OIG's Managed Care Compliance Roadmap: Key Risk Areas For Medicare Advantage

The U.S. Department of Health and Human Services Office of Inspector General (OIG) released long-awaited compliance program guidance for parties involved in the Medicare Advantage (MA) industry. The Medicare Advantage Industry Segment-Specific Compliance Program Guidance (ICPG) significantly updates and expands OIG's nearly three-decade-old guidance and provides the most detailed articulation to date of OIG's enforcement priorities for MA organizations (MAOs), providers, vendors, and first-tier, downstream, and related entities (FDRs).

OIG issued the new ICPG in conjunction with its November 2023 General Compliance Program Guidance, which previewed OIG's intention to publish industry-specific compliance guidance on a rolling basis. MA is the second industry area to receive this focused treatment, following OIG's release of specific guidance to nursing facilities in November 2024. OIG intends to publish guidance specific to Hospital, Clinical Laboratory, Pharmaceutical Manufacturer, and Hospice industries, but release dates for that guidance are unknown.

While expressly nonbinding, the ICPG provides a detailed roadmap of OIG's enforcement priorities and compliance expectations. Below, we summarize the key risk areas and practical compliance recommendations for MA stakeholders.

1. Access To Care: Network Adequacy and Prior Authorization

OIG places "Access to Care" at the top of its list of key risk areas, emphasizing MAOs' obligations to ensure (1) network adequacy and accurate provider directories and (2) appropriate application of utilization management tools, including prior authorization.

Network Adequacy and Directory Accuracy

MAOs must maintain networks sufficient to ensure enrollee access and to comply with Centers for Medicare & Medicaid Services' (CMS) travel time-and-distance standards. OIG highlights the risk of out-of-date directories or "ghost networks" — directories that overstate provider availability. The compliance risk is twofold: beneficiary harm and potential False Claims Act (FCA) exposure where representations to CMS regarding network or directory accuracy are false or misleading. OIG recommends proactive monitoring, regular provider outreach, claims-based validation, and prompt removal of inactive providers.

Prior Authorization and Utilization Management

For years, OIG has highlighted serious concerns about improper denials or delays in care resulting from prior authorization programs. OIG expressly flags emerging risks associated with artificial intelligence and algorithm-driven tools that do not account for individualized clinical circumstances. MAOs should ensure that automated tools supplement — rather than replace — individualized medical judgment. OIG recommends robust monitoring of denial rates, appeal overturn rates, and sampling of denied claims to assess appropriateness. MAOs should also carefully review algorithm-based tools to confirm decisions on claims and prior authorization focus on patients' individualized circumstances.

2. Marketing and Enrollment: Financial Incentives and Deceptive Practices

Second, OIG devotes significant attention to marketing and enrollment risks, particularly given MAOs' common delegation to agents, brokers, and third-party marketing organizations and its 2024 Special Fraud Alert warning of MA marketing schemes.

Improper Financial Incentives

The guidance underscores that compensation arrangements must not create incentives to steer beneficiaries into plans that are not in their best interests, as such arrangements may trigger FCA exposure. Examples of problematic arrangements include payments contingent on volume targets or enrollee health status, remuneration to enrollees, and incentive payments for steering an enrollee to the plan (as alleged in the 2025 complaint against Aetna, Anthem, and Humana discussed in our June 2025 Blog). OIG recommends compliance-focused training for agents and brokers, as well as formalized tracking systems for fair market value determinations, compensation arrangements, and periodic payment audits.

Deceptive Marketing

MAOs must also ensure their marketing efforts are accurate and not misleading to enrollees. To address this risk, OIG recommends clear messaging when certain benefits may not be available to all enrollees, centralized review of marketing materials, monitoring of third-party marketing, and investigation of complaints and enrollment outliers.

3. Risk Adjustment: OIG's Continuing Enforcement Focus

Risk adjustment remains one of the most significant enforcement risk areas in the MA program. Risk adjustment is one of the most detailed sections of the guidance and remains a core enforcement priority for OIG and the U.S. Department of Justice, as confirmed by their combined FCA Working Group announced last June. OIG highlights its past reports that examined diagnoses derived solely from chart reviews or health risk assessments (HRAs) and that analyzed specific diagnosis codes at high risk of being miscoded. The ICPG further lists examples of potentially abusive risk adjustment practices, such as inappropriate use of chart reviews to increase risk scores (as alleged against MA plan Independent Health and its coding vendor DxID LLC discussed in our January 2025 Blog); failure to delete unsupported diagnoses; and AI-generated prompts encouraging unsupported coding.

CMS requires MAOs to monitor the accuracy of risk adjustment data and certify its completeness and truthfulness. With risk adjustment firmly in the government's crosshairs, enhanced oversight should be a compliance priority for MAOs and their vendors. OIG recommends additional steps, including pairing diagnosis "adding" activities (such as chart reviews or HRAs) with audits to ensure data accuracy; applying data filtering logic to detect anomalies; benchmarking risk scores and hierarchical condition category prevalence rates to identify outliers over time; and systematic monitoring of FDR's compliance with risk adjustment data submission.

4. Quality of Care and Star Ratings Integrity

Fourth, OIG emphasizes that quality bonus payments and Star Ratings are not just operational requirements but also compliance priorities. As a key component of the MA program, MAOs must ensure data submitted to CMS for Star Ratings is accurate and complete. OIG also reiterates the importance of credentialing providers and its prohibition on payment to individuals on CMS' Preclusion List.

5. Oversight of Third Parties and FDRs

MAOs retain ultimate responsibility for compliance with CMS requirements, even when operational functions are delegated. OIG recommends conducting pre-delegation risk evaluations of potential partners; implementing compliance-focused contract provisions and required attestations; and performing ongoing auditing, monitoring, and corrective action as needed, calibrated to the risk.

6. Vertically Integrated Organizations and Private Equity Ownership

Sixth, OIG acknowledges increasing vertical integration and common ownership between MAOs and providers. OIG cautions that parent organizations must ensure MA-specific compliance expertise and adequate oversight infrastructure. It also flags risks associated with private equity funds — a consistent target of government scrutiny, especially in the healthcare space.

7. FCA and Accurate Claims Submission

Finally, as discussed throughout, OIG closes by emphasizing MAO obligations to certify accurate data to CMS, and highlights FCA exposure tied to the various risk areas above.

Conclusion

The ICPG is a clear articulation of OIG's enforcement priorities and expected MA-specific compliance practices for MA parties. The ICPG reflects OIG's stated goal of aligning its audits, investigations, and enforcement of managed care. Entities that treat this guidance as a strategic compliance roadmap — rather than merely advisory commentary — will be better positioned to mitigate FCA exposure, withstand regulatory scrutiny, and navigate an increasingly enforcement-driven MA environment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.