ZPICs in Virginia, North Carolina and Elsewhere Around the Country are Increasing Their Use of Unannounced Site Visits. Are Your Medical Necessity, Coding and Billing Practices Compliant with Applicable Legal and Regulatory Requirements?

July 17, 2013 by  
Filed under Medicare Audits

tiny-target-crosshair(July 17, 2013):  Over the last few months, Zone Program Integrity Contractors (ZPICs) in the Eastern United States and throughout the South have steadily increased their use of “Unannounced Site Visits” (also sometimes referred to as “Unannounced Audits” in furtherance of their benefit integrity obligations as a contractor to the Centers for Medicare and Medicaid Services (CMS). 

I.          Background:

The size of the Medicare program is truly staggering – it has been estimated nearly one in three Americans was covered by either the Medicare or Medicaid programs.  According to CMS, the Medicare:

Medicare provides health insurance for more than 44.6 million elderly and disabled Americans.  Medicaid, a joint federal-state program, provides health coverage for some 50 million low-income persons, including 24 million children, and nursing home coverage for low-income elderly.[1]             

In addition to the Medicare and Medicaid programs, CMS is also responsible for administering the Children’s Health Insurance Program (CHIP).  Under CHIP, CMS began working with states around the country to provide health insurance coverage for needy, uninsured children in 1997.  Like Medicaid, the CHIP program is paid for by both federal and state funding and is managed by each state.  The program was reauthorized with the enactment and signing of the Children’s Health Insurance Program Reauthorization Act of 2009 (CHIPRA).[2]  CHIPRA appropriated funds to pay for care provided under CHIP through fiscal year (FY) 2013.  Over 5 million uninsured children are currently covered under the program. Together, CMS-administered health insurance programs cover over 90 million Americans.  Approximately 4.5 million Medicare claims alone are processed each day.[3]

II.         Despite the Extraordinary Size and Scope of these Entitlement Programs, CMS Manages to Operate these Programs with Less than 5,000 Employees.

Despite the extraordinary size and scope of CMS’ responsibilities, the agency employs less than 5,000 employeesTo accomplish these program obligations, CMS has contracted with various private entities to process and pay claims.  Additionally, these contractors serve as CMS’ representatives, interacting with health care providers regarding coverage questions and program participation issues.  CMS also relies on medical review and benefit integrity contractors (such as ZPICs and Recovery Audit Contractors (RACs)) to conduct medical reviews, site visits, and post-payment/pre-payment audits of Medicare claims.

III.        Current Assignment of ZPICs Around the Country:


ZPICs represent merely one of the nearly dozen various medical review / benefit contractors and governmental entities tasked with reviewing and auditing claims submitted to the Medicare program.  Seven ZPIC zones have been established and the following contractors have been awarded contracts by CMS to perform these duties around the country.  These seven zones cover the following states and / or territories:

  • Zone 1 – SafeGuard Services: CA, NV, American Samoa, Guam, HI and the Mariana Islands.
  • Zone 2 – Advancement (Health Integrity is reportedly serving as a subcontractor for Zone 2 at this time): AK, WA, OR, MT, ID, WY, UT, AZ, ND, SD, NE, KS, IA, MO.
  • Zone 3 – Cahaba SafeGuard: MN, WI, IL, IN, MI, OH and KY.
  • Zone 4 – Health Integrity: CO, NM, OK, TX.
  • Zone 5 – Advancement: AL, AR, GA, LA, MS, NC, SC, TN, VA and WV.
  • Zone 6 – SafeGuard Services: PA, NY, MD, DC, DE and ME, MA, NJ, CT, RI, NH and VT.
  • Zone 7 – SafeGuard Services: FL, PR and VI.

A map depicting these assignments is set out below:

ZPIC MAP 2 labeled












IV.        ZPIC Responsibilities:


ZPICs have traditionally asserted that, unlike their RAC counterparts, they are not “bounty hunters.”  ZPICs are not paid contingency fees like RACs but instead are directly compensated by CMS on a contractual basis.  Notably, ZPIC actions are not merely limited to post-payment overpayment audits.  In fact, their approach to reviews and audits has significantly changed over the last few years.  Rather than focus on post-payment audits, where CMS has already paid a health care provider for services rendered, ZPICs are now conducting reviews designed to identify wrong-doers and/or improper payments before monies have been paid to a provider out of the Medicare Trust Fund.

An overview of the current ZPIC review and audits activities we are seeing include, but are not limited to:

  • ZPIC representatives around the country (especially those in Zone 4, Zone 5 and Zone 6) appear to have increased their use of unannounced site visits of physician practices, clinics, home health agencies and Durable Medical Equipment (DME) suppliers)
  • ZPICs are expanding their use of pre-payment reviews to identify improper payment patterns and practices by physicians.  Understandably, the days of “Pay and Chase” are over – CMS has directed contractors to identify possible overpayment before they are ever paid in the first place. 
  • ZPICs are actively referring certain cases to State Medical Boards.
  • ZPICs are referring possible civil and criminal enforcement cases to law enforcement for investigation and possible prosecution.
  • ZPICs are recommending suspension and revocation actions to CMS.
  • Last but not least, it is important to keep in mind that even though ZPIC utilization of alternative review options (such as prepayment review), appear to be increasing, post-payment audits are, in fact, still taking place. When post-payment audits occur, ZPICs typically start by conducting either a post-payment probe audit or a more expansive post-payment audit of a “representative sample” of a health care provider’s claims previously paid by Medicare. After conducting a post-payment review of this representative sample, a ZPIC will then extrapolate the amount of alleged overpayments to the universe of claims previously identified by the contractor.


IV.        ZPIC Unannounced Site Visits / ZPIC Unannounced Audits:

Focusing on the “Unannounced Site Visit” / “Unannounced Audit” activities currently being performed by ZPICs in Zone 4, Zone 5 and Zone 5, it has been our observation that in most cases, a visit is conducted as a result of one of the two following activities:

(1)  Date Mining — A health care provider’s claim utilization practices have been identified as different from those of other professionals working in this specialty area.  As you will recall, the Medicare program has been in operation since 1965.  Since that time, the government has accumulated an impressive amount of data reflecting the use of certain medical services by health care providers of all types.  With this information, CMS (and its ZPIC contractors) can “slice and dice the data innumerable different ways in an effort to identify any “outliers.” At outlier is merely a health care provider whose coding and billing practices are different than those of other similarly-situated providers.

Despite aspersions to the contrary, an outlier is not necessarily someone engaged in improper or fraudulent conduct.  Rather, based solely on the information known at this stage of the process, an outlier is merely someone whose practices are out of the ordinary.  For example, the frequency of a health care provider’s Evaluation and Management (E/M) code may be higher or lower, than what one might expect to see when conducting an audit.  Importantly, there may be countless reasons why a health care provider’s utilization practices are irregular.  If, in fact, you determine that your coding and billings are different than those of your peers, you need to affirmatively review your practices and identity any possible reason(s) for these differences. As you conduct your internal review, it is important to keep in mind that one possibility is that you are, in fact, engaging in improper billing practices.  Should you find that you have improperly submitted one or more claims to Medicare for payment, you  must immediately report and return any overpayment identified.

(2)  Complaints — A second reason commonly identified as a catalyst for generating an unannounced audit / unannounced claims review is that a “Complaint” has been lodged against your organization.  Importantly, complaints can be lodged several ways:

  • Former Disgruntled Employee.
  • Current Employee.
  • Unhappy Patient.
  • A Competing Health Care Provider Organization. 
  • The Filing of a Whistleblower or Qui Tam Action.

Regardless of the underlying reason for an unannounced site visit, it can be quite unsettling when several auditors and investigators of the ZPIC assigned to your state shows up at your office and announces that it is conducting an audit.

How should you respond when an unannounced site visit occurs?  As we have previously discussed in our article examining recent holdings on an individual’s 5th Amendment Rights, there is an uneasy balance of one’s obligation to cooperate as a Medicare participating provider and one’s right to remain silent.  As we detail in our July 3rd article:

“At the outset, we readily recognize that these are very complex issues.  Ultimately, the best course of action is to implement and adhere to an effective Compliance Plan, thereby greatly reducing your likelihood of both an audit and of an error.  Nevertheless, despite your best efforts to do the right thing for the right reasons, your practice, clinic, home health agency, hospice or other health care organization may still be visited by an HHS-OIG agent or other Federal auditor who has questions.  In such an event, as a Medicare participating provider, you have an obligation to cooperate.  You should not lie, should not exaggerate and should not be evasive.  If you feel uncomfortable with the questions being presented, ask to speak with your attorney prior to responding.  Continue to cooperate and provide access to any requested medical records (after the auditor’s identity has been established, of course).  As previously discussed, choosing to remain silent during non-custodial questioning can expose you to a variety of administrative sanctions and could ultimately be used against you if a criminal case is later pursued.”  (emphasis added).

V.         Post-Visit Administrative Enforcement Actions:

It is quite common for a ZPIC to request two separate silos or categories of information when conducting an unannounced site visit.  These two categories of information include:

(1)   Coding and Billing Information – When they arrive, a representative of the ZPIC will often personally deliver a written request for medical records related to specific dates of service. ZPICs will sometimes even bring a scanner with them.  They will then take a scan of a portion of the records requested and will often ask that you forward the supporting documentation covering the remaining claims within 15 to 30 days. It is imperative that you request an extension of time if is needed to comply with the ZPIC’s request. The failure to submit this information within the time period requested could result in the denial of these claims.

(2)  Business Relationships and Practices —   In addition to the Medicare claims information requested, it is now quite common for a ZPIC to also ask for business arrangement related information.  This information often includes a request for any leases, Medicare Director agreements, and the identities / contact information for former employees.  Essentially, ZPICs are seeking to determine the following basic information:

  • Is there any indication that a health care provider is receiving or paying anything of value in exchange for the referral of Medicare-covered services?
  • Where do you get your referrals from?
  • Where do you send referrals?

After collectively assembling all of the above information, a ZPIC will determine whether any deficiencies noted should be referred to law enforcement (as a possible violation of the civil False Claims Act, the Anti-Kickback Statute, Stark or another health care statute) or whether an action should be pursued merely as an alleged overpayment at this point in the process.

VI.        Avoiding a ZPIC Audit in the First Place:

Depending on the facts in your case, a ZPIC audit may be inevitable.  For instance, if you are an Internal Medicine physician and you are the only one providing pain management services for the Medicare beneficiaries in three counties, there is a high likelihood that your utilization ratios will be higher than those of your peers (on a national basis).  As such, your practice is likely to be identified as an outlier and your coding and billing practices will be audited.  

All health care providers, regardless of whether or not their billing practices are those of an outlier, has an obligation to ensure that their medical necessity, coverage, documentation, coding and billing practices fully meet all applicable CMS regulations and CMS contractor guidance requirements.  Several of the questions you should consider in this regard include:

  • Are the care and treatment services “Medically Necessary”?
  • Do the services at issue meet the applicable “Coverage” requirements set out by the responsible payor?
  • Even though the care and treatment services may meet all other requirements for coverage and payment, are the services still otherwise “tainted” by the violation of a statutory or regulatory requirement?
  • Are the care and treatment services at issue fully and properly documented, consistent with all applicable CMS regulations and / or contractor guidance requirements?
  • Do the provider’s coding practices meet applicable statutory and regulatory requirements?
  • Do the provider’s billing activities meet applicable statutory and regulatory requirements?
  • Do the provider’s actions meet ethical and professional conduct standards required by the State Medical Board?

These steps constitute part, but not all, of the “gap analysis” process.  Providers examining these issues on an ongoing basis will be much less likely to inadvertently make coding / billing mistakes or fail to fully document the services they are providing.

Ultimately, the only way to try and avoid trouble is to develop, implement and adhere to the requirements set out in an effective Compliance Plan.  ZPICs, RACs and other CMS-contracted audited are doing their best to meet their contractual obligations to the government.  As a participating provider in the Medicare program, you also have a complex of obligations which must be met.

Robert W. Liles is Managing Partner at Liles Parker, a boutique health law practice representing health care providers around the country.  Should you have questions regarding the ZPIC audit or review process, please feel free to call us.  For a free consultation, call Robert at: (202) 298-8750.

[1] U.S. Department of Health and Human Services, available at

http://www.hhs.gov/about/whatwedo.html (last accessed July 17, 2013).

[2] Children’s Health Insurance Program Reauthorization Act of 2009, Pub. L. No. 111-3 (2009).

[3] Government Accountability Office, Medicare Recovery Audit Contracting: Lessons Learned to Address Improper Payments and Improve Contractor Coordination and Oversight, Report No. GAO-10-864T, available at http://www.gao.gov/new.items/d10864t.pdf (July 15, 2010) (last accessed February 2013).

  • Advertisement

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

ZPIC Audit Menu