On May 21, 2025, the Centers for Medicare & Medicaid Services (CMS) announced significant changes in its risk adjustment data validation (RADV) audits. The changes focus on speed, the volume of targeted contracts, and process. CMS accurately labeled its strategy as aggressive. 

Speed

CMS plans to complete all RADV audits for payment year (PY) 2018 – PY 2024 by early 2026. This is a drastic change from CMS’s regular cadence for RADV audits, as audits for 2018 (which are reviews of records for dates of service in 2017) are largely still open and RADVs for many of the PYs included in that window have not been sent out yet. Under CMS’s historic cycle, Medicare Advantage organizations (MAOs) that would have been selected for RADVs for PY 2024 would have been expecting to receive notices of the RADV in perhaps 2028, at the earliest. Instead, MAOs should be expecting to receive notices in the coming days or weeks.

Expediting this process on such short notice will be a significant administrative lift both for CMS and for all MAOs. 

Volume of Targeted Contracts

CMS has typically audited approximately 60 MA contracts per year. Most MAOs believed that if they received a RADV audit one year and performed well, they were unlikely to receive one the following year, or at least they would not receive one for the same Medicare contract. That is changing. CMS intends to “audit all eligible MA contracts for each payment year in all newly initiated audits…” In its announcement, CMS recognizes that this growth will result in audits of approximately 550 Medicare Advantage (MA) contracts per year, a growth of over 900%. CMS also anticipates that rather than auditing an average of 35 member records per contract, it will audit 200 member records per contract.

Process

To meet its aggressive goals, CMS intends to use enhanced technology and expand its work force of medical coders from 40 to about 2,000 by September 1, 2025.

Key Takeaways and Questions

CMS’s announced changes do seem rather aggressive, but the industry will learn much more about the scope and impact of these changes once CMS formerly kicks of the “newly initiated audits.” The regulations that govern RADV audits set general parameters for what CMS can do, but the regulations do not require that CMS conduct a specific type of RADV audit. As a result, some of the newly initiated audits that will be conducted for all eligible MA contracts may be more focused on specific diagnosis codes or Hierarchical Condition Categories (HCCs) rather than the random, broad audits that CMS has been conducting. 

Historically, while CMS invalided some diagnosis codes in medical records, its audits also identified diagnosis codes that were supported by the medical record but that had not submitted by the MAO. In those circumstances, CMS largely gave the MAOs credit for such missed diagnosis codes, which may have offset some of the diagnosis codes that were found to be unsupported. Based on the information in CMS’s press release, it is unclear whether CMS intends to use its “enhanced technology” to only identify potentially unsupported codes, or whether the technology will also identify potentially supported but not billed for diagnosis codes. To the extent CMS opts for the former, MAOs will have to fight harder to ensure that the results of the audits deliver payment accuracy, rather than just reduced payments, especially in light of the fact that the results of these audits will be subject to extrapolation across the MA contract. 

Certified medical coders have already been rather sought after by MAOs, vendors, and the government. We expect opportunities in that industry to continue to grow as CMS expands its team and MAOs seek to support their businesses through the onslaught of audits they should now be expecting.