Latest In Healthcare Management

When the Auditor Comes Knocking

Stephen D. Bittinger, Esq.

Medicare Zone Program Integrity Contractor (ZPIC) audits can cripple a practice.
Be aware of your rights when a ZPIC auditor arrives.
Proactivity is key to successful defense in a ZPIC audit.
Improper documentation is a leading cause of ZPIC audits.
A constantly monitored compliance program will help safeguard the practice.

The practice manager still remembers the day when the Medicare Zone Program Integrity Contractor (ZPIC) auditor showed up at the front door of the office. The auditor came unannounced, armed with several individuals who flashed credentials and, to the staff’s terror, started taking pictures of the office while demanding copies of patient records.

When asked by the auditor to produce the practice’s compliance manual, the manager, who was extremely diligent at her job, went directly to the company files and confidently produced the template manual that the practice had purchased online two years earlier for around $500. It had been collecting dust since then.

Using this manual as the basis for the practice’s compliance plan, as required by Medicare, the office manager soon learned that the document she was utilizing was grossly outdated and not at all compliant with Medicare’s requirements, which mandate a plan that is specifically tailored to the individual practice, providers, and services.

Unfortunately, the actual practice compliance plan (derived and implemented from the outdated manual) failed to detail information on the actual staff who worked there, noting individual roles, duties, a plan of action for reporting items deemed out of compliance, or a self-disclosure protocol for non-compliant findings.

Because of these and other non-compliance issues, Medicare’s final ruling in the audit went against the practice, resulting in extraordinary penalties and interest that nearly bankrupted the business. Countless hours were spent preparing for the audit defense. Countless tears were spilled as worried employees feared for their jobs. And countless hands were wrung in hopeful anticipation of a final ruling.

It all started with a ZPIC auditor walking through the front door.

Are you ready?

As a practice or compliance manager at your health entity, how would you have reacted to this scenario? Have you adequately prepared your staff for the inevitable arrival of the ZPIC auditor? Do you have a plan of action for when that private payer audit letter arrives? Are you prepared to respond to a records request from Medicare or your private payer?

Proactive compliance is the key ingredient to any audit. An effective, proactive plan begins with understanding and asking the right questions to develop a comprehensive response. In an effort to make your job easier, I’ve compiled the most common questions that I’ve been asked in my years of audit defense for health entities around the country, beginning with the most-asked query.

What should I do when a ZPIC auditor walks into my office?

First and foremost, you need to know that if an auditor shows up at your front office unannounced, do not panic. I say that confidently, knowing that all practices have certain rights—one of which is to refuse an on-the-spot inspection, even if it’s demanded by the auditor. Auditors are not police with a search warrant, and there are very tight reigns on their scope of authority.

You have the right to counsel before speaking with any investigator. That means when an auditor shows up, your first course of action is to call your attorney. Moreover, you shouldn’t have to struggle locating that attorney’s phone number, since any healthcare attorney who actually handles audit defense will always provide a 24-hour cell phone number to their clients for this reason.

You also have the right to produce requested documentation within a typical 30-day period, which is precisely what your counsel should tell the auditor over the phone. Just make sure you get the auditor’s full contact information.

There’s no reason to panic when the auditor arrives. There’s certainly no reason to be bullied. Remain calm and let your legal counsel respond accordingly.

How important is my counsel through all of this?

Because of the many intricacies and ultimate risks involved in undergoing a ZPIC audit, it’s imperative that you retain the services of knowledgeable healthcare counsel that fully understands your practice and its mechanics and knows the compliance end of the business. It also helps to have an expert who has previously dealt with ZPIC auditors.

Sure, it’s sometimes troubling to think that you need an attorney for every aspect of your business, but the reality is that there’s too much on the line when you’re faced with an audit, and you need white-collar counsel to make sure nothing goes wrong. Make sure your legal resource is 100% focused on healthcare law. Your corporate or personal injury attorney may be a great guy, but this is a totally different ballgame.

Why is data collection so important in an audit?

A ZPIC audit is initiated to determine possible fraud and abuse within a practice, and once it’s launched, the burden falls on the provider to prove that the alleged fraud and abuse don’t exist. That’s why the data collection step is the most important part of any audit.

Further, most audits only allow a short 30-day period to collect, organize, and present requested documentation to the auditor. Yes, all that work is going on while still maintaining day-to-day operations for the business. The stress can be unbearable.

Due to the production burden, providers often make the mistake of assembling data in incomplete bits and pieces, which many times results in a sample that isn’t truly representative of the practice as a whole. This is generally how good, meaningful practices end up with 90% error rates, which presents a skewed picture that gets compounded when the erred sample is spread over seven years “for good cause.”

The initial data collection process needs to be thoroughly planned out in a way that produces the most complete sampling for the auditor, presents a true representation of practice compliance, and enables counsel to present a strong, effective defense if the need arises.

Here are the top four errors we see that can potentially harm a practice undergoing an audit:

  • Producing more documentation than was requested. I know, I just excoriated readers for not assembling the proper amount of data that adequately represents the practice. On the flip side, why furnish information that isn’t requested and can possibly raise even more questions? Concentrate on the items requested and get that part right.
  • Providing billing records. Simply put, if you’re not asked for billing records, don’t you dare produce them. If the billing company was causing the problem, the auditor won’t ask them to pay the money back. Get the services straight first and determine billing errors internally, if possible.
  • Furnishing hybrid documentation. If you utilize both an electronic health record (EHR/EMR) and a physical records system, and you only produce half the record, that’s not enough documentation to tell the whole story. Services with incomplete documentation are always denied.
  • Schedules don’t match up. If the provider work schedules don’t match up with the services provided dates, you’re asking for trouble. No need to say more.

An audit is not the time to realize you haven’t kept up with compliance. You need sufficient and ongoing monitoring and processes to be proactive in your compliance procedures, which will greatly help in the defense of an audit.

What about the private payer audits? Are they any different?

In the private payer sector, you’re normally well into an audit before you ever receive the initial audit letter. Private payers are traditionally slow to notify you that you’re under audit. So the rule of thumb is to pick up the phone and contact your legal counsel when you notice a pattern of denied services, and not after you get a letter notifying you the practice is in a special investigations unit (SIU) audit.

Side note: If you decide to contact the private payer after receiving the audit notice, know that the person you speak with on the claims hotline won’t have a clue as to what’s going on and will be unable to tell you the level of scrutiny you’re presently under.

One way to predict an audit is to constantly keep watch over your denials and down-coded claims. Always check your explanation of benefits (EOBs) to get a feel for the pattern of denials. Audit departments rely on data-miners to “ping” on a specific pattern to determine the frequency of the error and to see if you’re making any attempt to correct the error on your end.

It’s important that you use certified coders in the office to ensure that all coding is precise and that there is a clear understanding of your payer policies. Keep an eye on regular email blasts from your payers that contain policy alerts, and conduct regular payer policy reviews (preferably on a quarterly basis).

Remember, it’s your compliance officer’s responsibility to stay up-to-date on these items and to make sure everyone else does too.

What’s the best practical tool to safeguard against an audit?

The best practical tool is a simple spreadsheet for tracking. If utilized correctly, a spreadsheet that outlines frequency of denials and records requests by payer and service type will clearly show you where your vulnerabilities lay. That spreadsheet will become a precursor to an audit, and may prevent such an event from occurring. As you most likely hear on a regular basis, internal tracking is incredibly vital.

How is my practice expected to pay this penalty and overpayment?

When you factor in penalty and interest, ZPIC audits can potentially devastate a practice. In the event you incur a financial penalty and/or significant overpayment recoupment demand, make certain you consider an extended repayment schedule (ERS), which enables you to make payments over a 60-month period. For a majority of private practices, this debt-management tool could be difference between life or death for the business, despite the brutal interest rate.

In the unfortunate event that “death” falls upon the business, you should know that the pain doesn’t go away if the business goes away. As allowed by law, Medicare has the distinct ability to “pierce the corporate veil” and hold individuals liable for liabilities over $100,000.

But it was my billing company that really messed up. Shouldn’t they be liable?

Despite what they may say, third-party billing companies have absolutely no duty to a payer to ensure that the codes are accurately compliant with payer policies. They only to make sure the process goes through the billing system. You’re held liable for your coding. Frankly, Medicare doesn’t care who made the mistake and why. Rest assured that they’re coming after your doctor for that mistake.

What are some rules to live by in preparing a proactive compliance program?

  • The operative word is “proactive.” Maintaining the ongoing assumption that you’ll eventually be audited will cause your practice to operate in a constantly monitored compliance mode that focuses on:
  • Adherence to payer policies (and updates) and maintaining procedures that match payer guidelines;
  • Guarding against intentionally submitting false information, including misdiagnoses, patterns of unnecessary service, and consistent lack of medical necessity;
  • “Fast” compliance, which utilizes a coding expert on-site, involves regular management of denied payments, maintains auditing and monitoring, implements internal and external compliance follow-ups, recognizes problems when they occur, and responds swiftly and accordingly; and
  • Fostering a culture of compliance that comes from the top-down, keying on preventing, detecting, containing, and correcting.

How do I know when the audit is complete?

Never assume you’ve completed everything involved in the audit until you receive a formal “close” letter from the auditor or the payer. Request one if you don’t get one voluntarily, and keep it on file.


Proactive compliance and knowing your legal rights are the keys to preventing or surviving a ZPIC audit.


About The Author

Stephen D. Bittinger ( is a Principle with BITTINGER | LAW in the Cleveland, Ohio.