Is Your Home Care Agency Ready for a Medicaid Audit? Here's How to Find Out

Most home care agency owners don't think about Medicaid audits — until one lands on their doorstep. Then the scramble begins: digging through paper files, tracking down missing signatures, and hoping that the caregiver who left six months ago kept accurate visit notes. It's a stressful, expensive situation that can put your entire agency's revenue at risk.
Here's the reality: Medicaid audits are not rare, and they are not random. State Medicaid programs and their contracted auditors — including RACs (Recovery Audit Contractors) and MICs (Medicaid Integrity Contractors) — are actively looking for billing errors, documentation gaps, and compliance failures. In 2022 alone, the federal government recovered over $1.7 billion in Medicaid fraud, waste, and abuse. Home health and personal care agencies are consistently among the top audit targets.
The good news? With the right systems and habits in place, a Medicaid audit doesn't have to be a crisis. It can be a routine administrative process that your agency moves through with confidence. This guide walks you through exactly how to prepare — before the auditors come calling.
Understanding What Medicaid Auditors Are Actually Looking For

Before you can prepare for an audit, you need to understand what triggers one and what auditors scrutinize most closely. Home care agencies are typically flagged for audits based on billing patterns, complaint reports, or routine program integrity reviews.
When auditors arrive — whether in person or via a records request — they're typically examining:
- Authorization records: Does every billed service have a valid prior authorization? Is the authorization current and within the approved units?
- Plan of care documentation: Is there a physician-signed plan of care on file that supports the services rendered?
- Electronic Visit Verification (EVV) data: Do your EVV records show accurate visit start times, end times, and locations that match what was billed?
- Caregiver credentials: Are all caregivers properly trained, background-checked, and credentialed per your state's requirements?
- Visit notes and service logs: Do caregiver visit notes reflect the tasks completed and align with the authorized plan of care?
- Billing accuracy: Are the procedure codes, units, and dates of service on your claims accurate and supported by documentation?
The most common audit finding is not fraud — it's documentation that doesn't support billing. In other words, the service may have been delivered perfectly, but if the paperwork doesn't prove it, you may be required to repay those claims.
Step 1: Conduct an Internal Audit Before They Do

The single most powerful thing you can do to prepare for a Medicaid audit is to audit yourself first. Don't wait for a state contractor to identify your gaps — find them yourself and fix them proactively.
How to run an internal records audit:
- Pull a random sample of claims from the past 12 months — aim for at least 10-15% of your total Medicaid claims. Include a mix of high-dollar claims and routine visits.
- Cross-reference each claim against the supporting documentation: authorization, plan of care, EVV data, caregiver visit notes, and billing records.
- Flag any mismatches — missing signatures, expired authorizations, visit notes that don't match billed codes, or EVV data gaps.
- Document your findings and create a correction plan. For overpayments you identify, consult with a healthcare attorney about voluntary repayment options, which can significantly reduce penalties if an audit follows.
This kind of self-audit not only prepares you for external scrutiny — it often reveals billing inefficiencies that are costing your agency money right now.
Step 2: Get Your EVV Compliance Airtight
Electronic Visit Verification is no longer optional. The 21st Century Cures Act requires EVV for all Medicaid-funded personal care and home health services, and states have been rolling out enforcement with increasing intensity. Non-compliant EVV data is one of the fastest ways to trigger an audit — or fail one.
What EVV compliance actually means in practice:
- Every visit must be verified at the point of care — caregivers cannot clock in from the office or a client's driveway
- The six required EVV data elements must be captured: type of service, individual receiving service, date of service, location, caregiver identity, and start/end times
- Your EVV data must be transmitted to your state's aggregator in the required format and on the required schedule
- Rejected or unverified visits must be resolved promptly — a backlog of unverified visits is a red flag for auditors
Platforms like BridgeCare OS have built-in EVV that automatically captures all required data elements and integrates with state aggregators, so your compliance isn't dependent on manual processes or caregiver memory.
Step 3: Standardize Your Documentation Processes
Inconsistent documentation is one of the most preventable audit risks. When every caregiver documents visits differently — or when some aren't documenting at all — you create a patchwork of records that falls apart under scrutiny.
Build a documentation standard that includes:
- Templated visit notes that prompt caregivers to document specific tasks, client status observations, and any incidents or changes in condition
- Required fields for every visit record — no visit should be closeable in your system without the essential documentation elements
- Real-time documentation — encourage or require caregivers to complete notes at the point of care, not hours or days later
- Supervisor sign-off protocols for high-risk clients or complex cases
- Clear policies on late documentation — late is better than never, but you need a process for handling and flagging it
"Documentation is the language of compliance. If it isn't written down, it didn't happen — and if it didn't happen on paper, you could be paying back money for services you absolutely delivered."
Step 4: Keep Authorization Tracking Front and Center
Billing beyond authorized units is one of the most common — and costly — Medicaid audit findings. It often happens not because of intentional fraud, but because agencies lose track of where they are in the authorization cycle, especially when managing dozens or hundreds of clients simultaneously.
Best practices for authorization management:
- Maintain a master authorization log with start dates, end dates, authorized units, and units used to date
- Set internal alerts when a client reaches 80% of their authorized units — this gives you time to request a renewal before you accidentally bill beyond the limit
- Never schedule services beyond the authorization period without written confirmation of renewal
- Keep copies of every authorization document in the client's record, dated and easily accessible
- Reconcile authorizations against billing at least monthly
Authorization management is one area where having an integrated home care platform pays for itself quickly. When your scheduling, billing, and authorization tracking live in the same system, over-authorization billing becomes nearly impossible.
Step 5: Organize Your Physical and Digital Records for Quick Retrieval
When a Medicaid audit request arrives, you typically have a short window — often 10 to 30 days — to produce the requested records. If your documentation is scattered across email threads, paper files, and multiple software platforms, meeting that deadline becomes an emergency.
Organize your records so you can respond in hours, not weeks:
- Maintain a complete, organized digital record for every active and recently discharged Medicaid client
- Each client file should contain: signed intake forms, plan of care, all authorizations, caregiver assignment history, all visit notes, incident reports, and billing records
- Store records for at least 7 years (10 years is safer for Medicare/Medicaid services in many states)
- Back up all digital records regularly and ensure they are accessible in a readable format — auditors will not accept records they can't open
- Designate one person in your agency as the audit response coordinator, responsible for knowing where everything is
Step 6: Train Your Team on Audit Readiness
Audit preparedness is not just an owner or administrator responsibility. Your caregivers, schedulers, and billing staff all play a role in creating the documentation trail that either protects you or exposes you.
Incorporate audit readiness into your regular training by covering:
- Why accurate documentation matters — and what the consequences of gaps can be
- How to complete visit notes that are specific, timely, and aligned with the plan of care
- The importance of accurate EVV clock-in/clock-out procedures
- How to report and document incidents, changes in client condition, and missed visits
- What to do if a state auditor contacts them directly (generally: be polite, take notes, and refer them to agency administration)
Step 7: Build a Relationship With a Healthcare Compliance Advisor
No software platform or internal checklist replaces expert legal and compliance guidance. If your agency bills more than $500,000 per year in Medicaid, consider retaining a healthcare attorney or compliance consultant for at least periodic reviews. They can help you:
- Interpret your state's specific Medicaid provider manual requirements
- Respond appropriately if you receive a formal audit notice
- Navigate voluntary disclosure if your internal audit uncovers overpayments
- Develop a formal compliance program — which can serve as a mitigating factor if violations are found
What to Do If You Receive an Audit Notice
Even with perfect preparation, audit notices happen. If yours arrives:
- Don't panic — acknowledge receipt promptly and note all deadlines
- Contact a healthcare attorney immediately before responding to anything
- Preserve all records relevant to the audit period — do not delete or modify anything
- Pull the requested records and review them internally before submitting
- Respond completely and on time — missing deadlines can result in automatic repayment demands
- Document every interaction with auditors, including dates, names, and what was discussed
Compliance Is a Daily Practice, Not a One-Time Event
The agencies that sail through Medicaid audits aren't lucky — they're disciplined. They've built systems, habits, and cultures that make accurate documentation and billing the default, not the exception. They've invested in technology that captures compliance data automatically, so their team isn't manually tracking authorizations on spreadsheets or chasing down visit notes after the fact.
If you're ready to build that kind of compliance infrastructure for your agency, BridgeCare OS brings scheduling, EVV, billing, and client documentation into one HIPAA-compliant platform — so you always have the records you need, when you need them. Start your 14-day free trial today and see how much easier compliance can be when your systems are working together.
A Medicaid audit doesn't have to be your worst nightmare. With the right preparation, it can be the moment your agency proves just how well it's run.
Ready to modernize your home care agency?
BridgeCare OS unites scheduling, EVV, billing, and family transparency on one platform. Start your 14-day free trial — no credit card required.
Start Free Trial →