The Jumble of Medicare and Medicaid Integrity Review Contractors
The Center for Medicare and Medicaid Services (CMS) is the division within the Department of Health and Human Services (HHS) that administers and oversees the Medicare and Medicaid programs.[1] The CMS is tasked with preventing fraud, waste, and abuse within Medicare and Medicaid programs, and with ensuring the long-term sustainability of the Medicare Trust Fund. In order to accomplish this goal, CMS outsources its investigatory duties to private entities, called “integrity contractors,” who select healthcare providers and suppliers to audit and conduct prepayment and post-payment reviews of medical claims.
CMS tasks various private entities with performing these integrity audits, including Medicare Administrative Contractors (MACs), Zone Program Integrity Contractors (ZPICs), Recovery Auditor Contractors (RACs), Unified Program Integrity Contractor (UPICs), Comprehensive Error Rate Testing Program contractors (CERTs), and Medicaid Integrity Contractors (MICs). This jumble of integrity contractors, combined with each contractor’s unique audit process, responsibilities, and powers, can confuse the most seasoned healthcare professionals. This article provides an overview of these various CMS contractors.
MACs
Medicare Administrative Contractors (MACs) are private contractors hired by CMS to audit and process claims submitted by healthcare providers. MACs conduct both prepayment reviews and post-payment audits of claims.
RACs
Recovery Auditor Contractors (RACs)[5] are private contractors tasked with identifying and recouping Medicare overpayments made to healthcare providers. Every few years, RACs select “problem” areas with historically high rates of claim submission errors or fraud on which to focus their investigatory efforts.[6] RACs are organized into five geographic regions within the U.S. Upon reviewing a provider’s or medical entity’s submitted claims, the private insurer or CMS contractor can determine that the claims were improperly paid and seek recoupment from the provider. Some of the common reasons for adverse post-payment determinations include:
Missing provider signature (e.g., using a stamp signature in place of a handwritten signature on paper records or missing an electronic signature on electronic health records);
Missing provider Medicare or Medicaid identification number
Missing beneficiary Medicare or Medicaid identification number
Missing page numbers in medical records
Duplicate claim submissions
Dates of service in medical record that do not match dates of service in claim form
Services provided by an ineligible provider (e.g., provider who is not enrolled with the insurer)
Failing to record the medical necessity of the goods or services provided
Billing for medical goods or services which are not covered by the insurer
Billing for services which were not provided
Billing bundled services as separate unbundled services
Submission of claims using the improper claims form (e.g., not using CMS 1500, 2006 ADA Dental or UB04 claim form)
Improper use of Current Procedural Terminology (CPT) or Current Dental Terminology (CDT) codes
Improper or insufficiently specific ICD-10 diagnosis (10th Revision of the International Classification of Diseases)
The RAC may then extrapolate its findings from the sample of reviewed claims to all of the claims which the provider or supplier had billed during the review period. For example, if the RAC finds that 50 of out 200 (25%) of the sample claims which were reviewed were improperly billed, the contractor can apply the 25% error rate to all of the claims which the provider billed to that payer during the period under review.
The process of appealing a denied Medicare claim or adverse RAC audit for Medicare Part A and Part B consists of five levels:
First Level of Appeal: Redetermination by a Medicare carrier, fiscal intermediary (FI), or Medicare Administrative Contractor (MAC)
Second Level of Appeal: Reconsideration by a Qualified Independent Contractor (QIC)
Third Level of Appeal: Hearing before an Administrative Law Judge (ALJ) in the Office of Medicare Hearings and Appeals (OMHA)
Fourth Level of Appeal: Review by the Medicare Appeals Council
Fifth Level of Appeal: Judicial Review in Federal District Court
Although Medicare contractors cannot recoup payment for claims which they deemed improperly billed at the first and second levels of appeal, they can recoup payments at the third to fifth level of appeal.
ZPICs
Zone Program Integrity Contractors (ZPICs) are responsible for identifying and preventing fraud and abuse within the Medicare system by conducting benefit integrity prepayment and post-payment reviews of Medicare providers. A ZPIC can initiate the review process on its own or commence it after the MAC has flagged a provider or supplier for suspected fraud or abuse. In the event that a ZPIC concludes that fraud had occurred, it can refer the matter to the OIG or to the FBI, which can bring a variety of civil, administrative and criminal actions against the provider or supplier.
The ZPIC post-payment audit begins when the ZPIC mails an Additional Documentation Request (ADR) to the provider or medical supplier. The provider or supplier is asked to submit the medical records and documentation requested in the ADR. After receiving the requested documents, the ZPIC conducts a review to determine whether overpayment had occurred. The ZPIC then sends its determination to the MAC, which mails a Remittance Advice (RA) outlining the ZPIC’s findings to the provider or medical supplier. The provider or supplier must then either repay the alleged amount of overpayment or appeal the adverse determination to the Office of Medicare Hearings and Appeals (OMHA).
CERTs
The Comprehensive Error Rate Testing (CERT) contractor conducts post-payment audits to identify the percentage of improperly submitted Medicare claims, or the Medicare Fee-for-Service (FFS) improper repayment rate. In order to calculate the FFS improper repayment rate, CERT contractors review a sample of randomly selected Medicare claims to determine whether the sample claims comply with Medicare’s coding and billing requirements. If the CERT contractor concludes that the sample claims do not satisfy Medicare requirements or if the provider fails to submit medical records in support of the billed claim, the claim may be deemed an improper payment and recouped from the provider.
UPICs
The CMS created the Unified Program Integrity Contractor (UPIC) program in order to increase information sharing amongst contractors, obtain more comprehensive claim and payment data, and prevent the duplication of efforts caused when two or more contractors audit the same claims.[7] To date, UPICs have replaced many of the duties of Zone Program Integrity Contractors (ZPICs), Medicaid Integrity Contractors (MICs), and Program Safeguard Contractors (PSCs), and have become a primary mechanism for investigating fraud and abuse.[8] There are currently five UPIC jurisdictions within the U.S., with each jurisdiction covering seven to twelve states.[9]
UPICs have broad authority to investigate fraud and abuse and to review claims submitted to Medicare, Medicaid and Medicare-Medicaid plans, and use various methods to fulfill their duties, including:[10]
Conducting prepayment reviews;
Calculating overpayment determinations;
Requesting medical records and documentation;
Interviewing Medicare beneficiaries, complainants, and providers;
Conducting on-site visits of providers or suppliers;
Collaborating with the federal, state, and local governments, as well as law enforcement and other CMS contractors to investigate and prosecute waste, fraud and abuse.
UPIC Audit Triggers
UPICs select healthcare providers or suppliers for review as a result of consumer or employee complaints of waste, fraud and abuse or due to data mining which reveals patterns of irregular billing practices. When determining which leads to investigate, UPICs prioritize allegations which concern:[11]
patient abuse or harm;
multi-state fraud;
high dollar amounts of potential overpayment,
payment suspensions and revocation;
likelihood of future fraud expansion;
law enforcement requests for assistance that involve responding to court-imposed deadlines;
law enforcement requests for assistance in ongoing investigations that involve national interagency (HHS-DOJ) initiatives or projects; and
fraud, waste or abuse complaints brought by Medicare Supplemental Insurers.[12]
Examples of situations which would trigger a UPIC investigation include:[13]
Complaints that the provider or supplier accepts or offers kickbacks;
Complaints that the provider or supplier routinely waives co-payments;
A finding that the provider or supplier falsified certificates of medical necessity, plans of care and other records:
A finding that the provider or supplier had billed for goods or services which were not provided;
Complaints that the provider or supplier misrepresented a patient’s diagnosis to obtain payment; and
Complaints that the provider or supplier provided goods or services to individuals who used the same Medicare benefits card.
The UPIC Review Process
Prior to beginning a service-specific review, the UPIC will mail the provider or supplier a letter to inform them of the ongoing investigation.[14] The UPIC may also mail an additional documentation request (ADR) requiring the provider or supplier to provide specified documentation for the claims under review.[15] After conducting its review, the UPIC will mail the provider or supplier a Final Results letter outlining the findings of its investigation. If the UPIC identifies overpayments, it will forward its findings to the MAC, which will issue a demand letter in the amount of the estimated overpayment.[16] If the UPIC identifies evidence of fraud or abuse, it may refer the matter to various government agencies, including the OIG and the FBI. If the OIG or FBI accepts the referral for investigation, the UPIC will collaborate with the agencies and law enforcement to bring a case against the provider or supplier.
Targeted Probe and Educate (“TPE”) Program
The Targeted Probe and Educate (“TPE”) Program, formerly known as the Progressive Correction Action (“PCA”) Program, was created by the CMS to reduce Medicare claim denials and claim submission errors by providing providers and suppliers (collectively, “providers”) with education and assistance. The CMS tasks the Medicare Administrative Contractors (“MACs”) with conducting the TPEs, selecting specific subject areas for review, and choosing providers for the TPE review. Some of the common oversights which can convince the MAC to place the provider on a TPE include:
Missing provider signature
Insufficient documentation
Patient encounter notes which do not support eligibility requirements
Missing or incomplete certifications or recertification.
A provider who has been selected for a TPE will receive a letter from the MAC[17] requesting copies of 20 to 40 medical claims (and supporting medical records) which the provider had submitted for reimbursement.[18] The MAC will then review the submitted documentation to identify and errors in the submission process. If the MAC identifies any such errors, it will invite the provider to participate in a one-on-one education session[19] during which the MAC will review the identified errors and assist the provider with correcting them. The meeting will also permit providers to ask questions regarding their claims and relevant CMS policies which were reviewed. After completing the one-on-one education session, the provider will be given 45 days to improve their claim submissions. When the 45-day period expires, the MAC will review another 20 to 40 sample medical claims to discern whether the provider had improved their claim accuracy. It is important for the provider to use the one-on-one session(s) to become familiar with CMS documentation requirements and to ensure that it avoids making similar errors in the future. These proactive actions are important because if the provider fails to improve its claim accuracy after three education sessions, it may be placed on prepayment review or a post-payment audit.
SMRCs
The Supplemental Medical Review Contractor audit (“SMRC audit”) is a relatively new kind of post-payment audit that has gained prevalence over the last several years.[20] The SMRC audit is a nation-wide review of selected medical services and provider specialties associated with Medicare Part A, Part B, and Durable Medical Equipment (DME) claims.[21] The CMS selects which services and/or provider specialties will be reviewed by the audit from vulnerabilities identified by CMS’ internal data analysis, national claims data collected by Federal agencies, including the Office of Inspector General (OIG) and the Government Accountability Office (GAO), the Comprehensive Error Rate Testing (CERT) program, and professional organizations.[22]
In order to implement the SMRC audit, the CMS employs a Supplemental Medical Review contractor (“SMRC”) to conduct the audit.[23] In order to accomplish this objective, the SMRC evaluates the extent to which the Medicare claims billed by the healthcare provider or supplier comply with coverage, coding, payment and billing practices, as determined by the relevant statutes, laws, regulations, national and local coverage determination policies (LCDs), and coding guidance.[24] Specifically, the SMRC conducts three kinds of project reviews:
(1) the Healthcare Fraud Prevention Partnership Support Review, which focuses on fraud, waste, and abuse trends;
(2) the Program Integrity Support Review, which evaluates possible falsification or alterations of medical record documentation[25]; and
(3) the Provider Compliance Group Review, which evaluates the beneficiary’s information and supporting medical records to ensure that payment is made only for services that meet all Medicare coverage, coding, and medical necessity requirements.[26]
The SMRC Audit Process
The SMRC will mail the healthcare provider or medical supplier who is selected for an SMRC audit an Additional Documentation Request (ADR) requesting supporting documentation related to the specific Medicare claims under review.[27] The provider or supplier has 45 calendar days from the date of the ADR letter to submit the requested documents[28] or to request an extension to submit the documents.[29] After the provider submits the response, the SMRC will review the provider’s supplementary documentation to determine whether improper payments were made and mail the provider a Final Results letter outlining its findings.[30] If the provider agrees with the SMRC’s findings, it will undergo the standard overpayment recovery process.[31] If the provider disagrees, however, it can request a Discussion and Education Session (D&E)[32] with the SMRC and/or notify the SMRC of its intent to submit additional documentation in support of payment for the reviewed claims.[33] The provider or supplier must inform the SMRC of its intent to submit additional documentation or to request a D&E Session within 14 days of the date of the Final Results letter.[34] In addition, the SMRC must receive the additional documentation within 30 days of the date of the Final Results letter.[35] If the provider or supplier submits the additional documentation within the required time period, the SMRC will review the supplemental documents and issue a Revised Final Results letter.[36] If the SMRC concludes that improper payments were made, it will notify the CMS, who will begin the overpayment recovery process. Specifically, the CMS will instruct the provider or supplier’s Medicare Administrative Contractor (MAC) to adjust future claim payments or seek recoupment of the alleged overpayments. The MAC will then mail the provider or supplier a notice of overpayment which must be paid or appealed through the Department of Health and Human Services (HHS).[37]
The SMRC Audit Appeals Process
The healthcare provider can appeal the SMRC’s overpayment findings through the Department of Health and Human Services after it receives an overpayment demand letter from its MAC.[38] The SMRC does not handle appeals and the provider or supplier must conduct the appeal through its MAC.[39] The appeal is a multi-level process within the Department of Health and Human Services (HHS) which consists of (a) redetermination,[40] (b) reconsideration,[41] (c) administrative law judge (ALJ) hearing,[42] and (d) Office of Medicare Hearings and Appeals.[43]
Responding to an ADR from an SMRC
A provider or supplier who receives an ADR letter from an SMRC must reply to the request within 45 days of the letter’s issuance. To that effect, the provider should attempt to compile and submit the requested documentation as promptly as possible. Most ADR letters will include a specific list of requested documentation, such as requests for copies of the physician order, lab and other diagnostic test results, the procedure note(s), plan of care, discharge notes, the claim form, or patient billing statement. The provider should ensure that its response to the ADR includes every document which is requested. The provider or supplier failure to provide the requested documentation by the 45-day deadline is one of the main reasons that the CMRC assesses overpayments. In addition, the provider should organize the requested documentation in the most appropriate chronological order, guiding the auditor through the patient’s plan of care, and that the pages are consecutively numbered. The provider should include a copy of the ADR and the contact information of a designated point of contact in the beginning of the response packet, in front of the actual medical records. Finally, the provider should submit the entire packet via mail, fax, or electronically, and retain a copy for its records.[44]
MICs
Medicaid Integrity Contracts (MICs) audit and review Medicaid claims submitted by health care provider and entities. Although MICs serve a similar function to Medicare RACs, they have different operational requirements and procedures. MICs are permitted to review Medicaid claims as far back as permitted under the laws of the state in which they operate. The period of time that a contractor is permitted to review when auditing a healthcare provider or supplier is called the “look back period.”
Unlike ZPICs, which are limited in the number of claims that they can select to review during an audit, MICs can request and review an unlimited number of claims. In addition, they can require the provider or supplier who is under review to produce the requested documentation in as little as two weeks. After reviewing the claims and corresponding medical documentation that is submitted by the provider or supplier, the MIC issues a determination regarding the amount of overpayment, if any, which occurred. If the provider or supplier disagrees with the amount of overpayment that the MIC assesses in its final audit report, the provider or supplier may appeal the MIC’s findings. Unlike other CMS audit contractors, such as RACs and ZPICs, which must follow specific appeal processes set forth in federal regulations, providers’ appeal rights for MIC denials are determined by the laws of the particular state Medicaid program. The likelihood that your appeal will succeed depends on the which agencies control the Office of Administrative Hearings in your state. In North Carolina, for instance, a provider stands a good chance of overturning a Medicaid claim denial when filing an appeal with the Office of Administrative Hearings because the OAH is not controlled by the same agency which issued the initial claim denials. In New Mexico, on the other hand, it is significantly more difficult for the provider to win an appeal before the OAH because the judges at the administrative agency are hired by the Human Services Department, the same entity which originally denied the claim. In addition, depending on the state, the auditor may or may not seek recoupment from the provider during the appeal process.
[1] Although the Medicare program is entirely managed by the Federal government, the Medicaid program is jointly managed by the state and federal governments.
[4] The post-payment review can prove especially damaging for the healthcare provider because the contractor can extrapolate the alleged overpayments of the selected sample of claims to all of the claims which the provider billed during the audit period, significantly increasing the amount which the provide may owe in overpayments.
[5] The RAC program became permanent in 2006, with the passage of theTax Relief and Health Care Act.
[6] Examples of recent RAC targets include DME, home health, and hospice claims.
[7] Anne Grizzle and Julia Tamulis, An Introduction to Health Law Litigation Based on Contract and Government Claims, 1, 93.
[8] See supra note 5.
[9] Each UPIC jurisdiction is aligned with the previously established MAC zones, and include Puerto Rico, Guam, the
Virgin Islands, American Samoa, and the Northern Marianas Islands.
[10] See Noridian Healthcare Solutions, DME Jurisdiction D, UPIC (last visited April 18, 2020),
https://med.noridianmedicare.com/web/jddme/cert-reviews/upic.
[11] See Medicare Program Integrity Manual, Section 4.2.2.1.
[12] CMS requires a UPIC which receives a referral from a Medigap insurer that a provider or supplier is engaging in fraud to immediately conduct a data run to determine possible Medicare losses and to refer the case to the OIG. Id.
[13] See Medicare Program Integrity Manual, Section 4.2.1.
[14] Id. at Section 3.2.2(B).
[15] Id. at Section 3.2.3(A).
[16] Id. at Section 3.6.4(D).
[17] The letter will be sent by the MAC which is charged with overseeing the jurisdiction in which the provider operates.
[18] It is crucial for a provider who has is selected for a TPE to timely comply with the MAC’s documentation requests. If the provider complies with the MAC’s request, the provider will not be reviewed again for at least another year regarding the subject which triggered the review.
[19] This session will usually be provided using webinar or teleconference.
[20] See Don Romano and Jennifer Colaiovanni, In this Issue, the Alphabet Soup of Medicare and Medicaid Contractors, 27 Health Lawyer *1, at *11-12 (Aug. 2015).
[21] Medicare Program Integrity Manual, Pub. 100-08, Chapter 1, Section 1.3.1.
[22] See supra note 4 at *12.
[23] The current SMRC is Noridian Healthcare Solutions, which was retained by CMS on February 13, 2018. A properly billed claim is one in which the underlying medical treatment was: (1) provided economically and only when, and to the extent, medically necessary; (2) of a quality which meets professionally recognized standards of health care; and (3) supported by evidence of medical necessity and quality. See 42 U.S.C.S.§ 1320(c)(5).
[24] See Supplemental Medical Review Contractor, Noridian Healthcare Solutions (last visited April 16, 2020),
https://www.noridiansmrc.com/.
[25] Examples of evidence of document falsification or alteration include but are not limited to: including, but not limited to: obliterated sections; missing pages, inserted pages, white out; and excessive late entries; evidence that service billed for was actually provided and/or provided as billed; or, patterns and trends that may indicate potential fraud, waste, and abuse.
[26] See Current Projects, Noridian Healthcare Solutions SMRC (last visited April 18, 2020),
https://www.noridiansmrc.com/current-projects/.
[27] See CMS Internet Only Manual (IOM), Publication 100-08, Medicare Program Integrity Manual, (last visited Apr. 19, 2020), https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Internet-Only-Manuals-IOMs-Items/CMS019033?DLPage=1&DLEntries=10&DLSort=0&DLSortDir=ascending; Supplemental Medical Review Contractor, Noridian Healthcare Solutions SMRC (last visited on April 20, 2020), https://www.noridiansmrc.com/; Provider Compliance Group Medical Review Process Flowchart, Noridian Healthcare Solutions SMRC (last visited Apr. 20, 2020), https://www.noridiansmrc.com/documentation-requests/provider-compliance-group-pcg-medical-review-process-flowchart/.
[28] The provider or supplier can submit the requested documentation by mailing hard copies, faxing the records, electronically sending the records by CD/DVD, or electronically submitting the records through Noridian’s SMRC website. For detailed submission instructions, see How to Respond to an ADR, Noridian Healthcare Solutions SMRC, https://www.noridiansmrc.com/documentation-requests/how-to-respond-to-an-adr/.
[29] Id.
[30] Id.
[31] See Discussion and Education Period, Noridian Healthcare Solutions SMRC, https://www.noridiansmrc.com/discussion-education-period/.
[32] A Discussion and Education Session is a meeting in which the provider meets with the SMRC reviewer to discuss the auditor’s rationale for the medical review findings, to receive education about coverage, coding and payment policies for the subject claim to avoid further denials, and to submit additional documentation. I
[33] Id.
[34] Id.
[35] Id.
[36] Id.
[37] See The Alphabet Soup of Medicare and Medicare Contractors at *12.
[38] See Completed Projects, Noridian Healthcare Solutions SMRC, https://www.noridiansmrc.com/completed-projects/.
[39] Id.
[40] The provider must file the request for redetermination within 120 days of the SMRC’s final decision, and within 30 days to avoid being liable for overpayments (i.e., recoupment).
[41] The provider must file the request for reconsideration within 180 days of the SMRC’s final decision, and within 60 days to avoid being liable for overpayments (i.e., recoupment).
[42] The provider must file request the ALJ appeal within 60 days of the decision regarding the request for reconsideration. The CMS will recoup any alleged overpayment during this and following stages of appeal.
[43] The provider has 60 days from the issuance of the ALJ decision to file an appeal with the Medicare Appeals Council (MAC).
[44] See Submission Guidelines: How to Respond to an ADR, Noridian Healthcare Solutions SMRC (last visited April 18, 2020), https://www.noridiansmrc.com/documentation-requests/how-to-respond-to-an-adr/.
