On February 1, 2023, the Centers for Medicare & Medicaid Services (CMS) published a final rule outlining its audit methodology and related policies for its Medicare Advantage (MA) Risk Adjustment Data Validation (RADV) program. The final rule codifies long-awaited regulations first proposed by CMS in 2018.

As stated in the final rule, CMS intends to extrapolate RADV audit findings beginning with payment year (PY) 2018 but will not extrapolate RADV audit findings retroactively for PYs 2011–2017. For these years, CMS will limit payment recoveries to “enrollee-level adjustments,” i.e., the non-extrapolated overpayments identified in CMS RADV audits and Department of Health and Human Services Office of Inspector General (OIG) audits. CMS advised that it will soon issue enrollee-level audit findings from completed RADV audits (PYs 2011–2013, followed by PYs 2014 and 2015) and collect enrollee-level improper payments identified in OIG audits. For PY 2018 and beyond, CMS declined in the final rule to adopt a specific extrapolation methodology. Though not specified in the final rule, CMS promised to “continue to disclose” its extrapolation methodology to MA Organizations (MAOs) through Health Plan Management System (HPMS) memos or other appropriate means.

Similarly, CMS declined in the final rule to adopt any specific sampling methodology, such as the contract-level and sub-cohort approaches discussed in the proposed rule. Instead, CMS intends to use any statistically valid method for sampling that CMS determines is well-suited for a specific audit. While CMS indicated it could apply multiple audit methodologies to a specific contract level audit, CMS likely will use a more targeted approach to be able to audit more MAOs. CMS will identify MAOs for audits based on data analytics to identify coding intensity, audit performance, and high enrollment.

CMS also stated in the final rule that it will not apply a Fee-For-Service (FFS) Adjuster in its RADV audits. CMS reasoned that while the Social Security Act (the Act) requires actuarial equivalence between FFS and MA, the Act only applies to how CMS calculates the risk adjustment made to MAO payments and not to the obligation of MAOs to return improper payments, leveraging recent case law (UnitedHealthcare Insurance Co. v. Becerra). Furthermore, CMS argues in the final rule that it would not be reasonable to read the Act as requiring a reduction in payments to MAOs by a statutorily-set minimum adjustment based on coding intensity, while at the same time prohibiting CMS from enforcing longstanding documentation requirements by requiring an offset to the recovery amounts calculated for CMS audits.

CMS expects to recover a total of $4.7 billion between 2023 and 2032 from MAOs based on both non-extrapolated and extrapolated overpayment amounts. This total includes $41.1 million from non-extrapolated errors based for PYs 2011–2015, an estimated average of $8.2 million per year after 2015 related to non-extrapolated enrollee-level errors, and $479.4 million per year starting in 2025 for PY 2018 from extrapolated recoveries.

We will publish an Insight with deeper analysis in the coming days.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.