, “90% of patients presenting with chest pain should receive an ECG within 10 minutes.”
Data collection comes next. You define which patients to include, what time period to cover, and where the data will come from. Some of it may sit in electronic health records; some may need to be gathered by hand. The results are then compared to the target standard to see where performance falls short.
The most important and most difficult stage is implementing change. Data collection on its own changes nothing. After presenting results to the relevant team, you agree on specific recommendations, record them in an action plan, and assign responsibility for each item with a deadline. The cycle then repeats: you re-audit the same criteria to see whether the changes actually worked.
What Triggers a Financial Audit
Healthcare providers can face financial audits for several reasons. Billing patterns that look unusual compared to peers are a common trigger. The U.S. Office of Inspector General has flagged cases where home health agencies billed single-discipline visits lasting more than four hours, when nationwide data shows the average home health visit runs about 45 minutes. That kind of statistical outlier draws attention.
Other red flags include a sudden spike in the volume of high-complexity services, consistently billing at the highest reimbursement levels, or patterns that suggest upcoding (billing for a more expensive service than what was provided). Medicare’s Recovery Audit Contractors use automated systems to scan claims data for these patterns before deciding which providers to review more closely. An outlier is a trigger for review, not proof of improper billing: a provider with an unusual patient population may legitimately sit far from the peer average, which is why the record review that follows matters.
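The peer-comparison screen described above, reduced to code as an added example (not a CMS or RAC tool, and run over constructed claim lines rather than real billing data). It flags three of the patterns the text mentions: any single visit at or beyond four hours, a provider whose mean visit length is far above the median of its peers, and a provider billing nearly every claim at the top level. The thresholds, the provider and service identifiers, and the minimum claim count are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed claim lines for illustration (not real billing data).
# Each tuple: (provider_id, service_code, visit_minutes, billed_level)
# billed_level runs from 1 (lowest complexity) to 5 (highest reimbursement).
CLAIMS = [
    ("HHA-001", "G0151", 40, 2), ("HHA-001", "G0151", 50, 3), ("HHA-001", "G0151", 45, 2),
    ("HHA-001", "G0151", 60, 3), ("HHA-001", "G0151", 35, 1),
    ("HHA-002", "G0151", 30, 3), ("HHA-002", "G0151", 45, 4), ("HHA-002", "G0151", 50, 3),
    ("HHA-002", "G0151", 40, 2),
    ("HHA-003", "G0151", 55, 2), ("HHA-003", "G0151", 45, 3), ("HHA-003", "G0151", 50, 4),
    ("HHA-003", "G0151", 40, 3), ("HHA-003", "G0151", 60, 5), ("HHA-003", "G0151", 50, 2),
    # Provider with implausibly long single-discipline visits (the OIG pattern).
    ("HHA-004", "G0151", 250, 3), ("HHA-004", "G0151", 300, 3), ("HHA-004", "G0151", 45, 2),
    ("HHA-004", "G0151", 270, 3),
    # Provider billing every visit at the highest level.
    ("HHA-005", "G0151", 45, 5), ("HHA-005", "G0151", 50, 5), ("HHA-005", "G0151", 40, 5),
    ("HHA-005", "G0151", 55, 5),
]

TOP_LEVEL = 5  # assumed highest billing level in this constructed data


def provider_profiles(claims):
    """Aggregate the per-provider statistics used for peer comparison."""
    by_provider = defaultdict(list)
    for provider, _code, minutes, level in claims:
        by_provider[provider].append((minutes, level))
    profiles = {}
    for provider, rows in by_provider.items():
        minutes = [m for m, _ in rows]
        levels = [lvl for _, lvl in rows]
        profiles[provider] = {
            "claims": len(rows),
            "mean_minutes": mean(minutes),
            "max_minutes": max(minutes),
            "top_level_share": sum(1 for lvl in levels if lvl == TOP_LEVEL) / len(levels),
        }
    return profiles


def screen_providers(claims, long_visit_minutes=240, duration_ratio=2.0,
                     top_level_share=0.8, min_claims=4):
    """Return {provider_id: [reason, ...]} for providers whose billing pattern
    departs from their peers. All thresholds are illustrative assumptions."""
    profiles = provider_profiles(claims)
    # Providers with very few claims produce noisy means; leave them out of
    # both the baseline and the screen rather than flag them on thin evidence.
    eligible = {p: s for p, s in profiles.items() if s["claims"] >= min_claims}
    if not eligible:
        return {}
    # Peer baseline is the median of provider means, so one extreme provider
    # cannot drag the baseline toward itself the way a mean would.
    peer_median_minutes = median(s["mean_minutes"] for s in eligible.values())
    flags = defaultdict(list)
    for provider, stats in eligible.items():
        if stats["max_minutes"] >= long_visit_minutes:
            flags[provider].append("long_visits")
        if stats["mean_minutes"] > duration_ratio * peer_median_minutes:
            flags[provider].append("mean_duration_vs_peers")
        if stats["top_level_share"] >= top_level_share:
            flags[provider].append("top_level_share")
    return dict(flags)


if __name__ == "__main__":
    for provider, reasons in sorted(screen_providers(CLAIMS).items()):
        print(provider, reasons)
```

On this data only HHA-004 (long visits, mean far above the peer median) and HHA-005 (every claim at level 5) are flagged; the screen says nothing about whether their documentation supports the billing, which is what the complex review is for.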
Internal and External Audits
Audits can be initiated from inside or outside an organization. Internal audits are run by a hospital’s own staff or quality team, often in preparation for an external review. They give organizations a chance to spot problems and fix them before an outside body arrives. Clinical audits carried out as a local initiative by healthcare professionals also fall into this category.
External audits are conducted by outside organizations to assess compliance with external criteria, such as accreditation, certification, or regulatory requirements. Research into how these audits work over time reveals an important pattern: externally initiated audits tend to create strong quality-improvement awareness at first, but their impact on actual improvement diminishes with each passing year. Organizations typically invest heavily to satisfy an initial accreditation visit and benefit from the resulting changes, but after three to ten years, the learning curve levels off. This suggests that external audits work best as a catalyst, not a long-term engine of improvement.
Do Clinical Audits Actually Improve Care?
The evidence is mixed but encouraging in specific areas. One study of internal patient safety audits in hospitals found that the rate of patients experiencing at least one adverse event dropped from 36.1% to 31.3% after auditing, and preventable adverse events fell from 5.5% to 3.6%. Those reductions sound meaningful, but they were not statistically significant within the 15-month follow-up period. What did improve significantly was medication safety and information security on clinical wards.
The takeaway is that a single audit cycle rarely transforms an organization overnight. Audits work best as part of an ongoing process where repeated cycles gradually tighten adherence to standards. The gains tend to show up in specific, targeted areas rather than across the board, which is why choosing the right audit topic matters so much.
How Patient Privacy Is Protected
Medical audits require access to patient records, which raises obvious privacy concerns. Under HIPAA, conducting or arranging for medical reviews, audits, or legal services (including fraud detection and compliance programs) is classified as a “health care operation.” Covered entities are permitted to use and disclose protected health information for their own treatment, payment, and health care operations activities without needing individual patient authorization. Quality assessment, performance evaluation, credentialing, and accreditation activities all fall under this same umbrella. The information accessed during an audit is still subject to all other HIPAA protections, including the minimum necessary standard, meaning auditors should only access the specific records, and the specific fields within them, relevant to the audit’s scope. Two practical consequences follow: an outside firm auditing on a covered entity’s behalf is a business associate and needs a business associate agreement before it sees any records, and the auditors’ own access should be logged, since the HIPAA Security Rule requires audit controls on systems that hold electronic protected health information.
How Audit Samples Are Selected
No audit reviews every single claim or patient record. Instead, auditors use statistical sampling to select a representative subset and extrapolate from it. In U.S. government audits, current guidelines recommend using the lower limit of a one-sided 90% confidence interval as the overpayment figure, which is conservative in the provider’s favor: the true total overpayment exceeds that limit with 90% confidence, so the amount demanded is unlikely to overstate what the provider owes.
Auditors often use stratified sampling, which separates the population of claims into smaller, more homogeneous groups (for example by paid amount or service type) before drawing samples from each group. Because the variance within each stratum is smaller than across the whole population, this approach can produce more precise estimates than pulling records at random. The specific sample size depends on the characteristics of the claims being reviewed, including how much variation exists in payment amounts across different service types. For financial audits, the goal is to balance the cost of reviewing records against the expected recovery, essentially optimizing the net gain from the audit within a set budget.
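The extrapolation described in the two paragraphs above, worked through as an added example (this is not CMS or OIG review software, and the per-claim overpayment figures are constructed). The first function projects a simple random sample onto its sampling frame with a finite population correction; the second does the same per stratum and combines the strata, whose variances add because they are sampled independently. Both return the point estimate and the lower limit of a one-sided interval. Using the normal approximation for the critical value is an assumption of this example; review tools commonly use Student’s t with the sample’s degrees of freedom, which gives a slightly lower limit for small samples.

```python
from math import sqrt
from statistics import NormalDist, mean, variance


def one_sided_z(confidence):
    """Critical value z with P(Z < z) = confidence; about 1.2816 at 90%.
    Normal approximation is an assumption here (see lead-in)."""
    return NormalDist().inv_cdf(confidence)


def extrapolate_srs(sample_overpayments, population_size, confidence=0.90):
    """Simple random sample: project the sampled overpayments onto the frame
    of `population_size` claims. Returns point estimate, standard error and the
    lower limit of a one-sided confidence interval."""
    n = len(sample_overpayments)
    N = population_size
    if n < 2 or n > N:
        raise ValueError("need at least 2 sampled units and n <= N")
    point = N * mean(sample_overpayments)
    fpc = 1 - n / N  # finite population correction: sampling without replacement
    se = N * sqrt(variance(sample_overpayments) / n * fpc)
    lower = point - one_sided_z(confidence) * se
    return {"point": point, "se": se, "lower_limit": lower}


def extrapolate_stratified(strata, confidence=0.90):
    """strata: {name: (stratum_population_size, [sampled overpayments])}.
    Each stratum is estimated separately; the stratum variances add."""
    point = 0.0
    var_total = 0.0
    for name, (N_h, sample_h) in strata.items():
        n_h = len(sample_h)
        if n_h < 2 or n_h > N_h:
            raise ValueError(f"stratum {name!r}: need 2 <= n_h <= N_h")
        point += N_h * mean(sample_h)
        var_total += N_h ** 2 * (1 - n_h / N_h) * variance(sample_h) / n_h
    se = sqrt(var_total)
    lower = point - one_sided_z(confidence) * se
    return {"point": point, "se": se, "lower_limit": lower}


# Constructed data, not from any real review: overpayment per sampled claim in
# dollars, 0 meaning the claim was paid correctly.
SRS_SAMPLE = [0, 0, 50, 0, 100, 0, 0, 150, 0, 0]
SRS_POPULATION = 1000  # claims in the sampling frame

# Stratified by paid amount: most claims are small and rarely overpaid, a few
# large claims carry most of the money, so they get their own stratum.
STRATA = {
    "paid_under_500": (900, [0, 0, 0, 20, 0, 0, 0, 0, 40, 0]),
    "paid_500_and_over": (100, [0, 300, 0, 500, 200]),
}

if __name__ == "__main__":
    print("simple random sample:", extrapolate_srs(SRS_SAMPLE, SRS_POPULATION))
    print("stratified:", extrapolate_stratified(STRATA))
```

On the constructed data the simple random sample projects to a point estimate of $30,000 but a lower limit near $8,300, because seven of ten sampled claims were clean and the three overpayments vary widely; a lower limit that comes out negative means the sample cannot support any demand at that confidence level, which is usually a sign the sample was too small or should have been stratified.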
Who Performs Medical Audits
Clinical audits are typically led by healthcare professionals within a department or hospital, sometimes with support from a dedicated quality improvement team. Financial and coding audits are often performed by certified professionals. The Certified Professional Medical Auditor (CPMA) credential, offered by the AAPC, requires at least two years of medical coding experience along with a solid understanding of medical terminology, anatomy, and pathophysiology. These auditors review medical records alongside the corresponding billing claims to verify that the codes submitted accurately reflect the documentation.
Large payer organizations like Medicare contract with specialized firms to handle audit work at scale. Recovery Audit Contractors operate across defined geographic regions, each covering multiple Medicare Administrative Contractor jurisdictions, creating a layered system where different organizations handle claims processing and claims review separately.