October 13, 2025
What to Expect from a UPIC Audit: Guidance for Clinics and Providers
- by Gene Good, JD, CEO
Table of Contents
- Introduction
- UPICs at a Glance
- Why Providers and Clinics Receive UPIC Audits
- What a UPIC Notice Looks Like
- The UPIC Audit Workflow from First Notice to Determination
- Statistical Sampling and Extrapolation in UPIC Audits
- Payment Suspension and Timelines
- How UPICs Work with MACs, SMRCs, and Other Program Integrity Teams
- Building a Response Plan That Stands Up to Review
- Documentation, Coding, and Medical Necessity Expectations
- Legal Readiness and Appeals Pathways
- Preventive Controls That Mirror UPIC Triggers
- Role Clarity for Compliance Officers and Practice Leaders
- Frequently Asked Questions
- Conclusion and Call to Action
- Curated Sources and Further Reading
Introduction
If your organization participates in Medicare or Medicaid, a Unified Program Integrity Contractor audit can feel daunting. UPICs investigate potential fraud, waste, and abuse across federal health programs. They also examine patterns of noncompliance and may coordinate with state Medicaid agencies. Understanding the process and being prepared for it removes mystery and helps your team respond in a timely, accurate, and confident manner.
The Office of Inspector General emphasizes that an effective compliance program includes routine auditing and monitoring. Its General Compliance Program Guidance explains core elements of a modern compliance infrastructure and points leaders to practical tools for building and measuring effectiveness. That guidance is not only foundational. It also prepares clinics and provider groups to respond to external reviews such as UPIC activities. (Office of Inspector General)
On the operational side, the Centers for Medicare and Medicaid Services publish the Medicare Program Integrity Manual. This manual explains how contractors develop leads, verify potential errors, perform medical review, and when they may use statistical sampling to estimate overpayments. Chapter Four outlines program integrity operations that involve UPICs. Chapter Eight explains administrative actions and statistical sampling. Knowing this structure helps you anticipate what a reviewer will ask for and how your records will be evaluated. (CMS)
For a broader leadership playbook on day to day compliance inside a practice, these companion resources from the Doctors Management blog pair well with the guidance in this article.
• The Role of the Healthcare Compliance Officer in Modern Medical Practices
• Best Practices to Oversee Your Billing and Collections (DoctorsManagement)
UPICs at a Glance
Unified Program Integrity Contractors integrate several legacy CMS investigative functions. They operate across five geographic jurisdictions in the United States and perform investigations for Medicare and for Medicaid in coordination with federal and state partners. CMS maintains a public directory that describes UPIC jurisdictions and the broader family of review contractors. (CMS)
Public pages from the current UPIC contractors provide useful orientation. CoventBridge describes its Midwest UPIC contract and the eleven states it covers. Qlarant outlines the UPIC contract for the Western Jurisdiction and lists the states and territories in scope. SafeGuard Services describes its UPIC work in the Northeast and the Southeast. These pages help clinics confirm which company covers their state and what program areas fall within each contract. (coventbridge.com)
UPICs collaborate with other program integrity contractors under the direction of the CMS Center for Program Integrity. They coordinate with Medicare Administrative Contractors for claim processing and routine medical review, with the Supplemental Medical Review Contractor for targeted reviews, and with the Medicare Drug Integrity Contractor for Part C and Part D program integrity. (CMS)
Why Providers and Clinics Receive UPIC Audits
UPICs receive leads from many sources. CMS policy explains that contractors use data analytics, referrals from MACs, complaints from beneficiaries, information from state Medicaid agencies, and open source reporting. Leads are vetted, triaged, and scoped based on potential risk to the Medicare Trust Fund and the Medicaid program. (CMS)
Public education from Medicare contractors describes the kinds of analytics that often trigger review. Examples include outlier volumes for certain codes, rapid spikes in paid amounts, unusual place of service patterns, or code distributions that differ markedly from peer providers in the same region. While the specifics of proprietary algorithms are not public, the direction is clear. If your patterns look atypical, a contractor may take a closer look. (Noridian Medicare)
For clinics that serve Medicaid populations, coordination with state program integrity units means that some record requests may include both Medicare and Medicaid claims. CMS’s central program integrity resource hub for states highlights the active collaboration that supports these efforts. (CMS)
What a UPIC Notice Looks Like
First contact usually arrives as a written request for records. The letter identifies the contractor and cites the legal authority for the request. It lists the claims under review, sets a deadline, and explains acceptable submission formats. Although each letter is unique, the common elements reflect requirements in the Program Integrity Manual. Expect clear instructions for organizing and labeling your files, as well as reminders that incomplete responses may result in adverse action. (CMS)
Provider education pages from Medicare contractors show the type of materials reviewers expect. These resources emphasize complete clinical records, signed documentation or authenticated entries, orders where required, interpretation for diagnostic tests when applicable, and any certifications that apply to the service. They also stress following the return instructions exactly as written. (Noridian Medicare)
The UPIC Audit Workflow from First Notice to Determination
Although the details vary by case, most engagements follow a similar path.
Lead development and case opening. Data analysis, tips, and referrals converge. The contractor opens a case and defines the scope. The Program Integrity Manual describes this intake and triage process. (CMS)
Records request and medical review. The provider receives a list of claims and a deadline for production of the associated documentation. Reviewers evaluate coverage, coding, and medical necessity against applicable policy. The manual sets expectations for the review process and for documentation of findings. (CMS)
Sampling and extrapolation if conditions are met. If error rates are present and Medicare Program Integrity Manual Chapter Eight criteria are satisfied, the contractor may select a statistically valid sample and extrapolate to a larger universe. The manual specifies methodological requirements and documentation standards for statisticians. (CMS)
Draft findings and overpayment determination. The contractor issues findings. If an overpayment is identified, the determination explains the result, references the policy applied, and outlines repayment and appeal rights. (CMS)
Statistical Sampling and Extrapolation in UPIC Audits
Statistical sampling allows a contractor to review a subset of claims and estimate an overpayment for a larger claim universe. Chapter Eight of the Medicare Program Integrity Manual explains when sampling can be used, how frames and strata are defined, and how estimates and confidence intervals are calculated. It also sets documentation requirements for the statistician and for the review team, including maintenance of a sampling file that supports independent replication. (CMS)
CMS has periodically updated these rules. A 2018 transmittal revised sections of Chapter Eight and clarified instructions for UPICs, Recovery Audit Contractors, and the Supplemental Medical Review Contractor. While you should always rely on the current manual chapter as primary authority, this change request offers helpful detail about sampling steps and the content that must appear in the record for the estimate to stand. (CMS)
Contractor education pages give providers a plain language overview of sampling terms they will see in letters. These pages typically summarize key concepts such as frame, sample unit, variance, and precision, and they point back to the Program Integrity Manual chapters as the controlling references. (Noridian Medicare)
What this means for your clinic is simple. Keep a copy of the sampling documentation that accompanies any extrapolated findings. Verify that the universe and frame match the scope of services under review. Confirm that sample selection, estimation method, and confidence intervals are consistent with Chapter Eight. Engage a qualified statistician as needed.
Payment Suspension and Timelines
In some circumstances CMS may approve payment suspension while a review or investigation proceeds. The Program Integrity Manual describes the types of suspensions and sets expectations for contractor timelines, including the goal to complete the medical review and any related activities within the initial one hundred eighty day period for a general suspension. These timeframes help providers understand how long a suspension may last and when to expect updates from the contractor. (CMS)
Recent transmittals have also updated operational steps within Chapter Four to reflect current UPIC and MEDIC processes. Leaders should monitor CMS transmittals that revise program integrity chapters so that response plans remain aligned with current instructions. (CMS)
How UPICs Work with MACs, SMRCs, and Other Program Integrity Teams
UPICs do not work in isolation. Medicare Administrative Contractors handle routine claims processing, provider education, and many forms of prepayment or postpayment medical review. Issues that present significant risk or potential fraud can be referred to a UPIC for investigation. The Supplemental Medical Review Contractor performs targeted reviews that focus on specific areas of vulnerability. The Medicare Drug Integrity Contractor focuses on program integrity for Part C and Part D. A clinic that understands these roles can route letters to the right internal owners and avoid confusion about who is asking for what. (CMS)
If you are unsure which entities cover your state, the CMS interactive directory provides maps and links to contractors by jurisdiction. Individual contractor pages also list the states they cover and their contact channels for provider communications. (CMS)
Building a Response Plan That Stands Up to Review
A calm, complete, and well documented response is your best first step. Use a repeatable playbook that your team can follow every time a request arrives.
Acknowledge receipt and calendar the due date. Log the letter on the day it is received. If additional time is needed, request it in writing through the method the letter specifies.
Assemble a clean record. Pull the full clinical record and the claim file. Include orders, progress notes, test results, interpretive reports, certifications or recertifications where applicable, and signatures or authenticated entries that confirm authorship.
Label and index. Follow the contractor instructions precisely. Match claim identifiers, date ranges, and file naming conventions. Provide a clear index that maps each requested item to the relevant page or file.
Offer factual cover notes when helpful. For complex services, a brief explanatory sheet can cite the applicable coverage policy and highlight where each requirement appears in the record. Keep the tone factual and avoid advocacy in the record submission.
Preserve a copy. Maintain a complete mirror of what was sent, including your transmittal letter and any tracking numbers.
These steps line up with the documentation expectations that appear in contractor education and in the Program Integrity Manual. They also make it easier for your team to address questions quickly if the reviewer requests clarification. (CMS)
To connect your response planning with everyday operations, pair this playbook with practical guidance on billing oversight and provider documentation improvement.
• Best Practices to Oversee Your Billing and Collections
• Your Care Is Personal- Your Note Should Be Too (DoctorsManagement)
Documentation, Coding, and Medical Necessity Expectations
UPIC reviewers evaluate whether your documentation supports coverage, coding, and medical necessity. The Program Integrity Manual explains that medical review assesses whether a service is reasonable and necessary for the diagnosis or condition, and whether the billed code accurately reflects the service performed and documented. The manual also directs contractors to apply applicable national or local coverage determinations and other CMS policy during review. (CMS)
Common documentation issues include weak linkage between diagnoses and services, copied content that does not reflect the encounter, missing orders or absent interpretations for diagnostic tests, and unsigned or unauthenticated entries. To reduce risk, review templates and macros to ensure they capture clinical reasoning without adding language that could be read as boilerplate.
For clinic leaders who want to improve documentation quality without overwhelming providers, targeted microlearning and quick refreshers can help. The Doctors Management article on medical note creation above offers practical, provider friendly coaching on writing notes that tell the real clinical story and align with current evaluation and management rules. (DoctorsManagement)
Legal Readiness and Appeals Pathways
A determination letter will explain your rights to appeal. While the steps in the Medicare appeals process are beyond the scope of this article, your preparation should include three elements that are repeatedly emphasized in CMS instructions and contractor education.
Respond on time at every level. Calendar each deadline and submit within the required window. Untimely responses can foreclose later options.
Base arguments on the record and on policy. Anchor your position in the documentation already submitted, in the controlling coverage policy, and in the Program Integrity Manual sections that apply to the review or to the statistical methodology.
Preserve the sampling file when extrapolation is used. Chapter Eight sets explicit expectations for the statistician and for how the estimate is calculated and presented. A challenge to methodology must reference those requirements. (CMS)
For executive teams who want a concise overview of how UPIC work fits into the larger enforcement picture, the OIG provides evaluations and summaries that explain contractor roles and tools. These materials help boards and senior leaders appreciate why a strong internal compliance program is not optional. (Office of Inspector General)
Preventive Controls That Mirror UPIC Triggers
Prevention is the most reliable defense. The following controls map directly to the way contractors identify risk.
Run internal analytics that resemble contractor screens. Track volumes, paid amounts, code distributions, and place of service patterns over time. Compare your trends against peers where benchmark data is available. Spikes or outliers deserve immediate review. This approach reflects the analytics that feed leads to program integrity teams. (Noridian Medicare)
Audit high risk services on a cadence. Choose a cadence that matches the dollar value and the historical denial experience of each service family. Your checklists should mirror the policy elements that reviewers check during medical review. (CMS)
Understand sampling mechanics before you need them. If your practice performs high volume services, learn the basics of sampling and keep essential references from Chapter Eight handy for your response team. (CMS)
Educate providers with short, targeted refreshers. Focus on the top two or three errors that appear in your internal checks. Keep sessions practical and brief to improve adoption.
Maintain a ready kit for record production. Include letter templates, an index template, secure file transfer steps, and a current list of contacts. A reliable kit reduces the chance of missed pieces or late submissions.
For leaders who want a structured plan that keeps these elements coordinated, the Doctors Management blog provides detailed guidance on building practical oversight and on setting up audit plans that actually work in busy clinics.
• Best Practices to Oversee Your Billing and Collections
• Five Steps to Build an Audit Plan That Actually Works (DoctorsManagement)
Role Clarity for Compliance Officers and Practice Leaders
Strong performance during a UPIC review depends on clear internal roles. Decide in advance who will perform each task.
- Intake and logging of audit letters
- Record retrieval and quality control
- Policy and coverage research
- Drafting of explanatory cover sheets and indices
- Secure transmission of records and confirmation of receipt
- Calendar management for deadlines and follow up milestones
- Appeals coordination when needed
In many organizations, the compliance officer coordinates these steps with support from coding, billing, and clinical leadership. If your practice is formalizing the role, this practical guide from Doctors Management outlines modern responsibilities and the skills that matter most.
• The Role of the Healthcare Compliance Officer in Modern Medical Practices (DoctorsManagement)
Frequently Asked Questions
Conclusion and Call to Action
A UPIC audit does not need to derail your operations. When your team understands how cases are selected, what letters require, how sampling and suspension work, and what appeals look like, you can respond with clarity and speed. The most reliable protection is a steady internal compliance program that audits documentation and coding, teaches providers through short and practical refreshers, and monitors patterns that mirror contractor analytics.
If you want expert help building a UPIC readiness plan or responding to a current request, our team is ready to support you. Start a conversation with the Doctors Management compliance team so we can tailor a defense minded audit and education program that fits your specialty and your risk profile. (DoctorsManagement)
Curated Sources and Further Reading
Primary policy and program references
- Medicare Program Integrity Manual. Chapter Eight on administrative actions and statistical sampling. Chapter Four on program integrity operations involving UPICs. (CMS)
- CMS Review Contractor Directory. Interactive view of UPIC jurisdictions and other review contractors. (CMS)
- Who are the MACs. Orientation to MAC roles and jurisdiction maps. (CMS)
- CMS Transmittals updating PIM chapters. Sampling guidance and Chapter Four updates. (CMS)
UPIC contractors and provider education
- CoventBridge Midwest UPIC page. Jurisdiction overview and scope. (coventbridge.com)
- Qlarant UPIC West page and contracts list. Jurisdiction overview and active federal contracts. (qlarant.com)
- Noridian education pages, including UPIC overview and outreach resources. Useful provider oriented explanations and links. (Noridian Medicare)
Compliance program resources
- OIG General Compliance Program Guidance and Compliance Toolkits. Frameworks, references, and effectiveness measures for compliance programs. (Office of Inspector General)
Doctors Management internal resources for readers
- The Role of the Healthcare Compliance Officer in Modern Medical Practices
- Best Practices to Oversee Your Billing and Collections
- Your Care Is Personal- Your Note Should Be Too
- Five Steps to Build an Audit Plan That Actually Works (DoctorsManagement)
