Emergency Response

UPIC Audit Response: What to Do First (and What Not to Touch)

7 min read · Last reviewed May 23, 2026

If you received a UPIC (Unified Program Integrity Contractor) letter, treat it as a suspected-fraud investigation, not a routine audit. Engage healthcare counsel before responding. UPICs are authorized under the Medicare Program Integrity Manual, Chapter 4 (CMS Pub. 100-08) and can refer matters to OIG, DOJ, and criminal prosecution.

What a UPIC actually is

UPICs replaced the prior Zone Program Integrity Contractor (ZPIC) and Program Safeguard Contractor (PSC) structures starting in 2017. Five UPIC regions cover Medicare Parts A, B, DME, Home Health and Hospice, and Medicaid for many states. The UPICs and their territories are listed on the CMS Program Integrity Contractors page.

UPIC authority under Medicare Program Integrity Manual, Chapter 4, § 4.2 includes:

A UPIC letter looks similar to a MAC ADR. Read the letterhead, the regulatory citations in the letter, and the contact's title carefully. UPIC contacts often have "Senior Investigator" or "Program Integrity Investigator" titles, not "Medical Review Analyst."

First 24 hours

  1. Date-stamp and log the letter. Date received, contractor name, named investigator, claim count, services involved, response deadline.
  2. Engage outside healthcare counsel today. This is not optional. UPIC matters require counsel from the first letter.
  3. Issue an immediate litigation hold. Written notice to every workforce member, IT, billing, and vendor. No deletion of emails, no chart edits, no late-dated documentation. Preserve EHR audit logs, financial system records, scheduling system records, communications with vendors.
  4. Identify the named claims. Reconcile the UPIC's claim list against the billing system. Pull the relevant medical records but do not edit them.
  5. Identify the data-analysis basis. The letter usually telegraphs the pattern UPIC found (e.g., high E/M level distribution, modifier patterns, frequency of a specific procedure). This shapes the response strategy.
  6. Do not engage with the investigator informally. All communication runs through counsel. A "quick clarification call" with the investigator is not informal — it is a recorded statement.
  7. Brief leadership and the compliance committee. Under privilege via counsel. No casual discussion in unprotected channels.

What NOT to touch

This is the section that determines whether a UPIC matter resolves civilly or escalates criminally. Decisions made in the first 72 hours often define the matter.

  • Do not amend, late-date, or "clean up" medical records. Any amendment must follow the practice's records policy and be clearly identified as an addendum with the date and signature of the amendment. Back-dated entries discovered on review escalate civil overpayment matters into criminal fraud referrals.
  • Do not delete emails, even routine ones. The litigation hold is the practice's protection. Spoliation can be charged separately and is independently damaging.
  • Do not destroy notes, schedules, vendor communications, or financial records. Sample retention requirements at 42 CFR § 482.24 and 42 CFR § 422.504(d) apply to many record types; the litigation hold expands beyond these.
  • Do not coach or pressure staff about future interviews. Witness tampering is independently chargeable.
  • Do not refund or self-disclose without counsel coordination. A refund can be appropriate but should be timed and submitted strategically. An uncoordinated refund can become an admission.
  • Do not retaliate against any employee who has reported concerns. Whistleblower retaliation under 31 USC § 3730(h) and various state laws carries its own civil and criminal exposure.
  • Do not allow informal staff interviews on a UPIC site visit. Every interview must be on the record, scheduled, and counsel-coordinated.

Document production strategy

UPIC document requests typically demand:

  • Patient medical records for sampled claims
  • Billing records and claim submission detail
  • Provider schedules and time records
  • Personnel records for billing providers and coders
  • Compliance program documentation
  • Policy and procedure manuals
  • Training records
  • Internal audit results
  • Vendor contracts and BAAs
  • Financial records tied to the alleged scheme

Production should be Bates-numbered, indexed, and submitted with a cover letter from counsel describing the production. Privileged documents are logged on a privilege log; not produced.

For sampled claims, statistical sampling and extrapolation are likely. Counsel may need to engage a statistical expert to challenge the sample methodology. The Medicare Program Integrity Manual Chapter 8 lays out the standards; deviations from those standards are grounds for challenging the extrapolation.

Site visits

If the UPIC notifies of a site visit, the practice has the right to:

  • Receive the scope of the visit in writing before it occurs
  • Have counsel present throughout
  • Designate a single point of contact for the visit
  • Restrict the visit to the listed scope and personnel
  • Capture a written inventory of what was requested and provided

Brief every workforce member who might be on-site that day. They have the right to consult counsel before answering questions, the right to decline interviews until counsel is present, and an obligation to tell the truth when they do speak. Provide a 1-page card with the practice's UPIC visit policy.

Payment suspension exposure

Under 42 CFR § 405.371, CMS may suspend payments based on a credible allegation of fraud. The suspension is the financial pressure point that often forces practices into settlement before merits are decided. Initial suspension is up to 180 days, extendable.

Rebuttal rights are limited and procedural. Counsel must engage immediately on any suspension notice — the only practical relief is a rebuttal submission demonstrating that there is no good cause for the suspension under 42 CFR § 405.372.

Extrapolation and the universe

If the UPIC sampled claims and found errors, the contractor will likely extrapolate to a larger universe. The Medicare Program Integrity Manual (Chapter 8, § 8.4.1.2) sets the rules. Common grounds for challenging extrapolation:

  • Sample size insufficient for the universe
  • Sampling methodology not properly random or stratified
  • Improper universe definition (claims outside the alleged pattern included)
  • Failure to provide the practice with the sampling materials needed to verify the methodology

Successful extrapolation challenges have substantially reduced demand amounts in published Administrative Law Judge decisions; the HHS Departmental Appeals Board case docket has examples.

Outcomes and escalation paths

A UPIC matter can resolve in any of these ways:

  • No finding — relatively rare; document the closure and file in the audit binder
  • Educational letter — finding without overpayment demand; practice signs an acknowledgment
  • Overpayment demand with or without extrapolation — appealable through standard Medicare appeals
  • Recoupment via offset — affected future claims paid net of the overpayment
  • Payment suspension — under 42 CFR § 405.371
  • Revocation of Medicare billing privileges — under 42 CFR § 424.535
  • OIG referral — for civil monetary penalties under 42 CFR Part 1003
  • DOJ referral — for civil False Claims Act action or criminal prosecution

The escalation path is largely set by what the UPIC sees in the practice's response. Cooperative, well-documented, counsel-led responses tend to stay civil. Defensive, inconsistent, or obfuscatory responses tend to escalate.

State-law overlay

State Medicaid Fraud Control Units (MFCUs) often run parallel investigations on dual-eligible billing and state Medicaid claims. The OIG MFCU page lists each unit. California DHCS Audits and Investigations runs parallel matters under Welfare and Institutions Code § 14107. New York OMIG (Office of the Medicaid Inspector General) under 18 NYCRR Part 521 runs broad Medicaid integrity programs. Texas OIG investigates under Texas Government Code Chapter 531. State investigations have their own statutes of limitations, often longer than the federal six-year False Claims Act lookback.

How d3rx fits

d3rx maintains the audit-defense workflow inside the compliance binder: contractor log, document production tracker, claim-to-record map, interview coordination notes, and post-determination tracker. The binder is a source-grounded administrative aid. It does not represent the practice in any UPIC, OIG, or DOJ proceeding, does not provide legal advice, and does not replace counsel. See audit defense for broader audit support and the compliance binder overview for binder structure.

D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversUPIC Audit Response: What to Do First (and What Not to Touch). We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

Is a UPIC audit the same as a RAC audit?

No. RACs identify and recover overpayments on a contingency-fee basis under the Medicare Program Integrity Manual Chapter 8. UPICs investigate suspected fraud, waste, and abuse under Chapter 4, with authority to refer to law enforcement, OIG, or DOJ. RACs send ADRs and overpayment demands; UPICs do those things plus interview staff, conduct unannounced site visits, recommend payment suspensions, and refer for criminal prosecution. A UPIC letter is materially more dangerous than a RAC letter.

Can a UPIC suspend my Medicare payments?

Yes. Under 42 CFR § 405.371, CMS may suspend Medicare payments based on a credible allegation of fraud, including UPIC recommendations. The initial suspension lasts up to 180 days, extendable. Payment suspension can be financially catastrophic and is one of the strongest signals a UPIC is treating the matter as a fraud investigation. Counsel must engage immediately on any suspension notice.

What if the UPIC requests a site visit?

The UPIC may conduct site visits under Medicare Program Integrity Manual Chapter 4 authority. The practice has the right to have counsel present, to receive the scope of the visit in writing, and to coordinate timing. Do not refuse the visit. Do not allow informal hallway interviews of staff. Designate a single point of contact, prepare staff for what to say and not say, and document what was requested and provided.

Can the UPIC interview my staff?

Yes, and this is one of the highest-risk moments. Staff interviews can produce statements that bind the practice. Every interview should be coordinated through counsel. Staff should be told they have the right to have counsel present (separate from practice counsel if their interests diverge), the right to consult counsel before answering, and what topics are off limits absent specific direction. Truthful responses only — no fabrication, no obfuscation, no destruction of documents referenced in the interview.

Does a UPIC matter trigger the 60-day overpayment rule?

The UPIC investigation does not itself start the 60-day clock at 42 CFR § 401.305. But UPIC findings frequently surface overpayments, and once the practice has identified and quantified an overpayment the 60-day clock runs independently of the UPIC process. Coordinate the overpayment refund and the UPIC response through counsel so the refund submission does not become an admission used against the practice.

How long does a UPIC investigation last?

Typical UPIC investigations run 12-24 months, with the most serious matters extending longer when referred to OIG, DOJ, or the relevant U.S. Attorney's Office. The Medicare Program Integrity Manual does not impose a closure deadline on UPIC contractors. Outcomes range from no finding (rare), to overpayment demand with extrapolation, to payment suspension, to OIG civil action, to DOJ criminal prosecution. The investigation length is one reason counsel involvement from the first letter is essential.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. Medicare Program Integrity Manual, Chapter 4 (CMS Pub. 100-08)https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/pim83c04.pdf
  2. CMS Program Integrity Contractors pagehttps://www.cms.gov/research-statistics-data-and-systems/monitoring-programs/medicare-ffs-compliance-programs/program-integrity-contractors-pic
  3. 42 CFR § 405.371https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-405/subpart-D/section-405.371
  4. 42 CFR § 424.535https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-424/subpart-E/section-424.535
  5. Medicare Program Integrity Manual Chapter 8, § 8.4https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/pim83c08.pdf
  6. 42 CFR § 482.24https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-482/subpart-C/section-482.24
  7. 42 CFR § 422.504(d)https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-422/subpart-K/section-422.504
  8. 42 CFR § 405.372https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-405/subpart-D/section-405.372
  9. HHS Departmental Appeals Board case dockethttps://www.hhs.gov/about/agencies/dab/decisions/index.html
  10. 42 CFR Part 1003https://www.ecfr.gov/current/title-42/chapter-V/subchapter-B/part-1003
  11. OIG MFCU pagehttps://oig.hhs.gov/fraud/medicaid-fraud-control-units-mfcu/

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides