What Is a UPIC Audit? Everything Private Practice Owners Should Know
A UPIC audit is a federal investigation conducted by Unified Program Integrity Contractors on behalf of CMS to detect fraud, waste, and abuse in Medicare and Medicaid billing. Unlike routine billing reviews, UPIC audits can lead to overpayment demands, suspension of billing privileges, referral to the Office of Inspector General or Department of Justice, and criminal prosecution. If your private practice bills Medicare or Medicaid, understanding how UPIC audits work — and how to prepare for one — is essential to protecting your livelihood.
This guide answers the questions we hear most often from practice owners, telehealth operators, and MSO-PC structures navigating the current enforcement environment.
What Is a UPIC Audit?
UPIC stands for Unified Program Integrity Contractor. These are private companies contracted by the Centers for Medicare and Medicaid Services (CMS) to investigate suspected fraud, waste, and abuse in federal healthcare programs.
UPICs replaced the older Zone Program Integrity Contractors (ZPICs) starting in 2016. The consolidation gave investigators access to broader data, better analytics tools, and more authority to act quickly when billing patterns look suspicious.
Five UPIC contractors cover the entire United States, each assigned to a CMS geographic region: SafeGuard Services handles the Midwest and Northeast, Qlarant Integrity Solutions covers the Southwest and Southeast, and Noridian Healthcare Solutions manages the West.
How Is a UPIC Audit Different from a RAC or MAC Audit?
This is the most important distinction practice owners miss. There are several types of CMS audits, and they are not interchangeable.
MAC audits (Medicare Administrative Contractors) handle claims processing and routine billing reviews. RAC audits (Recovery Audit Contractors) focus on identifying and recovering overpayments. Both are essentially about whether claims were billed correctly.
UPIC audits investigate whether fraud is occurring. That means the potential consequences are fundamentally different. A RAC audit might result in a repayment demand. A UPIC audit can result in referral to the OIG, the Department of Justice, payment suspension during the investigation, revocation of Medicare billing privileges, and in serious cases, criminal prosecution.
Bottom Line
RAC and MAC audits ask: "Did you bill this correctly?" UPIC audits ask: "Are you committing fraud?" Your response strategy needs to reflect that difference.
What Triggers a UPIC Audit?
UPIC investigations typically start in one of two ways: data analytics or external tips.
Data-Driven Triggers
UPICs use sophisticated data modeling to scan millions of claims and flag statistical outliers. If your billing patterns deviate significantly from what CMS considers normal for your specialty, your region, and your patient population, you become a target. Common data triggers include:
Billing volume or dollar amounts significantly higher than specialty peers in your geographic area
Rapid increases in claims volume, especially for high-cost or frequently repeated procedures
Heavy utilization of specific CPT codes flagged as audit targets — particularly skin substitutes, PCR/molecular testing, and high-level E/M codes
Patterns suggesting unbundling or upcoding
Unusual referral patterns, especially where financial relationships exist between referring and receiving providers
External Triggers
Complaints or tips from employees, patients, competitors, or law enforcement
Media reports, online advertising, or social media content that raises compliance questions
Escalation from a MAC prepayment review that found a high error rate
Referrals from state Medicaid agencies or other federal agencies
Escalation from routine audits is the trigger that catches practices off guard. A high error rate during prepayment review can be referred to the UPIC, turning what started as a documentation issue into a fraud investigation.
What Happens During a UPIC Audit?
The process unfolds in stages, and your response at each stage determines whether the situation escalates or resolves.
Stage 1: The Letter
A UPIC audit usually starts with a letter requesting specific documentation — medical records, billing records, administrative documents — for a defined set of claims or date range. You typically get 30 calendar days to respond, though some requests give as few as 15 days.
Do not miss this deadline. Failure to respond results in automatic denial of the claims under review and can lead to penalties including revocation of Medicare billing privileges. If you need more time, request an extension immediately — most UPICs will grant reasonable extensions if you communicate early.
Pay Attention to What They’re Asking For
If the UPIC only requests medical records and billing documentation, they may be conducting a focused claims review. If they’re also requesting information about your business practices, referral sources, and organizational structure, the investigation is likely broader — and more serious.
Stage 2: Medical Record Review
Reviewers examine whether services were medically necessary, properly documented, and correctly coded. They look for patterns: templated notes that suggest copy-paste documentation, the same diagnoses across a disproportionate number of patients, and misalignment between records and billed services.
Reviewers compare your documentation against Local Coverage Determinations (LCDs) and National Coverage Determinations (NCDs). Misinterpretation of these policies by UPIC reviewers is common — which is why having someone on your team who understands the specific policies is critical.
Stage 3: Statistical Sampling and Extrapolation
If errors are found in the sample, UPICs may use statistical sampling to estimate the total overpayment across your entire claims universe for a given time period. A handful of documentation deficiencies in a 30-claim sample can be extrapolated into a six- or seven-figure overpayment demand.
The sampling methodology is often challengeable, but you need qualified statistical and legal expertise to mount an effective challenge.
Stage 4: Findings
The UPIC issues a results letter with findings, error rates, and denial bases. Outcomes range from provider education letters (best case) to overpayment demands, prepayment review enrollment, referral to the OIG or DOJ, and exclusion from federal health programs (worst case).
Can a UPIC Audit Lead to Criminal Charges?
Yes. This is what separates UPIC audits from every other type of Medicare audit. UPICs coordinate directly with the HHS Office of Inspector General, state Medicaid Fraud Control Units, and law enforcement agencies. If the UPIC determines that fraud — not just billing errors — has occurred, the case can be referred for civil or criminal prosecution under the False Claims Act.
In practice, most UPIC audits do not result in criminal charges. Many result in overpayment demands, corrective action plans, or enhanced monitoring. But the possibility of criminal referral is real, which is why the way you respond matters enormously.
How Do You Respond to a UPIC Audit?
If you get a UPIC audit notice, here is what to do — in order.
1. Read the letter carefully. Identify exactly what’s being requested, the deadline, and how many claims are under review. If it’s 10 or fewer claims, this is likely a probe sample. If it’s 30 or more, expect statistical extrapolation.
2. Engage a healthcare compliance consultant and/or healthcare attorney immediately. This is not a billing department problem. You need someone who understands UPIC processes, federal fraud and abuse law, and your specialty’s documentation standards.
3. Protect communications under attorney-client privilege. All internal discussions about the audit should go through counsel.
4. Designate one UPIC liaison. One person coordinates all communication. Mixed messages from multiple contacts create confusion and risk.
5. Submit records strategically. Don’t dump your EHR export. Organize records to clearly demonstrate medical necessity, proper documentation, and coding accuracy. Include supporting documentation like lab results, imaging, and referral notes.
6. Review findings critically. UPIC reviewers make errors. LCD/NCD misinterpretation, improper sampling methodology, and factual mistakes are all grounds for appeal.
7. Appeal if warranted. The appeals process goes through multiple levels, including Administrative Law Judge hearings. Strong appeals supported by clinical documentation and expert testimony can significantly reduce or eliminate overpayment demands.
How Long Does a UPIC Audit Take?
UPIC audits typically take 6 to 12 months from the initial letter to final resolution, though complex investigations can take longer. During this period, CMS may suspend your payments, which creates severe financial pressure.
The timeline depends on the scope of the review, whether sampling and extrapolation are involved, and whether you appeal. Each level of appeal adds time but may also reduce or eliminate the overpayment demand.
How to Protect Your Practice Before a UPIC Audit
The best response to a UPIC audit is the one you never have to use. The practices that survive this enforcement environment invest in compliance infrastructure before CMS comes knocking.
Conduct internal coding and billing audits at least quarterly, focusing on your highest-volume and highest-dollar CPT codes
Benchmark your billing patterns against specialty norms — if you’re an outlier, document the clinical justification now
Train every provider on documentation standards, not just billing staff — the clinical note is the foundation of every claim
Implement a compliance officer role, even if fractional — someone has to own this function
Create internal reporting channels so staff can raise concerns before they become whistleblower complaints
Monitor your U.S. mail — UPIC notices arrive by physical mail, and missing one can cost you your billing privileges
Keep your compliance program documented and current — a program that exists only on paper demonstrates awareness without action, which is worse than no program at all
Who Should Be Most Concerned Right Now
CMS has signaled a 2026–2027 audit surge targeting high-cost, frequently repeated procedures. If your practice bills for skin substitutes, PCR/molecular testing, high-level E/M services, split/shared billing, or critical care coding — or if you operate a telehealth practice with rapid growth — your compliance program should be audit-ready today.
Camino Strategy Group provides compliance consulting, audit readiness assessments, and fractional compliance officer services for private practices, telehealth companies, and MSO-PC structures nationwide.

