Most dermatology practices think a CMS audit begins when the envelope arrives. By then, it has been underway for months.
What actually triggers it is a comparative report — a spreadsheet — where your billing utilization sits next to every other dermatology practice in your Medicare jurisdiction. Inside the peer band, nothing happens. Outside it, you get an educational letter. Then a Comparative Billing Report (CBR). Then, if the pattern holds, a Targeted Probe and Educate (TPE), a CERT review, or a UPIC investigation. Each step is a chance to course-correct that most practices either don’t see or don’t take.
We’ve watched this play out across the practices we run billing for. The audit risk isn’t random. It’s an arithmetic outlier flag in a comparative table you can’t see and your billing team isn’t watching.
What CMS Actually Sees
CMS evaluates dermatology utilization against peers in the same specialty and Medicare jurisdiction. Two recent comparative reports we’ve reviewed for clients:
Mohs surgery, CPT 17311. One provider billed 129 Mohs procedures per 100 Medicare beneficiaries. Peers in the same jurisdiction averaged 118. A 9.3% gap was enough to generate an educational letter recommending self-audit. The same provider had received a similar letter in an earlier period — CMS tracks trend, not single quarters.
Established patient Level 4 visits, CPT 99214. A different provider billed 431 of these per 100 patients. The peer average was 171. The 2.5× ratio triggered a comparative analysis and a recommendation to review billing practices.
Neither letter accuses the provider of fraud. They explicitly don’t. They are the system telling you, in writing, that your utilization is far enough outside the band that a closer look is warranted. The educational letter is the spreadsheet flag becoming visible.
The CERT Data Tells You Why Most Defenses Fail
When a comparative outlier turns into an actual record review — most commonly through a CERT review — what kills the defense isn’t the procedure choice. It’s the documentation. CMS’s published CERT findings break down improper payments as follows:
- 63.4% — incorrect coding
- 20.1% — missing documentation
- 16.5% — insufficient documentation
Add the last two: 36.6% of improper payments are documentation failures, not coding failures. A practice can have a defensible procedure pattern and still lose the record review because the documentation doesn’t demonstrate the medical necessity the codes implied.
The EMR Template Gap
This is the part most providers don’t see until it’s too late.
A dermatologist in a Level 4 follow-up visit might genuinely evaluate multiple chronic conditions, review pathology reports, modify prescription medications, discuss treatment risks, and coordinate follow-up across providers. That’s real Level 4 work, clinically.
But the EMR template might generate a note that reads:
“Patient seen for follow-up. Assessment completed. Treatment discussed. Follow-up in three months.”
To the clinician, the encounter happened. To the CMS reviewer pulling that chart in an audit two years later, none of the Medical Decision Making complexity is documented. Multiple chronic conditions being managed: not in the note. Prescription drug management: not in the note. Risk associated with treatment decisions: not in the note. Data reviewed: not in the note.
The reviewer is not allowed to assume what was considered. A 99214 can be clinically correct and audit-indefensible at the same time — not because the work wasn’t done, but because the note doesn’t prove it was.
This is the gap that produces most CERT denials. The EMR template optimizes for clinical recording, not audit defensibility. Without explicit modification, a derm practice running through a high volume of Level 4 visits is building up a chart history that won’t survive a comparative-outlier review. The 2021+ E/M framework rebuilt level selection around MDM specifically because the old time-and-bullet approach let too many under-documented charts through.
What Actually Defends a Chart
Documentation that survives a CMS audit shares a few traits. None of them require longer notes — just more deliberate ones.
Make the MDM elements visible. If three chronic conditions were managed, name them. If two prescriptions were modified, note which ones and why. If pathology was reviewed and interpreted, document the finding and the decision it drove. The MDM framework is the language CMS uses to evaluate complexity. Speak it.
Document the risk explicitly. Treatment risk is one of three MDM pillars. A note that lists what was prescribed without mentioning risk profile gives the auditor nothing to weigh. One sentence — “discussed scarring, infection risk, and post-procedure care” — meets the requirement.
Note what data was reviewed. Pathology slides, prior images, outside records, lab results — if any of it was reviewed, the note should say so. Reviewing data and independently interpreting it is a Category 2 element under the 2021 E/M framework.
Document why the encounter required this level. The hardest one, and the one EMR templates skip. A single sentence — “Required Level 4 due to chronic management of three conditions, prescription changes, and pathology interpretation” — gives the reviewer the bridge between the work and the code.
What to Actually Do
If your practice hasn’t received a CBR or educational letter yet, the prevention window is open. If you have received one, the window is open but narrower.
- Pull your utilization data and compare it to peer benchmarks. Your billing team or RCM partner can pull it; CMS publishes specialty-level data. If your 99213/99214 ratio, Mohs utilization, biopsy frequency, or modifier usage sits more than ~15% outside peer norms in your jurisdiction, you are in the band where comparative outreach starts.
- Audit your last 25 highest-level visit notes against the 2021 E/M framework. Specifically: does the MDM section explicitly support the level billed? Most practices find that 5–10 of the 25 don’t, despite the underlying clinical work justifying the code.
- Strengthen documentation templates at the EMR level. Build the MDM language into structured fields so the supporting elements are populated by default. Don’t rely on clinicians to remember audit language under time pressure.
- If you’ve received a CBR or educational letter, respond to it. Do the self-audit it recommends. The fact that you took the recommendation seriously is part of what shapes whether a TPE follows.
Compliance Is Not Billing Less
The reflex when a CBR arrives is to bill more conservatively — drop a level on E/M visits, scale back utilization, hope the next comparison brings you back to the band. That’s the wrong move.
The right move is to bill for what was actually done and make the documentation reflect it. Most providers we audit aren’t billing wrong — they’re documenting incompletely. Closing that gap protects revenue and defensibility at the same time. Billing less just gives up revenue you earned and trains the practice to under-document going forward, which compounds the problem.
By the time the audit letter arrives, the opportunity to prevent it has passed. The opportunity opens every time a chart is documented. Practices that treat documentation as the first step of audit defense — not the last step of patient care — collect everything they earn, every year, regardless of who else gets a letter.
Want to See Your Comparative Position?
If you’ve received a CBR or want to understand where your practice sits in the peer band before one arrives, our Revenue Integrity team can pull your utilization profile and audit the last 25 E/M notes against the 2021 framework. Usually within five business days.

