If you didn’t already fill out the four-question (2-minutes, anonymous) benchmarking survey, please complete it now and we will send you blinded results showing how your RADV preparedness compares to other providers in the market.
The Centers for Medicare & Medicaid Services (CMS) issued an announcement on May 21, 2025, that all Medicare Advantage (MA) plans will be subject to risk adjustment data validation (RADV) audits. These audits are the process CMS uses to address overpayments to Medicare Advantage Organizations (MAOs) as the result of insufficient documentation. Historically, CMS has found that MA plans have errors in reporting diagnosis codes, which has led to significant revenue recoupment from MAOs.
The recent news creates the framework for additional MAO risk, which could shift to risk-bearing provider groups. Key components of the announcement include:
- CMS will audit all eligible MA contracts beginning with performance year (PY) 2019.
- CMS is committed to accelerating audits by investing in enhanced technology and workforce expansion.
- CMS will extrapolate revenue recoupment beyond the sample audited.
CMS has outlined changes in methodology that could substantially increase the amount of revenue MAOs must return following RADV audits. Specifically, CMS plans to rank all audit-eligible members—primarily those enrolled for all 12 months of the incurred year and at least one month of the payment year—using a “predicted improper payment” algorithm. Although the formula has yet to be disclosed, Wakely anticipates it will rely on circumstantial indicators of coding risk, such as hierarchical condition categories (HCCs) supported by a single encounter, added solely through chart review, or with limited evidence of corroborating medical or pharmacy utilization.
From this ranking, CMS will identify the top 10 percent of members with the highest predicted improper payments, targeting HCCs most likely to yield overpayments. CMS will audit 35−200 records per plan per year, depending on plan enrollment. For members in the top 10 percent who are not audited, CMS will extrapolate error rates from the audited sample to the entire high-risk group. Risk-bearing providers contracted with MAOs should understand their risk as it relates to RADV audits.
- Depending on how a contract is structured, overpayment recoupments may be passed on to the providers. How the recoupments are allocated to risk-bearing providers, however, will depend on how these and other CMS adjustments were defined in the risk-based contract.
- Given plan-level audits are based on a sampling and extrapolated to a larger population, it is difficult to fairly identify which providers are responsible for the overpayment. MAOs could include contract language that allows them to distribute the settlements to providers in several ways (e.g., membership, claims, revenue). Providers should consider the possibility of recoupments, even if their own data shows clean substantiation.
More information on best practices in this new landscape, contracting considerations, and potential risk mitigation follows.
RADV Best Practices
CMS has adopted a more aggressive posture toward the scope and magnitude of RADV audit recoveries. Hence, provider practices bearing risk must further embed robust, defensible coding practices to minimize exposure and ensure compliance. Examples include:
- Reinforce documentation standards: Train providers to document clearly using the MEAT (monitor, evaluate, assess/address, treat) or TAMPER (treat, assess, monitor, plan, evaluate, refer) frameworks. Link each diagnosis to specific, dated clinical documentation.
- Code with precision and completeness: Capture chronicity, complications, and disease severity when applicable. Avoid unspecified or generic codes. Pay close attention to codes for “history of” or “testing for” conditions because they rarely map to active diagnoses and are frequently flagged in audits.
- Identify known high-risk HCCs for extra scrutiny: Previous RADV-related findings frequently flag diagnoses that lack clinical evidence. Focus on codes that show up without documented treatment, workup, or related findings. Examples include stroke without hospitalization or neuro follow-up, cancer without treatment or specialist care, and diabetes with complications but no labs, meds, or management to support the claim.
- Conduct both prospective and retrospective reviews: Use suspecting models to surface likely miscoded or missed conditions, including diagnoses that were coded without sufficient documentation (RADV risks) and those documented but not coded (revenue opportunities). Deploy reviewers or auditors to validate evidence and ensure coding accuracy.
- Monitor coding trends and outliers: Track shifts in risk scores, prevalence and recapture rates, and unsupported diagnosis patterns. Benchmark performance internally and against external benchmarks to detect anomalies and drive improvement.
By establishing these practices, groups that bear risk contractually for CMS recoupments can reduce their RADV exposure and improve risk-adjusted revenue accuracy. In today’s regulatory landscape, financial and reputational risks are real. Provider groups that act decisively can protect margins while maintaining compliance.
RADV Recovery and Provider Risk
In agreements between MA plans and risk-bearing providers, the percent of premium funding that the provider receives should be based on a complete picture of the revenue that the plan receives. This scenario often results in final reconciliations that are somewhat extended (e.g., 9−12 months following the end of the performance period) to allow for the final risk adjustment sweep payments to be reflected in funded revenue. Retroactive adjustments to revenue, however, can be either favorable or unfavorable and sometimes occur years after the end of a performance period and final reconciliation of a provider risk agreement. RADV audits are a good example. It is difficult to govern risk contracts when adjustments may be made many years after final reconciliation. Wakely actuaries have seen a number of approaches and share the following summary, evaluation, and PADU (preferred, acceptable, discouraged, and unacceptable) assessment of those approaches.
| Summary | Evaluation | PADU Assessment (Provider Perspective) | Rationale |
| Contracts Explicitly Exclude RADV | Payer retains the risk related to RADV audit.Provider accounts for a small portion of the payer’s book of business, and the impact of an audit is unlikely be perfectly calibrated to the actual performance of an individual provider group. | Preferred | The payer bears ultimate accountability for ensuring that the documentation supports submissions to CMS. |
| Contract Silence Related to CMS Adjustments | No mention of CMS adjustments in the contract.Ambiguity is usually construed against the drafter of the agreement should a legal dispute arise.Given the extended timeline associated with RADV impacts, RADV audit risk is usually retained by the plan, unless explicitly passed to the provider. | Acceptable | If the contract is silent, a risk-bearing provider is less likely to be found liable for the RADV adjustments. |
| Contract Reference to CMS Adjustments | Explicit mention of CMS adjustments, regardless of whether specific adjustments are outlinedMany adjustments made to revenue throughout the year via the monthly membership report (MMR) that this could refer to, including risk score updates, enrollment/disenrollment, Dual/Medicaid status, end-stage renal disease/institutional status, etc. Without explicit mention, this ambiguity could be construed against the originator of the agreement in a legal dispute.Given the extended timeline associated with RADV impacts, RADV audit risk is usually retained by the plan, unless explicitly passed to the provider. | Discouraged | Reference to CMS adjustments could be construed as including RADV audit impacts. |
| Contracts Explicitly Include RADV | Allocation of extrapolated findings is a challenge.Provider is likely going to be negatively affected by the coding practices of others, even if they are conservative. | Unacceptable | Need to understand the allocation of audit amounts to ensure they are reasonable. |
Other considerations:
- The amount of risk the provider bears is also a consideration: In upside-only or limited risk situations, plans usually retain the RADV audit risk. In delegated, full-risk, or capitation settings with direct coding control, providers can justifiably share in or assume full relevant RADV liability.
Providers could implement a mock audit approach before final reconciliation to identify coding practices and behavior that present risk to the plan (and potentially themselves). Then, try to incorporate contract language that limits exposure to the provider based on favorable results in the audit.
RADV can have a sudden and very substantial impact on provider groups taking risk in MA. Wakely uses a two-pronged approach to support providers. The first prong is educational, helping providers understand how RADV works and what the potential implications could be for prior PYs (2019−2024). The second prong sets provider groups up for success in current and future performance years (2025+) by providing analytics to identify key RADV risks, conducting mock RADV audits, reviewing internal policies and procedures, and analyzing the specific language of risk-based contracts.
Related Resources:
Wakely Provider Playbook page
Someone from our team will contact you to discuss how RADV audit provisions in your current agreements may impact your organization, and what risk mitigation strategies your organization may want to consider, or feel free to reach out to one of us with questions.
