New OIG Medicare Advantage Compliance Guidance in More Than 25 Years: Five Risk-Adjustment Takeaways for Providers

Jason N. Silberberg

Article

On February 3, 2026, the U.S. Department of Health and Human Services Office of Inspector General (OIG) published its Industry Segment-Specific Compliance Program Guidance for Medicare Advantage (ICPG or “Guidance”) – OIG’s first compliance program guidance dedicated specifically to the Medicare Advantage (MA) program since 1999.

The Guidance is voluntary and nonbinding, and OIG is careful to say that its use of “should” creates no new legal obligations. But it consolidates decades of OIG enforcement experience into a single statement of the conduct OIG considers potentially fraudulent or abusive – and it arrives during a period of record MA enforcement, including the $556 million Kaiser Permanente settlement and the $62.85 million Seoul Medical Group provider settlement.

For providers and downstream entities, the most important takeaway is that the ICPG can be construed as not being solely directed to Medicare Advantage organizations (MAOs). Instead, OIG broadly addresses entities and individuals participating in or engaged with the Medicare Advantage program and specifically discusses risk adjustment compliance issues involving “conduct by MAOs, providers, and others involved in the risk adjustment process.” As a result, downstream entities, including physician groups, independent practice associations (IPAs), management services organizations (MSOs), Risk Bearing Organizations (RBOs), and coding and analytics vendors should not treat the new ICPG as strictly a health plan compliance issue. Instead, compliance-forward entities should consider the ICPG as guidance for entities across the Medicare Advantage risk adjustment ecosystem.

Below are five key risk adjustment takeaways for providers and downstream entities.

1. The First Medicare Advantage Fraud and Compliance Guidance Since 1999

The ICPG updates OIG’s 1999 Compliance Program Guidance for Medicare+Choice Organizations. In the more than 25 years since, the program has grown to cover more than half of all Medicare beneficiaries, and the number and types of entities participating in it have multiplied. The Guidance is designed to be read alongside OIG’s General Compliance Program Guidance (GCPG) and, while it complements CMS’s mandatory compliance-program regulations (which bind MAOs), it addresses a broader audience of MA parties. Because the Guidance is publicly available and describes specific practices OIG views as fraudulent or abusive, it may also inform the knowledge analysis in a False Claims Act (FCA) case – a provider that continues a flagged practice after this Guidance issues gives relators and the government a cleaner argument that it acted “knowingly” or with reckless disregard. Providers should treat the Guidance as a benchmark against which their practices may later be measured.

2. Provider Coding Under Risk-Sharing Arrangements

The Guidance’s risk-adjustment section lists, among the abusive practices OIG has identified, “providers submitting diagnoses that were not supported by the enrollees’ medical records to inflate the payments MAOs made to the providers under risk-sharing or other arrangements.” (Emphasis added). In other words, when a provider group has a risk-sharing reimbursement model with an MAO, such that payments to the provider increase if their patients’ risk scores increase (e.g., a percent-of-premium model), providers who submit unsupported diagnosis codes upstream to their MAOs are on the federal government’s target list for investigation and potential civil or even criminal prosecution. The Guidance does not cite specific cases, but its focus is consistent with recent settlements involving provider-side coding, including the combined $62.85 million resolution with a California physician group, its MSO, an individual physician, and a radiology group over allegedly unsupported spinal-condition codes, and the earlier $270 million HealthCare Partners/DaVita resolution involving an IPA. Provider groups in value-based or capitated arrangements should expect their diagnosis submissions to draw scrutiny.

3. Failing to Delete Unsupported Codes

OIG identifies as abusive the practice of “failing to remove diagnosis codes previously submitted to CMS when chart reviews provide information that those codes were unsupported or otherwise invalid.” The duty to report and return identified overpayments (42 U.S.C. § 1320a-7k; 42 C.F.R. §§ 422.326, 423.360) runs to the MAO, which submits risk-adjustment data to CMS and is paid by it – but the practical burden flows downstream. A provider or vendor that generates or reviews that data and later learns a code is unsupported cannot simply leave it in place. Unless its contract provides otherwise, it should submit deletions or other corrective communications to its upstream MAO in time for the plan to correct the data and meet its own report-and-return deadline, mitigating or avoiding liability on both sides. A chart-review program, in short, cannot operate in one direction only – adding revenue-generating codes while ignoring unsupported ones.

4. Artificial Intelligence in Risk-Adjustment Coding

The Guidance expressly flags artificial intelligence (AI) in the risk-adjustment context, identifying as potentially abusive “querying physicians via electronic medical record platforms (including prompts generated by artificial intelligence algorithms) or otherwise prompting physicians to add risk-adjusting diagnoses that patients did not have or that did not affect the care, treatment, or management of the patient.” It also lists, as an oversight step, plans’ use of analytics and AI to flag providers whose coding is an outlier – a reminder that aberrant provider coding is increasingly likely to be detected. Providers and coding vendors using AI-assisted coding, clinical documentation, or query tools should build in documented validation processes for any AI-generated codes and, critically, employ human oversight in a meaningful capacity.  Every AI-suggested risk-adjustment code should be traceable to the patient’s medical record and the evaluation, care, or treatment provided by the clinician during the relevant encounter.Organizations should also document how AI-generated coding recommendations are reviewed, accepted, rejected, and audited.

5. HRAs, Unlinked Chart Reviews, and the CY2027 Payment Rule

The Guidance catalogs OIG’s series of risk-adjustment studies and singles out diagnoses generated solely from chart reviews or in-home health risk assessments (HRAs) with no other encounter data showing the enrollee received care for the condition. That concern now converges with a payment-side change: in the CY2027 Rate Announcement, CMS proposed the exclusion of diagnoses from “unlinked” chart-review records – those not tied to a specific beneficiary encounter – and from audio-only encounters from risk-score calculation, subject to a limited exception for enrollees who switch plans. CMS estimates these diagnosis-source exclusions will lower risk-adjusted payments by a non-negligible percentage; for providers paid on a percent-of-premium or otherwise risk-adjusted basis, those reductions flow downstream through their plan contracts. With CMS’s new proposed rules and DOJ’s enforcement converging on the same practices, providers that perform HRA or in-home assessment work, or that support retrospective chart-review programs, should ensure that risk-adjusting diagnoses trace back to a documented, face-to-face encounter.

What Providers and Downstream Entities Should Consider

  • Review risk-sharing arrangements. FCA and anti-kickback liability do not turn on whether an entity qualifies as a First Tier, Downstream, or Related Entity (FDR). IPAs, MSOs, physician groups, and vendors can face liability for causing false claims to be submitted even though they never bill CMS directly.
  • Audit chart review and HRA workflows. Chart-review and HRA programs should be designed to correct and delete unsupported codes, not only add them. When a downstream entity identifies an unsupported code, it should, absent a contrary (and compliant) process outlined in the relevant contract, route the deletion or correction to its upstream MAO in time for the plan to meet its own report-and-return deadline.
  • Evaluate AI-assisted coding tools. AI-assisted coding and query tools should be validated against the underlying documentation, ideally using human coder oversight, with a record kept of that oversight.
  • Confirm diagnosis-to-encounter support. In light of the CY2027 proposed changes, it is advisable that all risk-adjustment codes be supported by a documented, face-to-face encounter rather than an “unlinked” chart review alone.
  • Benchmark current practices against the OIG Guidance. Document the organization’s review of the risk areas OIG has now publicly identified.

How Frier Levitt Can Help Medicare Advantage Providers and Downstream Entities

Frier Levitt advises physician groups, IPAs, MSOs, healthcare providers, and other downstream entities on Medicare Advantage risk adjustment, value-based and risk-sharing arrangements, False Claims Act exposure, and compliance matters. Our attorneys assist clients in reviewing MAO agreements, evaluating coding and chart review practices, assessing AI-assisted coding and documentation tools, responding to government scrutiny, and developing compliance strategies tailored to Medicare Advantage operations.

If your organization participates in a full-risk or partial-risk Medicare Advantage arrangement or has questions about OIG’s new Medicare Advantage compliance guidance, contact Frier Levitt to discuss your compliance and risk adjustment practices.