Brought to you by

Dentons On Call

Making health law a little more accessible and a lot less daunting.

HHS-OIG Releases Long-Awaited Medicare Advantage Compliance Program Guidance

By Janice Ziegler, Christopher Janney, and Margo Smith
February 5, 2026
  • Compliance
  • Fraud & Abuse
  • Managed Care
  • Medicare
  • News Flash

On February 3, 2026, HHS-OIG released its much-anticipated Medicare Advantage Industry Segment-Specific Compliance Program Guidance (MA Compliance Guidance), continuing the federal government’s sustained focus on Medicare Advantage (MA) program integrity and compliance. HHS-OIG’s focus on MA is not surprising given that more than half of Medicare beneficiaries are currently enrolled in the MA program. Further, as the agency explains in the MA Compliance Guidance, “[o]ngoing work by [HHS-OIG], CMS, the Department of Justice, and other law enforcement partners continues to identify potentially abusive practices” in the MA program. As such, managed care oversight has been, and remains, a “top priority” for HHS-OIG and CMS.

Indeed, the MA Compliance Guidance release comes at a time of heightened compliance and enforcement activity in the MA space. In the last two years, CMS has announced an aggressive expansion of its risk adjustment audit program, proposed significant changes to the risk adjustment methodology (including the exclusion of diagnoses from unlinked chart review records), and significantly strengthened its coverage, prior authorization and marketing requirements. In addition, there have been several high-profile False Claims Act (FCA) cases against MA organizations (MAOs), some of which have resulted in large financial settlements. Moreover, HHS and DOJ have announced the revival of the False Claims Act Working Group, which has identified MA as a priority enforcement area.

Below, we highlight key takeaways from the new guidance and offer practical next steps for MAOs and other stakeholders to consider.

Background

In 2023, HHS-OIG issued new General Compliance Program Guidance (General Compliance Guidance) aimed broadly at all individuals and entities involved in the health care industry and announced that it would be publishing a series of more specific compliance program guidance documents “tailored to fraud and abuse risk areas for each industry subsector” with “compliance measures that the industry subsector participants can take to reduce these risks.”

The MA Compliance Guidance—which is only the second subsector-specific guidance issued to date by HHS-OIG under the new initiative—replaces similar guidance issued by the agency over 25 years ago.[1] It incorporates information and recommendations based on the agency’s (i) findings and observations from its decades of work on matters involving the MA program, including audits, evaluations, investigations, enforcement actions, data analyses, and monitoring under Corporate Integrity Agreements; (ii) current enforcement priorities; (iii) work with government partners; and (iv) interactions with MAOs and other industry stakeholders. The updated MA Compliance Guidance is directed to “entities and individuals participating in or engaged with” the MA program (MA Parties) and is organized into two key sections: Compliance Risk Areas and Recommendations for Mitigation, and Compliance Program Structure and Activities.[2]

Taken together with HHS-OIG’s 2023 General Compliance Guidance, the MA Compliance Guidance provides a modernized framework for identifying compliance risks and implementing effective compliance programs in the MA program. Most importantly, it gives insight into priority enforcement areas and offers practical strategies for consideration in managing potential compliance risks. The voluntary, non-binding guidance complements CMS’s regulatory and program guidance requiring MAOs to implement effective compliance programs.[3]

Key MA Compliance Risk Areas

The MA Compliance Guidance identifies and provides recommendations to mitigate seven key risk areas relevant to the MA program and MA Parties:

  • Access to Care,

  • Marketing and Enrollment,

  • Risk Adjustment,

  • Quality of Care,

  • Oversight of Third Parties,

  • Compliance Programs Within Vertically Integrated Organizations and Other Ownership Structures, and

  • Submission of Accurate Claims.

Many of these focus areas—including marketing and risk adjustment—should not come as a surprise to MA Parties, as they have received significant attention from HHS-OIG and CMS in recent years. Nevertheless, the agency’s discussion of these risk areas is of critical importance to MA Parties, as the agency identifies the specific fraud and abuse concerns that warrant focused attention and provides insight into how it thinks MAOs and their business partners should be combating such risks. In this summary, we highlight certain of HHS-OIG’s referenced concerns and recommendations in several key areas.

Risk Adjustment

CMS relies on risk adjustment methodologies to make appropriate payments to MAOs based on enrollees’ health status. However, HHS-OIG sees risk adjustment as a major vulnerability in the MA program because the payment methodology rewards higher-acuity diagnoses, creating an incentive to inflate beneficiary risk scores. Federal investigations, the MA Compliance Guidance asserts, have uncovered numerous potentially problematic practices, including:

  • Misusing chart reviews to mine for additional diagnoses;

  • Deploying in-home health risk assessments (HRAs) primarily to capture diagnosis codes, which are not considered in the care, treatment, or management of the enrollee’s health;

  • Querying physicians via electronic medical record platforms (including prompts generated by AI algorithms) or otherwise prompting physicians to add diagnoses that patients did not have or that did not affect the care, treatment, or management of the patient; and

  • Neglecting to delete diagnosis codes that chart reviews found to be unsupported.

To address these concerns, HHS-OIG recommends, among other strategies:

  • Pre- and post-submission audits of diagnosis data, particularly with respect to high-risk diagnosis codes (i.e., those at greater risk of being miscoded);

  • Careful oversight of HRA and chart review vendors;

  • Training employees and, as appropriate, first tier, downstream or related entities (FDRs) on the proper use of diagnostic prompts and queries;

  • Educating employed and contracted providers and coders on proper coding;

  • Implementing data filtering logic and other data analytics (including AI) to identify anomalies, outliers, or other potentially inaccurate diagnoses;

  • Considering the implementation of enhanced systems or controls if providers and vendors receive financial incentives tied to risk adjustment data (e.g., risk-sharing arrangements or bonuses for diagnosis capture); and

  • Benchmarking risk scores against the frequency and prevalence of particular reported codes to compare changes over time and identify outliers.

HHS-OIG also recommends pairing processes designed to ensure complete diagnosis data via reporting of additional diagnoses (e.g., through chart reviews or HRAs) with processes to ensure data accuracy and appropriate care.

Marketing and Enrollment

HHS-OIG has long expressed concern about improper marketing practices and enrollment manipulation schemes. Some of this concern is due to the fact that MAOs frequently delegate marketing, enrollment, and related functions to agents, brokers, and third-party marketing organizations. Picking up on this theme, the MA Compliance Guidance highlights two particular areas of concern: (i) improper financial incentives that can “skew enrollment in ways that may not be in the best interests of enrollees and potential enrollees,” such as excessive payments for steering patients to a particular plan; and (ii) deceptive marketing practices. The MA Compliance Guidance focuses primarily on improper financial incentives, explaining that potentially problematic activities could include payments to agents conditioned on enrollment volume targets or payments tied to the health status of enrollees.

HHS-OIG’s recommended safeguards for both concerns include, among other things, the following:

  • Structuring compensation to avoid arrangements that create incentives to inappropriately influence enrollments;

  • Documenting with significant detail fair market value (FMV) for all arrangements for marketing and enrollment services;

  • Providing appropriate training to agents, brokers, and MAO employees overseeing marketing;

  • Reviewing and monitoring payment data and associated work performed under any such arrangements (e.g., through service and activity logs) to validate that delegated entities are actually performing the services required;

  • Implementing approval processes for ensuring compliant marketing materials; and

  • Monitoring agent performance for outlier behavior, such as rapid disenrollments or enrollments or a high volume of complaints, and appropriately responding to any identified outliers or trends.

Prior Authorization

Ensuring beneficiaries have timely access to covered services through adequate provider networks is a core MA program requirement. The capitated payment structure in the MA program, however, creates potential incentives for plans to limit enrollee access to services. To ensure MAOs are providing medically necessary care, the MA Compliance Guidance recommends that MAOs evaluate whether “utilization management tools, such as prior authorization, could inappropriately limit or impede access to medically necessary covered services and consider drafting policies and procedures to guard against this risk.” The guidance recognizes that AI technology is an “emerging area with potential benefits,” but warns of the potential compliance risks when AI is used to make prior authorization and coverage decisions.

To combat these risks, HHS-OIG recommends various compliance steps be implemented, including, among other things:

  • Analyzing trends in claim and prior authorization denials (including the volume of denials overturned on appeal) to ensure that policies are applied consistently and in accordance with stated standards and do not inappropriately restrict coverage; and

  • “Reviewing the use of any [AI] or other algorithm-based tools to ensure that decisions . . . focus on patients’ individualized circumstances.”

Downstream Entity Oversight

MAOs that contract with FDRs remain responsible for ensuring that those entities comply with applicable program requirements. The expanding scope of services MAOs are delegating to FDRs heightens the MAOs’ risk of liability for third-party misconduct.

The MA Compliance Guidance suggests risk mitigation strategies with respect to use of FDRs, including, among other things:

  • Rigorous pre-contract due diligence;

  • Incorporation of robust contractual provisions requiring compliance with MA standards, reporting to facilitate ongoing monitoring, corrective action to remediate identified issues, compliance attestations, and audit rights for the MAO;

  • Periodic attestation renewals; and

  • Tailored compliance processes for FDRs that are health care providers.

The MA Compliance Guidance also states that MAOs may have expanded or particular compliance obligations if the MAOs own or are under common ownership with provider groups.

Other Topics: FCA Exposure and New Entrants

In addition to risk areas discussed above, the MA Compliance Guidance warns that “[t]here are several ways that MA Parties can have exposure under the [FCA], many of which overlap with the substantive risk areas identified in the [MA Compliance Guidance].” For instance, because MAOs must certify to the accuracy of data submitted to CMS, the failure to submit accurate data can lead to liability under the FCA. As an example of such fraudulent conduct, the MA Compliance Guidance points to the submission or failure to withdraw inaccurate and untruthful risk adjustment diagnosis codes to increase Medicare reimbursement, emphasizing the past and present use of the FCA to address the agency’s concerns around risk adjustment.

HHS-OIG also highlights the growth of new individuals and entities in the MA space, explaining that “owners may include private equity firms that may lack extensive experience in the MA industry” and “may be unfamiliar with fraud, waste, and abuse risks and the need for a vigorous compliance program.” HHS-OIG stresses the importance of education for leadership and staff to help mitigate compliance risks posed by investors new to the health care and/or the MA industry, encouraging review of the General Compliance Guidance and the MA Compliance Guidance as a good starting point to guide an effective compliance program and serve as a valuable resource in structuring or overseeing new ventures involving MA Parties.

Next Steps

Given the new MA Compliance Guidance and other recent MA enforcement activity, MAOs should consider the following steps:

  • Study the MA Compliance Guidance. The MA Compliance Guidance is lengthy and touches on a broad range of operational considerations beyond what is highlighted in this summary. MAO Compliance Departments should study the various recommendations for potential application to the relevant MA plan(s) and engage in a broad and collaborative dialogue with the various affected departments within their organization, as needed.

  • Conduct a gap assessment. MAOs should evaluate their current compliance programs against the guidance in both the MA Compliance Guidance and the General Compliance Guidance to identify areas requiring potential enhancement.

  • Prioritize high-risk areas. Given the continued focus on risk adjustment and marketing by both CMS and HHS-OIG, MAOs should ensure they have robust processes in place for validating diagnosis submissions, responding to risk adjustment audits, and ensuring compliant compensation structures and marketing practices.

  • Evaluate downstream entity oversight. MAOs should review their FDR oversight programs to ensure they are comprehensive and include appropriate due diligence, monitoring, and audit activities.

  • Update training programs. General and specific training materials should be refreshed to incorporate recommendations in the MA Compliance Guidance, particularly for personnel involved in the various areas identified, including risk adjustment, marketing, enrollment, and utilization management.

FDRs should consider the following steps:

  • Recognize expanded scope. The MA Compliance Guidance explicitly applies to a broader range of MA Parties than CMS’s compliance program regulations, which impose mandatory requirements only on MAOs. FDRs and other vendors should understand that HHS-OIG views them as within the scope of this guidance and expects them to maintain robust compliance practices.

  • Anticipate heightened MAO oversight. FDRs should expect MAOs to increase due diligence, monitoring, and audit activities in response to the MA Compliance Guidance. This may include more detailed pre-contracting risk evaluations, enhanced contractual compliance provisions, more frequent attestation requirements, and rigorous ongoing audits of FDR compliance programs and performance.

  • Strengthen internal compliance infrastructure. HHS-OIG emphasizes that third parties themselves may be vulnerable to liability under fraud and abuse laws for their own conduct or for the actions of their downstream entities. FDRs—particularly those new to the MA space or lacking health care compliance experience—should evaluate and strengthen their own compliance programs, training, and internal controls.

  1. HHS-OIG, Compliance Program Guidance for Medicare+Choice Organizations Offering Coordinated Care Plans (1999), https://www.govinfo.gov/content/pkg/FR-1999-11-15/pdf/99-29632.pdf.
  2. CMS regulations require MAOs to adopt and implement compliance programs that include measures to prevent, detect, and correct noncompliance with CMS’s program requirements and fraud, waste, and abuse. Both the MA Compliance Guidance and General Compliance Guidance are intended to complement and help facilitate compliance with CMS’s regulatory requirements and other statutory and regulatory obligations.
  3. MAO obligations are set forth in detail in Chapter 21 of the Medicare Managed Care Manual. CMS monitors compliance program effectiveness under its routine program audits. CMS, Program Audits, https://www.cms.gov/medicare/audits-compliance/part-c-d/program-audits.
About Janice Ziegler

Janice Ziegler is a partner in Dentons’ Life Sciences and Health Care sector team. She focuses on providing strategic, regulatory, transactional and legislative counseling to clients regarding the Medicare Secondary Payer (MSP) laws, government managed care programs, and federal and state health care privacy matters.

About Christopher Janney

Chris has 30+ years of experience in the health care industry, is the author of several Stark Law treatises, and writes and speaks extensively on AKS, FCA, overpayment, and other fraud and abuse, compliance, and regulatory topics.

About Margo Smith

Margo Wilkinson Smith is a member of the national Health Care practice and Cannabis sector groups and a resident of the Kansas City office.
