OIG Issues New Medicare Advantage Compliance Program Guidance: 15 Compliance Risk Areas

Richard P. Kusserow | February 2026

On February 3, 2026, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued updated Medicare Advantage Industry Segment-Specific Compliance Program Guidance (ICPG). As with other OIG compliance program guidance, the ICPG is recommended, not mandatory. It uses advisory language such as “should,” rather than “must.” Although it does not carry the force of law, it reflects government expectations and may be referenced in audits, investigations, and enforcement actions (e.g., Corporate Integrity Agreements). Compliance officers for Medicare Advantage (MA) plans should review the ICPG to align their programs with the OIG’s current views on fraud, waste, and abuse (FWA) risk trends. The guidance outlines compliance program expectations and industry “best practices,” focusing on risk areas specific to MA and broader managed care operations. It helps plans identify key compliance risk areas, suggests practical mitigation strategies, and offers practical steps on structuring effective compliance and quality programs.

Consistent with the General Compliance Program Guidance (GCPG), the ICPG emphasizes the seven standard elements of an effective compliance program, tailored to the managed care environment, including risks involving capitated payments, utilization management, network oversight, and benefit design. The ICPG identifies specific risk areas that compliance officers should prioritize, including the following:

  1. Evaluate the compliance program against the GCPG and ICPG to identify areas needing enhancement.
  2. Ensure the compliance officer reports directly to the CEO and/or the board.
  3. Update compliance policies and ensure they are accessible and understood by covered parties.
  4. Assess referral patterns, data accuracy, payment integrity, and care management activities.
  5. Implement annual, role-specific compliance training addressing identified risks and expectations.
  6. Strengthen the compliance hotline and other reporting channels for suspected non-compliance.
  7. Review marketing practices to prevent misleading conduct and compliance violations.
  8. Verify that contracts with vendors and providers include robust compliance obligations.
  9. Conduct due diligence, monitoring, and auditing of first-tier, downstream, and related entities.
  10. Ensure timely investigation, reporting, root-cause analysis, and remediation of compliance issues.
  11. Conduct annual risk assessments and tailor audit plans to the highest risk areas.
  12. Enhance monitoring and auditing of high-risk operational functions.
  13. Document and evidence good-faith implementation of recommended practices.
  14. Maintain thorough documentation evidencing compliance efforts.
  15. Provide reports to leadership and the board on identified risks, audit findings, corrective actions, training completion, and emerging issues.

In addition, organizations should consider having an independent effectiveness evaluation of their Compliance Program. An external review can help document and evidence program strengths, identify opportunities for improvement, and support ongoing enhancement efforts.

Interested in hearing more from Richard Kusserow on OIG matters and learning how his expertise can support your organization? Link to his bio here or email him at [email protected].

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.
