PCOOB Weekly — May 1, 2026
PCOOB Weekly — Issue 4 — May 1, 2026

When the Audit Finds the Pattern

Three OIG findings. One major sanctions action. Four compliance obligations that were always there — and now have a precedent attached.

Risk Adjustment / Program Integrity

Regulatory-Analysis-Led / Operational Fault Line

CMS, OIG, 42 CFR

Scroll to read
Editor’s Note

The harder version requires reading the series as a whole.

There is a version of the OIG’s recent audit work that can be read as routine enforcement activity: a few plans, some unsupported diagnosis codes, modest overpayment amounts. That reading is available if you look at each finding in isolation.

The harder version requires looking at the series as a whole. The OIG has now published findings from the same targeted audit program across at least three Medicare Advantage organizations. The findings are structurally identical. And last month, CMS sanctioned one of the country’s largest MA operators for seven years of knowing noncompliance with risk adjustment submission requirements — not because CMS discovered it, but because Elevance Health could not produce required electronic submissions when asked.

This edition connects those two threads. The question at the center is not whether your plan has unsupported diagnosis codes. Some number of them almost certainly exist in every large risk adjustment portfolio. The question is what your plan does when the internal review finds them — and whether your current protocols are legally compliant with what CMS requires next.

3
OIG Audit Findings
Priority Health, Gateway Health Plan, and BCBS Alabama — all from the same targeted audit series, same methodology, structurally identical findings.
81–91%
Unsupported Code Rate
Across all three audits, between 81% and 91% of sampled enrollee-years contained at least one diagnosis code medical records did not support.
7
Years / CMS Directives
CMS sent Elevance Health seven formal directives between 2018 and 2025. Sanctions on 46 MA-PD contracts became effective March 31, 2026.
01
The Argument

The OIG has confirmed a pattern. Three plans, same series, structurally identical findings.

The OIG’s targeted Medicare Advantage diagnosis code audit series has been working through a defined set of high-risk diagnosis code categories across multiple MA organizations. In the past several months, it has published findings from three:

OIG Targeted Audit Series — Published Findings

Priority Health (H2320) 252 of 300 sampled enrollee-years — unsupported codes $828,010
Gateway Health Plan (H5932) 232 of 286 sampled enrollee-years — unsupported codes $830,334
BCBS Alabama (A-07-22-01207) 247 of 271 sampled enrollee-years — unsupported codes $7M est.

The structural consistency is the signal. These are not three separate OIG reviews with independently developed methodologies. They are from the same series, targeting the same categories of diagnosis codes, applying the same sampling approach. The finding — that between 81% and 91% of sampled enrollee-years contained at least one unsupported code — is consistent enough across three separate organizations that treating it as an isolated organizational problem requires deliberate effort.

The OIG does not typically publish findings in the same series without a larger enforcement purpose. The RADV audit scaling that CMS announced — expanding from approximately 40 to 2,000 coders and moving toward near-universal plan coverage — creates the infrastructure for these findings to translate into financial consequences at scale. The OIG diagnosis code series and the RADV expansion are parallel tracks. For compliance leadership, the relevant question is not whether your plan will encounter this kind of scrutiny. It is whether your internal medical record review program identifies unsupported codes with the same clinical rigor the OIG applies when it arrives.

> CMS Sanctions Notice — Elevance Health — Effective March 31, 2026

Four violations. Forty-six contracts. Seven years of known noncompliance.

> 42 CFR 422.310(d)(1)
Failure to delete unsupported diagnosis codes
Elevance failed to delete diagnosis codes from risk adjustment data submissions that internal review had identified as not supported by medical record documentation.
> 42 CFR 422.326(d)
Failure to comply with 60-day overpayment reporting
Once a plan identifies an overpayment, it has 60 days to report and return it. Elevance’s internal identification of unsupported codes did not trigger compliant reporting within the required window.
> 42 CFR 422.310(b)/(d)(2)
Electronic submission requirement violation
Risk adjustment data corrections must be submitted through RAPS, EDPS, or RAOR. Elevance instead transmitted corrections via encrypted USB flash drives to a CMS contractor. The channel was wrong regardless of accuracy.
> 42 CFR 422.504(l)
Inaccurate certification of data accuracy
Elevance’s executives certified the accuracy of risk adjustment data submissions that had not been fully corrected through compliant processes. Certification covers the entire downstream review and submission workflow.
Source: CMS Sanctions Notice, Elevance Health, February 27, 2026 (effective March 31, 2026). Covers data from service years 2015 through April 2, 2023 (PY 2016–2024). CMS issued seven formal directives to Elevance between 2018 and 2025 before sanctions action was taken.
02 — The Scale

Seven years of internal knowledge. Four regulatory violations. One sanctions action.

On February 27, 2026, CMS issued a sanctions notice to Elevance Health covering 46 of its Medicare Advantage and Part D contracts. The sanctions — suspension of enrollment and marketing communications — became effective March 31, 2026.

The timeline is the most significant disclosure in the CMS notice. CMS sent Elevance seven formal directives between 2018 and 2025 requiring correction. Elevance acknowledged the problem internally across that same period. It identified unsupported diagnosis codes. It simply did not submit corrections through the required electronic channels, and it continued certifying its data as accurate.

This is not an audit that caught a plan unaware. This is a seven-year gap between internal identification and regulatory action. The action came only when CMS determined that the standard correction process had failed completely. For compliance officers reviewing their own risk adjustment workflows, the Elevance notice provides a precise map of where the regulatory exposure sits: not in the existence of unsupported codes, but in what the plan does — and does not do — in the 60 days after internal review identifies them.

The 60-day overpayment reporting obligation under 42 CFR 422.326 does not require that CMS first audit the plan and find the overpayment. It requires the plan to act once it knows. Elevance’s internal reviews apparently identified, at minimum, some unsupported codes across years of service. The failure was not discovery. It was the response that followed discovery.

Contracts Suspended
46
MA-PD contracts suspended for enrollment and marketing communications effective March 31, 2026. Elevance had a 30-day cure option.
Regulatory Citations
42 CFR 422.310(d)(1) Diagnosis code deletion
42 CFR 422.326(d) 60-day reporting
42 CFR 422.310(b)/(d)(2) Electronic submission
42 CFR 422.504(l) Data certification
CMS Directives Ignored
7
Seven formal CMS directives to Elevance between 2018 and 2025 — one per year on average — before the sanctions action was taken.

“The failure was not discovery. It was the response that followed discovery.”

PCOOB Weekly — May 1, 2026 — Risk Adjustment Compliance Analysis
03 — The Response

Four operational implications that were always true. Now they have a precedent attached.

Immediate Action Required
01
Internal medical record review rigor
The OIG’s findings — 81% to 91% of sampled enrollee-years containing at least one unsupported code across three plans — suggest routine risk adjustment validation is not catching what OIG auditors find when they review the same records. Plans should assess whether their internal processes apply clinical specificity at the record-documentation level, not just attestation or abstraction summaries.
Relevant to: OIG audit series methodology
02
The 60-day overpayment reporting clock
Under 42 CFR 422.326, once a plan identifies an overpayment, it has 60 days to report and return it. The statute does not require CMS to audit first. Plans need a documented workflow that establishes when identification occurs, who triggers the reporting process, and what constitutes a completed report and return — not just a policy reference to the obligation.
42 CFR 422.326(d)
03
Electronic submission system requirements
Risk adjustment data corrections must flow through RAPS, EDPS, or RAOR. Alternative submission channels — including physical media delivered to CMS contractors — do not satisfy the requirement regardless of whether the underlying data is accurate. Plans using any process outside these systems should conduct a technical review before that process becomes the subject of a CMS inquiry.
42 CFR 422.310(b)/(d)(2)
04
Data certification integrity
Executives certifying risk adjustment data accuracy are certifying the output of the entire downstream process — including the completeness of internal reviews, the accuracy of reported corrections, and the timeliness of overpayment disclosures. The fourth Elevance violation clarifies the scope: certifying data that has not been validated through a complete and documented process is a distinct regulatory violation.
42 CFR 422.504(l)
Key Takeaways

Five things compliance and quality leaders should act on from this edition

The OIG series and the Elevance sanctions define the same four compliance areas from two different directions — one through audit findings, one through enforcement action. Both point to the same operational gaps.

The OIG audit series is now confirmed systemic. Three plans, the same series, 81–91% unsupported code rates. Plans not auditing their own portfolios with equivalent clinical rigor are likely to encounter this question through a mandatory review process.

The 60-day clock starts at internal identification — not at CMS audit. Plans need a documented identification-to-reporting workflow with defined triggers and responsible owners. A written policy referencing the obligation is not sufficient.

Electronic submission channels are not interchangeable. RAPS, EDPS, and RAOR are required. Workarounds — including encrypted physical media — are a violation independent of data accuracy.

The Elevance timeline is the editorial anchor: seven years, seven directives. CMS does not always move fast. But when it does, the sanctions notice reflects the accumulated record of what the plan knew and when it knew it.

The OIG series and RADV expansion are parallel enforcement tracks. Plans should treat the OIG diagnosis code findings as an audit hypothetical for their own portfolios — not as a case study in someone else’s compliance failure.

Open Threads

What to watch next

Elevance cure attestation status

Elevance had until March 30, 2026 to submit an attestation of completion to avoid sanctions taking effect. Whether that attestation was submitted — and whether CMS accepted it — has not been publicly confirmed. Any CMS response or continued sanctions would be significant.

OIG series expansion

Priority Health, Gateway Health Plan, and BCBS Alabama are three findings. A fourth or fifth publication from the same series would constitute a confirmed national pattern across plan types and regions. Monitor OIG audit report publications.

RADV Payment Year 2020 first determinations

The RADV audit program — now with near-universal plan coverage and approximately 2,000 coders — will produce its first PY2020 overpayment determinations. These will be the first test of the new methodology at scale and of plans’ formal appeal options.

IRE transition: MAXIMUS to C2C

As of May 1, 2026, C2C replaces MAXIMUS as the Part C Independent Review Entity. Plans should confirm their IRE submission workflows, contact information, and operational handoff procedures are updated for the new contractor.

Sources
1
CMS Sanctions Notice — Elevance Health
February 27, 2026. Effective March 31, 2026. CMS.gov. Covers 46 MA-PD contracts. Four regulatory violations. Dates of service 2015 through April 2, 2023.
Tier 1 — CMS
2
OIG Audit Report A-07-22-01207 — BCBS Alabama
Issued March 10, 2026. OIG.HHS.gov. 247/271 sampled enrollee-years; $769,195 direct; $7M estimated for 2018–2019.
Tier 1 — OIG
3
OIG Audit Report — Priority Health (H2320)
OIG.HHS.gov targeted audit series. 252/300 sampled; $828,010 in overpayments.
Tier 1 — OIG
4
OIG Audit Report — Gateway Health Plan (H5932)
OIG.HHS.gov targeted audit series. 232/286 sampled; $830,334 in overpayments.
Tier 1 — OIG
5
42 CFR 422.310, 422.326, 422.504
Federal Register / eCFR. Electronic submission requirements (RAPS/EDPS/RAOR); 60-day overpayment reporting; data certification accuracy standard.
Tier 1 — Federal Register
PCOOB Weekly
Namrata Giri
Healthcare payer compliance, strategy, and AI-enabled operations
PCOOB Weekly covers payer compliance, operations, oversight, and risk for U.S. health plan leaders. Independent analysis. No vendor affiliation. Every edition is factual, sourced, and perspective-led.
© 2026 PCOOB Weekly. Independent analysis for U.S. health plan leaders.
All analysis is based on publicly available regulatory sources. This publication does not constitute legal, compliance, or financial advice. Readers should consult qualified advisors before taking action based on this content.