Medicare’s program integrity framework relies on multiple layers of auditing activity. For most providers, the two audit types most likely to affect day-to-day operations are those conducted by Medicare Administrative Contractors (MACs) and Unified Program Integrity Contractors (UPICs). Though both are federal audit mechanisms operating under the authority of the Centers for Medicare & Medicaid Services (CMS), they differ substantially in their purpose, scope, and consequences.
Understanding the distinction is essential for any provider billing Medicare or Medicaid.
What Are MAC Audits?
MAC audits are part of a Targeted Probe and Educate (TPE) process. These audits examine claims to ensure Medicare regulatory compliance and can impact a healthcare business’s operations.
Medicare Administrative Contractors (MACs) are the private entities that CMS contracts to process and pay Medicare claims within defined geographic jurisdictions. MACs handle the administrative infrastructure of the Medicare program. They adjudicate claims, issue payments, and conduct routine review activity to ensure that claims submitted to them are accurate and complete.
MAC audit activity generally falls into two categories:
- Automated Review involves no human review of medical records; the MAC’s systems flag claims that fail specific coding or billing edits and deny or automatically adjust them..
- Complex Review (also called Additional Documentation Requests, or ADRs) involves the MAC requesting supporting documentation from the provider to substantiate a claim that has already been paid or is pending payment. The MAC then reviews those records and makes a coverage or coding determination.
MAC audit activity is primarily administrative and corrective. When a MAC identifies overpayments through its review processes, it issues a demand letter seeking repayment. Providers have the right to appeal through the Medicare appeals process, which proceeds through five levels: redetermination by the MAC, reconsideration by a Qualified Independent Contractor (QIC), hearing before an Administrative Law Judge (ALJ), review by the Medicare Appeals Council, and finally, federal district court.
MAC audits are routine. They are a normal part of claims administration, and most providers will encounter ADR activity at some point. They do not, in themselves, signal suspicion of fraud.
What Are UPIC Audits?
A Unified Program Integrity Contractor (UPIC) audit is a targeted investigation authorized by the Centers for Medicare & Medicaid Services (CMS) to detect, investigate, and prevent fraud, waste, and abuse within the Medicare and Medicaid programs.
Unified Program Integrity Contractors are a different instrument from MACs. UPICs were established by CMS to consolidate the program integrity functions previously spread across several contractor types, including Zone Program Integrity Contractors (ZPICs), Program Safeguard Contractors (PSCs), and others, into a single, coordinated structure.
Each UPIC covers a defined geographic region and has jurisdiction over both Medicare and Medicaid, giving it a broader mandate than a MAC.
Where MACs are primarily concerned with claims accuracy and administrative compliance, UPICs are explicitly investigative bodies. Their statutory and contractual authority is oriented toward the detection, investigation, and referral of fraud, waste, and abuse.
When a UPIC opens a review of a provider, it is not simply auditing for billing errors. It is conducting a law enforcement-adjacent investigation that may result in referrals to the Department of Justice, the HHS Office of Inspector General (OIG), or state Medicaid fraud control units.
The tools available to a UPIC reflect this investigative posture. In addition to requesting medical records, a UPIC may conduct unannounced site visits to a provider’s place of business. It may interview staff and patients. UPICs may coordinate with federal law enforcement agencies.
Critically, a UPIC has the authority to recommend that CMS impose a Temporary Medicare Payment Suspension on a provider under 42 C.F.R. § 405.371, which means that Medicare payments to the provider can be withheld while the investigation is ongoing. For many practices, this represents an immediate and severe cash flow disruption that can threaten business viability. Knowing how to respond to UPIC audit requests can help protect your practice and prevent criminal referrals after the audit.
What Are the Core Differences Between MAC and UPIC Audits?
| Feature | MAC Audit | UPIC Investigation |
| Primary Intent | Proceeds from a presumption of error (mistakes). | Proceeds from a suspicion of misconduct (fraud or abuse). |
| Scope of Review | Narrow & Discrete: Typically focuses on a specific sample of claims within a single billing category. | Broad & Intensive: Less bounded document requests; may revisit the same provider repeatedly over an extended period. |
| Initial Contact | Typically sends a demand letter. | May send a federal agent to the provider’s location. |
| Process & Handling | Findings are handled through the standard administrative appeals process. | Findings can be referred to federal prosecutors or state attorneys general for legal action. |
| Legal Framework | Generally, regulatory compliance and billing accuracy. | Potential action under the False Claims Act, Anti-Kickback Statute, or Stark Law. |
| Primary Risks | Financial Risk: Determination of overpayment that must be paid back. | Existential Risk: Reputational damage, loss of licensure, and potential criminal or civil liability. |
What Does This Mean for Medical Professionals Responding to Healthcare Audits?
Receiving an ADR from a MAC is a routine compliance event that requires a prompt, organized response, but does not, by itself, require the involvement of legal counsel. Providers should maintain robust documentation practices, respond within the specified timeframe, and submit the most complete clinical record available to support the claim under review. If the MAC’s determination is unfavorable, the appeals process provides multiple opportunities to present additional evidence and legal argument.
Receiving a UPIC records request, a site visit, or a payment suspension notice is materially different.
The appropriate response is to engage experienced healthcare audit counsel before providing any documents, making any statements, or communicating substantively with UPIC investigators.
Providers should be aware that documents produced to a UPIC may subsequently be shared with law enforcement. Statements made to UPIC investigators are not protected communications. The investigative phase is where the record that will support or undermine any future legal defense is being established, and uncoordinated responses can cause significant harm.
Regardless of audit type, proactive record-keeping is the best way to avoid potential penalties. Maintaining thorough, contemporaneous clinical documentation, conducting periodic internal billing audits, and training billing staff on applicable coverage requirements and coding standards substantially reduces exposure to both MAC adjustments and UPIC scrutiny.
Book a Free UPIC or MAC Audit Consultation with Lowther Walker
Lowther | Walker’s healthcare audit attorneys have proven experience defending healthcare professionals nationwide. Schedule your free consultation today for a proactive, effective response to MAC and UPIC auditor requests.
UPIC and MAC Audits – Frequently Asked Questions
Can a MAC audit escalate into a UPIC investigation?
Yes. MACs are required to refer potential fraud indicators to the relevant UPIC. A pattern of billing anomalies identified through MAC review, including high denial rates, aberrant utilization compared to peers, or repeated claims for services that do not meet coverage criteria, can trigger a referral that initiates a UPIC investigation.
Can a provider bill Medicare while under a UPIC payment suspension?
A payment suspension does not prevent a provider from submitting claims; it suspends the release of payment on those claims. Providers may continue to treat Medicare patients, but payments are withheld pending resolution of the investigation. The suspension may be lifted, converted to an overpayment demand, or extended, depending on the findings.
Do UPIC audits cover Medicaid as well as Medicare?
Yes. Unlike MACs, which have jurisdiction only over Medicare, UPICs have concurrent jurisdiction over both Medicare and Medicaid. A single UPIC investigation can encompass a provider’s billing activity in both programs simultaneously.
What is the timeframe for responding to a MAC ADR?
MAC ADR letters typically provide 45 days from the date of the request to submit the requested documentation. Failure to respond or submission of an incomplete response will generally result in a denial of the claim. Extensions may be available in limited circumstances.
Is a UPIC site visit the same as a law enforcement raid?
No. A UPIC site visit is conducted by contractor employees, not law enforcement officers. Investigators do not carry arrest authority and cannot compel entry without consent. It is advisable to have counsel available by telephone and to avoid allowing investigators unsupervised access to records or staff before consulting with legal counsel.
If a MAC audit results in an overpayment demand, is repayment required immediately?
No. Providers who appeal a MAC determination are not required to repay while the appeal is pending, provided they submit their appeal within the applicable timeframe. However, if the provider does not appeal or exhausts the appeal process unsuccessfully, CMS will seek recovery offset against future Medicare payments or other collection mechanisms.
Does participating in a UPIC investigation voluntarily reduce potential penalties?
Cooperation with investigators can be a relevant factor in enforcement outcomes, but voluntary cooperation is not a substitute for legal counsel, and its value depends heavily on the circumstances of the investigation. Providers should not interpret a cooperative posture as a reason to forgo legal representation.
Can a provider’s Medicare enrollment be revoked as a result of an audit?
Yes. CMS has the authority to revoke a provider’s Medicare enrollment for a range of conduct, including submission of false or fraudulent claims, failure to report overpayments within the required timeframe, or a pattern of improper billing. Revocation carries a re-enrollment bar that can extend up to ten years in cases involving fraud.
References and Further Reading for Healthcare Providers Under Audit
Centers for Medicare & Medicaid Services. (n.d.). Targeted probe and educate (TPE). U.S. Department of Health and Human Services. https://www.cms.gov/research-statistics-data-and-systems/monitoring-programs/medicare-ffs-compliance-programs/medical-review/targetedprobeandeducate
Centers for Medicare & Medicaid Services. (2023). Medicare program integrity manual: Chapter 3 – Verifying potential errors and taking corrective actions (Pub. 100-08). U.S. Department of Health and Human Services. https://www.cms.gov/regulations-and-guidance/guidance/manuals/downloads/pim83c03.pdf
Centers for Medicare & Medicaid Services. (2023). Medicare program integrity manual: Chapter 4 – Program integrity (Pub. 100-08). U.S. Department of Health and Human Services. https://www.cms.gov/regulations-and-guidance/guidance/manuals/downloads/pim83c04.pdf
False Claims Act, 31 U.S.C. §§ 3729–3733. (2006). https://uscode.house.gov/view.xhtml?path=/prelim@title31/subtitle3/chapter37/subchapter3&edition=prelim
Suspension, offset, and recoupment of Medicare payments to providers and suppliers of services, 42 C.F.R. § 405.371. (2011). https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-405/subpart-C/section-405.371
