The OIG Just Raised the Bar: New Medicare Advantage Compliance Guidance You Cannot Afford to Ignore
Executive Summary
In this alert, we summarize key details of the Office of Inspector General’s (OIG) updated Medicare Advantage Compliance Program Guidance (the “Guidance”) for Medicare Advantage Organizations (MAOs), delegated providers, and first-tier, downstream, and related entities (FDRs).
The new guidance reflects the OIG's current enforcement priorities and insights gained from audits, investigations, evaluations, and enforcement actions. Although the guidance is voluntary and non-binding, it provides a clear enforcement roadmap of the OIG's expectations for effective compliance programs and serves as a benchmark for organizations assessing and updating their compliance programs.
The OIG, the Department of Justice (“DOJ”), and the Centers for Medicare and Medicaid Services (“CMS”) have all signaled intensified scrutiny of Medicare Advantage (MA) practices, particularly around risk adjustment, prior authorization, and third‑party oversight. MAOs should conduct a gap analysis, prioritize high-impact areas, and implement strategies such as audits and training to mitigate enforcement risks.
What MAOs, Delegated Providers, and FDRs Must Do Now
Immediate Actions
- Conduct a targeted gap analysis of current compliance program elements against the OIG’s updated risk areas.
- Review utilization management and prior authorization policies to confirm individualized medical necessity determinations.
- Assess data validation controls supporting risk adjustment and quality of care.
Contractual and Structural Review
- Reassess third-party and FDR agreements to ensure robust audit rights, reporting obligations, and compliance attestations.
- Confirm fair market value documentation for marketing and enrollment compensation arrangements.
- Evaluate network adequacy monitoring processes and provider directory validation controls.
Programmatic Enhancements
- Update compliance training to address AI-supported decision tools, marketing oversight, and risk adjustment documentation standards.
- Enhance monitoring frameworks for high-risk functions, including denial trends, diagnosis validation, and enrollment patterns.
- Strengthen documentation of board and executive oversight of Medicare Advantage compliance risks.
Access to Care Risks
MAOs must guarantee that enrollees have access to care and ensure that they can obtain all covered and applicable supplemental services. Their responsibilities focus on two main areas:
- Maintaining adequate provider networks with accurate directories, and
- Ensuring access to services, even when using utilization management tools such as prior authorization.
Failure to meet these requirements can lead to significant legal and compliance risks for MAOs. OIG explicitly expects MAOs to exceed CMS’s minimum standards by implementing enhanced safeguards around algorithmic decision‑making, provider availability verification, and complaint‑driven network remediation.
Marketing and Enrollment Risk
Marketing and enrollment are central to MAOs, which often delegate these functions to agents, brokers, field marketing organizations, and other third-party marketing organizations (TPMOs). Compliance programs must closely oversee delegated activities and related compensation arrangements.
CMS regulations govern MAO marketing and enrollment practices to prevent abuse, and violations—such as unauthorized plan transfers or commission-driven enrollments—can trigger administrative sanctions.
Certain arrangements may also implicate the federal Anti-Kickback Statute. In 2024, the OIG issued a Special Fraud Alert highlighting problematic marketing schemes involving payments and referrals among MA plans, providers, and third-party marketers that can mislead beneficiaries into selecting plans or providers that do not meet their needs.
Risk Adjustment Risk
Under the False Claims Act, MAOs face significant exposure when risk adjustment data is inaccurate or unsupported. Because MA payments are based on capitated PMPM rates adjusted by diagnosis-driven risk scores, the system is vulnerable to abuse.
OIG audits have identified practices such as submitting diagnoses from chart reviews or HRAs without corresponding clinical encounters and reporting high‑risk codes that cannot be validated. These behaviors inflate payments and undermine data integrity.
To mitigate these risks, MAOs should implement the following controls that ensure all risk adjustment data is accurate, supported, and properly documented:
- Require diagnoses to be supported by face-to-face medical records and acceptable data sources.
- Monitor risk adjustment data for accuracy, correct errors, and report overpayments consistent with the 60-day repayment rule.
- Train and oversee employees and FDRs on appropriate diagnosis queries and documentation practices.
- Use data analytics and provider-level benchmarking to identify outliers, followed by targeted audits and corrective action.
- Track risk scores and HCC trends over time to detect unusual patterns.
- Enhance oversight of FDRs, particularly where financial incentives relate to risk adjustment.
- Investigate suspected coding misconduct and report unsupported diagnoses to CMS as required.
- Prohibit diagnosis generation practices flagged by OIG—such as chart‑review‑only codes or unsupported HRA‑derived diagnoses—and incorporate retrospective deletion workflows for invalid codes.
Quality of Care Risk
Quality of care ensures that payments reflect actual beneficiary needs. Providing high-quality care is a key focus of the MA program, reflected in CMS’s quality bonus payment program, access requirements, and provider oversight.
MA Parties’ compliance programs should prioritize quality-of-care oversight, ensuring accurate, complete, and unbiased data submissions for CMS Star Ratings and other quality measures. Common pitfalls include submitting incomplete HEDIS data, which can skew Star Ratings downward.
To mitigate quality-of-care risks, MAOs should:
- Maintain adequate provider networks and ensure enrollees receive medically necessary care regardless of location or demographics.
- Use utilization management tools appropriately.
- Monitor provider performance and verify eligibility for payments.
- Avoid paying excluded or non-Medicare-enrolled providers.
- Ensure the integrity of data used for quality metrics and CMS reporting.
- Implement pre-submission validation processes for quality data reported to CMS, including internal audits of Star Ratings measures and HEDIS-related documentation.
Oversight of Third-Party Risk
MAOs routinely delegate functions to providers, marketers, and other vendors, but these arrangements create significant oversight and accountability risks. CMS regulates these relationships through its First Tier, Downstream, and Related Entity (FDR) framework, specifying which compliance activities may be delegated and which—such as compliance officer duties—may not.
Although MAOs may delegate certain functions, they remain fully responsible for meeting Medicare requirements, and FDRs themselves are subject to program rules. FDRs include entities that contract directly with an MAO, subcontractors further down the chain that ultimately deliver services, and related organizations under common ownership or control that provide management functions or other services above regulatory thresholds.
Vertically Integrated Organizations and Other Ownership Structure Risk
MA Parties increasingly operate within vertically integrated or consolidated structures, where MAOs, health systems, and related entities. These arrangements create unique compliance challenges, as existing compliance programs may lack the specialized expertise to oversee MA-specific functions and risks, which can differ substantially from the organization’s non-MA operations.
Compliance programs should incorporate monitoring for consolidation-related risks, including patient steering, formulary manipulation, and reimbursement practices that may indirectly affect MA network adequacy and access to care.
To mitigate these risks, organizations should:
- Empower MA compliance leaders with the expertise, authority, and executive access needed to oversee MA-specific risks.
- Integrate MA risks into enterprise risk assessments, audit plans, and compliance strategies.
- Conduct ownership structure risk assessments, including MLR-related incentives, cross-entity data sharing, investor-driven pressures, and risks of steering, preferential referrals, or inflated utilization.
- Maintain strict data access controls—such as firewalls between provider and plan operations—to prevent improper influence on coverage decisions.
- Mitigate investor-related risks through targeted training and ongoing compliance communication.
- Provide regular MA risk reporting to the Board with clear escalation pathways.
Payment Data Accuracy and False Claims Risk
Medicare Advantage Organizations (MAOs) must certify that all data submitted to CMS for payment are accurate. The submission of inaccurate or fraudulent data can trigger administrative actions and civil liability under the False Claims Act (FCA), which holds individuals or entities responsible for submitting or causing the submission of false claims to the government.
MA Parties face FCA exposure when they engage in practices that inflate Medicare payments, such as participating in schemes to submit false diagnoses, knowingly submitting inaccurate codes without correction, or reporting unsupported diagnoses generated through encounters like in‑home health risk assessments. To mitigate these risks, MAOs should implement reimbursement policies covering the entire claims lifecycle—from initial submission through final payment.
Key mitigation strategies include:
- Monitoring and auditing provider‑submitted claims before submitting data to CMS.
- Implementing end‑to‑end claims controls—encounter data validation, NPI‑level anomaly detection, and rapid overpayment identification and refund processes—to reduce FCA risk.
- Reporting suspected fraud or misconduct to the Medicare Drug Integrity Contractor or using the OIG Health Care Fraud Self‑Disclosure Protocol when shared‑risk or ownership arrangements are involved.
Board and Executive Oversight
The OIG’s updated guidance reinforces that MA compliance risk must be visible at top levels of the organization. MAOs should ensure regular reporting to the board and executive leadership regarding risk adjustment trends, denial metrics, marketing oversight findings, network adequacy status, and identified overpayments.
Board reporting should explicitly address areas prioritized by the DOJ–HHS FCA Working Group, including risk adjustment integrity, prior authorization denials, and third‑party oversight.
Escalation protocols should be clearly documented, and enterprise risk management processes should incorporate MA-specific compliance risks. Documentation of board engagement and oversight will be critical in demonstrating an effective compliance program.
Conclusion
This updated guidance from the OIG marks a significant shift in the compliance landscape for Medicare Advantage Organizations. While voluntary, it clearly signals the enforcement priorities and risk areas that will command regulatory attention in the years ahead. Compliance programs should anticipate increased CMS audit frequency, expanded RADV methodologies, and heightened expectations for documentation integrity, particularly in areas where CMS and OIG have aligned enforcement priorities.
Effective compliance is no longer limited to policies and procedures. It requires embedding accountability across every facet of MA operations—from network adequacy and prior authorization to marketing oversight, risk adjustment integrity, and third-party delegation.
Organizations that view compliance as a strategic function rather than a checkbox will be better positioned to detect issues early, respond effectively, and avoid enforcement actions. For these organizations, the OIG's guidance is not a burden to be managed, but a strategic asset for building a more resilient, trustworthy, and successful Medicare Advantage program.
We are Here to Help
Hinshaw’s healthcare law attorneys have extensive experience advising Medicare Advantage Organizations, delegated providers, and first-tier, downstream, and related entities on regulatory and compliance matters. For further information, please contact Michael Dowell, Hinshaw’s healthcare law team, or your Hinshaw attorney.