Most health plans govern their risk adjustment coding vendor the same way they always have. The contract is signed, charts move, and codes come back. Whether anyone inside the plan has genuine visibility into what the vendor is actually doing, and whether those practices would survive regulatory scrutiny, is a question most plans have never had to answer formally.
OIG’s February 2026 Medicare Advantage Industry Segment-Specific Compliance Program Guidance changes that. For the first time in 27 years, the government has put in writing exactly what adequate RA vendor governance looks like. It outlined the contractual provisions plans must have, the oversight activities plans must perform, and it named the enforcement consequences when those standards are not met.
This goes beyond aspirational goalposts. This is the standard against which your RA coding vendor governance will be measured if CMS or the Department of Justice ever looks at your program.
Most existing vendor relationships fall short of it. Here is what changed, what the gap looks like in practice, and what closing it requires.
What the Guidance Actually Says About Vendor Accountability
OIG drew a line that most compliance teams missed in their initial reads of the document.
The guidance states that MAO liability under fraud and abuse law is not limited to CMS regulatory accountability for vendor conduct. When a health plan delegates functions to a third party, the plan may be liable for the actions of that third party under the False Claims Act and related statutes. That liability exists regardless of whether the vendor formally qualifies as a First Tier, Downstream, or Related Entity under CMS definitions.
This is an important distinction. The legal exposure follows the function, not the contract classification.
OIG named the specific vendor practices that have produced that exposure:
- Chart reviews used to inflate risk scores without corresponding clinical encounters
- Failure to delete invalid diagnosis codes after identifying them as unsupported
- AI-generated coding prompts that push physicians toward diagnoses that do not reflect active patient care
These are actual risks that OIG has documented in enforcement actions. The February 2026 guidance is the agency telling plans, in writing, that they are responsible for what their vendors do.
The practical consequences are equally clear. A vendor that operates without adequate analyst governance, applies AI without human review, or runs QA against internal benchmarks instead of CMS RADV methodology creates exposure that lands on the health plan’s balance sheet, not the vendor’s.
The Governance Requirements Most Vendor Contracts Do Not Contain
The good news is that OIG did not leave plans to interpret what adequate oversight looks like. The guidance names the specific provisions that should govern third-party RA coding relationships. Most existing vendor contracts contain none of them.
Before delegating any Medicare program function, OIG expects a formal risk evaluation of the vendor. This means assessing the vendor’s compliance infrastructure, its experience with MA-specific requirements, and its capacity to handle audit-sensitive work. A reference check and a security questionnaire are not the same thing as a compliance risk evaluation.
Once a vendor is engaged, OIG expects contracts to contain:
- Self-audit obligations with results reported directly to the health plan, not held internally by the vendor.
- Explicit audit access rights so the plan can review vendor operations, QA outcomes, and coding decisions on demand.
- Periodic attestation renewals confirming the vendor’s compliance posture on a defined schedule.
- Performance dashboards with defined content covering coding accuracy, QA outcomes, AI performance metrics, and error root cause analysis.
- Corrective action policies with defined triggers and consequences, up to and including contract termination.
Plans need to treat vendor oversight as a continuous governance function with documented accountability at every stage.
Plans that cannot demonstrate this level of oversight in writing, with evidence, are not positioned to defend themselves if a vendor’s coding practices become the subject of a CMS audit or DOJ inquiry.
Where Most Plans Are Right Now
Most health plans govern their RA coding vendors through SLA reporting, accuracy metrics against internal benchmarks, and periodic business reviews. Those mechanisms address throughput and cost but don’t address what OIG is now asking about.
Internal accuracy benchmarks do not tell you whether your vendor’s QA methodology is calibrated against CMS RADV findings. SLA reports do not tell you whether analysts are governing AI output or accepting it uncritically. Business reviews do not constitute the formal risk evaluation OIG describes.
Closing these gaps is the plan’s responsibility. OIG is clear: MAOs retain ultimate responsibility for fulfilling the obligations of their CMS contracts, even when functions are delegated. The vendor performing the work does not absorb the plan’s compliance accountability.
What Needs to Change and the Practical Steps to Get There
The February 2026 guidance is voluntary and nonbinding, but treating it as aspirational is a mistake. OIG publishes this guidance to describe the standards it will apply when reviewing compliance programs. A plan that receives a CMS program integrity audit or a DOJ civil investigative demand in 2026 or 2027 will be evaluated against what OIG articulated in February. Voluntary guidance is the floor, not the ceiling.
Getting to that floor requires action across four areas.
Step 1: Conduct a Contract Review Now
Pull your current RA coding vendor agreements and evaluate them against the governance requirements OIG named. Look specifically for self-audit provisions, audit access rights, attestation renewal schedules, dashboard content requirements, and corrective action triggers. Where those provisions are absent, the next contract renewal is the window to add them. Do not wait for the renewal to begin that conversation. Vendors who operate at the standard OIG describes will welcome the structure. Those who resist it are telling you something important about their compliance posture.
Step 2: Evaluate What Your Vendor Can Actually Show You
OIG’s governance standard requires real-time visibility into vendor operations, not quarterly reporting summaries. Ask your current vendor to show you live QA outcomes by coder, AI performance metrics by HCC category, error root cause analysis by error type, and coding accuracy measured against CMS RADV methodology rather than internal benchmarks. If your vendor cannot produce those views on demand, your compliance program does not have the visibility OIG expects. Annova’s precision risk adjustment coding program includes real-time plan-facing dashboards covering exactly those dimensions, built as governance infrastructure rather than a reporting feature.
Step 3: Confirm Your Vendor’s AI Is Governed, Not Just Deployed
OIG specifically flagged AI-generated coding prompts that encourage unsupported diagnoses as abusive conduct. The question for your compliance program is not whether your vendor uses AI but whether every code that AI surfaces passes through trained analyst review before it enters your submission. At Annova, our nHance AI engine structures and surfaces clinical evidence. The risk adjustment analyst governs all coding decisions, so no HCC recommendation reaches submission without human accountability. We do not treat that architecture as a quality preference. Under OIG’s February 2026 guidance, it is the compliance-correct design.
Step 4: Build the Audit Trail That Demonstrates Governance
OIG expects risk assessment results to drive audit and monitoring work plans. It expects vendor compliance programs to be reviewed, not assumed. It expects corrective action to be documented and tracked. The coding season does not wait for compliance infrastructure to catch up. Annova’s RADV audit readiness program gives health plans a documented, evidence-based picture of where their vendor governance stands against the OIG standard before CMS asks the same question. Plans that begin that work now are building the audit trail that demonstrates governance, while plans that wait are building exposure.