Understanding Federal Audits: Who's Contacting Your Practice?

Four federal entities knock on providers’ doors—but only one is actually there to collect money

By Elizaveta Bannova, Billing Department, WCH | Education Officer, AAPC

Last month, a physician called our office in a panic. “We’re being audited by the government,” she said, her voice shaking. “They want five years of records. Should I shut down the practice?”

I asked her to read me the letterhead. It wasn’t the government. It was a routine insurance utilization review—something we handle weekly without breaking a sweat.

This confusion isn’t rare. In fact, it’s epidemic. Providers use “audit” as a catch-all term for everything from a simple claim follow-up to a federal criminal investigation. The problem? When you don’t know who’s actually contacting you, you can’t respond appropriately—and inappropriate responses can turn a manageable situation into a catastrophic one.

After fifteen years in healthcare billing and compliance, I’ve seen practices waste tens of thousands on legal fees for issues that needed a simple corrective action plan. I’ve also seen practices treat serious enforcement actions casually, only to face payment suspensions or worse.

Here’s what you’re actually dealing with when that letter arrives.

The Four Entities—At a Glance

Entity	What They Are	Who They Work For	What They Actually Do	Can They Take Your Money?	Can They End Your Career?
UPIC	Medicare’s fraud investigators	CMS	Find billing patterns that look wrong, demand records, calculate overpayments	Yes—including extrapolation	No—but can recommend exclusion
OIG	Federal law enforcement	HHS	Investigate serious fraud, exclude providers, refer for prosecution	Yes—through settlements	Yes—mandatory exclusion power
GAO	Congress’s research arm	U.S. Congress	Study whether programs work, write policy reports	No	No
“DOGE”	Political discussion	N/A	No actual enforcement authority existed	No	No

1. Unified Program Integrity Contractors (UPICs): Primary Investigators of Program Integrity

Unified Program Integrity Contractors (UPICs) serve as specialized investigators focused on identifying irregularities in billing practices and service delivery. Authorized by the Centers for Medicare & Medicaid Services (CMS), UPICs are responsible for detecting fraud, waste, and abuse within the Medicare and Medicaid programs.

Primary Focus Areas: Hospitals, clinics, pharmacies, and billing entities that submit claims for reimbursement.

Investigative Methods:

Analysis of large datasets to identify anomalies, such as unexpected increases in billing volumes or deviations from peer benchmarks.

Review of claims extending up to five years or longer into the past.

Requests for complete medical records to substantiate claims.

Extrapolation of findings to assess the scope of potential overpayments.

Referral of substantiated cases to authorities such as the Office of Inspector General (OIG) or the Department of Justice (DOJ).

Enforcement Measures: UPICs may recommend suspension of payments, revocation of provider licenses, or exclusion from federal programs, which can lead to subsequent legal proceedings.

Operational Approach: Investigations by UPICs involve rigorous scrutiny, requiring prompt and thorough responses from affected parties to resolve inquiries.

Upon receipt of a UPIC notification, immediate action is essential, including comprehensive documentation of all relevant activities.

2. Office of Inspector General (OIG) at the Department of Health and Human Services (HHS): Oversight and Enforcement Authority

The OIG, operating under the Department of Health and Human Services (HHS), conducts comprehensive audits and investigations to ensure accountability across the healthcare sector.

Primary Focus Areas: Healthcare providers and suppliers, as well as vendors, state agencies, and even CMS operations.

Investigative Methods:

Initiation of inquiries that may result in criminal charges or civil monetary penalties.

Publication of detailed reports addressing systemic vulnerabilities, such as deficiencies in Medicare Advantage risk adjustment processes.

Issuance of subpoenas, performance of interviews, and establishment of Corporate Integrity Agreements to enforce compliance.

Imposition of exclusions from federal healthcare programs for non-compliant entities.

Enforcement Measures: Direct coordination with the DOJ for prosecutions, negotiation of substantial settlements, and maintenance of exclusion lists.

Operational Approach: OIG investigations are conducted with stringent standards, emphasizing compliance and accountability.

It is noteworthy that UPICs frequently provide foundational evidence upon which the OIG bases its enforcement actions. Coordinated efforts between these entities underscore the importance of professional legal representation.

3. Government Accountability Office (GAO): Strategic Policy Evaluators

The GAO, reporting to Congress, adopts a high-level perspective on federal program efficacy, prioritizing systemic evaluations over individual case investigations. Its mandate centers on assessing the allocation and impact of federal resources.

Primary Focus Areas: CMS, HHS, state-level implementations, and overarching federal healthcare initiatives.

Evaluative Methods:

In-depth analyses of policies, performance indicators, and operational efficiencies.

Assessments of program effectiveness through audits of resource utilization and cost-benefit evaluations.

Scope Limitations:

No involvement in recovery of provider reimbursements or imposition of financial restrictions.

No direct participation in fraud detection or enforcement activities.

Operational Approach: GAO evaluations are analytical and advisory in nature, aimed at ensuring alignment with congressional objectives.

While GAO findings do not typically impose immediate financial liabilities, they can influence regulatory frameworks significantly. Monitoring GAO publications is advisable for anticipating policy developments.

4. Clarification Regarding “DOGE Audits”: Addressing a Misconception

It is important to note that no formal “DOGE” entity possesses auditing authority within the healthcare domain. References to “DOGE audits” pertain to informal efficiency reviews, such as internal expenditure analyses or contract evaluations, rather than structured audits.

Actual Scope:

Expedited reviews of data and budgetary adjustments.

Absence of adherence to governmental auditing standards or CMS guidelines.

Key Distinction: DOGE initiatives operated independently and did not supersede UPIC functions; they functioned in parallel without hierarchical oversight.

In essence, these efforts represented preliminary oversight measures rather than formal enforcement mechanisms. Concerns related to “DOGE” designations should be viewed as unsubstantiated.

Early identification of the originating entity is critical for effective response. A UPIC inquiry necessitates coordinated internal efforts; an OIG investigation requires immediate engagement of legal counsel; a GAO evaluation may warrant advocacy or procedural adjustments. Maintaining vigilance, thorough documentation, and proactive compliance are paramount to navigating these processes successfully. If you encounter specific challenges related to audits, please share details for further discussion.

If you enjoyed this piece, subscribe to our monthly newsletter to receive even more in-depth insights.

Quick Reference Resources

UPIC Contact Info: https://www.cms.gov/medicare/program-integrity/activities/unified-program-integrity-contractor-upic 