What Triggers a UPIC Audit? 6 Red Flags CMS Is Watching for in 2026

Written By Phoebe Gutierrez

A UPIC audit is typically triggered by one of two things: data analytics that flag your practice as a statistical outlier, or an external tip from an employee, patient, or law enforcement agency. CMS contractors run algorithms across millions of claims looking for billing patterns that deviate from specialty norms. If your practice shows up, you become a target — often before you have any idea something is wrong.

UPIC referrals to the U.S. Attorney’s Office have spiked. CMS has signaled a major 2026–2027 audit surge. And the practices getting flagged aren’t always committing fraud — they’re often the ones with documentation gaps, unusual growth patterns, or billing outliers they never benchmarked.

Here are the six triggers we see most often across the practices we support.

1. You’re a Statistical Outlier (and Don’t Know It)

UPICs don’t start with your practice. They start with data. CMS contractors run analytics across millions of claims to flag providers whose billing deviates from the norm for their specialty, geography, and patient mix.

Being an outlier doesn’t mean you’re doing anything wrong. You might serve a higher-acuity population or specialize in complex cases. But if you haven’t benchmarked your own billing data against specialty norms, you won’t know you’re flagged until the letter arrives.

What to do: Pull your claims data quarterly. Compare your most-used CPT codes, average reimbursement per visit, and total claims volume against CMS specialty benchmarks. If you’re an outlier in any category, document the clinical justification now — before anyone asks.

2. High-Cost, Frequently Repeated Procedures

CMS has been explicit about where investigators are looking: procedures that are expensive, frequently repeated, and have historically been associated with abuse. The biggest targets right now are skin substitute applications, molecular pathology and PCR testing, and high-level E/M coding.

Wound care practices are particularly exposed. The rapid growth of wound care clinics — especially those operating under MSO structures with aggressive growth targets — has put the entire specialty under heightened scrutiny. If your practice applies skin substitutes at high volume, your billing data is almost certainly being reviewed.

What to do: If your practice performs any high-target procedures, conduct a focused internal audit immediately. Review a sample of charts for each procedure type. Confirm that documentation supports medical necessity, coding matches the documentation, and utilization rates are clinically defensible.

3. Rapid Growth Without a Compliance Program

Growing your practice is not the problem. Growing your practice while your compliance infrastructure stays the same size — that’s the problem. CMS data models specifically flag sudden increases in claims volume.

This hits telehealth practices and multi-state operations especially hard. When you’re scaling fast, the operational infrastructure — credentialing, documentation standards, coding accuracy, compliance training — often lags behind patient volume. That gap is exactly where UPIC investigators look.

What to do: Match your compliance investment to your growth trajectory. If you’re scaling, you need a compliance officer (even fractional), regular internal audits, and documented policies that evolve with your operations. Growth without governance is the fastest path to a UPIC investigation.

4. Referral Patterns and Financial Relationships

UPICs don’t just look at your claims in isolation. They analyze the network of providers you refer to and receive referrals from. If there’s a financial relationship between referring and receiving providers — especially in an MSO-PC structure — and referral volume is high, it draws scrutiny under Anti-Kickback and Stark Law.

This doesn’t mean your arrangements are improper. But if your MSO has revenue-sharing models, management fees tied to volume, or collaborative agreements that create incentive structures that could be perceived as influencing referrals, those arrangements need to be airtight.

What to do: Review every financial relationship between your PC, your MSO, and any referring or receiving providers. Confirm management fees are set at fair market value, compensation is not tied to referrals, and all arrangements are documented with clear compliance rationale.

5. Whistleblower Complaints and External Tips

Not every UPIC audit starts with data. Some start with a phone call. Disgruntled employees, former partners, competitors, and patients can all file complaints with CMS, the OIG, or state Medicaid agencies.

The False Claims Act’s whistleblower provisions create a financial incentive for reporting — whistleblowers can share in recovered funds. FCA enforcement remains a top federal priority, and whistleblower-initiated cases continue at a steady pace regardless of administration.

What to do: Build an internal compliance culture where staff feel safe raising concerns through internal channels before they go external. Have a reporting mechanism. Address issues transparently. The cost of fixing a problem internally is a fraction of defending a UPIC investigation triggered by a whistleblower.

6. Escalation from a Routine MAC or RAC Audit

This is the trigger that blindsides people. A routine prepayment review by your MAC finds a high error rate. The MAC refers the case to the UPIC for further investigation. What started as a documentation problem is now a fraud inquiry.

The shift from MAC to UPIC is not always clearly communicated. You may not realize the nature of the investigation has changed until the UPIC starts requesting information about your business practices, referral sources, and organizational structure — not just medical records.

What to do: Take every prepayment review seriously, even small ones. A high error rate in prepayment review is a direct pipeline to UPIC. Fix documentation issues immediately, retrain providers, and conduct follow-up audits to demonstrate improvement.

The Compliance Consultation You Should’ve Had Last Year

By the time you get a UPIC letter, your options are limited and your costs are high. Healthcare attorneys, expert witnesses, statistical consultants, and the operational disruption of a federal investigation — it adds up fast.

The practices that navigate this successfully are the ones that invested in compliance infrastructure before the letter arrived. They know their billing patterns. They’ve audited their own charts. They have documentation showing a good-faith commitment to accuracy.

Phoebe Gutierrez
Previous

AI Compliance in Telemedicine and Health Tech: What the 2026 Regulatory Landscape Actually Looks Like
Next

What Is a UPIC Audit? Everything Private Practice Owners Should Know