CMS Pub. 100-08, ch. 4
Table of Contents (Rev. 13821; Issued: 06-09-26)
4.1 - Introduction
4.2 - Medicare Program Integrity
4.2.1 - Examples of Medicare Fraud
4.2.2 - Unified Program Integrity Contractors
4.2.2.1 - Unified Program Integrity Contractor
4.2.2.2 - Investigations Medicare Drug Integrity Contractor
4.2.2.3 – Organizational Requirements
4.2.2.4 - Liability of Program Integrity Contractor Employees
4.2.2.4.1 - Maintain Controlled Filing System and Documentation
4.2.2.5 – Anti-Fraud Training
4.2.2.5.1 – Training for Law Enforcement Organizations
4.2.2.6 – Procedural Requirements
4.2.2.6.1 – Maintain Controlled Filing System and Documentation
4.2.2.6.2 – File/Document Retention
4.2.2.7 – Program Integrity Security Requirements
4.2.2.8 – Program Integrity Contractor Coordination
4.2.2.8.1 – Program Integrity Contractor Coordination with Other Unified Program Integrity Contractors and Other Entities
4.2.2.8.1.1 – Coordination with the Office of Inspector General
4.2.2.8.1.2 – Joint Operating Agreement
4.2.2.8.1.3 – MAC and UPIC Coordination on Voluntary Refunds
4.2.2.8.1.4 – Contractor Coordination and Suppression and Exclusion Upload Requirements
4.2.3 – Durable Medical Equipment Medicare Administrative Contractor Functions
4.3 - Complaints
4.3.1 – Definition of a Complaint
4.3.2 – Complaint Screening
4.3.2.1 – Contact Center Operations
4.3.2.2 – OIG Hotline
4.3.2.3 – MAC Complaint Screening
4.3.2.4 – Referrals to the UPIC
4.8.3 – Initial and Routine Communication with Providers, Suppliers and Authorized Representatives
4.8.4 – Escalation of Inquiries
4.8.4.1 – Congressional Inquiries
4.8.4.2 – Escalated Inquiries Involving Investigative Outcomes and Administrative Actions
4.8.4.3 – Escalated Inquiries Involving Payment Suspensions
4.8.4.4 – Providers on Zone Restrictions
4.9 - Referrals
4.9.1 - Immediate Advisements to the OIG/OI
4.9.2 - Referral of Cases to the OIG/OI
4.9.2.1 – OIG/OI Referral and Summary Report
4.9.2.2 – Take Administrative Action on Cases Referred to and Declined/Returned by OIG/OI
4.9.2.3 – Continue to Monitor Provider and Document Case File
4.9.3 - Referral to Other Law Enforcement Agencies
4.9.4 - Referral to Other Entities
4.9.4.1 – Referral to State Agencies or Other Organizations
4.9.4.2 – UPICs and QIOs
4.9.4.3 – Referral of Cases to the MAC
4.10 - Administrative Sanctions
4.10.1 - Unified Program Integrity Contractor’s and Medicare Administrative Contractor’s Role
4.10.2 - Authority to Exclude Practitioners, Providers, and Suppliers of Services
4.10.2.1 - Basis for Exclusion Under §1128(b)(6) of the Social Security Act
4.10.2.2 - Identification of Potential Exclusion Cases
4.10.2.3 - Contents of Sanction Recommendation
4.10.2.4 - Notice of Administrative Sanction Action
4.10.2.4.1 - Notification to Other Agencies
4.10.2.5 - Denial of Payment to an Excluded Party
4.10.2.5.1 - Denial of Payment to Employer of Excluded Physician
4.10.2.5.2 - Denial of Payment to Beneficiaries and Others
4.10.3 - Appeals Process
4.10.4 - Reinstatements
4.10.4.1 - Monthly Notification of Sanction Actions
4.11 - Civil Monetary Penalties
4.11.1 - Basis of Authority
4.11.2 – Administrative Actions
4.11.3 – Enforcement
4.11.4 - Documents
4.11.5 - Civil Monetary Penalty Authorities
4.16.4 - Risk-Based Provider Payment: Necessary Factors for Protected Discounts
4.17 – Participation Agreement and Limiting Charge Violations
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
The CMS Pub. 100-08, Program Integrity Manual (PIM), reflects the principles, values, and priorities of the Medicare Integrity Program (MIP). The primary principle of program integrity (PI) is to pay claims correctly. To meet this goal, Unified Program Integrity Contractors (UPICs), Investigations Medicare Drug Integrity Contractor (I-MEDIC), Supplemental Medical Review Contractors (SMRC) and Medicare Administrative Contractors (MACs) must ensure that Medicare pays the right amount for covered and correctly coded services rendered to eligible beneficiaries by legitimate providers. The focus of the UPICs, SMRCs and MACs shall be to ensure compliance with Medicare regulations, refer suspected fraud and abuse to our Law Enforcement (LE) partners, and/or recommend revocation of providers that are non-compliant with Medicare regulation and policies. The Centers for Medicare & Medicaid Services (CMS) follows four parallel strategies in meeting this goal:
1. Prevent fraud through effective enrollment and education of providers/suppliers and beneficiaries;
2. Encourage early detection (through, for example, the Fraud Prevention System (FPS), medical review (MR) and data analysis);
3. Coordinate closely with partners, including other UPICs, SMRCs, MACs, LE agencies, and State PI units; and
4. Enact fair and firm enforcement policies.
The UPICs shall coordinate with their Contracting Officer's Representative(s) (COR) and their Business Function Lead(s) (BFL) to fulfill all direction as described in the PIM. For all guidance and instruction described in this chapter, the UPIC shall directly contact the appropriate UPIC BFL, with a copy to the UPIC COR, for any Technical issues and/or questions (i.e. process related issues/inquiries, workload prioritization, etc.). Additionally, the UPIC shall directly contact the UPIC COR, with a copy to the appropriate UPIC BFL, for any Business issues and/or questions (i.e., level of effort concerns, funding issues, etc.).
The UPICs shall follow the PIM to the extent outlined in their respective task orders' Statement of Work (SOW). The UPICs shall only perform the functions outlined in the PIM as they pertain to their own operation. The UPICs, in partnership with CMS, shall be proactive and innovative in finding ways to enhance the performance of PIM guidelines.
For this entire chapter, any reference to UPICs shall also apply to the I-MEDIC, unless otherwise noted or identified in the Contractors' SOW. MACs shall follow the PIM in accordance with their SOW.
To facilitate understanding, the terms used in the PIM are defined in PIM Exhibit 1. The acronyms used in the PIM are listed in PIM Exhibit 23.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs, SMRCs and MACs, as indicated.
The primary goal of the UPIC is to identify cases of suspected fraud, waste and abuse, develop them thoroughly and in a timely manner, and take immediate action to ensure that Medicare Trust Fund monies are not inappropriately paid. Payment suspension and denial of payments and the recoupment of overpayments are examples of the actions that may be taken in cases of suspected fraud. Once such actions are taken, cases where there is potential fraud are referred to LE for consideration and initiation of criminal or civil prosecution, civil monetary penalties (CMP), or administrative sanction actions.
Preventing and detecting fraud, waste, and abuse involves a cooperative effort among beneficiaries; UPICs; SMRCs; MACs; providers/suppliers; quality improvement organizations (QIOs); and federal agencies such as CMS; the Department of Health and Human Services (DHHS); the Office of Inspector General (OIG); the Federal Bureau of Investigation (FBI); and the Department of Justice (DOJ).
Each investigation is unique and shall be tailored to the specific circumstances. These guidelines are not to be interpreted as requiring the UPIC to follow a specific course of action or establish any specific requirements on the part of the government or its agents with respect to any investigation. Similarly, these guidelines shall not be interpreted as creating any rights in favor of any person, including the subject of an investigation.
When the UPIC makes the determination of potential fraud, waste, and/or abuse, the UPIC shall effectuate all appropriate administrative actions and refer the case to LE, if appropriate. When the UPIC makes the determination that a matter is not potential fraud, waste, and/or abuse, the UPIC shall close the matter, or de-escalate the matter to the appropriate unit at the MAC, QIO, or other entity, when appropriate.
This section applies to UPICs, SMRCs and MACs.
The most frequent kind of fraud arises from a false statement or misrepresentation made, or caused to be made, that is material to entitlement or payment under the Medicare program. The violator may be a provider/supplier, a beneficiary, an employee of a provider/supplier, or some other person or business entity, including a billing service or a contractor employee.
Providers/suppliers have an obligation, under law, to conform to the requirements of the Medicare program. Fraud committed against the program may be prosecuted under various provisions of the United States Code and could result in the imposition of restitution, fines, and, in some instances, imprisonment. In addition, a range of administrative sanctions (such as exclusion from participation in the program) and CMPs may be imposed when facts and circumstances warrant such action.
Fraud may take such forms as (this is not an exhaustive list):
overbills for services, and the MAC employee then generates adjustments with little or no awareness on the part of the beneficiary);
Examples of cost report fraud include (this is not an exhaustive list):
Making improper payments to physicians for certain hospital-based physician arrangements;
Paying amounts to owners or administrators that have been determined to be excessive in prior cost report settlements;
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The UPIC is responsible for preventing, detecting, and deterring fraud, waste, and abuse in both the Medicare program and the Medicaid program. The UPIC:
fraud, including, but not limited to, payment suspensions and revocations;
The UPIC is required to use a variety of techniques, both proactive and reactive, to address any potentially fraudulent, wasteful, or abusive billing practices based on the various leads they receive.
Proactive leads are leads identified or self-initiated by the UPIC. Examples of proactive leads include, but are not limited to: (1) UPIC data analysis that uncovers inexplicable aberrancies that indicate potentially fraudulent, wasteful, or abusive billing for specific providers/suppliers; (2) the discovery of a new lead by a UPIC during a provider/supplier or beneficiary interview; and (3) the combining of information from a variety of sources to create a new lead. The UPIC shall pursue leads identified through data analysis (UPICs shall follow PIM Chapter 2, Section 2.3 for sources of data), the Internet, the Unified Case Management system (UCM), news media, industry workgroups, conferences, etc. For workload reporting purposes, the UPIC shall only identify as proactive those investigations and cases that the UPIC self-initiated.
The UPIC shall take prompt action after scrutinizing billing practices, patterns, or trends that may indicate fraudulent billing, (i.e., reviewing data for inexplicable aberrancies and relating the aberrancies to specific providers/suppliers, identifying “hit and run” providers/suppliers, etc.).
Fraud leads from any external source (e.g., LE, CMS referrals, beneficiary complaints, and the FPS) are considered to be reactive and not proactive. However, taking ideas from external sources, such as Fraud Alerts, and using them to look for unidentified aberrancies within UPIC data is proactive.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The Investigations Medicare Drug Integrity Contractor (I-MEDIC) is a task order under the UPIC Umbrella Statement of Work (USOW). The primary purpose of the I-MEDIC is to investigate Medicare Parts C and D prescriber, pharmacy, and beneficiary suspected FWA, develop investigations thoroughly and in a timely manner, and take immediate action to ensure that the Medicare Trust Fund is protected. The I-MEDIC shall coordinate with staff from the Centers for Medicare & Medicaid Services (CMS), CMS contractors, and other stakeholders as needed and as directed by the CMS Contracting Officer’s Representative (COR), in collaboration with Business Function Leads (BFLs) to perform this program integrity work.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
This section applies to UPICs and MACs, as indicated.
UPIC program integrity (PI) managers shall have sufficient authority to guide PI activities and establish, control, evaluate, and revise fraud-detection procedures to ensure their compliance with Medicare requirements.
The UPIC shall follow the requirements in its UPIC SOW for prioritizing leads. UPIC PI managers shall prioritize work coming into the UPIC to ensure that investigations with the greatest program impact and/or urgency are given the highest priority. The UPIC shall prioritize all work on an ongoing basis as new work is received.
Allegations having the greatest program impact and priority would include investigations cases involving, but not limited to:
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs.
Under the terms of their contracts (refer to 42 CFR §421.316(a)), UPICs, their employees, and professional consultants are protected from criminal or civil liability as a result of the activities they perform under their contracts as long as they use due care. If a UPIC or any of its employees or consultants is named as defendants in a lawsuit, CMS will determine, on a case-by-case basis, whether to request that the U.S. Attorney's office offer legal representation. If the U.S. Attorney's office does not provide legal representation, the UPIC will be reimbursed for the reasonable cost of legal expenses it incurs in connection with defense of the lawsuit, as long as funds are available and the expenses are otherwise allowable under the terms of the contract.
If a UPIC is served with a complaint, the UPIC shall immediately contact its chief legal counsel and the COR. The UPIC shall forward the complaint to the HHS Office of the Regional Chief Counsel (the CMS regional attorney) who, in turn, will notify the U.S. Attorney's office. The HHS Office of the Regional Chief Counsel and/or the COR will notify the UPIC whether legal representation will be sought from the U.S. Attorney's office prior to the deadline for filing an answer to the complaint.
(Rev. 851, Issued: 12-14-18, Effective: 10-22-18, Implementation: 10-22-18)
The UPIC shall maintain files on providers/suppliers who have been the subject of complaints, prepayment edits, UPIC investigations, OIG/OI and/or DOJ investigations, U.S. Attorney prosecution, and any other civil, criminal, or administrative action for violations of the Medicare or Medicaid programs. The files shall contain documented warnings and educational contacts, the results of previous investigations, and copies of complaints resulting in investigations.
The UPIC shall set up a system for assigning and controlling numbers at the initiation of investigations, and shall ensure that:
It is important to establish and maintain histories and documentation on all fraud, waste, and abuse investigations and cases. The UPIC shall conduct periodic reviews of data over
the past several months to identify any patterns of potential fraud, waste, or abusive billings for particular providers. The UPIC shall ensure that all evidentiary documents are kept free of annotations, underlining, bracketing, or other emphasizing pencil, pen, or similar marks.
The UPIC shall establish an internal monitoring and investigation review system to ensure the adequacy and timeliness of fraud, waste, and abuse activities. The UPIC shall maintain their workload in the Unified Case Management (UCM) system, unless otherwise directed by CMS.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11–21)
This section applies to UPICs.
All levels of UPIC employees shall know the goals and techniques of fraud detection and control in general, and as they relate to their own areas of responsibility and the level of knowledge required (i.e., general orientation for new employees and highly technical sessions for existing staff). All UPIC staff shall be adequately qualified for the work of detecting and investigating situations of potential fraud, waste, and abuse.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs.
The FBI agents, OIG, and DOJ attorneys need to understand Medicare. The UPIC shall conduct special training programs for them upon request. The UPIC should also consider inviting appropriate DOJ, OIG, and FBI personnel to existing programs for orienting employees about UPIC operations or provide the aforementioned personnel with briefings on specific cases or Medicare issues.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
This section applies to UPICs and MACs, as indicated.
The MAC personnel conducting each segment of claims adjudication, MR, and professional relations functions shall be aware of their responsibility for identifying potential fraud, waste, or abuse and be familiar with internal procedures for forwarding potential fraud, waste, or abuse instances to the UPIC. Any area within the MAC (e.g., MR, enrollment, screening staff) that refers potential fraud, waste, and abuse to the UPIC shall maintain a log of all these referrals. At a minimum, the log shall include the following information: provider/physician/supplier name, beneficiary name, Health Insurance Claim Number (HICN), nature of the referral, date the referral is forwarded to
the UPIC, name and contact information of the individual who made the referral, and the name of the UPIC to which the referral was made.
The MAC shall provide written procedures for personnel in various contractor functions (claims processing, MR, beneficiary services, POE, cost report audit, etc.) to help identify potential fraud situations. The MAC shall include provisions to ensure that personnel shall:
The UPIC shall ensure the performance of the functions below and have written procedures for implementing these functions:
Investigations:
Communications/Coordination:
meetings/conferences and inform, as well as, include all appropriate parties in these meetings/conferences. These meetings/conferences include, but are not limited to, health care fraud task force meetings, conference calls, and industry- specific events;
shall UPIC personnel accompany LE in situations in which their personal safety is in question; and
Training:
The MACs shall ensure the performance of the functions below and have written procedures for these functions:
4.2.2.6.1 - Maintain Controlled Filing System and Documentation (Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The UPIC shall maintain files on providers/suppliers who have been the subject of complaints, prepayment edits, UPIC investigations, OIG/OI and/or DOJ investigations,
U.S. Attorney prosecution, and any other civil, criminal, or administrative action for violations of the Medicare or Medicaid programs. The files shall contain documented warnings and educational contacts, the results of previous investigations, and copies of complaints resulting in investigations.
The UPIC shall set up a system for assigning and controlling numbers at the initiation of investigations, and shall ensure that:
It is important to establish and maintain histories and documentation on all fraud, waste, and abuse investigations and cases. The UPIC shall conduct periodic reviews of data over the past several months to identify any patterns of potential fraud, waste, or abusive billings for particular providers. The UPIC shall ensure that all evidentiary documents are kept free of annotations, underlining, bracketing, or other emphasizing pencil, pen, or similar marks.
The UPIC shall establish an internal monitoring and investigation review system to ensure the adequacy and timeliness of fraud, waste, and abuse activities. The UPIC shall maintain their workload in the Unified Case Management (UCM) system, unless otherwise directed by CMS.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
Files/documents shall be retained for 10 years. However, files/documents shall be retained indefinitely and shall not be destroyed if they relate to a current investigation or litigation/negotiation; ongoing Workers' Compensation set aside arrangements, or documents which prompt suspicions of fraud, waste, and/or abuse of overutilization of services. This will satisfy evidentiary needs and discovery obligations critical to the agency's litigation interests.
For UPIC's in transition, all existing electronic files for all years shall be transferred into UCM. Any hard copy files (that do not need to be retained indefinitely) older than 10 years shall be destroyed.
For UPICs in operation, all paper/hard copy files older than 10 years (that do not need to be retained indefinitely) shall be destroyed.
Any hard copy files older than 10 years that are part of a current investigation or litigation may be scanned as an electronic copy. After certification that it has been properly scanned, it shall be destroyed. All scanned/electronic copies shall be transferred to the UCM.
(Rev. 13821; Issued:06-09-26; Effective: 02-26-26; Implementation: 02-26-26)
This section applies to UPICs.
To ensure a high level of security for the UPIC functions, the UPIC shall develop, implement, operate, and maintain security policies and procedures that meet and conform to the requirements of the Business Partners System Security Manual (BPSSM) and the CMS Informational Security Acceptable Risk Safeguards (ISARS). Further, the UPIC shall adequately inform and train all UPIC employees to follow UPIC security policies and procedures so that the information the UPIC obtain is confidential.
Note: The data UPICs collect in administering UPIC contracts belong to CMS. Thus, the UPICs collect and use individually identifiable information on behalf of the Medicare program to routinely perform the business functions necessary for administering the Medicare program, such as MR and program integrity activities to prevent fraud, waste, and abuse. Consequently, any disclosure of individually identifiable information without prior consent from the individual to whom the information pertains, or without statutory or contract authority, requires CMS' prior approval.
This section discusses broad security requirements that UPICs shall follow. The requirements listed below are in the BPSSM or ARS. There are several exceptions. The first is requirement A (concerning UPIC operations), which addresses several broad requirements; CMS has included requirement A here for emphasis and clarification. Two others are in requirement B (concerning sensitive information) and requirement G (concerning telephone security). Requirements B and G relate to security issues that are not systems related and are not in the BPSSM.
3.1.2, 4.2, 4.2.5, and 4.2.6 of the BPSSM.
Refer to ARS Appendix B PE-3 and CMS-1 for definitions of sensitive and investigative material.
In addition, the UPIC shall follow the requirements provided below:
to protect information residing on portable and mobile information systems.
The UPIC shall also adhere to the following:
Where more specialized instructions do not prohibit UPIC employees, they may retain sensitive and investigative materials at their desks, in office work baskets, and at other points in the office during the course of the normal work day. Regardless of other requirements, the employees shall restrict access to sensitive and investigative materials, and UPIC staff shall not leave such material unattended.
The UPIC staff shall safeguard all sensitive or investigative material when the materials are being transported or sent by UPIC staff.
The security officer shall take such action as is necessary to correct breaches of the security standards and to prevent recurrence of the breaches. In addition, the security officer shall document the action taken and maintain that documentation for at least seven (7) years.
Actions shall include:
Refer to section 3.1 of the BPSSM and Attachment 1 of this manual section (letter from Director, Office of Financial Management, concerning security and confidentiality of UPIC data) for additional requirements.
The UPIC shall perform thorough background and character reference checks, including at a minimum credit checks, for potential employees to verify their suitability for employment. Specifically, background checks shall at least be at level 2- moderate risk. (People with access to sensitive data at CMS have a level 5 risk). The UPIC may require investigations above a level 2 if the UPIC believes the higher level is required to protect sensitive information.
At the point the UPIC makes a hiring decision for a UPIC position, and prior to the selected person's starting work, the UPIC shall require the proposed candidate to fill out a conflict of interest declaration, as well as a confidentiality statement.
Annually, the UPICs shall require existing employees to complete a conflict of interest declaration, as well as a confidentiality statement.
At least once a year, the UPICs shall thoroughly explain to and discuss with employees the special security considerations under which the UPIC operates. Further, this training shall emphasize that in no instance shall employees disclose sensitive or investigative information, even in casual conversation. The UPIC shall ensure that employees understand the training provided.
Refer to section 2.0 of the BPSSM and ARS Appendix B AT-2, AT-3, AT-4, SA-6, MA-5.0, PE-5.CMS.1, IR2-2.2, CP 3.1, CP 3.2, CP 3.3, and SA 3.CMS.1 for additional training requirements.
Refer to section 2.3.4 of the BPSSM for requirements regarding access to UPIC information.
The UPIC shall notify the OIG if parties without a need to know are asking inappropriate questions regarding any investigations. The UPICs shall refer all requests from the press related to the Medicare Integrity Program to the CMS contracting officer with a copy to the CORs and BFLs for approval prior to release. This includes, but is not limited to, contractor initiated press releases, media questions, media interviews, and Internet postings.
Refer to section 4.1.1 of the BPSSM for the computer security requirements.
The UPICs shall implement phone security practices. The UPICs shall discuss investigations only with those individuals who need to know the information and shall
not divulge information to individuals not known to the UPIC involved in the investigation of the related issue.
Additionally, the UPICs shall only use CMS, the OIG, the DOJ, and the FBI phone numbers that they can verify. To assist with this requirement, UPIC management shall provide UPIC staff with a list of the names and telephone numbers of the individuals of the authorized agencies that the UPICs deal with and shall ensure that this list is properly maintained and periodically updated.
Employees shall be polite and brief in responding to phone calls but shall not volunteer any information or confirm or deny that an investigation is in process. However, UPICs shall not respond to questions concerning any case the OIG, the FBI, or any other LE agency is investigating. The UPICs shall refer such questions to the OIG, the FBI, etc., as appropriate.
Finally, the UPICs shall transmit sensitive and investigative information via facsimile (fax) lines only after the UPIC has verified that the receiving fax machine is secure. Unless the fax machine is secure, UPICs shall make arrangements with the addressee to have someone waiting at the receiving machine while the fax is transmitting. The UPICs shall not transmit sensitive and investigative information via fax if the sender must delay a feature, such as entering the information into the machine's memory.
Each UPIC and I-MEDIC shall develop and utilize a fax cover sheet with standardized elements to ensure consistency in messaging and to facilitate sender validation.
A standardized fax cover sheet shall include several key elements to verify the legitimacy of the fax sent by the UPIC and/or I-MEDIC. These elements shall include:
See example at Exhibit 50 – UPIC and I-MEDIC Fax Cover Sheet.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs.
The UPIC shall coordinate with UPICs in other jurisdictions, as directed in the USOW and Task Order Statement of Works (SOWs).
The UPIC shall establish and maintain formal and informal communication with state survey agencies, the OIG, the DOJ, state Medicaid agency, other Medicare contractors, other UPICs, and other organizations as applicable to determine information that is available and that should be exchanged to enhance program integrity activities.
If the UPIC identifies a potential quality problem with a provider or practitioner in its area, it shall refer such cases to the appropriate entity, be it the QIO, state medical board, state licensing agency, etc. Any provider-specific information shall be handled as confidential information.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
The UPICs shall establish regular (i.e., monthly or quarterly) teleconference meetings with Regional LE from OIG and CMS for the purpose of discussing:
Other agenda topics may include a discussion regarding areas of concern in the UPIC and/or Regional LE respective region, case/project developments (including planned provider onsite reviews to ensure the proposed activities do not negatively affect any ongoing LE efforts), and other topics. In preparation for the meeting, the UPIC shall set the agenda and prepare any additional documents or reports for the participants at least three (3) business days prior to the meeting.
However, at no time shall a referral be made as a result of discussions during these regular meetings. If OIG expresses interest, the contractor shall discuss the case with the BFL, with a copy to the COR, to determine if it should be added to the next case coordination meeting with CMS.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs, SMRCs, MACs, RACs, and QICs, as indicated.
A JOA is a document developed between two entities (CMS contractors) that delineates the roles and responsibilities of each entity regarding their interactions with each other on CMS contracts.
The UPICs shall have JOAs with the entities as outlined in their Statement of Work. As
it applies to the UPIC’s task orders, the JOA with the MACs shall, at a minimum, provide information on assigned responsibilities, timeframes, processes and procedures, and coordination. Additional detail related to this information is referenced in the UPIC Statement of Work.
Periodically, there are instances in which the UPIC is in need of the requested information in a shorter timeframe than 30 calendar days. To account for these instances, the UPICs and MACs may add language to their JOA that allows for a shorter timeframe for the MAC to furnish the requested information (i.e. 48 hours, 72, hours, etc.).
This section applies to UPICs and MACs, as indicated.
Voluntary refund checks payable to the Medicare program shall not be returned to the provider/supplier, regardless of the amount of the refund. The UPIC shall communicate with the MAC staff responsible for processing voluntary refunds to obtain information on the checks received. The MAC shall refer to Pub. 100-06, Financial Management Manual, for instructions on processing and reporting unsolicited/voluntary refunds received from providers/physicians/suppliers.
The UPIC shall perform an investigation on any voluntary refund where there is suspicion of inappropriate payment or if a provider/supplier is under an active investigation.
Should the UPIC receive a voluntary refund check in error, the UPIC shall coordinate the transfer of voluntary refund checks to the MAC through the JOA.
Through the JOA, the UPIC shall establish a mechanism whereby the MAC notifies the UPIC on a regular basis of all voluntary refunds it received. The UPIC or MAC shall send one letter annually (calendar year) to any provider/supplier that submits a voluntary refund during that calendar year, advising the provider/supplier of the following:
“The acceptance of a voluntary refund in no way affects or limits the rights of the Federal Government or any of its agencies or agents to pursue any appropriate criminal, civil, or administrative remedies arising from or relating to these or any other claims.”
The UPIC and MAC shall establish in the JOA which contractor sends the above language. The MACs may send the language above on a voluntary refund acknowledgement letter or on a Remittance Advice, if this capability exists.
The UPIC shall refer to section 4.8 of this chapter for law enforcement requests for voluntary refund information.
This section applies to all medical review contractors (UPIC, RAC, MAC, CERT, SMRC) uploading suppression and exclusions into the RACDW unless otherwise noted.
The CMS utilizes the RAC Data Warehouse (RACDW) to track review contractor activity. The RACDW allows contractors that perform medical reviews to prevent duplicative claim reviews by using the Suppressions and Exclusions process.
For assistance with file errors, contact the system administrators at helpdesk.RACDW@koniag-gs.com. Current suppression/exclusion file layouts are available by download from the RACDW itself.
Suppressions are used by Non-RAC entities to identify a set of claims as temporarily off-limits for selection by other review entities. The set of claims are identified by using the current suppression file layout, which utilizes parameters to narrow the universe of suppressed claims.
Suppressions shall be entered using the most current suppression file layout found in the RACDW. All required fields shall be submitted upon initial upload. The Suppression file layout does not allow the suppression of claims with a paid date older than 3 years. Individual NPIs or legacy numbers shall be entered for each suppression. If a provider has multiple NPIs or legacy numbers, the RACDW will only suppress uploaded NPIs or legacy numbers. Any error codes generated from the system shall be corrected by the uploading entity before successful upload can be completed. Unless other parameters have been included on the initial upload, all suppressions will automatically expire within 12 months of the date they were entered into the RACDW. If a suppression is required for longer than 12 months, the contractor shall re-new the suppression prior to the expiration date. The individual user that uploaded a suppression file shall be responsible for releasing any suppressions in that file that are no longer valid within 2 business days. Data entered in the situational fields in the suppression file layout shall require an additional narrative in the comments field for final approval. The contractor shall be responsible for correcting and re-uploading any disapproved suppressions within 2 business days of the disapproval.
Exclusions are claims that have been previously reviewed by a medical review entity (or that are part of an extrapolated settlement universe). They are identified by specific
claim number uploaded into the RACDW utilizing the current exclusion file layout and are permanently flagged as unavailable for additional review by a review contractor.
Exclusions shall be entered using the most current version of the exclusion file layout found in the RACDW. All required fields shall be submitted upon initial upload. Any error codes generated from the system shall be corrected before successful upload can be completed.
The UPIC shall enter suppressions in the RACDW as soon as the investigation begins, no later than 2 business days after the investigation is opened. UPICs can renew any active suppressions that are within 30 days of their expiration date. To do so, the UPIC shall provide a new date, add 'Renewal' in the justification space, and resubmit the entry for approval in the RACDW. The UPIC shall release suppressions within 2 business days of the underlying investigations/cases being closed.
In the event that the UPIC is unable to determine at the time of review whether any overpayments that are identified will be extrapolated to the parent claim universe, the UPIC shall enter a suppression utilizing the current file layout. If the UPIC does ultimately assess an extrapolated overpayment, the UPIC shall release the suppression and exclude the entire universe. If the overpayment is computed based only on the sampled claims (i.e., the overpayment is not projected to the entire universe), the UPIC shall release the suppression and exclude only the sample claims that were actually reviewed.
If a provider is under review by another contractor (RAC, MAC, CERT, SMRC), the UPIC shall contact that contractor to determine which entity should continue to review that provider and how to proceed with the current medical review, such as closing it out or completing the medical review and then referring it to the UPIC.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
The UPICs shall process all complaints alleging DMEPOS fraud and abuse that are filed in their regions/zones in accordance with requirements of PIM Chapter 4, §4.6.
The PI unit manager has responsibility for all PI unit activity, including the coordination with outside organizations as specified in the PIM, chapter 4, §4.2.2.8.
Since the Medicare program has become particularly vulnerable to fraudulent activity in the DMEPOS area, each UPIC shall:
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs and MACs.
A complaint is a statement, oral or written, alleging that a provider, supplier, or beneficiary billed for and/or received a Medicare reimbursement or benefit to which he or she is not entitled under current Medicare law, regulations, or policy. Included are allegations of misrepresentation and violations of Medicare requirements applicable to persons or entities that bill for covered items and services. Examples of complaints include (this is not an exhaustive list):
Medicare for the same item or service;
The following are not examples of a fraud complaint (this is not an exhaustive list):
Complaints alleging malpractice or poor quality of care may or may not involve a fraudulent situation. These complaints shall be reviewed and determined on a case-by-case basis. The UPIC shall refer complaints alleging poor quality of care to the Medicare/Medicaid survey and certification agencies and the QIOs within two (2) business days. The UPIC shall forward any medical records to the QIO upon receipt from the provider, when appropriate. Any complaints involving allegations of fraud shall be screened to determine if further investigation by the UPIC is necessary.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs, Beneficiary Contact Center, and MACs, as indicated.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The Contact Center Operations (CCO) is a CMS managed contact center which provides beneficiaries with personalized Medicare information and accepts both inquiries and complaints regarding a variety of topics including, but not limited to, billing errors, the provision of services/tests, and coverage guidelines.
The Customer Service Representatives (CSRs) at the CCO shall try to resolve as many complaints or inquiries as possible with data available in their desktop systems. The following are some scenarios that a CSR may receive and resolve in the initial phone call rather than refer to the MAC for additional screening (this is not an all-inclusive list):
the practice location address where services were rendered. Many times the Medicare Summary Notice will show the billing address, causing the beneficiaries to think the billing might be fraud.
The CSRs shall use proper probing questions and shall use claim history files to determine if the complaint or inquiry needs to be referred to the MAC for additional screening.
Any provider/supplier inquiries regarding potential fraud, waste, and abuse shall be referred immediately to the MAC for handling and screening.
Immediate advisements (IA) shall be referred immediately to the MAC for handling and screening. These advisements include inquiries or allegations by beneficiaries or providers/suppliers concerning kickbacks, bribes, or a crime by a federal employee (e.g., altering claims data or manipulating them to create preferential treatment to certain providers/suppliers; improper preferential treatment collecting overpayments; or embezzlement). Indicators of contractor employee fraud shall be forwarded to the CMS Compliance Group.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The OIG Hotline is an OIG managed system that accepts tips and complaints from all sources about potential fraud, waste, abuse in the Medicare, Medicaid and CHIP programs. Complaints and any relevant documents originating from the OIG Hotline will be sent to CMS by the OIG. CMS will conduct an initial screening of the complaints received to determine which MAC should receive the complaint referral (Initial screening of the complaint and assignment to the MAC will be based solely upon the information provided to CMS by the OIG). CMS will then email the complaint to the appropriate MAC via the OIG Hotline Referral mailbox established by the relevant MAC. The email will contain the OIG Hotline Complaint Referral Template and any supporting documentation, if available. The OIG Hotline Complaint Referral Template will be populated with information relevant to the complaint. Due to the varying information obtained from each complaint, some fields within the template may appear blank because the information for the specific data field was not reported to the OIG Hotline. Should the UPIC receive an OIG Hotline complaint directly from the OIG, the UPIC shall proceed with the necessary screening, vetting, and investigative steps, as described in sections 4.5, 4.6, and 4.7 of this chapter.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The MAC shall only screen potential fraud, waste, and abuse complaints, inquiries referred by the CCO with a paid amount of $100 or greater (including the deductible as payment), or three (3) or more beneficiary complaints or inquiries, regardless of dollar
amount, about the same provider/supplier. Complaints or inquiries that do not meet the above threshold for screening shall be closed.
Prior to proceeding with the adjustment of a claim as the result of a second-level screening, the MAC shall check the Recovery Audit Contractor (RAC) Data Warehouse (RACDW) for suppressions and/or exclusions. If a suppression and/or exclusion is present, the MAC shall not adjust the claim and the complaint or inquiry shall be closed. However, if the MAC determines that the complaint or inquiry indicates potential fraud, and a suppression and/or exclusion is not present, the MAC shall make a referral to the UPIC, using the referral guidelines established in 4.3.2.4 – Referrals to the UPIC.
Each complaint or inquiry shall be tracked and retained for one (1) year. Beneficiaries inquiring about complaints should be advised that they are being tracked and reviewed. The MAC shall perform a more in-depth review if additional complaints or inquiries are received. The MAC shall enter all potential fraud, waste, and abuse complaints or inquiries received from beneficiaries into their internal tracking system. The MAC shall maintain a log of all potential fraud, waste, and abuse complaints or inquiries received from the CCO. At a minimum, the log shall include the following information:
The MAC staff may call the beneficiary or the provider/supplier, check claims history, and check provider/supplier correspondence files for educational or warning letters or
contact reports that relate to similar complaints or inquiries, to help determine whether or not there is a pattern of potential fraud, waste, and abuse. The MAC shall request and review certain documents, such as itemized billing statements and other pertinent information, as appropriate, from the provider/supplier. If the MAC is unable to make a determination on the nature of the complaint or inquiry (e.g., fraud, waste, and abuse, billing errors) based on the aforementioned contacts and documents, the MAC shall order medical records and limit the number of medical records ordered to only those required to make a determination. The MAC shall only perform a billing and document review on medical records to verify that services were rendered. If fraud, waste, and abuse are suspected after performing the billing and document review, the medical records shall be forwarded to the UPIC for review in accordance with the referral timeframe identified below.
When a complaint meeting the criteria of an IA or potential fraud, waste or abuse is received, the MAC shall not perform any screening but shall prepare a referral package within ten (10) business days of when the inquiry or IA was received, except for instances of potential patient harm, of which a referral package shall be prepared by the end of the next business day after the inquiry or IA was received, and send it to the UPIC during the same timeframe using the guidelines established in section 4.3.2.4 – Referrals to the UPIC. Once the complaint has been referred to the UPIC, the MAC shall close the complaint in its internal tracking system.
The MAC shall screen every OIG Hotline complaint received from CMS to determine if the complaint can be closed, resolved, other appropriate action taken by the MAC, or referred to either another contractor, a State Medicaid Agency, or Marketplace Integrity. If the MAC determines that a referral shall be made, the MAC shall adhere to the referral guidelines established below and in 4.3.2.4 – Referrals to the UPIC.
All OIG Hotline complaints sent to the MAC by CMS shall be reviewed, determinations shall be made, and final action shall be taken within 45 business days from the date the complaint is received, unless medical records have been requested and the MAC is pending receipt of the records. The MAC shall use the date contained in the e-mail from CMS as the start of the 45 business day timeframe.
If, the MAC requests medical records and those records are not received within 45 business days, the MAC shall deny the claim(s) or keep the request open beyond the 45 business day timeframe to allow for receipt of the requested records, whichever is appropriate.
If fraud is suspected when medical records are not received or the MAC determines otherwise that the complaint or inquiry indicates potential fraud, waste, and abuse, the MAC shall forward it to the UPIC for further development within 45 business days of the date of receipt from CMS or within 30 business days of the date of receipt of medical records and/or other documentation, whichever is later. If a referral shall be made, the
MAC shall adhere to the referral guidelines established below and in 4.3.2.4 – Referrals to the UPIC.
If the MAC determines that the complaint or inquiry is not a fraud and/or abuse issue, and if the MAC discovers that the complaint or inquiry has other issues (e.g., MR, enrollment, claims processing), it shall be referred to the appropriate department and then closed.
When a complaint meeting the criteria of an IA or potential fraud, waste or abuse is received, the MAC shall not perform any screening but shall prepare a referral package within ten (10) business days of when the inquiry or IA was received, and send it to the UPIC during the same timeframe using the guidelines established in 4.3.2.4 – Referrals to the UPIC. Once the complaint has been referred to the UPIC, the MAC shall close the complaint in its internal tracking system.
If the MAC receives a complaint from CMS that has been erroneously assigned to the MAC, the contractor shall transfer the erroneously assigned complaint to the appropriate MAC within 10 business days from the date it determined that the complaint was erroneously assigned.
MACs may receive complaints alleging fraud, waste or abuse in the Medicaid program. Upon receipt, the MAC shall refer the complaints to the appropriate Program Integrity Unit (PIU) within the State Medicaid Agency (SMA) noted in Exhibit 47.
The MAC shall identify and refer complaints alleging fraud, waste, or abuse in the Medicare Part C or Part D programs to the MEDIC. This includes complaints that do not have a credible allegation of fraud.
The MAC shall identify and refer complaints alleging fraud, waste, or abuse involving the Federal Marketplace and State-Based Exchanges, insurance agents/brokers marketing Marketplace plans, and Marketplace consumers to the following email address: marketplaceintegrity@cms.hhs.gov, with a copy to the MAC CORs. The MAC shall close the complaint in its internal tracking system. These referrals shall be done in accordance with the timeframes established above.
The MAC shall only be required to close a complaint from the OIG Hotline in its internal tracking system and will no longer refer complaints that do not allege fraud, waste, or abuse involving CMS programs to the OIG.
If the MAC receives duplicate complaints, the second duplicate complaint shall be closed and cross-referenced to the original complaint. Subsequent complaints will be thoroughly reviewed to ensure that any new information is added to the original complaint. This will ensure all items in question related to the complaint are addressed. When the complaint is closed, monetary actions (if involved) shall only be claimed on the primary complaint.
(Rev. 12772; Issued: 08-09-24; Effective: 09-20-24; Implementation: 09-20-24)
MACs that refer a complaint to the UPIC shall notify the UPIC via e-mail that a complaint is being referred as potentially fraudulent. The MAC shall develop a referral package (see below for what should be included in the referral package) for all complaints being referred to the UPIC and shall send the complaint via a secure method such as e-mail or mail directly to the UPIC.
Complaints shall be forwarded to the UPIC for further review under the circumstances listed below (this is not an exhaustive list):
payments;
Note: Since this is not an all-inclusive list, the UPIC has the right to request additional information in the resolution of the complaint referral or the subsequent development of a related case (e.g., provider/supplier enrollment information).
When the above situations occur requiring that the complaint be referred to the UPIC for review, the MAC shall prepare a referral package that includes, at a minimum, the following:
If a provider/supplier is found to be previously referred to the UPIC and on an active Payment Suspension, it is important to appropriately close the complaint in the applicable system(s) (i.e., Next Generation Desktop (NGD), MAC system(s), etc.) and ensure the information is communicated to the UPIC. The following actions shall occur in cases where a complaint is received for a provider/supplier previously referred to the UPIC and on an active Payment Suspension:
Continue to report new claims identified in subsequent complaints to the UPIC;
Close complaints in the applicable system(s) (i.e., NGD, MAC system(s), etc.; however, do not cancel them) with a note that references this PIM section;
It is very important that UPICs are promptly notified of these subsequent complaints. Each MAC should work with its respective UPIC(s) to identify what additional details are needed and how best to communicate these complaints since they will not be communicated via formal referral. At a minimum, complaints that fall under this category should be communicated monthly.
NOTE: Since this is not an all-inclusive list, the UPIC has the right to request additional information in the resolution of the complaint referral or the subsequent development of a related case (e.g., provider/supplier enrollment information).
The MAC shall maintain a copy of all referral packages.
(Rev. 11218; Issued: 01-27-2022; Effective: 02-28-2022; Implementation: 02-28-2022)
This section applies to MACs who process Home Health claims.
Prior to January 1, 2022, under the Prospective Payment System (PPS) Medicare made a split percentage payment for most Home Health PPS episode periods. The first payment was for a Request for Anticipated Payment (RAP), and the last was for a claim. As of January 01, 2022, Home Health Agencies (HHA) shall no longer submit RAPs for any Home Health period of care with a “from” date on or after January 1, 2022. Instead, for each admission to home health, the HHA notifies the Medicare systems via submission of an NOA. See Pub 100-04, Medicare Claims Processing Manual, Chapter 10, Home Health Agency Billing, for more detailed information regarding the processing of NOAs.
MACs may identify instances where an HHA’s use of NOAs indicates potential fraud, waste or abuse. Upon identifying misuse of NOAs, the MAC shall initiate corrective action. Corrective action includes, but is not limited to, education, warnings, Corrective Action Plans, and referrals to the UPIC.
(Rev. 11218; Issued: 01-27-2022; Effective: 02-28-2022; Implementation: 02-28-2022)
In monitoring the use of NOAs and Home Health claims, a MAC may identify potential misuse that is not significant enough to warrant immediate implementation of a Corrective Action Plan, but may indicate the need for additional education and monitoring. The MAC shall educate the HHA on the appropriate use of NOAs. Appropriate steps include calling the HHA to discuss the concerns identified, distributing educational materials to the HHA, and/or sending correspondence to the HHA. At a minimum, the MAC shall make clear to the HHA that:
Once the monitoring period has ended, the MAC shall inform the HHA of the outcome. This may include no additional action being taken, the monitoring period being extended or the implementation of additional corrective action, including but not limited to a Corrective Action Plan as detailed in Section 4.4.3.
(Rev. 11218; Issued: 01-27-2022; Effective: 02-28-2022; Implementation: 02-28-2022)
In monitoring an HHA's activities, a MAC may identify misuse of NOAs that warrants immediate implementation of a Corrective Action Plan (CAP). The purpose of the CAP is to ensure adherence to CMS regulations and that an HHA is implementing processes/internal controls to improve billing practices.
(Rev. 11218; Issued: 01-27-2022; Effective: 02-28-2022; Implementation: 02-28-2022)
A MAC shall notify the HHA in writing that a CAP is required based on non-compliant billing practices; detail the misuse the MAC identified; indicate the anticipated length of the CAP.
(Rev. 11218; Issued: 01-27-2022; Effective: 02-28-2022; Implementation: 02-28-2022)
The HHA must submit the CAP within 14 calendar days from the date of the MAC's letter. In the CAP, the HHA must address the following:
If an HHA fails or refuses to submit a CAP, the MAC shall take immediate action to refer the HHA to the UPIC in accordance with Section 4.4.5.
The MAC shall provide the UPICs a list of HHAs with pending or accepted CAPs on a regular basis, i.e., at least monthly. The submission or acceptance of a CAP does not preclude the UPIC from opening an investigation for potential fraud.
(Rev. 11218; Issued: 01-27-2022; Effective: 02-28-2022; Implementation: 02-28-2022)
The MAC shall notify the HHA once the CAP has been reviewed and accepted. The MAC shall convey the length of time the CAP will be in place. Normally, CAPs will be implemented for a minimum of 30 calendar days, but the MAC may require a longer implementation period based on the specific problems/weaknesses. The MAC shall periodically monitor the HHA's progress toward the proposed solutions prior to the end of the implementation period.
If the MAC is unable to accept the CAP, the MAC has discretion to allow the HHA an additional period not to exceed 14 calendar days to resubmit. If the HHA is unable to resolve the issues with the CAP, the MAC shall consider additional corrective action, including referral to the UPIC.
(Rev. 11218; Issued: 01-27-2022; Effective: 02-28-2022; Implementation: 02-28-2022)
Once the monitoring period has ended, the MAC shall formally inform the HHA of the outcome. This includes no additional action being taken, the monitoring period being extended or the implementation of additional corrective action, including but not limited to a Corrective Action Plan as detailed in Section 4.4.3, based on other misuse identified. Upon request by a UPIC, the MAC shall provide information regarding a CAP.
(Rev. 11218; Issued: 01-27-2022; Effective: 02-28-2022; Implementation: 02-28-2022)
Throughout the monitoring of Home Health claims, the MAC shall coordinate with the UPIC to determine if there is an open investigation concerning the HHA and appropriate next steps. If there is an open investigation on the HHA, the MAC shall immediately refer their findings to the UPIC and take no further action unless otherwise agreed upon.
A MAC may determine that an HHA's misuse of NOAs and/or other conduct, such as an HHA's failure to respond to requests/queries during periods of increased monitoring, CAPs, etc., warrants immediate referral to the appropriate UPIC. MACs and UPICs shall coordinate in accordance with Pub 100-08, Medicare Program Integrity Manual, Chapter 4, Program Integrity and their Joint Operating Agreements.
(Rev. 12127; Issued: 07-21-23; Effective: 08-21-23; Implementation: 08-21-23)
This section applies to UPICs.
Screening is the initial step in the review of a lead (described in section 4.2.2.1 of this chapter) to determine the need to perform further investigation based on the potential for fraud, waste, or abuse. Screening shall be completed within 45 calendar days after receipt of the lead.
The receipt date of the lead is generally determined by the date the UPIC receives a complaint. If the lead resulted from data analysis conducted by the UPIC, the receipt of the lead shall be the date the lead was referred from the UPIC data analysis department to its investigation or screening unit. For a new lead that is identified from an active or current UPIC investigation, the receipt of the lead shall be the date the new lead was identified by the UPIC investigator.
Note: If criteria for an IA are met during evaluation of the lead, the UPIC shall forward the IA to LE and continue to screen the lead, if deemed appropriate.
Activities that the UPIC may perform in relation to the screening process include, but are not limited to:
UPICs are authorized to check the doors. As such, the UPIC shall assess the environment and use sound judgement to determine when it is appropriate to check locked doors.
Any screening activities shall not involve contact with the subject provider/supplier or implementation of any administrative actions (i.e., post-payment reviews, prepayment reviews/edits, payment suspension, and revocation). However, if the lead is based solely on a potential assignment violation issue, the UPIC may contact the provider directly to resolve only the assignment violation issue. If the lead involves potential patient harm, the UPIC shall immediately notify CMS within two (2) business days.
As it relates to the UPIC's handling of potential assignment violations, if the UPIC is unable to make contact with the provider at least five (5) attempts, the UPIC shall refer the assignment violation issue to the appropriate CMS Regional Office for resolution.
After completing its screening, the UPIC shall close the lead if it does not appear to be related to fraud, waste, or abuse. Prior to closing the lead, the UPIC shall take any appropriate actions (i.e., referrals to the MAC, RA, state, or QIO). For example, if a lead does not appear to be related to potential fraud, waste, or abuse but the lead needs to be referred to the MAC, the date that the UPIC refers the information to the MAC is the last day of the screening.
At a minimum, the UPIC shall document the following information in its case file:
The number of leads received to date regarding this provider/supplier, including the present lead. This information is useful in identifying providers/suppliers that are involved in an undue number of complaints; and
Any documentation associated with the UPIC's activities (i.e., referrals to other entities).
Additionally, if the screening process exceeds 45 calendar days, the UPIC shall document the reasons, circumstances, dates, and actions associated with the delay in the UCM and its monthly reporting in CMS ARTS.
If the UPIC identifies specific concerns while screening a lead that warrants contact with a specific provider/supplier, the UPIC shall contact the BFL, with a copy to the COR, for further guidance (e.g., UPIC determines that provider/supplier contact is needed in order to determine if the case warrants further investigation).
(Rev. 13821; Issued:06-09-26; Effective: 02-26-26; Implementation: 02-26-26)
This section applies to the UPICs and the MACs.
When a complaint is received from the MAC screening staff, the UPIC shall further screen the complaint, resolve the complaint, or make referrals, as needed, to the appropriate entity.
The MAC shall screen and forward the complaints within 45 business days from the date of receipt by the screening staff, or within 30 business days of receiving medical records and/or other documentation, whichever is later, to the UPIC. The UPIC shall send the acknowledgement letter within 15 calendar days of receipt of the complaint referral from the MAC screening staff, unless it can be resolved sooner. The letter shall be sent on UPIC letterhead and shall contain the telephone number of the UPIC analyst handling the case.
If the MAC refers a DME provider/supplier that was previously referred to the UPIC, is under active investigation, is on an active Payment Suspension, has been referred to law enforcement and is under active law enforcement investigation, or is under an active zone restriction, the UPIC shall not send the following letters to the beneficiary/complainant.
The UPIC shall document the MAC referral/complaint in the active investigation file (CSE) in UCM as well as upload the referral/complaint in the Documents section of the
active CSE. Should the UPIC need additional beneficiary interviews, the UPIC should consider interviewing beneficiaries that have filed a complaint.
If the UPIC staff determines, after screening the complaint, that it is not a potential fraud, waste, and/or abuse issue, but involves other issues (e.g., MR, enrollment, claims processing), the complaint shall be referred back to the MAC area responsible for screening. The MAC screening staff shall track the complaints returned by the UPIC. However, the UPIC shall send an acknowledgement to the complainant, indicating that a referral is being made, if applicable, to the appropriate MAC unit for further action. The UPIC shall track complaints referred by the MAC screening area in the UPIC’s internal tracking system. The UPIC shall send the complainant a resolution letter within seven (7) calendar days of resolving the complaint investigation.
This section applies to UPICs who receive identified potential user abuse of MBI Lookup Tools in MAC portals.
When CPI identifies potential user abuse in the MBI Lookup tool, CPI will enter a case in the UCM, screen and vet as needed, and tag the case as an MBI Lookup violation. CPI will advise the applicable UPIC(s) of the details of the case and request an investigation into inappropriate claim submissions, if applicable.
This section applies to the I-MEDIC.
When a complaint is received by the I-MEDIC complaint screening staff, an acknowledgement letter shall be sent to the complainant within five (5) calendar days. The I-MEDIC complaint screening staff shall screen, resolve, or if warranted, escalate the complaint to the screening team at the I-MEDIC within 30 calendar days from the date of receipt.
Once a complaint has been escalated to lead screening, the I-MEDIC shall further screen the lead, open an investigation, or make referrals, as needed, to the appropriate entity within 45 days.
The I-MEDIC shall track all complaints received by its complaint screening staff in an internal tracking system. All complaints that have escalated to a lead status shall be tracked in the UCM.
The I-MEDIC complaint screening staff shall send the complainant a resolution letter within five (5) calendar days of resolving the complaint investigation.
(Rev. 13821; Issued:06-09-26; Effective: 02-26-26; Implementation: 02-26-26)
All leads and any new subjects that the UPIC determines warrant further investigation shall be vetted through CMS for approval before advancing to an investigation. The UPIC shall vet all applicable National Provider Identifiers (NPIs) and Provider
Identifiers associated with the provider or supplier’s tax identification number when initially vetting the lead with CMS. The UPIC shall submit the lead on each subject to CMS via UCM within two (2) business days of the UPIC determining that the lead should be transitioned into an investigation.
For the submission to CMS, the UPIC shall submit subjects to the UCM queue for CMS vetting, ensuring that each subject includes: NPI and the provider/supplier name.
The UPIC shall only open investigations into leads that have been approved by CMS. Once CMS approves the lead, the subject will be marked with the vetting determination date and determination type in UCM. If CMS instructs the UPIC to close the lead without further action, the UPIC shall do so within two (2) business days. These subjects will be marked with the HHS/OIG Vetting Determination Date in UCM with a red system ‘chip’.
If the screening results in a new investigation or becomes part of an existing investigation, that screening information shall be included in the investigation file. If, during a UPIC investigation, it is determined that additional subject(s) should be incorporated into the ongoing investigation, the UPIC shall vet each additional subject with CMS, using the approved CMS process described above, before implementing any investigative actions related to the additional subject(s). For any new investigations, the UPIC shall complete the appropriate updates in the UCM within seven (7) calendar days.
(Rev. 11358; Issued: 04-21-2022; Effective: 05-23-2022; Implementation: 05-23-2022)
This section applies to UPICs.
An investigation is the expanded analysis performed on leads once such lead is vetted and approved by CMS to be opened as an investigation. The UPIC shall focus its investigation in an effort to establish the facts and the magnitude of the alleged fraud, waste, or abuse and take any appropriate action to protect Medicare Trust Fund dollars within 210 calendar days, unless otherwise specified by CMS.
For any investigative activities that require preapproval by CMS (i.e., activities referenced in Section 4.7.1.2), the UPIC shall submit those requests to CMS for approval with a copy to its COR and BFLs for approval when initiating those actions.
Prioritization of the investigation workload is critical to ensure that the resources available are devoted primarily to high-priority investigations. The UPIC shall ensure that all investigations originating from an Accountable Care Organization (ACO) referral or involving ACOs, ACO participants or ACO providers/suppliers are provided a heightened level of priority and are promptly reviewed and investigated to ensure the appropriate administrative or other action(s) are taken in an expeditious manner.
The UPIC shall maintain files on all investigations. The files shall be organized by provider or supplier and shall contain all pertinent documents including, but not limited to, the original referral or complaint, investigative findings, reports of telephone contacts, warning letters, documented discussions, documented results of any investigative activities, any data analysis or analytical work involving the potential subject or target of the investigation, and decision memoranda regarding final disposition of the investigation (refer to section 4.2.2.6.2 of this chapter for information concerning the retention of these documents).
Under the terms of their contract, the UPICs shall investigate potential fraud, waste, or abuse on the part of providers, suppliers, and other entities that receive reimbursement under the Medicare program for services rendered to beneficiaries. The UPICs shall refer potential fraud cases to LE, as appropriate, and provide support for these cases. In addition, the UPICs may provide data and other information related to potential fraud cases initiated by LE when the cases involve entities or individuals that receive reimbursement under the Medicare program for services rendered to beneficiaries. For investigations that the providers/suppliers are subject to prior authorization by the MAC, the UPIC may request the MAC to release the prior authorization requirement prior to pursuing the investigation further.
For those investigations that are national in scope, CMS will designate a lead UPIC, if appropriate, to facilitate activities across the zones.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
The UPIC shall, unless otherwise advised by CMS, use one or more of the following investigative methods (this is not an exhaustive list):
Additionally, the UPICs shall coordinate with LE partners prior to making contact with any provider/supplier, when it knows there is or was a LE case on the provider/supplier.
The UPIC shall review the Unified Case Management (UCM) system prior to contacting any provider/supplier to verify the following:
If the UPIC identifies prior LE activity within the past 24 months, the UPIC shall communicate with the LE contact person identified in the UCM to determine if making contact with a provider/supplier will impact its case. If the UPIC is not able to identify the LE contact person in UCM, the UPIC shall consult with its BFL for further guidance. Once the UPIC contacts LE, it shall document the results of the conversation, including the date, time, name of the individual, and the specific LE agency in UCM prior to contacting the provider/supplier. If the UPIC has attempted to contact LE on multiple occasions within five (5) business days, but does not receive a response, the UPIC shall notify its BFL, with a copy to the COR, for CMS escalation to the appropriate LE contacts.
For any investigative activities that require approval by CMS (i.e., Payment Suspension or revocation/deactivation requests), the UPIC shall submit those requests through its current processes (i.e., via UCM) and coordinate subsequent actions with the appropriate points of contact within CMS.
After reviewing the provider's/supplier's background, specialty, and profile, the UPIC decides whether the situation involves potential fraud, waste, or abuse, or may be more accurately categorized as a billing error. For example, records might indicate that a physician has billed, in some instances, both Medicare and the beneficiary for the same service. Upon review, the UPIC may determine that, rather than attempting to be paid twice for the same service, the physician made an error in his/her billing methodology. Therefore, this error would be considered a determination of incorrect billing, rather than potential fraud, waste, or abuse involving intentional duplicate billing. If the UPIC determines that an overpayment exists solely on data analysis, the UPIC shall obtain BFL approval prior to initiating the overpayment.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs.
A UPIC may determine that the resolution of an investigation does not warrant administrative action and that an educational meeting with the provider/supplier is more appropriate. The UPIC shall inform the provider/supplier of the questionable or improper practices, the correct procedure to be followed, and that continuation of the improper practice may result in administrative actions. The UPIC shall document
contacts and/or warnings with written reports and correspondence to the provider/supplier and place them in the investigation file in the UCM.
If the provider/supplier continues aberrant billing practices, the UPIC shall initiate the appropriate administrative actions. If the UPIC meets with a provider/supplier, the UPIC shall prepare a detailed report for the investigation file in the UCM. The report shall include the information in A, B, and C below:
The UPIC shall include a list of all enterprises in which the subject had affiliations, the states where the provider/supplier is licensed, all past complaints, and all prior educational contacts/notices.
The UPIC shall include a report of the subject provider's/supplier's total Medicare earnings for the past 12 months.
The report shall include the following:
The UPIC shall include in the detailed report, to be placed in the investigative file, the number and type of reviews performed, as well as the specific information outlined below:
The UPIC shall include information pertaining to the meeting(s) conducted with the provider/supplier. This report shall include the following:
Per the abuse of billing authority under 42 C.F.R. § 424.535(a)(8)(ii) for a pattern or practice of submitting claims that do not meet Medicare requirements and in an effort to fully inform providers of the potential administrative actions that may be imposed based on continued violations of Medicare policy, the below statement should be included in all post payment correspondence that include an error rate, and if applicable, other communications that identify non-compliant billings and inform the provider/supplier of their non-compliance with Medicare requirements.
In addition, we remind you that our regulation at 42 CFR § 424.535 authorizes us to revoke Medicare billing privileges under certain conditions. In particular, we note that per 42 CFR § 424.535(a)(8)(ii), CMS has the authority to revoke a currently enrolled provider's or supplier's Medicare billing privileges if CMS determines that the provider or supplier has a pattern or practice of submitting claims that fail to meet Medicare requirements.
(Rev. 11218; Issued: 01-27-2022; Effective: 02-28-2022; Implementation: 02-28-2022)
UPICs shall discuss their top investigations with CMS during regularly scheduled case coordination meetings.
The purpose of these meetings is to ensure that the contractor's top investigations are shared with all relevant stakeholders to ensure the appropriate parties handle a specific case as expeditiously as possible. In addition, CPI identified the following types of investigations that shall be discussed during the case coordination meetings:
(Rev. 13485; Issued: 12-23-25; Effective: 01-26-26; Implementation: 01-26-26)
This section applies to the I-MEDIC.
As part of the investigative process conducted by the I-MEDIC (regardless of the complaint source), the contractor shall, as appropriate, contact the Medicare Advantage (MA) plan to determine if they have requested and received medical records from the
provider. The I-MEDIC shall then request a copy of these records to assist in investigation development. Furthermore, if the MA plan does not possess the requested records, the I-MEDIC may directly request the records from the provider.
Before requesting records from a provider, the I-MEDIC shall notify the MA plan. If the I-MEDIC determines that it is inappropriate to request medical records from the plan sponsors, the I-MEDIC shall document its rationale in the Unified Case Management (UCM) system. If the I-MEDIC requests records from a plan sponsor, whose associated entities decline to provide the requested record(s), the I-MEDIC shall promptly notify its BFLs and COR within two (2) business days.
42 CFR §§ 422.504(i)(2)(i) stipulates the requirement for plan sponsors and their associated providers under Part C, to furnish medical records to I-MEDIC upon request. Moreover, the CFRs specify that if Part C plan sponsors are initially informed, the I-MEDIC may request medical records directly from the providers. The only instance in which submitting medical records to the I-MEDIC is voluntary is when the provider is out-of-network.
If the plan and its providers fail to submit medical records upon request by the I-MEDIC, CMS’ Center for Medicare (CM) has the authority to take compliance action against the plans for violating their contract with CMS.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
This section applies to UPICs.
For purposes of this chapter, a “compromised number” is a beneficiary or provider/supplier number that has been stolen and used by unauthorized entities or individuals to submit claims to, i.e., bill, the Medicare program.
The UPICs shall investigate the alleged theft of provider identities, and report validated compromised numbers into the UCM Compromised Number Records module, in accordance with the applicable instruction and guidance documents (Of note, the instruction and guidance documents are located in the “Job Aids” and “Release Notes” section of the UCM Documentation Storage site. These documents are updated each time updates/enhancements occur.). An example of provider identity theft may include a provider’s identity having been stolen and used to establish a new Medicare enrollment or a new billing number (reassignment) under an existing Medicare enrollment, or updating a current Medicare provider identification number with a different electronic funds transfer (EFT) payment account causing inappropriate Medicare payments to unknown person(s) and potential Medicare overpayment and eventually, U.S. Department of Treasury (UST) debt issued to the victimized provider.
The UPICs shall discuss the identity theft case with the BFL. If claims are still being submitted and Medicare payments are being made, the UPIC should pursue strategies to prevent likely overpayments from being disbursed, such as prepayment reviews, auto-denial edits, Do Not Forward (DNF) requests, or immediate payment suspensions. The purpose of these administrative actions is to stop the payments. The UPICs are not authorized to request the MAC to write-off any overpayments related to the ID theft. Prior to any enrollment actions, the UPIC should be aware of the suspected victim’s reassignments and consider the effect of Medicare enrollment enforcement actions on the alleged ID theft victim’s current employments.
If an actual financial harm exists as a result of the ID theft (i.e., existence of Medicare debt or overpayment determination), the UPIC will follow the Victimized Provider Project (VPP) procedures, which include the following:
○ Based on the information gathered and the investigation conducted, the UPICs will state their recommendation as part of the package and provide the reason for the recommendation. Two recommendations are possible:
Hold provider liable for debt.
The UPIC will submit the complete VPP packet to the CMS CPI VPP team. In ID theft cases in which the victimized providers are located in multiple states and served by different UPICs, the UPIC jurisdiction in which the perpetrator’s trial was located will be the lead UPIC that will coordinate with the other UPICs and submit a completed VPP packet to the CMS CPI VPP team.
The VPP team will validate and remediate all facts and information submitted by the UPIC. Part of the VPP team review may involve consultation with the HHS Office of General Counsel. This consultation may include, but may not be limited to, consideration of supporting documentation or lack thereof to support a decision that the provider is an actual victim of ID theft as well as compliance with federal statutes and regulations related to ID theft policies, debt collection and recall of overpayments.
The VPP team will make a final determination if the alleged ID theft victim is a true victim and approve a rescindment of Medicare overpayments reported in the name of the confirmed ID theft victim.
When calculating the actual overpayments related to the fraudulent claims under each provider victim, there may be situations in which discrepancies exist between LE and contractor loss calculation data. In these situations, the final figures used in making overpayment determinations should come from MAC data on amounts paid out in the name of the victimized providers using the cleared payments transmitted to the fraudulent bank accounts established in the DOJ case.
Once a final decision is made by the VPP team, the UPIC or Lead UPIC, as appropriate, will be informed.
If the provider victim is determined to be a true victim of ID theft, the UPIC will send out a letter using the template in the IOM Pub. #100-08 Exhibits chapter informing the provider of the favorable decision and that the assessed overpayment against the victim will be rescinded ((IOM Pub. #100-08; Exhibit 8 – Letter 2). This decision shall then flow through the UPIC to the MAC for a recall of the associated debt. (NOTE: The MAC’s instructions for processing providers’ debts that have been confirmed as identity theft are found in the Medicare Financial Management Manual Chapter 4, Section 110 – Confirmed Identity Theft). The MAC shall follow the process for making adjustments to the claims system and recall the debt registered under the victimized provider from the US Department of Treasury.
If the decision is not positive (i.e. ID theft is not confirmed), the UPIC shall correspond directly with the provider to inform him/her that CMS did not have sufficient information to confirm that identity theft has occurred. The UPIC shall send Letter 3 from the IOM Pub. #100-08 Exhibits chapter to the provider with a copy to the MAC.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
Since the Medicare program has become particularly vulnerable to fraudulent activity in the DMEPOS area, each UPIC shall:
(Rev. 11797; Issued: 01-19-23; Effective: 02-21-23; Implementation: 02-21-23)
This section applies to UPICs. This section is applicable to DME MACs, RACs, SMRC, and CERT MR contractors, as noted in Ch. 5, Section 5.8. Suppliers are required to maintain proof of delivery documentation in their files. Proof of delivery documentation must be maintained in the supplier’s files for seven years (starting from the date of service).
Section 1833(e) grants Medicare contractors the authority to request any information necessary to determine the amounts due. This includes proof of delivery in order to verify that the beneficiary received the DMEPOS item and thus to determine the amounts due to the provider. Proof of delivery is also one of the supplier standards as noted in 42 CFR § 424.57(c)(12). If the UPIC has reason to be concerned that Medicare was billed for an item that was not received (such as a complaint from a beneficiary about non-receipt), the UPIC shall request proof of delivery from the supplier. Proof of delivery documentation must be made available, within the prescribed timeframes, to the UPIC upon request. For any items that do not have proof of delivery from the supplier, such claimed items shall be denied by the UPIC and overpayments recovered. Suppliers that consistently do not provide documentation to support that their items were delivered may be referred to the OIG or NPE for investigation and/or imposition of sanctions.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs. This section is applicable to DME MACs, RACs, SMRC, and CERT medical review contractors, as noted in Ch. 5, Section 5.8. For the purpose of the delivery methods noted below, designee is defined as:
“Any person who can sign and accept the delivery of durable medical equipment on behalf of the beneficiary.”
Suppliers, their employees, or anyone else having a financial interest in the delivery of the item are prohibited from signing and accepting an item on behalf of a beneficiary (i.e., acting as a designee on behalf of the beneficiary). The signature of the designee should be legible. If the signature of the designee is not legible, the supplier/shipping service should note the name of the designee on the delivery slip.
Three methods of delivery are:
The date of delivery may be entered by the beneficiary, designee or the supplier. As a general Medicare rule, the date of service shall be the date of delivery. Exceptions are made for suppliers who use a delivery/shipping service. If the supplier uses a delivery/shipping service, the supplier may use the shipping date as the date of service on the claim. The shipping date may be defined as the date the delivery/shipping service label is created or the date the item is retrieved for delivery; however, such dates should not demonstrate significant variation. (See Pub. 100-08, chapter 5, section 5.2.4 for further information on written orders prior to delivery.)
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs. This section is applicable to DME MACs, RACs, SMRC, and CERT MR contractors, as noted in Ch. 5, Section 5.8.
Exceptions to the preceding statements concerning the date(s) of service on the claim occur when the items are provided in anticipation of discharge from an inpatient facility that does not qualify as the beneficiary’s home. A supplier may deliver a DME, prosthetics, or orthotics item (but not supplies) to a beneficiary in an inpatient facility that does not qualify as the beneficiary’s home, for the purpose of fitting or training the beneficiary in the proper use of the item. This delivery may be done up to two (2) days prior to the beneficiary’s anticipated discharge to their home. The supplier must bill the
date of service on the claim as the date of discharge and the supplier must ensure that the beneficiary takes the item home, or the supplier picks up the item at the facility and delivers it to the beneficiary's home on the date of discharge. The item must be medically necessary on the date of discharge, i.e., there is a physician's order and corroborating medical documentation to support a stated initial date of need that is no later than the date of discharge for home use, and the item must be for subsequent use in the beneficiary's home.
(See IOM Pub. 100-04, Chapter 20, Section 110.3, for the policy and billing procedures regarding the circumstances under which a supplier may deliver durable medical equipment, prosthetics, and orthotics (but not supplies) to a beneficiary who is in an inpatient facility that does not qualify as the beneficiary's home.)
In some cases, it would be appropriate for a supplier to deliver a medically necessary item of durable medical equipment (DME), a prosthetic, or an orthotic (but not supplies) to a beneficiary's home in anticipation of discharge to a Place of Service that qualifies as home. A supplier may deliver an item of DME, a prosthetic or an orthotic to a beneficiary's home in anticipation of a discharge from a hospital or nursing facility. The supplier may arrange for actual delivery of the item no sooner than two (2) days prior to the beneficiary's anticipated discharge to their home. The supplier shall bill the date of service on the claim as the date of discharge and shall use the Place of Service (POS) as 12 (Patient's Home).
Delivery of the immunosuppressive drugs may be made to the beneficiary's home (i.e., his/her own dwelling, an apartment, a relative's home, a home for the aged, or some other type of institution— such as an assisted living facility, or an intermediate care facility for individuals with intellectual disabilities (ICF/IID) but not a hospital or skilled nursing facility). In certain cases, a beneficiary who has received a transplant does not return home immediately after discharge. In order to ensure timely beneficiary access to prescribed immunosuppressive medications at the time of discharge, suppliers may deliver the initial prescriptions of a beneficiary's immunosuppressive drugs to an alternate address, such as the inpatient hospital that performed the transplant or alternative location where the beneficiary is temporarily staying (e.g., temporary housing), instead of delivering the drugs to the beneficiary's home address.
To allow payment for the first immunosuppressive drug claim after the beneficiary is discharged from an inpatient stay, the immunosuppressive drug may be mailed by a supplier no earlier than two (2) days before a beneficiary is discharged from an inpatient facility. The supplier must enter the date of discharge as the date of service on the claim.
Note that this is an optional, not mandatory, process. If the supplier chooses not to mail the immunosuppressive drug(s) prior to the beneficiary's date of discharge from the hospital, they may wait for the beneficiary to be discharged before delivering the drugs,
and follow all applicable Medicare and DME MAC rules for immunosuppressive drug billing (for example, the date of service will be the date of delivery). If the supplier ships immunosuppressive drugs to an alternate address, all parties involved, including the beneficiary and the transplant facility, must agree to the use of this approach. The supplier will not receive additional payment for delivery to an alternate location. Early and/or direct delivery to the transplant facility does not change the facility's responsibility to provide all immunosuppressive drugs required by the beneficiary for the duration of the beneficiary's inpatient stay.
(See IOM Pub. 100-04, Chapter 17, Section 80.3.3 for additional information.)
No billing may be made for any day prior to the date of discharge. A supplier may not bill for drugs or other DMEPOS items used by the beneficiary prior to the beneficiary's discharge from a stay in an inpatient facility that does not qualify as the beneficiary's home. Billing the DME MAC for surgical dressings, urological supplies, or ostomy supplies that are provided during a stay in an inpatient facility that does not qualify as the beneficiary's home is not allowed. These items are payable to the facility under Part A of Medicare. This prohibition applies even if the item is worn home by the beneficiary from the inpatient facility. Any attempt by the supplier and/or facility to substitute an item that is payable to the supplier for an item that, under statute, should be provided by the facility, may be considered to be fraudulent.
Separate payment will also not be available from either Medicare or the beneficiary if, for any reason, redelivery is necessary. All other applicable Medicare and DME MAC billing requirements continue to apply.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs. [This section is applicable to DME MACs, RACs, SMRC, and CERT MR contractors, as noted in Ch. 5, Section 5.8.]
Medicare does not automatically assume payment for a DMEPOS item that was covered prior to a beneficiary becoming eligible for the Medicare FFS program. When a beneficiary receiving a DMEPOS item from another payer becomes eligible for the Medicare FFS program, the beneficiary may continue to receive such items only if
Medicare requirements are met for such DMEPOS items. The DME MAC shall educate the supplier community that the supplier must submit an initial or new claim for the item and the necessary documentation to support Medicare payment, upon request, even if there is no change in the beneficiary's medical condition. The first day of the first rental month in which Medicare payments are made for the item serves as the start date of the reasonable useful lifetime and period of continuous use. The contractor shall consider
the proof of delivery requirements met for this type of beneficiary by instructing the supplier to obtain a statement, signed and dated by the beneficiary (or beneficiary's designee), that the supplier has examined the item. The DME MAC shall educate the supplier that the supplier must also attest to the fact that the item meets Medicare requirements.
(Rev. 11358; Issued: 04-21-2022; Effective: 05-23-2022; Implementation: 05-23-2022)
Medical Review (MR) for Program Integrity (PI) is one of the parallel strategies of the Medicare Integrity Program (MIP) to encourage the early detection of fraud, waste, and abuse. The primary task of the UPIC is to identify suspected fraud, develop investigations and cases thoroughly and in a timely manner, and take immediate action to ensure that Medicare Trust Fund monies are not inappropriately paid out and that any improper payments are identified. For this reason, it is recommended that MR is integrated early into the development of the investigative process. The focus of PI MR includes, but is not limited to:
The statutory authority for the MR program includes the following sections of the Social Security Act (the Act):
The remainder of Section 1862(a), which describes all statutory exclusions from coverage;
The regulatory authority for the MR program rests in:
Data analysis is an essential first step in determining whether patterns of claims submission and payment indicate potential problems. Such data analysis may include simple identification of aberrancies in billing patterns within a homogeneous group, or much more sophisticated detection of patterns within claims or groups of claims that might suggest improper billing or payment. The UPIC's ability to make use of available data and apply innovative analytical methodologies is critical to the success of MR for PI purposes. Refer to PIM chapter 2 in its entirety for MR and PI data analysis requirements.
The UPIC and the MAC MR units shall have ongoing discussions and close working relationships regarding situations identified that may be signs of potential fraud, waste, or abuse. MACs shall also include the cost report audit unit in the on-going discussions. MAC MR staff shall coordinate and communicate with their associated UPICs to ensure coordination of efforts, to prevent inappropriate duplication of review activities, and to assure contacts made by the MAC are not in conflict with program integrity related activities, as defined by the Joint Operating Agreement (JOA).
It is essential that MR is integrated early in the investigative plan of action to facilitate the timeliness of the investigative process. Before deploying significant MR resources to examine claims identified as potentially fraudulent, the UPIC may perform a limited prepayment MR to help identify signs of potential fraud, waste, or abuse. The general recommendation for a provider/supplier specific edit would be to limit the prepayment MR to specific procedure codes, a specific number of claims, or based on a particular subset of beneficiaries identified through the UPIC's analysis. Another option may be
for the UPIC to perform a MR probe to validate the data analysis or allegation by selecting a small representative sample of claims. The general recommendation for a provider/supplier-specific probe sample is 20-40 claims. This sample size should be sufficient to determine the need for additional prepayment or post-payment MR actions. MR resources shall be used efficiently and not cause a delay in the investigative process. In addition, development of an investigation shall continue while the contractor is awaiting the results of the MR.
If a provider/supplier appears to have knowingly and intentionally furnished services that are not covered, or filed claims for services not furnished as billed, or made any false statement on the claim or supporting documentation to receive payment, the MAC or RAC personnel may discuss potential referral of the matter to the UPIC. If the UPIC agrees that there is potential fraud, waste, and/or abuse, the MAC or RAC personnel shall escalate and refer the matter to the UPIC.
Provider/supplier documentation that shows a pattern of repeated misconduct or conduct that is clearly abusive or potentially fraudulent, despite provider/supplier education and direct contact with the provider/supplier to explain identified errors, shall be referred to the UPIC.
The focus of MAC MR is to reduce the error rate through MR and provider/supplier notification and feedback. The focus of the RAC is to identify and correct Medicare improper payments through detection and collection of overpayments. The focus of the UPIC is to address situations of potential fraud, waste, and abuse.
The UPICs are also responsible for preventing and minimizing the opportunity for fraud. The UPICs shall identify procedures that may make Medicare vulnerable to questionable billing or improper practices and take appropriate action.
CMS has implemented recurring edit modules in all claims processing systems to allow UPICs and/or CMS to monitor specific beneficiary and/or provider/supplier numbers and other claims criteria. When appropriate, the UPIC may request the MAC to install a prepayment or auto-denial edit. The MACs shall comply with requests from UPICs and/or CMS to implement those edits. The MACs shall implement parameters for those edits/audits within the timeframe established in the MAC and UPIC JOA, which shall not exceed more than 15 business days.
When MAC MR staff is reviewing a medical record for MR purposes, its focus is on making a coverage and/or coding determination. However, when UPIC staff is performing MR for PI purposes, its focus may be different (e.g., looking for possible falsification). The UPIC shall follow all chapters of the PIM as applicable unless otherwise instructed in this chapter and/or in its Umbrella Statement of Work (USOW). Of note, should the UPIC have evidence that services were not performed (i.e., from beneficiary interview(s), provider attestation(s), etc.), the UPIC may deny the service(s) based on that evidence without the need for medical review.
Chapter 3 of the PIM outlines the procedures to be followed to make coverage and coding determinations.
1. The UPIC shall maintain current references to support MR determinations. The review staff shall be familiar with the below references and be able to track requirements in the internal review guidelines back to the statute or manual. References include, but are not limited to:
2. The UPIC shall have specific review parameters and guidelines established for the identified claims. Each claim shall be evaluated using the same review guidelines. The claim and the medical record shall be linked by patient name, HICN, diagnosis, Internal Control Number (ICN), and procedure. The UPIC shall have access to provider/supplier tracking systems from MR. The information on the tracking systems shall be used for comparison to UPIC findings. The UPIC shall also consider that the MR department may have established internal guidelines (see PIM, chapter 3).
3. The UPIC shall evaluate if the provider specialty is reasonable for the procedure(s) being reviewed. As examples, one would not expect to see chiropractors billing for cardiac care, podiatrists for dermatological procedures, and ophthalmologists for foot care.
4. The UPIC shall evaluate and determine if there is evidence in the medical record that the service submitted was actually provided, and if so, if the service was medically reasonable and necessary. The UPIC shall also verify diagnosis and match to age, gender, and procedure.
5. The UPIC shall determine if patterns and/or trends exist in the medical record that may indicate potential fraud, waste, or abuse or demonstrate potential patient harm. Examples include, but are not limited to:
6. The UPIC shall evaluate the medical record for evidence of alterations including, but not limited to, obliterated sections, missing pages, inserted pages, white out, and excessive late entries. The UPIC shall not consider undated or unsigned entries handwritten in the margin of a document. These entries shall be excluded from consideration when performing medical review. See chapter 3 for recordkeeping principles.
7. The UPIC shall document errors found and communicate these to the provider/supplier in writing when the UPIC's review does not find evidence of questionable billing or improper practices. A referral may be made to the POE staff at the MAC for additional provider/supplier education and follow up, if appropriate (see PIM, chapter 3).
8. The UPIC shall adjust the service, in part or in whole, depending upon the service under review, when medical records/documentation do not support services billed by the provider/supplier.
9. The UPIC shall thoroughly document the rationale utilized to make the MR decision.
Quality assurance activities shall ensure that each element is being performed consistently and accurately throughout the UPIC's MR for PI program. In addition, the UPIC shall have in place procedures for continuous quality improvement in order to continually improve the effectiveness of their processes.
1. The UPIC shall assess the need for internal training on changes or new instructions (e.g., through minutes, agendas, sign-in sheets) and confirm with staff that they have participated in training as appropriate. The UPIC staff shall be able to request training on specific issues.
2. The UPIC shall evaluate internal mechanisms to determine whether staff members have correctly interpreted the training (training evaluation forms, staff assessments) and demonstrated the ability to implement the instruction (internal quality assessment processes).
3. The UPIC shall have an objective process to assign staff to review projects, ensuring that the correct level of expertise is available. For example, situations dealing with therapy issues may include review by an appropriate therapist or use of a therapist as a consultant to develop internal guidelines. Situations with complicated or questionable medical issues, or where no policy exists, may require a physician consultant (medical director or outside consultant).
4. The UPIC shall develop a system to address how it will monitor and maintain accuracy in decision making (inter-reviewer reliability) as referenced in chapter 3 of the PIM. The UPIC shall establish a Quality Improvement (QI) process that verifies the accuracy of MR decisions made by licensed health care professionals. UPICs shall include inter-rater reliability and/or peer-review assessments in their QI process and shall report these results as directed by CMS.
5. When the UPIC evaluation results identify the need for prepayment edit placement at the MAC, the UPIC shall have a system in place to evaluate the effectiveness of those edits on an ongoing basis as development continues. The MAC may provide the claims data necessary to the UPIC to evaluate edits submitted at the request of the UPIC. The evaluation of edits shall consider the timing and staffing needs for reviews. The UPIC may submit an inquiry to the MAC to verify that a new edit is accomplishing its objective of selecting claims for MR 30 business days after an edit has been implemented or placed into production. The UPIC shall use data analysis of the selected provider’s claims history to verify possible changes in billing patterns.
Automated edits shall be evaluated annually.
Prepayment edits shall be evaluated on a quarterly basis. They shall be analyzed in conjunction with data analysis to confirm or re-establish priorities. For example, a prepayment edit is implemented to stop all claims with a specific diagnostic/procedure code and the provider stops submitting claims with that code to circumvent the edit.
Data analysis shall be used to identify if the provider’s general billing pattern has changed in volume and/or to another/similar code that may need to be considered/evaluated to revise the current edit in question and/or expansion of the current investigation.
(Rev. 13821; Issued:06-09-26; Effective: 02-26-26; Implementation: 02-26-26)
When the UPIC denies a claim and the provider, supplier, physician or beneficiary appeals the denial, the MAC shall request the medical records and documentation that the UPIC used in making its determination. The UPIC shall assemble the case file and send it to the MAC within five (5) business days. If the MAC request is received outside of normal business hours or on an observed holiday that the UPIC is closed for business, the first business day will not be counted until the first business day after receipt of the request (i.e., if received on Saturday, the following Monday will be counted as the first business day). If the 5th business day falls on an observed holiday where either the UPIC or MAC is closed for business, documentation shall be sent on the next business day.
The UPIC shall include any position papers or rationale and support for its decision so that the appeals adjudicator can consider it during the appeals process. However, UPICs shall be aware that an appeals case file is discoverable by the appellant. This means that the appellant can receive a complete copy of the case file. Since the provider may receive the case file, the UPIC shall consult with law enforcement before including any sensitive information relative to a case.
When submitting documents to Office of Medicare Hearing and Appeals, UPICs shall use (OMHA's) e-Appeal Portal (Portal) for electronic submission of documents related to a Level 3 appeal. Submitting documents through the Portal is generally faster and more reliable than sending them via mail, fax, or email. Additionally, OMHA cannot accept documents containing Personally Identifiable Information (PII) and Protected Health Information (PHI) via email, so utilizing the Portal will resolve any concern about accidental, unsecure transmission of PII or PHI via email. Therefore, all UPICs shall use the Portal for electronic document submission.
Examples of Level 3 Appeal related documents that UPICs shall upload to the Portal, as applicable, may include, but are not limited to Position Papers, Curricula Vitae (CVs), Evidence, Written Testimony, etc. Once uploaded to the Portal, these documents are automatically attached to the appeal in OMHA's Electronic Case Adjudication and Processing Environment (ECAPE). The Portal provides immediate confirmation (on the website and via email) that submissions are received, and the ALJ team assigned to an appeal receives an alert whenever a document is uploaded to that appeal via the Portal. While the Portal shall be the primary method of document submission by the UPICs, circumstances may arise when the Portal is not available or practical. For example, on rare occasions, the Portal may be unavailable due to maintenance. In these circumstances, the UPICs may submit Level 3 Appeal related documents via email, fax, or mail, if all PII and PHI have been redacted or removed.
The Portal is available at hhs-ecape-portal.entellitrak.com. To enter the Portal, UPIC representatives must first create an account. Refer to Exhibit 49.1 for instructions on
How to Access the Portal. Once an account is created, the UPIC representative may upload relevant Level 3 Appeal documents. Refer to Exhibit 49.2 for instructions on How to Upload Documents Via the Portal.
Note: Contractors and appellants may also use the Portal to check the status of an existing ECAPE appeal.
If the UPIC would like to be notified of an Administrative Law Judge (ALJ) hearing on a particular case, the UPIC shall put a cover sheet in the case file before sending it to the MAC. The cover sheet shall state that the UPIC would like to be notified of an ALJ hearing and list a contact name with a phone and fax number where the contact can be reached. The cover sheet shall also include language stating, “PLEASE DO NOT REMOVE” to ensure it stays on the case file should the file be sent to the Quality Improvement Contractor. If the UPIC receives a notice of hearing, the UPIC shall contact the Qualified Independent Contractor (QIC) immediately.
The QICs are tasked with participating in ALJ hearings; therefore, they are the primary Medicare contractor responsible for this function. UPICs may participate in an ALJ hearing, but they shall work with the QIC to ensure that duplicative work is not being performed by both the UPIC and the QIC in preparation for the hearing. UPICs shall never invoke party status. If the UPIC participates in a hearing, it shall be as a non-party. An ALJ cannot require participation in a hearing, whether it is party or non-party. If a UPIC receives a notice that appears contrary to this instruction, the UPIC shall contact the QIC and their BFL, with a copy to the COR, immediately.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
If a case is still pending at the OIG, FBI, or AUSA, and denials are reversed by an Administrative Law Judge (ALJ), the UPIC should recommend to CMS that it consider protesting the ALJ’s decision to the DHHS Appeals Council, which has the authority to remand or reverse the ALJ’s decision. UPICs should be aware, however, that ALJs are bound only by statutory and administrative law (federal regulations), CMS rulings, and National Coverage Determinations.
The UPIC shall consult with its BFL, with a copy to the COR, before initiating a protest of an ALJ’s decision. They should be aware that the Appeals Council has only 60 days in which to decide whether to review an ALJ’s decisions. Thus, CMS needs to protest the ALJ decision within 30 days of the decision, to allow the Appeals Council to review within the 60-day limit. The UPIC shall notify all involved parties immediately if it learns that claims/claim denials have been reversed by an ALJ in a case pending prosecution.
(Rev. 13000; Issued: 12-12-24; Effective: 12-10-24; Implementation: 12-10-24)
This section applies to UPICs.
The UPIC shall collaborate with the Medical Review Accuracy Contractor (MRAC) to assure correct claims payment, and to address situations of potential fraud, waste, and abuse (FWA). The UPIC shall establishment of a JOA with the MRAC for the purpose of facilitating an efficient process for communication. The JOA shall be designed to establish guidelines and shared expectations within which the MRAC and the UPIC will conduct operations.
In addition to establishing a JOA with the MRAC, the UPICs shall comply with the processes/guidelines outlined in the steps below. These steps explain the UPIC's responsibility to provide the required information/documents for the medical review of the UPIC's Medicare and Medicaid claims for Program Integrity (PI) to the MRAC and/or CMS within the allotted time frames.
The UPIC shall supply the MRAC with one file that lists the universe of cases, including all reviewed claims, that were subjected to MR on a post-payment basis within the previous 30 calendar days, in accordance with the Deliverable Schedule and the approved MRAC Reporting Template. This universe shall contain open and closed Medicare and/or Medicaid cases from the previous 30 calendar days. Claims will only be selected from a postpayment sample for completed medical review. For Medicaid claims (excluding any claims reviewed for the Medicaid Managed Care Project), only include, in the universe, closed audits from the previous 30 calendar days. For medical review purposes, when a Final Findings Report (FFR) is issued, a Medicaid case is considered closed after CMS has issued the FFR to the State Medicaid Agency, and the UPIC has closed the case in UCM. In addition, the following Medicaid cases that were medically reviewed shall also be included in the universe submitted to the MRAC:
1. Any case that was discontinued (and therefore closed) in the previous 30 calendar days.
2. Any case that was closed in the previous 30 calendar days due to Insufficient Potential Recovery (i.e. the case did not qualify for an Initial Findings Report).
3. Any case that required a PEER review (medical review was completed by a specialty provider). The UPICS shall identify the peer review claims in the universe list that's submitted to the MRAC.
For PI reviews, claims that are going through the appeals process/selected by LE will be excluded from the review. If at any time the UPIC becomes aware that a claim is under appeal, it shall notify the UPIC COR, the MRAC Point of Contact (POC) and MRAC
COR immediately. The MRAC will stop reviewing the claim(s) and they will be removed from the universe/sample.
The completed universe of investigations/claims shall be sent via an approved format designated by CMS (i.e., encrypted CD, email or other CMS system/platform) to the MRAC with a copy to the MRAC COR and the PI BFL on or before the required submission date. If the UPIC anticipates a delay, they shall notify the MRAC as well as their UPIC COR, the MRAC COR and PI BFL by email.
Using random sampling, the MRAC shall select a sample of claims to be reviewed from the universe of investigations/claims submitted by the UPIC. The number of medical records/claims requested will vary for the purpose of reaching the required number of medical records/claims as per the MRAC SOW. The MRAC will notify the UPIC of the sample of investigations selected via an approved format designated by CMS to the UPIC POCs.
The UPIC shall submit the complete documentation package to the MRAC within seven business days of receiving the encrypted email for each of the investigations/claims selected by the MRAC. This documentation package shall include:
1. Medical records and documentation;
2. Summary of findings report for each claim reviewed that includes the MR review decisions, observations and FWA patterns and/ or trends identified;
3. The UPIC's UCM notes for each investigation selected;
4. A list of all Medicare references (policies, NCDs, LCDs) used to make the MR determination for each claim; and
5. A copy of all Medicaid policies and the State's interpretation (obtained by the UPIC) to make the MR determination for each claim.
The MRAC will be required to establish user identifications, onboarding, and login assistance for the UPIC's points-of-contact (POCs). The UPIC shall update/provide one (1) POC per contract jurisdiction for onboarding/access to the MRAC SFTP server. The POC shall be the individual responsible for sending medical records to the MRAC. If the UPIC has more than one jurisdiction with one POC sending medical records, a back-up POC may be submitted. This will allow the POC to access a secure folder, only accessible to their POC(s) and the MRAC, to transfer medical records.
POC information shall include: full name, email address, and direct cell phone number (for multi-factor authentication). This information shall be emailed to the designation MRAC POC/email with a cc to the CMS UPIC COR and MRAC COR.
The UPIC's POC will require the below software to be installed on their workstation to access the MRAC SFTP server:
The UPIC's POC must work with their IT Team to edit their local host configuration file to resolve the IP address of the SFTP server.
The UPIC's POC must have direct access to a cellular phone for multi-factor authentication when logging in. Instructions and user login credentials will be provided to the POC during onboarding.
For any individuals that are new to this process or would like a re-fresher, a virtual training/technical demonstration for accessing the SFTP server and ensuring all users are able to connect successfully will occur at a date and time to be determined once onboarding of POCs is in progress.
Technical assistance issues can be sent via email to mrac_support@religroupinc.com or via phone at (443) 961-2549. MRAC Technical Support will be available Monday-Friday 8:30AM - 5:30PM EST.
All files uploaded must still be encrypted and password protected, meeting all applicable CMS data security parameters. Notification after upload shall still be submitted to mracmail@religroupinc.com with a copy to the MRAC COR and your UPIC COR.
The MRAC will conduct reviews of the sampled claims, utilizing the documentation applied by the UPIC in reaching its decision, to evaluate the accuracy of the UPIC medical record review determination. In other words, the independent reviewers will review these claims to determine whether the UPIC made accurate claim decisions in compliance with Medicare and/or Medicaid coverage, coding, payment, and billing policies and noted whether Medicare and Medicaid claims contained patterns and/or trends which may support an allegation of potential FWA.
The MRAC will review each investigation in the representative sample and determine whether the UPIC’s payment decision was correct and whether claims contain patterns and/or trends which may support an allegation of potential FWA, such as, evidence of alterations including, but not limited to: obliterated sections, missing pages, inserted pages, white out, and excessive late entries.
If the MRAC detects patterns and/or trends which may support an allegation of potential FWA during the review of records for any of the UPICs that was not recognized or documented, this will be documented as a finding for the UPIC and referred back to the UPIC COR, MRAC COR and PI BFL for review/follow-up with the specific UPIC. The portion of the review process related to the detection of these patterns/trends will be evaluated/reported as pass or fail for each investigation. The MRAC will complete these reviews within 20 business days.
When the MRAC disagrees with the UPIC’s payment decision or MR rationale on a claim, or identifies unaddressed patterns and/or trends (i.e. the UPIC failed the FWA review portion of the investigations) which may support an allegation of potential FWA, the MRAC will report the results of the accuracy reviews via the Accuracy Review Disagreement Worksheet. The disagreement worksheets will be sent to the MRAC COR/PI BFL via encrypted CD within five business days. If a problem is identified, the PI BFL will notify the UPIC COR.
The UPIC has five business days, from the day it receives the disagreement worksheet(s) from the MRAC to submit their rebuttal to the MRAC POC via an approved format with a copy to the PI BFL, the MRAC COR/Alternate COR. The MRAC will have seven business days from receipt of the rebuttal to complete the review. Once it’s completed, the MRAC will send the Accuracy Review Disagreement worksheets to the UPICS and MRAC COR/PI BFL. The MRAC will also provide CMS with the medical records. If the UPIC requires additional time to submit the rebuttal, the UPIC shall submit a request for extension with justification to the MRAC COR/PI BFL for approval. The UPIC COR shall be included in all correspondence.
The UPIC has five business days from the day it receives the disagreement worksheets from the MRAC to submit their rebuttal to the MRAC POC via email with a copy to the PI BFL, the MRAC COR and the UPIC’s COR. If the MRAC upholds its decision, the UPIC has five business days to request a dispute review with CMS. Once a final determination is made, the UPIC and the MRAC POC will be notified via email by CMS.
In addition to the processes above, the COR shall request assistance from the PI BFL to review a representative sample of agree and disagree claims to evaluate the accuracy of the MRACs' medical record review decisions including the identification of FWA patterns/trends.
If the UPIC's claim decision is found to be erroneous through the accuracy review process and the UPIC has verified with the MAC or SMA that the claim has not been appealed, CMS suggests that for Medicare claims, the UPIC reaches out to their MAC to inform them of the revised claim decision. For Medicaid claims, the UPIC shall reach out to their Medicaid BFL and COR for next steps. Regardless of the claim type, it is up to the MAC or SMA to decide if a claim warrants a re-review. If the claim has been appealed, the appeal decision shall be considered the final decision of the claim. If the investigation has been referred to/accepted by LE, all overpayment activities will be at the direction of LE and shall be referred to the BFL for further guidance.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
This applies to the UPICs.
The UPICs shall be aware of Federal Emergency Management Agency (FEMA) declared natural disasters that occur in their jurisdiction(s). In the immediate aftermath of these occurrences, the UPICs shall assess the circumstances with each provider in declared disaster areas before pursuing investigative activities.
Due to the nature of fraud, waste and abuse that exists in the Medicare program and the potential for emerging trends specific to FEMA declared natural disasters, contractors should remain vigilant in their oversight, monitoring, and proactive/reactive analysis but follow the guidance identified below:
1) Should the contractor confirm that medical record loss resulted from this disaster to the point where administrative relief from medical review requirements is necessary to allow the provider sufficient time to retrieve copies of, or restore damaged, medical documentation, the contractors shall delay the request for medical records for a period of 60-days beginning on the date designated by FEMA/as advised by the COR and ending as directed by their COR. The contractors are permitted to respond to inquiries, requests, or complaints that are submitted by a provider or beneficiary during this 60-day period;
2) The contractors shall consult with their BFL, with a copy to the COR, on any time sensitive issues that must be resolved involving contact with a provider or beneficiary in the areas affected by FEMA declared natural disasters;
3) The contractors shall closely monitor Technical Direction Letters (TDLs)
and Change Requests (CRs) issued to the MACs related to FEMA designated disaster relief efforts; and
4) The contractors are reminded to contact their COR and BFL prior to granting specific relief based on any TDL guidance or PIM requirement. Each contractor shall maintain a list of cases/investigations/complaints to which any exception is granted or applied and must include the basis (TDL or PIM reference) and the actual exception applied.
During a governmentally declared disaster, whether manmade or otherwise, the UPIC shall continue every effort to identify cases of potential fraud, waste, and abuse. If the UPIC suspects fraud of a provider/supplier who cannot furnish medical records in a timely manner due to a disaster, the UPIC shall ensure that the provider/supplier is not attempting to harm the Medicare Trust Fund by taking an unreasonable amount of time to furnish records. The UPIC shall request and review verification documentation in all instances where fraud is suspected.
In the case of complete destruction of medical records/documentation in which backup records exist, the UPIC shall accept reproduced medical records from microfiche, microfilm, or optical disk systems that may be available in larger facilities, in lieu of the original document. In the case of complete destruction of medical records in which no backup records exist, the UPICs shall consult with its BFL, with a copy to the COR, to determine the appropriateness of the request to reconstruct the medical records. If the BFL determines that MR is appropriate, the UPIC shall instruct providers/suppliers to reconstruct the records as completely as possible with whatever original records can be salvaged. Providers/suppliers should note on the face sheet of the completely or partially reconstructed medical record: 'This record was reconstructed because of disaster.'
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs.
Medicare Part A includes a hospice benefit for terminally ill patients. Congress has established a retrospective 'cap' on the aggregate amount that Medicare will reimburse hospice providers each year. Historically, PI contractor reviews of hospices have overlapped with the MAC review of the benefit cap liability for those same hospices; resulting in a potential double recovery for the government. Therefore, the following communication and process between the UPICs and MACs shall be followed, in order to minimize the occurrence of these double recoveries, and check the RAC Data Warehouse to ensure the provider is not under suppression.
hospice review, the UPIC shall coordinate with the MAC to determine whether the hospice is subject to any finalized or ongoing cap liability reviews (self- reported, final, and/or re-opening) for the applicable period of the UPIC's audit.
If there are no cap liability determinations, the UPIC shall proceed with its review. Upon identification of an overpayment, the UPIC shall coordinate with the MAC to ascertain whether in the intervening period (from the claims selection period to the overpayment determination) the hospice had become subject to any cap liability proceedings for that same period.
The UPIC shall finalize its review and issue the findings to the hospice and refer any overpayment to the MAC for collection. The MAC shall take into account the cap liability and adjust as appropriate.
If it is determined that the hospice is subject to any finalized or ongoing cap liability reviews (self-reported, final, and/or re-opening), the UPIC shall consult with the MAC and design a statistical sampling for overpayment estimation (SSOE) for those specific year(s) according to the cap determinations to assist with reconciling cap overpayments. The UPIC shall finalize its review and issue the findings to the hospice and refer any overpayment to the MAC. The MAC shall take into account the overpayments submitted by the UPIC and apply these to any subsequent, ongoing cap overpayments (self-reported, final, and/or reopening). This process ensures that a provider is not penalized for the same beneficiary twice.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
An investigation shall be closed if it is referred to LE (i.e., it is referred to OIG, DOJ, FBI, or AUSA) and there are no pending administrative actions. In addition, an investigation may be closed due to the following circumstances:
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The UPIC shall monitor future claims and related actions of the provider at least 6 months after the UPIC has closed its investigation to ensure the propriety of future payments. In addition to internal screening of the claims, if previous experience or future billings warrant, they shall periodically interview a sampling of the provider's patients to verify that billed services were actually furnished.
If, at the end of a 6-month period, there is no indication of a continuing aberrant pattern, the UPIC shall discontinue the monitoring.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
After completion of the investigation and appropriate legal action, all determined overpayments are recouped by either direct refund or offset against payments being held in suspense. Once recoupment is completed, UPICs shall release any suspended monies that are not needed to recoup determined overpayments and, if applicable, penalties.
UPICs shall monitor future claims and related actions of the provider for at least 6 months, to assure the propriety of future payments. In addition to internal screening of the claims, if previous experience or future billings warrant, they shall periodically interview a sampling of the provider's patients to verify that billed services were actually furnished.
If, at the end of a 6-month period, there is no indication of a continuing aberrant pattern, UPICs shall discontinue the monitoring.
(Rev. 12333; Issued: 10-26-23; Effective: 11-28- 23; Implementation: 11-28-23)
This section applies to UPICs.
Federal, state, and local LE agencies may seek beneficiary and provider/supplier information to further their investigations or prosecutions of individuals or businesses alleged to have committed health care fraud and other crimes for which medical records may be sought as evidence. When these agencies request that a UPIC disclose beneficiary records or provider/supplier information, the responsive disclosure shall comply with applicable federal law as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Business Associate provision of the UPIC's contract. Federal law will dictate whether, and how much, requested information can be disclosed. The determination regarding disclosure will be contingent on the purpose for which it is sought and whether information is sought about beneficiaries or providers/suppliers. For example, certain general information that does not include specific beneficiary identifiers may be shared with a broader community, including private insurers. The information may include that of a general nature of how fraudulent
practices were detected, the actions being taken, and aggregated data showing trends and/or patterns.
The UPIC may release information, in accordance with the requirements specified in Sections A – G below, to the following organizations:
Requests for information from entities not listed above shall be submitted to the COR for approval, with a copy to the BFL.
In deciding to share information voluntarily or in response to outside requests, the UPIC shall carefully review each request to ensure that disclosure would not violate the requirements of the Privacy Act of 1974 (5 U.S.C. §552a) and/or the Privacy Rule (45 CFR, Parts 160 and 164) implemented under the HIPAA. Both the Privacy Act and the Privacy Rule seek to strike a balance that allows the flow of health information needed to provide and promote high-quality health care while protecting the privacy of people who seek this care. In addition, both statutes provide individuals with the right to know with whom their personal information has been shared, necessitating the tracking of any disclosures of information by the UPIC. The UPIC shall direct questions concerning what information may be disclosed under the Privacy Act or Privacy Rule to the CMS Regional Office Freedom of Information Act /privacy coordinator. Ultimately, the authority to release information from a Privacy Act System of Records to a third-party rests with the system manager/business owner of the system of records.
The HIPAA Privacy Rule establishes national standards for the use and disclosure of individuals’ health information (also called protected health information [PHI]) by organizations subject to the Privacy Rule (which are called “covered entities”). As “business associates” of CMS, UPICs are contractually required to comply with the HIPAA Privacy Rule. The Privacy Rule restricts the disclosure of any information, in any form, that can identify the recipient of medical services; unless that disclosure is expressly permitted under the Privacy Rule. Two of the circumstances in which the Privacy Rule allows disclosure are for “health oversight activities” (45 CFR §164.512(d)) and for “law enforcement purposes” (45 CFR §164.512 (f)), provided the disclosure meets all the relevant prerequisite procedural requirements in those subsections.
Generally, PHI may be disclosed to a health oversight agency (as defined in 45 CFR
§164.501) for purposes of health oversight activities authorized by law, including administrative, civil, and criminal investigations necessary for appropriate oversight of the health care system (45 CFR §164.512(d)). The DOJ, through its U.S. Attorneys' Offices and its headquarters-level litigating divisions; the FBI; the HHS OIG; and other federal, state, or local enforcement agencies, are acting in the capacity of health oversight agencies when they investigate fraud against Medicare, Medicaid, or other health care insurers or programs.
The Privacy Rule also permits disclosures for other LE purposes that are not health oversight activities but involve other specified LE activities for which disclosures are permitted under HIPAA, which include a response to grand jury or administrative subpoenas and court orders, and for assistance in locating and identifying material witnesses, suspects, or fugitives. The complete list of circumstances that permit disclosures to a LE agency is detailed in 45 CFR §164.512(f). Furthermore, the Privacy Rule permits covered entities and business associates acting on their behalf to rely on the representation of public officials seeking disclosures of PHI for health oversight or LE purposes, provided that the identities of the public officials requesting the disclosure have been verified by the methods specified in the Privacy Rule (45 CFR §164.514(h)).
The Privacy Act of 1974 protects information about an individual that is collected and maintained by a federal agency in a system of records. A 'record' is any item, collection, or grouping of information about an individual that is maintained by an agency. This includes, but is not limited to, information about educational background, financial transactions, medical history, criminal history, or employment history that contains a name or an identifying number, symbol, or other identifying particulars assigned to the individual. The identifying particulars can be a finger or voiceprint or a photograph. A 'system of records' is any group of records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identification assigned to the individual. For example, Medicare beneficiary data used by UPICs are maintained in a CMS 'system of records' covered by the Privacy Act.
Information from some systems of records may be released only if the disclosure would be consistent with 'routine uses' that CMS has issued and published. Routine uses specify who may be given the information and the basis or reason for access that must exist.
Routine uses vary by the specified systems of record, and a decision concerning the applicability of a routine use lies solely in the purview of the system's manager for each system of record. In instances where information is released as a routine use, the Privacy Act and Privacy Rule remain applicable. For example, the HHS has published a routine use that permits the disclosure of personal information concerning individuals to the DOJ, as needed for the evaluation of potential violations of civil or criminal law and for detecting, discovering, investigating, litigating, addressing, or prosecuting a violation or potential violation of law, in health benefits programs administered by CMS. Refer to 63 Fed. Reg. 38414 (July 16, 1998).
The 1994 Agreement and the 2003 form letter (refer to PIM Exhibits 35 and 25 respectively) are consistent with the Privacy Act. Therefore, requests that appear on the 2003 form letter do not violate the Privacy Act. The Privacy Act of 1974 requires federal agencies that collect information on individuals that will be retrieved by the name or another unique characteristic of the individual to maintain this information in a system of records.
The Privacy Act permits disclosure of a record without the prior written consent of an individual if at least one (1) of 12 disclosure provisions apply. Two of these provisions, the “routine use” provision and/or another “law enforcement” provision, may apply to requests from the DOJ and/or the FBI.
Disclosure is permitted under the Privacy Act if a routine use exists in a system of records.
Both the Fiscal Intermediary Shared System (FISS) #8 and #10, the Multi-Carrier System (MCS), and the VIPS Medicare System (VMS) contain a routine use that permits disclosure to:
“The Department of Justice for investigating and prosecuting violations of the Social Security Act to which criminal penalties attach, or other criminal statutes as they pertain to Social Security Act programs, for representing the Secretary, and for investigating issues of fraud by agency officers or employees, or violation of civil rights.”
The CMS Utilization Review Investigatory File, System No. 09-70-0527, contains a routine use that permits disclosure to “The Department of Justice for consideration of criminal prosecution or civil action.”
The latter routine use is more limited than the former, in that it is only for “consideration of criminal or civil action.” It is important to evaluate each request based on its applicability to the specifications of the routine use.
In most cases, such routine uses will permit disclosure from these systems of records; however, each request should be evaluated on an individual basis.
Disclosure from other CMS systems of records is not permitted (i.e., use of such records compatible with the purpose for which the record was collected) unless a routine use exists or one (1) of the 11 other exceptions to the Privacy Act applies.
The LE provision may apply to requests from the DOJ and/or the FBI. This provision permits disclosures “to another agency or to an instrumentality of any jurisdiction within or under the control of the U.S. for a civil or criminal LE activity if the activity is authorized by law, and if the head of the agency or
instrumentality has made a written request to the agency that maintains the record specifying the particular portion desired and the LE activity for which the record is sought.”
The LE provision may permit disclosure from any system of records if all of the criteria established in the provision are satisfied. Again, requests should be evaluated on an individual basis.
To be in full compliance with the Privacy Act, all requests must be in writing and must satisfy the requirements of the disclosure provision. However, subsequent requests for the same provider/supplier that are within the scope of the initial request do not have to be in writing. The UPICs shall refer requests that raise Privacy Act concerns and/or issues to the CORs for further consideration.
Generally, UPICs may furnish information on a scheme (e.g., where it is operating or specialties involved). Neither the name of a beneficiary or suspect can be disclosed. If it is not possible to determine whether or not information may be released to an outside entity, the UPIC shall contact its COR and BFL for further guidance.
The UPICs may furnish requested specific information concerning ongoing fraud investigations and individually identifiable PHI to any UPIC, SMRC or MAC. The UPICs, SMRCs and MACs are “business associates” of CMS under the Privacy Rule and thus are permitted to exchange information necessary to conduct health care operations. If the request concerns investigations already referred to the OIG/OI, the UPIC shall notify the OIG/OI of the RFI received from another UPIC and notify the requesting UPIC that the case has been referred to the OIG/OI.
When a QIC receives a request for reconsideration on a claim arising from a UPIC review determination, it shall coordinate with the MAC to obtain all records and supporting documentation that the UPIC provided to the MAC in support of the MAC’s first level appeals activities (redeterminations). As necessary, the QIC may also contact the UPIC to discuss materials obtained from the MAC and/or obtain additional information to support the QIC’s reconsideration activities. The QIC shall send any requests to the UPIC for additional information via electronic mail, facsimile, and/or telephone.
These requests should be minimal. The QIC shall include in its request a name, phone number, and address to which the requested information shall be sent and/or follow-up questions shall be directed. The UPIC shall document the date of the QIC’s request and
send the requested information within seven (7) calendar days of the date of the QIC's request. The date of the QIC's request is defined as the date the phone call was made (if a message was left, it is defined as the date the message was left), the date the facsimile was received, or the date of the e-mail request.
Note: Individually identifiable beneficiary information shall not be included in an e-mail. If a QIC identifies a situation of potential fraud, waste, and abuse, it shall immediately refer all related information to the appropriate UPIC for further investigation. Refer to PIM Exhibit 38 for QIC task orders and jurisdictions.
The UPIC may furnish requested specific information concerning ongoing fraud investigations containing personally identifiable information to the QIOs and state survey and certification agencies. The functions QIOs perform for CMS are required by law; thus the Privacy Rule permits disclosures to them. State survey and certification agencies are required by law to perform inspections, licensures, and other activities necessary for appropriate oversight of entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; thus the Privacy Rule permits disclosures to them. If the request concerns cases already referred to the OIG/OI, UPICs shall refer the requestor to the OIG/OI.
The UPIC may furnish requested specific information on ongoing fraud investigations to state Attorneys General and to state agencies. Releases of information to these entities in connection with their responsibility to investigate, prosecute, enforce, or implement a state statute, rule, or regulation may be made as a routine use under the Privacy Act of 1974, as amended; 5 USC §552a(b)(3) and 45 CFR Part 5b Appendix B (5). If individually identifiable PHI is requested, the disclosure shall comply with the Privacy Rule. (Refer to subsection H below and PIM Exhibit 25 for guidance on how requests should be structured to comply with the Privacy Rule.)
The UPIC may, at its discretion, share PIM Exhibit 25 with the requestor as a template to assist them in preparing their request. If the request concerns cases already referred to the OIG/OI, the UPIC shall refer the requestor to the OIG/OI.
Under current Privacy Act requirements applicable to PI investigations, the UPIC may respond to requests from MFCUs for information on current investigations. Releases of information to MFCUs in connection with their responsibility to investigate, prosecute, enforce, or implement a state statute, rule or regulation may be made as a routine use under the Privacy Act of 1974, as amended; 5 USC §552a(b)(3) and 45 CFR Part 5b Appendix B (5). Refer to Subsection H below for further information regarding the
Privacy Act requirements. If individually identifiable PHI is requested, the disclosure shall comply with the Privacy Rule. Refer to subsection H below and PIM Exhibit 25 for guidance on how requests should be structured to comply with the Privacy Rule.
The UPIC may, at its discretion, share PIM Exhibit 25 with the requestors as a template to assist them in preparing their request. If the request concerns cases already referred to the OIG/OI, the UPIC shall refer the requestor to the OIG/OI.
The UPIC shall provide the OIG/OI with requested information and shall maintain cost information related to fulfilling these requests. An RFI shall consist of requests to run data for the OIG (including OnePI national data for suppliers and entities whose billed claims span across multiple jurisdictions), extract of records, or a request to furnish any documentation or reports (see below for requests for assistance). Such requested information may include LE requests for voluntary refund data (see section 4.2.2.8.1.3 of this chapter). The UPIC shall not fulfill a request if there is a substantial impact (i.e., 40 hours or more) on the budget without prior COR approval. The UPIC shall copy the BFL on these requests for approval from the COR. These requests generally fall into one of the following categories:
Priority I – This type of request is a top priority request requiring a quick turnaround. The information is essential to the prosecution of a provider/supplier. The request shall be completed with the utmost urgency. Priority I requests shall be fulfilled within thirty (30) calendar days when the information or material is contained in the UPIC’s files unless an exception exists as described below.
The UPIC shall provide the relevant data, reports, and findings to the requesting agency in the format(s) requested within 30 calendar days or sooner, when possible. The MAC shall furnish requested information to the UPIC within 20 calendar days of receipt of the request from the UPIC unless there are extenuating circumstances. The MAC shall communicate any extenuating circumstances to the UPIC and the MAC COR as soon as they become known. The UPIC shall communicate these extenuating circumstances to its COR.
Periodically, there are instances in which the OIG/OI is in need of the requested information in a shorter timeframe than (30) calendar days. To account for these instances, the UPIC and MAC may add language to their Joint Operating Agreement (JOA) that allows for a shorter timeframe for the MAC to furnish the requested information (i.e. 48 hours, 72, hours, etc.). In these instances, the OIG/OI must provide justification as to why the requested information is needed in a shorter timeframe than the standard Priority I request.
Otherwise, the UPIC shall follow-up with other contractors, and document all communication with contractors to ensure the request is not delayed unnecessarily. If extenuating circumstances exist that prevent the UPIC from meeting the thirty (30) day
timeframe, the UPIC shall inform the requestor what, if any, portion of the request can be provided within thirty (30) days. The UPIC shall notify the requesting office as soon as possible (but not later than thirty (30) days) after receiving the request. The UPIC shall also document all communication with the requesting office regarding the delay, and shall include an estimate of when all requested information will be supplied.
Priority II – This type of request is less critical than a Priority I request. An RFI shall consist of requests to run data for the OIG, extract of records, or a request to furnish any documentation or reports (see below for requests for assistance). Based on the review of its available resources, the UPIC shall inform the requestor what, if any, portion of the request can be provided. The UPIC shall provide the relevant data, reports, and findings to the requesting agency in the format(s) requested.
The UPICs shall respond to such requests within 45 calendar days or sooner, when possible. The MAC shall furnish requested information to the UPIC within 30 calendar days of receipt of the request from the UPIC unless there are extenuating circumstances. The MAC shall communicate any extenuating circumstances to the UPIC and the MAC COR as soon as they become known. The UPIC shall communicate these extenuating circumstances to its COR. The UPIC shall follow-up with other contractors, and document all communication with contractors to ensure the request is not delayed unnecessarily. If extenuating circumstances exist that prevent the UPIC from meeting the 45-day timeframe, the UPIC shall inform the requestor what, if any, portion of the request can be provided within 45 calendar days. The UPIC shall notify the requesting office as soon as possible (but not later than 45 calendar days) after receiving the request. The UPIC shall also document all communication with the requesting office regarding the delay, and shall include an estimate of when all requested information will be supplied.
Request for Assistance (RFA) – An LE RFA is a type of RFI and shall consist of any LE requests that do not include running data and reports but include requests such as the review and interpretation of medical records/medical documentation, interpretation of policies, and reviewing cost reports. The timeframes for RFIs specified in Priority I and II do not apply to RFAs. Due dates shall be negotiated with the requesting entity and documented appropriately along with the reasons for not meeting the agreed upon timeframes. The UPIC shall contact the COR if an agreement cannot be reached on the timeframe for completion. Disclosures of information to the OIG shall comply with the Privacy Rule and Privacy Act. When the OIG makes a data request, the UPIC shall track these requests and document the following: (1) nature/purpose of the disclosure (cite a specific investigation and have a general description); (2) what information was disclosed; and (3) the name of the individual and the agency. The aforementioned information shall be maintained in a secure file and made available to CMS upon request through a secure means.
The CMS has established a level of effort limit of 40 hours for any individual request for support RFIs and RFAs. If the estimated level of effort to fulfill any one request is likely to meet or exceed this figure, the UPIC shall contact its COR for approval to proceed. A
CMS representative will contact the OIG to explore the feasibility of other data search and/or production options.
The UPIC shall obtain approval from the COR regarding requests started by the UPIC that it subsequently anticipates will exceed that 40-hour level of effort. The UPIC shall not exceed the 40-hour level of effort until it receives COR approval.
In April 1994, CMS entered into an interagency agreement with the OIG and the DOJ that permitted UPICs to furnish information that previously had to be routed through OIG (refer to PIM Exhibit 16) including data related to the investigation of health care fraud matters directly to the DOJ that previously had to be routed through OIG (refer to PIM Exhibit 35). This agreement was supplemented on April 11, 2003, when in order to comply with the HIPAA Privacy Rule, the DOJ issued procedures, guidance, and a form letter for obtaining information (refer to PIM Exhibit 25). CMS and the DOJ have agreed that the DOJ's requests for individually identifiable health information will follow the procedures that appear on the form letter (refer to PIM Exhibit 25). The 2003 form letter must be customized to each request. The form letter mechanism is not applicable to requests regarding Medicare Secondary Payer (MSP) information, unless the DOJ requestor indicates he or she is pursuing an MSP fraud matter.
The PIM Exhibit 25 contains the entire document issued by the DOJ on April 11, 2003. The UPIC shall familiarize itself with the instructions contained in this document. Data requests for individually identifiable PHI related to the investigation of health care fraud matters will come directly from those individuals at the FBI or the DOJ who are involved in the work of the health care oversight agency (including, for example, FBI agents, Assistant U.S. Attorneys, or designees such as analysts, auditors, investigators, or paralegals). For example, data may be sought to assess allegations of fraud; examine billing patterns; ascertain dollar losses to the Medicare program for a procedure, service, or time period; determine the nature and extent of a provider's/supplier's voluntary refund(s); or conduct a random sample of claims for MR. The LE agency should begin by consulting with the appropriate Medicare contractor (usually the UPIC, but possibly also the MAC) or CMS to discuss the purpose or goal of the data request. Requests for cost report audits and/or associated documents shall be referred directly to the appropriate MAC.
The UPIC shall discuss the information needed by the DOJ and determine the most efficient and timely way to provide the information. When feasible, the UPIC shall use statistical systems to inform the DOJ of the amount of dollars associated with its investigation, and the probable number of claims to expect from a claims-level data run. The UPIC shall obtain and transmit relevant statistical information to the DOJ (as soon as possible but no later than five (5) calendar days). The UPIC shall advise the DOJ of the anticipated volume, format, and media to be used (or alternative options, if any) for fulfilling a request for claims data.
The UPIC shall provide the DOJ with the requested information and shall maintain cost information related to fulfilling these requests. An RFI shall consist of requests to run data for the DOJ (including national data for suppliers and entities whose claims billings span across multiple jurisdictions), extract of records, or a request to furnish any documentation or reports.
The DOJ will confirm whether a request for claims data remains necessary based on the results of statistical analysis. If so, the DOJ and CMS will discuss issues involving the infrastructure and data expertise necessary to analyze and further process the data that CMS will provide to the DOJ.
If the DOJ confirms that claims data are necessary, the DOJ will prepare a formal request letter to the UPIC with existing DOJ guidance (Exhibit 25).
The UPIC shall provide data to the DOJ, when feasible, in a format to be agreed upon by the UPIC and the DOJ. Expected time frames for fulfilling the DOJ claims-level data requests will depend on the respective source(s) and duration of time for which data are sought, with the exception of emergency requests, which require coordination with Headquarters, the DOJ, and CMS staff. These are as follows:
Emergency Requests - Require coordination with Headquarters DOJ and CMS staff.
Priority I – This type of request is a top priority request requiring a quick turnaround. The information is essential to the prosecution of a provider/supplier. A RFI shall consist of requests to run data for the DOJ, extract of records, or a request to furnish any documentation or reports (see below for requests for assistance). The request shall be completed with the utmost urgency. Priority I requests shall be fulfilled within thirty (30) calendar days when the information or material is contained in the UPIC’s files unless an exception exists as described below.
The UPIC shall provide the relevant data, reports, and findings to the requesting agency in the format(s) requested within 30 calendar days or sooner, when possible. The MAC shall furnish requested information to the UPIC within 20 calendar days of receipt of the request from the UPIC unless there are extenuating circumstances. The MAC shall communicate any extenuating circumstances to the UPIC and the MAC COR as soon as they become known. The UPIC shall communicate these extenuating circumstances to its COR.
Periodically, there are instances in which the DOJ is in need of the requested information in a shorter timeframe than (30) calendar days. To account for these instances, the UPIC and MAC may add language to their JOA that allows for a shorter timeframe for the MAC to furnish the requested information (i.e. 48 hours, 72, hours, etc.). In these instances, the DOJ must provide justification as to why the requested information is needed in a shorter timeframe than the standard Priority I request.
Otherwise, the UPIC shall follow-up with other contractors, and document all communication with contractors to ensure the request is not delayed unnecessarily. If extenuating circumstances exist that prevent the UPIC from meeting the thirty (30) day timeframe, the UPIC shall inform the requestor what, if any, portion of the request can be provided within thirty (30) days. The UPIC shall notify the requesting office as soon as possible (but not later than thirty (30) days) after receiving the request. The UPIC shall also document all communication with the requesting office regarding the delay, and shall include an estimate of when all requested information will be supplied.
Priority II Requests – This type of request is less critical than a Priority I request. An RFI shall consist of requests to run data for the DOJ, extract of records, or a request to furnish any documentation or reports (see below for requests for assistance). Based on the review of its available resources, the UPIC shall inform the requestor what, if any, portion of the request can be provided. The UPIC shall provide the relevant data, reports, and findings to the requesting agency in the format(s) requested.
The UPIC shall respond to such requests within 45 calendar days or sooner, when possible. The MAC shall furnish requested information to the UPIC within 30 calendar days of receipt of the request from the UPIC unless there are extenuating circumstances. The MAC shall communicate any extenuating circumstances to the UPIC and the MAC COR as soon as they become known. The UPIC shall communicate these extenuating circumstances to its COR. The UPIC shall follow-up with other contractors, and document all communication with contractors to ensure the request is not delayed unnecessarily. If extenuating circumstances exist that prevent the UPIC from meeting the 45-day timeframe, the UPIC shall inform the requestor what, if any, portion of the request can be provided within 45 calendar days. The UPIC shall notify the requesting office as soon as possible (but not later than 45 calendar days) after receiving the request. The UPIC shall also document all communication with the requesting office regarding the delay, and shall include an estimate of when all requested information will be supplied.
RFA – A LE RFA is a type of RFI and shall consist of any LE requests that do not include running data and reports, but include requests such as the review and interpretation of medical records/medical documentation, interpretation of policies, and reviewing cost reports. The timeframes for RFIs specified in Priority I and II do not apply to RFAs. Due dates shall be negotiated with the requesting entity and documented appropriately along with the reasons for not meeting the agreed upon timeframes. The UPIC shall contact the COR if an agreement cannot be reached on the timeframe for completion.
Disclosures of information to the DOJ shall comply with the Privacy Rule and Privacy Act. When DOJ makes a data request, the UPIC shall track these requests and document the following: (1) nature/purpose of the disclosure (cite a specific investigation and have a general description); (2) what information was disclosed; and (3) name of the individual and the agency. The aforementioned information shall be maintained in a secure file and made available to CMS upon request through a secure means.
The CMS has established a level of effort limit of 40 hours for any individual request for support (RFIs and RFAs). If the estimated level of effort to fulfill any one request is likely to meet or exceed this figure, the PI contractor shall contact its COR for approval to proceed. A CMS representative will contact the OIG to explore the feasibility of other data search and/or production options.
The UPIC shall obtain approval from the COR regarding requests started by the UPIC that it subsequently anticipates will exceed that 40-hour level of effort. The UPIC shall not exceed the 40-hour level of effort until it receives COR approval.
If the UPIC receives duplicate or similar RFIs from OIG and DOJ, the UPIC shall notify the requestors. If the requestors are not willing to share the information, the UPIC shall ask the BFL, with a copy to the COR, for assistance.
For each data request received from the DOJ and the OIG, the UPIC shall maintain a record that includes:
The UPIC shall not send document request letters or go onsite to providers/suppliers to obtain medical records solely at the direction of LE. However, if LE furnishes the medical records and requests the UPIC to review and interpret medical records for them, the UPIC shall require LE to put this request in writing. At a minimum, this request shall include the following information:
The UPIC shall present the written request to the COR, and copy its BFL prior to fulfilling the request. Each written request will be considered on a case-by-case basis to
determine whether the UPIC has resources to fulfill the request. If so, the request may be approved.
If LE requests the UPIC to perform MR on all investigations the UPIC initiates, the UPIC shall perform MR if it deems it necessary, on a case-by-case basis. The UPIC shall inform the COR and copy its BFL of such requests by LE.
It is recommended that the MR Manager be included in the evaluation of the Request for MR to provide input as to:
If LE requests the UPIC to perform an audit of a Medicare provider's cost report for fraud, the UPIC shall consult with the MAC to inquire if an audit of the cost report has already been performed. The UPIC shall also consult with the COR and BFL. The UPIC shall provide its COR and copy its BFL with the basis for the LE request and a detailed cost estimate to complete the audit. If the COR approves the audit, the UPIC shall perform the audit within the timeframe and cost agreed upon with LE.
If a UPIC receives a RFI from LE that crosses several UPIC zones, the UPIC shall contact its BFL, with a copy to the COR. In the event that multiple zones are providing information in connection with the request, each UPIC shall enter a separate entry into the UCM as described in Section 4.12 of this chapter. The BFL may assign a lead UPIC to process these requests that will coordinate with the other UPICs to obtain the necessary data and consolidate the information into one comprehensive response for the requestor. The lead UPIC may be the UPIC that initially received the request; however, the nature of the RFI should be considered when assigning a lead UPIC.
The UPIC shall assist CMS in processing requests from members of the public for records/information in accordance with the Freedom of Information Act (FOIA) (5 U.S.C. 552). Specifically, the UPIC shall adhere to FOIA policy, procedure, and instructions contained within Department of Health and Human Services FOIA regulations at 45 CFR Part 5, the HIPAA Regulations at 45 CFR 164.508, Chapter 6 of Program Manual Pub 100-1, the FOIA Policy and Procedural Guide, and any supplemental guidance issued by the Centers for Medicare & Medicaid Services (CMS) Freedom of Information Officer. FOIA guidelines can be found at
http://www.cms.gov/FOIA/.
Should the UPIC directly receive a FOIA request from any external requestors and/or CMS components other than their CPI BFL(s) or COR(s), they shall submit the FOIA request to the CMS Office of Strategic Operations and Regulatory Affairs (OSORA) FOIA Mailbox (FOIA_Request@cms.hhs.gov) for processing.
Once the FOIA request is received by the OSORA FOIA Mailbox, it will be logged and assigned to the appropriate CPI component. Once assigned to CPI, should the FOIA request require UPIC investigative and/or audit materials, the appropriate CPI component will request the materials from the UPIC, with a copy to the applicable COR.
Upon receipt of the FOIA request, the UPIC shall provide all relevant investigative information as requested in the FOIA request letter to their BFL through an agreed upon delivery method (i.e., email, Box, etc.), with a copy to their COR, by an agreed upon date between both parties. The UPIC shall include a cover letter with their response, of which outlines the information that is included in their response package and any recommended FOIA exemptions, as described at https://www.sec.gov/foia/nfoia.htm.
If the UPIC determines that FOIA costs will have a budgetary impact that will affect their contract line-item value, the UPIC shall notify the COR immediately.
If a case is still pending at the OIG, FBI, or AUSA, and denials are reversed by an Administrative Law Judge (ALJ), the UPIC should recommend to CMS that it consider protesting the ALJ's decision to the DHHS Appeals Council, which has the authority to remand or reverse the ALJ's decision. UPICs should be aware, however, that ALJs are bound only by statutory and administrative law (federal regulations), CMS rulings, and National Coverage Determinations.
The UPIC shall consult with its BFL, with a copy to the COR, before initiating a protest of an ALJ's decision. They should be aware that the Appeals Council has only 60 days in which to decide whether to review an ALJ's decisions. Thus, CMS needs to protest the ALJ decision within 30 days of the decision, to allow the Appeals Council to review within the 60-day limit. The UPIC shall notify all involved parties immediately if it learns that claims/claim denials have been reversed by an ALJ in a case pending prosecution.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
When the UPIC denies a claim and the provider, supplier, physician or beneficiary appeals the denial, the MAC shall request the medical records and documentation that the UPIC used in making its determination. The UPIC shall assemble the case file and send it to the MAC within five (5) calendar days. If the MAC request is received outside of normal business hours or on an observed holiday that the UPIC is closed for business, the first calendar day will not be counted until the first business day after receipt of the request (i.e. if received on Saturday, the following Monday will be counted as the first calendar day).
The UPIC shall include any position papers or rationale and support for its decision so that the appeals adjudicator can consider it during the appeals process. However, UPICs shall be aware that an appeals case file is discoverable by the appellant. This means that the appellant can receive a complete copy of the case file. Since the provider may receive the case file, the UPIC shall consult with law enforcement before including any sensitive information relative to a case.
If the UPIC would like to be notified of an ALJ hearing on a particular case, the UPIC shall put a cover sheet in the case file before sending it to the MAC. The cover sheet shall state that the UPIC would like to be notified of an ALJ hearing and list a contact name with a phone and fax number where the contact can be reached. The cover sheet shall also include language stating, 'PLEASE DO NOT REMOVE' to ensure it stays on the case file should the file be sent to the QIC. If the UPIC receives a notice of hearing, the UPIC shall contact the QIC immediately.
The QICs are tasked with participating in ALJ hearings; therefore, they are the primary Medicare contractor responsible for this function. UPICs may participate in an ALJ hearing, but they shall work with the QIC to ensure that duplicative work is not being performed by both the UPIC and the QIC in preparation for the hearing. UPICs shall never invoke party status. If the UPIC participates in a hearing, it shall be as a non-party. An ALJ cannot require participation in a hearing, whether it is party or non-party. If a UPIC receives a notice that appears contrary to this instruction, the UPIC shall contact the QIC and their primary BFL, with a copy to the COR, immediately.
(Rev. 13821; Issued:06-09-26; Effective: 02-26-26; Implementation: 02-26-26)
This section applies to UPICs and the I-MEDIC.
UPICs and the I-MEDIC shall use a central, non-specific contractor mailbox for standard communications with providers, suppliers, and/or their authorized representatives. In addition, routine written communication related to investigative activities and administrative actions, including Medical Record Request letters, Notice of Payment Suspension letters, and Final Findings Letters from the UPIC, should contain a point of contact, contractor e-mail/mailbox information, and/or phone numbers for the point of contact should a provider or supplier have questions.
(Rev. 13821; Issued:06-09-26; Effective: 02-26-26; Implementation: 02-26-26)
This section applies to UPICs and the I-MEDIC, outlining the protocol to be followed when a provider, supplier, or their authorized representative requests to speak with the UPIC or I-MEDIC management or has escalated a matter related to an investigation or administrative action through direct outreach to CMS, Congressional Offices or other external entities.
(Rev. 13821; Issued:06-09-26; Effective: 02-26-26; Implementation: 02-26-26)
If a UPIC directly receives a Congressional Inquiry from any external requestor and/or CMS components other than CPI, they shall immediately submit the Congressional Inquiry for processing to the appropriate CMS BFL or designated staff person (dependent upon the nature of the Congressional Inquiry; i.e. investigation related, payment suspension related, etc.). The UPIC shall also send a copy of the communication to their COR.
Once the Congressional Inquiry is received by CMS, it will be logged, reviewed, and assigned to the appropriate UPIC(s), as needed. Upon UPIC receipt of a Congressional Inquiry assignment, the UPIC shall prepare all relevant information as requested in the Congressional Inquiry, and submit the information to the appropriate CMS BFL or
designated staff person, with a copy to their COR, by an agreed upon date and delivery method. The UPIC shall not respond directly to the Congressional Office. Upon CMS receipt of the UPIC's relevant information, CMS will coordinate internally and respond to the inquiry as needed
(Rev. 13821; Issued:06-09-26; Effective: 02-26-26; Implementation: 02-26-26)
If a matter is escalated, such as when a provider, supplier, and/or their authorized representative requests to speak with UPIC or I-MEDIC management through verbal or written communication, the contractor shall contact the inquiring party in a manner which they deem most appropriate to acknowledge the inquiry or concern and provide a response within 3 business days unless circumstances prevent this, and/or CMS has already advised on the same topic. This ensures transparency and responsiveness once a matter reaches a heightened level of concern. The contractor representative shall ensure all mailboxes and phone messages are checked at least twice each business day for incoming communication.
Escalated inquiries referred to CMS directly by the provider, supplier, or their authorized representative will be responded to by the designated Business Function Lead(s) (BFLs) in the Division of Provider Investigations (DPI) after clearance through the Fraud Investigations Group Front Office (FIG FO) in accordance with current guidelines.
(Rev. 13821; Issued:06-09-26; Effective: 02-26-26; Implementation: 02-26-26)
This section only applies to UPICs. For payment suspension matters that have been escalated:
(Rev. 13821; Issued:06-09-26; Effective: 02-26-26; Implementation: 02-26-26)
To maintain the integrity of the investigation, UPICs generally, unless otherwise advised, do not respond to provider and supplier inquiries when the provider or supplier is placed on full zone restriction by law enforcement (LE). However, UPICs are encouraged to communicate with the LE contact in such situations to determine the best and appropriate course of action. For partial zone restrictions, UPICs may conduct certain investigative activities in accordance with directives by LE; however, communication and responses to inquiries regarding the case or status by the provider or supplier should not be conducted unless otherwise directed by LE.
All communication between the UPICs/I-MEDIC and a provider, supplier, or their authorized representative, including receipt of inquiry, coordination with CMS, and response to the inquirer, shall be documented in the appropriate UCM CSE(s).
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The UPIC shall refer investigations to law enforcement when it has substantiated allegations of fraud including, but not limited to, documented allegations that a provider, beneficiary, supplier, or other subject: (a) engaged in a pattern of improper billing, (b) submitted improper claims with suspected knowledge of their falsity, or (c) submitted improper claims with reckless disregard or deliberate ignorance of their truth or falsity. Prior to making such referrals, the UPIC shall follow the direction as outlined in § 4.9.2 Referral of Cases to the OIG/OI, unless otherwise instructed by CMS.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
The UPIC shall notify the OIG/OI of an immediate advisement as quickly as possible, but not more than four (4) business days after identifying a lead or investigation that meets the following criteria. The UPIC shall maintain internal documentation on these advisements when it receives allegations with one or more of the following characteristics:
Confirmation of forged documentation during the course of an investigation, include, but is not limited to:
o identification of forged documents through medical review; and/or
IAs should be referred to the OIG/OI only when the above criteria are met, unless prior approval is given by the BFL.
Should local LE have specific parameters or thresholds in place that do not allow them to accept certain IAs, the UPIC shall notify its BFL, with a copy to the COR, and request exemption from the applicable IA criteria in that particular jurisdiction.
When IA criteria are met, the UPICs shall perform an initial assessment to identify and document dollars currently pending payment to the provider. Should high dollar amounts be identified with either scenario, the UPIC shall notify CMS immediately, but not to exceed two (2) business days from date of identification.
Once the criteria for an IA are met, the UPIC shall notify the OIG/OI via phone or email to determine if a formal IA referral should be sent to the OIG/OI. If the IA is related to a provider/supplier that spans multiple jurisdictions, the UPIC shall notify any impacted UPIC and/or I-MEDIC Program Directors of the potential IA, allegation, and IA criteria.
The UPIC shall document this communication in UCM. The UPIC shall also send notification to its appropriate BFL, with a copy to the COR, of the potential IA. If the UPIC does not receive a response from the OIG/OI within two (2) business days (5 business days for the I-MEDIC), it shall notify its appropriate BFL, with a copy to the COR, and await further instructions. If the OIG/OI confirms that a formal IA should be sent, the UPIC shall provide all available documentation, including billed/paid amounts for the YTD and the previous year, to the OIG/OI within four (4) business days of receiving the response from OIG/OI. Upon submission of the IA to the OIG/OI, the UPIC shall request written and/or email confirmation from the OIG/OI acknowledging receipt of the IA. Simultaneously, the UPIC shall notify the CMS identified Strike Force points of contacts, if the notification includes providers/suppliers located within a Strike Force jurisdiction. Additionally, the UPIC shall notify and send a copy of the IA to its COR/BFL and the case coordination team, at CPIMCCNotifications@cms.hhs.gov, the same day the advisement is made to OIG/OI. In this notification to CMS, the UPIC shall advise if it has any other potential administrative actions it may want to pursue related to the provider(s)/supplier(s). The provider(s)/supplier(s) identified in an accepted IA shall be added to the UPIC's next scheduled case coordination meeting.
If the OIG/OI determines that a formal IA is not needed, the UPIC shall advise its appropriate BFL, with a copy to the COR, and immediately continue its investigation. In instances where an IA is related to a Plan employee whistleblower, the I-MEDIC does not have to notify the case coordination team of the IA nor does the IA have to be discussed at a case coordination meeting. Rather, the I-MEDIC shall close the complaint upon acceptance and/or declination of the IA due to these complaint types being outside of the I-MEDIC's SOW.
If the IA is related to a provider/supplier that spans multiple jurisdictions, the UPIC shall send a notification to the other UPIC and/or I-MEDIC Program Directors on the same date the formal IA is sent to OIG/OI. The UPIC shall copy its COR/BFL on such communication. Upon receipt of the notification from the primary UPIC, the other UPICs and/or I-MEDIC shall provide confirmation to the primary UPIC and its COR/BFL that the notification has been received, and it is ceasing activity as instructed below. Upon receipt of acceptance or declination of the IA from the OIG/OI, the primary UPIC shall notify the other UPIC and/or I-MEDIC Program Directors of the outcome.
Upon identification and submission of an IA to the OIG/OI, unless otherwise directed, all impacted UPICs and/or I-MEDIC shall cease all investigative and administrative activities, with the exception of screening activities, data analysis, etc., until the OIG/OI responds with its acceptance or declination of the IA. If the UPIC does not receive an immediate response from the OIG/OI, the UPIC shall contact OIG/OI after two (2) business days from the date of the IA notification and document the communication in the UCM system. If the UPIC does not receive a response from the OIG/OI within five (5) business days from the date of the IA notification, the UPIC shall contact its appropriate BFL, with a copy to the COR, for further guidance.
If the OIG/OI declines or accepts the IA, the UPIC shall document the decision in UCM and follow the processes described in Chapter 4, § 4.5, 4.6, and 4.7 of the PIM, unless otherwise directed by CMS.
Additionally, until the necessary updates are made in the UCM, if the UPIC submits an IA based on the updated criteria, it shall select all six (6) IA options on the “External Stakeholders” page of the UCM, and notate the justification of the IA in the Record Summary section of the UCM.
During the case coordination meeting, the UPIC may receive additional guidance from CMS related to subsequent actions related to the IA. If the UPIC has questions following the case coordination meeting, the UPIC shall coordinate with its appropriate BFL, with a copy to the COR.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
The UPIC shall identify cases of potential fraud and shall make referrals of such cases, as appropriate, to the OIG/OI, regardless of dollar thresholds or subject matter. Matters shall be referred when the UPIC has documented allegations including, but not limited to, a provider, beneficiary, supplier, or other subject, a) engaged in a pattern of improper billing, b) submitted improper claims with suspected knowledge of their falsity or c) submitted improper claims with reckless disregard or deliberate ignorance of their truth or falsity.
If the UPIC believes a case should be referred to LE, the UPIC shall discuss the matter with its BFL. If the BFL agrees that referral to LE is appropriate, the UPIC shall update the UCM appropriately to ensure the provider/supplier is included in the next case coordination meeting discussion for final approval. If it is determined an investigation should be referred to LE, the UPIC shall refer the matter to the designated OIG/OI Special Agents-in-Charge (SAC), Department of Justice Assistant United States Trial Attorneys, or other parties identified during the case coordination discussion. In such instances, the UPIC shall make immediate referrals to the designated parties within seven (7) calendar days, unless otherwise specified by its BFL.
Referrals to LE shall include all applicable information that the UPIC has obtained through its investigation at the time of the referral. The UPIC shall utilize the “LE Referral Template” available in PIM Exhibit 16.1 Additionally, if the referral is related to a multi-jurisdiction or national provider/supplier, the UPIC shall coordinate and collect all applicable investigative information from the other UPICs that have an open investigation on that same provider/supplier. The UPIC shall then send one comprehensive referral with all the UPICs’ investigative findings to LE. Once the referral package is complete, the UPIC shall submit the referral to LE and copy its COR and BFL. Upon submission of the referral to LE, the UPIC shall request written and/or email confirmation from LE acknowledging receipt of the referral. UCM shall be updated with the date the referral was sent, the name of the agent acknowledging receipt
of the referral, and the date of receipt. In the event that written confirmation is not received, the UPIC shall notify the appropriate BFL, with a copy to the COR.
As previously instructed, the UPIC shall continue to refrain from implementing any additional administrative actions against the provider/supplier without CMS approval during the 60-day window OIG/OI and/or DOJ has to respond to the referral.
If OIG/OI and/or DOJ declines the case, the UPIC shall notify its COR and respective CPI points of contact within two (2) business days in order to move forward with the secondary administrative actions identified during the case coordination meeting. Following this notice, the UPIC shall work with its respective BFL or suspension team member on developing the appropriate documentation for the designated secondary actions.
Regarding LE Referrals that are declined and/or returned to the I-MEDIC to take appropriate administrative action to the extent possible, should there be an outstanding overpayment that the Medicare Part C Plan Sponsor(s) could develop, upon receipt of LE's Referral declination/return, the I-MEDIC shall notify the appropriate Medicare Part C Plan Sponsor(s) of the status of the LE Referral and the outstanding overpayment, and advise the Medicare Part C Plan Sponsor(s) to move forward with the overpayment recovery efforts.
This notification shall take place within five (5) business days upon receipt of the declination/return of the LE Referral. In addition, the I-MEDIC shall document this communication in the UCM REF record, indicating the date of the LE Referral declination/return, outstanding overpayment amount, if appropriate. The I-MEDIC shall also document the Medicare Part C Plan Sponsors impacted, the date the notification was issued to the Medicare Part C Plan Sponsors, as well as the point-of-contact at the Medicare Part C Plan Sponsor(s) who received the notification. Upon submission of this notification to the Medicare Part C Plan Sponsor(s), the I-MEDIC shall close the REF record as required.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The UPIC shall use the Referral Fact Sheet Template when preparing referrals to the OIG/OI. The UPIC shall forward the referral directly to the OIG, shall send a copy of the referral to its BFL(s) and COR(s), and shall retain a copy of the referral in the investigation case file.
The Referral Fact Sheet Template can be found in PIM Exhibit 16.1.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
The UPICs take immediate action to implement appropriate administrative remedies, including the suspension or denial of payments, and the recovery of overpayments (see PIM, chapter 3). Because the case has been rejected by LE, UPICs shall consult with the BFL or Suspension SME concerning the imposition of suspension. They pursue administrative and/or civil sanctions by OIG where LE has declined a case.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
Unless no additional administrative action and/or investigation is warranted, the UPIC shall not close a case simply because it is not accepted by OIG/OI. Since the subject is likely to continue to demonstrate a pattern of fraudulent activity, they shall continue to monitor the situation and to document the file, noting all instances of suspected fraudulent activity, complaints received, actions taken, etc. This will strengthen the case if it is necessary to take further administrative action or there is a wish to resubmit the case to OIG/OI at a later date. If the UPICs do resubmit the case to OIG/OI, they shall highlight the additional information collected and the increased amount of money involved.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
If the OIG/OI declines a case that the UPIC believes has merit, the UPIC shall first implement any identified secondary administrative action, and then advise their BFL, with a copy to the COR, to determine if referral to another law enforcement agency, such as the FBI, DEA, Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), RRB/OIG, and/or MFCU, is appropriate. The UPIC must receive BFL approval prior to submitting a referral to another law enforcement agency, of which the UPIC shall document in the UCM.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
The UPIC shall refer instances of apparent unethical or improper practices or unprofessional conduct to state licensing authorities, medical boards, the QIO, or professional societies for review and possible disciplinary action.
Additionally, referrals should be made to the Medicare survey and certification agency which exist in each state, typically within the state's Department of Health. The survey agency has a contract with CMS to survey and certify institutional providers, indicating whether they meet or do not meet applicable Medicare health and safety requirements, called 'conditions of participation.' Providers not meeting these requirements are subject to a variety of adverse actions, including bans on new admissions to termination
of their provider agreements. These administrative sanctions are imposed by the Regional Office, typically after an onsite survey by the survey agency.
The UPIC’s and the MAC’s MR staffs shall confer before such referrals, to avoid duplicate referrals. The UPIC shall gather available information and leave any further investigation, review, and disciplinary action to the appropriate professional society or State board. Consultation and agreement between the UPIC’s and the MAC’s MR staffs shall precede any referral to these agencies.
The UPIC shall notify its BFL, with a copy to the COR, of these referrals.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
Communication with the QIO is essential to discuss the potential impact of efforts to prevent abuse, as well as ensure efforts are made to improve quality of care and access to such care.
If potential patient harm is discovered during the course of screening a lead or through the investigation process, the UPIC shall refer those instances to the QIO, state medical board, or state licensing agency. In addition to making the appropriate referrals, the UPIC shall notify the BFL, with a copy to the COR, within two (2) business days once the potential patient harm issue is discovered.
If the UPIC refers a provider to the State licensing agency or medical society (i.e., those referrals that need immediate response from the State licensing agency), the UPIC shall also send a copy of the referral to the QIO.
If a claim has been reviewed by the QIO, the decision made is final and binding on CMS, and the specific decision rendered by the QIO shall not be overturned by the UPIC.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
There are certain instances when the UPIC may refer cases to the MAC for review and additional education. At any time during the course of a review of a provider, the UPIC may determine that referral to the MAC is appropriate. Under certain circumstances, CMS may direct the UPIC to initiate a referral to the MAC at any time if deemed appropriate.
The following are examples of when it may be appropriate for the UPIC to submit a referral to the MAC:
waste, or abuse issue (e.g. MR, enrollment, claims processing). - During lead screening, the UPIC determines that the risk for fraud, waste, or abuse is extremely low. Such a determination could be made based upon a low total amount of dollars at risk, information that the erroneous billing was unintentional or without a significant pattern. - During the investigation, the only available outcome deemed appropriate by the UPIC at the time is the identification of an overpayment and no referral to law enforcement or other administrative actions are contemplated (i.e. revocation, payment suspension, etc.). The UPIC shall complete their review, calculate the overpayment, and refer the matter to the MAC for issuance of the overpayment and for potential education and/or MAC medical review
If the UPIC refers a provider/supplier to the MAC, but subsequently receives additional information of potential fraud, waste, and/or abuse that warrants further UPIC review, the UPIC shall inform the MAC that they are re-opening the investigation of the provider/supplier.
There are certain instances when the UPIC may determine that it is not appropriate to refer cases to the MAC for review. During the investigation, the UPIC may determine that the provider has been previously educated on the same issue(s) and there is a potential for the UPIC to pursue other administrative actions and/or referral to law enforcement. In those instances, the UPIC shall continue to monitor for fraud, waste, and/or abuse.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The term “sanctions” represents the full range of administrative remedies and actions available to deal with questionable, improper, or abusive practices of practitioners, providers, and suppliers under the Medicare and Medicaid programs or any state health care programs as defined under §1128(h) of the Act. There are two purposes for these sanctions. First, they are designed to be remedial, to ensure that questionable, improper, or abusive practices are dealt with appropriately. Practitioners, providers, and suppliers are encouraged to correct their behavior and operate in accordance with program policies and procedures. Second, the sanctions are designed to protect the programs by ensuring that improper payments are identified and recovered and that future improper payments are not made.
The primary focus of this section is sanctions authorized in §1128 and §1128A of the Act (exclusions and CMPs). Other, less severe administrative remedies may precede the more punitive sanctions affecting participation in the programs. The corrective actions UPICs, SMRCs, and MACs shall initially consider are:
• Provider education and warnings; • Revocation of assignment privileges; • Suspension of payments (refer to PIM, chapter 3); • Recovery of overpayments (refer to PIM, chapter 3); and
Referral of situations to state licensing boards or medical/professional societies.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The MAC shall be responsible for:
• Ensuring that no payments are made to provider/suppliers for a salaried individual who is excluded from the program. OIG, as it becomes aware of such employment situations, notifies providers that payment for services furnished to Medicare patients by the individual is prohibited and that any costs (salary, fringe benefits, etc.) submitted to Medicare for services furnished by the individual will not be paid. A copy of this notice is sent to the UPIC and to the appropriate RO.
The UPIC and the MAC shall work out the following in their JOA:
• Furnishing any available information to the OIG/OI with respect to providers/suppliers requesting reinstatement. • Reporting all instances where an excluded provider/supplier submits claims for which payment may not be made after the effective date of the exclusion.
The UPIC shall also be responsible for:
• Contacting OIG/OI when it determines that an administrative sanction against an abusive provider/supplier is appropriate. • Providing OIG/OI with appropriate documentation in proposed administrative sanction cases.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
Section 1128 of the Act provides the Secretary of DHHS the authority to exclude various health care providers, individuals, and businesses from receiving payment for services that would otherwise be payable under Medicare, Medicaid, and all federal health care programs. This authority has been delegated to the OIG.
When an exclusion is imposed, no payment is made to anyone for any items or services in any capacity (other than an emergency item or service provided by an individual who
does not routinely provide emergency health care items or services) furnished, ordered, or prescribed by an excluded party under the Medicare, Medicaid, and all federal health care programs. In addition, no payment is made to any business or facility, e.g., a hospital, that submits claims for payment of items or services provided, ordered, prescribed, or referred by an excluded party.
The OIG also has the authority under §1128(b)(6) of the Act to exclude from coverage items and services furnished by practitioners, providers, or other suppliers of health care services who have engaged in certain forms of program abuse and quality of care issues. In order to prove such cases, the UPICs shall document a long-standing pattern of care in which educational efforts have failed to change the abusive pattern. Isolated instances and statistical samples are not actionable. Medical doctors must be willing to testify.
Authority under §1156 of the Act is delegated to OIG to exclude practitioners and other persons who have been determined by a QIO to have violated their obligations under §1156 of the Act. To exclude, the violation of obligation under §1156 of the Act must be a substantial violation in a substantial number of cases or a gross and flagrant violation in one or more instances. Payment is not made for items and services furnished by an excluded practitioner or other person. Section 1156 of the Act also contains the authority to impose a monetary penalty in lieu of exclusion. Section 1156 exclusion actions and monetary penalties are submitted by QIOs to the OIG/OI.
Payment is not made for items and services furnished by an excluded practitioner or other person.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
Exclusions under §1128(b)(6) of the Act are effected upon a determination that a provider has done one of the following:
For purposes of the exclusion procedures, “furnished” refers to items or services provided or supplied, directly or indirectly, by any individual or entity. This includes items or services manufactured, distributed or otherwise provided by individuals or entities that do not directly submit claims to Medicare, Medicaid or other Federal health care programs, but that supply items or services to providers, practitioners or suppliers who submit claims to these programs for such items or services.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The UPIC shall review and evaluate abuse cases to determine if they warrant exclusion action. Examples of abuse cases suitable for exclusion include, but are not limited to:
Also, §1833(a)(1)(D) of the Act provides that payment for clinical diagnostic laboratory tests is made on the basis of the lower of the fee schedule or the amount of charges billed for such tests. Laboratories are subject to exclusion from the Medicare program under §1128(b)(6)(A) of the Act where the charges made to Medicare are substantially in excess of their customary charges to other clients. This is true regardless of the fact that the fee schedule exceeds such customary charges.
Generally, to be considered for exclusion due to abuse, the practices have to consist of a clear pattern that the provider/supplier refuses or fails to remedy in spite of efforts on the part of the UPIC, SMRC, MAC, or QIO groups. An exclusion recommendation is implemented only where efforts to get the provider/supplier to change the pattern of practice are unsuccessful. The educational or persuasive efforts are not necessary or desirable when the issues involve life-threatening or harmful care or practice.
If a case involves the furnishing of items or services in excess of the needs of the individual or of a quality that does not meet professionally recognized standards of
health care, the UPIC shall make every effort to obtain reports confirming the medical determination of its MR from one or more of the following:
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The UPIC shall include in the sanction recommendation (to the extent appropriate) the following information:
NOTE: A minimum of 10 examples shall be submitted in support of a sanction recommendation under §1128(b)(6)(B). In addition, none of the services being used to support the sanction recommendations shall be over 2 years old.
Documentation supporting the case referral, e.g., records reviewed, copies of any letters or reports of contact showing efforts to educate the provider, profiles of the provider who is being recommended for sanction, and relevant information provided by other program administrative entities.
Copies of written correspondence and written summaries of the meetings held with the provider regarding the violation.
NOTE: All documents and medical records should be legible.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
When OIG receives the sanction recommendation, it is reviewed by medical and legal staff to determine whether the anticipated sanction action is supportable.
OIG then develops a proposal and sends it to the provider, advising it of the recommended sanction period, the basis for the determination that excessive or poor-quality care has been provided, and its appeal rights. The provider is also furnished with a copy of all the material used to make the determination. This is the material that was previously forwarded to OIG with the initial sanction recommendation.
The provider has 30 days from the date on the proposal letter to submit:
OIG may extend the 30-day period. All additional information is reviewed by OIG, as well as by medical and/or legal personnel when necessary. In the event the provider requests an in-person review, it is conducted by OIG in Washington, D.C.
When a final determination is made to exclude a provider, OIG sends a written notice to the provider at least 20 days prior to the effective date of the action (see 42 CFR §1001.2003 for exceptions to the 20 day notice). The notice includes:
The earliest date on which OIG accepts a request for reinstatement, and the requirements and procedures for reinstatement.
Appeal rights.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
Concurrent with the mailing of the notice to the provider, OIG sends a notice to the state agency administering or supervising the administration of each state health care program, the appropriate state licensing board, and CMS. CMS is responsible for ensuring proper effectuation of sanction actions.
OIG also notifies the appropriate licensing agency, the public, and all known employers of the sanctioned provider.
The effective date of exclusion is 20 days from the date of the notice to the provider (see 42 CFR §1001.2003 for exceptions to the 20 day notice).
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The UPICs shall not recommend payments to the AC or MAC, and ACs and MACs shall not make payment on any excluded individual or entity for items or services furnished, ordered, or prescribed in any capacity on or after the effective date of exclusion, except in the following cases:
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
If an excluded physician is employed in a hospital setting and submits claims for which payment is prohibited, the MAC surveillance process usually detects and investigates the situation.
However, in some instances an excluded physician may have a salary arrangement with a hospital or clinic, or work in group practice, and may not directly submit claims for payment. If this situation is detected, MACs:
Upon referral from the MAC, the UPIC shall finalize the case and refer it to the OIG.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
If claims are submitted after the effective date of the exclusion by a beneficiary for items or services furnished, ordered, or prescribed by an excluded provider in any capacity, ACs and MACs shall:
If claims are submitted by a laboratory or DME supplier for any items or services ordered by a provider in any capacity excluded under §1156, or any items or services ordered or prescribed by a physician excluded under §1128, ACs and MACs shall handle the claims as above.
To ensure that the notice to the beneficiary indicates the proper reason for denial of payment, ACs and MACs shall include the following language in the notice:
“We have received your claim for services furnished or ordered by __ on __. Effective __, __ was excluded from receiving payment for any items and services furnished in any capacity to Medicare beneficiaries. This notice is to advise you that no payment will be made for any items or services furnished by ___ if rendered more than 20 days from the date of this notice.”
The Medicare Patient and Program Protection Act of 1987 provides that payment is denied for any items or services ordered or prescribed by a provider excluded under §§1128 or 1156. It also provides that payment cannot be denied until the supplier of the items and services has been notified of the exclusion.
If claims are submitted by a laboratory or a DME company for any items or services ordered or prescribed by a provider excluded under §§1128 or 1156, ACs and MACs shall:
To ensure that the notice to the supplier indicates the proper reason for denial of payment, ACs and MACs shall include the following language in the notice:
“We have received your claim for services ordered or prescribed by __ on __. Effective __, __ was excluded from receiving payment for items or services ordered or prescribed in any capacity for Medicare beneficiaries. This notice is to advise you that no payment will be made for any items or services ordered or prescribed by ___ if ordered or prescribed more than 20 days from the date of this notice.”
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
An excluded provider may try to have the decision reversed or modified, through the appeals process. The Departmental Appeals Board is responsible for processing hearing requests received from sanctioned providers except in very limited circumstances. Exclusions remain in effect during the appeals process (see 42 CFR §§1001.901 (false claims), 1001.951 (kickbacks), 1001.1601 (violations of the limitation on physician charges), or 1001.1701 (billing for services of assistant-at-surgery during cataract operations)).
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
A provider may apply for reinstatement when the basis for exclusion has been removed, at the expiration of the sanction period, or any time thereafter. UPICs shall refer all requests they receive for reinstatement to the Office of Investigation of the OIG. Also, they furnish, as requested, information regarding the subject requesting reinstatement. OIG notifies the UPIC in the State where the subject lives/practices of all reinstatements.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The Medicare Exclusion Database (MED) is a standard format, cumulative exclusion database that contains information on all exclusions and reinstatement actions in Medicare, Medicaid, and other Federal health care programs. CMS receives this information from the OIG monthly.
The UPICs, SMRCs and MACs shall use the information contained in the MED and the Government Accountability Office (GAO) Debarment list to:
The dates reflected on the MED are the effective dates of the exclusion. Exclusion actions are effective 20 days from the date of the notice. Reinstatements or withdrawals are effective as of the date indicated.
The MED shows the names of a number of individuals and entities where the sanction period has expired. These names appear on the MED because the individual or entity has not been granted reinstatement. Therefore, the sanction remains in effect until such time as reinstatement is granted.
The UPICs, SMRCs and MACs shall check their systems to determine whether any physician, practitioner, provider, or other health care worker or supplier is being paid for items or services provided subsequent to the date they were excluded from participation in the Medicare program. In the event a situation is identified in which inappropriate payment is being made, the contractors shall notify OIG and take appropriate action to correct the situation. In addition, UPICs shall consider the instructions contained in the CMP section of the PIM (PIM, chapter 4, §4.11).
The UPICs and SMRCs shall work with the MACs to document a process in the JOA to make the MAC aware of any payments to an excluded provider.
The MACs shall ensure that no payments are made after the effective date of a sanction, except as provided for in regulations at 42 CFR 1001.1901(c) and 489.55.
The MACs shall check payment systems periodically to determine whether any individual or entity who has been excluded since January 1982 is submitting claims for which payment is prohibited. If any such claims are submitted by any individual in any capacity or any entity who has been sanctioned under §§1128, 1862(d), 1156, 1160(b) or 1866(b) of the Act, UPICs shall forward them to OIG/OI.
In addition, MACs shall refer to the RO all cases that involve habitual assignment violators. In cases where there is an occasional violation of assignment by a provider, they shall notify the provider in writing that continued violation could result in a penalty under the CMP Law.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
In 1981, Congress added §1128A (42 U.S.C. 1320a-7a) to the Social Security Act to authorize the Secretary of Health and Human Services to impose civil monetary penalties (CMPs). Since the enactment of the first CMP authority in 1981, Congress has increased both the number and types of circumstances under which CMPs may be imposed. Most of the specific statutory provisions authorizing CMPs also permit the Secretary to impose an assessment in addition to the CMP. An assessment is an additional monetary payment in lieu of damages sustained by the government because of the improper claim. Also, for many statutory violations, the Secretary may exclude the individual or entity violating the statute from participating in Medicare and other federal health care programs for specified periods of time.
In October 1994, the Secretary realigned the responsibility for enforcing these CMP authorities between the Centers for Medicare & Medicaid Services and the Office of the Inspector General. CMS was delegated the responsibility for implementing CMPs that involve program compliance. The OIG was delegated the responsibility for implementing CMPs that involve threats to the integrity of the Medicare or Medicaid programs, i.e., those that involve fraud or false representations. On August 21, 1996, the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) was enacted. This law provides for higher maximum CMPs ($10,000 per false item or service on a claim or instance of non-compliance, instead of $2,000 per item or service), and higher assessments (three times the amount claimed, instead of twice the amount) for some of the violations.
(Rev.: 11696; Issued: 11-09-22; Effective: 12-12-22; Implementation: 12-12-22)
The UPICs, SMRCs and MACs shall ensure that the program rules and regulations are being appropriately followed. If violations are noted (either through internal reviews or through a complaint process), the contractor shall take the appropriate steps to inform and educate the provider of the non-compliance and encourage future compliance.
For MACs, if, after a period of time, there is no significant change by the provider (the non- compliance continues), then a final warning notice of plans to propose a corrective action (such as a CMP) shall be issued. This notice shall be sent by certified mail (return receipt required), other courier service with a signature required, or provider/ Electronic
Submission of Medical Documentation (esMD) portal (with evidence of receipt). The notice shall indicate that previous notifications sent to the provider failed to correct the problem, and that this is a final warning. Additionally, it shall indicate that any further continuation of the non-compliance will result in the matter being forwarded to CMS or the OIG for administrative enforcement. While not specifically assessing a monetary penalty amount, the notice shall indicate that this is one type of sanction that may be applied.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
An essential part of enforcement is that potential violations be discovered at the earliest possible time. Every alleged violation should be identified, developed, and processed in a timely manner. Delays in developing and/or processing the violations affect the program in several ways. First, such delays may permit an unsafe medical condition to prevail if prompt corrective action is not taken. Second, delays tend to improperly de-emphasize the seriousness of the violation. Lastly, delays diminish the deterrent effect.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
Documentary evidence is extremely important in the CMP process. It is not only the evidence needed to support the administrative actions, but also a tool used for cross-referencing, verifying statements, and/or providing backup or background information.
Documentary evidence shall be identified, accounted for, and protected from loss, damage, or alteration. When copies of documents are made, care shall be taken to ensure that all copies are legible and accurate. Wherever possible, documents or copies shall be preserved in their original state; making marks on the face of the documents shall be avoided. If marks or explanations are necessary for explanation or clarification, include an additional copy of the document with marks on the copy.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The following sections list the authorities under which CMS's Program Integrity Group and the OIG may impose civil money penalties, assessments, and/or exclusions for program non-compliance.
(Rev.: 11696; Issued: 11-09-22; Effective: 12-12-22; Implementation: 12-12-22)
The following is a brief description of authorities from the Social Security Act:
statement describing each item or service requested by a Medicare beneficiary.
• Sections 1834(h)(3) and 1842(j)(2) - Any supplier of durable medical equipment, prosthetics, orthotics, and supplies charging for a covered prosthetic device, orthotic, or prosthetic (furnished on a rental basis) after the rental payment may no longer be made (except for maintenance and servicing). (This violation may also cause an assessment and an exclusion.)
• Section 1834(h)(3) - Unsolicited telephone contacts by any supplier of durable medical equipment, prosthetics, orthotics to Medicare beneficiaries regarding the furnishing of prosthetic devices, orthotics, or prosthetics. (This violation may only cause an exclusion.)
request for payment or bill submitted on a non-assigned basis.
standards. (This violation may cause an assessment and an exclusion.)
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The following is a brief description of authorities from the Social Security Act:
| Section 1128(a)(1)(A), (B) | False or fraudulent claim for item or service including incorrect coding (upcoding) or medically unnecessary services. |
|---|---|
| Section 1128A(a)(1)(C) | Falsely certified specialty. |
| Section 1128A(a)(1)(D) | Claims presented by excluded party. |
| Section 1128A(a)(1)(E) | Pattern of claims for unnecessary services or supplies. |
| Section 1128A(a)(2) | Assignment agreement, Prospective Payment System (PPS) abuse violations. |
| Section 1128A(a)(3) | PPS false/misleading information influencing discharge decision. |
| Section 1128A(a)(4) | Excluded party retaining ownership or controlling interest in participating entity. |
| Section 1128A(a)(5) | Remuneration offered to induce program beneficiaries to use particular providers, practitioners, or suppliers. |
| Section 1128A(a)(6) | Contracting with an excluded individual. |
| Section 1128A(a)(7) | Improper remuneration; i.e., kickbacks. |
| Section 1128A(b) | Hospital physician incentive plans. |
| Section 1128A(b)(3) | Physician falsely certifying medical necessity for home health benefits. |
| Section 1128E(b) | Failure to supply information on adverse action to the Health Integrity and Protection Data Bank (HIPDB). |
| Section 1140(b)(1) | Misuse of Departmental symbols/emblems. |
| Section 1819(b)(3)(B) Section 1919(b)(3)(B) | False statement in assessment of functional capacity of skilled nursing facility (SNF) resident. |
| Section 1819(g)(2)(A) Section 1919 (g)(2)(A) | Notice to SNF/nursing facility of standard scheduled survey. |
| Section 1857(g)(1)(F) | Managed care organization (MCO) fails to comply with requirements of §1852(j)(3) or §1852(k)(2)(A)(ii). (Prohibits MCO interference with the provider's advice to an enrollee; mandates that providers not affiliated with the MCO may not bill or collect in excess of the limiting charge.) |
| Section 1860D-31(i)(3) | Engaged in false or misleading marketing practices under the Medicare prescription drug discount card program; or overcharge prescription drug enrollees; or misuse of transitional assistance funds. |
|---|---|
| Section 1862(b)(3)(c) | Financial incentives not to enroll in a group health plan. |
| Section 1866(g) | Unbundling outpatient hospital costs. |
| Section 1867 | Dumping by hospital/responsible physician of patients needing emergency medical care. |
| Section 1876(i)(6)(A)(i) Section 1903(m)(5)(A)(i) Section 1857(g)(1)(A) | Failure by Health Maintenance Organization (HMO)/competitive medical plan/MCO to provide necessary care affecting beneficiaries. |
| Section 1876(i)(6)(A)(ii) Section 1903(m)(5)(A)(ii) Section 1857(g)(1)(B) | Premiums by HMO/competitive medical plan/MCO in excess of permitted amounts. |
| Section 1876(i)(6)(A)(iii) Section 1903(m)(5)(A)(iii) Section 1857(g)(1)(C) | HMO/competitive medical plan/MCO expulsion/refusal to re-enroll individual per prescribed conditions. |
| Section 1876(i)(6)(A)(iv) Section 1903(m)(5)(A)(iii) Section 1857(g)(1)(D) | HMO/competitive medical plan/MCO practices to discourage enrollment of individuals. |
| Section 1876(i)(6)(A)(v) Section 1903(m)(5)(A)(iii) Section 1857(g)(1)(E) | False or misrepresenting HMO/competitive medical plan/MCO information to Secretary. |
| Section 1876(i)(6)(A)(vi) Section 1903(m)(5)(A)(v) Section 1857(f) | Failure by HMO/competitive medical plan/MCO to assure prompt payment for Medicare risk-sharing contracts only or incentive plan provisions. |
| Section 1876(i)(6)(A)(vii) Section 1857(g)(1)(G) | HMO/competitive medical plan/MCO hiring/employing person excluded under §1128 or §1128A. |
| Section 1877(g)(3) | Ownership restrictions for billing clinical lab services. |
| Section 1877(g)(4) | Circumventing ownership restriction governing clinical labs and referring physicians. |
| Section 1882(d)(1) | Material misrepresentation referencing compliance of Medicare supplemental policies (including Medicare + Choice). |
| Section 1882(d)(2) | Selling Medicare supplemental policy (including Medicare + Choice) under false pretense. |
|---|---|
| Section 1882(d)(3)(A) | Selling health insurance that duplicates benefits. |
| Section 1882(d)(3)(B) | Selling or issuing Medicare supplemental policy (including Medicare + Choice) to a beneficiary without obtaining a written statement from beneficiary with regard to Medicaid status. |
| Section 1882(d)(4)(A) | Use of mailings in the sale of non-approved Medicare supplemental insurance (including Medicare + Choice). |
| Section 1891(c)(1) | Notifying home health agency of scheduled survey. |
| Section 1927(b)(3)(B) | False information on drug manufacturer survey from manufacturer/wholesaler/seller. |
| Section 1927(b)(3)(C) | Provision of untimely or false information by drug manufacturer with rebate agreement. |
| Section 1929(i)(3) | Notifying home- and community-based care providers/settings of survey. |
| Section 421(c) of the Health Care Quality Improvement Act (HCQIA) | Failure to report medical malpractice liability to National Practitioner Data Bank. |
| Section 427(b) of HCQIA | Breaching confidentiality of information report to National Practitioner Data Bank. |
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
Compliance is promoted through both administrative and formal legal actions. Administrative compliance action shall first be attempted by MACs through education and warning letters that request the provider to comply with Medicare’s rules and regulations. If the provider fails to take corrective action and continues to remain non-compliant, the MAC shall make a referral to the UPIC who shall forward it to the BFL, with a copy to the COR.
It is important for MACs to promote program compliance in their respective jurisdictions. The MACs shall ensure that all materials presented to providers through education, published bulletins, or written communication are clear and concise and
accurately represent the facts of compliance versus non-compliance. Providers shall also be allowed the opportunity to present additional facts that may represent mitigating circumstances.
UPICs shall consider this information in an objective manner before proceeding with a CMP referral to CMS.
When a UPIC elects to make a CMP referral to CMS, the initial referral package shall consist of a brief overview of the case; supportive documentation is not required at such time. The initial referral package shall consist of:
1. Identification of the provider, including the provider's name, address, date of birth, Social Security number, Medicare identification number(s), and medical specialty. If the provider is an entity, include the names of its applicable owners, officers, and directors.
2. Identification of the CMP authorities to be considered (use the authorities identified in PIM Chapter 4, §4.11.5).
3. Identification of any applicable Medicare manual provisions.
4. A brief description of how the violations identified above were discovered, and the volume of violations identified.
5. Total overpayments due the program or the beneficiary(ies), respectively.
6. A brief chronological listing of events depicting communication (oral and written) between the MAC and the provider.
7. A brief chronological listing of bulletins addressing the non-compliant area (starting with the bulletin released immediately prior to the first incident of non- compliance by the provider).
8. Any additional information that may be of value to support the referral.
9. The name and phone number of contacts at the UPIC.
Upon receipt of the above information, CMS staff will review the materials and may conduct follow-up discussions with the UPIC regarding the referral. Typically, within 90 days of receipt of the referral, CMS will notify the UPIC of its decision to accept or decline the referral.
If CMS declines the referral, the UPIC shall communicate this to the MAC to continue in their efforts to educate and promote compliance by the provider. The UPIC shall also consider other (less severe) administrative remedies, which, at a minimum, may include revocation of assignment privileges, establishing prepayment or postpayment medical reviews, and referral of situations to state licensing boards or medical/professional
societies, where applicable. In all situations where inappropriate Medicare payments have been identified, MACs shall initiate the appropriate steps for recovery.
If CMS accepts the referral, the UPIC shall provide any supportive documentation that may be requested, and be able to clarify any issues regarding the data in the case file or UPIC and MAC processes.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
Upon discovery of any case that may implicate any of the OIG's delegated CMP authority, regardless of whether there is any other pending activity, or whether the fraud case was closed, UPIC shall contact the OIG/OI Field Office to discuss the potential case. If this contact results in a referral, the UPIC shall follow the same referral format as described in PIM, chapter 4, §4.9.2.1. If a referral is not made or a referral is declined, the UPIC shall consider other administrative remedies, which, at a minimum, may include revocation of assignment privileges, establishing prepayment or post payment medical reviews, and referral of situations to state licensing boards or medical/professional societies, where applicable. In all situations where appropriate Medicare payments have been identified, MACs shall initiate the appropriate steps for recovery.
The UPIC shall send to the OIG all cases, as appropriate, where an excluded provider or individual has billed or caused to be billed to the Medicare or Medicaid program for the furnishing of items or services after exclusion. Such misconduct is sanctionable under §1128A(a)(C)(1) of the Social Security Act.
The UPIC shall send to the CMS Provider Enrollment and Oversight Group all cases where UPIC believes that misuse has occurred of the Medicare name, symbols, emblems, or other violations as described in §1140 of the Social Security Act and in 42 CFR 1003.102(b)(7).
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The following information, if available, shall be included as part of the CMP case package and made available upon request by CMS:
a. All known identification numbers (NPI, Provider Transaction Access Number (PTAN), etc.);
b. Provider's first and last name or entity name (if subject is an entity, also include the full name of the principal operator);
c. Provider/supplier's address (street, city, state, and zip code). If violator is an entity, identify address where principal operator personally receives his/her mail;
2. Copies of any interviews, reports, or statements obtained regarding the violation;
3. Copies of documentation supporting a confirmation of the violation;
4. Copies of all applicable correspondence between beneficiary and provider;
5. Copies of all applicable correspondence (including telephone contacts) between the MAC and provider;
6. Copies of provider's applicable bills to beneficiaries and/or MACs, and associated payment histories;
7. Copies of any complaints regarding provider and disposition of the complaint;
8. Copies of all publications (e.g., bulletins, newsletters) sent to provider by the UPIC, SMRCs or MAC who discuss the type of violation being addressed in the CMP case;
9. Copies of any monitoring reports regarding the provider; and
10. Name and telephone number of UPIC contact.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The following is background information for developing specific CMS CMP cases:
Effective for services or items provided on or after January 1, 1999, §4311 of the Balanced Budget Act (BBA) provides that Medicare beneficiaries have the right to request and receive an itemized statement from their health care provider of service (e.g., hospital, nursing facility, home health agency, physician, non-physician practitioner, DMEPOS supplier). Upon receipt of this request, providers have 30 days to furnish the itemized statement to the beneficiary. Health care providers who fail to provide an itemized statement may be subject to a CMP of not more than $100 for each failure to furnish the information (§1806(b)(2)(B) of the Social Security Act). An itemized statement is defined as a listing of each service(s) or item(s) provided to the beneficiary. Statements that reflect a grouping of services or items (such as a revenue code) are not considered an itemized statement.
A beneficiary who files a complaint with a MAC regarding a provider’s failure to provide an itemized statement must initially validate that his/her request was in writing (if available), and that the statutory 30-day time limit (calendar days) for receiving the information has expired. In most cases, an additional 5 calendar days should be allowed for the provider to receive the beneficiary’s written request. If the beneficiary did not make his/her request in writing, inform him/her that he/she must first initiate the request to the provider in writing. It is only after this condition and the time limit condition are met that the MAC may contact the provider.
Once the MAC confirms that the complaint is valid, the MAC shall initiate steps to assist the beneficiary in getting the provider to furnish the itemized statement. MACs shall initiate the same or similar procedures when receiving complaints regarding mandatory submission of claims (i.e., communicating with the provider about their non-compliance and the possibility of the imposition of a CMP).
If the intervention of the MAC results in the provider furnishing an itemized statement to the beneficiary, the conditions for the statute are considered met, and a CMP case should not be developed. Should the intervention of the MAC prove unsuccessful, the MAC shall consider referral to the UPIC for subsequent referral of the potential CMP case to CMS, following the guidelines established in PIM Chapter 4, §§4.11.6.1 and 4.11.7.
There may be instances where a beneficiary receives an itemized statement and the MAC receives the beneficiary’s request (written or oral) to review discrepancies on his/her itemized statement. MACs shall follow their normal operating procedures in handling these complaints. MACs shall determine whether itemized services or items were provided, or if any other irregularity (including duplicate billing) resulted in improper Medicare payments. If so, the MAC shall recover the improper payments.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The Omnibus Budget Reconciliation Act of 1989 (OBRA) established a limitation on actual charges (balanced billing) by non-participating physicians. (Refer to §1848(g) of the Act, and Medicare Carriers Manual §§5000ff. and 7555, respectively, for further information.)
As a result of the reduction in limiting charge monitoring activities (i.e., the discontinuance of the Limiting Charge Exception Report and the Limiting Charge Monitoring Report, the discontinuance of sending compliance monitoring letters and Refund/Adjustment Verification Forms), developing a Limiting Charge CMP case shall require the following additional information:
providers. This assistance reinstates the activity of sending the refund verification forms and compliance monitoring letters respective to the beneficiary(ies) who request assistance. Copies of these communications will become part of the CMP case file. Ensure that the communication includes language that reminds the provider that the limiting charge amounts for most physician fee schedule services are listed on the disclosure reports they receive in their yearly participation enrollment packages. (This constitutes “notice” of the Medicare charge limits for those services.) The provider’s letter should also include information that describes “what constitutes a violation of the charge limit,” and that providers are provided notification on their copy of the remittance statements when they exceed the limiting charge. Providers who elected not to receive remittance statements for non- assigned claims should be reminded that they are still bound by the limiting charge rules, and that they are required to make refunds of overcharges. It may be appropriate at this time for providers to reconsider their decision not to receive remittance forms for non- assigned claims. Providers should also be informed of what action to take in order to receive these statements.
(Rev. 871; Issued: 03-29-19; Effective: 04-29-19; Implementation: 04-29-19)
The Unified Case Management (UCM) System is a national database that the UPICs use to enter and update Medicare and Medicaid fraud, waste, and abuse data analysis projects, leads, and investigations initiated by the UPIC. Additionally, the UCM allows the UPICs to enter and track various administrative actions (i.e., pre or post-payment reviews, payment suspensions, revocations, etc.), requests for assistance (RFAs), and requests for information (RFIs) that are fulfilled by UPICs at the request of law enforcement, CMS, or other stakeholders.
Additional details related to each field in the UCM can be referenced in the UCM user manual. The UPIC shall complete all appropriate UCM training and reference the UCM user guide for specific instructions on how to utilize the UCM. The UPIC users shall become proficient and knowledgeable users of the UCM. The UPIC shall be responsible for ensuring they are using the UCM as the system of record and that all data entered into the UCM is entered correctly. This requirement includes, but is not limited to, the spelling of names and accuracy of addresses and identifiers that are entered, etc.
The following agencies/organizations currently have access to the UCM:
All workload received and/or initiated by the UPIC shall be saved in the UCM and shall contain identifying information on the potential subject(s) of a project, lead, investigation, etc., as well as general information on activities performed by the UPIC to substantiate the allegation of potential fraud, waste, or abuse. Investigative workload initiated by the UPIC shall contain a summary of the pertinent information related to any activities and/or resolution, and all fields in the UCM shall be updated with the applicable information as it is received by the UPIC.
The following are the general guidelines associated with project, investigation, RFI/RFA, and administrative action requirements in the UCM:
(Rev. 871; Issued: 03-29-19; Effective: 04-29-19; Implementation: 04-29-19)
UPICs shall log a proactive data project into the UCM as a “PDP” record type within seven (7) calendar days of initiating the study/project. As new information is identified, the UPIC shall make updates to the PDP as needed, but no less than every thirty (30) calendar days. The PDP should include reference to all subjects as they are identified, in addition to plan of action, projected next steps related to the study/project analysis, etc.
Each study/project will vary in terms of age. There are instances when a PDP may stay open and continue to generate leads, or the PDP may be closed after the identification of a specific number of leads. However, if a PDP has not generated a lead within ninety (90) calendar days, the UPIC shall close the PDP within seven (7) calendar days, unless otherwise directed by CMS.
(Rev. 13485; Issued: 12-23-25; Effective: 01-26-26; Implementation: 01-26-26)
Leads and Investigations are logged into the UCM as a case record type (CSE). CSEs are generated based on PDP outcomes, or through a reactive measure (i.e., complaint, FPS
lead, etc.). When a PDP identifies a lead that justifies the opening of a CSE, the UPIC shall initiate the CSE from the PDP record within seven (7) calendar days, unless otherwise directed by CMS. When a reactive lead is identified, the UPIC shall initiate a CSE within seven (7) calendar days of receipt of the lead. All leads are required to be screened in accordance with the Medicare PIM guidelines at Chapter 4, Section 4.5 – Screening Leads, unless otherwise directed by CMS.
The UPIC shall review the FPS Rapid Alert Warning (RAW) Dashboards each business day to identify leads. The UPIC shall open a UCM lead within one business day of identifying a lead from the FPS RAW Dashboards. All FPS RAW Dashboard leads selected for screening shall be treated with a heightened level of priority— i.e., screened as promptly as possible — to ensure that administrative action(s) can be taken expediently when investigations resulting from leads find that administrative actions are appropriate. Because the RAW Dashboard identifies claims in Phase One (1) of the billing cycle, this heightened prioritization increases the UPIC’s ability to take immediate administrative action, thereby reducing the potential loss of Medicare Trust Fund dollars.
The CMS expects the UPICs to make timely updates, generally within two (2) business days of the action, to the UCM throughout the course of a lead and/or investigation. The UPIC shall document all activities it has performed in order to substantiate any allegations of potential fraud, waste, or abuse. For example, on-site visits, medical reviews, audits, data analysis, etc., shall be documented, along with the applicable dates for each action. Investigative notes should be documented in the Record Summary, rather than added as a separate document, attachment, etc.
The UPIC shall take all appropriate administrative actions, as defined in PIM Chapters 3, 8, and/or 10. Each action shall be noted in the UCM under the appropriate administrative action record type (i.e., PSP, OPT, REV, PPE, etc.) and linked to the primary investigation CSE record, when applicable. Of note, when pursuing an administrative action based on an existing CSE, the UPIC shall generate the appropriate administrative action record from the originating CSE record. The primary investigation record (CSE) should include a high level summary of the action(s) taken within the administrative action record. In addition, all applicable documents linked to these activities shall be uploaded to the corresponding UCM record.
In instances where the UPIC is referring the subject of an investigation to law enforcement, the UPIC shall generate a referral record (REF) per the primary NPI from the case record (CSE) within seven (7) calendar days of each referral, unless otherwise directed by CMS. The primary investigation record (CSE) should include a high level summary of the action(s) taken within the referral record. In addition, all applicable documents linked to the referral shall be uploaded to the UCM referral record.
For investigations referred to law enforcement (i.e., OIG, DOJ, FBI, etc.), updates to the UCM shall be made within the following parameters:
After all actions are taken and all subsequent administrative activities are complete, the UPIC shall close the investigation in the UCM within seven (7) calendar days.
(Rev. 871; Issued: 03-29-19; Effective: 04-29-19; Implementation: 04-29-19)
RFIs/RFAs and all applicable documentation shall be entered into the UCM within seven (7) calendar days of receipt of the RFI/RFA. The UPIC shall update the Hours to Complete data field with the estimated time it will take the UPIC to fulfill the RFI/RFA. If it is estimated that the RFI/RFA will take 40 or more hours to fulfill, the UPIC shall select the Submit to COR workflow button, which will send a notification to the COR requesting approval to proceed.
CMS expects the UPICs to make regular updates to the UCM throughout the course of fulfilling the RFI/RFA. This shall include, but is not limited to:
Within seven (7) calendar days of completing the RFI/RFA, the UPIC shall update the Fulfillment Date data field with the date the RFI/RFA was submitted to the requestor and close the RFI/RFA UCM record.
(Rev. 10184; Issued: 06-19-2020; Effective: 07-21-2020; Implementation: 07-21-2020)
Law Enforcement Payment Suspension Requests and all applicable documentation shall be entered into the UCM within five (5) calendar days of receipt of the request, unless otherwise directed by the Payment Suspension team manager.
CMS expects the UPICs to make timely updates, generally within two (2) business days of the action, to the UCM throughout the course of a LE Payment Suspension, including timely monthly reports of any escrow dollars. If the Payment Suspension is a National Payment Suspension, the UPIC shall follow the process outlined in 8.3.3.1 DME Payment Suspensions (MACs and UPICs) and 8.3.3.2 Non-DME National Payment Suspensions (MACs and UPICs). The lead UPIC is responsible for entering all documentation into the UCM within five (5) calendar days as well as communicating/coordinating with the non-lead UPICs to make sure their information also is entered timely.
Within seven (7) calendar days of the termination of a LE payment suspension, or if a LE Payment Suspension request is denied or withdrawn, the UPIC shall finalize any remaining actions and close the UCM Payment Suspension (PSP) record.
When criteria for an Immediate Advisement to the OIG/OI is met based on the criteria referenced in Chapter 4, Section 4.9.1 of the PIM, the UPIC shall notify the OIG/OI by phone or email to determine if a formal Immediate Advisement should be sent to the OIG/OI. The UPIC shall document this communication in the UCM Record Summary field immediately. Should the OIG/OI confirm that an Immediate Advisement should be sent, the UPIC shall provide all available documentation to the OIG/OI within four (4) business days. Upon submission of an Immediate Advisement to the OIG/OI, the UPIC shall update the applicable UCM fields, as referenced in the UCM User Manual, within two (2) calendar days of submission. Once notification is received by the OIG/OI regarding its acceptance or declination of the Immediate Advisement, the UPIC shall update the applicable UCM fields within two (2) calendar days of the notice. All further correspondence and details associated with the Immediate Advisement shall be documented in the UCM Record Summary field as it is received.
The UCM has the capability to allow for documents and files to be attached in each record type. Each record type has pre-designated attachment folders, in addition to an option for the UPICs to create their own folders. The UPICs shall ensure that all necessary documents are attached in the appropriate folder, and the most up-to-date version of each document and/or file is attached. Should a document and/or file have multiple versions that need to be attached, the UPIC shall notate the date in the document/file name. Documents and/or files that are replaced by an updated version shall
be removed as long as all relevant and necessary information remains in the most up-to-date version.
Acceptable UCM attachments may include, but are not limited to:
(Rev. 871; Issued: 03-29-19; Effective: 04-29-19; Implementation: 04-29-19)
A duplicate entry exists when a UPIC inadvertently enters a provider, supplier, or beneficiary as the subject of a lead, investigation, etc., absent other differentiating criteria requiring a separate investigation, case, payment suspension, or RFI entry.
Entries shall not be considered a duplicate if multiple UPICs enter the same provider/supplier as the subject of the lead, investigation, etc. These entries shall be linked and cross-referenced by the UPIC in the UCM to indicate that more than one UPIC is involved in investigating the provider/supplier.
If a new lead or investigation is initiated on a provider/supplier that was already the subject of a closed investigation or case, a new entry shall be opened. The closed entry, however, shall be documented and linked to the new entry in the UCM.
The primary subject of the investigation, whether a business or individual, shall be entered as the subject of the UCM entry, when possible. The UPIC shall check for potential duplicate entries of leads, investigations, etc., when making its initial entry into the UCM.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
Entries can be deleted from the UCM only by users with the system administrator designation. The UPIC shall contact its BFL, with a copy to the COR, to discuss the need for deleting an entry. If the BFLs agree that the entry should be deleted, the UCM system administrator has the ability to delete any entries. To initiate any deletions, the UPIC shall send an e-mail to its BFL, with a copy to the COR, detailing the need for the entry deletion. The BFL will then forward the issue to the UCM SME, who will be responsible for coordinating the deletion of the entry.
(Rev. 10184; Issued: 06-19-2020; Effective: 07-21-2020; Implementation: 07-21-2020)
For UCM issues, users can contact the UCM helpdesk at UCMHelpDesk@cms.hhs.gov or 1-833-FLD-DESK (1-833-353-3375). If there are UCM contract changes that affect the helpdesk contact information, users can contact their COR, who will provide the most current information available.
(Rev. 943; Issued: 02-21-20; Effective: 03-24-20; Implementation: 03-24- 20)
If there are system outages, scheduled or unscheduled, resulting in UCM being unavailable for two or less business days, the expectation is that the contractors shall complete UCM entries within five business days of UCM being restored.
If there are system outages, scheduled or unscheduled, resulting in UCM being unavailable for greater than two business days, the expectation is that the contractors shall complete UCM entries within ten business days of UCM being restored.
(Rev. 11962; Issued: 04-21-23; Effective: 05-22-23; Implementation: 05-22-23)
This section applies to UPICs and SMRCs.
Program vulnerabilities are identified flaws or weaknesses in policy and/or regulatory authority that increases the likelihood of significant inappropriate payments being made to a broad provider/supplier population. Program vulnerabilities can be identified through a variety of sources such as the Chief Financial Officer's audit, Fraud Alerts, the GAO, the OIG, data driven studies, and UPIC and Medicare contractor operations.
Program Integrity concerns are issues CPI and/or the UPICs/SMRCs have identified through their own analysis and have the ability to mitigate through existing operations. Examples of PI concerns include, but are not limited to: routine changes and implementation of new billing codes (i.e. ICD-10, HCPCs, CPT codes, etc.) that may lead to questionable billing practices, reports/complaints of a potential fraud schemes that can be addressed in CMS regulations or policy guidance, or identified concerns and significant mitigating changes to enrollment processes.
The UPICs and SMRC shall discuss potential program vulnerabilities with the BFL(s) during the established recurring workload meetings. Program vulnerabilities should be submitted sooner if the UPIC/SMRC believes it requires immediate consideration. The BFL will validate the lead to determine whether the potential issue is a program vulnerability, a PI Concern, or another type of issue that may need to be addressed. Should the BFL need additional information, the UPIC shall submit an overview of the
potential program vulnerability, program impact, and proposed action to the BFL, with a copy to the COR, via email.
Should the BFL(s) agree that the identified issue is a program vulnerability, the UPIC/SMRC shall submit the proposed program vulnerability to the vulnerability mailbox at CPIVulnerabilityIntake@cms.hhs.gov, using the Vulnerability Template.
Additionally, all program vulnerabilities that are submitted to the mailbox shall be documented in the UPIC/SMRC program vulnerability report. If the UPIC/SMRC believes the proposed program vulnerability has potential Medicaid impact, the UPIC/SMRC shall document this in the submission to the vulnerability mailbox.
Should the BFL(s) determine that the identified issue is a PI concern, the BFL(s) shall advise the UPIC/SMRC to mitigate the concern through its existing operations. Issues not considered to be program vulnerabilities or PI concerns will be addressed on a case by case basis.
Name: Organization: Phone: Email:
Vulnerability Title:
Provider Type (if applicable):
Vulnerability Description:
Risk Factors (specific conditions, drivers, and/or actions that likely cause the vulnerability or increase the chances of it occurring):
For the below, provide risk assessment point valuation and provide a written justification for each (This is not required but will greatly assist in the vulnerability process).
Likelihood (Likelihood for the identified vulnerability. Provide 1-2 sentences behind the reasoning for selecting this level of likelihood for the vulnerability):
4 -- Almost Certain (>=75% likelihood to occur) 3 -- Likely (>=50% - <75% likelihood to occur) 2 -- Possible (>=25% - <50% likelihood to occur) 1 -- Unlikely (<25% likelihood to occur)
Patient Harm (Provide 1-2 sentences behind the reasoning for selecting this level of likelihood for the vulnerability):
4 -- Life Threatening 3 -- Significant 2 -- Minimal 1 -- No harm
Financial Impact (Provide 1-2 sentences behind the reasoning for selecting this level of financial impact for the vulnerability):
4 -- Greater than $200m (>=$200 million) 3 -- $100m - $200m (>=$100 million <$200 million) 2 -- $10m - $100m (>=$10 million <=$100 million) 1 -- Less than $10m (<$10 million)
Breadth (Provide 1-2 sentences behind the reasoning for selecting this level of breadth for the vulnerability):
4 -- National 3 -- Regional 2 -- Pocketed 1 -- Isolated
Existing Controls (Provide current projects or activities that are underway to address the risk factor):
Suggested Mitigation Activities (Suggestions for action items (i.e. key results) that may help to mitigate the risk factor(s):
Source (i.e. person/organization that first identified it):
FPS Model-Related (Y/N):
Attachments (If applicable, upload document(s), such as Office of Inspector General reports or relevant data that can provide additional information or context on the vulnerability being reported):
(Rev. 12127; Issued: 07-21-23; Effective: 08-21-23; Implementation: 08-21-23)
This section applies to UPICs.
Fraud Alerts are issued when circumstances arise that indicate a need to advise the UPICs, SMRCs, MACs, LE, state Medicaid agencies, and other appropriate stakeholders about an activity that resulted in the filing of inappropriate and potentially false Medicare claims. If the UPIC identifies the need for a Fraud Alert, it shall provide the BFL, with a copy to the COR, a summary of the circumstances. The CMS will evaluate the need to issue a Fraud Alert. All Fraud Alerts will be disseminated by CMS to the appropriate stakeholders.
The following direction applies to the I-MEDIC:
HPMS Memos are issued when circumstances arise that indicate a need to advise the Part C plans and Part D Plan Sponsors, and other appropriate stakeholders about an activity that resulted in the filing of inappropriate and potentially false Medicare claims. If the I-MEDIC identifies the need for an HPMS Memo, it shall provide the BFL, with a copy to the COR, a summary of the circumstances. CMS will evaluate the need to issue an HPMS Memo. All HPMS Memos will be disseminated by CMS to the appropriate stakeholders through the HPMS Portal.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs.
Section 203(b)(1) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191) instructs the Secretary to establish a program to encourage individuals to report information on individuals and entities that are engaged in or have engaged in acts or omissions that constitute grounds for the imposition of a sanction under sections 1128, 1128A, or 1128B of the Social Security Act (the Act), or who have otherwise engaged in sanctionable fraud, waste, and/or abuse against the Medicare program under title XVIII of the Act.
The Incentive Reward Program (IRP) was established to pay an incentive reward to individuals who provide information on Medicare fraud, waste, and/or abuse or other sanctionable activities. The applicable regulations are in 42 CFR § 420.405.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs and MACs, as indicated.
For UPICs and MACs, the IRP responsibilities explained below shall be worked out in the UPIC and MAC Joint Operating Agreement (JOA).
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs and MACs, as indicated.
On or after July 8, 1998, any complaints received that pertain to a potentially sanctionable offense as defined by sections 1128, 1128A, or 1128B of the Act, or that pertain to those who have otherwise engaged in sanctionable fraud, waste, and/or abuse against the Medicare program under title XVIII of the Act, are eligible for consideration for reward under the IRP. The UPIC should consider the complainant for the reward program. Complaints may originate from a variety of sources such as the OIG Hotline, the UPIC, customer service representatives, etc. The UPIC and MAC shall inform their staff of this program to ensure that the staff will respond to or refer questions correctly. PIM, Exhibit 5 provides IRP background information to assist staff who handle inquiries.
The UPIC and MAC shall treat all complaints as legitimate until proven otherwise. The MAC shall refer potential fraud, waste, and abuse incoming complaints to the UPIC for investigation. Complaints shall either be resolved by the UPIC or, if determined to be a sanctionable offense, referred to the OIG for investigation. Complaints that belong in another UPIC's zone shall be recorded and forwarded to the appropriate UPIC. All information shall be forwarded according to existing procedures.
If an individual registers a complaint about a Medicare managed care provider/supplier, UPICs and MACs shall record and forward all information to:
Centers for Medicare & Medicaid Services Centers for Medicare Management Performance Review Division Mail Stop C4-23-07 7500 Security Blvd. Baltimore, MD 21244
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
If the UPIC receives a related complaint and the complainant is eligible for the IRP, the UPIC shall notate the IRP in the UCM and coordinate with its COR and BFL when issuance of the award is identified.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The following individuals are not eligible to receive a reward under the IRP:
subcontractors, the Social Security Administration (SSA), the OIG, a SMA, the DOJ, the FBI, or any other federal, state, or local LE agency at the time he/she came into possession, or divulged information leading to a recovery of Medicare funds. Immediate family is as defined in 42 CFR 411.12(b), which includes any of the following:
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The amount of the reward shall not exceed 10 percent of the overpayments recovered in the case, or $1,000, whichever is less. Collected fines and penalties are not included as part of the recovered money for purposes of calculating the reward amount. If multiple complainants are involved in the same case, the reward will be shared equally among each complainant but not to exceed the maximum amount of the reward.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
For UPICs, SMRCs, and MACs, the IRP responsibilities explained below shall be worked out in the JOA.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
On or after July 8, 1998, any complaints received that pertain to a potentially sanctionable offense as defined by §§1128, 1128A, or 1128B of the Act, or that pertain to those who have otherwise engaged in sanctionable fraud, waste, and/or abuse against the Medicare program under title XVIII of the Act, are eligible for consideration for reward under the IRP. While the complainant may not specifically request to be included
in the IRP, the UPIC should consider the complainant for the reward program. Complaints may originate from a variety of sources such as the OIG Hotline, the UPIC, customer service representatives, etc. The UPICs, SMRCs and MACs shall inform their staff of this program, so they will respond to or refer questions correctly. Exhibit 5 of the PIM provides IRP background information to assist staff who handle inquiries. The UPICs, SMRCs and MACs shall treat all complaints as legitimate until proven otherwise. They shall refer incoming complaints to the UPIC for further screening.
Complaints shall either be resolved by the UPIC, if determined to be a sanctionable offense, referred to the OIG for investigation. Complaints that belong in another UPIC's zone shall be recorded and forwarded to the appropriate UPIC. All information shall be forwarded to them according to existing procedures.
If an individual registers a complaint about a Medicare Managed Care provider, UPICs and MACs shall record and forward all information to:
Centers for Medicare & Medicaid Services Centers for Medicare Management Performance Review Division Mail Stop C4-23-07 7500 Security Blvd. Baltimore, MD 21244
(Rev. 11358; Issued: 04-21-2022; Effective: 05-23-2022; Implementation: 05-23-2022)
The UPICs shall continue to track all incoming complaints potentially eligible for reward in their existing internal tracking system. The following complainant information shall be included:
The OIG has 90 calendar days from the referral date to make a determination for disposition of the case. UPICs shall regularly follow up with the OIG to obtain information on recovery of complaints referred to them that originated from an IRP complainant. The UPIC shall follow up on referrals to the OIG when no action is taken within 90 calendar days. If no action is taken by the OIG within the 90 calendar days,
the UPIC should begin the process for recovering the overpayment and issuance of the reward, if appropriate.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
The UPIC and SMRCs shall initiate overpayment recovery actions according to PIM Chapter 3, if it is determined an overpayment exist. Only MACs shall issue demand letters and recoup the overpayment.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
After all fraudulently obtained Medicare funds have been recovered and all fines and penalties collected, if appropriate, the UPIC will send a reward eligibility notification letter and a reward claim form to the complainant by mail at the most recent address supplied by the individual. PIM Exhibit 5.1 provides a sample eligibility notification letter and Exhibit 5.2 provides a sample reward claim form that may be used as guides.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
After the complainant has returned the reward claim form with appropriate attachments, the UPIC shall determine the amount of the reward and initiate payment. The reward payment should be disbursed to the complainant from the overpayment money recovered. Payments made under this system are considered income and subject to reporting under Internal Revenue Service tax law. No systems changes to implement these procedures are to be made.
For UPICs, only the MAC shall make IRP payments. The UPIC shall provide the necessary documentation to the MAC to initiate the IRP payment.
(Rev. 11358; Issued: 04-21-2022; Effective: 05-23-2022; Implementation: 05-23-2022)
The UPIC shall maintain an audit trail of the disbursed check. The following data shall be included:
Social Security number of complainant
Party the complaint is against
The UPIC shall work with the MAC via the JOA to disburse the reward check.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
A UPIC that learns of a questionable discount program shall contact its BFL to determine the course of action, when needed.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
Whoever knowingly and willfully solicits or receives any remuneration (including any kickback, hospital incentive or bribe) directly or indirectly, overtly or covertly, in cash or in kind, in return for referring a patient to a person for the furnishing or arranging for the furnishing of any item or service for which payment may be made in whole or in part under Medicare, Medicaid or a State health care program, or in return for purchasing, leasing, or ordering, or arranging for or recommending purchasing, leasing, or ordering any good, facility, service, or item for which payment may be made in whole or in part under Medicare, Medicaid or a State health program, shall be guilty of a felony and upon conviction thereof, shall be fined not more than $25,000 or imprisoned for not more than five years, or both. 42 U.S.C. 1320a-7b(b), §1128B(b) of the Act.
Discounts, rebates, or other reductions in price may violate the anti-kickback statute because such arrangements induce the purchase of items or services payable by Medicare or Medicaid. However, some arrangements are clearly permissible if they fall within a safe harbor. One safe harbor protects certain discounting practices. For purposes of this safe harbor, a “discount” is the reduction in the amount a seller charges a buyer for a good or service based on an arms-length transaction. In addition, to be protected under the discount safe harbor, the discount must apply to the original item or service that is purchased or furnished (i.e., a discount cannot be applied to the purchase of a different good or service than the one on which the discount was earned). The definition of discount under the anti-kickback statute does not include “bundled” goods or services. As a result, a discount may apply to the purchase of different goods or services other than the one on which the discount was earned, when they are bundled together to induce the purchase of that good or service without coming under the anti-kickback statute.
Additionally, the discount offered for bundled goods or services to induce the purchase of a different good or service would not come under the anti-kickback statute only when both items are subject to the same reimbursement methodology under Medicare or Medicaid. A “rebate” is defined as a discount that is not given at the time of sale. A “buyer” is the individual or entity responsible for submitting a claim for the item or service that is payable by the Medicare or Medicaid programs. If the buyer is an entity
that reports its costs on a cost report required by the Department or state health care program, it must comply with all of the following standards:
The discount must be earned based on purchases of that same good or service bought within a single fiscal year.
The buyer must claim the benefit of the discount in the fiscal year in which the discount is earned or the following year.
The buyer must fully and accurately report the discount in the applicable cost report.
The buyer must provide, upon request by the Secretary or a state agency, information provided by the seller as specified in 42 CFR §1001.952 (h)(2)(ii) of this section, or information provided by the offeror as specified in 42 CFR §1001.952 (h)(3)(ii).
“seller” is the individual or entity that offers the discount.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs.
Certain marketing or solicitation practices could be in violation of the Medicare anti-kickback statute, 42 U.S.C. 1320a-7b(b). All marketing practices shall comply with the Medicare anti-kickback statute and with the Office of the Inspector General's (OIG's) Compliance Program Guidance for the DMEPOS industry.
Marketing practices may influence Medicare beneficiaries who use medical supplies, such as blood glucose strips, on a repeated basis. Beneficiaries are advised to report any instances of fraudulent or abusive practices, such as misleading advertising and excessive or non-requested deliveries of test strips, to their durable medical equipment MACs.
Advertising incentives that indicate or imply a routine waiver of coinsurance or deductibles could be in violation of 42 U.S.C. 1320a-7b(b). Routine waivers of coinsurance or deductibles are unlawful because they could result in--1) false claims; 2) violation of the anti-kickback statute; and/or 3) excessive utilization of items and services paid for by Medicare.
In addition, 42 U.S.C. 1320a-7a(a) (5) prohibits a person from offering or transferring remuneration. Remuneration is a waiver of coinsurance and deductible amounts, with exceptions for certain financial hardship waivers that are not prohibited.
Suppliers should seek legal counsel if they have any questions or concerns regarding waivers of deductibles and/or coinsurance or the propriety of marketing or advertising material.
Any supplier that routinely waives co-payments or deductibles can be criminally prosecuted and excluded from participating in Federal health care programs.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This applies to UPICs and MACs.
For a discount to be protected, certain factors must exist. These factors assure that the benefit of the discount or rebate will be reported and passed on to the programs. If the buyer is a Part A provider, it must fully and accurately report the discount in its cost report. The buyer may note the submitted charge for the item or service on the cost report as a “net discount.” In addition, the discount must be based on purchases of goods or services bought within the same fiscal year. However, the buyer may claim the benefit of a discount in the fiscal year in which the discount is earned, or in the following fiscal year. The buyer is obligated, upon request by the HHS or a state agency, to provide information given by the seller relating to the discount.
The following types of discounts may be protected if they comply with all of the applicable standards in the discount safe harbor:
The following types of discounts are not protected:
Note: There is a separate safe harbor for routine waiver of co-payments for inpatient hospital services. (Refer to 42 CFR §1001.952(k)(1).)
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs and MACs.
For a discount program to be protected for Part B billing, certain factors must exist. These factors ensure that the benefit of the discount or other reduction in price is reported and passed on to the Medicare or Medicaid programs. A rebate rendered after the time of sale is not protected under any circumstances. The discount must be made at the time of sale of the good or service. In other words, rebates are not permitted for items or services if payable on the basis of charges. The discount must be offered for the same item or service that is being purchased or furnished. The discount must be clearly and accurately reported on the claim form.
The following types of discounts may be protected if they comply with all of the applicable standards in the discount safe harbor:
Credit or coupon directly redeemable from the seller The following types of discounts are not protected:
NOTE: There is a separate safe harbor for routine waiver of co-payments for inpatient hospital services. (Refer to 42 CFR §1001.952(k)(1).)
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
This section applies to UPICs.
If the buyer is a health maintenance organization or a competitive medical plan acting in accordance with a risk contract or under another state health care program, the buyer does not need to report the discount, except as otherwise required under the risk contract.
(Rev. 11032; Issued: 09-30-21; Effective: 10-12-21; Implementation: 11-10-21)
Section 2306 of the Deficit Reduction Act of 1984 established a physician/supplier participation program. The Omnibus Budget Reconciliation Act of 1989 established a limitation on actual charges by non-participating physicians (see §1848(g) of the Act). Participating physicians/suppliers who violate their participation agreements, and non-participating physicians who knowingly, willfully, and repeatedly increase their charges to Medicare beneficiaries beyond the limits, are liable for action in the form of CMPs, assessments, and exclusion from the Medicare program for up to 5 years, or both. Criminal penalties also apply to serious violations of the participation agreement provisions.
For further discussion of the participation agreement and limiting charge provisions, see IOM Pub.100-04, chapter 1.
| Rev # | Issue Date | Subject | Impl Date | CR# |
|---|---|---|---|---|
| R13821PI | 06/09/2026 | Updates of Chapters 3, 4, and Exhibits in Publication (Pub.) 100-08, Including Updates to the Provider Notification Process and Vetting with the CMS Process | 02/26/2026 | 14362 |
| R13595PI | 01/26/2026 | Updates of Chapters 3, 4, and Exhibits in Publication (Pub.) 100-08, Including Updates to the Provider Notification Process and Vetting with the CMS Process- Rescinded and replaced by transmittal 13821 | 02/26/2026 | 14362 |
| R13485PI | 12/23/2025 | Updates of Chapter 4 in Publication (Pub.) 100-08, Including Updates to the Recovery Audit Contractor Data Warehouse (RACDW) Process | 01/26/2026 | 14275 |
| R13000PI | 12/12/2024 | Updates of Chapter 4 and Exhibits in Publication (Pub.) 100-08, Including the Unified Program Integrity Contractor (UPIC) and Medical Review Accuracy Contractor (MRAC) Coordination Process | 12/10/2024 | 13850 |
| R12954PI | 11/08/2024 | Updates of Chapter 4 and Exhibits in Publication (Pub.) 100-08, Including the Unified Program Integrity Contractor (UPIC) and Medical Review Accuracy Contractor (MRAC) Coordination Process- Rescinded and replaced by transmittal 13000 | 12/10/2024 | 13850 |
| R12772PI | 08/09/2024 | Updates of Chapter 1, Chapter 2, Chapter 3, Chapter 4, and Chapter 9 in Publication (Pub.) 100-08, Including Complaint Referral Coordination Between Contractors | 09/20/2024 | 13719 |
| R12333PI | 10/26/2023 | Updates of Chapter 4 and Chapter 8 in Publication (Pub.) 100-08, Including Adding Guidance Regarding Handling of Freedom Information Act (FOIA) Requests | 11/28/2023 | 13404 |
| R12127PI | 07/21/2023 | Updates of Chapters 4, Chapter 8, and Exhibits in Publication (Pub.) 100-08, Including Adding Additional Clarification to Ongoing Direction | 8/21/2023 | 13281 |
| R11962PI | 04/21/2023 | Updates of Chapters 4 and 8 in Publication (Pub.) 100-08, Including Point of Contact Clarification and Update to Statistical | 05/22/2023 | 13173 |
| Rev # | Issue Date | Subject | Impl Date | CR# |
|---|---|---|---|---|
| Sampling Terminology | ||||
| R11797PI | 01/19/2023 | Updates of Chapters 4 and 8 in Publication (Pub.) 100-08, Including an Update to the Statistical Sampling Process, in Addition to Various Other Minor Updates | 02/21/2023 | 13066 |
| R11696PI | 11/09/2022 | Updates to Chapter 4 of Publication (Pub.) 100-08, to Include the Addition of a Congressional Inquiries Section, Updates to the Vetting Leads with CMS Process, and Various Other Updates | 12/12/2022 | 12942 |
| R11358PI | 04/21/2022 | Updates of Chapter 4 in Publication (Pub.) 100-08, Including Update to Medicare Program Integrity Contractor Investigative Timeliness Requirement, and Updates to Exhibit 5 - Background Information for Contractor Staff When Incentive Reward Program (IRP) is Questioned in Pub. 100-08 | 05/23/2022 | 12700 |
| R11218PI | 01/27/2020 | Updates to Chapter 4 in Publication (Pub.) 100-08, Including Removal of Requests for Anticipated Payment (RAP) Suppressions and Updates to Exhibit 16 - Model Payment Suspension Letters in Pub. 100-08 | 02/28/2022 | 12595 |
| R11032PI | 09/30/2021 | Updates to Chapters 1, 3, 4, 5, 8 and 9 of Publication (Pub.) 100-08 | 11/10/2021 | 12375 |
| R10984PI | 09/09/2021 | Updates to Chapters 1, 3, 4, 5, 8 and 9 of Publication (Pub.) 100-08 – Rescinded and replaced by transmittal 11032 | 11/10/2021 | 12375 |
| R10749PI | 05/11/2021 | Updates to Chapter 4 and Chapter 5 of Publication (Pub.) 100-08 | 06/11/2021 | 12257 |
| R10711PI | 04/01/2021 | Updates to Chapter 4 of Publication (Pub.) 100-08 | 04/19/2021 | 12135 |
| R10641PI | 03/18/2021 | Updates to Chapter 4 of Publication (Pub.) 100-08- Rescinded and Replaced by Transmittal 10711 | 04/19/2021 | 12135 |
| R10509PI | 12/11/2020 | Unified Program Integrity Contractor (UPIC) Coordination with Other Contractors Related to the Recovery Audit Contractor (RAC) Data Warehouse (RACDW) - Exclusion | 01/12/2021 | 12059 |
| Rev # | Issue Date | Subject | Impl Date | CR# |
|---|---|---|---|---|
| Clarification | ||||
| R10383PI | 10/09/2020 | Updates to Chapters 4, 5, 8, 15, and Exhibits of Publication (Pub.) 100-08 | 11/10/2020 | 11999 |
| R10228PI | 07/27/2020 | Updates to Chapters 1, 2, 3, 4, 5, 6, 7, 8, 10, 11, and Exhibits of Publication (Pub.) 100-08 | 08/27/2020 | 11884 |
| R10184PI | 06/19/2020 | Updates to Chapters 4, 6, and 8 of Publication (Pub.) 100-08 | 07/21/2020 | 11812 |
| R944PI | 03/06/2020 | Section 4.26.2 in Chapter 4 of Publication (Pub.) 100-08 | 04/06/2020 | 11541 |
| R943PI | 02/21/2020 | Updates to Chapter 4 and Exhibit 8 in Publication (Pub.) 100-08 | 03/24/2020 | 11629 |
| R902PI | 09/27/2019 | Updates to Chapters 3, 4, 8, 15, and Exhibits of Publication (Pub.) 100-08 | 10/28/2019 | 11425 |
| R875PI | 04/05/2019 | Updates to Immunosuppressive Guidance | 04/18/2019 | 11172 |
| R872PI | 03/29/2019 | Updates to Immunosuppressive Guidance-Rescinded and Replaced by Transmittal 875 | 04/18/2019 | 11172 |
| R871PI | 03/29/2019 | Update to Section 4.12 in Chapter 4 of Publication (Pub.) 100-08 | 04/29/2019 | 11159 |
| R868PI | 02/22/2019 | Update to Chapter 4, Section 4.7 in Publication (Pub.) 100-08 | 03/25/2019 | 11136 |
| R866PI | 02/22/2019 | Update to Chapter 4, Section 4.11 in Publication (Pub.) 100-08 | 03/25/2019 | 11058 |
| R851PI | 12/14/2018 | Updates to Chapter 4 of Publication (Pub.) 100-08 | 10/22/2018 | 10591 |
| R848PI | 12/11/2018 | Update to Chapter 4, Section 4.18.1.4 and Exhibit 16 in Publication (Pub.) 100-08 | 10/22/2018 | 10853 |
| R839PI | 10/26/2018 | New Instructions for Home Health Agency Misuse of Requests for Anticipated Payments (RAPs) | 09/17/2018 | 10789 |
| R827PI | 09/21/2018 | Updates to Chapter 4 of Publication (Pub.) 100-08- Rescinded and Replaced by Transmittal 851 | 10/22/2018 | 10591 |
| R826PI | 09/21/2018 | Update to Chapter 4, Section 4.18.1.4 and Exhibit 16 in Publication (Pub.) 100-08- Rescinded and Replaced by Transmittal 848 | 10/22/2018 | 10853 |
| R817PI | 08/17/2018 | New Instructions for Home Health Agency Misuse of Requests for Anticipated | 09/17/2018 | 10789 |
| Rev # | Issue Date | Subject | Impl Date | CR# |
|---|---|---|---|---|
| Payments (RAPs) | ||||
| R785PI | 04/06/2018 | Clarifying Instructions Related to Proof of Delivery and Dates of Service | 05/07/2018 | 10592 |
| R783PI | 03/30/2018 | Proof of Delivery Exceptions for Immunosuppressant Drugs Paid Under the Durable Medical Equipment (DME) Benefit | 04/30/2018 | 10544 |
| R750PI | 10/20/2017 | Proof of Delivery Documentation Requirements | 11/20/2017 | 10324 |
| R721PI | 06/09/2017 | Elimination of Routine Reviews Including Documentation Compliance Reviews and Instituting Three Medical Reviews | 07/11/2017 | 9809 |
| R675PI | 09/09/2016 | Update to Chapter 4, Pub. 100-08 | 12/12/2016 | 9426 |
| R667PI | 08/08/2016 | Revisions to Instructions Regarding the Fraud Investigation Database (FID) and Other Program Integrity Procedures | 11/08/2016 | 9436 |
| R641PI | 02/19/2016 | Proof of Delivery in Nursing Facilities | 03/19/2016 | 9524 |
| R635PI | 02/04/2016 | Clarification to Language Regarding Proof of Delivery Requirements in Pub. 100-08, Chapter 4, Section 4.26.1 | 03/04/2016 | 9487 |
| R608PI | 08/14/2015 | Update to Pub. 100-08 to Provide Language-Only Changes for Updating ICD-10 and ASC X12 | 09/14/2015 | 8747 |
| R495PI | 12/13/2013 | Recalcitrant Provider Procedures | 01152014 | 8394 |
| R472PI | 06/21/2013 | Elimination of SMART FACTS for PSCs/ZPICs (SMP Program) | 0723/2013 | 8312 |
| R467PI | 05/31/2013 | Requirements for the Closing of Complaints After Transfer to the PSCs and ZPICs in the Office of the Inspector General (OIG) Hotline Complaint Database | 07/01/2013 | 8288 |
| R466PI | 05/17/2013 | Requirements for Sending Immediate Advisements to the OIG/OI (Office of the Inspector General/Office of Investigations) | 06/18/2013 | 8287 |
| R432PI | 08/31/2012 | Timeframes for Handling OIG Hotline Complaints Uploaded into the OIG Hotline Database; Requirements for the Transfer and Closing of Cases in the OIG Hotline Complaint Database System | 10/01/2012 | 7852 |
| R389PI | 09/30/2011 | Proof of Delivery and Delivery Methods | 10/31/2011 | 7410 |
| Rev # | Issue Date | Subject | Impl Date | CR# |
|---|---|---|---|---|
| R311PI | 11/13/2009 | Recovery Audit Contractors (RACs) | 12/14/2009 | 6684 |
| R265PI | 08/08/2008 | Medicare Fraud Edit Module Phase 3 | 04/06/2009 | 6135 |
| R264PI | 08/07/2008 | Transition of Responsibility for Medical Review From Quality Improvement Organizations (QIOs) | 08/15/2008 | 5849 |
| R262PI | 07/01/2008 | Flagging Health Insurance Claim Numbers (HICN) in the Medicare Carrier System (MCS) for Pre-Payment Review/Audit | 07/07/2008 | 5644 |
| R259PI | 06/13/2008 | Benefit Integrity Updates | 07/07/2008 | 6003 |
| R252PI | 04/11/2008 | Flagging Health Insurance Claim Numbers (HICN) in the Medicare Carrier System (MCS) for Pre-Payment Review/Audit - Rescinded and replaced by Transmittal 262 | 07/07/2008 | 5644 |
| R241PI | 02/08/2008 | Flagging Health Insurance Claim Numbers (HICN) in the Medicare Carrier System (MCS) for Pre-Payment Review/Audit – Rescinded and Replaced by Transmittal 252 | 04/07/2008 | 5644 |
| R213PI | 06/29/2007 | Various Benefit Integrity Revisions | 07/30/2007 | 5630 |
| R211PI | 06/22/2007 | Medicare Benefit Vulnerability Reporting | 07/23/2007 | 5581 |
| R210PI | 06/15/2007 | High Risk Areas | 07/16/2007 | 5626 |
| R176PI | 11/24/2006 | Various Benefit Integrity (BI) Revisions | 12/26/2006 | 5368 |
| R174PI | 11/17/2006 | Transition of Medical Review Educational Activities | 10/06/2006 | 5275 |
| R170PI | 11/03/2006 | Transition of Medical Review Educational Activities – Replaced by Transmittal 174 | 10/06/2006 | 5275 |
| R163PI | 09/29/2006 | Transition of Medical Review Educational Activities – Replaced by Transmittal 170 | 10/06/2006 | 5275 |
| R160PI | 09/25/2006 | Complaint Screening | 10/02/2006 | 5335 |
| R144PI | 03/31/2006 | Various Benefit Integrity (BI) Revisions | 05/01/2006 | 4247 |
| R127PI | 10/28/2005 | Complaint Screening Revisions | 11/28/2005 | 4118 |
| R118PI | 08/12/2005 | Various Benefit Integrity (BI) Clarifications | 09/12/2005 | 3896 |
| R101PI | 01/28/2005 | Benefit Integrity (BI) PIM Revisions | 02/28/2005 | 3579 |
| R099PI | 01/21/2005 | Waivers Approved by the Regional Office (RO) by Replacing Regional Office with Central Office (CO) | 02/22/2005 | 3646 |
| R096PI | 01/14/2005 | Consent Settlements | 02/14/2005 | 3626 |
| R083PI | 08/27/2004 | Miscellaneous Revisions for Chapter 4 | 09/27/2004 | 3379 |
| R080PI | 07/16/2004 | PIM Fraud and Abuse Complaint Screening | 08/16/2004 | 3341 |
| Rev # | Issue Date | Subject | Impl Date | CR# |
|---|---|---|---|---|
| Revisions | ||||
| R071PI | 04/09/2004 | Rewrite of Program Integrity Manual (except Chapter 10) to Apply to PSCs | 05/10/2004 | 3030 |
| R016PIM | 11/28/2001 | Adds Various Program Memoranda for BI Requests for Information, Organizational Requirements, Unsolicited Voluntary Refund Checks, Anti-Kickback Statute Implications | 11/28/2001 | 1732 |
| R003PIM | 11/22/2000 | Complete Replacement of PIM Revision 1. | NA | 1292 |
| R001PIM | 06/2000 | Initial Release of Manual | NA | 931 |
Back to top of Chapter