March 23, 2026·8 min read

OIG MA Compliance Guidance 2026: What Coders Must Know

Compliance, Risk Adjustment, Medicare Advantage, HCC Coding

By Daniel Plasencia — Certified Risk Coder (CRC), Certified Professional Coder (CPC)

A Compliance Wake-Up Call for Every Risk Adjustment Coder

On February 3, 2026, the United States Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its new Industry Compliance Program Guidance (ICPG) for the Medicare Advantage (MA) program. This is the first major update since 1999 -- a 27-year gap -- and it sends a clear signal to every organization and coder involved in Hierarchical Condition Category (HCC) coding: the era of loose risk adjustment practices is over. You can see how the OIG is lining up its enforcement priorities in the agency's own work plan project on CMS-HCC V24 vs. V28 model trends, which feeds directly into the ICPG's risk-adjustment section.

Coming on the heels of the Kaiser Permanente $556 million False Claims Act settlement in January 2026 and an Aetna settlement in March 2026, this guidance is not theoretical. It reflects real enforcement patterns, real investigations, and real penalties. Whether you work for a Medicare Advantage Organization (MAO), a coding vendor, or a provider group submitting diagnosis data, this guidance directly affects how you do your job.

What the OIG Guidance Covers

The ICPG is a voluntary but heavily influential compliance framework organized around seven key risk areas:

1. Access to Care -- ensuring enrollees can reach providers within network adequacy standards

2. Marketing and Enrollment -- honest communication about plan benefits

3. Risk Adjustment -- the section that matters most to HCC coders

4. Quality of Care -- clinical outcomes and care coordination

5. Oversight of Third Parties -- vendor management for coding, chart review, and Health Risk Assessment (HRA) companies

6. Vertically Integrated Organizations -- conflicts of interest when plans own provider networks

7. Accurate Claims Submission -- ensuring every code on every claim is supported

For coders, sections three, five, and seven are where the action is. The OIG has essentially drawn a map of the practices it considers high-risk, and many of them touch day-to-day coding workflows.

Risk Adjustment Practices the OIG Flagged

The guidance identifies specific practices that federal investigations have linked to fraudulent or abusive conduct. Here are the ones every HCC coder should internalize:

Relying solely on chart reviews to add diagnoses that increase risk scores. The OIG explicitly calls out the practice of mining historical records to identify diagnoses that were never addressed during a face-to-face encounter, then submitting those codes to the Centers for Medicare and Medicaid Services (CMS). If a condition was not monitored, evaluated, assessed, or treated (the MEAT criteria -- see AAPC's MEAT documentation primer for the practical rubric) during the encounter, the diagnosis does not belong on the claim -- period.

Conducting in-home Health Risk Assessments primarily to generate diagnosis codes. HRAs serve a legitimate purpose in care coordination and identifying unmet health needs. But the OIG has flagged scenarios where HRA vendors are deployed specifically to capture diagnosis codes that drive up Risk Adjustment Factor (RAF) scores without those diagnoses being incorporated into the patient's ongoing care or treatment plan.

Failing to delete unsupported diagnosis codes. When a chart review reveals that a previously submitted diagnosis code lacks clinical support, the organization has an obligation to remove that code from the data submitted to CMS. The OIG found patterns where organizations identified unsupported codes but did not follow through with deletions.

Using artificial intelligence-generated prompts to encourage unsupported coding. This is a new addition that reflects the growing use of technology in coding workflows. The OIG is watching how organizations deploy AI-assisted coding tools and whether those tools push coders toward adding diagnoses that are not fully supported by the clinical documentation.

The Kaiser Settlement: A $556 Million Warning

The timing of this guidance is no coincidence. On January 14, 2026, Kaiser Permanente affiliates agreed to pay $556 million to resolve False Claims Act allegations -- the largest MA risk adjustment fraud settlement in history. The Department of Justice (DOJ) alleged that from 2009 to 2018, Kaiser pressured physicians to add diagnoses after patient visits through addenda to medical records, sometimes months or even over a year after the encounter.

Kaiser developed internal systems to mine patient histories for diagnoses that had not been submitted to CMS, then sent queries to providers urging them to add these codes retroactively. The case was brought by a physician whistleblower who had served as a medical director responsible for coding governance.

This settlement dwarfs prior MA risk adjustment recoveries, including Cigna at $172 million in 2023 and Independent Health at $100 million in 2024. It establishes a clear precedent: retrospective diagnosis mining without clinical support during the encounter is a liability, not a revenue strategy. Policy advisors have been calling for exactly this direction for years -- MedPAC's February 2026 CY2027 Advance Notice comment letter again urged CMS to tighten risk-score validation specifically around chart-review-driven captures.

What This Means for Your Daily Coding Work

If you are an HCC coder, a coding manager, or a risk adjustment specialist, here are the practical takeaways:

Document MEAT for every HCC-relevant diagnosis. Every condition you code must show evidence that the provider monitored, evaluated, assessed, or treated it during the encounter. A mention in the past medical history or problem list is not sufficient. The documentation must demonstrate active clinical engagement with the condition on the date of service.

Question retrospective addenda. If your workflow involves processing provider queries or addenda that add diagnoses weeks or months after an encounter, treat those with heightened scrutiny. Ask whether the condition was actually addressed during the visit. If the addendum is simply adding a code that was "missed" without any clinical narrative to support it, that is exactly the pattern the OIG is targeting.

Audit your HRA-sourced diagnoses. If your organization uses in-home HRAs, verify that diagnoses captured during those assessments are being incorporated into the patient's care plan and addressed by treating providers. A standalone HRA diagnosis that never appears in subsequent office visit documentation is a red flag.

Understand your AI tools. If your organization uses AI-assisted coding software that suggests diagnosis codes, make sure you understand how those suggestions are generated. Blindly accepting AI-generated code recommendations without verifying clinical documentation support puts both you and your organization at risk.

Delete what is not supported. If an internal audit or chart review reveals that a submitted diagnosis lacks documentation support, ensure your organization has a process to delete that code from CMS submissions. Knowing a code is unsupported and leaving it in place is not a gray area -- it is the exact behavior the OIG highlighted.

The V28 Connection

These compliance expectations align directly with the full implementation of the CMS-HCC V28 risk adjustment model in 2026. The V28 model removed approximately 2,000 International Classification of Diseases, 10th Revision, Clinical Modification (ICD-10-CM) diagnosis codes from HCC mapping and increased the number of HCC categories from 86 to 115, demanding greater clinical specificity -- all documented in the CMS 2026 risk-adjustment model software and ICD-10 mappings release. Codes that once mapped to an HCC under V24 may no longer carry risk adjustment weight under V28, and coders should verify every questionable code against the CMS ICD-10-CM code set directly.

This convergence of stricter compliance guidance and a more specific risk model means that the path forward for HCC coders is clear: code what is documented, document what is treated, and do not chase codes that lack clinical substance.

Protecting Yourself and Your Organization

The OIG's guidance is voluntary, but the enforcement actions behind it are not. Organizations that align their coding practices with this ICPG will be better positioned in Risk Adjustment Data Validation (RADV) audits, DOJ investigations, and whistleblower lawsuits. Coders who understand these expectations protect not only their employers but also their own professional standing.

Review your current workflows against the risk areas identified in the guidance. If your organization has not yet conducted a gap analysis, now is the time to raise the issue with compliance leadership.

Stay Audit-Ready with the Right Tools

Keeping your coding accurate and compliant starts with having reliable reference tools at your fingertips. The HCC Buddy encoder lets you quickly verify ICD-10-CM to HCC mappings under the V28 model, while the CRC reference helps you confirm condition category hierarchies. For checking provider credentials during chart reviews, the NPI lookup tool provides instant access to the National Plan and Provider Enumeration System registry data.

Staying ahead of compliance changes is easier when you are not guessing. If you are not already using HCC Buddy's free coding tools, create an account and build compliance confidence into your daily workflow.

Daniel Plasencia

Founder & Developer

Daniel Plasencia — Risk adjustment coding professional and software engineer who built the tool he wished existed, at a price coders can actually afford.
