
AI is quietly solving one of healthcare’s most expensive compliance problems. Medicare Advantage organizations managing Risk Adjustment Data Validation (RADV) audit risk are increasingly replacing manual review workflows with AI-powered risk adjustment platforms, automated documentation validation, and anomaly detection systems that surface coding inconsistencies before they reach CMS.
The compliance pressure driving this shift is real: enforcement settlements have reached nine figures, CMS has intensified audit activity, and the OIG issued its first Medicare Advantage-specific compliance guidance in over two decades in February 2026. The technology response is what this article is about.
For health plans, payers, and the technology teams supporting them, understanding what RADV audits test and where technology fits in the compliance response is the practical starting point.
What RADV Audits Actually Test
Medicare Advantage operates on a risk-adjusted payment model. CMS pays Medicare Advantage Organizations a fixed monthly amount per enrollee, adjusted upward for enrollees with more complex health conditions.
To receive those higher risk-adjusted payments, MAOs submit diagnosis codes to CMS that must be supported by face-to-face clinical encounters documented in medical records.
RADV audits are the mechanism CMS uses to validate that the diagnosis codes driving those risk-adjusted payments are actually supported by the underlying medical record documentation.
Auditors select a sample of beneficiaries, request the corresponding medical records, and determine whether the submitted codes are adequately supported. Where codes cannot be validated, CMS identifies overpayments.
The underlying compliance question is not simply whether a diagnosis code is clinically plausible. It is whether that code was documented at a qualifying face-to-face encounter, reflected in an acceptable medical record, and whether the record actually supports the specific code submitted.
This is precisely where technology creates its highest value in the compliance workflow. The gap between what a patient experienced and what a medical record adequately captures is a data quality problem, and data quality problems are where AI-assisted validation tools perform best.
The Stakes Changed When CMS Finalized Extrapolation
For years, MAOs faced RADV audit findings limited to the actual sample audited. If CMS reviewed 200 beneficiary records and found unsupported codes in 40 of them, the overpayment obligation was limited to the overpayment identified in those 40 records.
The 2023 final rule changed that equation significantly. The 2023 RADV Final Rule established authority to extrapolate audit findings across an MAO’s entire membership for payment years 2018 and forward. This means an error rate identified in a sampled set of records can become the basis for calculating a population-wide overpayment.
That extrapolation authority is currently under legal challenge following a September 2025 federal court ruling that vacated those provisions, with HHS having appealed. The regulatory position remains contested, but health plans are not waiting for the legal outcome to invest in more robust compliance infrastructure.
The financial exposure that extrapolation introduces is the reason enterprise-scale risk adjustment programs are prioritizing end-to-end data validation over point-in-time manual reviews. CMS selected MAOs for Payment Year 2018 RADV audits and has initiated that process.
The OIG has completed related audits that encompass PY 2018, and the financial impact of extrapolation in those completed audits is already evident.
The No UPCODE Act and Congressional Appetite for Reform
The Regulatory Signals AI Teams Need to Track
Pending legislation would prohibit coding submissions derived from chart reviews and in-home health risk assessments, directly affecting how AI-assisted coding tools can be used in risk adjustment workflows. The OIG has also identified 20 Medicare Advantage organizations as statistical outliers in their use of in-home health risk assessments for diagnosis reporting, a signal that data sourced from these assessments will face heightened scrutiny.
For AI platform developers and health plan technology teams, the implication is clear: the data inputs feeding risk adjustment models need to be traceable to qualifying face-to-face clinical encounters, not algorithmic pattern-matching across unverified data sources.
The False Claims Act Exposure That Runs Through Risk Adjustment
The compliance stakes in Medicare Advantage operate on two levels. The first is direct CMS administrative action through the RADV audit process: unsupported codes, calculated overpayments, and repayment demands.
The second is False Claims Act liability for plans that submit, or fail to withdraw, diagnosis codes they knew or should have known were not adequately supported.
This is where the technology infrastructure a plan has built becomes directly relevant to its legal exposure. AI-assisted review tools that flag potentially unsupported codes create a documented record of what the organization knew and when.
Plans that invest in retrospective review platforms are simultaneously building the compliance evidence trail that supports their position in enforcement proceedings.
The Kaiser and Aetna settlements, totaling over $670 million between them, reflect the scale of liability that can accumulate when risk adjustment practices are found to have systematically submitted unsupported codes.
The resolution of that litigation is being watched closely across the industry.
At those settlement sizes, even legally defensible programs that settle to avoid litigation risk create substantial financial and reputational consequences.
The OIG’s February 2026 Guidance Sets the Enforcement Road Map
The OIG’s February 3, 2026 release of Industry Segment-Specific Compliance Program Guidance for Medicare Advantage represents the first MA-specific compliance guidance the agency has issued since 1999.
That time gap is itself significant. The guidance reflects decades of audit findings, enforcement actions, and regulatory experience that the OIG has compressed into a framework that functions as both a best practices guide and an enforcement road map.
The guidance is voluntary and non-binding. It does not establish new legal requirements. However, organizations that ignore it materially increase their exposure because it signals precisely where regulators are looking and what constitutes an effective response.
Compliance gaps that align with areas the OIG has explicitly identified as high risk are unlikely to receive the benefit of the doubt in enforcement proceedings.
The guidance identifies risk adjustment integrity as a primary focus area, with specific attention to documentation of diagnoses from face-to-face encounters, the use of acceptable data sources, coding oversight of first tier, downstream, and related entities (FDRs), and the treatment of Hierarchical Condition Category (HCC) trends that deviate from expected patterns.
MAOs are expected to maintain provider-level benchmarking, conduct targeted audits when outliers are identified, and implement end-to-end claims validation workflows that catch errors before they reach CMS.
Algorithmic Compliance Tools and Their Limits
AI and data analytics have become central to how large MAOs manage their risk adjustment programs, and the technology stack supporting RADV audit readiness has matured considerably.
The broader shift toward AI compliance tools is reshaping how payers approach coding oversight, documentation validation, and audit readiness across the enterprise.
Prospective coding assistance tools flag documentation gaps before claim submission, allowing clinical and coding teams to resolve issues at the point of encounter rather than during audit response. Retrospective review engines identify inconsistencies between submitted codes and medical record content across large beneficiary populations at a speed and scale that manual review cannot match.
Anomaly detection tools surface providers or encounter types with unusual risk score patterns, giving compliance teams a data-driven signal for where to focus targeted auditing resources.
Platforms like RAAPID represent the enterprise architecture shift that is most relevant to health plan technology leaders in 2026. Rather than deploying separate prospective coding tools, retrospective review engines, and anomaly detection systems that each produce independent findings, RAAPID integrates these capabilities into a single AI-powered environment.
The operational advantage is significant. When a prospective tool flags a documentation gap and a retrospective engine confirms the same pattern across a provider’s encounter history, compliance teams receive a coordinated, cross-validated signal rather than two disconnected alerts requiring separate investigation workflows. That integration reduces the gap between identifying a potential coding issue and resolving it before it reaches CMS, which is precisely the capability that transforms RADV audit preparation from a reactive exercise into a continuous data quality program.
For health plan CIOs and compliance technology leads evaluating their risk adjustment infrastructure, the question is no longer whether AI belongs in this workflow. It is whether the AI tools in place are integrated enough to close the loop between prospective validation and retrospective review.
These tools represent a genuine advancement in compliance capability. They also create an evidentiary record that matters in enforcement proceedings.
When an AI-assisted review flags a potential unsupported code and the organization nonetheless submits or retains that code, the argument that the organization lacked knowledge of the unsupported status becomes significantly harder to maintain.
The OIG has specifically noted that determinations must reflect individual patient circumstances rather than relying exclusively on algorithms. This cuts in both directions. Algorithmic tools that identify overpayments create obligations to investigate and potentially return funds. Algorithmic tools used to generate codes without corresponding clinical validation do not satisfy the documentation requirements for risk adjustment.
Healthcare advocates have raised broader concerns about the role of algorithms in coverage and care decisions. Those concerns intersect with the compliance questions discussed here at the point where coverage determinations meet clinical reality, including what happens when the law fails patients.
Practical Priorities for Compliance and Legal Teams in 2026
The convergence of active RADV audits, extrapolation risk, elevated enforcement activity, and the OIG’s new guidance creates a compliance environment where technology infrastructure is no longer a support function.
It is a primary risk management tool. Health plans that have not yet built integrated risk adjustment and audit readiness platforms should treat the following as implementation priorities.
Internal Audit Priority
Organizations that have not conducted a targeted internal review of their risk adjustment data submission practices for payment years 2018 and forward should treat this as an immediate priority. The extrapolation rule applies from PY 2018 forward, and audit findings for those years carry substantially different financial exposure than prior years.
IH-HRA and Chart Review Assessment
Any risk adjustment data derived from in-home health risk assessments or retrospective chart reviews warrants heightened scrutiny under current enforcement priorities.
The OIG has published specific guidance on the types of practices that have driven FCA allegations in this space. Organizations relying on these data sources should evaluate their programs against that guidance and assess whether code submissions are adequately supported by qualifying face-to-face encounters.
FDR Oversight and Contractual Protections
MAOs are liable for risk adjustment data submitted by their downstream entities. The OIG’s new guidance explicitly addresses this, recommending that MAOs conduct initial risk evaluations of third parties before delegating Medicare program functions, incorporate compliance obligations into vendor agreements, and require audits that support ongoing compliance monitoring.
Agreements with coding vendors, health risk assessment contractors, and other risk-adjustment data contributors should be reviewed to confirm that they include adequate representations, compliance requirements, and audit rights.
The 60-Day Overpayment Clock
Internal investigations that identify potential overpayments require careful management of the 60-day return obligation. The legal determination of when an overpayment has been “identified” within the meaning of the statute is fact-specific and has significant consequences for FCA exposure.
Organizations conducting internal reviews should ensure outside counsel is engaged before any conclusion about overpayment identification is reached that would start the clock.
The Broader Governance Implication
The Medicare Advantage audit reckoning is not simply a compliance problem. It is a governance question.
The OIG has explicitly stated that risk adjustment trends, denial metrics, and identified overpayments should be reported regularly to boards of directors and executive leadership of MAOs.
The expectation is not that boards become technical auditing experts but that they receive sufficient information to understand material compliance risk and exercise oversight accordingly.
MAOs that treated risk adjustment compliance as a delegated operational matter without board-level visibility are now operating in an environment where that posture is precisely what regulators have identified as a governance gap.
The combination of expanded RADV extrapolation authority, elevated DOJ enforcement activity, and the OIG’s explicit focus on governance infrastructure creates a clear expectation that compliance risk reaches the board.
For legal advisors and compliance professionals, the practical implication is to build reporting structures that can satisfy this expectation before regulators ask whether they exist.
Conclusion
Medicare Advantage is the dominant Medicare delivery model, covering more than half of all Medicare enrollees. At that scale, the financial stakes of risk adjustment integrity are enormous, and the enforcement infrastructure reflects it.
The organizations best positioned to navigate this environment are those that have built the technology infrastructure to treat RADV audit risk as a continuous data quality problem rather than a periodic compliance event.
The investments that matter most in 2026 are not reactive. They are the prospective coding validation tools, retrospective review platforms, anomaly detection systems, and integrated audit preparation workflows that catch documentation gaps before they become overpayment findings.
For health plan technology leaders and the enterprise AI platforms supporting them, the direction of travel is clear. The compliance capability of a plan’s technology stack and its RADV audit exposure are no longer separate conversations.
The organizations building integrated AI infrastructure now, combining prospective coding validation, retrospective review, and anomaly detection in a single environment, are building the compliance infrastructure that will define competitive positioning in Medicare Advantage for the next decade. That is a technology investment decision as much as a compliance one.




