Alesandra Hlaing
Associate Editor
Loyola University Chicago School of Law, JD 2020

The Centers for Medicare and Medicaid Services (CMS) have a multitude of resources to detect and protect against fraud and abuse in claims. Particularly, CMS has at least six types of contractors that provide different roles in the prevention, detection, and reporting of fraud and abuse in healthcare. This list includes Recovery Auditors, which serve to reduce fraud and abuse by detecting and collecting overpayments from entities and Comprehensive Error Rate Testing (CERT) Contractors, which determine rates of improper payments by reviewing claims under Medicare Fee-For-Service (FFS). Another auditor that providers should be particularly mindful of are the Zone Program Integrity Contractors (ZPICs). This article is an overview ZPICS, its role in Medicare, and outlines the steps providers should take when faced with an audit by ZPICs.

What is a Zone Program Integrity Contractor?

The primary goal of a ZPIC, as defined in Chapter 4 of the Medicare Program Integrity Manual, is to “identify cases of suspected fraud, develop them thoroughly and in a timely manner, and take immediate action to ensure that Medicare Trust Fund monies are not inappropriately paid out and that any mistaken payments are recouped.” ZPIC performs several functions in order to protect against fraud and abuse, including investigations, interviews, onsite visits, and medical reviews, as well as data analysis and referrals to law enforcement for civil or criminal prosecution. ZPICs have seven zones: 1) Safeguard Services (SGS) 2) AdvanceMed 3) Cahaba, 4) Health Integrity, 5) AdvanceMed 6) Under Protest, and 7) Safeguard Services (SGS). ZPICs can audit a variety of healthcare providers, including Medicare Part A and B providers, Medical Equipment, Prosthesis, Orthotics and Supplies companies, a Home Health or Hospice agency, or even pain and addiction clinics.

Though audits performed by ZPICs are conducted much like other CMS audits, a major difference is that ZPIC audits have potential Medicare fraud implications. Unlike routine audit requests performed by recovery auditors, ZPIC audits are not routine and more than likely result in the discovery of overpayment. Essentially, ZPICs are the “police” of the CMS, and are authorized to work and aid law enforcement in detecting fraud and abuse. ZPICs may refer detected cases of fraud and abuse to the Department of Health and Human Services, particularly to the Office of Inspector General Office of Investigations. The Office of Inspector General then has 90 days to reject or pursue the case to the Department of Justice.

What to do if facing a ZPIC Audit?

A ZPIC audit typically begins with a request of medical records or other documentation from the ZPIC without specifying a look-back period. Particularly, the document requests by ZPICs are not limited to a certain number, which can be overwhelming for providers to comply with. It is important to note that ZPIC audits typically occur once fraud is already suspected, through data analysis, complaints, or referrals. Providers should be alerted when a ZPIC auditor begins investigations, because ZPIC audits are not random, and it is important that providers comply with the requests made by ZPIC. In addition, ZPICs are not required to announce their onsite audits, and may appear unannounced to interview and request records.

ZPICs can take several adverse actions against a provider in addition to referring them to the DOJ, which may include recoupment and payment blocking or even exclusion from federal health care programs. In some cases, ZPIC audits and appeals can take a considerable amount of time, which may affect payments depending on the ZPIC’s determinations. If a ZPIC makes an adverse determination, every healthcare provider has the right to appeal a ZPIC’s determination. A recent case in Texas held that CMS could not withhold, recoup, or fail to pay a provider that was determined to be committing fraud by a ZPIC audit due to backlog slowing down the appeals process. Ultimately, it is important that providers keep all documents up to date, have a compliance plan, and employ legal counsel to ensure that the healthcare entity is prepared for ZPIC audits — whenever they may come.