AHLA's Speaking of Health Law

UPIC Audits: How Providers Should Respond

November 07, 2023 AHLA Podcasts

Unified Program Integrity Contractors (UPICs) are unlike other Medicare contractors. Lori Foley, Office Managing Principal, PYA, and Brenna Jenny, Partner, Sidley Austin LLP, discuss some of the basic responsibilities of UPICs, what differentiates UPIC audits from other CMS audits, how UPIC audits progress from probe to referral, recommendations for providers who receive a UPIC audit, whether UPICs are effective, and how providers can design robust compliance programs.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.


Speaker 1:

This episode of AHLA's Speaking of Health Law is brought to you by AHLA members and donors like you. For more information, visit americanhealthlaw.org. Hi, good afternoon. This is Lori Foley with PYA, and I'm excited to be here today with Brenna. For a little background, I've been in healthcare for just over 30 years, working with physicians and hospitals on a number of operational compliance and regulatory matters. I lead PYA's Revenue and Compliance Advisory Service Lines. PYA is a national consulting and accounting firm with significant healthcare expertise, and I'm excited to be here today with, uh, Brenna Jenny, as we're talking more about UPICs. Brenna, would you like to introduce yourself?

Speaker 2:

Sure, thanks, Lori. My name is Brenna Jenny, and I'm a partner at the law firm of Sidley Austin in Washington, DC. The bulk of my practice involves defending providers and healthcare companies in government investigations. And before I rejoined my firm a few years ago, I was at the Department of Health and Human Services, where I served as the Chief Legal Officer for CMS and the Principal Deputy General Counsel for HHS. And then prior to that, I spent some time at the Civil Division of the Department of Justice, where I did a lot of work on False Claims Act cases, generally in the healthcare sector.

Speaker 1:

Great. Brenna, I know, as you and I were talking, we are seeing a number of clients dealing with Unified Program Integrity Contractors, or UPIC, audits, and the uptick seems palpable in our conversations. You and I have been talking about how UPICs are not like other Medicare contractors. What are some of the basic responsibilities of the UPIC?

Speaker 2:

So, UPICs replaced some Medicare contractors, but they continue to operate alongside others doing, um, investigatory and audit work. So in the mid, uh, 2010s, CMS began to revamp its contractor auditing program. CMS at the time was using different contractors to carry out program integrity audits. Those included the Zone Program Integrity Contractors, or ZPICs, and the Program Safeguard Contractors, or PSCs, for Medicare. And then on the Medicaid side, Medicaid Integrity Contractors. A lot of cooks in the kitchen. So to streamline operations, CMS developed the UPIC program, and the goal was to integrate into one entity all of the Medicare and Medicaid audit and investigation work that was at the time being performed by multiple entities. CMS began awarding UPIC contracts in 2016, and then UPICs were phased in gradually and have been fully operational since 2019, although CMS didn't update the Program Integrity Manual until more recently. And that of course means that UPICs were not around very long before COVID upended everything. And so I, I think UPICs are really kind of in their infancy in a lot of ways. Although UPICs have taken on work previously performed by other contractors, they don't have a monopoly on CMS auditing. For example, MACs still engage in some medical record reviews in addition to their core function of processing claims. Recovery Audit Contractors, or RACs, are regional auditors that focus on specific topics approved by CMS. The CERT program is still operating. So even though all of these entities, uh, in addition to UPICs, do engage in medical record reviews, though, it's important to keep in mind that their reviews each have a different goal than what UPICs do. The focus of MAC reviews is to reduce coding error rates through education and feedback. The purpose of the RAC reviews is to identify and correct Medicare improper payments by detecting and collecting overpayments.
The purpose of the CERT program is to estimate an improper payment rate for the Medicare Fee-for-Service program as a whole. And the focus of the UPIC is different than all of these contractors. And this is CMS's own words: UPIC reviews are uniquely focused on fraud detection and investigation. And it's also important to keep in mind that UPICs get priority as compared to all the other contracting auditors. Here's how that works. The Recovery Audit Contractor Data Warehouse is an online tool that was developed to track all RAC activity as well as all other contractor activity. So in there, UPICs can mark off entire providers or a subset of a provider's claims as off limits to these other federal auditors if those claims are associated with open UPIC investigations.

Speaker 1:

Perfect. And I know, you know, a lot of folks just assume it's another government acronym, that these are just another regular kind of audit. What are some differences on how UPIC auditors are, are different than other Medicare contractors?

Speaker 2:

So, UPICs reactively investigate potential fraud in response to leads that they've received from other stakeholders. And in this way, they are like a typical Medicare auditor. But I wanna focus on two points of distinction between UPICs and traditional auditors. First, UPICs are specifically tasked with proactively identifying potential fraud and then investigating those leads. So UPICs are not just passive contractors waiting for their next assignment. CMS has made very clear that UPICs are supposed to be entrepreneurial and bring new ideas to the table that the government hasn't thought of yet. So how are UPICs supposed to do this? Well, first and foremost, CMS directs UPICs to engage in data mining to find leads. UPICs have access to billing and claims data and their own repositories, and by working with MACs, and they can look for patterns and outliers. CMS also expects UPICs to combine information from multiple sources, including the news media, conferences, special fraud alerts CMS puts out, and data analytics. So CMS wants to see a UPIC take a CMS special fraud alert about a billing issue, and then go mine claims data to find providers who are outliers on that type of claim. The second point of distinction, uh, I wanna flag between UPICs and traditional Medicare contractors is that UPICs serve as a communications hub for the broader federal and state auditing and law enforcement community in a way that's really different from the function of other prior Medicare and Medicaid contract auditors. When CMS started the UPIC program, it also created what's called the Unified Case Management System, or the UCM. This is a national database that the UPICs use to track all of their data analysis projects, their leads, their investigations.
Additionally, the UCM allows UPICs to enter and track various administrative actions that are imposed on a provider by others, such as MACs, for example, imposing, uh, pre- or post-payment reviews or a payment suspension, um, as well as requests for assistance and requests for information that UPICs fulfill at the request of law enforcement, CMS, or other stakeholders. And it's important to keep in mind that UPICs aren't just entering in the fact that a provider is the subject of a lead or an investigation. Each UPIC is required to document all of the activities it has performed while working to substantiate allegations of potential fraud, waste or abuse, for example, onsite visits, medical reviews, data analysis. All of that is documented along with the applicable date of each of those actions. And it's not just UPICs who have access to these data. It's MACs, OIG, CMS, state partners, DOJ, FBI. All of these stakeholders can go in and pull up a provider and get a sense of all of their touchpoints with the auditing and oversight world. So, Lori, now that I've talked a little bit about the differences between UPICs and other Medicare contractors in terms of their function, from the coding and, and kind of medical record review perspective, when a provider might get a request from a UPIC auditor, what differentiates that request from some of the other CMS auditors I've been talking about?

Speaker 1:

Definitely there are a number of, of, um, differences as you look at it. So for example, if we differentiate perhaps from a UPIC audit, uh, from like a Targeted Probe and Educate audit, you know, I think you mentioned the TPE is intended to increase accuracy in very specific areas. Medicare identifies those areas in advance based on high national error rate, significant misunderstanding about a, a rule or a code, or a financial risk to Medicare, and then uses data to identify providers. They'll do a small sample, they'll provide education, and then re-sample. In that scenario, providers or suppliers who have high claim error rates or really unusual billing practices would be an easy target for a, uh, a Targeted Probe and Educate audit. But in that scenario, CMS is really intending to help the, uh, the provider understand the rules, improve their performance, and avoid any issues going forward. UPIC audits, on the other hand, as you mentioned, really are the results of a focused analysis and an investigation into the provider that's occurred in the background. For many providers, the first that they're aware of a UPIC audit is concurrent with an audit letter. In some cases, it's a, we've had a client that, that received a concurrent, uh, payment suspension letter. So that was, you know, two different extremes as, as they come to fruition. And, um, but it's a, uh, a linear progress. Uh, usually they'll see a small record request and, you know, maybe 10, 15 records. And then, um, if it, if they do well, you might not hear anything else. If you don't do well, then in a couple of weeks, the, the provider may receive a, a request for a much more broad scope. So, you know, 50 records or 60 records where, um, it may not be exactly clear what the government is looking at, but the fact that there's that second request, you are definitely on the radar for some additional analysis.
We know that it's not always linear though, how the, how UPICs progress from perhaps that probe where the client gets the letter, um, or where the provider gets the letter and they're starting to produce records. But Brenna, I know there's, there's a whole process in the background that has occurred. What does that behind-the-scenes activity look like?

Speaker 2:

So, UPICs' work begins with screening leads, um, and that is behind the scenes. So whether those leads were referred to the UPIC or proactively generated by the UPIC, using things like data mining like I was talking about, um, that process determines the need for further investigation. Screening activities can include interviews with beneficiaries or a complainant, data analysis, coordination with MACs to understand their prior activities with respect to a provider. But subject to narrow exceptions, one thing screening activities do not include is direct interaction between the UPIC and the provider under review. So the provider is unlikely to know that this phase, this screening, the lead phase, is going on. At the conclusion of the screening process, a UPIC, um, deter, uh, has to decide whether the provider appears to have engaged in fraud, waste or abuse, in which case, um, there's going to be a, a next step with CMS, or if no, the UPIC can decide perhaps to refer the provider to a MAC for education or a quality improvement organization. If the UPIC determines that a lead warrants further investigation, the UPIC submits information about the lead to CMS through that UCM system I mentioned, using a designated vetting form. It's a CMS form. UPICs are not permitted to transition to a full investigation until CMS approves. I think historically there was some concern that Medicare contractors didn't have enough supervision from CMS, that they sometimes went off on their own investigations without CMS really knowing what was going on. So the UPIC, um, program does have this important process step in place. CMS must sign off in order for something to progress to a full investigation. If CMS reviews the UPIC's initial findings from the screening phase and agrees with the UPIC that additional investigation is appropriate, then the UPIC can launch an investigation. Otherwise, UPICs must close the lead and close the case.
It is at the investigation stage that providers under scrutiny first come into direct contact with the UPIC. So in addition to engaging in the same types of activities UPICs can use at the screening stage, UPICs can also take steps that now make their investigation apparent to the targeted provider, including, importantly, by requesting and reviewing medical records and in, uh, interviewing potentially referring providers. Uh, before contacting a provider, though, the UPIC has to review the UCM to confirm there are no ongoing law enforcement activities regarding that provider. And so that's really important because if you get a medical record review request, you know that likely there isn't an ongoing law enforcement action, uh, with respect to that provider group, which of course is a good thing. Medical record reviews form really the core part of the investigative phase according to CMS. And CMS specifically encourages UPICs to undertake medical record reviews as early as possible in an investigation, recognizing that this can be a lengthy process. At the conclusion of this full investigation phase, the UPIC makes a decision about whether it thinks that there was potential fraud, waste, or abuse. If so, the UPIC refers the matter to law enforcement, and if law enforcement accepts the case, they can pursue a variety of healthcare fraud charges, including a False Claims Act case. If law enforcement declines the case, UPICs are supposed to work with CMS to implement potential administrative remedies including payment suspensions, denials of payment, recovery of overpayments, et cetera. If the UPIC decides at this stage after the medical record review that the potential fraud, waste or abuse was not substantiated, then the UPIC can simply elect to refer that provider to the relevant MAC for additional education and training, or possibly just to, uh, seek a recoupment of the particular overpayments, if any, identified in the audit.
So, Lori, obviously, as we've been talking about, the medical record review phase is really important. Um, when a provider receives that request from a UPIC, what tips can you share for how they can put their best foot forward in a response?

Speaker 1:

So first off, it's important for the provider to realize that the audit is being undertaken. So, um, in some practices, you know, it's, it's, people are busy, it could cross multiple desks before it gets to the right desk. And one thing we've observed, these, uh, probe audits typically, um, and the, the more expanded audits really have a really fast turnaround time. So it's important for practices and, and organizations to have a strong process that these types of notifications get to the right person as soon as they are received. Once the request comes in and, and it's in the right hands, we really need to stop and evaluate that request. We need to identify the date that the response is due, look at the records that are being requested, um, identify, you know, really kind of creating a response timeline because that turnaround time is very short, and those record requests are pretty extensive. You would expect the normal documentation to support that the service was rendered. But when you look at all of the, the list of information that is requested, it goes beyond just, um, office progress notes and encounter forms, orders, labs, things like that to include, um, on the list of contractual agreements that might be applicable. Beneficiary notices of liabilities such as the Advance Beneficiary Notice, signed HIPAA privacy notification forms, consent to treat. It's really a robust list of information that is requested, copies of licenses, uh, for the individuals that are documenting in the record, for example. So this isn't your average medical record request that can just go to your, um, request for information team for them to fulfill and, and send off without some significant review. If you review the request and you determine that you can't meet the deadline, uh, there usually is an opportunity to request an extension, but you need to do that very judiciously. This is a good time to include counsel, by the way.
Um, I think as you're evaluating all of that, if time permits, you want to build in plenty of time for, um, aggregating the records on the front end, build in time for review, make sure that everything that supports the, the service and the date of service, that patient, is completely included in the record. Ideally, if time permits, having a third party review the records prior to being sent is helpful just to get an additional opinion as to, um, really looking for patterns. Can we tell from the request what types of services might the, the UPIC be looking for? What types of patients? Is it a particular provider? What patterns can we affirmatively tell from the data request to, to see what's going on? There's a couple of reasons you wanna do that. One, so that you can, um, understand and start to get your arms wrapped around both the risks that you might be facing through this review. But to identify if there's anything in your processes that you need to review, um, to identify errors. If you, if you find some, you want to understand why they happen and, and be able to identify steps to remediate during the review. You don't wanna wait till the end, um, for them to come tell you that there's a problem. You, you get much more favorable treatment if you are assessing and evaluating along the way. That may change the tone and tenor of some of your future conversations with the UPIC on, on those results. If you identify an issue and you've corrected it proactively when you're reviewing those particular records, again, you wanna make sure that they've got all of the services provided. A lot of times what we do, um, when we are con, sometimes it's concurrent.
If there's not enough time for us as a third party to review them prior to being sent, we're reviewing concurrently and we find that the individual who pulled the records, um, you know, may not have gone to this particular location in the electronic medical record to pull this particular supporting factor information. That's, that's helpful. So having time to assess each record, evaluate that each of the components are covered to support all the services were billed. If you've got disparate pieces of information that's not linear in the record, that this result is on page 20, and this result is on page 40, including a cover sheet that might point the auditor to key areas of the record to ensure that they don't overlook something will be especially helpful in those circumstances where it may not be readily apparent to the auditor where the information is in the record. So really tying it up in a bow, everything that you can do to ensure that you've provided all of the requested information in a logical, organized format so that you are essentially teeing it up so the auditor can follow along and, and really see where, um, where all of the information is, how things got coded, how it got documented, um, will really help as, as the process goes along. Brenna, anything to add from your experience?

Speaker 2:

Sure. I think kind of on the, on the back end, the tail end of that record review process you were describing, um, an important question is whether the provider has an obligation to make a broader repayment of overpayments. UPICs generally issue letters to providers memorializing their findings for their version of the medical record review. Uh, and even in cases where there's no referral out to law enforcement, those letters often include language stating that the provider should consider itself on notice that it must exercise reasonable diligence under the 60-day overpayment rule to engage in a broader multi-year look back and return identified overpayments. The decision about the extent to which the provider needs to engage in a broader review, how much broader, um, all of that has potential implications under the False Claims Act because a failure to report and return identified overpayments, uh, and some, some courts have said identified, uh, can have a lower standard than truly actual knowledge. In other words, you can be put on constructive notice of overpayments that you have to find. Uh, so the decision on, in this regard, um, is one that should be carefully considered with input from legal counsel.

Speaker 1:

So, Brenna, how effective have UPICs been?

Speaker 2:

Unfortunately, CMS does not publish much in terms of metrics around the UPIC program. So we don't have crystal clear visibility, but we do have a couple little snapshots. In fiscal year 2020, uh, CMS put out a report covering Medicare and Medicaid program integrity activities, and that report has some relevant metrics. CMS estimates that post-payment reviews implemented by UPICs saved over $200 million alone just in fiscal year 2020, and that law enforcement referrals from UPICs saved almost $75 million. The other glimpse we have into the effectiveness and the breadth of UPIC activities is from a report issued by the HHS Office of Inspector General last fall. And for anyone, uh, interested in the topic of UPICs, I definitely recommend pulling up this report. It has really interesting background on UPICs and some interesting statistics about their operations. HHS OIG ended up surveying UPIC operations for calendar year 2019, and reported that again, just in that year, UPICs screened over 7,000 leads, opened over 4,500 investigations and referred $373 million in overpayments for recovery. Uh, and of course we can, I think, reasonably assume that, that the UPIC program has only been growing and getting stronger, um, since those snapshots from 2019 and 2020. So, Lori, do you have any war stories you can share relating to UPICs, the good, the bad, the ugly?

Speaker 1:

Well, and I think they all fall into the bad and ugly, unfortunately. Although I, I have heard of one or two instances where someone has gone through a UPIC audit, um, and, and not come out with a little bit of a, a burn along the way, but I would say the majority of the time, it, it is, it's just a painful experience. Um, one circumstance we've had a, uh, where an individual received a request for records, again, very small, three to five, uh, three to five records, or three to five patient records that were reviewed, second followed up by a, a more expansive review that ultimately resulted in, you know, almost a concurrent prepayment review where that provider was submitting records in you not until individually approved onset, another circumstance where the, uh, entity received a notice of payment suspension concurrent with the audit. And for most practices and, and entities, you know, Medicare is a significant payer in the market, and so having those payments cease while it is, uh, navigating the UPIC audit is, is pretty painful. And the having the payment suspension lifted is, is its own process. In that particular situation, the client had some warning signs. There was a, a 70% plus denial rate on, on a previous audit. There was training provided and, and during several education sessions, but the UPIC ultimately said that they did not see a material change after performing those education sessions. And so they determined that they had, um, credible allegations of fraud and, and therefore expanded the audit and, and did that, that payment suspension. So the, the, the challenge is in those circumstances where your, you know, your funds are tied up, which navigating these can be expensive, they're time consuming, they're stressful. Uh, so it's really important on the front end to, to do everything you can in your day-to-day operations and your compliance programs in order to avoid, you know, being on the radar for a UPIC audit.
Some things that come to mind, obviously, is having a robust compliance program. Regardless of the size of your organization, your program should be scaled to fit your risks, but it should still be a living and breathing program. In fact, I've seen some record requests for UPICs where they could request your, your compliance program. Remember that that's a, an obligation of, of being a Medicare or Medicaid provider. You can proactively track your record requests and audits and denials, not just from the government, but also from commercial payers, but use that as an opportunity to proactively look for patterns and areas of improvement. What are your results on those audits? Are you getting any feedback related to a particular service or a particular documentation pattern? Make sure you take that feedback and go back, review your processes, determine if you need to update your training, update your policies and procedures, everything to really respond and, um, prevent it from continuing and or, um, occurring in the first place. And if it does, that you have those processes in place to identify it quickly so that you don't get upside down or in, you know, in a, in a, in a bad situation. That would include coding, uh, conducting documentation reviews, making sure you've got experienced, um, coders and, um, medical documentation specialists, that you're providing provider and coder education, as well as conducting audits on both of those parties, both the providers at, at, you know, service at, at bedside, if you will, but also those in the background who are reviewing that documentation and often selecting codes depending on the, the setting and the circumstances. That internal review is important, documenting that training, re-monitoring, all of those pieces are, are super important. A lot of times there's carrier publications and changes in the rules that, that need to be identified and, and promulgated through the organization.
So monitoring carrier publications, national coverage determinations, local coverage determinations are all important. And then again, having that robust process to aggressively, quickly respond to audits and inquiries, not letting them get lost in the shuffle and, and realizing when something is, is, is a big something. Um, sometimes I think providers don't, uh, put themselves in the best position, mainly because they try to tackle these by themselves. And I, I do think this is a circumstance where, um, particularly in a UPIC audit, Brenna, with the information that you're sharing and, and for our listeners as far as all of the stuff that happens in the background to get to this point, it's a big deal. And so if they are the recipient of one of these letters and one of these audits, again, that's a good time to, um, to avail yourself of counsel and, and just have some conversation, even if it's just, here's what I'm seeing, what are you seeing in the market? Because I, I know from talking to a number of colleagues that they can pretty readily predict, if you get this, then this is what's going to happen next. And knowing that information and having a, a well-planned defense approach is going to be important to mitigate any, any long-term reaching effects. Well, Brenna, I really enjoyed, um, our conversation today. I hope it was useful for our listeners and, uh, we look forward to connecting again soon.

Speaker 3:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.