UPIC and ZPIC Audits Defense: What Healthcare Providers Need to Know

Zone Program Integrity Contractors (ZPICs) and Unified Program Integrity Contractors (UPICs) are federal contractors who work under the direction of the Centers for Medicare and Medicaid Services (CMS) to uncover fraudulent billings under Medicare. CMS recently overhauled its audit contractor program and replaced ZPICs with UPICs. However, some ZPICs are still operating at this time, and for the foreseeable future, the acronyms ZPIC and UPIC will likely be used interchangeably in the healthcare sector.

ZPICs and UPICs have broad authority to conduct audits of Medicare-participating healthcare providers. After completing audits that result in findings of noncompliance, they can directly impose sanctions and/or refer providers to CMS or the U.S. Department of Justice for further enforcement action.

“ZPIC and UPIC audits present significant risks for healthcare providers. ZPIC and UPIC auditors’ determinations are often misguided, and this makes it particularly important for providers to engage and defend themselves during the audit process.“ – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

Technically, ZPICs and UPICs are tasked with identifying both overpayments and underpayments. Their “integrity” function ensures that CMS and the providers that bill Medicare achieve fair outcomes. However, as “fee for service” contractors working with CMS, ZPICs, and UPICs are only financially incentivized to identify overpayments and seek recoupments—and this means that ZPIC and UPIC audits typically focus solely on determining whether these contractors can make accusations of Medicare fraud.

How ZPICs and UPICs Choose Which Healthcare Provider to Audit

ZPICs and UPICs choose healthcare providers to audit through four primary means. When facing a UPIC or ZPIC audit process, understanding what triggered the audit can be important for developing an informed defense strategy and determining what other measures (i.e. an internal Medicare compliance audit) may be necessary. The four primary triggers for ZPIC and UPIC audits are:

• Data Analytics – ZPICs and UPICs rely heavily on data analytics to identify health care providers to audit. During billing data analysis, they look for outliers such as a high volume of billings for a particular service or lengths of stay outside of industry standards—which suggest that a provider might be overbilling Medicare. Of course, it is entirely possible (and often the case) that a provider’s “abnormal” billing practices are simply a result of the unique aspects of its practice.
• “Benefit Integrity” Investigations – ZPICs and UPICs also conduct “benefit integrity” investigations to identify circumstances where invasive audits are warranted. Typically, this involves interviewing Medicare beneficiaries and analyzing billing data for individual providers. The problems (or some of the problems) with this approach are that (i) patients are not experts on the Medicare billing regulations, and (ii), as indicated above, data don’t often tell the whole story about providers’ billing practices.
• Complaints from Patients and Employees - Similar to federal investigative agencies, ZPICs, and UPICs rely on members of the public to help them identify possible audit targets. In addition to conducting beneficiary interviews, ZPICs and UPICs also accept complaints from providers’ patients and their current and former employees. Again, however, patients typically don’t have a clear understanding of what is and isn’t permissible, and employees who file complaints typically have personal motives for doing so.
• Referrals from Federal Authorities – ZPICs and UPICs may also receive referrals from CMS and other federal authorities that have identified possible instances of federal Medicare fraud charges. While multiple federal agencies conduct healthcare billing fraud investigations, in some cases, they will determine that a ZPIC or UPIC audit should be sufficient to recoup any potential overpayments and remedy any billing issues going forward.

The ZPIC Audit and UPIC Audit Processes

ZPICs and UPICs conduct three types of audits – automated, semi-automated, and complex – and the procedures involved in each type are different. As you can probably tell from the names, some audits are more involved than others; however, all audits present the same risks, meaning that providers must devote the same effort to defending against all types of ZPIC and UPIC audits.

1. Automated ZPIC and UPIC Audits

Automated audits involve reviewing the billing data that a medical provider, including home health agencies and durable medical equipment (DME) companies has already submitted to Medicare. These audits typically result from ZPICs’ and UPICS’ data analytics rather than external triggers. During an automated audit, ZPIC or UPIC personnel simply review the provider’s billing data and then issue a determination. To prevent an unwarranted adverse determination (more on this below), a provider facing an automated audit should seek to intervene at the first available opportunity and insert itself into the audit process.

2. Semi-Automated ZPIC and UPIC Audits

During a semi-automated audit, ZPIC or UPIC personnel review the provider’s billing data submitted to Medicare and seek additional documentation from the provider. While providers must comply with ZPICs’ and UPICs’ documentation requests by the pertinent Medicare rules, this does not necessarily mean that providers must comply wholesale. Frequently, ZPIC and UPIC auditors will request voluminous records that providers are not required to disclose, and preventing unwarranted recoupment demands will start with making sure that the scope of the audit is appropriately limited.

3. Complex ZPIC and UPIC Audits

Complex audits involve document requests and often in-person reviews of providers’ billing records and practices. These audits typically result from verified complaints and referrals from federal authorities. Frequently, these audits will focus on allegations of one or more pervasive issues—such as billing without evidence of medical necessity or for non-reimbursable services. However, they can also target providers whose billing records suggest a lack of detailed compliance program and procedure or a culture of non-compliance.

Common Issues and Defenses During ZPIC and UPIC Audits

When undergoing ZPIC and UPIC audits, healthcare providers must monitor for various issues that can lead to unwarranted recoupments and other penalties. Unfortunately, this is a common problem during ZPIC and UPIC audits, and healthcare providers must actively defend themselves to minimize their risk of facing unjustified demands. Some examples of common issues and defenses during ZPIC and UPIC audits include:

• Demands for Records that Aren’t Subject to Disclosure – To uncover as many unauthorized billings as possible, ZPICs and UPICs will often request voluminous records from healthcare providers. However, providers often are not required to disclose all requested medical records. Once a provider discloses records, however, then those records become fair game for the ZPIC’s or UPIC’s auditors. As a result, providers must be extremely careful to ensure that they are only disclosing the records that they are legally required to disclose.
• Review of Billings that Are No Longer Subject to Review – Providers’ Medicare billings are not subject to review indefinitely. If a ZPIC or UPIC attempts to review billings that are no longer subject to review, then the provider should seek to put a stop to these efforts as well. While it may be possible to avoid invalid recoupment demands through the appeals process, it is far more efficient and less risky to prevent these demands during the audit process.
• Reliance on Outdated Medicare Billing Rules and Regulations – The Medicare billing rules and regulations change frequently. While ZPIC and UPIC auditors should remain up to date on the latest rules and regulations, they often fall behind. Reliance on outdated Local Coverage Determinations (LCDs), National Coverage Determinations (NCDs), and Medicare Policy Benefit Manual (MPBM) versions are common issues during ZPIC and UPIC audits.
• Applying Current Rules and Regulations to Past Billings – ZPIC and UPIC auditors also commonly make the mistake of applying the current Medicare billing rules and regulations to providers’ past billings. Billings are subject to the rules that are in place at the time they are submitted to Medicare, and providers cannot be held responsible for violating rules that were not in force at the relevant time.
• Reliance on Flawed Auditing Methodologies—Even if ZPIC or UPIC auditors rely on the right set of rules and regulations, they can still come to flawed conclusions by relying on flawed methodologies. In fact, this is perhaps the most common issue that leads to unwarranted recoupment demands during ZPIC and UPIC audits. With this in mind, providers need to engage experienced ZPIC/UPIC audit defense counsel to oversee the audit process and identify any flaws in real-time.

The Appeals Process for Unfavorable ZPIC Audit and UPIC Audit Determinations

If a ZPIC or UPIC audits your healthcare business or practice and imposes recoupments, pre-payment review, or other penalties, what’s next? There is a five-stage appeals process for ZPIC and UPIC audits—only the last of which involves finally taking the ZPIC or UPIC to court.

The first stage of the ZPIC/UPIC audit appeals process is “redetermination.” Once a ZPIC or UPIC determines, the provider has 120 days to file a request for redetermination with its Medicare Administrative Contractor (MAC).

If the MAC agrees with the ZPIC or UPIC, the next stage is “reconsideration.” Providers have 180 days to request reconsideration of a MAC’s redetermination. Requests for reconsideration are filed with Qualified Independent Contractors (QICs).

After reconsideration, the next stage is to request a hearing before an administrative law judge (ALJ). These requests must be filed within 60 days of reconsideration, and ALJs have 90 days to issue a decision following the hearing. If the ALJ affirms the penalties imposed, the provider can seek review from the Medicare Appeals Council, and then the final stage is to seek redress in federal district court.

As you can see, the appeals process for ZPIC and UPIC audits is onerous, and it can easily take a year or longer to run its course. As a result, rather than relying on appeals, it is a far better approach to seek to prevent an unfavorable determination in the first place. This requires a proactive approach, and the first step is to engage defense counsel at the first sign of a ZPIC audit or UPIC audit.

Preparing for Success When Facing a ZPIC Audit or UPIC Audit

With all of this in mind, what can (and should) healthcare providers and businesses do to prepare for success when facing a ZPIC or UPIC audit? Some of the key steps for avoiding unnecessary adverse outcomes include:

• Promptly Locate the Business’s or Practice’s Medicare Compliance Documentation – The ZPIC’s or UPIC’s auditors will likely request access to your business’s or practice's Medicare compliance documentation. It is important to have this documentation readily available—not only to provide it to ZPIC or UPIC personnel if necessary but also to review it to assess your business’s or practice’s compliance.
• Conduct an Internal (and Attorney-Client Privileged) Medicare Billing Compliance Assessment – Providers and businesses should not assume that a ZPIC’s or UPIC’s findings will be accurate. Instead, they should promptly conduct an internal Medicare billing compliance assessment upon learning of an impending audit. Working with legal counsel during this process will help ensure not only that your conclusions are accurate but that the attorney-client privilege protects them.
• Be Actively Involved from the Outset of the ZPIC Audit or UPIC Audit Process – Targeted healthcare providers and businesses need to play an active role in the audit process from its earliest stages. Intervening in the process to ensure that auditors do not overreach or reach flawed conclusions is essential.
• Avoid Making Any Assumptions About Compliance – Providers and businesses facing ZPIC and UPIC audits must avoid making assumptions about compliance. This applies not only to their own Medicare billing compliance record but to auditors’ compliance with the relevant auditing rules and Medicare billing guidelines as well.
• Rely on the Advice and Representation of Experienced Legal Counsel - Relying on the advice and representation of experienced legal counsel is essential when facing a ZPIC or UPIC audit. Healthcare providers and businesses facing audits should promptly engage a healthcare defense law firm whose attorneys have extensive experience representing clients in both audits and appeals.