Applied Policy has previously reported on the work of Recovery Audit Contractors (RACs), independent contractors sometimes characterized as “bounty hunters” for their pursuit of improper payments in the Medicare fee-for-service program.

This month we turn our focus to a the “detectives” of the Centers for Medicare & Medicaid Services’ (CMS’s) program integrity activities—the unified program integrity contractors, or UPICs.

Overview

Like RACs, UPICs are independent contractors, working on behalf of CMS to protect government healthcare program payments. But their mission, jurisdictions, and tactics are different.

RACs, which were established under the Medicare Prescription Drug, Improvement and Modernization Act of 2003, are charged with identifying and correcting improper payments made under Medicare Parts A and B. UPICs, which have only been in existence since 2016, and which have assumed responsibilities previously performed by Zone Program Integrity Contractors (ZPICs) and Medicaid Integrity Contractors (MICs), are charged with deterring fraud, waste and abuse in Medicare Parts A and B, Durable Medical Equipment (DME), Home Health, Hospice, Medicaid and the Medicare-Medicaid (Medi-Medi) data match programs.[1]

CMS contracts with a single UPIC for each of five geographic jurisdictions: Midwest, Northeast, West (inclusive of American Samoa, Guam, and the Northern Mariana Islands), Southeast (inclusive of Puerto Rico and the Virgin Islands), and Southwest. While there is only one UPIC per region, a UPIC may be awarded contracts for multiple jurisdictions.

UPICs work under indefinite delivery, indefinite quantity (IDIQ) contracts, with funding for each UPIC based on the jurisdiction’s historic workload. Annual funding for each of the five individual UPICs ranged from $16.5 million to $24.5 million in 2019, but a five-year contract extension awarded to one UPIC in 2022 for $154 million indicates that program funding is increasing.

Unlike RACs, which receive a percentage of the improper payments they identify, UPICs do not work on a contingency basis. However, CMS is authorized to adjust payments to UPICs if their workloads increase significantly and to award individual performance-based bonus payments.

While UPICs work on program integrity activities such as waste and abuse, most of their work is focused on fraud. This may include “upcoding” in which a provider/supplier deliberately misrepresents procedures or diagnoses in order to maximize reimbursement, “double billing” in which providers/suppliers bill Medicare and a patient or other insurer for the same service or item, and “phantom billing” in which a bill is submitted for services or items a patient never received.

In their efforts to identify fraud, UPICs conduct both pre-payment medical reviews and post-payment audits. Like RACs, individual UPICs employ proprietary software in their data analysis and data mining to identify unusual billing patterns or practices. Red flags can include comparatively high utilization rates or higher than expected billing rates for high-priced services.

UPICs may also be alerted to the potential existence of fraud by outside entities and individuals, including law enforcement agencies, Medicare Administrative Contractors (MACs), provider/supplier staff, or individual beneficiaries. The Federal Trade Commission, the Department of Justice, private insurers, advocacy organizations, and individual states have joined CMS in outreach programs enlisting Medicare beneficiaries in efforts to identify and report suspected fraud.

Essentially deputized by CMS, UPICs exercise a wide degree of latitude in conducting their investigations. They are authorized to make site visits unannounced, conduct interviews with any interested parties, and to request medical records and other documentation for review.

Importantly, UPICs are allowed to extrapolate loss from small but statistically significant sample sizes. This means that even their seemingly most innocuous records request can be consequential.

Program authority

UPICs are empowered to initiate CMS-approved payment suspensions in coordination with the MAC when they credibly suspect fraud, have reliable information that an overpayment exists, or when providers/suppliers fail to comply with requests for documentation. UPICs can also recommend the revocation of a provider’s or supplier’s Medicare enrollment.

UPICs work closely with law enforcement agencies including the Federal Bureau of Investigation and the Department of Justice. The Medicare Integrity Program Manual specifies both that UPICs should be available to serve as a point of reference for agencies which may not be familiar with healthcare issues and that they retain staff who are qualified to testify in both criminal and civil cases.

Program requirements

While UPICs enjoy relative discretion and authority in their outward-facing activities, they work under specific constraints.

They are required to bill costs to the individual program—Medicare, Medicaid, or Medi-Medi Data Match—for which any work is conducted. They must also enter information regarding their investigations into the Unified Case Management System, a centralized database which serves as a repository for leads and investigations.

UPICs may undertake requests for assistance (RFAs), and requests for information (RFIs) at the request of law enforcement, CMS, or other stakeholders.

Performance to date

UPIC post payment reviews in 2020 resulted in $200.2 million in savings to the Medicare program; UPIC recoveries in Medicaid and CHIP programs lead to $7.4 million in savings for the federal government. And in last year’s review, the Office of the Inspector General of the Department of Health and Human Services concluded that the program holds “promise to enhance program integrity across Medicare and Medicaid.”

Like RACs, UPICs have been accused of being overzealous in their program integrity efforts, with providers and auditors frequently disagreeing on what qualifies as an improper payment. As UPICs have ramped up their activities after a brief pause at the start of the pandemic, some argue that their audits present unnecessary financial and administrative burdens for providers. They have also been criticized for unfairly leveraging their authority in what has been characterized as a “suspend-and-grab” approach to payment recovery.

There have been instances in which the announcement of a UPIC’s intention to initiate a post-payment review has been enough to prompt a provider to admit their error and initiate repayment. And the very authority which can strike fear in the heart of an offender can also make communications from UPICs intimidating for even the most compliant of providers and suppliers.

UPIC representatives advise against panic in response to their communications and point to their efforts on behalf of providers. Among these is the Victimized Provider Project, which provides advice to providers who may be the victims of identity theft and could be liable for repayment for services, tests, or equipment billed in their name.

In addition, UPICs can assist providers/suppliers by identifying program weaknesses that may make them vulnerable to abuse and act as partners in the development of program integrity initiatives.

A focus on Medicare

Given the previously mentioned educational outreach, it is not surprising that 82% of the leads received by UPICs are specific to Medicare. And this is reflected in their work. In a review of UPICs released in October 2022, the OIG identified “substantial differences in results between Medicare and Medicaid program integrity activities.”

The adage “If you’ve seen one Medicaid program, you’ve seen one Medicaid program” seems particularly appropriate in assessing the challenges UPICs face in working across state programs. The variation between state Medicaid policies, programs, and data systems makes it difficult for UPICs to implement model programs across states. CMS even specifies that UPICs, which are not subject to any look back restrictions in investigating Medicare fraud, must defer to the look back period specified in each state when conducting Medicaid audits or investigations.

The pandemic may have exacerbated this difference, as Medicaid enrollment and spending increased under the federal government’s continuous enrollment requirements.

Looking forward

It remains to be seen what impact, if any, provider complaints about UPIC audits may have on the exercise of authority by individual contractors. However, with its proven record for recovery, endorsement from the OIG, and commitment from CMS to address program weakness, the UPIC program is positioned to continue and likely to grow.

********

[1] Mandated by the Social Security Act, the Medicare-Medicaid Data Match program (Medi-Medi program) “enables program safeguard contractors (PSC) and participating State and Federal Government agencies to collaboratively analyze billing trends across the Medicare and Medicaid programs to identify potential fraud, waste, and abuse.”