The Office of Inspector General (OIG) on Tuesday released a 42-page guide that describes Medicare Advantage-specific compliance guidance and risk areas, including details on how organizations should address risk adjustment.
The OIG’s Medicare Advantage Industry Segment-Specific Compliance Program updates the watchdog’s prior compliance guidance issued more than 25 years ago and lays out clear risk areas, practical recommendations, and structural expectations that Medicare Advantage organizations can use to implement an effective internal compliance program.
Here are three takeaways:
The guidance is voluntary but comprehensive
OIG states that the guidance is a consolidation of best practices and risk insights drawn from decades of audits, investigations, and industry engagement. The document is intended to help Medicare Advantage plans implement, evaluate, and update their compliance programs in alignment with an increasingly complex regulatory environment.
It identifies seven major compliance risk areas
Access to care: OIG highlights two core requirements under Centers for Medicare & Medicaid Services (CMS) rules—network adequacy and appropriate use of utilization management tools like prior authorization. Failures can delay or block needed care and introduce enforcement risk. Key expectations include:
- Proactively verifying provider directories at least quarterly
- Avoiding “ghost networks” by comparing directories to claims and other data
- Monitoring prior authorization decisions to ensure they are timely, individualized, and not driven solely by algorithms
Marketing and enrollment: Given widespread concerns about misleading plan marketing, OIG warns organizations to ensure marketing activities—often delegated to brokers or third-party marketing organizations (TPMOs)—are compliant and free of improper financial incentives. Risks include:
- Making payments to brokers that exceed CMS limits or reward enrollment volume
- Steering enrollees based on health status
- Using deceptive or confusing marketing materials
Plans should tighten oversight of agents and TPMOs through audits, fair market value documentation, complaint tracking, and training.
Risk adjustment: Risk adjustment remains one of the highest enforcement priorities for OIG. While the system is designed to provide higher payments to plans that care for sicker patients, the watchdog says that it also creates financial incentives to make members appear as sick as possible to increase these payments. Frequent problem areas include:
- Unsupported diagnosis codes
- Diagnoses derived only from chart reviews or health risk assessments (HRAs)
- Overreliance on provider prompts or AI tools that encourage upcoding
To address these areas, OIG recommends that Medicare Advantage organizations:
- Conduct both prospective and retrospective audits of risk adjustment data
- Pair diagnosis capture efforts with accuracy and care‑related controls
- Benchmark HCC rates and investigate anomalies
- Actively oversee vendors and contracted providers involved in coding
- Scrutinize reporting of high-risk diagnosis codes that are at greatest risk of being miscoded
- Evaluate and oversee any in-home HRA programs or chart review programs that result in submission of risk-adjusting diagnoses
- Educate employees and, as appropriate, first tier, downstream, or related entities (FDRs) on the appropriate use of queries and other prompts and overseeing their use
- Teach providers, including employed and contracted providers, and coders on proper coding
Quality of care: Quality bonus payments create incentives tied to Star ratings and quality metrics. OIG underscores Medicare Advantage plans’ responsibility to ensure:
- Accurate, complete reporting of quality data
- Adequate networks
- No payment to excluded providers or those on CMS’ Preclusion List
Oversight of third parties: Most Medicare Advantage operational work is delegated to vendors or other entities, creating unique oversight challenges. Under CMS rules, organizations remain fully responsible for the actions of FDRs.
OIG expects Medicare Advantage organizations to:
- Conduct robust pre‑delegation due diligence
- Categorize FDRs properly
- Require compliance attestations and self‑audits
- Monitor high‑risk vendors more frequently and impose corrective actions when needed
Vertically integrated organizations: As payers acquire providers—and vice versa—OIG warns that compliance programs must adapt. Parent‑level compliance structures often lack Medicare Advantage‑specific expertise. Organizations and health systems with common ownership must:
- Ensure Medicare Advantage compliance officers have autonomy and direct access to leadership.
- Monitor for risks tied to shared incentives, such as medical loss ratio reporting.
Accurate claims submission: Medicare Advantage organizations can face False Claims Act liability for knowingly submitting inaccurate data or failing to correct known errors. Examples of past enforcement include:
- Unsupported diagnoses
- Failing to delete invalid codes
- Using in‑home assessments only to boost risk scores
Accuracy certifications to CMS place direct responsibility on executives and compliance teams.
It provides compliance program structure expectations
The guidance reinforces CMS’ seven required compliance program elements and offers Medicare Advantage–specific recommendations, such as:
- Dedicated Medicare Advantage compliance leadership with appropriate expertise
- Frequent policy updates due to rapidly shifting Medicare Advantage regulations
- Direct board oversight and empowered compliance committees
- Hotlines and safe reporting channels for employees, enrollees, and FDRs
- Robust auditing and monitoring, including data‑driven reviews of risk adjustment, prior authorization, and vendor performance
- Documented corrective actions and disciplinary measures