From 1999 To Prime Time: OIG Revamps Medicare Advantage Guidance For Today's—and Tomorrow's—Evolving Market

On February 3, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued new Medicare Advantage Industry Segment-Specific Compliance Program Guidance (MA ICPG) for the MA industry and individuals and entities participating in or engaging with the MA program (collectively, MA Parties). The MA ICPG is intended to be read together with OIG's General Compliance Program Guidance (GCPG), which applies to all individuals and entities involved in the healthcare industry and describes the seven elements of an effective compliance program. As OIG's first update to its 1999 Medicare+Choice compliance program guidance, the MA ICPG delivers updated guidance aligned with today's vastly expanded and increasingly sophisticated MA landscape.

OIG repeatedly characterizes the MA ICPG as nonbinding guidance that does not create any new legal obligations or standards. However, MA oversight has been a top OIG priority for years, and MA's growing popularity and OIG's recent experience pursuing fraud, waste, and abuse within the MA program motivated OIG to issue the MA ICPG. Consequently, MA organizations (MAOs) may be expected to look to the MA ICPG as a benchmark for effective compliance practices.

Key Risk Areas

The MA ICPG acknowledges that Centers for Medicare & Medicaid Services (CMS) regulations require MAOs to adopt effective compliance programs and characterizes those regulations as establishing the "minimum requirements" for an MAO's compliance program. OIG encourages MA Parties to use the MA ICPG to identify their own risk areas when implementing and evaluating their compliance programs in what OIG acknowledges is a complex and evolving program.

The MA ICPG identifies seven compliance risk areas and provides recommendations to mitigate these risks. OIG continues to recognize, however, that compliance programs should be tailored to an MA Party's size, structure, and operations, rather than following a one‑size‑fits‑all model.

1. Access to Care

The MA ICPG emphasizes the importance of ensuring enrollees can access covered MA services, with a focus on MAOs' obligations to maintain adequate provider networks and publish accurate provider directory information. The guidance notes that inaccurate directories or insufficient networks can contribute to delays in care or increased out‑of‑network costs and highlights a range of recommended practices to mitigate these risks, including regular provider outreach to validate directory information, the use of independent verification tools, secret shopper audits, and ongoing analyses of claims data to detect "ghost networks."

OIG also stresses that MAOs must ensure their utilization management (UM) practices—particularly prior authorization—do not inappropriately restrict medically necessary care. In particular, OIG cautions that algorithmic or artificial intelligence (AI)‑based prior authorization tools pose heightened compliance risk if they make medical necessity determinations "solely using an algorithm or software" that does not account for individual clinical circumstances—for example, by relying on a larger data set rather than an enrollee's medical history, physician recommendations, or clinical notes. The MA ICPG encourages MAOs to audit claim denial and appeals trends, review samples of denied requests for accuracy, and ensure that any automated tools are used only in ways consistent with CMS's individualized review requirements.

2. Marketing and Enrollment: Improper Financial Incentives and Deceptive Marketing Practices

The MA ICPG acknowledges that MAOs commonly outsource many marketing and enrollment activities and recommends that they ensure their compliance programs provide for adequate oversight of such activities. The MA ICPG references OIG's 2024 Special Fraud Alert on Suspect Payments in Marketing Arrangements Related to Medicare Advantage and Providers, in which OIG describes questionable payments and referrals between MA plans, healthcare professionals, and third-party marketers, such as agents and brokers.

The MA ICPG lists marketing and enrollment activities that, according to OIG, may create improper financial incentives—including paying agents and brokers amounts that exceed CMS' permitted compensation amounts, are conditioned on meeting enrollment targets, or are tied to enrollees' health status. OIG noted that a common thread throughout the examples provided in the MA ICPG is the potential to hinder patients' ability to find the MA plans best suited to their needs. The guidance goes on to recommend a number of strategies to mitigate the risk of improper financial incentives, including:

• Developing systems for documenting the fair market value nature of all arrangements involving marketing and enrollment activities.
• Conducting periodic audits of marketing-related payments to third parties.
• Providing compliance-focused training to agents and brokers.

The MA ICPG also addresses the potential for marketing efforts to mislead or discriminate against enrollees. Noting that MAOs are responsible for all materials their subcontractors use to market their plans, OIG recommends that MAOs adopt a number of practices, including:

• Establishing processes to review and approve marketing materials.
• Monitoring marketing and enrollment activities agents, brokers, and other third-party marketing organizations conducted on the MAOs' behalf.
• Tracking and investigating any complaints filed against any agents or brokers acting on the MAOs' behalf.
• Monitoring agents' and brokers' activities to identify potentially problematic outliers, such as rapid disenrollments.

3. Risk Adjustment

The MA ICPG details various risk adjustment practices OIG has identified as abusive through its audits and evaluations, including:

• Using chart reviews to identify additional diagnoses to increase risk scores inappropriately.
• Failing to delete unsupported or invalid diagnoses revealed in chart reviews.
• Generating diagnoses through in-home health risk assessments (HRAs) that are not treated or supported.
• Querying or prompting physicians through electronic medical record platforms (including prompts generated by AI algorithms) to add risk-adjusting diagnoses that the patient did not have or did not affect the patient's care, treatment, or management.
• Providers submitting unsupported diagnoses to inflate their payments from MAOs under risk-sharing or other arrangements.

The guidance recommends that MAOs review risk adjustment data and scrutinize submissions of high-risk diagnosis codes both before and after submitting such data to CMS, and provides a detailed list of additional oversight mechanisms MAOs may use to confirm their risk adjustment data is accurate. Such mechanisms include using data techniques and filtering logic, evaluating in-home HRA or chart review programs, using algorithms to evaluate submitted diagnoses and identify outliers, and analyzing coding trends.

The MA ICPG emphasizes the importance of risk adjustment to the MA program and instructs MA Parties to take appropriate corrective action, including provider contract termination, based on the results of internal reviews or investigations.

4. Quality of Care

The MA ICPG emphasizes that MA Parties should prioritize quality‑of‑care oversight, recognizing that MA plan reimbursement is directly tied to quality performance through the Star Ratings system and associated Quality Bonus Payments. As a result, OIG warns that MAOs face compliance risk not only when quality‑of‑care lapses occur (e.g., due to inadequate provider networks, provision of inappropriate care, or failure to provide medically necessary care), but also when the data used to generate Star Ratings, accreditation measures, and other quality assessments are biased, inaccurate, or incomplete.

To support quality‑of‑care compliance, OIG recommends that MAOs ensure enrollees receive medically necessary services without discrimination or improper barriers to access. This includes validating that contracted providers meet credentialing requirements, are not excluded from federal healthcare programs, and are appropriately licensed and qualified. OIG also recommends that MAOs implement systems to monitor complaints, service availability, and provider performance; conduct regular reviews of data used for Star Ratings and other measures; and ensure appropriate follow‑up on identified quality issues.

5. Oversight of Third Parties

MAO arrangements with third parties (primarily First Tier, Downstream, or Related Entities (FDRs)) are a key area of MA enforcement risk. While MAOs must audit and monitor FDRs and ultimately are responsible for meeting their obligations to CMS, third parties performing services for MAOs also may be liable for noncompliant conduct. The MA ICPG advises MA Parties to consider the following factors when tailoring a compliance strategy for third-party arrangements:

• The type of tasks the MAO delegated to the third party.
• Compliance risks associated with those tasks.
• The third party's sophistication and existing compliance infrastructure.
• Current government enforcement and oversight trends.

The MA ICPG includes special considerations for FDRs who are healthcare providers, noting that MAOs that delegate functions to such providers may wish to dedicate a compliance team to monitoring them. OIG also states that MAOs that own, or that are under common ownership with, provider groups may have expanded or specific compliance obligations.

The level of third-party oversight should reflect the nature of the MAOs' arrangements, with higher-risk relationships receiving more oversight than lower-risk arrangements. The MA ICPG offers several oversight options, such as requiring FDRs to submit various reports and to periodically renew their attestations, as well as regularly auditing third parties' core activities and compliance program function.

6. Compliance Programs Within Vertically Integrated Organizations and Other Ownership Structures

The MA ICPG acknowledges the complexities of MA compliance infrastructure within vertically integrated organizations, pointing to medical loss ratio requirements as an example of a programmatic safeguard that may trigger unique risks in vertically integrated organizations and requires additional compliance oversight. The MA ICPG notes that MA Parties may be part of various business models, including ownership by private equity funds or others, and directs MA Parties who are not experienced in the healthcare industry to the GCPG for baseline compliance program guidance.

7. Submission of Accurate Claims

OIG stresses that MAOs must certify to CMS that all data submitted for payment are accurate, complete, and truthful—a requirement that carries administrative, civil, and False Claims Act (FCA) exposure if violated. The MA ICPG explains that the risk of submitting false claims may arise at multiple points in the data‑submission chain, including unsupported diagnosis coding, failure to withdraw previously submitted inaccurate codes, or use of in‑home assessments or chart reviews that generate diagnoses not supported by medical records.

To mitigate these risks, OIG advises MAOs to implement rigorous auditing and monitoring of coding and encounter‑data accuracy, ensure timely correction and resubmission where necessary, and maintain strong oversight of providers and vendors involved in coding or documentation activities. OIG emphasizes that a robust compliance infrastructure—including internal investigations, corrective‑action processes, and reporting obligations—remains essential to ensuring accurate claims submission and preventing FCA exposure.

Takeaways

The MA ICPG reflects a notable evolution in the government's understanding of, and views toward, compliance in the MA space. The MA ICPG is more detailed and operationally prescriptive than earlier guidance, drawing on years of audits, evaluations, enforcement actions, data analyses, and industry engagement. It signals that regulators have become significantly more sophisticated in understanding how MAOs and their related entities operate—including how business models, delegated arrangements, technology tools, and data flows can create compliance vulnerabilities. Notably, OIG expresses measured skepticism toward technology: while acknowledging that advanced tools and analytics can support compliance, the MA ICPG cautions that they just as easily may compromise care quality or impede access if used without appropriate oversight, clinical context, or safeguards.

At the same time, the guidance sweeps more broadly in scope. Rather than focusing solely on MAOs, it applies to a wider array of "MA Parties," including providers, management service organizations, downstream vendors, and other entities—including investors—that play a role in the MA ecosystem. OIG makes clear that it views compliance risks as extending across the constellation of relationships and ownership structures within the MA sector—particularly in environments where clinical, administrative, and financial functions are dispersed across multiple intermediaries. In doing so, the guidance underscores that liability and compliance expectations do not, for example, turn on whether an entity is formally categorized as an "FDR"; rather, the broader network of contractors and stakeholders remains squarely within enforcement view.

Importantly, OIG acknowledges the increasingly complex ownership landscape surrounding the MA market, including consolidation, vertical integration, and private equity investment. The guidance highlights that investors and new entrants—especially those "without deep health care experience"—may lack awareness of MA‑specific fraud, waste, and abuse risks and therefore require enhanced compliance infrastructure, training, and governance. As deal activity continues to shape the sector, MA stakeholders should expect heightened scrutiny of compliance readiness during diligence, integration planning, and ongoing operations.

The MA ICPG comes on the heels of the CY 2027 Advance Notice for MA and Part D (Advance Notice) issued on January 26, which disappointed the industry with a lower-than-expected average year-over-year net payment increase of 0.09% projected by CMS (2.54% taking coding trends and population changes into consideration), a sharp reduction from the 5.06% increase in 2026 and 3.7% increase in 2025. In proposing changes to the MA risk adjustment model in the Advance Notice, CMS emphasized its commitment to the sustainability of MA through, in part, ensuring payments accurately reflect MA enrollees' health needs and promote program integrity and accountability. After OIG scrutiny of unlinked chart reviews and recommendation that CMS reassess allowing diagnoses from unlinked chart reviews to be used for risk adjustment, CMS proposed in the Advance Notice to exclude diagnoses from unlinked chart review records that are not associated with a beneficiary encounter from risk score calculation, citing data integrity concerns. The Advance Notice and the MA ICPG reflect CMS' and OIG's shared priority of MA oversight and continued emphasis on MA compliance.

Overall, the document serves as both a roadmap and a warning: OIG is paying close attention, expects MA Parties to build mature and proactive compliance programs, and is prepared to evaluate conduct across the full lifecycle of MA operations—including how organizations grow, structure themselves, deploy technology, and partner with investors and vendors.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.