Zone Program Integrity Contractors (ZPICs) are federal contractors that work under the direction of the Centers for Medicare and Medicaid Services (CMS) to uncover fraudulent billings under Medicare. ZPICs have broad authority to conduct audits of Medicare-participating healthcare providers; and, following audits, ZPICs can directly impose sanctions and/or refer providers to CMS or the U.S. Department of Justice for further enforcement action.

Technically, ZPICs are tasked with identifying both overpayments and underpayments. Their “integrity” function is intended to ensure that both CMS and the providers that bill Medicare achieve fair outcomes. However, as “fee for service” contractors working with CMS, ZPICs are only financially incentivized to identify overpayments and seek recoupments, and this means that ZPIC audits usually only focus on determining whether these contractors can lodge accusations of fraud.

“ZPIC audits present significant risks for healthcare providers. ZPIC audit determinations are often misguided, and this makes it particularly important for providers to engage and defend themselves during the audit process.“ – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

Recently, CMS overhauled its audit contractor program and replaced ZPICs with Unified Program Integrity Contractors (UPICs). However, some ZPICs are still operating at this time; and, for the foreseeable future, it is likely that the acronyms ZPIC and UPIC will be used interchangeably in the healthcare sector.

How ZPICs Choose Healthcare Providers to Audit

ZPICs choose healthcare providers to audit through four primary means. When facing a ZPIC audit, understanding what triggered the audit can be important for developing an informed defense strategy and determining what other measures (i.e. an internal Medicare compliance audit) may be necessary. The four primary triggers for ZPIC audits are:

• Data Analytics – ZPICs rely heavily on data analytics to identify healthcare providers to audit. When reviewing billing data, ZPICs look for outliers such as a high volume of billings for a particular service or lengths of stay outside of industry standards—which suggest that a provider might be overbilling Medicare. Of course, it is entirely possible (and often the case) that a provider’s “abnormal” billing practices are simply a result of the unique aspects of its practice.
• “Benefit Integrity” Investigations – ZPICs also conduct “billing integrity” investigations in order to identify circumstances in which invasive audits are warranted. Typically, this involves interviewing Medicare beneficiaries and analyzing billing data for individual providers. The problems (or some of the problems) with this approach are that (i) patients are not experts on the Medicare billing rules and regulations, and (ii) as indicated above, data don’t often tell the whole story about providers’ billing practices.
• Complaints from Patients and Employees – Similar to federal investigative agencies, ZPICs rely on members of the public to help them identify possible audit targets. In addition to conducting beneficiary interviews, ZPICs also accept complaints from patients and providers’ current and former employees. Again, however, patients typically don’t have a clear understanding of what is and isn’t permissible, and employees who file complaints typically have personal motives for doing so.
• Referrals from Federal Authorities – ZPICs may also receive referrals from CMS and other federal authorities that have identified possible instances of Medicare billing fraud. While multiple federal agencies conduct healthcare billing fraud investigations, in some cases they will determine that a ZPIC audit should be sufficient to recoup any potential overpayments and remedy any billing issues going forward.

The ZPIC Audit Process

ZPICs conduct three types of audits – automated audits, semi-automated audits, and complex audits – and the procedures involved in each type are different. As you can probably tell from the names, some ZPIC audits are more involved than others; however, all ZPIC audits present the same risks, and this means that providers need to devote the same level of effort to defending against all types of ZPIC audits.

1. Automated ZPIC Audits

Automated audits involve a review of the billing data that a provider has already submitted to Medicare. These audits typically result from ZPICs’ data analytics rather than external triggers. During an automated audit, ZPIC personnel simply review the provider’s billing data and then issue a determination. In order to prevent an unwarranted adverse determination (more on this below), a provider facing an automated audit should seek to intervene at the first available opportunity and insert itself into the audit process.

2. Semi-Automated ZPIC Audits

During a semi-automated audit, ZPIC personnel review the provider’s billing data submitted to Medicare and seek additional documentation from the provider. While providers must comply with ZPICs’ documentation requests in accordance with the pertinent Medicare rules, this does not necessarily mean that providers must comply wholesale. Frequently, ZPICs will request voluminous records that providers are not required to disclose, and preventing unwarranted recoupment demands will start with making sure that the scope of the audit is appropriately limited.

3. Complex ZPIC Audits

Complex audits involve document requests and often in-person review of providers’ billing records and practices. These audits typically result from verified complaints and referrals from federal authorities. Oftentimes, these audits will focus on allegations of one or more pervasive issues—such as billing without evidence of medical necessity or billing for non-reimbursable services. However, they can also target providers whose billing records suggest a lack of compliance policies and procedures or a culture of non-compliance.

Common Issues and Defenses During ZPIC Audits

During ZPIC audits, healthcare providers need to monitor for various issues that can lead to unwarranted penalties. Unfortunately, this is a common problem during ZPIC audits, and healthcare providers must actively defend themselves in order to minimize the risk of facing unjustified demands. Some examples of common issues and defenses during ZPIC audits include:

• Demands for Records that Aren’t Subject to Disclosure – In order to attempt to uncover as many unauthorized billings as possible, ZPICs will often request voluminous records from healthcare providers. But, providers often are not required to disclose all requested records. Once a provider discloses records, however, then those records become fair game for the ZPIC’s auditors. As a result, providers must be extremely careful to ensure that they are only disclosing the records that they are legally required to disclose.
• Review of Billings that Are No Longer Subject to Review – Providers’ Medicare billings are not subject to review indefinitely. If a ZPIC attempts to review billings that are no longer subject to review, then the provider should seek to put a stop to these efforts as well. While it may be possible to avoid invalid recoupment demands through the appeals process, it is far more efficient and less risky to prevent these demands during the audit process.
• Reliance on Outdated Medicare Billing Rules and Regulations – The Medicare billing rules and regulations change frequently. While ZPICs should remain up to date on the latest rules and regulations, they often fall behind. Reliance on outdated Local Coverage Determinations (LCDs), National Coverage Determinations (NCDs), and Medicare Policy Benefit Manual (MPBM) versions are common issues during ZPIC audits.
• Applying Current Rules and Regulations to Past Billings – ZPIC auditors also commonly make the mistake of applying the current Medicare billing rules and regulations to providers’ past billings. Billings are subject to the rules that are in place at the time they are submitted to Medicare, and providers cannot be held responsible for violating rules that were not in force at the relevant time.
• Reliance on Flawed Auditing Methodologies – Even if ZPIC auditors rely on the right set of rules and regulations, they can still come to flawed conclusions by relying on flawed methodologies. In fact, this is perhaps the most-common issue that leads to unwarranted recoupment demands during ZPIC audits. With this in mind, it is extremely important for providers to engage experienced ZPIC audit defense counsel to oversee the audit process and identify any flaws in real time.

The Appeals Process for Unfavorable ZPIC Audit Determinations

If a ZPIC audits your business or practice and imposes recoupments, pre-payment review, or other penalties, what’s next? There is a five-stage appeals process for ZPIC audits—only the last of which involves finally taking the ZPIC to court.

The first stage of the ZPIC audit appeals process is known as “redetermination.” Once a ZPIC makes its determination, the provider has 120 days to file a request for redetermination with its Medicare Administrative Contractor (MAC).

If the MAC agrees with the ZPIC, then the next stage is “reconsideration.” Providers have 180 days to request reconsideration of a MAC’s redetermination. Requests for reconsideration are filed with Qualified Independent Contractors (QICs).

After reconsideration, the next stage is to request a hearing before an administrative law judge (ALJ). These requests must be filed within 60 days of reconsideration, and ALJs have 90 days to issue a decision following the hearing. If the ALJ affirms the penalties imposed, the provider can then seek review from the Medicare Appeals Council, and then the final stage is to seek redress in federal district court.

As you can see, the appeals process for ZPIC audits is onerous, and it can easily take a year or longer to run its course. As a result, rather than relying on appeals, it is a far better approach to seek to prevent an unfavorable determination in the first place. This requires a proactive approach, and the first step is to engage defense counsel at the first sign of a ZPIC audit.