On February 3, 2026, the Department of Health and Human Services (“HHS”) Office of Inspector General (“OIG”) issued the Medicare Advantage (“MA”) Industry Segment-Specific Compliance Program Guidance (“ICPG”) to help MA Organizations (“MAOs”) and other individuals and entities participating in or engaged with the MA program (referred to collectively as “MA Parties”) identify, mitigate, and monitor fraud, waste, and abuse risks in the MA program. The MA ICPG marks the first update to OIG’s MA compliance program guidance since 1999 and, together with OIG’s General Compliance Program Guidance (“GCPG”) released in November 2023, replaces the 1999 guidance.
The MA ICPG is only the second ICPG to be issued since OIG announced its “Modernization of Compliance Program Guidance Documents” initiative in April 2023. Its release underscores that managed care oversight is a top priority of OIG, as Medicare and Medicaid program enrollment continues to shift towards managed care delivery models.
An “evolving set of challenges”
A key driver for the updated guidance is the evolution of the MA program in the past two and a half decades. OIG identifies several key trends:
- The increasingly complex industry relationships between MAOs and a “constellation of other entities and individuals,” including healthcare professionals, management service organizations, individual practice associations, agents, brokers, other entities that perform marketing and enrollment activities, and other vendors;
- New market entrants, both MAOs and other MA Party entities, who may have varying levels of sophistication in matters of MA compliance; and
- Merger activity, which has led to novel combinations of different entity types, and greater vertical integration across the board.
OIG identifies the following compliance risk areas and discusses recommendations for risk mitigation:
Access to Care
Network Adequacy and Provider Directory Accuracy
OIG expresses concern regarding the adequacy of provider networks and accuracy of provider directories. Noting that MAOs must submit provider directory information to CMS, OIG warns that false or misleading representations regarding such information can lead to administrative sanctions or liability for making false statements to the Government. In addition, beneficiaries can be misled into enrolling if a plan’s provider directory includes false, outdated, or incomplete information. Inaccurate provider directories can result in other negative impacts on enrollees, including greater use of out-of-network providers and higher out-of-pocket costs.
OIG recommends various strategies to proactively mitigate these risks, including regular contact with providers to update directory information, using an independent third-party verification company, reviewing claims submission volumes to determine whether providers are actively participating in the network, relying on CMS resources such as the “Evaluate my Network” functionality in CMS’s Health Plan Management System, and participating annually in CMS’s informal “Consultation” on network adequacy.
Utilization Management Tools, Including Prior Authorization
Another key risk area identified by OIG is the impact of utilization management tools, including prior authorizations, on access to care. OIG notes that prior OIG oversight has identified “serious concerns about improper denials or delays in care resulting from prior authorization programs.” In particular, OIG identifies the use of algorithms based on artificial intelligence technology as an emerging area with potential benefits, but one that presents potential compliance risks, as MAOs are required to make medical necessity determinations based on the circumstances of the specific member and may not rely solely on an algorithm or software that does not account for a member’s circumstances.
To mitigate compliance risks, OIG recommends that MA Parties “not only follow CMS’s regulations but go beyond them to establish robust safeguards to oversee utilization management practices.” The MA ICPG lists a number of strategies for compliance, including reviewing trends in claims denials and prior authorization denials to ensure that such denials “do not inappropriately restrict coverage”; analyzing trends in appeals of denied claims, including volume of denials overturned on appeal; and reviewing algorithm-based tools to ensure that decisions are grounded on members’ individualized medical history, physicians’ recommendations, and medical records.
Marketing and Enrollment
It is not surprising that OIG identifies MA plan marketing and enrollment as a key compliance risk area. MA marketing has been the topic of significant attention in the past several years, including Congressional investigations, a failed attempt by CMS to limit payments to third party marketing organizations, and an OIG Special Fraud Alert regarding suspect payments in MA marketing arrangements.
OIG identifies two core compliance concerns with MA marketing and enrollment:
Improper Financial Incentives
Actions identified by OIG that may create improper financial incentives include marketing payments that exceed the permitted compensation amounts set forth in CMS regulations, payments that are conditioned on meeting enrollment volume targets, payments to not recommend or not offer particular plans offered by specific competitors, and payments tied to the health status of enrollees, which could cause agents and brokers to steer relatively healthy individuals to particular plans.
Strategies offered by OIG are not new. To mitigate these risks, OIG advises MA Parties to “ensure that any compensation arrangements do not create incentives to inappropriately influence enrollments,” to develop monitoring and auditing systems, to document fair market value determinations, and to provide compliance trainings.
Deceptive Marketing Practices
OIG states that MA Parties who engage in “marketing activities that improperly mislead or deceive individuals to enroll in MA plans” may be subject to enforcement under fraud and abuse laws, including the False Claims Act, the Federal Anti-Kickback Statute, the exclusions statute, and the Civil Monetary Penalties Law.
Compliance recommendations from OIG include establishing processes to review and approve marketing materials and tracking complaints. OIG also recommends that MA Parties “monitor the volume of enrollments outside of the annual enrollment period and verify enrollees’ eligibility for enrollment during any special enrollment period,” a recommendation suggesting that special enrollment periods may be a target for future enforcement scrutiny.
Risk Adjustment
OIG states that through focused oversight, OIG and others have identified a range of abusive practices involving MA risk adjustment. For example, OIG discusses concerns with unsupported diagnoses in chart reviews and health risk assessments (“HRAs”), as well as problematic querying generated by artificial intelligence algorithms in electronic medical record platforms prompting physicians to add risk-adjusting diagnoses that patients did not have or that did not affect the care, treatment, or management of the patient.
OIG recommends enhanced oversight such as pre- and post-submission audits, heightened review of high-risk diagnosis codes, governance of chart review/HRA programs, provider and coder education, anomaly/outlier detection (including algorithmic tools), benchmarking HCC prevalence and coding intensity, stronger oversight of contractors where financial incentives exist, investigation and referral processes, and reporting and returning overpayments as required.
Quality of Care
Quality is tied directly to MA compensation through CMS’s Star Ratings program and quality bonus payments. Therefore, data integrity and unbiased reporting are central compliance issues. OIG notes that ensuring the integrity of the data used for Star Ratings’ quality and performance measures is a key component for MA Parties’ quality-of-care compliance oversight.
Oversight of Third Parties
OIG adopts new safeguards that detail MAO compliance obligations vis-à-vis third party arrangements. OIG recognizes that MAOs routinely delegate an expanding scope of services to third parties, and states that doing so presents unique compliance challenges to maintain a consistent and effective level of oversight.
OIG cautions that the fraud and abuse risks associated with MAO interactions with third parties “are not limited to interactions with [first tier, downstream or related entities (“FDRs”)], because liability under fraud and abuse laws does not turn on any entity’s status as an FDR (as defined by CMS).” More specifically, OIG states MAOs “may be liable for the actions of those third parties beyond MAOs’ accountability to CMS for delegated functions,” and that third parties themselves also could be vulnerable to liability under certain fraud and abuse laws for their own conduct or for the actions of their downstream entities.
OIG states that MA Parties should consider the following factors when developing a compliance strategy in connection with third parties: (1) the types of tasks an MAO has delegated to the third party, (2) compliance risks associated with those tasks, (3) the third party’s sophistication and preexisting compliance infrastructure, and (4) current Government enforcement and oversight trends.
Compliance Programs Within Vertically Integrated Organizations and Other Ownership Structures
OIG discusses the increasingly large and complex partnerships and arrangements between MA Parties, including vertically integrated organizations, which may include provider and insurer lines of business with common ownership, MAO ownership of healthcare providers and health systems (or vice versa), and common ownership by MAOs and other related entities, such as data analytics firms or utilization review entities. According to OIG, integrated entities present unique compliance challenges, and the compliance infrastructure of an MA-related business should have the appropriate expertise to oversee those functions, which may present different compliance risks than the larger organization’s operations.
Submission of Accurate Claims
Noting that MAOs must submit certifications that the data submitted to CMS are accurate, OIG warns that MA Parties may have exposure to administrative sanction or civil liability where fraud is involved in such submissions.
OIG does not offer any risk mitigation guidance, but provides an overview of the False Claims Act, and notes that MA Parties have settled False Claims Act cases involving the alleged submission of false or fraudulent information in an effort to increase Medicare program payments.