The OIG Guidance That Should Trigger a Contract Review
On February 3, 2026, the OIG published its first Medicare Advantage Industry-wide Compliance Program Guidance update since 1999. The document identifies seven key risk areas, with risk adjustment prominently featured. It flags chart reviews, in-home health risk assessments, and EHR prompts as suspect activities for inflating risk scores. It explicitly warns that failing to remove unsupported codes is a compliance failure, not just an operational gap.
For health plans that outsource any portion of their risk adjustment coding, this guidance should trigger an immediate review of every active vendor contract. The OIG didn’t publish suggestions. It published enforcement priorities. And the practices it flagged (add-only chart reviews, diagnoses disconnected from patient care, and inadequate validation processes) are the exact services many vendors have been selling for years.
Plans are responsible for what gets submitted to CMS regardless of who did the coding. If a vendor’s methodology falls within the OIG’s identified risk areas, the plan carries the exposure.
Four Contract Provisions to Add or Strengthen
First, require two-way methodology in the statement of work. The vendor must identify both codes to add and codes to remove. The deliverable should include deletion recommendations with the same evidence documentation as addition recommendations. If the vendor can’t or won’t operate in both directions, the contract embeds the exact add-only risk the OIG flagged.
Second, mandate evidence trail deliverables. Every coding recommendation must include the specific clinical language supporting it, the MEAT criteria satisfied, and the AI reasoning behind the recommendation. A spreadsheet listing codes and HCCs without evidence documentation isn’t a deliverable. It’s a liability.
Third, include AI governance provisions. If the vendor uses AI-assisted coding, the contract should require the AI to be explainable, with reasoning visible to the plan’s compliance team. The plan needs the ability to audit the vendor’s AI decision-making process. Opaque AI producing unexaminable recommendations exposes the plan to ungoverned automation risk.
Fourth, add audit readiness requirements. The vendor’s output should align with CMS RADV submission specifications. The plan shouldn’t need to rework vendor deliverables for audit defense. Include provisions for mock audit participation and defensibility scoring as standard contract elements.
The Accountability Structure That Matters
Contracts define obligations. Accountability structures determine whether those obligations produce results. Plans should establish regular quality audits of vendor output, not just volume tracking. Pull a sample of vendor-recommended codes each quarter and evaluate them against MEAT criteria independently. Track the false positive rate (codes recommended without adequate evidence) and the false negative rate (legitimate codes the vendor missed).
Measure deletion rates alongside addition rates. A vendor that consistently produces zero or near-zero deletions across large chart review volumes is either operating an add-only methodology or is not looking for unsupported codes with adequate rigor. Either scenario creates the asymmetric coding pattern that CMS monitors at the population level.
Track vendor output through audit cycles. When RADV audit results come back, which vendor-produced codes held up and which didn’t? That data, accumulated over time, tells you more about vendor quality than any RFP response or reference check.
The New Vendor Standard
The OIG guidance drew a clear line. Plans selecting risk adjustment services after February 2026 should treat that guidance as the minimum standard for vendor evaluation. Two-way methodology, evidence-based deliverables, explainable AI, and audit-ready output are now compliance requirements, not competitive differentiators. Vendors that meet this standard are aligned with regulatory expectations. Vendors that don’t are operating in the risk zone the OIG specifically identified, and the plans that hire them share that risk fully.
