OIG Issues New Industry Compliance Program Guidance for Medicare Advantage in First Major Update Since 1999

The US Department of Health and Human Services Office of Inspector General (OIG) released its new Industry Compliance Program Guidance (ICPG) on February 3, 2026. The ICPG is a comprehensive voluntary guidance for entities participating in the Medicare Advantage (MA) program that was last updated in 1999. This update is the latest in a series of compliance-related publications by OIG that started with the 2023 update to the General Compliance Program Guidance (GCPG) and will conclude with six individual ICPGs for specific industries, with the Medicare Advantage ICPG being the latest.

Under federal regulations, MA Organizations (MAOs) are required to maintain a compliance program aimed at preventing, detecting, and correcting fraud, waste, and abuse. 42 CFR § 422.503(b)(4)(vi). The ICPG, together with the General Compliance Program Guidance (GCPG) (a general nonbinding guide last updated in 2023) and the Medicare Managed Care Manual are key resources for the MA industry and interested stakeholders (e.g., first tier, downstream, or related entities) seeking to implement an effective compliance program. The ICPG addresses broad considerations relevant across the MA landscape as well as best practices and mitigation for “key risk areas” including access to care, marketing practices, risk adjustment, quality of care, third-party oversight, and accurate claims submission. However, adoption of OIG’s guidance in the ICPG is voluntary and does not create new legal obligations.

KEY COMPLIANCE RISK AREAS

The ICPG addresses several risk areas central to the MA industry, noting that OIG’s discussion of a particular practice or activity “is not intended to imply that the practice or activity is necessarily illegal[.]” Additionally, OIG notes that strategies to address these risk areas may vary depending on the size of the MAO and the type of plan(s) offered.

Access to Care

MAOs must contract with sufficient providers, including specific provider types, to allow most enrollees to access covered services within specific travel time and distance maximums. 42 CFR § 422.116. Importantly, MAOs attest to the accuracy of their provider directory information published by the Centers for Medicare & Medicaid Services (CMS) on the Medicare Plan Finder and should ensure prompt updates are made once they become aware of changes. Out-of-date directories can lead to negative impacts on enrollees, administrative sanctions, and liability for making false statements. In the ICPG, OIG recommends quarterly outreach to providers, independent verification of network adequacy, analysis of claims data to prevent ghost networks, reviewing and tracking enrollee complaints, and use of secret shopper surveys.

MAOs are required to conduct individual medical necessity determinations (e.g., utilization management, prior authorization) to ensure that only medically necessary care is provided. 42 CFR §§ 422.112(a)(6), 422.101. However, concerns surrounding improper denials and delays led CMS to warn in a February 2024 HPMS memo against decisions based solely on artificial intelligence (AI) algorithms that do not account for an individual’s circumstances. In the ICPG, OIG recommends MAOs review trends in claim denials and appeals to ensure that policies do not inappropriately restrict coverage.

Marketing and Enrollment

Many MAOs delegate marketing and enrollment to agents, brokers, field marketing organizations, and other third-party marketing organizations. The ICPG takes notice of OIG’s 2024 Special Fraud Alert, questionable compensation arrangements, and referrals and cautions again abusive practices that could violate the Anti-Kickback Statute, False Claims Act, and CMS regulations.

OIG recommends avoiding agent/broker payments 1) for steering patients to the plan, 2) conditioned on meeting enrollment volume targets, 3) to not recommend or not offer particular plans offered by specific competitors, and 4) tied to the health status of enrollees. In the ICPG, OIG also cautions against agent/broker payments exceeding the permitted regulatory compensation amounts at 42 CFR § 422.2274. However, the District Court for the Northern District of Texas held, in August 2025, that CMS may only regulate how compensation is used and cannot engage in ratemaking, which we previously discussed in our February 6, 2026 Health Law Scan blog post.

OIG made the ICPG more user-friendly by highlighting key information through helpful tips throughout the reference guide that provide critical takeaways—for example:

Risk Adjustment

MAOs are generally paid a fixed capitated amount per member per month, regardless of the number or cost of services paid on behalf of that enrollee. Payments to MAOs are adjusted based on enrollees’ health status, creating opportunities for manipulation and risks of errors. In the ICPG, OIG expresses suspicion of chart reviews, in-home health risk assessments, and prompts to physicians in electronic medical records to increase risk scores. OIG also recommends MAOs scrutinize reporting of particularly high-risk diagnosis codes (i.e., those at greater risk of being miscoded) and implement processes (e.g., oversight, education, monitoring, software system reviews, compliance hotlines) to prevent the submission of unsupported diagnosis codes. Note that in December 2023, OIG published a ToolKit to assist MAOs in identifying and evaluating high-risk diagnosis codes.

Quality of Care

OIG in the ICPG stresses that MAOs must provide high-quality care as measured by CMS’s quality bonus payment program and Star Ratings, which we previously discussed in our November 27, 2024 Health Law Scan blog post. OIG recommends MAOs implement processes to ensure that their networks avoid providers who are excluded by OIG, who have licenses suspended by a state licensing body, or who were the subject of a disciplinary action that would limit the provider’s ability to practice or bill Federal health care programs. In short, compliance programs should monitor the accuracy of quality data submissions and ensure that provider credentialing and eligibility align with regulatory standards.

Oversight of Third Parties

MAOs delegate certain functions to first tier, downstream, and related entities (FDRs) and are required to flow down certain contractual provisions to those parties. 42 CFR § 422.504. CMS regulations require MAOs to audit and monitor these entities, maintain ultimate responsibility, and enforce compliance through due diligence and timely corrective actions. 42 CFR § 422.504(i)(1). In the ICPG, OIG recommends MAOs triage the delegation of high-risk and sensitive tasks and consider a party’s sophistication, prior experience, and ability to assume such responsibilities. OIG also recommends enhancing compliance oversight in agreements by requiring onboarding education, attestations, and/or data reporting.

Vertically Integrated Organizations and Ownership Structures

The ICPG notes that vertical integration and consolidation raise unique compliance challenges, such as ensuring that compliance officers at subsidiary MAOs possess sufficient expertise and access to senior leadership. In the ICPG, OIG takes specific notice of private equity firms that may lack extensive experience in the MA industry and suggests such investors consult the GCPG. OIG also recommends safeguards for accurate medical loss ratio calculations and management of investor-owned entities.

Submission of Accurate Claims

MAOs must certify the accuracy of data submitted to CMS, with false or fraudulent claims exposing organizations to liability under the False Claims Act and other statutes. 42 CFR § 422.504(l). In the ICPG, OIG recommends robust internal controls, regular audits, and prompt corrective action as essential elements of compliance. Note that in March 2025, OIG published a Strategic Plan to align its audits, evaluations, investigations, and enforcement of managed care that emphasized the importance of promoting data accuracy.

“SEVEN ELEMENTS” COMPLIANCE PROGRAM

The ICPG recommends tailoring the traditional seven elements of an effective compliance program to the Medicare Advantage context as follows:

1. Written Policies and Procedures: Policies should be tailored, regularly reviewed, and distributed to all relevant entities, including FDRs. Policies should be adopted for each of the key risk areas described above.
2. Compliance Leadership and Oversight: Appointment of qualified compliance officers with MA experience and expertise and direct access to senior management is essential.
3. Training and Education: Specialized, ongoing training for staff and third parties should be tailored to each party’s role.
4. Effective Lines of Communication: Open, accessible channels (protected from retaliation) for reporting concerns and raising questions should extend from MAOs to providers and FDRs.
5. Risk Assessment, Auditing, and Monitoring: Regular risk assessments and targeted audits should identify and address vulnerabilities and ongoing monitoring of OIG audit and evaluation findings in high-risk areas.
6. Enforcing Standards: Well-publicized disciplinary guidelines and consistent enforcement.
7. Responding to Detected Offenses and Corrective Action: Prompt investigation of issues and implementation of corrective actions.
In the ICPG, OIG recommends that MA parties regularly review and update their compliance programs to reflect changes in laws, regulations, and business practices, emphasizing that “laws and regulations impacting the MA industry are subject to change.”

CONCLUSION

For organizations participating in Medicare Advantage, the ICPG represents an opportunity to benchmark and enhance existing compliance frameworks. While the guidance is nonbinding, it synthesizes current enforcement priorities and practical insights from OIG’s experience, providing a valuable roadmap for managing risk. In sum, based on the ICPG, MA stakeholders should consider tailoring or developing their compliance programs to focus on:

• Proactive Risk Management
• Alignment with Evolving Regulations
• Third-Party Oversight
• Training and Communication
• Board and Leadership Engagement
• Data Integrity

Morgan Lewis has vast experience assisting stakeholders in the MA program with implementing actionable strategies to reduce fraud, waste, and abuse, promote high-quality care, and support ongoing compliance efforts. Morgan Lewis can assist MA stakeholders to leverage OIG’s new guidance to strengthen their compliance programs and prepare for future regulatory developments.