Healthicity

MA ICPG Part 1: Where Compliance Risk Is Showing Up

April 14, 2026 | Posted by :  Picture of CJ Wolf CJ Wolf

Share:

  

compliance, OIG, Medicare Advantage, compliance risk, Medicare Advantage Organizations, ICPG

We previously wrote about some of the highlights in the HHS OIG’s newest compliance program guidance for the Medicare Advantage segment of healthcare. The guidance is often referred to as the MA ICPG, and our prior posting can be found here.

This article is the first of two more documents where we will take a deeper dive into the seven specific risks OIG outlined in Section II of the MA ICPG. This first writing will examine three of the seven risks and the second article will cover the remaining four. The three covered here include (1) risk adjustment, (2) accuracy of claims, and (3) quality of care.

Risk Adjustment

It should come as no surprise that the OIG has included risk adjustment as one of the risks they chose to highlight in the ICPG. For the last few years, OIG has sounded the alarm over and over again about concerns with some Medicare Advantage Organizations (MAOs) that inappropriately report certain diagnostic medical codes to drive higher reimbursement from CMS. A review on the OIG’s website demonstrates a significant number of audit reports with findings of inappropriate reimbursement from improper risk adjustment scores.

“Risk adjustment” is the measure upon which CMS relies to make appropriate and accurate payments to MAOs to arrange for care for Medicare enrollees with expected differences in health care costs. CMS typically pays MAOs a capitated, per member per month (PMPM) rate for each person who enrolls in an MA plan. These capitated payments are based, in part, on enrollees’ health status from the prior year. For each person enrolled, CMS calculates a risk score derived, in part, from diagnoses the MA plans submit to CMS. Sicker patients generally receive higher risk scores, and higher risk scores result in higher PMPM payments to the MA plans. This risk adjustment process is designed to align PMPM payments with the MA plans’ expected costs and to help ensure that MA plans do not have an incentive to target healthy enrollees or avoid sicker enrollees. However, OIG believes the risk adjustment process is vulnerable to fraud and abuse, and they think strong compliance measures may help prevent fraud and abuse from happening.

The OIG audit reports previously referenced have focused on the diagnosis codes that MAOs submit to CMS in support of enrollees’ risk adjustment scores. For example, OIG has examined MAOs reporting diagnoses based solely on chart reviews or health risk assessments (HRAs) and providing no other records in the encounter data that enrollees received services for the diagnoses.

OIG concluded that the MA Parties may be inappropriately using chart reviews and in-home HRAs to maximize risk adjustment payments. In many of the audits, the OIG has examined specific diagnosis codes which are at a high risk for being miscoded. OIG writes they have seen indications that MAOs are submitting diagnosis codes for payment that are not verifiable.

The MA ICPG lists the following behaviors as questionable and could be leading to the fraud and abuse:

  • Using chart reviews to identify additional diagnoses that increased risk scores inappropriately.

  • Failing to remove diagnosis codes previously submitted to CMS when chart reviews provide information that those codes were unsupported or otherwise invalid.

  • Conducting in-home HRAs to generate additional diagnoses that were not considered in the care, treatment, or management of the enrollees or that were otherwise unsupported.

  • Querying physicians via electronic medical record platforms (including prompts generated by artificial intelligence algorithms) or otherwise prompting physicians to add risk-adjusting diagnoses that patients did not have or that did not affect the care, treatment, or management of the patient.

  • Providers submitting diagnoses that were not supported by the enrollees’ medical records to inflate the payments MAOs made to the providers under risk-sharing or other arrangements.

MAOs’ are required to have compliance programs that should:

  • Have procedures to monitor and evaluate the accuracy of the risk adjustment data they submit to CMS.

  • Ensure diagnosis codes submitted are documented in the medical record as the result of a face-to-face visit and coded according to authoritative coding sources such as the ICD-10 guidelines and the AHA Coding Clinic newsletters.

  • Ensure that diagnoses are from acceptable data sources (e.g., hospital inpatient facilities and physicians.

  • Promptly respond to any detected problems, including any related to risk adjustment data, and

  • Certify that the risk adjustment data they submit to CMS are accurate, complete, and truthful to their best information, knowledge, and belief after having taken steps to help ensure the accuracy, completeness, and truthfulness of such data.

Submission of Accurate Claims

A similar risk discussed in the MA ICPG is the submission of accurate claims. The discussion of this risk predominantly repeats much of the information described in the risk adjustment section.

However, the OIG’s discussion on this risk connects the inappropriate coding to the False Claims Act. They point out that one of the conditions of receiving payment is the submission of certifications by MAOs that the data they submitted to CMS are accurate.

The False Claims Act is the primary tool used by enforcement agencies to bring legal action against organizations alleged to have knowingly committed fraud or abuse. Rather than repeating a detailed explanation of the False Claims Act, OIG refers readers of this ICPG to their GCPG (General Compliance Program Guidance) which provides a detailed overview of the False Claims Act.

Organizations and individuals involved in Medicare Advantage, or MA Parties, could have exposure under the False Claims Act in the following ways:

  • Participating, either as an MAO, provider, or vendor, in a scheme to submit false and fraudulent information (e.g., diagnoses for ailments that patients did not actually have) to CMS to increase the amount of reimbursement received from the Medicare program.

  • Knowingly submitting and failing to withdraw inaccurate and untruthful diagnosis codes for MA enrollees to increase reimbursements from Medicare.

  • Submitting unsupported diagnosis codes for certain patient encounters, such as visits to an individual’s home for completion of health risk assessment forms.

Quality of Care

CMS expects, and most MA Parties want to provide, quality care. One way in which CMS has emphasized the importance of quality of care is by their development of the quality bonus payment program, efforts to ensure enrollee access to care, and oversight of providers.

It is expected that MA Parties’ compliance programs prioritize quality-of-care oversight. Reimbursement under the MA program is tied to quality of care through the quality bonus payments (“QBPs”) which CMS makes to MAOs when they achieve at least 4 stars in a 5-star quality rating system.

The accuracy of the quality rating system relies on the data of health outcomes that MAOs need to provide CMS. Because this data affects their rating, and their rating could lead to bonus payments, MA organizations must ensure their submitted data is unbiased, accurate, and complete.

Those potential enrollees who are looking for an MA plan use information about quality assessments (including “Star Ratings”) to compare plans and make the best decisions for themselves. Because of this, MA Parties’ compliance programs should ensure accurate information about Star Ratings, benefits, and costs is being shared. The ICPG states that ensuring the integrity of the data used for Star Ratings’ quality and performance measures is a key component for MA Parties’ quality-of-care compliance oversight.

To make sure the quality of care data is accurate, compliance programs need to make sure procedures exist that result in regular reviews of the integrity of the data (e.g., complaints and systems used for quality assessment).

CMS has rules that MAOs ensure, among other things, the adequacy of their provider network and utilization review tools. To ensure that MA Plans’ enrollees receive high-quality care, they need to make certain that:

(1) Their provider networks are adequate (we will discuss this more in the forthcoming second article on risks)

(2) They collect, evaluate, and send to CMS accurate quality data

(3) Individuals receive care that is appropriate for their reported medical conditions.

Conclusion

This article is the first of two which collectively take a deeper dive into the seven risks we touched upon in our general summary of the MA ICPG. The three risks included in this article were risk adjustment, submission of accurate claims and quality of care.

Keep an eye out for our second article, in which we will cover the other four of seven risks, which include: (1) Access to Care, Utilization Management Tools, Including Prior Authorization, (2) Marketing and Enrollment, (3) Oversight of Third Parties and (4) Compliance Programs Within Vertically Integrated Organizations and Other Ownership Structures

Additional ICPG Resources:

On-Demand Webinar: Understanding the OIG’s ICPG for Medicare Advantage

Your Guide to the OIG's Nursing Facility ICPG: Part 2

 

To download this blog post as a pdf, fill out the form below.

Questions or Comments?