CMS Tightens Oversight of Medicare Advantage Plans
In the coming year, the nation’s Medicare Advantage insurers – which cover over 31 million Americans – face an unprecedented wave of regulatory changes and scrutiny. The Centers for Medicare & Medicaid Services (CMS) has quietly ushered in a more aggressive audit regime for Medicare Advantage (MA) plans, alongside significant updates to how these plans are paid for the health risks of their enrollees.
Health plan CEOs, whose organizations collectively received about $455 billion in Medicare payments last year, are now grappling with what these changes mean operationally and financially. Many are preparing for a future in which annual federal audits become a routine part of doing business and risk adjustment rules are rewritten to curb excess payments.
Oversight Intensifies: RADV Audits Expand in 2025
Late this spring, CMS announced a dramatic expansion of its Risk Adjustment Data Validation (RADV) audits – the primary tool for verifying that MA plan payments are justified by members documented health status. Historically, CMS audited only a small sample (around 60) of MA contracts each year, targeting plans suspected of excessive billing. That is changing effective immediately: CMS will audit all eligible Medicare Advantage contracts annually (approximately 550 plans in total)1. In addition, the agency is fast-tracking a backlog of past years’ audits, pledging to complete all outstanding audits for payment years 2018 through 2024 by early 2026. This means health plans could be hit with multiple audit findings in short succession, condensing what might have been a decade of scrutiny into a much shorter window.
“We are committed to crushing fraud, waste and abuse across all federal healthcare programs,” Dr. Mehmet Oz, the CMS Administrator, said in a statement announcing the new audit strategy. While emphasizing the value of Medicare Advantage, Oz underscored that CMS must ensure [plans] are billing the government accurately2.
The RADV audits themselves will also become more intensive. CMS is increasing the sample size of medical records it reviews for each plan from about 35 records to as many as 200 records per plan annually1. By reviewing a larger slice of each plan’s claims, CMS aims to make any identified error rates more credible for extrapolation – a process of projecting the sample’s error rate onto the plan’s entire member population1. CMS finalized a rule in 2023 that, for the first time, allows auditors to extrapolate overpayment findings starting with audits of 2018 claims onward. In the past, if an audit uncovered (for example) $100,000 in improper payments in the sample, the plan would repay that amount; now CMS can multiply that figure across all similar cases in the year – a change that could turn modest audit findings into multimillion-dollar liabilities for plans.
To support this ambitious oversight agenda, CMS is bolstering its audit arsenal. The agency will deploy “enhanced technology” – including advanced data analytics, and potentially artificial intelligence, to flag suspect diagnoses in billing data1. It is also undertaking a massive workforce expansion, increasing its team of medical coders from just 40 to roughly 2,000 by September 2025 to manually review records and confirm unsupported codes2. This 50-foldstaffing surge underscores the scale of CMS’s commitment. All Medicare Advantage plans can now expect an audit each year, a stark departure from an era when many insurers never faced a RADV audit at all1.
For health plans, the immediate implication is a significant operational burden. Insurers will need to respond to ongoing documentation requests, often under tight deadlines, and may find themselves in perpetual audit preparation mode. Some plans are already ramping up their own internal audit teams and processes to mirror CMS’s efforts, aiming to catch and correct errors proactively before federal auditors arrive.
A Revamped Risk Adjustment Model and Policy Changes
Behind the audit crackdown is a broader effort to refine how risk adjustment – the system that pays more for sicker patients – is administered. In 2024, CMS began phasing in a new risk adjustment model (known as “V28”) for Medicare Advantage, the first major overhaul in years. This updated model recalibrates which diagnoses count toward a patient’s risk score and how much they raise payments. Notably, CMS removed over 2,000 diagnosis codes from the model that it deemed prone to being “up-coded” – the practice of documenting extra or more severe conditions to inflate payments3. The goal is to target codes most likely to be abused and ensure that payments better reflect genuine health status.
The transition to the new model is occurring gradually to mitigate disruption. For payment year 2024, risk scores were calculated with a blend (33% new model, 67% old model). By 2025, the balance flips to 67% new model (V28) and 33% old4, and by 2026 the new model will be fully in place. The V28 model introduces 115 condition categories (up from 86 in the previous model) but with a more selective set of diagnosis codes – 7,770 codes mapping to those categories, versus 9,797 codes in the old model4. In practical terms, some diagnoses that used to boost payments will no longer do so, or will do so to a lesser degree. Chronic conditions like diabetes, depression, or vascular disease are among those seeing coding criteria tightened or subdivided to prevent overstating a patient’s illness burden, according to policy analysts.
CMS argues these changes will improve payment accuracy and curb excess spending. Agency officials noted that Medicare Advantage plans have been paid billions more than similar patients in traditional Medicare, partly due to aggressive coding practices. Indeed, CMS now estimates MA plans overbill the government by about $17 billion a year through unsupported diagnoses, with some estimates as high as $43 billion. The new risk model, coupled with stepped-up audits, is designed to rein in this overspending. Med PAC, a congressional advisory body, has reported that payments to MA plans in 2024 were on track to be roughly $83 billion higher than they would have been in fee-for-service Medicare for the same enrollees – a gap these policies seek to narrow.
Health plans and providers, however, have voiced concern about the speed and impact of these changes. The industry pushed back hard when the new model was proposed, prompting CMS to adopt the three-year phase-in rather than an immediate switch3. Many insurers and health systems fear the model’s stricter coding could reduce payments for vulnerable patients, potentially affecting benefit offerings. CMS’s own projections suggested that despite the model changes, average plan payments per enrollee would still rise in 2024 and 2025, due to other adjustments. But those increases may be smaller than plans are used to, and impacts will vary byplans3.
The American Medical Group Association, representing provider organizations, cautiously noted that the phase-in gives CMS “an opportunity to refine the plan” if unintended consequences emerge by 2026. In essence, while regulators see the new model as a needed course correction, the industry sees a potential budget cut in disguise, to be fought or at least closely watched.
Operational and Compliance Challenges for Health Plans
For health plan executives, the confluence of comprehensive audits and new risk scoring rules translates into a daunting compliance agenda. Operationally, plans must strengthen their documentation practices and IT systems immediately. Every diagnosis code submitted for payment must be backed by proper medical record evidence – not just to withstand a CMS audit, but to ensure the plan isn’t overstating its risk scores under the refined model. Many insurers are conducting internal RADV-style audits on 2018–2022 data right now, essentially red-flagging any diagnosis in their system that might not hold up to scrutiny. By performing these self-audits and deleting or correcting unsupported codes in CMS’s database, plans can mitigate future penalties4. This proactive approach, encouraged by consultants, aims to “reduce and manage RADV financial exposure” by addressing issues before the government does.
Provider engagement is another critical piece. Medicare Advantage insurers often rely on networks of physicians and hospitals to document diagnoses, and historically some have incentivized providers to code comprehensively. Now the dynamic is shifting: plans are implementing new provider training and education on the V28 coding changes, stressing accurate and only supported diagnoses. Some plans are also revisiting their contracts with providers. Those that share risk with providers (through value-based arrangements or bonus incentives) may insert clauses making providers financially liable for coding errors that lead to audit recoveries. If a CMS extrapolated audit claws back millions of dollars from a plan, the plan doesn’t want to shoulder that alone – it may seek to recover portions from the physician groups whose documentation was found lacking. This is a delicate conversation, but it reflects how seriously plans are treating the new audit risk.
Internally, compliance and audit departments at MA organizations are bracing for a heavier lift. Plan CEOs are evaluating whether their teams have the bandwidth and expertise to handle continuous audit requests, or if they need to enlist outside help (such as specialized auditing firms or consulting partners). The administrative load of responding to RADV audits – pulling hundreds of medical records from archives, coding them, and submitting rebuttal evidence – is significant, especially for smaller regional plans. Plans must also keep pace with evolving guidance: CMS recently issued updated RADV audit dispute and appeal instructions (effective January 2025), clarifying how plans can challenge audit findings through a reconsideration process2. Ensuring the legal team is ready to navigate these appeals, especially when extrapolated sums are on the line, will be crucial.
Finally, IT systems need updates to accommodate the 2025 risk model blend and forthcoming full model transition. Claims and billing software must incorporate the new HCC definitions so that as of January 1, 2025, incoming claims are evaluated under the correct risk adjustment logic. Misalignments here could directly affect revenue projections and compliance. Some plans have had to reconfigure analytics dashboards and retrain their coders and coding vendors on the model’s nuances – for example, which codes no longer map to an HCC (and thus no longer increase payments)4. This system work is technical, but vital to avoid errors in submissions that could trigger audits or payment shortfalls.
Financial Stakes and Industry Response
The financial implications of CMS’s 2025 changes are multifaceted. On one hand, Medicare Advantage insurers might see lower revenue growth per patient as risk scores level off under the tighter model. On the other hand, they face the possibility of paying back substantial sums if audits uncover past overpayments. Even a small error rate can translate into a large liability when extrapolated across tens or hundreds of thousands of members. Past RADV audits (2011–2013) found overpayments in the range of 5% to 8%2. If a similar error rate were found today and extrapolated, a mid-sized plan with $1 billion in annual revenue might have to refund $50–$80 million for a single year – a heavy hit to earnings.
Compounding the concern, CMS’s decision to finalize audits from 2018 through 2024 in one burst means some plans could be writing checks for multiple years’ worth of overpayments almost at once. Financial officers are reviewing reserves and worst-case scenarios now. “If CMS identifies and extrapolates overpayments for those years, financial losses due to recoupment will be concentrated over a much shorter time period than under the prior timetable,” the Ropes & Gray analysis cautioned1. In other words, what might have been staggered as a series of smaller repayments over a decade could become a tidal wave of obligations around 2025–2026. This has implications for plan budgeting, dividend plans, and even market valuations – indeed, stock analysts have begun asking public MA insurers about their audit exposures in earnings calls.
Preparing for Change: Mitigation Strategies for Plans
In response to these challenges, savvy health plans are taking a multi-pronged approach to mitigate risk. One key strategy is investing in advanced analytics to identify coding outliers. Plans are leveraging data algorithms to scan claims for patterns – for example, providers who code unusually high rates of certain lucrative diagnoses – and then conducting targeted chart reviews to verify those cases. By doing so, plans can either validate the codes with proper documentation or proactively “unlock” and remove unsupported diagnoses from their submissions, thereby inoculating against future audit findings. This kind of internal cleanup, though potentially reducing payments in the short term, can save a plan from a costly claw-back down the road. Several large insurers have created special RADV task forces for this purpose, blending expertise from compliance, IT, and clinical coding teams.
Education and training are also front and center. Health plan leaders are doubling down on provider education programs to reinforce documentation standards. For example, physicians are being reminded that every chronic condition must be explicitly documented each year in the medical record to count for risk adjustment – and if they add a diagnosis, it should be one actively managed or treated, not just noted in passing. Plans are updating provider handbooks to reflect diagnoses that no longer risk-adjust under the new model, so clinicians don’t waste effort coding conditions that won’t contribute to funding. Some plans are even offering or requiring “documentation integrity” training sessions for network providers, knowing that many audit issues can be prevented at the point of care through better record-keeping.
Another defensive measure is incorporating more stringent audit clauses in vendor contracts. Many health plans use third-party vendors for chart reviews or in-home assessments to help identify additional diagnoses. In the wake of the RADV rule, plans are making sure those vendors attest to the accuracy of codes they submit on the plan’s behalf – and assume liability if codes don’t hold up in an audit. Similarly, plans in risk-sharing arrangements with providers are clarifying how any recovered payments will be handled, as noted earlier. The overarching aim is to align incentives so that everyone – plan, provider, vendor – has “skin in the game” to only report truthful, supportable diagnoses.
From a financial planning perspective, some insurers are bolstering reserves or reinsurance coverage to cushion against possible repayments. Just as importantly, they are scenario-testing the impact of lower risk scores. CFOs are running models on 2025 revenue under various coding intensity assumptions (for instance, if certain common diagnoses drop out of HCC scoring) to guide bids and benefit design for the upcoming plan year. In extreme cases, a few plans have hinted they might need to trim benefits or adjust premiums if the new model significantly undercuts their payments – a move that would likely invite member and political backlash. For now, most are taking a wait-and-see approach, hoping that improved documentation and coding accuracy can blunt the negative financial impacts.
Navigating the Changes with Technology and Support
As Medicare Advantage organizations brace for this new regulatory landscape, many are turning to technology and specialized support services to adapt more effectively. Digital operations platforms and analytics tools are emerging as essential aids in ensuring compliance without overwhelming internal teams. For example, some health plans are deploying AI-driven software to automatically review medical records for any discrepancies between documented conditions and submitted diagnosis codes. These tools can flag potential unsupported diagnoses in real time, allowing plans to correct errors before they are picked up in a CMS audit. Enhanced reporting systems also help plans continuously monitor their risk score trends under the new model and identify areas where scores are dropping due to the V28 changes – insight that can inform provider outreach and member care programs.
Mizzeto’s healthcare digital operations suite is designed to streamline back-office processes for payers, which now include the heavy compliance workloads. For instance, Mizzeto provides audit and compliance assistance, conducting transactional audits to ensure policy compliance and quality control. Such services can take on the labor-intensive task of reviewing claims and medical records for accuracy, effectively augmenting a health plan’s internal audit department. Mizzeto also specializes in claims processing automation and data management, which helps plans keep their billing accurate and up-to-date with the latest rules. By automating routine claims checks and integrating the new risk adjustment logic into claims workflows, these technologies reduce the chance of human error that could lead to audit findings.
Another area where external partners prove valuable is in financial reconciliation and provider recovery efforts. If a plan does end up owing money back to CMS or identifies overpayments made to providers, Mizzeto’s services include analyzing overpayment situations and even helping to recoup excess payments from providers in the plan’s network. This kind of support is critical when plans are processing the results of an audit or adjusting payments post-review. It ensures that once a compliance issue is identified, the plan can resolve it swiftly on the financial side – whether that means correcting claims, retrieving funds, or crediting CMS – all with minimal disruption to operations.
Crucially, these solutions are not about replacing human expertise but augmenting it. Health plan executives remain at the helm in setting strategy (such as how to respond to CMS rule changes or when to self-audit), but they are leveraging technology and trusted partners to execute those strategies at scale. The result can be a more resilient organization: one that can handle an uptick in audits and shifting payment formulas without sacrificing focus on member care.
Looking ahead, Medicare Advantage plans will continue to refine their approach as real-world data from 2025 rolls in. Early audit results and the first full year of the new risk score model will provide feedback, showing where coding patterns need improvement or which compliance investments yield the best returns. Health plan CEOs are keenly aware that the stakes are high – both in terms of dollar amounts and public trust. Yet, with thorough preparation, the right expertise, and strategic use of technology, plans can navigate these reforms. The overarching goal is aligning Medicare Advantage’s impressive growth with robust accountability. And while the 2025 CMS audit changes pose undeniable challenges, they also present an opportunity: for health plans to demonstrate their commitment to accuracy and quality, strengthening the partnership between the government and private insurers that millions of seniors rely on every day.
2CMS Rolls Out Aggressive Strategy to Enhance and Accelerate Medicare Advantage Audits
3Providers, payers press CMS to get rid of Medicare Advantage risk adjustment changes entirely
4Key Areas of Focus for Risk Adjustment as the Calendar Turns to 2025
