Executive Summary
In this alert, we summarize key details of the Office of Inspector General’s (OIG) updated Medicare Advantage Compliance Program Guidance (the “Guidance”) for Medicare Advantage Organizations (MAOs), delegated providers, and first-tier, downstream, and related entities (FDRs).
The new guidance reflects the OIG’s current enforcement priorities and insights gained from audits, investigations, evaluations, and enforcement actions. Although the guidance is voluntary and non-binding, it provides a clear enforcement roadmap of the OIG’s expectations for effective compliance programs and serves as a benchmark for organizations assessing and updating their compliance programs.
The OIG, the Department of Justice (“DOJ”), and the Centers for Medicare and Medicaid Services (“CMS”) have all signaled intensified scrutiny of Medicare Advantage (MA) practices, particularly around risk adjustment, prior authorization, and third‑party oversight. MAOs should conduct a gap analysis, prioritize high-impact areas, and implement strategies such as audits and training to mitigate enforcement risks.
What MAOs, Delegated Providers, and FDRs Must Do Now
Immediate Actions
- Conduct a targeted gap analysis of current compliance program elements against the OIG’s updated risk areas.
- Review utilization management and prior authorization policies to confirm individualized medical necessity determinations.
- Assess data validation controls supporting risk adjustment and quality of care.
Contractual and Structural Review
- Reassess third-party and FDR agreements to ensure robust audit rights, reporting obligations, and compliance attestations.
- Confirm fair market value documentation for marketing and enrollment compensation arrangements.
- Evaluate network adequacy monitoring processes and provider directory validation controls.
Programmatic Enhancements
- Update compliance training to address AI-supported decision tools, marketing oversight, and risk adjustment documentation standards.
- Enhance monitoring frameworks for high-risk functions, including denial trends, diagnosis validation, and enrollment patterns.
- Strengthen documentation of board and executive oversight of Medicare Advantage compliance risks.
Access to Care Risks
MAOs must guarantee that enrollees have access to care and ensure that they can obtain all covered and applicable supplemental services. Their responsibilities focus on two main areas:
- Maintaining adequate provider networks with accurate directories, and
- Ensuring access to services, even when using utilization management tools such as prior authorization.
Failure to meet these requirements can lead to significant legal and compliance risks for MAOs. OIG explicitly expects MAOs to exceed CMS’s minimum standards by implementing enhanced safeguards around algorithmic decision‑making, provider availability verification, and complaint‑driven network remediation.
Network Adequacy and Provider Directories
MAOs must maintain and monitor provider networks that ensure enrollees have adequate access to all covered services. CMS sets network adequacy standards requiring minimum numbers and types of providers, as well as maximum travel time and distance limits.
MAOs must demonstrate compliance when applying for new or expanded service areas, and CMS reviews network adequacy at least every three years. MAOs are responsible for keeping provider directories accurate and up to date. They must promptly update directories, submit accurate information to CMS for publication on Medicare Plan Finder, and attest to the accuracy of this information. Failure to comply can result in administrative sanctions or liability for false statements.
To reduce network adequacy and directory accuracy risks, MAOs should implement a multi-layered verification and oversight approach:
- Validate directory accuracy through independent third-party review.
- Analyze in-network claims data to identify “ghost networks” and confirm active provider participation.
- Use secret shopper surveys to assess provider availability and directory accuracy.
- Audit provider listings against authoritative sources (e.g., CMS Provider Supply File, NPPES, PECOS, OIG LEIE, and CMS Preclusion List) to confirm eligibility and Medicare participation.
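As an added illustration of the claims-based ghost-network check and the directory validation described above (example code written for this alert, not part of the OIG guidance or any CMS tool), the following Python reconciles a constructed provider directory against constructed in-network claims. The field names, sample NPIs, and lookback window are assumptions; the NPI check-digit test is the standard Luhn check computed over the 80840 prefix.

```python
"""Ghost-network check: reconcile a provider directory against in-network claims.

Added example, not from the OIG guidance. The directory and claims rows are
constructed sample data; their field names are assumptions, not a CMS or
Plan Finder file layout."""
from collections import defaultdict
from datetime import date


def npi_check_digit_valid(npi: str) -> bool:
    """Validate the NPI check digit: Luhn over the 80840 prefix plus the 9 base digits."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi[:9])):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10 == int(npi[9])


# Constructed directory rows, as they would be published to enrollees
DIRECTORY = [
    {"npi": "1234567893", "name": "Alice Ortiz MD", "specialty": "Cardiology", "accepting_new": True},
    {"npi": "1987654328", "name": "Ben Lee MD", "specialty": "Dermatology", "accepting_new": True},
    {"npi": "1000000004", "name": "Riverside Family Clinic", "specialty": "Primary Care", "accepting_new": True},
    {"npi": "1234567890", "name": "Cara Nguyen DO", "specialty": "Endocrinology", "accepting_new": False},
]

# Constructed in-network claims (rendering NPI, member, date of service)
CLAIMS = [
    {"npi": "1234567893", "member_id": "M01", "service_date": date(2025, 2, 3)},
    {"npi": "1234567893", "member_id": "M02", "service_date": date(2025, 3, 11)},
    {"npi": "1234567893", "member_id": "M03", "service_date": date(2025, 5, 22)},
    {"npi": "1000000004", "member_id": "M04", "service_date": date(2024, 8, 9)},   # stale: before window
    {"npi": "1000000004", "member_id": "M05", "service_date": date(2024, 11, 30)},  # stale: before window
]


def find_ghost_providers(directory, claims, window_start, window_end, min_members=1):
    """Return directory entries with an invalid NPI or fewer than min_members distinct
    members seen in in-network claims during the lookback window."""
    members_by_npi = defaultdict(set)
    for c in claims:
        if window_start <= c["service_date"] <= window_end:
            members_by_npi[c["npi"]].add(c["member_id"])
    findings = []
    for entry in directory:
        reasons = []
        if not npi_check_digit_valid(entry["npi"]):
            reasons.append("invalid_npi")
        seen = len(members_by_npi.get(entry["npi"], ()))
        if seen < min_members:
            reasons.append("no_in_network_claims_in_window")
        if reasons:
            findings.append({"npi": entry["npi"], "name": entry["name"],
                             "distinct_members": seen, "reasons": reasons})
    return findings


def unlisted_billing_providers(directory, claims):
    """The reverse gap: NPIs billing in network that are missing from the directory."""
    listed = {e["npi"] for e in directory}
    return sorted({c["npi"] for c in claims} - listed)


def run_sample():
    """Run the check over the constructed data for the first half of 2025."""
    return find_ghost_providers(DIRECTORY, CLAIMS, date(2025, 1, 1), date(2025, 6, 30))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    print("billing but unlisted:", unlisted_billing_providers(DIRECTORY, CLAIMS))
```

The two stale-claims entries are the point of the window: a provider that billed last year but not this year looks active in a lifetime join and only surfaces when the lookback is bounded. A flagged entry is a lead for a secret-shopper call or a roster confirmation, not proof that the provider has left the network.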
Prior Authorization and Utilization Management
MAOs must provide all Medicare Parts A and B benefits and ensure that services are medically necessary through individualized determinations. Compliance programs should evaluate whether utilization management tools—including prior authorization—improperly restrict access to care and implement safeguards to prevent such risks.
CMS now requires Medicare Advantage Organizations to maintain formal utilization management committees, comply with defined operational and clinical standards, and issue medical‑necessity determinations in a timely manner. These determinations must reflect the individual circumstances of each patient—including their medical history, treating physician’s recommendations, and relevant clinical documentation—rather than relying exclusively on algorithms or artificial intelligence tools.
To manage these risks, MAOs should:
- Analyze denial trends to confirm coverage policies are applied consistently and do not improperly restrict access.
- Review appeals volumes and overturn rates, triggering root-cause analysis and corrective action when thresholds are exceeded.
- Perform audits of denial decisions to assess medical necessity and identify recurring issues.
- Inventory all algorithmic and AI‑supported tools, conduct validation testing for bias or inappropriate auto-denial patterns, and document individualized review consistent with CMS requirements.
Marketing and Enrollment Risk
Marketing and enrollment are central to MAOs, which often delegate these functions to agents, brokers, field marketing organizations, and other third-party marketing organizations (TPMOs). Compliance programs must closely oversee delegated activities and related compensation arrangements.
CMS regulations govern MAO marketing and enrollment practices to prevent abuse, and violations—such as unauthorized plan transfers or commission-driven enrollments—can trigger administrative sanctions.
Certain arrangements may also implicate the federal Anti-Kickback Statute. In 2024, the OIG issued a Special Fraud Alert highlighting problematic marketing schemes involving payments and referrals among MA plans, providers, and third-party marketers that can mislead beneficiaries into selecting plans or providers that do not meet their needs.
Improper Financial Incentives
MAOs and related parties must avoid marketing and enrollment practices that could harm Medicare-eligible individuals. Financial incentives tied to these activities must not distort enrollment decisions or steer beneficiaries toward plans that may not best meet their needs.
Payments to agents, brokers, and third-party marketing organizations (TPMOs) should prioritize beneficiaries’ interests over commissions or financial gain. Improper financial incentives can expose MA parties to significant legal and regulatory risk, including administrative sanctions, False Claims Act liability, and violations of the federal Anti-Kickback Statute, which prohibits knowingly offering or paying remuneration to induce referrals for items or services reimbursable under federal health care programs.
To manage these risks, MAOs should:
- Oversee all marketing-related compensation arrangements to identify fraud and abuse risks.
- Structure payments to avoid incentives that could improperly influence enrollment decisions.
- Document legitimate business purposes and fair market value (FMV) support, centralizing FMV files for compliance, legal, and audit access.
- Implement outlier analytics to detect rapid disenrollment patterns, complaint spikes, or agent-level anomalies.
- Reconcile payments to services performed and conduct periodic independent audits of marketing compensation.
- Provide ongoing compliance training for agents, brokers, and relevant staff on regulatory requirements and red flags.
Deceptive Marketing and Enrollment Practices
Medicare Advantage Organizations (MAOs) must ensure that all marketing and enrollment activities—including those conducted by third parties—are accurate, non-misleading, and nondiscriminatory. CMS regulations prohibit providing materially inaccurate or confusing information and forbid practices that deny, limit, or condition coverage based on health status.
Fraud and abuse laws, including the False Claims Act, the Anti-Kickback Statute, the exclusions statute, and the Civil Monetary Penalties Law, may apply when marketing misleads or deceives beneficiaries. Because MAOs are responsible for their subcontractors’ marketing materials and activities, oversight of third-party marketing and enrollment is critical.
To manage these risks, MAOs should:
- Implement oversight controls to ensure marketing complies with regulatory requirements and protects beneficiaries.
- Require clear, accurate disclosures, especially where benefits vary by geography, plan, or eligibility.
- Monitor agents and brokers using attestations, audits, and performance reviews.
- Track and investigate complaints promptly, with corrective action as needed.
- Review enrollment patterns, including off-cycle enrollments, to verify special enrollment eligibility.
Risk Adjustment Risk
Under the False Claims Act, MAOs face significant exposure when risk adjustment data is inaccurate or unsupported. Because MA payments are based on capitated per member per month (PMPM) rates adjusted by diagnosis-driven risk scores, the system is vulnerable to abuse.
OIG audits have identified practices such as submitting diagnoses from chart reviews or HRAs without corresponding clinical encounters and reporting high‑risk codes that cannot be validated. These behaviors inflate payments and undermine data integrity.
To mitigate these risks, MAOs should implement the following controls that ensure all risk adjustment data is accurate, supported, and properly documented:
- Require diagnoses to be supported by face-to-face medical records and acceptable data sources.
- Monitor risk adjustment data for accuracy, correct errors, and report overpayments consistent with the 60-day repayment rule.
- Train and oversee employees and FDRs on appropriate diagnosis queries and documentation practices.
- Use data analytics and provider-level benchmarking to identify outliers, followed by targeted audits and corrective action.
- Track risk scores and HCC trends over time to detect unusual patterns.
- Enhance oversight of FDRs, particularly where financial incentives relate to risk adjustment.
- Investigate suspected coding misconduct and report unsupported diagnoses to CMS as required.
- Prohibit diagnosis generation practices flagged by OIG—such as chart‑review‑only codes or unsupported HRA‑derived diagnoses—and incorporate retrospective deletion workflows for invalid codes.
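The following Python, added here as an example and not taken from the OIG guidance or any CMS model, shows two of the controls above on constructed data: flagging chart-review-only and HRA-derived diagnoses that lack a face-to-face encounter for the same member and code, and provider-level benchmarking of HCC diagnoses per member using a median/MAD outlier score. The rows, provider IDs, and the four-code HCC mapping are constructed assumptions; a real run would use the CMS-HCC mapping for the payment year and the plan's own encounter data.

```python
"""Risk adjustment monitoring: unsupported-source diagnoses and provider-level HCC outliers.

Added example; not code from the OIG guidance. Rows, codes and the toy
HCC mapping below are constructed assumptions, not a CMS model."""
from collections import defaultdict
from statistics import median

# Constructed toy mapping from ICD-10-CM codes to payment HCCs (assumption;
# real mappings come from the CMS-HCC model tables for the payment year).
HCC_MAP = {"E11.9": "HCC38", "I50.9": "HCC226", "J44.9": "HCC280", "N18.4": "HCC327"}
HCC_CODES = list(HCC_MAP)


def build_sample_rows():
    """Constructed submissions: eight peer providers and one outlier (P9)."""
    targets = {"P1": 5, "P2": 6, "P3": 5, "P4": 7, "P5": 6, "P6": 5, "P7": 8, "P8": 6, "P9": 20}
    rows = []
    for prov, count in targets.items():
        members = [f"{prov}-M{j}" for j in range(5)]
        pairs = [(m, HCC_CODES[0]) for m in members]  # one chronic dx per member
        k = 0
        while len(pairs) < count:  # spread extra HCC diagnoses across members
            pairs.append((members[k % 5], HCC_CODES[1 + k // 5]))
            k += 1
        for m, dx in pairs:
            rows.append({"provider": prov, "member": m, "dx": dx, "source": "encounter"})
        # a non-HCC code, which must not move the rate
        rows.append({"provider": prov, "member": members[0], "dx": "Z00.00", "source": "encounter"})
    # Chart-review and HRA rows: the first two have no face-to-face encounter for that dx
    rows.append({"provider": "P2", "member": "P2-M1", "dx": "I50.9", "source": "chart_review"})
    rows.append({"provider": "P3", "member": "P3-M4", "dx": "N18.4", "source": "hra"})
    rows.append({"provider": "P1", "member": "P1-M2", "dx": "E11.9", "source": "chart_review"})  # supported
    return rows


def unsupported_diagnoses(rows):
    """Chart-review or HRA diagnoses with no face-to-face encounter for the same member and code;
    these are candidates for the retrospective deletion workflow."""
    supported = {(r["member"], r["dx"]) for r in rows if r["source"] == "encounter"}
    return [r for r in rows if r["source"] != "encounter" and (r["member"], r["dx"]) not in supported]


def hcc_rate_by_provider(rows):
    """Distinct encounter-supported HCCs per distinct member, for each provider."""
    hcc_pairs, members = defaultdict(set), defaultdict(set)
    for r in rows:
        members[r["provider"]].add(r["member"])
        if r["source"] == "encounter" and r["dx"] in HCC_MAP:
            hcc_pairs[r["provider"]].add((r["member"], HCC_MAP[r["dx"]]))
    return {p: len(hcc_pairs[p]) / len(members[p]) for p in members}


def provider_outliers(rates, threshold=3.5):
    """Providers whose modified z-score (0.6745 * (x - median) / MAD) exceeds the threshold.
    Median and MAD are used instead of mean and standard deviation so one extreme
    provider does not widen the benchmark enough to hide itself."""
    values = list(rates.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return {}
    scores = {p: 0.6745 * (v - med) / mad for p, v in rates.items()}
    return {p: round(s, 2) for p, s in scores.items() if s > threshold}


if __name__ == "__main__":
    sample = build_sample_rows()
    print("unsupported:", [(r["provider"], r["member"], r["dx"], r["source"]) for r in unsupported_diagnoses(sample)])
    print("outliers:", provider_outliers(hcc_rate_by_provider(sample)))
```

In the constructed data P9 reports four HCCs per member against a peer median of 1.2, which is the pattern that should trigger a targeted chart audit rather than an automatic adjustment; an outlier score is a lead, and the medical record decides whether the diagnoses are supported.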
Quality of Care Risk
Quality of care ensures that payments reflect actual beneficiary needs. Providing high-quality care is a key focus of the MA program, reflected in CMS’s quality bonus payment program, access requirements, and provider oversight.
MA Parties’ compliance programs should prioritize quality-of-care oversight, ensuring accurate, complete, and unbiased data submissions for CMS Star Ratings and other quality measures. Common pitfalls include submitting incomplete HEDIS data, which can skew Star Ratings downward.
To mitigate quality-of-care risks, MAOs should:
- Maintain adequate provider networks and ensure enrollees receive medically necessary care regardless of location or demographics.
- Use utilization management tools appropriately.
- Monitor provider performance and verify eligibility for payments.
- Avoid paying excluded or non-Medicare-enrolled providers.
- Ensure the integrity of data used for quality metrics and CMS reporting.
- Implement pre-submission validation processes for quality data reported to CMS, including internal audits of Star Ratings measures and HEDIS-related documentation.
Oversight of Third-Party Risk
MAOs routinely delegate functions to providers, marketers, and other vendors, but these arrangements create significant oversight and accountability risks. CMS regulates these relationships through its First Tier, Downstream, and Related Entity (FDR) framework, specifying which compliance activities may be delegated and which—such as compliance officer duties—may not.
Although MAOs may delegate certain functions, they remain fully responsible for meeting Medicare requirements, and FDRs themselves are subject to program rules. FDRs include entities that contract directly with an MAO, subcontractors further down the chain that ultimately deliver services, and related organizations under common ownership or control that provide management functions or other services above regulatory thresholds.
Selecting and Evaluating Third Parties
MAOs should establish clear policies for identifying FDRs and calibrate compliance strategies based on the roles of all third parties, not just FDRs. Fraud and abuse risks exist across all delegated relationships, and MAOs may be liable for third-party actions.
Effective oversight considers the tasks delegated, associated compliance risks, the third party’s sophistication, and government enforcement trends. MAOs should carefully evaluate third-party partners before delegating any Medicare program functions. MAOs should implement a formal pre-delegation due diligence process to minimize compliance risks.
Due diligence should include:
- Assess scope and risk of delegated functions, especially those involving enrollees, marketing, or high fraud and abuse exposure.
- Determine FDR status and applicable CMS requirements.
- Evaluate experience and regulatory knowledge in working with MAOs or other health care entities.
- Review compliance program maturity and infrastructure.
- Confirm IT and reporting capabilities to meet data and timeliness standards.
- Verify Medicare enrollment status, where required.
- Check the OIG’s LEIE and CMS’s Preclusion List before contracting and periodically verify the status of current contractors.
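Example code added for this alert (not from the OIG guidance) that screens a constructed roster against LEIE-style and Preclusion List-style rows, covering both the earlier "audit provider listings against LEIE and the Preclusion List" item and the pre-contract check here. The column names are assumptions modeled on the public LEIE download, the Preclusion List rows are illustrative (CMS distributes the real list to plans; it is not a public file), and the roster entries are constructed. Exact NPI matches are treated as hits; name-only matches are reported for manual confirmation, because a name alone does not identify a person.

```python
"""Exclusion and preclusion screening of a contractor/provider roster.

Added example, not from the OIG guidance. The LEIE-style and Preclusion
List-style rows are constructed; their column names are assumptions modeled
on the public downloads, and real screening runs against the current files."""
from datetime import date
import re

SUFFIXES = {"JR", "SR", "II", "III", "MD", "DO", "LLC", "INC"}


def normalize(name: str) -> str:
    """Upper-case, strip punctuation and common suffixes so 'Smith, Jr.' == 'SMITH'."""
    cleaned = re.sub(r"[^A-Z ]", "", name.upper())
    return " ".join(w for w in cleaned.split() if w not in SUFFIXES)


# Constructed LEIE-style rows (exclusion types and dates are illustrative only)
LEIE = [
    {"lastname": "DOE", "firstname": "JOHN", "busname": "", "npi": "1987654328",
     "excltype": "1128a1", "excldate": date(2021, 3, 20), "reindate": None},
    {"lastname": "ROE", "firstname": "JANE", "busname": "", "npi": "",
     "excltype": "1128b4", "excldate": date(2019, 7, 1), "reindate": None},
    {"lastname": "", "firstname": "", "busname": "ACME HOME HEALTH LLC", "npi": "",
     "excltype": "1128b7", "excldate": date(2015, 1, 1), "reindate": date(2020, 1, 1)},
]

# Constructed Preclusion List-style rows
PRECLUSION = [
    {"npi": "1000000004", "name": "QUICK DME SUPPLY INC", "effective": date(2024, 10, 1)},
]

# Constructed roster of contractors and network providers to be screened
ROSTER = [
    {"id": "V1", "npi": "1987654328", "name": "John Doe, MD"},          # NPI hit in LEIE
    {"id": "V2", "npi": "1234567893", "name": "Jane Roe"},              # name-only hit, needs review
    {"id": "V3", "npi": "", "name": "Acme Home Health, LLC"},           # reinstated: no active exclusion
    {"id": "V4", "npi": "1000000004", "name": "Quick DME Supply Inc"},  # precluded
    {"id": "V5", "npi": "1555555550", "name": "Clean Clinic"},          # no findings
]


def exclusion_active(row, as_of):
    """An exclusion counts only if it began on or before as_of and has not been reinstated."""
    return row["excldate"] <= as_of and (row["reindate"] is None or row["reindate"] > as_of)


def screen_roster(roster, leie, preclusion, as_of):
    """Return findings: 'npi' matches are exact; 'name' matches need manual confirmation."""
    findings = []
    for party in roster:
        party_name = normalize(party["name"])
        for row in leie:
            if not exclusion_active(row, as_of):
                continue
            if party["npi"] and row["npi"] and party["npi"] == row["npi"]:
                findings.append({"id": party["id"], "list": "LEIE", "match": "npi",
                                 "excltype": row["excltype"]})
                continue
            listed_name = normalize(row["busname"]) or normalize(f"{row['firstname']} {row['lastname']}")
            if listed_name and listed_name == party_name:
                findings.append({"id": party["id"], "list": "LEIE", "match": "name",
                                 "excltype": row["excltype"]})
        for row in preclusion:
            if row["effective"] <= as_of and party["npi"] and party["npi"] == row["npi"]:
                findings.append({"id": party["id"], "list": "Preclusion", "match": "npi",
                                 "excltype": ""})
    return findings


def run_sample(as_of=date(2025, 6, 1)):
    """Screen the constructed roster as of a fixed date so results are reproducible."""
    return screen_roster(ROSTER, LEIE, PRECLUSION, as_of)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The screen is run at contracting and then on a schedule against freshly downloaded files, because exclusions are added monthly and a roster that was clean at signing can stop being clean. The name-only path deliberately matches in only one name order and skips entries whose LEIE record lacks a name, which trades some recall for fewer false positives; a fuzzy or alias-aware matcher is a reasonable extension when the roster is large.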
Crafting Compliance-Focused Agreements
MAOs can strengthen oversight of First Tier, Downstream, or Related Entities (FDRs) by including explicit compliance rights and obligations in contracts. Agreements should require attestations—formal statements from an authorized representative—covering the third party’s organizational structure, business practices, and compliance program.
Common provisions include:
- Employee and downstream entity screenings via OIG’s LEIE.
- Obligations to report potential violations.
- MAO auditing and monitoring rights.
- Reporting data in specified formats at defined intervals.
- Conducting self-audits and reporting results to the MAO.
- Standardized credentialing processes.
- Onboarding and compliance education for new FDR staff.
- Prompt notification to the MAO of any government investigation, subpoena, civil investigative demand, or CMS/OIG inquiry.
Agreements should clearly define termination rights for non-compliance and include provisions for an orderly transition to ensure continuity of care for enrollees, protect data, and prevent disruption to MAO operations. Attestations and contractual requirements should be tailored as needed, including for offshore subcontractors or in response to evolving legal or regulatory requirements.
Ongoing Oversight and Corrective Action
Medicare Advantage Organizations (MAOs) should ensure that third parties understand and comply with applicable legal and regulatory requirements both before and after delegation.
Providing practical compliance resources—such as manuals, guides, toolkits, training programs, and centralized information on health care statutes, regulations, and fraud, waste, and abuse requirements—helps mitigate risks, particularly for startups or smaller contractors unfamiliar with the health care environment.
Ongoing oversight should supplement attestations and include:
- Periodic renewal of attestations.
- Regular reporting from FDRs and quarterly FDR audits for high-risk delegations.
- Provider‑specific audit and monitoring oversight—including targeted coding audits, UM case log reviews, and documentation integrity checks.
- Policies to implement corrective actions for noncompliance, up to and including termination of the relationship.
Oversight should extend to all third‑party partners performing MA‑related functions, regardless of FDR designation, with risk‑tiering based on function, data access, and enrollee impact.
Vertically Integrated Organizations and Other Ownership Structure Risk
MA Parties increasingly operate within vertically integrated or consolidated structures, in which MAOs, health systems, provider groups, and related entities sit under common ownership or control. These arrangements create unique compliance challenges, as existing compliance programs may lack the specialized expertise to oversee MA-specific functions and risks, which can differ substantially from the organization's non-MA operations.
Compliance programs should incorporate monitoring for consolidation-related risks, including patient steering, formulary manipulation, and reimbursement practices that may indirectly affect MA network adequacy and access to care.
To mitigate these risks, organizations should:
- Empower MA compliance leaders with the expertise, authority, and executive access needed to oversee MA-specific risks.
- Integrate MA risks into enterprise risk assessments, audit plans, and compliance strategies.
- Conduct ownership structure risk assessments, including MLR-related incentives, cross-entity data sharing, investor-driven pressures, and risks of steering, preferential referrals, or inflated utilization.
- Maintain strict data access controls—such as firewalls between provider and plan operations—to prevent improper influence on coverage decisions.
- Mitigate investor-related risks through targeted training and ongoing compliance communication.
- Provide regular MA risk reporting to the Board with clear escalation pathways.
Payment Data Accuracy and False Claims Risk
Medicare Advantage Organizations (MAOs) must certify that all data submitted to CMS for payment are accurate. The submission of inaccurate or fraudulent data can trigger administrative actions and civil liability under the False Claims Act (FCA), which holds individuals or entities responsible for submitting or causing the submission of false claims to the government.
MA Parties face FCA exposure when they engage in practices that inflate Medicare payments, such as participating in schemes to submit false diagnoses, knowingly submitting inaccurate codes without correction, or reporting unsupported diagnoses generated through encounters like in‑home health risk assessments. To mitigate these risks, MAOs should implement reimbursement policies covering the entire claims lifecycle—from initial submission through final payment.
Key mitigation strategies include:
- Monitoring and auditing provider‑submitted claims before submitting data to CMS.
- Implementing end‑to‑end claims controls—encounter data validation, NPI‑level anomaly detection, and rapid overpayment identification and refund processes—to reduce FCA risk.
- Reporting suspected fraud or misconduct to the Medicare Drug Integrity Contractor or using the OIG Health Care Fraud Self‑Disclosure Protocol when shared‑risk or ownership arrangements are involved.
Board and Executive Oversight
The OIG’s updated guidance reinforces that MA compliance risk must be visible at top levels of the organization. MAOs should ensure regular reporting to the board and executive leadership regarding risk adjustment trends, denial metrics, marketing oversight findings, network adequacy status, and identified overpayments.
Board reporting should explicitly address areas prioritized by the DOJ–HHS FCA Working Group, including risk adjustment integrity, prior authorization denials, and third‑party oversight.
Escalation protocols should be clearly documented, and enterprise risk management processes should incorporate MA-specific compliance risks. Documentation of board engagement and oversight will be critical in demonstrating an effective compliance program.
Conclusion
This updated guidance from the OIG marks a significant shift in the compliance landscape for Medicare Advantage Organizations. While voluntary, it clearly signals the enforcement priorities and risk areas that will command regulatory attention in the years ahead. Compliance programs should anticipate increased CMS audit frequency, expanded RADV methodologies, and heightened expectations for documentation integrity, particularly in areas where CMS and OIG have aligned enforcement priorities.
Effective compliance is no longer limited to policies and procedures. It requires embedding accountability across every facet of MA operations—from network adequacy and prior authorization to marketing oversight, risk adjustment integrity, and third-party delegation.
Organizations that view compliance as a strategic function rather than a checkbox will be better positioned to detect issues early, respond effectively, and avoid enforcement actions. For these organizations, the OIG’s guidance is not a burden to be managed, but a strategic asset for building a more resilient, trustworthy, and successful Medicare Advantage program.