In February 2026, the Department of Health and Human Services, Office of Inspector General (HHS-OIG) issued its highly anticipated Industry Compliance Program Guidance for Medicare Advantage (MA ICPG), the first such compliance guidance for the Medicare Advantage (MA) industry in over 25 years. The MA ICPG is the second industry segment-specific compliance guidance published in a series for different types of providers, suppliers, and other participants in the health care industry. The first was a 2024 nursing facility ICPG.
The guidance comes as MA now covers more than half of all Medicare enrollees. The program’s capitated payment structure generally pays Medicare Advantage Organizations (MAOs) a fixed monthly amount per enrollee. This model creates financial incentives that run throughout the entire MA ecosystem, touching plans, providers, investors and vendors alike, but in a manner different from traditional fee-for-service. While the MA ICPG is voluntary, nonbinding guidance, it carries significant practical weight: Investors, owners and operators of MA-related businesses as well as providers contracting with MA plans should treat the MA ICPG as a signal of HHS-OIG’s current enforcement priorities and a benchmark against which their compliance programs will be measured.
Why the MA ICPG Signals Heightened Risk
Oversight of the MA program remains a top HHS-OIG priority due to its size, complexity, and fraud and abuse risks, and the MA ICPG makes clear that scrutiny of the industry is intensifying. Since HHS-OIG published its prior Compliance Program Guidance for Medicare+Choice Organizations Offering Coordinated Care Plans in 1999, the MA program has grown dramatically: in 2024, 54% of all Medicare enrollees (more than one in two) received their benefits from MA plans, and the government spent an estimated $462 billion on the program.
That growth reflects a fundamental transformation in how Medicare delivers and pays for care, and it is a key reason HHS-OIG elevated oversight of the MA program to a top priority. Unlike traditional fee-for-service Medicare, in which payment follows each discrete service rendered, the MA program pays MAOs a capitated per member per month rate adjusted for each enrollee’s predicted health costs. This payment model creates compliance dynamics distinct from the rest of the healthcare industry: Because payment is fixed and risk-adjusted, there is a structural incentive at every level of the ecosystem, from plans and providers to investors, to maximize reported health acuity while minimizing care expenditures. At the plan level, there is an additional structural incentive to deny enrollees access to services and deny payments to providers as a means of increasing profits. Those incentives have played a role in HHS-OIG’s fraud and abuse worries about the MA program, and they make strong compliance programs essential for anyone operating in or investing in this space.
The MA industry has also grown in complexity due to the breadth of relationships MAOs maintain, including with healthcare providers, management service organizations, individual practice associations, agents and brokers, and other vendors. New companies and contractors are continually entering the market, and recent M&A activity has created novel combinations of different entity types, each presenting new compliance risks that HHS-OIG, the Centers for Medicare & Medicaid Services (CMS), and the Department of Justice (DOJ) are actively monitoring.
Compliance Risk Areas
The MA ICPG identifies key compliance risk areas relevant to the MA program, including: (i) access to care (network adequacy and prior authorization); (ii) marketing and enrollment; (iii) risk adjustment; (iv) quality of care; (v) oversight of third parties; (vi) compliance programs within vertically integrated organizations and ownership structures; and (vii) submission of accurate claims. To address these risk areas, HHS-OIG provides numerous mitigation strategies MA Parties should consider when implementing, evaluating and updating their compliance programs. The recommendations in the ICPG are intended to be complementary to CMS regulations imposed on MAOs. HHS-OIG recommends that MA Parties’ compliance programs follow and go beyond CMS’ MA regulations to establish robust safeguards to address the risks identified in the ICPG as well as other risks relevant to the specific MA Party.
Heightened Enforcement Risk for All MA Parties
All MA Parties, including plans, investors, operators and contracting providers, should heed HHS-OIG’s recommendations in the ICPG and implement proactive measures in the applicable risk areas to reduce enforcement risk. The capitated payment model that underpins MA means compliance failures in this space, whether by a plan, a provider or an investor-owned entity, can carry significant financial and legal consequences. Because the government is paying fixed, risk-adjusted amounts for millions of enrollees, even modest patterns of inaccurate coding or improper care denials can translate into programmatic impacts or False Claims Act exposure.
The MA ICPG is based on HHS-OIG’s current enforcement priorities and findings from audits, evaluations, investigations, enforcement actions and other data analyses (additional information is on HHS-OIG’s Managed Care page). Scrutiny of the MA industry is also a top priority for the DOJ-HHS False Claims Act Working Group. Further, MA fraud remained a leading source of False Claims Act settlements and judgments in fiscal year 2025. Enforcement activity spans plans, providers and investors alike, and no segment of the MA ecosystem is insulated from risk.
Takeaways for Strategic and Private Equity Investors and Owners
The MA ICPG is also a useful tool for potential investors, owners and operators of MA Parties, particularly those involved in vertically integrated organizations. This focus on private equity and vertically integrated structures builds on a key theme HHS-OIG articulated in its General Compliance Program Guidance (GCPG). Its message is that nontraditional healthcare entrants, such as private equity funds, may be unfamiliar with fraud and abuse laws, the financial incentives created by complex investment and ownership structures, and the importance of a robust compliance program — and that the GCPG is a good starting point for addressing those gaps. For investors in MA that are unfamiliar with the fraud and abuse risks and compliance challenges of this industry, the MA ICPG is a similarly useful resource. HHS-OIG points out that ensuring robust training and communication with leadership and staff may help mitigate compliance risks posed by investors new to the MA industry.
Additionally, potential investors should carefully assess the compliance safeguards in place to ensure the accuracy of diagnosis codes MAOs submit to CMS — codes that directly determine the risk-adjusted payments CMS makes to MAOs for each enrollee. During due diligence, potential investors should use the MA ICPG to understand potentially abusive conduct by MAOs, providers and others involved in the risk adjustment process and the risk that conduct presents. Beyond the CMS compliance program requirements MAOs must have in place to monitor risk adjustment data accuracy, potential investors should assess whether MAOs have implemented the additional risk adjustment oversight measures the MA ICPG recommends. For example, HHS-OIG recommends implementing data filtering logic to identify anomalies, outliers or other potentially inaccurate diagnosis codes, as well as analyzing providers’ coding intensity.
HHS-OIG highlights the unique compliance challenges that emerged from the increasingly large and complex partnerships and arrangements among MA providers, health systems, plans, and related entities such as data analytics firms and utilization review entities that are often under common ownership. The compliance infrastructure of an MA-related business line must have appropriate expertise and resources to oversee these functions, as the compliance risks are likely to differ from those of the larger organization. HHS-OIG recommends that the parent organization implement strategies to ensure compliance leaders at the subsidiary MA Party have sufficient expertise, are fully empowered and have access to senior leaders in the parent organization. Even if the MA-related functions represent a small part of a larger organization, organization-wide compliance risk assessments, audits and other compliance planning should account for MA-specific operations and risks. Certain programmatic safeguards may trigger unique risks when MAOs and providers share common ownership. For example, MAOs should take additional compliance steps to categorize and track the data needed to calculate and verify the medical loss ratio and any associated remittance amount.
Takeaways for Providers Contracting with Medicare Advantage Plans
Providers that contract with MA plans are increasingly subject to compliance scrutiny, not only from HHS-OIG and CMS directly, but also through the MAOs with which they contract. Under CMS regulations, MAOs maintain ultimate responsibility for fulfilling their contract obligations even when certain functions are delegated to third parties. CMS can hold an MAO responsible if one of its contracted providers fails to comply with program requirements. As a result, MAOs are under growing pressure to implement more robust oversight of their provider networks. And providers should anticipate that existing contracts will be revisited and new arrangements will carry increasingly demanding compliance terms, including requirements for compliance program attestations, self-audit obligations with reporting to the MAO and enhanced credentialing standards.
Risk adjustment coding is perhaps the highest-risk compliance area for providers contracting with MA plans. Because MAO payments are calibrated to the predicted health costs of each enrollee, the diagnosis codes that providers submit to MAOs directly influence the dollars flowing from CMS into the MA system and, through risk-sharing and other arrangements, back to providers themselves. The MA ICPG catalogs a range of abusive practices in which providers have been implicated; these include submitting diagnoses unsupported by medical records, adding risk-adjusting diagnoses through artificially prompted physician queries (including those generated by AI algorithms) and participating in in-home health risk assessment programs that generate diagnoses not reflected in the enrollee’s actual care. Each of these practices has been the subject of federal investigations and False Claims Act litigation. Providers should be aware that the MA ICPG recommends that MAOs analyze providers’ coding intensity, implement data filtering logic to identify outliers and anomalies, and deploy enhanced monitoring systems when providers receive financial incentives tied to risk adjustment data, such as risk-sharing arrangements or diagnosis capture bonuses. Providers should expect these oversight mechanisms to be exercised with increasing rigor.
Given the unique challenges that increasingly large and complex partnerships pose for investors and owners, providers under common ownership with an MAO face additional compliance concerns, including medical loss ratio requirements that the MA ICPG specifically highlights. HHS-OIG recommends establishing a dedicated compliance or oversight team for provider-side functions, including coding audits, network adequacy reviews and utilization management monitoring, separate from the MAO side.
With the MA ICPG, HHS-OIG has made clear that its core expectation that effective compliance programs prevent fraud, waste and abuse while promoting high-quality, cost-effective care extends well beyond MA plans themselves, reaching investors, private equity owners, vertically integrated organizations and the providers that contract with MA plans.
For investors and operators, key action items include:
- using the MA ICPG to structure pre-acquisition due diligence around risk adjustment data accuracy and coding practices,
- assessing the compliance infrastructure of any target with MA-related functions, and
- ensuring that post-closing integration plans account for MA-specific compliance obligations.
For providers, the MA ICPG signals that the time to act is now. Providers should:
- review their MA plan contracts and first tier, downstream and related entity (FDR) compliance obligations for gaps,
- implement or strengthen internal coding compliance programs, particularly with respect to diagnosis codes submitted for MA enrollees, and
- closely evaluate any financial arrangements with MAOs tied to risk adjustment data or diagnosis capture.
Providers in vertically integrated structures should additionally confirm that their compliance programs have dedicated MA expertise. Given that the MA ICPG is grounded in HHS-OIG’s current enforcement priorities and that MA fraud continues to be a leading source of False Claims Act settlements, proactive compliance investment across all MA participants has moved from best practice to business necessity, with the MA ICPG as a helpful guide.
McGuireWoods’ Healthcare Compliance, Regulatory & Policy attorneys continuously monitor HHS-OIG, CMS and DOJ developments affecting the MA industry.