CMS Pub. 100-15, ch. 3
(Rev. 14275; Issued: 12-23-25)
3.0 Overview 3.1 Medicaid Data for Use by UPICs 3.2 Data Project Record 3.3 Lead Screening 3.4 Vetting Process 3.5 Investigations/Audits 3.6 Prioritization 3.7 Extrapolation 3.8 Look Back Period 3.9 Medical Review for Program Integrity Purposes 3.10 Request for Medical Records 3.11 Working with Law Enforcement – Requests for Assistance and Requests for Information 3.12 Auditing Program Integrity Activities in Managed Care Plans 3.12.1 Scope of Managed Care Plan Project 3.12.2 –Review of Managed Care Plans’ Compliance Efforts 3.12.3 Review of Paid Claims 3.12.4 Review of Denied Claims and Denied Prior Authorizations 3.12.5 Review of Provider Network Adequacy 3.12.6 Review of Preventive Services
(Rev. 13494; Issued: 12-23-25; Effective: 01-26-26; Implementation:01-26-26)
The UPICs shall be responsible for collaborating with State Medicaid Agencies (SMAs) in their respective jurisdiction to share CMS CPI priorities and processes and to develop processes for investigating Medicaid fraud, waste, and abuse issues. The UPIC may be requested to provide the complete spectrum of investigative and audit services for a state or selected activity that augments programmatic reviews conducted by states regarding Medicaid including, but not limited to, identifying leads, conducting investigations, and referring cases to law enforcement.
The SMAs have established processes for investigating potentially fraudulent activities. The UPIC shall work with SMA to develop a state preferred, and CMS approved, process to perform Medicaid investigations and/or audits. Therefore, it is essential that the state and the UPIC work cooperatively to understand both parties' requirements. The UPIC shall establish ongoing meetings with SMAs (as referenced in Chapter 2 of this manual) to discuss vulnerabilities, update the status of existing investigations and referrals, and resolve any issues that may arise during ongoing investigations.
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
Transformed Medicaid Statistical Informational System (T-MSIS) data is the system of record for Medicaid. CMS has now made T-MSIS data from all states and territories available in OnePI Business Intelligence tools. The UPICs may now access all OnePI Business Intelligence tools, such as BusinessObjects and SAS, for all T-MSIS data. The UPICs shall use T-MSIS data to the fullest extent for every state.
The purpose and uses of T-MSIS data are published in the T-MSIS System of Records Notices (SORN) (https://www.federalregister.gov/documents/2019/02/06/2019-01157/privacy-act-of-1974-system-of-records), of which became effective March 18, 2019. CMS has authorized UPICs to use T-MSIS data to the fullest extent for every state for UPIC related activities.
The UPIC is not to replicate or confirm findings from T-MSIS with data from state source data warehouses, unless observed or noted data quality issues cast doubt on the results. If data quality issues necessitate additional data, the UPIC may supplement data as needed with prior approval from the BFL and COR. Supplemental data includes data obtained from state source data warehouses or data obtained directly from Managed Care Plans. In addition, for any newly identified data issues in T-MSIS, the UPIC shall submit a ticket to CMS as directed in earlier guidance.
(Rev. 13494; Issued: 12-23-25; Effective: 01-26-26; Implementation:01-26-26)
Through ongoing collaboration with each state, the UPIC shall discuss areas of interest and convey CMS' priorities related to Medicaid fraud, waste, and abuse for purposes of potential investigations. As outlined in the UPIC statement of work, the UPIC shall be flexible and shall have the capability to adapt to the changing landscape of fraud, waste, and abuse in their jurisdiction. The UPIC shall keep CMS and the state informed as to the highest investigative priorities in such a way as to assure that CMS and the state always has a full understanding of the UPIC's highest priorities and supports State PI efforts.
Once an investigative area of interest is identified, the UPIC shall access the applicable Medicaid claims data for analysis through the CMS/CPI Integrated Data Repository (IDR).
Concurrently, the UPIC shall conduct state policy research and communicate with the appropriate state policy experts. Once the policies have been researched and clarified, the UPIC will conduct an analysis of the applicable data. The UPICs shall develop proactive, innovative and robust analytic tools for investigations that commence with an exposure (i.e. Medicaid dollars-at-risk associated with the specific scheme/allegation) greater than $50,000 total computable. If a state is interested in pursuing an audit where exposure does not reach the $50,000 threshold, UPICs shall ensure that the exposure is greater than the total cost of the audit. In these instances, the UPICs should consult with their Medicaid BFLs/CORs prior to lead screening to discuss the value of proceeding and document the reason for proceeding in the UCM case record. The threshold would not apply to cases where fraud is suspected.
Upon review of the data, clarification of policy interpretation, and agreement by the state on the focus of the investigation, the UPIC will identify those 'targets' or 'potential leads' that meet the criteria of the project and submit those potential leads to the Medicaid BFL for review/approval. When submitting a potential lead to CMS, the UPIC will submit the total dollars at risk for the allegation to be investigated. The dollars at risk do not include the total amount billed by the provider for all services. The dollars at risk will only include the dollars for the service code(s) that are outliers on any specific data algorithm or analysis, and which will be the focus of the investigation/audit. Once approved, those leads will then be screened in accordance with Section 3.3 of this manual. In lieu of a workflow diagram, please see the step-by-step process below to demonstrate this workflow.
Step 1: UPIC conducts proactive data study as a PDP/Data Project Record (DPR) in UCM.
Step 2: UPIC identifies potential targets it would like to pursue that are outliers on the data study and which meet or exceed the $50,000 threshold. It is understood that there may be numerous outliers in a large state, and the UPIC may choose to pursue only a portion of them at any one time. The DPR may remain open as it continues to generate leads, with the data being refreshed as needed, or at least
every 30 days per the Medicare PIM. 4.12.1. [The $50,000 threshold may not be applicable to certain projects such as opioid prescribing.]
Step 3: UPIC submits the potential provider targets, on an Analytic Findings Report (Appendix O), to Medicaid BFL with the total dollars at risk for the scheme. The Analytic Findings Report shall summarize the data analysis performed, identify potential leads that justify further action (also referred to as “actionable”), and provide recommendations for activities that may include further investigation, audit, referral to law enforcement, or administrative action.
Step 4: BFL approves or declines potential targets.
Step 5: For those targets which were approved, the UPIC will open a CSE in UCM within seven (7) calendar days of approval by the BFL and begin the screening process.
(Rev. 13494; Issued: 12-23-25; Effective: 01-26-26; Implementation:01-26-26)
Screening is the initial step in the review of a lead to determine whether further investigation/audit is warranted based on the potential for fraud, waste, or abuse. In addition to the guidance listed below, please refer to the Medicare PIM at Section 4.5 – Screening Leads if further guidance is needed.
The UPIC may identify leads through any number of sources:
a. Data Analysis: Discussions should take place between all stakeholders about data project analyses to facilitate the detection and prevention of fraud, waste, and abuse. In addition, the progress of data projects and/or investigations shall be communicated to partners on an ongoing basis through informal communications between the UPIC and the stakeholders. Prioritization is critical to ensure that resources are devoted to projects that are high priority to all the stakeholders including CMS, state Medicaid officials, and local law enforcement.
b. State Identified Leads: The SMA may provide leads to the UPIC that result from data analytics, tips, or any other source.
c. Medicare-related Leads: The UPIC may identify a lead resulting from work conducted in Medicare fraud, waste, and abuse.
d. Law Enforcement: The UPIC may receive Medicaid-related leads from law enforcement entities and/or through the HHS-OIG hotline.
e. CMS Identified Leads: These may include special projects (Moratorium, etc.), complaints from beneficiaries or their families via CMS regional offices, or inquiries from the CMS Administrator through SWIFT.
f. General Leads: The UPIC may receive or identify Medicaid-related leads from any source not identified above. These could include tips, newspaper, or internet articles.
g. Suspected Beneficiary Harm: CMS has a zero tolerance for beneficiary harm issues. When there is any indication that beneficiary harm may exists when investigating a lead, complaint, project, etc., the UPIC shall immediately contact the SMA and BFL with its preliminary findings. These allegations will be handled on a case-by-case basis dependent upon the severity of the potential patient harm.
Screening shall be completed within 45 calendar days after receipt of the lead.
If the lead resulted from data analysis conducted by the UPIC, the receipt of the lead shall be the date the lead was referred from the UPIC data analysis department to its investigation or screening unit. For a new lead that is identified from an active or current UPIC investigation, the receipt of the lead shall be the date the new lead was identified by the UPIC investigator.
Activities that the UPIC may perform in relation to the screening process include, but are not limited to:
Any screening activities shall not involve contact with the subject provider/supplier during this stage. If the lead involves potential patient harm, the UPIC shall immediately notify CMS within two (2) business days.
After completing its screening, the UPIC shall close the lead if it does not appear to be related to fraud, waste, or abuse. If the screening determines that further investigation is warranted, the UPIC will move forward with submitting the lead to vetting with CMS and the SMA. (See Section 3.4) The UPIC shall upload the IP in UCM for BFL approval.
At a minimum, the UPIC shall document the following information in its case file regarding the lead screening:
Additionally, if the screening process exceeds 45 calendar days, the UPIC shall document the reasons, circumstances, dates, and actions associated with the delay in UCM and to its COR and BFL within its monthly reporting in CMS ARTS.
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
All leads and any new providers that the UPIC determines warrant further investigation shall be vetted concurrently through the SMA and CMS for approval before transitioning to an investigation. Prior to submitting to CMS and SMA for vetting, with the exception of managed care plan leads, the UPIC will submit the proposed lead to the Medicaid BFL for review and approval. This is to ensure that projects of the highest priority are being addressed by the UPIC, and resources are being properly allocated.
When vetting with CMS, the UPICs shall follow the Medicare PIM 4.6 - Vetting Leads with CMS.
When vetting with the SMA, the UPIC will submit an initial referral form to the SMA (Appendix L). The SMA's acceptance or declination of the proposed investigation shall be clearly documented on such form and shall be uploaded into the Document section of UCM by the UPIC. In addition, the UPIC shall indicate in the 'State Involvement' tab the date vetting was sent to the SMA, the date the response was received, and the state's response.
If the SMA declines pursuing the provider/scheme (for example, the SMA has already investigated the provider or scheme and had no findings), then the proposed investigation
shall be closed. However, leads should not be closed due to delays in the state's response to vetting. Instead, the UPIC shall document any delays in the vetting process in UCM. If the SMA declines a potential investigation that the UPIC believes is a major risk to the applicable state Medicaid program, the UPIC will communicate this to the CMS COR/BFL team.
(Rev. 13494; Issued: 12-23-25; Effective: 01-26-26; Implementation:01-26-26)
An investigation/audit is the formal review of suspicious aberrancies in a provider's submitted Medicaid claims or financial payments to establish evidence that potentially fraudulent activities or other improper payments have occurred. The UPIC shall focus its investigation/audit in an effort to establish the facts and the magnitude of the alleged fraud, waste, or abuse and take any appropriate action to protect Medicaid dollars.
The investigative/audit process may differ by each SMA; therefore, the UPIC shall coordinate and confirm the use of its investigative approach with the SMA at the onset of the collaboration. This may include determining how joint investigations will be conducted. It is important that the two parties discuss the process early.
The UPIC shall document the final investigative plan of action and share with the CMS Medicaid BFL for review and approval prior to sharing with the SMA for final approval.
The UPIC, SMA, and CMS shall determine the level of effort required by the UPIC in support of an investigation. CMS shall make the final approval or disapproval of any investigative strategy.
Activities that the UPIC may perform in relation to the investigative process include, but are not limited to:
If additional guidance is needed, the UPIC shall consult with the Medicaid BFL on potential investigative strategies. If the SMA determines it would like the UPIC to utilize an audit and/or a financial accounting approach, the UPIC shall follow the guidance established by the SMA (i.e., Generally Accepted Government Auditing Standards) during an investigation.
Throughout the course of any investigation, CMS may request the UPIC to cease all activity associated with an open investigation and allow CMS to review the current status of the investigation. During this time, the UPIC shall take no action, including, but not limited to, investigative and administrative actions, unless otherwise directed by CMS.
Upon receiving CMS's request to review the investigation, the UPIC shall document in UCM the reason for ceasing investigative activities at that time. After CMS has conducted its review, CMS will provide the UPIC with a determination. If the UPIC is instructed by CMS to close the investigation without further action, the UPIC shall do so within two (2) business days. If the UPIC is instructed to continue its investigation, it shall proceed with the appropriate investigative and administrative actions. The UPIC shall discuss any questions regarding the decision with its COR and BFL.
In order to process investigations/audits in a timely manner, UPICs are expected to reach a decision on the ongoing status of a case within 180 days from the Medicaid Investigation Start Date. This would mean:
a) Determining whether there are low/no findings to pursue and submitting a request to close the investigation/audit to CMS; or b) Determining there is sufficient evidence that warrants a law enforcement referral and initiating the referral process by completing the Major Case Coordination (MCC) Pre/Post Meeting Report - Work Details (hereon referred to as the Executive Summary) and submitting to CMS; or, c) Identifying potential Medicaid overpayments and submitting an Initial Findings Report (IFR) to the SMA.
The UPIC shall not wait 180 days to request a discontinuance and closure of an investigation/audit due to low/no findings, begin making an LE referral, or begin developing the IFR. Action shall be taken once the investigation/audit has revealed what decision is needed. Please refer to Chapter 4 "Reporting Investigational Findings and Making Referrals" for more details on Close-Out Letters, LE referrals, and developing the IFR.
In addition, for any of these scenarios, vulnerabilities may be identified in the SMA's policies or processes that may warrant submitting the Vulnerability Template. Please refer to Chapter 4.11 of the Medicaid PIM on "Reporting State Vulnerabilities."
It is understood that investigations/audits may also be closed after an IFR has been issued to the SMA and/or the provider, and the findings have been changed due to the SMA's or the provider's feedback. Similarly, referrals to law enforcement may result in cases being returned to the UPIC with nothing to pursue. In these circumstances, closures following an IFR to the SMA/Provider or LE Referral would not be subject to the 180-day time frame.
(Rev. 11948; Issued:04-13-23, Effective: 05-15-23; Implementation: 05-15-23)
As Congress has appropriated limited resources to CMS for the audit and investigation of Medicaid providers through the UPICs across five jurisdictions, prioritization of the investigation workload is critical to ensure that the resources available are devoted
primarily to high-priority investigations. UPICs shall ensure that resources are used appropriately and to the maximum impact of protecting the integrity of the Medicaid program.
The UPIC shall follow the requirements in its UPIC SOW for prioritizing leads and will include consideration of CMS priority areas, along with the SMA’s areas of concern. The UPIC Medicaid Operations Lead shall prioritize work coming into the UPIC to ensure that investigations with the greatest program impact and/or urgency are given the highest priority. The UPIC shall prioritize all work on an ongoing basis as new work is received or developed. With the limited resources allocated for Medicaid investigations, the UPICs primary focus should be on high risk (potential patient abuse or harm) and high dollar exposure investigations/audits. The CMS priority areas will be communicated in writing to the UPICs and may change as the fraud, waste, and abuse environment changes. In turn, UPICs will need to adjust their workload to accommodate the changing environment.
In addition, UPICs shall share CMS’ priorities with SMAs to solicit interest from the state on other possible projects.
The UPIC shall contact its Contracting Officer’s Representative (COR) and Medicaid BFL if there are any questions or concerns about prioritization of workload.
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
While UPICs have the ability to extrapolate, they must first determine if each state allows for the use of extrapolation. Even if state law allows for extrapolation, based on the focus of the investigation, extrapolation may not be appropriate. For investigations where extrapolation can be used, the UPIC shall seek agreement from the SMA on the use of extrapolation and the parameters for applying extrapolation. The UPIC shall defer to the state’s policies on extrapolation, when applied. Each UPIC and state will continuously coordinate to determine the most efficient way to sample the claims universe and apply it to the investigation.
In addition, the UPIC may need to consult with its BFL on the appropriate use of extrapolation. The use of extrapolation may be dependent on the provider’s previous history with the SMA or other Medicaid contractors. When applicable, this information should be provided to the BFL in order to make a determination.
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
The UPIC shall defer to the state’s look-back period for purposes of conducting an audit or investigation. If the SMA’s look-back period exceeds five years, the UPIC shall consult with the COR and BFL on the appropriate review timeframe.
(Rev. 13494; Issued: 12-23-25; Effective: 01-26-26; Implementation:01-26-26)
Medical Review (MR) for program integrity purposes is one of the parallel strategies of the UPIC to encourage the early detection of fraud, waste, and abuse. The primary task of the UPIC is to identify suspected fraud, develop cases thoroughly and in a timely manner, and take immediate action to ensure that improper payments of Medicaid monies are identified. For this reason, the UPIC and the state must collaborate early in the development of the investigative process to ensure the UPIC is following the necessary state policies/guidelines, the policy/guidelines are interpreted accurately, and that grounds for potential appeals are taken into consideration. If the SMA prefers that the UPIC utilizes an audit protocol (i.e., Generally Accepted Government Auditing Standards), the UPIC shall follow those established protocols. Additionally, the UPIC and SMA staff shall coordinate and communicate throughout the course of the investigation/audit to prevent inappropriate duplication of review activities.
Typically, the focus of program integrity MR includes, but is not limited to:
It is essential that the MR is integrated early in the investigative plan of action to facilitate the timeliness of the investigative process. Before deploying significant MR resources to examine claims/claim lines identified as potentially fraudulent, the UPIC may perform a MR probe to validate the data analysis or allegation by selecting a small representative sample of claims/claim lines. The general recommendation for a provider/supplier-specific probe sample is 20-40 claims/claim lines. This sample size should be sufficient to determine the need for additional post-payment MR actions. MR resources shall be used efficiently and not cause a delay in the investigative process. In addition, development of an investigation shall continue while the contractor is awaiting the results of the MR.
The UPIC shall follow Medicare PIM Chapter 3.3.1.1 - Medical Record Review, all other applicable chapters of the PIM, and any applicable state specific medical review requirements, where applicable, unless otherwise instructed in this chapter and/or in its Task Order Statement of Work (TO SOW). If there is a discrepancy between the methodologies outlined between the state and Medicaid PIM, the UPIC shall consult with its COR and BFL for guidance. To promote investigation timeliness, the UPIC shall complete the MR process within 60 calendar days, unless otherwise directed by CMS, as stated in Medicare PIM Chapter 3.3.1.1.
1. 1. The UPIC shall maintain current references to support MR determinations. The review staff shall be familiar with the below references and be able to track requirements in the internal review guidelines back to the statute or manual. References include, but are not limited to: - • State statutes, administrative code, and/or specific state Medicaid policies and guidance; - • Code of Federal Regulations; - • CMS guidance; and - • Internal review guidelines (sometimes defined as desktop procedures).
2. 2. The UPIC shall have specific review parameters and guidelines established for the identified claims/claim lines. Each claim/claim line shall be evaluated using the same review guidelines. The claim/claim line and the medical record shall be linked by patient name, applicable Medicaid ID, diagnosis, Medicaid claim number, and procedure when providing feedback to the SMA regarding the review outcome.
3. 3. The UPIC shall evaluate if the provider specialty is reasonable for the procedure(s) being reviewed. For example, chiropractors should not bill for cardiac care, podiatrists for dermatological procedures, and ophthalmologists for foot care.
4. 4. The UPIC shall evaluate and determine if there is evidence in the medical record that the service submitted was actually provided, and if so, if the service was medically reasonable and necessary. The UPIC shall also verify diagnosis and match to age, gender, and procedure.
5. 5. The UPIC shall determine if patterns and/or trends exist in the medical record that may indicate potential fraud, waste, abuse or demonstrate potential patient harm.
6. 6. The UPIC shall evaluate the medical record for evidence of alterations including, but not limited to, obliterated sections, missing pages, inserted pages, white out, and excessive late entries. The UPIC shall not consider undated or unsigned entries handwritten in the margin of a document. These entries shall be excluded from consideration when performing medical review.
7. 7. The UPIC shall adjust payment for the service, in part or in whole, depending upon the service under review, when medical records/documentation do not support services billed by the provider/supplier.
8. 8. The UPIC shall thoroughly document the rationale utilized to make the MR decision.
9. 9. The UPIC shall coordinate with the SMA to validate the review, in order to ensure
the necessary state policies/guidelines were referenced and interpreted accurately.
10. The UPIC shall follow the guidance provided in Chapter 4 of this manual on documenting medical review findings.
(Rev. 13494; Issued: 12-23-25; Effective: 01-26-26; Implementation:01-26-26)
At the beginning of any review, the UPIC sends the provider a record request letter, which includes a request for specific Medicaid medical records (Appendix C). The UPIC shall collaborate with the SMA to determine if additional steps are required and/or if state approval is required prior to sending record requests to the provider. The UPIC will allow the provider 30 days to produce the records, with a permissible 15-day extension if requested by the provider, unless otherwise specified by the SMA or CMS. If no records are received within the specified timeframe and the provider has made no reasonable attempt to provide the requested records, the UPIC shall document this with CMS and the state, and move forward with the investigation/audit.
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
On occasion, law enforcement agencies may request assistance from the UPIC in conducting an investigation or may request information to assist in carrying out an investigation. These are referred to, respectively, as Request for Assistance (RFA) and Request for Information (RFI).
An RFA is commonly submitted to the UPIC to request clinical expertise that the law enforcement agency may be lacking. This may be in the form of a medical review of clinical records. In these circumstances, the UPIC does not engage the provider directly. Instead, the law enforcement agency obtains the medical records (often through a subpoena) and provides the records to the UPIC for the clinical review. The UPIC will not share findings from the medical review with the provider as in other investigations/audits for the SMA. Instead, the findings are shared directly with the law enforcement agency to help support their investigation. In these circumstances, no contact is to be made with the provider unless the law enforcement agency permits it. The SMA may be notified, if law enforcement is in agreement, so that the SMA may take any administrative actions that may be needed.
For an RFI, a law enforcement agency may request specific information, usually in the form of data, regarding a specific provider.
Additional requirements and guidance related to RFIs and RFAs can be found in the Task Order Statement of Work, along with the Medicare PIM guidelines at 4.8 – Requests for Information from Outside Organizations.
The CMS has established a level of effort limit of 40 hours for any individual request for support RFIs and RFAs. If the estimated level of effort to fulfill any one request is likely to meet or exceed this figure, the UPIC shall contact its COR for approval to proceed. A CMS representative will contact the HHS-OIG to explore the feasibility of other data search and/or production options. The UPIC shall obtain approval from the COR regarding requests started by the UPIC that it subsequently anticipates will exceed that 40-hour level of effort. The UPIC shall not exceed the 40-hour level of effort until it receives COR approval.
Additionally, if an outside organization (including a law enforcement agency) is requesting only Medicaid claims data, the UPIC shall refer the requestor to the SMA to have the request fulfilled. However, if an outside organization is requesting Medicaid claims data, in addition to Medicare and/or Medicare/Medicaid crossover claims data, the UPIC can fulfill the request. However, the UPIC shall notify and gain approval by the SMA prior to releasing the Medicaid claims data.
The Center for Program Integrity (CPI) has developed an audit strategy to address Medicaid managed care utilizing the resources of the Unified Program Integrity Contractors (UPICs). This strategy and the resulting investigative/audit work will help drive CPI's efforts related to Medicaid managed care program integrity oversight.
These audits will focus solely on the program integrity efforts of the state's managed care plans (MCPs) and will not include other administrative operations such as calculating medical loss ratios.
For FFY 2024, the strategy is being revised and expanded to capture quality issues that may impact beneficiaries' access to care that include reviewing the adequacy of the MCP's provider network to meet beneficiaries' needs, and the timeliness of receiving medically necessary preventive services.
The strategy will provide greater insight into program integrity oversight and fraud, waste, and abuse risks in Medicaid managed care by identifying:
• Shortcomings in the provision of preventive services for children, adults, and pregnant/post-partum females.
Previously the audits/investigations were conducted in four components in two stages. The audits/investigations will now be conducted as one project and captured in a single IFR and FFR for each MCP. For some components of the review, the report may only identify non-monetary findings, which reflect deficiencies in program integrity activities. For other components, there may be an identified overpayment or dollars at risk due to the program deficiency. Additional direction regarding this process shall be provided by CMS.
The time frame for this project is being modified to allow additional time to reach the IFR. The UPICs will have 210 days to submit the IFR to the SMA. The time frame for traditional work will remain at 180 days. All other time frames for investigation/audit work will apply. As usual, any delays outside of the control of the UPIC shall be documented in the CSE record in UCM.
Due to the expansion and scope of the project, which includes numerous data analytics, the UPICs will collaborate with CMS/CPI's Program Integrity Modeling and Analytics Support Contractors (PIMASCs) for much of the work. The UPICs will be responsible for reviewing state contracts and policies for the needed information and communicating the data needs to the PIMASCs. In addition, the UPIC's role will be essential in working with the PIMASCs to create valid models and review the data once it is received to ensure that the UPIC has the necessary data to continue its audit of the plan.
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
For states having 10 or fewer MCPs, all MCPs will be reviewed, unless otherwise directed by CMS. In states having more than 10 MCPs, a sample of 10 MCPs will be selected, unless otherwise directed by CMS. A lead (CSE) will be opened in UCM on each MCP selected.
The project will have five different sections addressing both program integrity oversight by the MCPs, along with quality of access to care for beneficiaries. The five sections include:
a) Review of Managed Care Plans' Compliance Efforts b) Review of Paid Claims to Network Providers c) Review of Denied Claims and Denied Prior Authorizations d) Review of Provider Network Adequacy e) Review of Preventive Services
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
This section will include a review of the activities that the MCPs engage in to protect the Medicaid program. This may include, but is not limited to data analytics, cost avoidance measures, investigative procedures, and analysis of payments made to the plans and/or providers.
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
In this section of the MCP audit, the UPIC will audit a broad sample of claims paid by the MCP to its network providers for the past two (2) federal fiscal years. The sample will focus on areas identified as high priorities for CMS and which are frequently reviewed by program integrity groups. This stage will aid in determining if program integrity efforts are sufficient or should be increased. Additional direction regarding this process shall be provided by CMS.
For this section, the MCP remains the primary subject in UCM, and the selected providers for review will be secondary subjects. If, while reviewing the provider’s records, the UPIC finds evidence of questionable billing that is outside the scope of the current audit, the UPIC shall open a separate lead on the provider as part of the UPIC’s traditional work.
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
In this section, the UPIC will separately analyze the denied claims and denied prior authorizations of services and prescriptions for the past two (2) federal fiscal years to determine if any patterns exist that may be indicative of underutilization of services and/or avoiding payment for high-dollar services, prescriptions, or items.
For this section, the MCP will remain the primary subject. The providers, whose records will be requested from the MCP to support/refute the denial, will be secondary subjects and vetted accordingly. If, while reviewing the provider’s records, the UPIC finds evidence of questionable billing that is outside the scope of the current audit, the UPIC shall open a separate lead on the provider as part of the UPIC’s traditional work.
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
The UPIC will review the state’s contracts with their MCPs in accordance with the federal regulations and evaluate the adequacy of the MCPs’ provider networks, and accuracy of provider network disclosures, to ensure beneficiaries have access to needed health care.
For this component, the UPIC, working collaboratively with the PIMASCs, will evaluate the MCP's compliance with state and federal requirements for provider network adequacy. The UPIC shall become familiar with the federal regulations for Medicaid Managed Care network adequacy standards at 42 CFR § 438.68.
(Rev. 12871; Issued: 10-11-24; Effective: 11-14-24; Implementation: 11-14-24)
This component will evaluate the frequency and scope of delivery of routine preventive services at medically recommended intervals. The data will be reviewed separately for three categories of preventive services:
a) Children/youth under the age of 21. b) Adults, general health care. c) Pregnant and post-partum women, and newborns, including prenatal, postpartum, and neonatal care.
The UPIC will review the state's contract for coverage of required preventive services for these three categories. If the information is not specifically outlined in the state's contract or elsewhere within state policy, the UPIC will follow the basic guidelines as provided by CMS for assessing preventive services. Where state contract may conflict with the CMS-provided guidelines, the UPIC will follow the state contract.
The PIMASCs will collect demographic data, e.g. age, race/ethnicity, sex, and zip code, for all three categories of preventive services, as well as the demographics data for total enrolled beneficiaries of the MCP. The PIMASCs will provide the raw data results and analyses to the UPIC for inclusion in the findings reports.
| Rev # | Issue Date | Subject | Impl Date | CR# |
|---|---|---|---|---|
| R13494MPI | 12/23/2025 | Updates of Chapters 1-5 in Publication (Pub.) 100-15, Including Updates to the Guidance Terminology, Existing Definitions, and Details to Standing Guidance | 01/26/2026 | 14275 |
| R12871MPI | 10/11/2024 | Updates of Chapter 1, Chapter 2, Chapter 3, Chapter 4, and Appendices in Publication (Pub.) 100-15, Including Auditing of Program Integrity Activities in Managed Care Plans | 11/14/2024 | 13720 |
| R12467MPI | 01/18/2024 | Updates of Chapter 1, Chapter 3, and Chapter 5 in Publication (Pub.) 100-15, Including Updates to the Definitions and Additional Clarification to the Proactive Project Development and Creation of Overpayment Records Guidance | 02/19/2024 | 13403 |
| R11948MP | 04/13/2023 | Updates of Publication (Pub.) 100-15, Including Revisions to Chapters 1 and 2, and the Addition of Chapters 3, 4, 5, and Appendices | 05/15/2023 | 13141 |
| R1MPI | 09/23/2011 | Initial Publication of Manual | 09/23/2011 | NA |
Back to top of Chapter