Inside the New OIG Guidance for Medicare Advantage
The long-awaited Medicare Advantage Industry Segment-Specific Compliance Program Guidance (ICPG) has recently been released by the HHS OIG. It serves as an updated, voluntary resource intended to help Medicare Advantage Organizations (MAOs) and other Medicare Advantage Parties or “MA Parties” identify, mitigate, and manage program-specific compliance risks.
The ICPG is meant to be used alongside the OIG’s General Compliance Program Guidance (GCPG) and CMS’s mandatory compliance program regulations. The OIG has performed extensive oversight of MA, including audits, investigations, data analyses, and enforcement actions. The ICPG is designed to help MA Parties with practical mitigation recommendations.
The OIG emphasizes that the guidance is not exhaustive or binding, but it does offer practices MA parties can apply across compliance domains. It highlights the complexity and growth of the MA market (new entrants, consolidation, vertical integration, private equity ownership, and extensive delegation to third parties), the incentives created by capitated, risk-adjusted payments, and the need for robust internal controls to prevent fraud, waste, and abuse while protecting beneficiary access and quality of care.
The ICPG’s structure: (I) Introduction and industry overview; (II) Compliance risk areas + mitigation recommendations (the heart of the document); (III) Compliance program structure and activities (practical steps to operationalize compliance); and (IV) Conclusion and “stay up to date” resources.
This article will emphasize Section II on risk areas and mitigation recommendations.
Section II identifies seven core risk domains for MA Parties and provides detailed, practical mitigation measures. The seven areas are:
- Access to Care (network adequacy and prior authorization)
- Marketing and Enrollment
- Risk Adjustment
- Quality of Care
- Oversight of Third Parties
- Compliance programs in vertically integrated/other ownership structures
- Submission of Accurate Claims
Each subsection outlines the risk, relevant regulatory touchpoints, common problematic practices found in prior OIG work, and concrete controls MA Parties can adopt.
1. Access to Care (Network adequacy and prior authorization)
OIG emphasizes MAOs’ regulatory obligation to ensure enrollees’ access to covered services (including travel/time standards). OIG highlights two principal risks related to access to care:
i. Inaccurate provider directories/“ghost networks”
ii. Improper utilization management (notably prior authorization) that delays or denies medically necessary care.
Mitigation steps include routine provider verification (CMS recommends at least quarterly), use of independent third-party verification, periodic secret-shopper checks, claims-data reconciliation to confirm providers actually see enrollees, prompt removal of providers who no longer participate, and using government data sources (e.g., PECOS, NPI registry, LEIE) to validate status.
For utilization management, OIG warns against overreliance on algorithms that do not account for individualized medical records; CMS requires individualized medical necessity determinations. MAOs should monitor denial and appeal trends, sample and medically review denied cases, ensure clinician review of denials, and validate any AI/algorithmic tools to ensure patient-specific decisioning.
2. Marketing and Enrollment
Marketing and enrollment present both beneficiary harm and legal risk. Delegation to agents, brokers, and Third-Party Marketing Organizations (TPMOs) increases exposure. Two primary risks identified by OIG include:
i. Improper financial incentives
ii. Deceptive marketing
Improper incentives include compensation above CMS limits, volume-based steering, payments tied to enrollee health status, or remuneration to beneficiaries to choose a plan, all of which can implicate the anti-kickback statute, False Claims Act, and CMS administrative sanctions. OIG recommends fair market value documentation for all arrangements, documented approval processes, tracking systems for marketing payments and activity logs, periodic audits, and targeted training for agents and staff.
To prevent deceptive marketing, MAOs should implement standardized review/approval of materials (use CMS model materials), require clear disclosures when certain benefits are not universally available, monitor third-party marketers through attestations and audits, track complaints and suspicious agent behavior (e.g., spikes in disenrollments), and validate enrollments outside standard periods.
3. Risk Adjustment
Risk adjustment drives payment and is therefore a high-risk area for fraud and abuse. OIG highlights abusive practices discovered in its previous investigations and audits, which include:
- Overuse or misuse of chart reviews and in-home Health Risk Assessments (HRAs) to generate diagnoses
- Submission of unsupported diagnosis codes
- Provider or vendor prompting to up-code
- Failure to remove unsupported codes
CMS requires that diagnoses be supported in medical records, often following face-to-face encounters and appropriate coding guidance. Recommended mitigations are extensive: pre- and post-submission data audits; special scrutiny for high-risk HCC codes; pairing diagnosis capture programs (chart reviews/HRAs) with clinical quality controls; provider and coder education; filtering logic and analytics to detect anomalies and outliers; benchmarking HCC prevalence and risk scores across providers and time; auditing vendors and providers receiving risk-based incentives; and prompt corrective action and overpayment reporting to CMS where necessary. The ICPG stresses cross-functional oversight involving compliance, Special Investigation Units (SIUs), legal, and clinical services. OIG also recommends establishing committees or processes to coordinate risk-adjustment oversight.
4. Quality of Care
Quality metrics (Star Ratings, quality bonus payments) tie directly to payments and beneficiary choice. Risks include inaccurate or biased quality data, incomplete reporting, and network deficits that weaken the quality of care. MAOs should ensure the integrity of inputs to Star Ratings, regularly validate quality data and complaints, ensure credentialing and enrollment of providers, screen for excluded or precluded providers, and consider requiring network providers to be Medicare-enrolled. Quality oversight should be a compliance priority, as it impacts both reimbursement and beneficiary outcomes.
5. Oversight of Third Parties
Delegation to First Tier, Downstream, or Related Entities (FDRs) brings operational efficiency but raises risk because MAOs retain ultimate responsibility. The ICPG recommends strong pre-delegation due diligence, formal risk assessments, attestation requirements, tailored contractual rights (reporting formats, periodic self-audits, audit access, LEIE checks), and ongoing monitoring calibrated to risk level. Practical steps include vendor scorecards, dashboards, issue logs, periodic attestations/renewals, auditing FDR compliance programs, and corrective action policies that should include disciplinary action up to termination. Special provider-related oversight (coding audits, utilization reviews) is recommended where providers are delegated functions. OIG is urging MAOs to provide compliance resources and training to smaller or newer contractors.
6. Compliance in Vertically Integrated/Other Ownership Structures
Vertical integration and private equity ownership create unique governance and data-segregation risks. The ICPG advises parties unfamiliar with Medicare Advantage to ensure MA-specific expertise among compliance leaders, empower subsidiary compliance functions, track medical loss ratios accurately where related-party transactions exist, maintain robust internal controls to separate business lines when appropriate, and provide heightened training for investors or leaders lacking health-care experience.
7. Submission of Accurate Claims
Accuracy of data submitted to CMS is critical. False or unsupported claims and/or medical codes may trigger False Claims Act liability. The ICPG reiterates MAOs’ obligation to certify accuracy, implement internal controls, audit claims and encounter data, identify and report overpayments, and use SIUs and hotlines to detect and investigate potential fraud.
The ICPG closes in Section III by providing guidance on how to operationalize and/or structure a compliance program tailored to MA risks. It maps MA-specific practices to the GCPG’s seven compliance elements: (I) written policies and procedures; (II) compliance leadership and oversight; (III) training; (IV) effective reporting channels; (V) enforcement and discipline; (VI) risk assessment/auditing/monitoring; and (VII) responding to detected offenses with corrective action.
The guidance document provides examples (e.g., policies for network adequacy, reimbursement accuracy, marketing payment tracking), governance recommendations (full-time compliance officer with board access, compliance committees), training modules (including fraud/waste/abuse templates), SIU roles, data analytics and auditing expectations, communication channels (hotlines, reporting mechanisms), and corrective-action frameworks.
OIG concludes by reiterating the guidance’s voluntary nature but urges MA Parties to incorporate recommendations into risk-based programs, maintain cross-functional coordination, and monitor CMS/OIG updates.