Key Takeaways

OIG’s new Medicare Advantage Industry Segment-Specific Compliance Program Guidance (MA ICPG) highlights major compliance risk areas and provides practical guidance for MA plans and other parties.

Many provisions of this new guidance will impact health care providers participating in the MA program.

As MA plans implement this guidance, providers may encounter new obligations from MA plans.

This month, OIG released its long-awaited Medicare Advantage Industry Segment-Specific Compliance Program Guidance. In the 25 years since OIG last issued compliance program guidance in this area, the MA program has changed dramatically—in size, scope and complexity. And as the program has grown, so too has government scrutiny of many aspects of the MA program through audits, investigations, False Claims Act litigation and a growing body of regulatory obligations. The MA ICPG highlights familiar risk areas for MA plans and for the “constellation” of other entities surrounding the program, including health care professionals, marketers, vendors and other entities. Although the legal obligations and risk areas described in the ICPG might not seem new—and the guidance emphasizes that it is voluntary and nonbinding—the document provides an abundance of practical recommendations for MA plans and other entities to improve their compliance programs and mitigate fraud and abuse risk.

While MA plans remain the primary focus, providers serving MA beneficiaries are now squarely in the compliance spotlight. The guidance highlights specific risks relevant to providers, offers concrete recommendations for adhering to existing regulations and promotes best practices to strengthen compliance efforts. This alert highlights provisions of the ICPG of particular interest to health care providers.

Oversight of Third Parties, Including Providers and Their Downstream Vendors

The MA ICPG emphasizes the critical responsibility of MA plans to oversee their First Tier, Downstream and Related Entities (FDRs), as required by CMS regulations. Per those regulations, MA plans must monitor, audit and retain ultimate accountability for the actions of FDRs—including providers and certain downstream subcontractors.

OIG urges MA plans to adopt proactive and robust oversight measures of third parties, including providers. In a discussion specific to oversight of providers, the ICPG recommends dedicated oversight or compliance teams for providers, which could include oversight of network adequacy, quality data and analytics, coding audits and utilization management case logs. OIG also encourages MA plans to consider conducting internal investigations, making referrals to law enforcement and collaborating with government officials “to ensure providers are held accountable for MA-related fraud.”

Providers and other third parties should anticipate heightened scrutiny of their subcontractor relationships, particularly those involving entities less familiar with CMS or MA plan requirements (e.g., IT vendors or offshore arrangements). OIG also notes that MA plans themselves may play a role in developing compliance programs for their FDRs, including by providing training or other compliance resources.

Risk Adjustment and Data Accuracy

MA plan payments depend heavily on diagnosis data submitted by plans, with the underlying medical documentation originating from provider records. The MA ICPG reiterates OIG's longstanding concerns regarding potentially fraudulent provider practices, such as:

Submission of unsupported diagnosis codes;

Upcoding or overstating condition severity;

Incomplete or inadequate documentation;

Use of automated electronic medical record (EMR) prompts that encourage physicians to add diagnoses unrelated to patient care.

To address these issues, OIG recommends that MA plans implement rigorous data accuracy procedures, including algorithmic and artificial intelligence-driven analyses of provider-submitted data. These measures will likely result in increased MA plan requests for provider records and more frequent audits. Providers that proactively establish diagnosis validation processes, data accuracy controls and documentation integrity programs will be better positioned to respond effectively to such inquiries.

Network Adequacy and Provider Directory Accuracy

In a development potentially beneficial to providers, the MA ICPG cautions MA plans regarding potential administrative sanctions for failing to maintain adequate provider networks or accurate provider directories. Enhanced compliance in this area could create opportunities for providers to join or remain in MA plan networks. More accurate directories may also reduce reliance on out-of-network providers, improving beneficiary access and experience.

Nevertheless, risks persist for providers. CMS has long prioritized accurate provider directories, and some MA plans responded by imposing stricter notification requirements for roster updates. Noncompliance in some cases leads to payment reductions or outright denials. Providers should reassess their MA participation strategies and relationships with specific plans while remaining vigilant for new, more stringent contract provisions related to directory accuracy and updates.

Marketing

As an area of significant recent enforcement interest, the ICPG provides examples of marketing and enrollment activity that may present compliance risk. Although much of this guidance is directed at MA plans themselves and the agents, brokers and TPMOs that conduct marketing activities, OIG does caution against payments by MA plans to providers in exchange for steering patients to a particular plan. In addition, the guidance cites OIG’s 2024 Special Fraud Alert on MA marketing, which included a particular focus on MA-related marketing conduct involving providers.

Next Steps for Providers

The MA ICPG highlights persistent risk areas and provides practical compliance guidance relevant to the wide range of entities that touch the MA program, including health care providers. Although MA plans may face the greatest responsibility for compliance, OIG clearly views the full range of these contractors and related entities as important compliance stakeholders. And in light of this guidance, MA plans likely will accelerate efforts to share the responsibility for compliance, all the way down to the point of care.

Providers should expect more frequent interactions with MA plans, including heightened monitoring, audits and compliance demands. By proactively strengthening internal controls, documentation practices and subcontractor oversight now, providers can mitigate risks and position themselves favorably in the heavily regulated MA environment.