In February 2026, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued new Medicare Advantage Industry Segment-Specific Compliance Program Guidance (MA ICPG). The MA ICPG is OIG’s first update in 27 years to its 1999 Medicare+ Choice Compliance Program (1999 CPG). Since that time:
- The Medicare Advantage (MA) program has grown dramatically—from just under 7 million enrollees when the 1999 CPG guidance came out to more than 35 million enrollees today.
- Health care administration and managed care practices have continued to evolve.
- Medicare Advantage Organization (MAO) contractual relationships have grown more complex.
- The Centers for Medicare & Medicaid Services (CMS) has codified program rules previously in guidance.
- OIG, CMS, and the Department of Justice (DOJ) have increased their scrutiny of MAOs through investigations and enforcement actions, including significant False Claims Act activity.
The new MA ICPG outlines seven “compliance risk areas” and provides corresponding “recommendations for mitigation.” While the MA ICPG carries forward many of the risk areas identified in the 1999 CPG, the updated guidance focuses even more on practices that support data accuracy.
MAOs—and what OIG more broadly defines as the “MA Parties,” meaning “the wide range of entities and individuals participating in or engaged with the MA program”—should use OIG’s roadmap to evaluate and update their compliance infrastructure to mitigate these risk areas. Companies may find that enforcement agencies are less forgiving about issues OIG explicitly highlights in the updated guidance.
Access to Care: Provider Directory Accuracy and Individualized Decision-Making
The MA ICPG emphasizes the need for accurate provider directories and highlights risks associated with artificial intelligence (AI), including the expectation that AI-supported determinations reflect individualized clinical circumstances. This focus continues the OIG’s concern with access to care, first identified in the 1999 CPG.
OIG identifies network adequacy as a barrier to ensuring that enrollees have access to covered services—a core requirement of the MA program. Two key areas are highlighted: (1) provider network adequacy and accuracy of provider directories; and (2) access to services.
OIG suggests that inaccurate directories could mislead enrollees into choosing a plan without sufficient provider access, particularly if network provider lists are out of date. It also warns that false or misleading certifications about the accuracy of provider directories submitted to CMS could expose MAOs to false claims liability or sanctions.
OIG has also been vocal about concerns that prior authorization programs can result in improper denials or delays in care. It cautions that any algorithm or AI tool incorporated into utilization management practices that focus on bulk data sets may run afoul of CMS regulations requiring determinations based on a member’s individualized circumstances (their medical history, physicians’ recommendations, and medical records).
Recommended strategies to mitigate risks in this area include:
- Focusing on provider directory accuracy by regularly contacting providers or management services organizations, using third-party or publicly available verification tools, having transparent indicators for unverified provider information, and promptly removing out-of-network providers.
- Verifying provider quality and identifying suspicious providers through systematic checks to confirm provider availability, investigating enrollee complaints about providers, and reviewing claim submissions to ensure providers are delivering care to enrollees and that conditions/procedures align with provider specialties.
- Documenting and monitoring the use case and inputs for any AI tool used for prior authorization processes and ensuring AI and other algorithm-based tools focus on individual patient details.
- Overseeing utilization management by analyzing trends and sampling denials, appeals, and appeal outcomes.
- Ensuring utilization management committees are in place, with responsibilities and composition consistent with CMS rules.
Marketing and Enrollment: FMV Support and Materials Compliance
The MA ICPG identifies documentation of the basis and fair market value (FMV) of compensation for marketing and enrollment partners as a key risk area and emphasizes the need for compliant marketing materials.
The focus on marketing and enrollment practices should come as no surprise. Much of the concern centers on the role of third-party marketing organizations. Echoing a 2024 Special Fraud Alert, OIG stressed concern that improper incentives may skew member enrollments toward plans not in the member’s best interest. OIG cautions against payments that encourage steering members to a particular plan, bonuses conditioned on high volume enrollment, or payments tied to health status.
Companies should focus on enhancing compliance programs for payment structures in place with agents, brokers, third-party marketing organizations, providers and their staff, management services organizations, and First Tier, Downstream, or Related Entities (FDRs).
Some guardrails for compliant payment streams include:
- Developing, monitoring, and tracking payment arrangements for marketing and enrollment functions, including for payments made to agents, brokers, or third parties fulfilling these functions.
- Documenting fair market value determinations for any arrangement for marketing or enrollment services.
- Auditing network provider marketing practices.
- Ensuring agents, brokers, and other third parties receive compliance-focused training, either from the MAO or from their own companies.
- Establishing a consistent process to review and approve marketing materials used by agents and brokers and monitoring their activities to identify trends that could be indicative of deceptive marketing.
Risk Adjustment: Data Accuracy Review and Analysis
OIG identified risk adjustment as an area of major vulnerability. Both OIG and the Medicare Payment Advisory Commission (MedPAC) have expressed concern in recent years that, because payments to MAOs are based on beneficiary health status, some MAOs may be increasing their CMS payments by submitting unverifiable diagnosis codes. Some specific areas with potential for abuse OIG flagged include diagnoses derived from in-home health risk assessments or chart reviews and certain diagnosis codes that are “at a high risk for being miscoded.”
Recommendations to mitigate risk adjustment coding issues include:
- Implementing programs (software, data filtering logic, algorithms, AI tools) to ensure risk adjustment data accuracy, identify outliers, and monitor potentially concerning trends.
- Using OIG’s toolkit to help identify and analyze high-risk diagnosis codes.
- Benchmarking risk scores and Hierarchical Condition Category prevalence rates and analyzing trends over time.
- Appropriately investigating allegations of provider or contractor fraud regarding risk adjustment coding.
- Educating contracted providers, coders, and other third parties on proper coding practices.
OIG also encourages MA Parties to take appropriate corrective actions (including termination of providers) based on substantiating investigation allegations and notes an affirmative duty under CMS rules to report unsupported or invalid diagnoses codes and overpayments.
Quality of Care: Star Rating Data Accuracy and Provider Monitoring
OIG reiterates that MA Parties must prioritize providing high-quality care to beneficiaries. It recommends that MAOs have systems to regularly assess the integrity of quality data submitted to CMS. Inaccurate data can negatively impact CMS quality assessments, which beneficiaries rely on to compare MA plans. MA reimbursement is also tied to quality of care.
OIG recommends:
- Implementing programs (software, data filtering logic, algorithms, AI tools) to ensure data accuracy.
- Ensuring provider network quality so that beneficiaries can access medically necessary care.
- Monitoring network providers to ensure networks do not include providers excluded by OIG or with suspended licenses by a state licensing body.
Monitoring Third Parties: Partner Selection, Contractual Compliance Metrics, and Oversight
OIG acknowledges that most MAOs delegate “an expanding scope of services” to third parties. In fact, it calls this delegation “essential to the functioning of the MA program.” Even so, OIG cautions that MAOs are on the hook for compliance violations by their FDRs, and delegation does not absolve an MAO of potential liability. Understanding which third parties make good business partners and understanding how CMS and OIG may view those relationships is paramount.
OIG recommends:
- Conducting due diligence on potential partners to assess the risk of the delegated functions, the third party’s experience, capabilities, and level of sophistication.
- Including compliance-focused terms in agreements, especially with FDRs. MAOs can require attestations on the structure and operation of the FDR’s compliance program, can require they conduct self-audits, and can require they report certain data to the MAO to facilitate oversight.
- Developing adequate training, guides, and toolkits for FDRs, providing compliance training and resources, and regularly updating third parties on updates to statutes and regulations.
- Assess the risk based on the relationship and develop ongoing oversight calibrated to the level of risk, including regularly auditing and monitoring core activities, and conducting internal investigations through special investigation units.
Vertically Integrated Organizations and Ownership Structures: Alignment of MA Functions and Compliance Oversight
The MA ICPG calls for MA functions within vertically integrated organizations to be supported by compliance teams with sufficient authority, expertise, and independence.
OIG acknowledges that MA Parties are entering into increasingly large and complex arrangements, including vertically integrated organizations or ownership by private equity funds, which create unique compliance risks that require programmatic safeguards.
OIG recommends:
- Ensuring MA-related business functions have the appropriate Medicare expertise to assess compliance risk specific to that function.
- If MAOs are under the ownership of those without sophisticated health care experience (private equity funds or investors), offer education and training on compliance risks.
Submission of Accurate Claims
In a somewhat ominous conclusion, OIG warns that MA Parties can be subject to False Claims Act (FCA) exposure by submitting or causing the submission of false or fraudulent claims for reimbursement. Though OIG notes that conduct that ran afoul of the FCA has “taken various forms”—citing examples about submitting data for diagnoses “that patients did not actually have” or “unsupported diagnosis codes for certain patient encounters, such as visits to an individual’s home for completion of health risk assessment forms”—it offers no additional specific recommendations.
Proactively consulting with outside counsel on programmatic ways to verify that data being submitted to CMS is accurate can reduce liability and save companies from exposure down the road.
Conclusion
The MA ICPG concludes with a discussion of the elements of an effective compliance program. The new guidance serves as a valuable tool to help organizations in the industry better understand OIG’s priorities.
Alston & Bird’s Health Care Litigation, Health Care Regulatory Counseling and Fraud & Abuse, and False Claims Act Litigation teams are well equipped to help MA Parties implement this guidance and to assist with updates to compliance programs to reduce risks and potential liability.
If you have any questions, or would like additional information, please contact one of the attorneys on our Health Care team.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.