Specialty Compliance

DME Documentation Requirements: Surviving a DMEPOS Audit

8 min read · Last reviewed May 23, 2026

DMEPOS documentation is governed by the supplier standards at 42 CFR § 424.57, the medical-review procedures in CMS Pub. 100-08 Chapter 5, and the LCD/policy article for each HCPCS category. UPIC, SMRC, RAC, and TPE audits sample DMEPOS claims more frequently than almost any other Medicare category. The exposure is real: a typical DME audit produces 15-30% denial rates and recoupment demands that can exceed the practice's quarterly revenue.

What CMS actually requires for a DMEPOS supplier

The DMEPOS Supplier Standards at 42 CFR § 424.57(c) enumerate 30 standards a supplier must meet to bill Medicare. The core operational standards a documentation program must support:

  • Maintain accreditation by a CMS-approved accreditation organization under 42 CFR § 424.57(c)(22) — three-year cycle, on-site survey by an approved AO
  • Hold a surety bond of $50,000 per location under 42 CFR § 424.57(c)(26)
  • Operate from a physical facility on an appropriate site under 42 CFR § 424.57(c)(7)
  • Maintain a complaint resolution process under 42 CFR § 424.57(c)(21), with written records of every complaint and resolution
  • Submit only claims for items the supplier provided directly and meets the medical-necessity documentation for under 42 CFR § 424.57(c)(11)

The medical-review framework lives in CMS Pub. 100-08 (Program Integrity Manual). Chapter 5 governs DMEPOS-specific medical review. Chapter 3 governs general medical-review principles. Chapter 4 governs benefit-specific procedures.

What DME practices most often miss is the relationship between the LCD, the policy article, and the SWO. The Local Coverage Determination defines the medical-necessity criteria for the HCPCS category. The policy article (separate document published with the LCD) defines the documentation required to prove those criteria are met. The SWO must reflect the ordering provider's clinical determination that the LCD criteria are satisfied. A claim where the SWO is on file but the underlying chart documentation does not support the LCD criteria will deny on review.

The documents you must maintain

A DMEPOS supplier audit binder should produce, per claim, on demand:

  • Standard Written Order (SWO) under 42 CFR § 410.38(d) — beneficiary, date, item description, prescribing provider NPI, signature
  • Detailed Written Order (DWO) where required by the LCD — itemized order with quantity, frequency, duration
  • Proof of Delivery (POD) meeting 42 CFR § 424.57(c)(12) — beneficiary signature, date, HCPCS or item description, address
  • Medical records from the treating provider supporting the LCD coverage criteria for the specific HCPCS
  • Continuing medical-need documentation where the item is rented or has a defined coverage interval (e.g., CPAP compliance documentation under the LCD for E0601)
  • ABN (Advance Beneficiary Notice) under Form CMS-R-131 where item-coverage is uncertain
  • Refund and complaint log under 42 CFR § 424.57(c)(21) — every complaint logged, investigated, resolved, documented
  • Supplier file with the accreditation certificate, surety bond, NPI verification, all owner/managing employee CMS-855S elements
  • Inventory tracking from receipt through dispense, supporting the 42 CFR § 424.57(c)(7) physical-facility standard

Retention: seven years from claim payment date. Some state Medicaid programs require longer.

How DMEPOS audits actually work

Five entities audit DMEPOS claims:

  1. DME MACs (Noridian Jurisdictions A and D; CGS Jurisdictions B and C) conduct Targeted Probe and Educate (TPE) under CMS Pub. 100-08 Chapter 3. TPE samples 20-40 claims per provider per round, returns findings, requires education, and can refer to RAC/UPIC for severe issues.
  1. UPICs (Unified Program Integrity Contractors) conduct fraud investigations under 42 CFR § 421.300 et seq.. UPICs can request medical records, conduct on-site visits, and refer to OIG or DOJ. Recoupment can be extrapolated under CMS Pub. 100-08 Chapter 8.
  1. RACs (Recovery Audit Contractors) conduct post-payment review under CMS Pub. 100-08 Chapter 5. RAC findings can be appealed through the standard five-level Medicare appeals process.
  1. SMRC (Supplemental Medical Review Contractor) conducts medical-record-only review under CMS Pub. 100-08 Chapter 6. SMRC does not recoup; it refers to RAC or UPIC.
  1. CERT (Comprehensive Error Rate Testing) samples claims annually to produce the Medicare improper-payment rate. CERT findings often drive RAC and UPIC targeting for the next cycle.

What we have seen drive DME audit denials, in order:

  • Missing or insufficient face-to-face evaluation documentation supporting the LCD criteria. The SWO is on file, the chart note exists, but the chart does not document the specific criteria the LCD requires.
  • POD missing the beneficiary signature or showing a signature where a shipping log was the only delivery evidence.
  • SWO predating the face-to-face evaluation — the order was written before the provider documented the medical necessity.
  • Item-quantity mismatch between SWO, claim, and POD.
  • Continuing medical-need documentation missing for rentals or capped-rental items at the renewal interval defined in the LCD.
  • ABN missing for items where Medicare coverage was uncertain and the supplier billed Medicare anyway.

Common gaps unique to DMEPOS

The gaps we see most often in DME audit defense:

  • Accreditation lapse during a renewal cycle — the supplier kept billing during a gap.
  • Surety bond expiration not tracked. Surety expiration triggers automatic revocation under 42 CFR § 424.57(c)(26).
  • CMS-855S not updated within 30 days of an ownership change, address change, or managing-employee change. This is a 42 CFR § 424.516 violation independent of documentation issues.
  • Treating physician clinical records held by the prescribing physician but never retrieved into the supplier file. The supplier owns the burden of producing all supporting records under 42 CFR § 424.516.
  • Telehealth-originated SWOs without the additional documentation required when face-to-face was conducted via telehealth.
  • POD delivered to a third-party shipping address (e.g., a relative's address) without documenting why and obtaining proper signature authority.
  • Complaint log treated as a generic customer-service log instead of the supplier-standard log required by 42 CFR § 424.57(c)(21).

Maintenance cadence

  • At every dispense: SWO on file before delivery (or before claim, depending on item category), POD signed and dated, item-quantity verified, ABN issued if coverage uncertain.
  • Monthly: Sample 10-20 dispensed claims for SWO, POD, and supporting chart documentation completeness. Review the complaint log and verify every complaint has a documented resolution.
  • Quarterly: Reconcile inventory; review denied claims by reason; refresh staff training on any LCD changes published in the quarter.
  • At each LCD revision: Update the supplier's internal documentation checklist for that HCPCS category. The DME MACs publish LCD revisions on a defined schedule.
  • Annually: Re-verify accreditation expiration date (target 90 days before expiration to start the renewal), surety bond status, CMS-855S accuracy, and all owner/managing-employee elements.
  • Every three years: Accreditation renewal survey by the AO.
  • Always: When an audit letter arrives, the seven-year retention file produces the requested claim documentation within the audit response window (typically 30-45 days for TPE/RAC, with extensions available).

State preemption to watch

State Medicaid DME programs layer additional documentation on top of Medicare DMEPOS:

  • California: Medi-Cal DME has its own Treatment Authorization Request (TAR) process under DHCS rules; HCPCS coverage often differs from Medicare.
  • Texas: Texas Medicaid DME requires prior authorization on most HCPCS through TMHP; documentation retention is 5 years for Texas Medicaid, but Medicare's 7-year DMEPOS rule controls when both apply.
  • New York: Medicaid DME prior-authorization through eMedNY; documentation rules in 18 NYCRR Part 504 and Medicaid manuals.
  • Florida: Florida Medicaid DME uses the Florida Medicaid Provider General Handbook; AHCA conducts its own DME audits independent of Medicare contractors.

Suppliers billing both Medicare and Medicaid maintain documentation to the stricter standard.

How d3rx fits

The d3rx compliance binder includes a DMEPOS section that names the SWO and POD templates, the LCD-by-HCPCS-category documentation matrix, the complaint log, the supplier-standards checklist tied to 42 CFR § 424.57, and the audit-response workflow for TPE, RAC, UPIC, and SMRC requests. See the compliance binder overview or the audit defense surface for the broader audit-response structure.

D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversDME Documentation Requirements: Surviving a DMEPOS Audit. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

What is a Standard Written Order (SWO) and when does it have to be on file?

The SWO requirements are codified at [42 CFR § 410.38(d)](https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-410/subpart-B/section-410.38) and implemented through CMS Pub. 100-08 Chapter 5. The SWO must include the beneficiary name, order date, item description, prescribing provider's NPI, and provider signature. For most DMEPOS items the SWO must be received by the supplier before delivery or claim submission, except for certain dispensed items where the SWO can be received before claim submission. The exact pre-delivery vs. pre-claim distinction depends on the item category.

What is Proof of Delivery (POD) and what specifically must it show?

POD requirements live in CMS Pub. 100-08 Chapter 4 Section 4.26 and the DMEPOS supplier standards at [42 CFR § 424.57(c)(12)](https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-D/section-424.57). POD must include the beneficiary's name, delivery address, HCPCS code(s) or narrative description, item quantity, delivery date, and the signature of the beneficiary or designee. Direct-to-beneficiary deliveries require a signature. Shipping-company deliveries require the shipping log plus a delivery confirmation. POD must be retained for 7 years.

How long must I retain DMEPOS documentation?

Seven years from the date the claim was paid, under the DMEPOS supplier standard at [42 CFR § 424.57(c)(7)](https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-D/section-424.57) and the CMS retention guidance. Many practices misremember as 6 years (the False Claims Act lookback) — DMEPOS specifically requires 7. Some state Medicaid programs require longer.

What triggers a UPIC or SMRC audit on a DME supplier?

Pattern signals in the CERT or RAC findings, beneficiary complaints, OIG referrals, claims data anomalies (high denial rates, unusual volume per HCPCS), or accreditation-organization referrals. The UPICs operate under [42 CFR § 421.300 et seq.](https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-421/subpart-G) and have broad investigative authority. The SMRC operates under CMS Pub. 100-08 Chapter 6 and conducts medical-review-only audits without immediate recoupment authority.

If a DMEPOS supplier number is revoked, can I still bill?

No. A revocation under [42 CFR § 424.57(d)](https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-D/section-424.57) terminates Medicare billing authority effective on the revocation date, and the reenrollment bar is set under [42 CFR § 424.535(c)](https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-D/section-424.535) — typically 1 to 10 years depending on the basis. (42 CFR § 424.530 is the enrollment-application denial regulation, not the revocation reenrollment-bar provision.) Claims with dates of service before the revocation can still be billed if filed within timely-filing limits, but reenrollment after revocation is lengthy and the supplier must satisfy § 424.535(c).

Are accreditation organizations the same as the DME MAC?

No. The DME MACs (Noridian, CGS) process claims and conduct medical review. Accreditation organizations (BOC, ABC, ACHC, others) certify that suppliers meet the DMEPOS Quality Standards under [42 CFR § 424.57(c)(22)](https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-D/section-424.57). Accreditation is required to bill Medicare; the accrediting organization conducts its own surveys on a three-year cycle independent of the DME MAC.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 42 CFR § 424.57https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-D/section-424.57
  2. CMS Pub. 100-08 (Program Integrity Manual)https://www.cms.gov/regulations-and-guidance/guidance/manuals/internet-only-manuals-ioms-items/cms019033
  3. 42 CFR § 410.38(d)https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-410/subpart-B/section-410.38
  4. Form CMS-R-131https://www.cms.gov/medicare/forms-notices/cms-forms
  5. 42 CFR § 421.300 et seq.https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-421/subpart-G
  6. 42 CFR § 424.516https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-D/section-424.516
  7. 18 NYCRR Part 504https://regs.health.ny.gov/

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides