ZPIC Audit Responsibilities Have Been Transferred to UPICs Around the Country

ZPIC Audits are Ongoing Around the Country. Is your practice involved in a ZPIC Audit? Call Us! 1 (800) 475-1906.(Updated January 4, 2021): In April 2014, the Centers for Medicare and Medicaid Services (CMS) issued an an Umbrella Statement of Work for the the awarding of program integrity contracts by new organizations known as "Unified Program Integrity Contractors" (UPICs). UPICs took over the responsibilities of Zone Program Integrity Contractors (ZPICs) and Medicaid Integrity Contractors (MICs). Today, a few legacy ZPICs are still working on CMS projects but for the most part, all of their program integrity duties have been transferred over to UPICs around the country. For a detailed discussion of the current UPIC program, we recommend you review our page titled "A UPIC Audit is Serious Business — Is Your Office Prepared?"

For background purposes, our original article examining the the now-defunct ZPIC program is set out below.

I. Background of the ZPIC Program

On December 8, 2003, the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) was signed into law. Under this legislation:

The Centers for Medicare and Medicaid Services (CMS) was required to use competitive measures to replace the current Medicare Fiscal Intermediaries (Part A) and Carriers (Part B) contractors with Medicare Administrative Contractors (MACs);

After setting up the new MAC regions, CMS was required to create new entities, called Zone Program Integrity Contractors (ZPICs)[1]; and

CMS worked to consolidate its existing program integrity efforts. Since the enactment of MMA, ZPICs have largely taken over the program integrity duties previously handled by Program Safeguard Contractors (PSCs). [2]

At the time of transition, there were twelve PSCs that had been awarded umbrella contracts by CMS. When the contracts expired, CMS transferred the PSCs’ fraud detection and deterrence functions over to ZPICs around the country. To date, CMS has awarded all of the ZPIC contracts and is close to completing the transition over from the PSC system.

II. Listing of ZPICs Previously Operating Under a Contract with CMS

ZPIC audits of Medicare claims can lead to prepayment audits, postpayment audits, suspension, revocation or even a referral to DOJ for the investigation of possible Medicare fraud.

  • Zone 1 SafeGuard Services: California, Hawaii, Nevada and the territories of American Samoa, Guam, the Northern Mariana Islands, Palau, the Marshall Islands and the Federal States of Micronesia.
  • Zone 2 AdvanceMed (an NCI Company): Alaska, Arizona, Idaho, Montana, North Dakota, Oregon, South Dakota, Utah, Washington and Wyoming.
  • Zone 3 AdvanceMed (an NCI Company): Illinois, Indiana, Kentucky, Michigan, Minnesota, Ohio and Wisconsin. .
  • Zone 4 – Health Integrity: CO, NM, OK, TX.
  • Zone 5 AdvanceMed (an NCI Company): Alabama, Arkansas, Georgia, Louisiana, Mississippi, North Carolina, South Carolina, Tennessee, Virginia and West Virginia.
  • Zone 6SafeGuard Services: Pennsylvania, New York, Maryland, District of Columbia, Delaware, Maine, Massachusetts, New Jersey, Connecticut, Rhode Island, New Hampshire and Vermont.
  • Zone 7 SafeGuard Services: Florida, Puerto Rico and

    the U.S. Virgin Islands.

Notably, ZPICs have traditionally asserted that, unlike their Recovery Audit Contractor (RAC) counterparts, they are not “bounty hunters.” They base this argument on the fact that unlike RACs, ZPICs are not paid on a contingency basis. Instead, ZPICs are directly compensated by CMS on a contractual basis. Nevertheless, common sense tells us that if ZPICs are unsuccessful at identifying alleged overpayments, the chances of a ZPIC’s government contract being renewed are likely to be diminished. Additionally, experience has shown us that despite the fact that ZPICs are expected to adhere to applicable Medicare coverage guidelines, a ZPIC’s interpretation and application of these coverage requirements may greatly differ from your understanding of the same provisions. In recent years, ZPICs have been aggressively pursuing a wide variety of enforcement actions.

III. ZPIC Responsibilities

  • As CMS has described its role, the “ZPIC is responsible for preventing, detecting, and deterring fraud, waste and abuse in both the Medicare program and the Medicaid program through the collaboration of the Medicare-Medicaid Date Match Program (Medi-Medi).” [2] To accomplish these responsibilities, ZPICs are tasked with:
  • Preventing fraud by identifying program vulnerabilities;
  • Proactively identifying incidents of potential fraud, waste, and abuse that exist within its service area and taking appropriate action on each case;
  • Investigating (determining the factual basis of) allegations of fraud made by beneficiaries, providers / suppliers, CMS, the Office of Inspector General (OIG), and other sources;
  • Exploring all available sources of fraud leads in its zone, including the state Medicaid agency and the Medicaid Fraud Control Unit (MFCU);
  • Initiating appropriate administrative actions where there is reliable evidence of fraud, including, but not limited to, payment suspensions and revocations;
  • Referring cases to the OIG’s Office of Investigations (OI) for consideration of civil and criminal prosecution and/or application of administrative sanctions;
  • Referring any necessary provider / supplier and beneficiary outreach to the Provider Outreach and Education staff at the MAC;
  • Initiating and maintaining networking and outreach activities to ensure effective interaction and exchange of information with internal components as well as outside groups;
  • Partnering with state Medicaid Program Integrity units to perform the above activities for the Medi-Medi program; or
  • Working closely with CMS on joint projects, investigations and other proactive, anti-fraud activities.[3]

IV. How Does a ZPIC Choose Which Provider to Audit?

Since its enactment in 1965, the Medicare program has processed countless covered beneficiary claims for medical services and supplies. As the size of the program and the number of participating beneficiaries have grown, the government has increased its reliance on private contractors to process and pay Medicare claims. As part of their contractual obligations with CMS, ZPICs are required to develop and implement sophisticated and effective methods, procedures and practices to assist the contractor in identifying providers and suppliers who may be committing fraud, wasting program resources or otherwise abuses aspects of the Medicare program or its beneficiaries. ZPICs use a wide variety of techniques to identify and / or address incidents of potential Medicare fraud. They also utilize both proactive and reactive leads to identify potential targets. In late 2016 CMS published guidance that further elaborates on the nature of proactive leads that may be identified or self-initiated by a ZPIC. As this guidance reflects, ZPIC proactive leads include, but are not limited to:

  • ZPIC date analysis that uncovers inexplicable aberrant utilization practices that appear to indicate potentially fraudulent, wasteful or abusive billing for specific providers / suppliers;
  • The discovery of a new lead by a ZPIC during a provider / supplier or beneficiary interview; and
  • The combining of information from a variety of sources to create a new lead.[4]

V. Sources of Information Utilized by ZPICs When Conducting Data Mining

There are a number of data sources that ZPICs are expected to utilize in the performance of their contractual obligations. Primary data sources to be used by ZPICs include the National Claims Data system and local data compiled by the contractor in an effort to identify and target fraudulent, wasteful or abusive activities. Most providers and suppliers are identified for audit and / or investigation through an analysis of their billing practices. It has been our experience that approximately 80% to 90% of the providers we have represented in ZPIC audits were first targeted through data mining. Simply put, an analysis of billing and claims data has shown that a particular provider’s coding or billing practices are either different than those of their peers OR appear to suggest one or more improper billing practices. Secondary data sources[5] relied on by ZPICs include, but are not limited to:

  • Reports issued by OIG and the General Accounting Office (GAO);
  • OIG Fraud Alerts;
  • Complaints from beneficiaries and their families, physicians and other providers;
  • Referrals by Medicare Quality Improvement Organizations (QIOs), other CMS contractors, CMS components, State Medicaid Fraud Control Units (MFCUs), the Department of Justice (DOJ) (including U.S. Attorney’s Offices), and other federal health benefit programs;
  • Referrals from State Medical Licensing Boards; and Overpayment data;
  • Peer Review Reports;
  • Comparative billing reports;
  • Provider cost reports;
  • Provider Statistical and Reimbursement (PS&R) System data;
  • Enrollment data;
  • Overpayment data;
  • MedLearn Matters articles and Quarterly Provider Compliance Newsletters,
  • Listings of distinct providers or suppliers and / or bills (prepared by CMS) that require medical review

VI. What Steps Does a ZPIC Take When Conducting an Investigation?

Once a provider or supplier has been identified as a potential target for audit, there are a number of investigative methods that may be used by a ZPIC. In almost every case, an analysis of the provider’s claims or billing practices will be conducted. ZPICs will also typically verify the license of any physician, nurse practitioner, physician assistant, nurse, therapist or other licensed professional whose services are being billed to the Medicare program. CMS has expressly directed ZPICs to exercise discretion when interviewing Medicare beneficiaries. As set out in the Medicare Program Integrity Manual:

Interview a small number of beneficiaries. Do not alarm the beneficiaries or imply that the provider did anything wrong. The purpose is to determine whether there appear to be other false potentially inappropriate claims or if this was a one-time occurrence;[6]

When conducting an investigation, ZPICs are also supposed to review a provider’s correspondence files to determine whether prior audits of a specific provider or supplier has been audited or provided educational letters in the past by one or more CMS contractors.

In recent years, unannounced onsite visits by ZPIC representatives have become commonplace. While every case is different, many ZPICs have used this visit as an opportunity to deliver a written request for medical records. Typically, the ZPIC representative will ask for a handful of records at the time of the visit and allow the provider to forward the remaining records at a later date.

After assembling sufficient data to make an informed assessment of the provider’s billing practices and conduct, the ZPIC will decide whether the information is indicative of a mere billing error, potential fraud, waste or abuse. If no fraud is substantiated, the ZPIC will normally close out the matter and treat it as overpayment. The ZPIC will then refer the matter to the MAC for further administrative action.

VII. ZPIC Referrals for Civil and Criminal Enforcement

CMS has directed ZPICs to make a referral to law enforcement (typically OIG[7], the Federal Bureau of Investigation (FBI) or to the U.S. Attorney’s Office) if it has identified substantiated allegations of fraud. Examples of substantiated allegations of fraud include, but are not limited to:

  • Engaged in a pattern of improper billing.
  • Submitted improper claims to Medicare for payment, where it is suspected that the provider had knowledge that the claims were false.
  • Submitted improper claims to Medicare for payment, where it is suspected that the provider acted with either “reckless disregard” or “deliberate ignorance” of the truth or falsity of the claim.

Prior to making the referral to law enforcement, a ZPIC is required to take all other appropriate administrative actions (such as recommend that a provider’s billing privileges be suspended). Notably, if a case is being referred to law enforcement, ZPICs are NOT supposed to seek collection of an identified overpayment (unless otherwise directed by CMS). However, just because a referral to law enforcement is made doesn’t mean that it will be prosecuted. In many instances, OIG and / or DOJ will decline to open a case for a variety of reasons (such as lack of evidence, insufficient damages, etc.). As ZPICs continue to refer cases to law enforcement, it is becoming even more essential that Compliance Officers continue to update and enforce their organization’s Compliance Program.

VIII. Possible Administrative Sanctions Pursued by ZPICs

Depending on the facts in a case, a ZPIC may initiate a number of administrative sanctions against a provider or supplier. Examples of typical sanctions and / or corrective actions that may be taken include, but are not limited to:

  • Issuance of written educational letters, advising a provider or supplier of the ZPIC’s concerns with the provider’s billing practices or conduct;
  • Revocation of a provider’s assignment privileges[8].
  • Placement of a provider on prepayment review;
  • Suspension of a provider’s payments;
  • Pursuit of alleged overpayments; and
  • Referral to state licensing boards and other professional societies.

A brief overview of the overpayment identification process, the suspension of a provider’s payments and the revocation of a provider’s billing privileges are outlined below.]

XI. Medicare ZPIC Suspension Actions

The number of suspension actions recommended to CMS by ZPICs has steadily increased in recent years. We expect to see the number of suspension actions to continue to grow. Under the Affordable Care Act (ACA) the suspension authority of CMS has greatly expanded. Historically, CMS has been empowered to suspend payments to Medicare providers in three circumstances:

  1. Fraud or willful misrepresentation;
  2. An overpayment of an undetermined amount has been identified; or
  3. Payments that have been made (or are scheduled to be made) may be incorrect. (42 C.F.R. §405.371(a)(1).

Under the ACA, CMS may also suspend payments based on a “credible allegation of fraud.” Even if a credible allegation of fraud exists, CMS may choose not to suspend payments if there is “good cause” for doing so. CMS may also suspend a Medicare provider based on allegations from any source, including, but not limited to fraud hotline complaints, claims data mining, provider audits, or law enforcement investigations.

IX. ZPIC Prepayment Reviews / Medicare Overpayment Assessments

Unlike postpayment overpayment assessments, there is not an effective administrative appeals process for health care providers placed on prepayment review. We recommend that you consult with legal counsel if your practice is placed on prepayment review. There are three points to keep in mind in such cases:

  • First, it is often in your best interest to continue to submit claims for review and not hold them. Even if they are denied, at least you can initiate the postpayment appeals process as soon as possible and hopefully begin to restore cash flow. Perhaps most importantly, you can use this process to identify potential deficiencies in your documentation practices so that remedial steps can be taken to improve your compliance with applicable, medical necessity, coverage, documentation, billing and coding requirements. Having said that, you need to keep in mind that every denial that is logged into the system will increase your overall error rate and could be used a support for suspending your Medicare payments.
  • Second, it may be helpful to engage an outside consultant to review your claims and generate a report that can be sent to the ZPIC, advising the contractor that a third-party found that your claims qualify for coverage and payment,; and
  • Third, you need to outside of the box—no provider can survive on prepayment review for a long period if a significant portion of their payor mix is reimbursed by Medicare.

Brief Overview of a ZPIC, First Contacting You Company and Then Conducting an Initial Audit of Your Medicare Claims. "

X. ZPIC Postpayment Audits / Medicare Overpayment Assessments

While the number of ZPIC postpayment audits has declined in recent years as a result of government’s efforts to avoid “pay and chase” scenarios whenever possible, in some sectors (such as home health and hospice), we have not seen much of a reduction. Most “big-box” cases handled by ZPICs have utilized statistical sampling when estimating alleged damages paid during the period at issue. A brief outline of the postpayment audit process is set out below:

Brief Overview of the Initial ZPIC Overpayment Determination and the Subsequent Medicare Administrative Appeals Process

XII. Medicare ZPIC Revocation Actions

Over the last year, we have seen a sharp increase in the number of Medicare revocation actions taken. The reasons for revocation have varied but have typically been associated with alleged violations of the participation agreement. In some cases, the ZPIC contractors found that the provider had moved addresses and had not properly notified Medicare. In other cases, a provider was not alleged not have been cooperative during a site visit. Finally, there were a number of instances where the provider allegedly did not meet the “core” requirements necessary for their facility to remain certified. As Compliance Officer, it is essential that you review your facility’s participation agreement and ensure that your organization is continuing to meet its obligations under the program.

XIII. How do ZPICs view the Professional Opinions and Recommendations of Ordering and / or Treating Physicians and Other Medical Professionals?

ZPICs conduct reviews of medical records to determine, among other things, whether the service submitted for payment by Medicare was actually provided. Even if the service was provided, the documentation should reflect that the service was medically reasonable and necessary. ZPICs can, based on their findings, affirm coverage and payment, downcode the claim, or wholly deny the claim.

ZPICs are not required to have a physician review a claim in order to deny coverage. In fact, most of the denied claims we have challenged on behalf of a client have been assessed by a registered nurse. Further complicating the situation is the fact that over the past decade, the weight given to the opinions of treating physicians and other providers (often referred to as the “Treating Physician Rule”) has slowly eroded.

As early as 1986, Courts referred to the “well-settled principle that the opinion of the treating [physician] is, in fact, entitled to special deference unless it is contradicted by substantial evidence.[9] The Bowen Court further held that the opinion of a medical advisor representing the government was not sufficient to equal the substantial evidence necessary to overcome the opinion of treating physicians. Despite this clear support for the “Treating Physician Rule,” a number of later cases have questioned whether this rule even applies to Medicare claims.

The only clear holding involving Medicare Part B claims[10] suggests that the “Treating Physician Rule” could apply to Medicare Part B claims. One federal appellate circuit court appears to uphold the rule. As the Second Circuit held in Holland v. Sullivan:[11]

Though the considerations bearing on the weight to be accorded a treating physician's opinion are not necessarily identical in the disability and Medicare contexts, we would expect the Secretary to place significant reliance on the informed opinion of a treating physician and either to apply the treating physician rule, with its component of "some extra weight" to be accorded to that opinion, or to supply a reasoned basis, in conformity with statutory purposes, for declining to do so” (emphasis added).

Similarly, in Keefe v. Shalala,[12] the Second Circuit suggested that the “Treating Physician Rule” likely applies to Medicare cases. Despite the fact that several courts have indicated that the rule applies, contractors can point to an equal number of cases that take a contrary position on this issue.

Ultimately, the issue for an Administrative Law Judge (ALJ) will be to decide how much weight, if any, should be given to the professional medical views of a treating provider when evaluating the care decisions previously made. Despite conflicting views regarding the applicability of the “Treating Physician Rule” to Medicare claims, there can be little doubt that Congress intended for the decision-making role of a treating physician to be substantial. As the Code of Federal Regulations expressly states:

. . . [t]he physician has a major role in determining utilization of health services furnished by providers. The physician decides upon admissions, orders tests, drugs, and treatments, and determines the length of stay” (emphasis added).[13]

As such, we generally ask that an ALJ consider the treating physician’s unique opportunity to personally examine and assess the condition of the patients at issue in a case. Logically, there can be little doubt that the treating physician was (and remains) far more familiar with the clinical needs of his or her patients than a reviewer whose assessment has been based solely on medical records often rendered years after the services were administered. To decide otherwise would effectively ignore the fact that there is truly no substitute for a personal, face-to-face evaluation of a patient by his or her treating provider.

XIV. Limitations on Contractor Liability

Over the years, in cases where a provider has ultimately prevailed in an administrative overpayment case, issues of contractor negligence (and potentially, contractor liability) our client has asked us to seek indemnification from the ZPIC. Unfortunately, Congress has made it very difficult to prevail in a case against a ZPIC or their employees. Under 42 C.F.R. § 421.316(a):

“Limitation on Medicare integrity program contractor liability.

(a) A MIP contractor, a person or an entity employed by, or having a fiduciary relationship with, or who furnishes professional services to a MIP contractor is not in violation of any criminal law or civilly liable under any law of the United States or of any State (or political subdivision thereof) by reason of the performance of any duty, function, or activity required or authorized under this subpart or under a valid contract entered into under this subpart, provided due care was exercised in that performance and the contractor has a contract with CMS under this subpart.”

As a result, program integrity contractors (such as ZPICs), their employees, and professional consultants are typically protected from criminal or civil liability as a result of the activities they perform under their contracts as long as they use due care. While it is conceivable that you could become involved in a program integrity enforcement case, most of the cases you will likely see will involve another contractor working for CMS.

XV. Responding to a ZPIC Audit or Inquiry

It is essential that you proactively review your compliance with applicable medical necessity, coverage, documentation, coding, and billing practices requirements in order to better ensure that statutory and regulatory requirements have been met. It is equally important to remember that while the actual amount in controversy is always a focus, every denied claim increases your overall claims denial rate. After all, it is entirely likely that ZPICs target providers with higher claims denial rates.

XVI. What Should You Expect as the ZPIC Audit Process Transitions Over to the Replacement UPIC Audit Process?

As discussed in our article on Uniform Program Integrity Contractors (UPICs), the steady implementation of the UPIC contracts will ultimately result in a discontinuation of ZPIC audit operations. Please keep in mind, if prior history is any indication, the transition process could take YEARS! As of May 2018, one of the legacy PSC contracts was still active. There really isn't any way to predict how long it will take to completely transition over to the UPIC audit program.

NATIONWIDE REPRESENTATION -- Call for Free Consultation: 1 (800) 475-1906

If your practice or health care organization is placed on prepayment review or receives a request for medical records, it is imperative that you take affirmatively take steps to show the contractor that your claims qualify for coverage and payment. A number of Liles Parker attorneys are also "Certified Professional Coders" and / or “Certified Medical Reimbursement Specialists.”
Is your health care organization currently being investigated or audited by a UPIC? If so, please give us a call for a complimentary consultation. We can be reached at: 1 (800) 475-1906.


[1] Prior to the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), CMS relied heavily on fraud detection efforts by Fiscal Intermediaries (Part A) and Carriers (Part B) to identify providers suspected of engaging in wrongful coding and billing practices. These private companies were also responsible for processing millions of Medicare claims submitted by health care providers and suppliers to the program for payment each day.

Among its far-reaching provisions, HIPAA established the Medicare Integrity Program (MIP). This program was established in an effort to strengthen CMS’s ability to reduce fraud and abuse in the Medicare program. Under MIP, CMS began transferring much of the responsibility for detecting and deterring Part A and Part B fraud and abuse to Program Safeguard Contractors (PSCs). Duties and responsibilities of the PSCs included, but were not limited to:

  • Identifying and researching problem claims.
  • Placing providers on pre-payment review.
  • Conducting post-payment claims reviews of providers.
  • Conducting overpayment determinations of claims reviewed.
  • Developing potential fraud cases and referring them to HHS-OIG.
  • Responding to requests from law enforcement and other entities.
  • Conducting pre-payment review of providers on suspension.
  • Conducting provider education activities related to fraud activities.
  • Conducting data analysis activities in support of fraud detection and investigation.

PSCs aggressively pursued alleged Medicare overpayments made to physicians, home health agencies, hospice companies and other health care providers around the country. By and large, PSC contracts have been discontinued and the program integrity responsibilities previously handled by these contractors have been transitioned over to ZPICs.

[2] Medicare Program Integrity Manual, Chapter 4, §4.2.2.

[3] See generally, MPIM, Chapter 4, §4.2.2.

[4] Id.

[5] Medicare Program Integrity Manual, Chapter 2, §2.3.

[6] Medicare Program Integrity Manual, §4.7.1.

[7] If a ZPIC makes a referral to OIG and does not receive a response within 60 calendar days, the ZPIC is supposed to make a subsequent referral to the FBI, if the facts warrant such an action. If the FBI declines the case or fails to respond within 45 days, the ZPIC can forward the referral to another law enforcement agency or treat the matter as an overpayment action.

[8] CMS can revoke the right of a provider to receive assigned payment for physician services for a number of reasons. For instance if the provider violates the terms of assigned payment (such as attempting to collect more than the allowable amount), or failing to provide evidence of compliance with the assignment rules when requested by CMS or one of its contractors.

[9] Marsh v. Bowen, No. Civ. H-85-893, 1986 WL 69272 (D. Conn. 1986).

[10] Klementowski v. Sec’y of HHS, 801 F.Supp 1022 (W.D. N.Y. 1992).

[11] 927 F.2d 57 (2d Cir. 1991).

[12] 71 F.3d 1060, 1064 (2d Cir. 1995).

[13] 42 C.F.R. § 424.10(a) (2010).

[i] As of March 20, 2017, a couple of legacy PSC contracts were still in effect.