Effective Compliance in Medicare Advantage: Key Takeaways from OIG’s Compliance Program Guidance

The Big Picture

On February 4, 2026, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued updated Medicare Advantage (MA) (ICPG) for the first time since 1999, building on the OIG’s November 2023 (GCPG) (See the November 15, 2023 ). The MA ICPG is a non-binding, voluntary set of compliance recommendations for entities and individuals participating in, or contracted with, the MA program (MA Parties) that reflect current enforcement priorities, relevant stakeholder input, and the OIG’s experience with the MA program.

Recent MA growth has led to increased , with regulators particularly wary of . The MA ICPG was published just over a week after the Centers for Medicare & Medicaid Services (CMS) released its of proposed MA capitation rates and risk adjustment model changes for 2027, which, if finalized, would result in virtually no payment increase for the MA program for 2027. (The final 2027 rate announcement will be published no later than April 6, 2026.)

While the MA ICPG does not impose any new requirements, it provides practical compliance recommendations that MA Parties should consider as they seek to minimize risks under the MA program.

Focus of Medicare Advantage ICPG

The MA ICPG is a tool for the broader array of MA Parties, including MAOs’ First Tier, Downstream, and Related entities (FDRs), to use generally in both ensuring compliance with MA program requirements and implementing best practices for an efficient and high-quality program. The OIG is particularly attuned to addressing compliance risks associated with the following areas: 

• Network adequacy: MAOs must ensure their provider network and directories are accurate and up to date, comply with time and distance standards, and do not include providers who are either excluded from Federal health care programs (FHCPs) or are not providing enrollees with services as represented.
• Utilization management: MAOs must make utilization management (UM) determinations based on individual circumstances and not solely on algorithms or software that do not account for an individual’s circumstances.
• Marketing and enrollment: MAOs must conduct careful oversight of both marketing materials and third-party marketing organizations (TPMOs) (e.g., agents, brokers, field marketers, and others) to whom marketing functions are delegated. MA Parties must avoid compensation arrangements with , such as when compensation is tied to enrollment volume or enrollees’ health status. 
• Risk adjustment: The OIG stresses that diagnosis codes must be based on face-to-face visits, and MAOs should actively work to detect data anomalies and use of high-risk codes prior to and following submission to CMS. The OIG alerts MA Parties that addressing compliance issues such as maximizing risk adjustment payments by adding unverifiable diagnoses based solely on chart reviews or health risk assessments (HRAs), failing to remove unsupported codes, and improperly incentivizing providers to add unsupported codes is a top priority.
• Quality of care: MA Parties’ compliance programs should prioritize submitting unbiased, accurate, and complete data to enable quality-of-care and health outcomes assessments.
• Oversight of third parties: MAOs that delegate administrative or health care service functions to FDRs remain ultimately responsible and liable for their FDRs’ compliance with MA program rules, while FDRs must also comply with CMS regulations and may themselves be liable for their conduct. MAOs should perform ongoing oversight and monitoring of third parties, calibrated to the risks posed by the function or functions to be delegated, ensuring that FDRs do the same for their own contracted third parties.
• Compliance programs of vertically integrated organizations and other ownership structures: Integrated enterprises should ensure that MAOs or other MA Parties are empowered to conduct MA-specific compliance activities, either independently or as part of organization-wide activities. Certain ownership structures, such as private equity, may benefit from more robust training and education to ensure investors understand health care- and MA industry-specific limitations and rules.

Mapping to Seven Elements of Effective Compliance Programs in the GCPG

The GCPG identifies seven key elements of effective compliance programs; the MA ICPG provides certain recommendations for each element to address the risk areas identified above. These recommendations are summarized in the graphic below:

Next Steps

MAO, their boards, potential investors, and FDRs should read the ICPG and evaluate existing infrastructure against the recommendations, implementing practices absent within the organization. MA Parties should also be familiar with other OIG and CMS guidance and policies, such as those contained in the 2023 . Even though this ICPG may not contain recommendations relevant to all compliance threats, MA Parties should make every effort to preemptively identify and address emerging compliance challenges.