UPIC Claims Audits of Medicare Services are Underway! Are You Ready?

UPIC Claims Audits

(Updated March 20, 2020): Historically, the Centers for Medicare and Medicaid Services (CMS) has relied on a network of private contractors to handle the program integrity functions for both the Medicare and Medicaid programs. Over the years, these private contractors have taken on increasingly significant roles in the detection and audit of instances of fraud, waste and abuse in the Medicare and Medicaid programs. This article examines several of the program integrity contractors currently liable to audit your claims. These contractors include Unified Program Integrity Contractors (UPICs), Medicare Drug Integrity Contractor (MEDICs) and Supplemental Medical Review Contractors (SMRCs).

I. Early Historical Background of Fiscal Intermediaries (FIs) and Carriers:

The Medicare and Medicaid program were first enacted into law on July 30, 1965 by President Lyndon B. Johnson. When the programs were subsequently implemented in 1966, the government chose to use private health care payors to process the claims of Medicare beneficiaries. Private entities were awarded contracts to serve as “Fiscal Intermediaries” and “Carriers.” Fiscal Intermediaries were responsible for handling Part A claims. Generally, Part A claims include those associated with hospital care, skilled nursing facility care, non-custodial nursing home care, hospice care and home health services.[1] In contrast, Carriers were responsible for handling Part B claims. Unlike Part A, Medicare Part B covers a wide variety of medically necessary outpatient care and treatment services.[2] It also covered a number of preventative services. Additionally, Medicare Part B covers certain types of supplies and durable medical equipment. Until 2003, Fiscal Intermediaries and Carriers were responsible for fulfilling a number of Medicare program education, administrative processing and program integrity roles. As described below, upon the enactment of the Medicare Modernization Act (MMA) the duties and responsibilities of Fiscal Intermediaries and Carriers were assumed by Medicare Administrative Contractors (MACs).

II. Historical Background of Medicare Program Integrity Efforts:

Prior to 1996, funding for Medicare program integrity activities was included in Medicare’s general administrative budget. As such, it had to “compete,” so to speak, with all of the claims-related education and processing programs paid for out of Medicare’s general administrative budget. As you can imagine, this led to a variety of budgetary conflicts and counterproductive competition between programs to obtain an appropriate share of available program integrity funding. The General Accounting Office (GAO) issued reports in 1993 and 1995 calling for separate, dedicated funding for Medicare program integrity activities.[3]

III. Passage of Health Insurance Portability and Accountability Act (HIPAA) of 1996 – Establishment of Program Safeguard Contractors (PSCs):

On August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted into law. While HIPAA is practically synonymous with medical privacy among both lay persons and most health care providers, law enforcement’s view of the statute was quite different. Under HIPAA, both the Department of Justice (DOJ) and the Department of Health and Human Services (HHS), Office of Inspector General (OIG) received sizeable, recurring funding that was to be used solely for the investigation and prosecution of cases involving health care fraud, waste and abuse.

Among its many provisions, HIPAA also established the Medicare Integrity Program (MIP). The MIP was created in an effort to further enhance the ability of the Health Care Financing Administration (HCFA) to detect and deter fraud, waste and abuse in the Medicare program. HCFA (later renamed the Centers for Medicare and Medicaid Services (CMS))[4] has traditionally relied on a network of private contractors to handle the program integrity functions for both the Medicare and Medicaid programs. As part of the MIP, HCFA created the Program Safeguard Contractor (PSC) program. From a program integrity standpoint, PSCs were a major step forward. Among their many duties, PSCs were expressly tasked with identifying potential cases of fraud and making referrals to OIG and DOJ, as appropriate

IV. Enactment of the Medicare Modernization Act (MMA) of 2003 – Creation of MACs and ZPICs:

The MMA was subsequently signed into law on December 8, 2003. The MMA greatly simplified the administrative processing of Medicare claims through its implementation of a comprehensive Medicare Fee-For-Service Contracting Reform program. Under this program, CMS used the competitive bidding process to replace the existing system of Fiscal Intermediaries (responsible for processing Part A claims) and Carriers (responsible for processing Part B claims) with unified administrative claims processing entities known as Medicare Administrative Contractors (MACs), responsible for handling both Part A and Part B claims.[5]

In addition to completely revising the administrative claims processing scheme (through the creation of MACs), the MMA also directed that newly-established Zone Program Integrity Contractors (ZPICs) would take over the responsibility for handling Medicare program integrity functions and activities. A total of seven ZPIC zones were created to work with the MACs in their jurisdiction. Each of these ZPICs were responsible for performing program integrity functions for Medicare Parts A and B claims.

V. Establishment of the Medicare Drug Integrity Contractor (MEDIC) Program:

Under the Balanced Budget Act of 1997, Congress authorized the Medicare+Choice program (Medicare Part C). Under Medicare Part C, CMS contracts with private organizations to provide several types of private health plan options, including managed care plans.[6] The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 subsequently established Medicare Part D, a voluntary outpatient prescription drug program. In FY 2007, CMS first awarded contracts to several regional MEDICs to address potential fraud and abuse related to the Part D benefit. These functions were later consolidated under a single contractor that is responsible for handling both Part C and D program integrity efforts nationwide, for all 50 states and Puerto Rico. The contractor responsible for handling Medicare Part C and Part D claims is known as the National Benefit Integrity Medicare Drug Integrity Contractor (NBI MEDIC). In 2018, CMS split the NBI MEDIC functions into two separate contracts, the NBI Medicare Drug Integrity Contract (NBI MEDIC) and the Investigations Medicare Integrity Contract (I-MEDIC). Generally, these contracts cover the following:

NBI Medicare Drug Integrity Contract (NBI MEDIC): The NBI MEDIC contract has been awarded to Qlarant. Under the NBI MEDIC contract, Qlarant is responsible for handling general plan sponsorship oversight and conducting data analytics designed to identify possible instances of fraud, waste and abuse with respect to the Part C and Part D programs.

Investigations Medicare Integrity Contract (I-MEDIC): The I-MEDIC contract has also been awarded to Qlarant. The overall strategy of this five-year contract is to detect, prevent and proactively deter fraud, waste and abuse in the Medicare Part C and Part D programs. As Qlarant notes:

“This work focuses primarily on complaint intake and response; data analysis; assessing leads from various sources; investigative actions; administrative remedies; referrals; and program integrity efforts related to potential FWA from prescribers, pharmacies, and beneficiaries.”

As we have previously noted, referrals from an NBI MEDIC and I-MEDIC (at this time, both of these contracts are held by Qlarant) are routinely made to the OIG, DOJ and to State Medical Boards whenever evidence of fraud, waste or abuse. Qlarant may also initiate an audit of your prescribing practices and / or recommend that your Medicare billing privileges be revoked. It is therefore essential that you contact a qualified health lawyer if you or your practice are audited or investigated by Qlarant (in its role under the NBI MEDIC or I-MEDIC contracts).

VI. Rise of the Unified Program Integrity Contractors (UPICs):

As detailed in the "Comprehensive Medicaid Integrity Plan. Fiscal Years 2014—2018", issued by CMS, Section 1936(d) of the Social Security Act requires that the HHS Secretary establish a comprehensive plan for ensuring the program integrity of the Medicaid program, on a recurring 5-fiscal year basis. To this end, CMS developed Unified Program Integrity Contractor (UPIC) program. Unlike earlier program integrity efforts, UPIC contractors have been tasked with conducting Medicare, Medicaid and Medi-Mal investigations and audits of participating health care providers and suppliers in their assigned jurisdictions. Contracts awarding integrated program integrity responsibilities have been awarded to the following UPICs:

  • UPIC Southwestern Jurisdiction Qlarant Integrity Solution, LLC qlarant.com (Colorado, New Mexico, Texas, Louisiana, Arkansas and Mississippi).

  • UPIC Western JurisdictionQlarant Integrity Solutions, LLC qlarant.com (American Samoa, Guam, Northern Mariana Islands, Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, North Dakota, Oregon, South Dakota, Utah, Washington and Wyoming).

  • UPIC Midwest JurisdictionCoventBridge Group com/midwest-upic/ (Iowa, Kansas, Missouri and Nebraska).

  • UPIC Northeast JurisdictionSafeguard Services, LLC safeguard-servicesllc.com/ (Maine, Vermont, New Hampshire, Massachusetts, Rhode Island, Connecticut, New York, Pennsylvania, New Jersey, Delaware, Maryland, District of Columbia, and the counties of Arlington and Fairfax and the city of Alexandria in Virginia).

  • UPIC Southeastern Jurisdiction -- Safeguard Services, LLC safeguard-servicesllc.com/ (Alabama, Florida, Georgia, North Carolina, Puerto Rico, South Carolina, Tennessee, U.S. Virgin Islands, Virginia and West Virginia).

Each of these UPIC contractors have years of experience supporting the government’s efforts to identify, deter, prevent, and reduce fraud, waste and abuse.

VII. UPIC Claims Audits of Medicare and Medicaid Services are Currently Underway:

A number of our clients around the country have already received requests for records from the UPIC handling their jurisdiction. One UPIC in particular, Qlarant has been especially active over the last year in sending out audit letters requesting copies of medical records, dental records and other documentation which supports the specific claims being assessed. As discussed below, a careful review of any request that you receive may give an indication of how the case arose and whether the contractor’s review is merely claims focused or also includes an assessment of the provider’s business relationships and practices.

Requests for documents sent by UPICs can vary in terms of scope, purpose and due date. There are several points that should be considered whenever a UPIC request for medical records or dental records is received by a Medicare or Medicaid provider:

  • When must the requested documents be sent to the UPIC? Over the last year, a number of UPIC requests for documents have required that the documentation must be submitted to the contractor within 15 days. This is really frustrating in light of the fact that as set out in the Medicare Program Integrity Manual (MPIM), Section 3.2.3.2 – Time Frames for Submission,[7] the contractor is supposed to give a health care provider 30 days to submit the documents being requested. Although most ZPICs will readily agree to an extension of time, if they only agree to extend the deadline to 30 days, they really are granting the provider anything, are they? To date, we have not seen UPIC claims audit requests seeking documents permitting more than 30 days for the documents to be submitted.
  • What types of documents are requested in contractor’s request? Carefully review the nature of the request. Is the UPIC only seeking administrative and claims-related medical records OR, is the contractor also seeking documentation related to a provider’s business relationships and / or business practices?
  • UPIC Claims Audits: Most audits (and claims reopenings) by UPICs are generated as a result of data mining. In these cases, a UPIC often restricts its review efforts (at least initially) to the claims being assessed, along with relevant, associated administrative materials. Examples of documents sought in these types of review include, but are not limited to:
    1. Copy of claim, if available;
    2. Beneficiary Notice of Liability;
    3. Authorization of Benefits;
    4. Consent for treatment;
    5. Signed HIPAA privacy notification forms;
    6. Signature card including names and signatures of all personnel documenting in the beneficiary’s chart.
    7. Electronic signature policy;
    8. Copy of face sheet with beneficiary contact information;
    9. Signed “Consent for Treatment” authorizing the medical service;
    10. A copy of the beneficiary’s Medicare card;
    11. A legend or list that defines acronyms, symbols or abbreviations used in the medical records;
    12. A completed Advanced Beneficiary Notice (ABN), as appropriate;
    13. Copies of licenses and / or certifications of any personnel documenting in the beneficiary’s medical records. This includes, physicians, nurse practitioners, physician assistants, nurses, and other caregivers that require licensure or certification;
    14. If electronic signatures are used, documentation which shows that the electronic signatures properly authenticated and dated. The UPIC will also typically ask for the provider to show that safeguards are in place to prevent unauthorized access;
    15. Physician orders;
    16. History and physical;
    17. Patient encounter / visit forms;
    18. Physician’s office and Progress Notes;
    19. Consultation reports (if applicable);
    20. Surgical reports (if applicable);
    21. Pathology reports (if applicable);
    22. Pathology reports (if applicable);
    23. Laboratory tests results (if applicable);
    24. Radiology reports (if applicable);
    25. Previous treatments received to include dates, diagnosis for treatment, treatments administered; and the patient’s response to treatment / progress made;
    26. Discharge notes (if applicable);
    27. Any additional medical records or findings that support the claim(s) or service(s) billed;
  • UPIC Requests for Business Records Along with UPIC Claims Audit Information: In addition to the claims-related documents above, if a UPIC also seeks documents related to a provider’s business practices and / or business relationships (i.e. where does the provider get its referrals AND where does the provider send its referrals), there is greater likelihood that other information has been received by the UPIC which suggests that the provider may be engaging in one or more improper business practices. Providers should exercise extreme caution if this type of information is being sought. To the extent that a UPIC finds evidence that a provider is engaging in wrongdoing, the contractor is required to make a referral to law enforcement (OIG and / or DOJ). Examples of the business-related documents that may be sought by the UPIC include:
    1. Copies of any leases;
    2. Please provide a listing of all patients seen on the dates of the claims requested in this audit;
    3. Copies of any Medicare Director agreements;
    4. Name of EHR software used (if applicable);
    5. Name and contact information for third-party billing company (if utilized);
    6. Please provide a sample of each encounter form utilized in your office;
    7. Copy of patient collections for the period at issue which reflects any copayments and / or deductibles collected from the beneficiary;
    8. Names, addresses and phone numbers and former positions of individuals who are no longer employed by the organization and left within the past three years;
    9. If you are associated with or a member of any assignment account, do you also bill under separate provider numbers? If so, list the numbers and describe the reasons for separate billing;
    10. Copies of any consulting agreements or other business agreements with laboratories, imaging centers or any other entity whose services are billed to Medicare;
    11. List all employees or contracted staff (physicians, therapists, physician assistants, nurses, etc.) who render services and bill Medicare under your provider number;
    12. List associates, partners, employees who bill under their own PTAN numbers;
    13. List associates, partners, employees who bill under your PTAN number;
    14. List the name of the manufacturer, model number and purpose of each piece of diagnostic or treatment equipment in your office, e.g. laboratory equipment, diagnostic equipment (x-ray, MRI, EMG, nerve conduction equipment, cardiac tests, other specialty diagnostic equipment, etc.), physical therapy equipment, chiropractic equipment;
  • How many Medicare claims are to be audited? If 10 or less postpayment claims are being reviewed, more than likely the UPIC is conducting a "Probe Sample" of the provider’s claims. The purpose of the probe sample is to see if there appears to be a potential problem with the provider’s medical necessity, documentation, coding or billing practices. If few problems are found, the UPIC will likely issue an "Education Letter" to the provider. If, however, a significant number of errors are identified, the UPIC will likely expand its audit and issue a subsequent request for the supporting documentation associated with 30 or more claims that have already been paid. If the UPIC’s initial request for records asks for records associated with 30 or more claims (usually billed over a two-year period), there is high likelihood that the UPIC have pulled these claims as part of a "Statistically Relevant Sample". As such, the UPIC intends to extrapolated the error rate found to the entire universe of claims.
  • How Should You Respond if Your Organization Receives a UPIC Records Request? If your medical practice, home health agency or hospice is subjected to a UPIC claims audit, we strongly recommend that you immediately contact a qualified health care lawyer. There are a number of steps you can take at this initial stage in the review that may have a significant impact on whether the UPIC determines that a more in-depth audit is needed. Moreover, the potential overpayment may also be greatly reduced (depending on the completeness of a provider’s medical records). Questions? Give us a call for a free consultation. We can be reached at (202) 298-8750 or toll-free at 1 (800) 475-1906.
Robert W. Liles is a health care attorney experienced in handling prepayment reviews and audits.
Robert W. Liles serves as Managing Partner at Liles Parker, Attorneys & Clients at Law. Our Firm represents health care providers and suppliers around the country in UPIC, ZPIC, RAC and MIC audits. We also work with providers to develop and implement an effective Compliance Program. Call Robert for a free consultation. He can be reached at: 1 (800) 475-1906.
  • [1] An overview of what is covered under Part A is provided at the following link: https://www.medicare.gov/what-medicare-covers/what-part-a-covers
  • [2] An overview of what is covered under Part B is provided at the following link: https://www.medicare.gov/what-medicare-covers/what-part-b-covers
  • [3] GAO, Medicare Spending: Modern Management Strategies Needed to Curb Billions in Unnecessary Payments, GAO/HEHS-95-210 (Washington, D.C.: Sept. 19, 1995); Medicare: Adequate Funding and Better Oversight Needed to Protect Benefit Dollars, GAO/T-HRD-94-59 (Washington, D.C.: Nov. 12, 1993); and Medicare: Funding and Management Problems Result in Unnecessary Expenditures GAO/T-HRD-93- 4 (Washington, D.C.: Feb. 17, 1993).
  • [4] On September 24, 2001, the Health Care Financing Administration (HCFA) was renamed the Centers for Medicare and Medicaid Services (CMS). A link to the announcement can be found here: https://www.cms.gov/Regulations-and-Guidance/Guidance/Transmittals/downloads/AB01133.pdf
  • [5] With the exception of home health, hospice or DME claims which are processed by specific MACs engaged by CMS to process these specific types of claims.
  • [6] Medicare Provisions in the Balanced Budget Act of 1997 (BBA 97, P.L. 105-33), Congressional Research Service, 97-802, issued August 18, 1997. As the report reflects, a Medicare+Choice plan may include:
    1. “ a coordinated care plan (including an HMO (with or without a point-of-service plan), a PPO, or a PSO),
    2. a private fee-for-service plan (private FFS),8 or
    3. a combination of a medical savings account (MSA) plan and contributions to a Medicare+Choice MSA.”
  • [7] Medicare Program Integrity Manual Section 3.2.3.2):
    “ZPICS shall notify providers that requested documents are to be submitted within 30 calendar days of the request.”
    Please note, prior to its most recent update, Chapter 4, Section 4.1, of the MPIM expressly stated:
    “. . . All references to ZPICs shall also apply to Unified Program Integrity Contractor (UPIC) unless otherwise specified in the UPIC [Statement of Work] SOW.”