
Healthcare compliance changes fast, and without a keen eye, you’re likely to miss something that will come back to bite you. If you can’t afford that, then you should listen to what our director of product content, Anne Marie Anderson, has to say.
Anne Marie Anderson is a licensed attorney with over 25 years of experience as a legal and compliance professional. Basically, she’s our secret weapon, keeping us ahead of the curve on industry developments so that we can help protect businesses like yours, no matter how fast regulations and enforcement evolve.
Here’s a look at the items that are on Anne Marie’s radar this month. Our secret weapon can be yours, too.
The OIG Just Rewrote its Medicare Advantage Playbook, and it Covers More than Health Plans
If your practice participates in Medicare Advantage as an employed physician, an independent group, or a practice that contracts with an MA plan, the OIG’s February 2026 guidance isn’t background reading; it’s required reading.
For the first time since 1999, the Office of Inspector General released an updated Medicare Advantage Industry Segment-Specific Compliance Program Guidance (ICPG). The program it’s addressing looks nothing like it did 25 years ago: MA now covers more than half of all Medicare beneficiaries, federal spending is projected at up to $600 billion annually, and fraud estimates run into the billions. Enforcement has scaled accordingly, and DOJ’s recent track record is a reliable preview of where OIG is headed next.
One thing the new guidance makes clear: this isn’t just a health plan issue. The ICPG covers MA Organizations, contracted providers, coding vendors, and any other party participating in or engaged with the MA program. If you treat MA patients, the OIG has now spelled out exactly what it expects from your organization—and what it will look for if something goes wrong.
Key takeaway: The OIG’s 2026 compliance guidance covers contracted providers and coding, not just health plans.
What the $556 Million Kaiser Settlement Tells Providers About Their Own Exposure
On January 14, 2026, the DOJ announced the largest False Claims Act settlement in Medicare Advantage history. Five Kaiser Permanente affiliates agreed to pay $556 million to resolve allegations that Kaiser mined patient records for unsubmitted diagnoses, sent queries to physicians asking them to add those diagnoses after visits had already concluded, and financially pressured providers who didn’t go along. Allegedly, some of those addenda were added months or even over a year after the original encounter.
Here’s the part that matters most for provider organizations: the settlement didn’t just name Kaiser’s health plan affiliates. It named the physician groups too: the Permanente Medical Group, Southern California Permanente Medical Group, and Colorado Permanente Medical Group were all parties. The plan didn’t absorb liability on behalf of the providers. Under the FCA, when a plan builds a coding program that pressures physicians to document diagnoses they didn’t clinically assess, both sides of that relationship can be held accountable.
That’s not an isolated result. A March 2025 settlement with Los Angeles’ Seoul Medical Group and a separate radiology group produced $62 million in DOJ FCA recoveries where providers were the primary defendants, named directly for submitting unsupported diagnosis codes to MA organizations, with no health plan as a co-defendant.
Key takeaway: “The plan told us to” is not an FCA defense. Providers can be, and have been, named defendants on their own.
Coding Vendors Don’t Provide Cover, Either
The same post-visit addenda pattern that drove the Kaiser case also led to a separate December 2024 settlement. New York MA plan Independent Health, its coding vendor subsidiary DxID, LLC, and DxID’s CEO agreed to pay up to a combined $100 million to resolve FCA allegations. According to the DOJ, Independent Health used DxID to run retrospective record reviews and query physicians to add diagnoses, and DxID kept 20% of the additional reimbursements it generated.
This case matters for provider organizations that contract with third-party risk adjustment vendors or that receive requests from plan-sponsored coding programs. When a vendor’s business model is built around finding more diagnoses, the financial structure is itself a compliance risk signal, especially when the vendor is paid based on results. The OIG’s 2026 guidance flags contingency-based coding arrangements of this type and retrospective chart review programs as areas of concern.
Providers who respond to vendor queries by adding diagnoses to records should understand that they, not just the vendor, become part of the documentation chain the government will examine.
Key takeaway: If a coding vendor is asking your providers to add diagnoses to records after a visit, that’s a warning sign. Get legal review before participating to avoid DOJ or OIG actions.
A 2025 Court Win on Audits: Real, but Limited
There’s a court ruling making the rounds that’s worth addressing directly, because it’s easy to read more into it than is actually there.
In September 2025, a federal district court in Texas vacated CMS’s 2023 Risk Adjustment Data Validation (RADV) Final Rule. That rule had allowed CMS to extrapolate audit findings from a sample of records out to a plan’s full contract population, a mechanism that could dramatically amplify repayment exposure.
The court struck it down, but on purely procedural grounds: CMS hadn’t followed proper notice-and-comment rulemaking. The court did not find that extrapolation itself is unlawful. CMS has appealed the ruling and continues to audit every eligible MA contract annually while expanding its medical coding review staff.
Even without extrapolation in play, audit findings at the sample level still produce real repayment obligations. More importantly, DOJ’s FCA enforcement authority—the tool behind Kaiser, Seoul Medical Group, and Independent Health—is completely untouched by this ruling. DOJ doesn’t need the RADV rule; it needs evidence of knowingly submitted unsupported codes.
Key takeaway: The 2025 ruling limits extrapolation while the appeal works through the courts. It doesn’t reduce your obligation to ensure diagnosis documentation is accurate and clinically supported.
Three Things Every Provider Organization Should Do Now
All of these enforcement actions and OIG guidance points converge on the same core practices. If your organization isn’t doing these three things, now is the time to start.
- Read your MA contracts before you sign them. When contracts come up for renewal, look specifically for provisions tied to coding volume, diagnosis capture targets, or addenda programs. If a plan is offering financial incentives connected to how many diagnoses your providers document, that language warrants independent legal review before you accept it.
- Know the 60-day rule, and have a process for it. Federal law requires any party that identifies an overpayment, including an unsupported diagnosis in a submitted record, to report and return it within 60 days. That clock runs for providers independently of what the plan does. If your practice runs internal coding reviews and turns up errors, you need a documented process that covers how discoveries are recorded, when counsel gets involved, and how you act within the window.
- Question post-visit diagnosis requests before acting on them. It doesn’t matter if the request comes from a plan, a coding vendor, or an EMR prompt. Any request to add a diagnosis after a patient encounter should be evaluated against one question: Does the medical record support this as a condition the patient has, and one that was actually assessed during the visit? If the honest answer is no, adding the diagnosis to satisfy the request isn’t compliance. It’s exposure.
Key takeaway: Meaningful MA compliance comes down to knowing your contracts, responding to overpayment discoveries within 60 days, and documenting only what the clinical record genuinely supports.
Keep up to date and secure as regulations evolve! Compliancy Group is the #1 rated healthcare compliance software for a reason: we make it easy to understand and manage every aspect of compliance at your business.






