Opinion: Beware the ZPIC Audit

Aug 09, 2017 at 12:10 pm by admin


While the Federal Government has many contracted auditors to assist in identifying overpayments to healthcare providers, by far the most dangerous of these auditors, from the provider's perspective, is the ZPIC. The Zone Program Integrity Contractors, or ZPICs, were created following the imposition of the Medicare Integrity Program with the Health Insurance Portability and Accountability Act.

The primary goal of the ZPIC is to investigate cases of suspected fraud, waste and abuse for CMS administrative imposition of civil money penalties or referral to law enforcement.

The ZPICs, armed with mountains of data provided to them by CMS, have a tremendous amount of power and discretion at their disposal and can recommend to CMS that a provider be suspended from participating in the Medicare program, recommend that a provider be excluded from participating in the Medicare program, and recommend that civil money penalties be imposed.

ZPIC audits are initiated based on results of data mining, complaints from Medicare beneficiaries, complaints to the OIG hotline, and on referrals from other contracted auditors such as the Recovery Audit Contractor ("RAC"). Thus the ZPIC audit is not a random audit and because of the great amount of authority given to the ZPICs, they "carry a big stick" and providers should take very seriously the imposition of a ZPIC audit. While ZPIC audits are conducted much like other CMS audits, they differ in one very important aspect-that is, a ZPIC audit has potential Medicare fraud implications.

The typical process followed by the ZPIC auditors begins with a request for medical records from a provider, keeping in mind that the ZPICs have the authority to audit Medicare Part A providers such as hospitals, Medicare Part B providers such as physician practices, DMEPOS (durable medical equipment prosthetics, orthotics, and supplies) providers, Home Health providers and Hospice providers.

Instead of sending a request for records by mail, the ZPIC auditors often show up unannounced at a provider's facility and hand deliver the request for records. As a part of the on-site audit, the ZPIC will often want to tour the provider's facility and likely will insist on interviewing certain employees of the provider. If possible, a provider that finds themselves in this situation should contact their legal counsel for guidance on how to handle the interview process. However, if the auditors insist on beginning their on-site immediately, do not hamper or attempt to delay their efforts.

If medical records are requested, the sample size that is requested is usually quite small, often 30-40 records, usually of the same or similar diagnosis or procedure. The provider is typically only given 14 days to submit the records. In reviewing the medical records, the ZPIC must determine if there is sufficient documentation in the record to substantiate that the services were provided and that they were medically necessary. The ZPIC must also determine if there are any patterns noted in the medical record documentation that indicate potential fraud, waste or abuse. Recently, the ZPIC auditors have focused also on whether the medical records contain identical or nearly identical documentation. Allegations of "cloning" in medical record documentation have been much more prevalent with the use of electronic medical record programs.

The ZPIC will also review the record for evidence of alteration, such as missing pages, inserted pages, and excessive late entries. Once the sample of records is reviewed, the ZPIC determines an error rate based on the sample size and then, using statistical sampling methods, extrapolates the error rate from the sample across the provider's entire claim universe for the particular code or procedure under review for a particular period of time. In my experience, it is not uncommon for a ZPIC review of 40 records to result in an alleged overpayment of millions!

After the medical review is completed, the ZPIC may refer the case to the OIG without even contacting the provider. Once the case is referred to the OIG, the OIG has 90 days to accept the case and if the OIG does not accept the case, the ZPIC may refer the case to the Department of Justice or to the FBI.

Another option open to the ZPIC is to recommend, based on the error rate determined from the sample review, to CMS that the provider be placed on Medicare payment suspension. For a small physician practice, such a suspension could damage the provider to the degree that it cannot continue to provide services. Even if there are no referrals to other agencies, the ZPIC will communicate to the Medicare Administrative Contractor ("MAC") the errors found and the amount of the overpayment alleged to have been received by the provider.

The MAC then begins the process of recouping the overpayment from the provider. While the provider has the ability to appeal the findings of a ZPIC audit, the provider will likely be forced to refund the alleged overpayment amount and then pursue the appeal in order to recover the funds. The appeals process takes a very long time and is one that is best pursued with the assistance of knowledgeable health care counsel.

Providers should consider designating a point person to coordinate all responses in the event of a ZPIC audit. Also, as soon as possible, the provider should conduct their own analysis of the records submitted to the ZPIC. In order to perform this review, it is vitally important that an exact copy of all information provided to the ZPIC be retained by the provider.

Following the provider review, the provider should calculate its own error rate and consider obtaining a review by an independent third party. If it is discovered that documentation was not included in the records that were submitted to the ZPIC, attempt to provide all relevant documentation to the ZPIC, even if it is provided after the initial submission.

A ZPIC audit can result in catastrophic results to a provider. Remember these are targeted and not random audits. Thus, it is imperative that providers be prepared to address a ZPIC audit timely and appropriately to avoid potentially disastrous results.


Lynda M. Johnson an attorney with Friday, Eldredge and Clark, LLP, of Little Rock, has practiced in the health law area since 1986, representing a wide variety of healthcare providers including hospitals, physicians, physician groups, nursing homes, and home health agencies. Recently, her practice has focused on the representation of hospitals and physicians in HIPAA compliance efforts and other areas of regulatory compliance.

Sections: Regulatory