The Compliance Checklist Nobody Wants to Run
Most health plans evaluate their risk adjustment programs on financial metrics: codes added, RAF score improvement, revenue recovered. Those numbers matter. But they don’t tell you whether your program can survive a RADV audit, a DOJ investigation, or an OIG review. The compliance evaluation is a different exercise, and it’s one that too few organizations run until it’s too late.
The Aetna DOJ settlement ($117.7 million, March 2026) and the Kaiser settlement ($556 million) both involved programs that were generating revenue successfully. The financial metrics looked strong. What failed was the underlying compliance architecture: add-only design, inadequate documentation validation, and coding patterns that CMS interpreted as intent to inflate payments.
Running a compliance audit on your own risk adjustment program isn’t comfortable. It often surfaces problems that are expensive to fix. But the alternative, discovering those problems when CMS or the DOJ surfaces them, is significantly more expensive.
Five Questions Your Solution Must Answer
First: does your program add and remove codes? If the answer is add-only, you’re running a program that OIG’s February 2026 guidance specifically identified as high-risk. Two-way review that validates existing submissions and removes unsupported codes is now the regulatory expectation, not an optional enhancement.
Second: can you produce an evidence trail for every submitted HCC? CMS doesn’t accept “our coder reviewed the chart” as proof. They want to see which clinical note supported the diagnosis, what MEAT criteria were satisfied, and how the coding decision was made. If your system doesn’t generate this documentation automatically, your coders are creating audit liability with every chart they close.
Third: is your AI explainable? If you’re using technology to assist coding decisions, the technology’s reasoning must be transparent. Auditors will ask how a code was identified and what evidence supported it. “The AI recommended it” without supporting documentation is not a defensible answer.
Fourth: does your program validate documentation quality before submission? Submitting codes and hoping they hold up during audits is a reactive strategy. Tools that score defensibility and flag weak documentation before codes reach CMS are proactive. The cost difference between fixing a problem before submission and defending it after an audit finding is orders of magnitude.
Fifth: are your coding metrics aligned with compliance goals? If your team is measured on codes added and RAF uplift, the incentive structure rewards volume over accuracy. Programs measured on accuracy, defensibility, and two-way validation rates produce different outcomes than programs measured on revenue impact alone.
The Operational Reality
Rebuilding a risk adjustment program around compliance isn’t a technology switch. It’s an operational restructuring. Coding teams need new metrics. Quality assurance workflows need to include MEAT validation as a standard step. Provider query processes need to address documentation gaps before submission, not after audit findings. And leadership needs to accept that removing an unsupported code is a win, not a loss.
The technology enables the change but doesn’t cause it. AI-assisted MEAT validation, two-way coding capability, and audit simulation tools make compliance-first workflows practical at scale. But the cultural shift, from celebrating volume to celebrating defensibility, has to come from leadership. Without that shift, even the best technology gets used in the same revenue-first pattern that generated the settlements now making headlines.
Where to Start
If your organization hasn’t run a compliance assessment on its risk adjustment program in the past 12 months, that’s the first step. Not a financial review. A compliance review. Map your current process against the five questions above. Identify where gaps exist. Prioritize fixes based on regulatory exposure.
Any risk adjustment solution deployed in 2026 must answer those five questions affirmatively. The settlement era has established clear precedent: programs designed for revenue without adequate compliance architecture generate nine-figure liability. The cost of prevention is a fraction of the cost of remediation.
