The CMS and OIG Audit Preparation Guide for Payers

The New Era of Oversight and Payer Audits


In 2025, payer organizations face an audit environment more rigorous than ever. The Department of Health and Human Services’ Office of Inspector General (OIG) has ramped up its focus on fraud, waste, and abuse (FWA) in health plans, PACE programs, managed service organizations (MSOs), and regional insurers. Compliance leaders, COOs, medical directors, CFOs, and risk officers are under pressure to ensure every claim, encounter, and authorization meets regulatory standards. Significant enforcement actions and evolving audit protocols signal that “business as usual” is no longer an option. Payers must proactively fortify their operations to avoid costly penalties and reputational damage.

Sources: CMS Newsroom, OIG Reports, Kaiser Reports


What an OIG Audit really is


An OIG audit is a formal review initiated by the Office of Inspector General to determine whether Medicare Advantage Organizations (MAOs) comply with federal laws, CMS regulations, and contractual obligations. Organizations may be selected for audit based on data anomalies, whistleblower complaints, random sampling, or prior risk indicators. Once notified, the plan must respond with extensive documentation—including medical records, claims data, and evidence of service delivery. The OIG conducts an in-depth review, either remotely or on-site, to assess coding accuracy, risk adjustment practices, utilization management decisions, and provider network adequacy.


If the audit identifies potential violations—such as unsupported diagnoses, improper denials of medically necessary care, or inflated risk scores—the OIG will issue a draft report. The organization is given a chance to respond, submit additional evidence, or outline corrective actions. Final findings may trigger a range of penalties: from corrective action plans and civil monetary penalties (exceeding $10,000 per claim in some cases) to full recoupment of overpayments. In more serious cases, MAOs can be excluded from federal healthcare programs or even lose their Medicare Advantage contracts entirely. To mitigate this risk, organizations must proactively invest in internal audit processes, maintain rigorous documentation, and use advanced tools like PCG’s Virtual Examiner to ensure ongoing compliance.

Why are CMS Audits Ramping up?


Both OIG and CMS have sharpened their tools and mandates. OIG investigators are employing advanced analytics to spot anomalies and outliers in data submissions, triggering audits when they detect potential non-compliance patterns. Audit selections can stem from random sampling, data irregularities, whistleblower complaints, or known high-risk behaviors. In parallel, CMS announced it will audit every Medicare Advantage contract annually – a dramatic expansion from past years. As CMS Administrator Dr. Mehmet Oz put it, “it is time CMS faithfully executes its duty to audit these plans and ensure they are billing the government accurately”. This climate of heightened scrutiny means delegated payers and their partners must be audit-ready at all times.
Sources: CMS statement on ramp-up, OIG report, GAO report, modernhealthcare

  • Triggers and Vulnerabilities in OIG Audits

    Triggers for audits include:

    • Outlier data or sudden increases in specific codes/modifiers
    • Whistleblower tips
    • Member complaints
    • Utilization shifts (e.g. telehealth, behavioral health)


    Vulnerabilities include:

    • Modifier misuse (25, 59, etc.)
    • Coding without documentation
    • Overpayment retention
    • Discrepancies between contracts and system configuration
    • Weak delegated entity oversight
  • APC vs ASC

    One of the most overlooked audit triggers is the inappropriate use of APC (Ambulatory Payment Classification) codes in outpatient settings versus ASC (Ambulatory Surgical Center) codes. Each code group carries its own reimbursement rate and rules for coverage. Mistaking an ASC-eligible procedure as a hospital outpatient APC claim—especially with the wrong place-of-service code—can result in overpayments and recoupments. VE checks for this mismatch using its site-of-service verification logic. It reviews billing patterns against historical patient-level claims and flags cases where surgical procedures are coded for the wrong setting or reimbursement structure.

  • Encounter Data is even more important now

    Accurate encounter data plays a critical role in audit outcomes. Inconsistent or incomplete encounter submissions often trigger deeper CMS and OIG review, even when claim payments appear accurate. Cleaner data reduces downstream RADV exposure, supports accurate risk adjustment, and provides defensible audit trails during regulatory reviews. Plans that align claims, encounters, and documentation across systems materially reduce both financial recoupments and compliance findings.

Longitudinal Episode of Care Auditing Increases


Daily, longitudinal claims auditing has become a foundational expectation for payer compliance—not a best practice. OIG and CMS audits routinely examine multi-year billing patterns, not isolated claims. Reviewing claims nightly against three years of historical billing activity allows plans to identify systemic coding errors, improper risk adjustment trends, and recurring authorization issues before they surface in audits. This approach directly supports cost containment, reduces payment error rates below CMS CERT benchmarks, and demonstrates proactive compliance oversight during regulator reviews of internal controls.


Operational Impact of CMS Audits

OIG compares paid claims and encounter submissions against regulatory requirements. Unsupported or inconsistent codes lead to audit findings and repayment obligations. Payers must reconcile what is billed, paid, and submitted to CMS across systems.

Sources: OIG pdf, CMS report on RADV, OIG audit reports

Pre-payment vs Post-payment Audits


To fully safeguard their claims workflows, payers must be fluent in both pre-payment and post-payment audit protocols. Pre-payment audits take place before any funds are disbursed. These may use edit engines, rules-based logic, or AI tools to catch invalid or noncompliant claims early—helping avoid improper payments altogether. Post-payment audits, by contrast, are retrospective. They focus on paid claims to detect errors, overpayments, or suspected fraud. Findings often trigger repayment demands or referrals to CMS and OIG. Using both together creates a layered compliance defense—stopping bad claims at the front door, while detecting missed risks in hindsight.

Incorrect Coding and Payments


Coding accuracy is central to payment integrity and audit defense. Yet, even minor inconsistencies—like a mismatched diagnosis or an overlooked modifier—can trigger civil penalties or risk adjustment rejections. CMS audits such as CERT (Comprehensive Error Rate Testing) and OIG reviews increasingly flag not just financial overpayments, but also technical or documentation-based issues that reflect systemic weaknesses. Health plans must ensure their coding logic aligns with evolving CMS standards, especially around modifiers, site-of-service accuracy, and procedural bundling. PCG’s Virtual Examiner (VE) addresses this exposure with its knowledgebase of 480+ reason codes, complete longitudinal billing history per patient, and built-in regulatory edit engines. Below are key coding pressure points plans must actively manage:

  • CMS CERT - Payment Error Rate

    CMS’s Comprehensive Error Rate Testing (CERT) program audits a statistically valid sample of claims across payers to estimate improper payment rates. The most common findings include missing documentation, invalid coding, or incorrect application of medical necessity. In 2023, the improper payment rate for Medicare Part C reached over 6.5%, often tied to diagnosis coding or risk adjustment validation failures. Plans whose submissions fall into CERT’s audit pull may be required to submit extensive documentation and respond under tight timelines. VE mitigates this by preemptively flagging claims with documentation mismatches, weak diagnosis linkage, or unsupported hierarchical condition categories (HCCs), helping plans prevent errors before submission.

  • CCI Edits

    The National Correct Coding Initiative (NCCI) edits—commonly referred to as CCI edits—are CMS’s way of enforcing code bundling rules and preventing double billing. These edits define when procedures are mutually exclusive or when one service is integral to another. For example, billing for a comprehensive exam and a minor surgical procedure on the same date often requires modifier 25 to bypass a CCI conflict. VE has an embedded CCI engine that flags violations instantly and recommends proper modifier use. This reduces denials, improves claims cleanliness, and protects against downstream audit penalties that arise from routinely bypassed edits.

  • Non-Compliance but Non-Financial Errors

    Not all audit risks are tied to money. CMS and OIG now target encounter data submissions for non-financial compliance failures—including incorrect diagnosis codes, invalid place-of-service (POS) values, missing National Provider Identifiers (NPIs), and unsupported linkages between CPT and ICD-10 codes. While these errors may not trigger immediate payment adjustments, they still count against a plan’s audit profile and can influence RADV reviews, STAR ratings, or contract renewals. VE flags these issues by cross-referencing plan-specific encounter logic and CMS reporting rules, helping ensure compliance even where no direct payment is at stake. This is especially critical in delegated models where MSOs or IPAs submit encounter data on the plan’s behalf.
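As an added illustration of the CCI, APC-vs-ASC and non-financial encounter checks described in the list above (example code written for this guide, not PCG's Virtual Examiner logic), the following edit pass runs constructed claim lines against a constructed NCCI edit table and emits a reason code per pressure point. The NPI check-digit routine is the published Luhn rule over the "80840" prefix; the edit pairs, ASC covered list, CPT, POS and diagnosis values are sample data.

```python
from dataclasses import dataclass, field

# NCCI procedure-to-procedure (PTP) edits: (column-1, column-2) -> modifier indicator
# (0 = never separately payable, 1 = payable with an appropriate modifier).
# Rows here are CONSTRUCTED samples, not the published CMS tables.
PTP_EDITS = {
    ("99213", "11720"): 1,  # E/M plus minor procedure: modifier 25 on the E/M bypasses
    ("99213", "36415"): 0,  # constructed: no modifier allows separate payment
}
BYPASS_MODIFIERS = {"25", "59", "XE", "XS", "XP", "XU"}
VALID_POS = {"11", "22", "24"}  # real CMS POS codes: office, outpatient hospital, ASC
ASC_COVERED = {"66984", "29881"}  # constructed stand-in for the ASC covered list

def npi_is_valid(npi: str) -> bool:
    """NPI check digit: Luhn over the 10 digits prefixed with '80840'."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    total = 0
    for i, d in enumerate(int(c) for c in reversed("80840" + npi)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class ClaimLine:
    claim_id: str
    dos: str
    cpt: str
    icd10: list
    pos: str
    rendering_npi: str
    modifiers: list = field(default_factory=list)
    payment_group: str = ""  # "APC" (hospital OPPS) or "ASC" as adjudicated

def run_edits(lines):
    """Return {claim_id: [reason codes]} for every claim that fails an edit."""
    findings, by_claim = {}, {}
    def flag(cid, code):
        findings.setdefault(cid, []).append(code)
    for ln in lines:
        by_claim.setdefault((ln.claim_id, ln.dos), []).append(ln)
    for (cid, _dos), group in by_claim.items():
        cpts = {ln.cpt: ln for ln in group}
        # 1. CCI/NCCI bundling across the lines of one claim on one date of service
        for (col1, col2), indicator in PTP_EDITS.items():
            if col1 in cpts and col2 in cpts:
                mods = set(cpts[col1].modifiers) | set(cpts[col2].modifiers)
                if indicator == 0 or not (mods & BYPASS_MODIFIERS):
                    flag(cid, f"CCI_CONFLICT:{col1}/{col2}")
        for ln in group:
            # 2. APC vs ASC: ASC-eligible surgery done in an ASC but paid as hospital outpatient
            if ln.cpt in ASC_COVERED and ln.pos == "24" and ln.payment_group == "APC":
                flag(cid, f"SITE_OF_SERVICE_MISMATCH:{ln.cpt}")
            # 3. Non-financial encounter-data defects (no payment impact, still audit findings)
            if ln.pos not in VALID_POS:
                flag(cid, f"INVALID_POS:{ln.pos}")
            if not npi_is_valid(ln.rendering_npi):
                flag(cid, "MISSING_OR_INVALID_NPI")
            if not ln.icd10:
                flag(cid, "NO_DIAGNOSIS_LINKAGE")
    return findings

def sample_claims():
    """Constructed claim lines, one per edit. 1234567893 is the CMS documentation test NPI."""
    ok = dict(dos="2025-03-01", icd10=["L60.0"], pos="11", rendering_npi="1234567893")
    return [
        ClaimLine("C1", cpt="99213", **ok), ClaimLine("C1", cpt="11720", **ok),
        ClaimLine("C2", cpt="99213", modifiers=["25"], **ok), ClaimLine("C2", cpt="11720", **ok),
        ClaimLine("C3", cpt="99213", modifiers=["59"], **ok), ClaimLine("C3", cpt="36415", **ok),
        ClaimLine("C4", dos="2025-03-01", cpt="66984", icd10=["H25.11"], pos="24",
                  rendering_npi="1234567893", payment_group="APC"),
        ClaimLine("C5", dos="2025-03-01", cpt="99213", icd10=[], pos="00", rendering_npi="1234567890"),
    ]
```

Running `run_edits(sample_claims())` shows C2 passing because modifier 25 satisfies an indicator-1 edit, while C3 still fails because an indicator-0 pair cannot be bypassed by any modifier.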

Prior Authorizations


Improper denials of care are facing heightened scrutiny. A 2022 OIG report revealed that 13% of denied authorization requests actually met Medicare coverage guidelines. Auditors are analyzing whether plans are employing utilization management protocols that are more stringent than those permitted by CMS. With this knowledge, CMS will scrutinize not only the claims that were paid but also the authorization decisions made under clinical criteria and contract terms. Is your organization approving procedures and services that it shouldn't, or denying those that should be authorized? It’s essential to avoid any and all discrepancies.

  • 3 Ways to Safeguard your Authorizations

    Start by validating that your UM criteria are fully aligned with Medicare coverage guidelines—not just internal protocols. For example, if your policy denies home oxygen unless a patient has failed multiple therapies, but CMS covers it based on blood oxygen levels alone, your plan may be in violation. Second, implement real-time peer review for high-risk denials (e.g., imaging, behavioral health). This second layer reduces inappropriate denials and builds defensibility. Third, track and audit overturned appeals. A high overturn rate can signal flawed criteria and is a known audit trigger. CMS and OIG increasingly review whether UM decisions deny medically necessary care. Plans must demonstrate not only adherence to coverage rules but also that internal decision-making does not create barriers to timely access. Automating authorization workflows with documentation flags tied to CMS policies can further reduce exposure.

Delegated Entity Oversight


Plans are accountable for the actions of MSOs, TPAs, and IPAs. We understand that healthcare increasingly involves shifting risk further down the funnel. However, anyone who agrees to take on partial risk is now under scrutiny. Consequently, inadequate oversight of coding, encounter submissions, or network management can lead to audit findings against the plan—even if the responsibility lies with the delegated party.

  • How to Review Vendors and Entities

    Health plans must exercise active, not passive, oversight over MSOs, IPAs, and TPAs. Begin with annual audits of their coding and claims practices. For instance, one California plan found its IPA was consistently using modifier 25 to bypass edits—triggering an OIG inquiry. Require quarterly reports on error rates, overpayments, and grievances. Use a standardized scorecard to track compliance KPIs like encounter rejection rates, timeliness of submission, and audit response readiness. Contracts should include clear right-to-audit clauses and escalation paths for underperformance. When onboarding new vendors, perform due diligence: review their policies, training programs, and any known compliance issues. Even if an entity handles only authorizations or credentialing, your plan is accountable for their output. Maintain regular joint compliance meetings to address findings before they escalate to regulatory action.

Contract Alignment and System Configuration


If payment systems do not reflect the latest contract terms or CMS fee schedules, the result is often mass overpayments. OIG will probe whether those overpayments were identified and refunded in a timely manner.

  • Safeguarding System Configuration tips

    One of the most common—and costly—failures is allowing outdated fee schedules or contract terms to persist in claims systems. For example, a midwestern MSO paid CPT code 99397 at a 2022 rate throughout 2024, resulting in overpayments flagged in a CMS data match. To prevent this, establish a governance team of finance, compliance, and IT leads who meet quarterly to validate that all edits, rates, and logic reflect current CMS and plan terms. Build alerts that flag claims paid outside expected ranges or frequency limits. Track all manual overrides and require documentation justification. Conduct post-payment audits comparing contract intent vs. adjudicated reality—especially after new provider onboarding or system upgrades. Lastly, integrate VE (Virtual Examiner) or similar tools to continuously monitor and flag configuration mismatches, reducing your exposure before CMS or OIG finds it first.

  • NCCI Edits vs Provider Contract Terms

    A frequent but overlooked audit exposure occurs when provider contracts allow billing scenarios that conflict with CMS National Correct Coding Initiative (NCCI) edits. Even when claims systems follow NCCI logic, contract terms that permit non-compliant combinations create payment inconsistencies that auditors readily identify. OIG reviews assess whether plans knowingly paid claims that violate standardized coding rules, regardless of contractual language. Aligning provider contracts, claims configuration, and NCCI logic is essential to preventing systemic overpayments and audit findings.
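The post-payment configuration audit recommended in the tips above, as an added example written for this guide (not PCG's or Virtual Examiner's code): it replays paid claims against the contract rate in force on each date of service, checks a per-member frequency limit against the member's longitudinal history, and flags manual overrides that carry no documented justification. The CPT 99397 rate history, the once-per-365-days benefit rule and the claims are constructed; the 2022 rate is deliberately set higher than the 2024 rate so that a stale configuration overpays, as in the scenario described.

```python
from collections import defaultdict
from datetime import date, timedelta

# Contracted rate history for one CPT code: (effective_from, effective_to, rate).
# Constructed sample data; a stale 2022 rate left in the system overpays 2024 claims.
RATE_HISTORY = {
    "99397": [
        (date(2022, 1, 1), date(2022, 12, 31), 170.00),
        (date(2023, 1, 1), date(2023, 12, 31), 162.00),
        (date(2024, 1, 1), date(2024, 12, 31), 158.00),
    ],
}
# Constructed plan benefit rule: (max units, rolling window in days) per member.
FREQUENCY_LIMITS = {"99397": (1, 365)}
TOLERANCE = 0.01  # dollars; rounding differences are not findings

def contracted_rate(cpt, dos):
    """Rate in force on the date of service, or None if no contract term covers it."""
    for start, end, rate in RATE_HISTORY.get(cpt, []):
        if start <= dos <= end:
            return rate
    return None

def audit_paid_claims(claims):
    """claims: dicts with claim_id, member_id, cpt, dos (date), paid, optional override
    and override_reason. Returns ([(claim_id, finding, amount)], overpayment_total)."""
    findings, overpaid = [], 0.0
    history = defaultdict(list)  # (member, cpt) -> dates of service already seen
    for c in sorted(claims, key=lambda c: c["dos"]):
        expected = contracted_rate(c["cpt"], c["dos"])
        if expected is None:
            findings.append((c["claim_id"], "NO_CONTRACT_TERM_FOR_DOS", c["paid"]))
        elif abs(c["paid"] - expected) > TOLERANCE:
            delta = round(c["paid"] - expected, 2)
            overpaid += max(delta, 0.0)
            findings.append((c["claim_id"], "RATE_MISMATCH", delta))
        # Manual overrides are acceptable only with a documented justification
        if c.get("override") and not c.get("override_reason"):
            findings.append((c["claim_id"], "UNDOCUMENTED_OVERRIDE", c["paid"]))
        # Frequency limit evaluated against the member's prior claims (longitudinal view)
        limit = FREQUENCY_LIMITS.get(c["cpt"])
        key = (c["member_id"], c["cpt"])
        if limit:
            max_units, window = limit
            recent = [d for d in history[key] if c["dos"] - d < timedelta(days=window)]
            if len(recent) >= max_units:
                findings.append((c["claim_id"], "FREQUENCY_LIMIT_EXCEEDED", c["paid"]))
        history[key].append(c["dos"])
    return findings, round(overpaid, 2)

def sample_claims():
    """Constructed paid claims: two 2024 claims still paid at the 2022 rate, a second
    preventive visit inside the window, an undocumented override, and a pre-contract DOS."""
    return [
        dict(claim_id="P1", member_id="M1", cpt="99397", dos=date(2024, 2, 10), paid=170.00),
        dict(claim_id="P2", member_id="M2", cpt="99397", dos=date(2024, 5, 3), paid=170.00),
        dict(claim_id="P3", member_id="M3", cpt="99397", dos=date(2023, 6, 1), paid=162.00),
        dict(claim_id="P4", member_id="M1", cpt="99397", dos=date(2024, 9, 1), paid=158.00),
        dict(claim_id="P5", member_id="M4", cpt="99397", dos=date(2024, 7, 1), paid=200.00, override=True),
        dict(claim_id="P6", member_id="M5", cpt="99397", dos=date(2021, 12, 15), paid=170.00),
    ]
```

The overpayment total returned is what a governance team would reconcile against the 60-day report-and-return obligation; claims with no contract term for their date of service are surfaced separately because they indicate a configuration gap rather than a rate error.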

Separate Authorizations, Claims, and Compliance


According to CMS regulations, your compliance department must function autonomously from your claims administration department, and as a general guideline, it should also operate separately from your medical management team.


PCG Note: In our 30+ years, we've seen many payer organizations operate with a single compliance officer who essentially serves as the technology CIO... This won't cut it. There are multiple types of governmental compliance risk: technology, payments, authorizations, clinical, and more.

Range of OIG Fines


The Office of Inspector General (OIG) can impose civil monetary penalties (CMPs) ranging from $10,000 to $50,000 per violation under federal law. More serious offenses—like Anti-Kickback Statute (AKS) or False Claims Act (FCA) violations—carry higher exposure, with criminal FCA fines up to $500,000 and AKS penalties up to $27,894 per instance. Stark Law violations may result in $15,000 per improper claim and $100,000 per arrangement.


Penalties for employing excluded individuals are based on related claim value or compensation, often multiplied by 1.5. For egregious offenses like information blocking, fines can reach $1 million per violation. OIG may also pursue triple damages or exclusion from Medicare/Medicaid programs.

CMS requires overpayments to be reported and returned within 60 days of identification, though the clock pauses during a good-faith investigation or while under OIG’s Self-Disclosure Protocol (SDP). If related overpayments are found, the deadline extends to the earlier of the investigation’s end or 180 days. The updated SDP sets minimum settlement thresholds: $100,000 for AKS and $20,000 for other issues. Early self-reporting often reduces penalties and helps avoid corporate integrity agreements.


Sources: HHS FWA article, HIPAA Journal, eCFR.gov article, mintz fwa, baird-holm fwa

  • OIG Fine Examples

    • Employing an excluded individual: AccuCare Home Health Services of Missouri agreed to pay $20,000 in September 2025 for violating the CMP law by employing an excluded person.
    • EMTALA “patient dumping”: Spartanburg Medical Center paid $100,000 after OIG determined it inappropriately transferred a patient instead of providing stabilizing care.
    • Flowers Hospital in Alabama paid $150,000 for refusing transfer of patients despite having the capability to treat them.
    • Information blocking: Under the June 2023 final rule, health IT developers, health information networks and exchanges that commit information blocking are subject to CMPs up to $1 million per violation.
    • Other violations: Penalties for anti-kickback or Stark Law offenses can include exclusion and treble damages, with CMPs up to $50,000 per kickback plus three times the remuneration.

    These examples illustrate the wide range of fines and the importance of prompt disclosure and repayment. Health plans and delegated entities should maintain robust compliance programs, perform regular exclusion screening, and establish processes to identify and repay overpayments quickly to mitigate potential penalties.

How OIG Enforcement Typically Escalates


Most OIG enforcement actions follow a defined escalation path. Initial findings often result in a required corrective action plan (CAP), outlining specific remediation steps and timelines. Failure to correct deficiencies can lead to civil monetary penalties, recoupment of overpayments, or both. In cases involving systemic non-compliance, unsupported risk scores, or repeated improper denials, enforcement may escalate to enrollment sanctions, exclusion from federal healthcare programs, or termination of Medicare Advantage contracts. Early identification and remediation materially reduce the likelihood of severe outcomes.

What is De-Delegation?


How De-delegation works...


Delegation allows payer organizations to transfer administrative functions—such as utilization management, claims processing, credentialing, or quality improvement—to contracted entities. However, the responsibility for performance and compliance remains with the health plan. De‑delegation occurs when a plan revokes some or all delegated functions because the delegate fails to meet contractual or regulatory standards. This process is typically triggered after audits, performance scorecards, or corrective action plans (CAPs) reveal persistent deficiencies.


Health plan policies outline a structured pathway toward de‑delegation. For example, Inland Empire Health Plan (IEHP) requires delegates with deficiencies to submit a CAP; if they cannot correct the issues within the specified timeframe, IEHP may revoke delegation in whole or in part. Anthem’s Medicaid manual states that the Delegate/Vendor Oversight & Management Committee (DVOMC) reviews quarterly reports and conducts audits. If a delegate fails to resolve deficiencies, the account manager reports this to the DVOMC, which determines whether to continue delegation, apply additional oversight, or terminate the delegation. Health Net’s delegation training materials make clear that any activity falling below defined thresholds triggers a CAP; failure to complete the CAP allows the Delegation Oversight Committee to impose sanctions, freeze membership, revoke delegation, or terminate contracts. These policies underline that de‑delegation is not a first resort but follows an escalation process with clear expectations and timelines.

  • Utilization Management failures

    If a delegated IPA repeatedly misses the required 95% compliance score for utilization management file reviews (turnaround time and notice content), the plan will issue a CAP. Continued non‑compliance may lead the oversight committee to revoke UM delegation, forcing the plan to bring UM back in‑house or assign it to another delegate.

  • Claims processing failures

    Plans may de‑delegate claims processing when delegates consistently miss timeliness thresholds (e.g., failing to issue 70% of checks within 14 days) or produce inaccurate payment edits. Health Net’s guidelines state that failure to meet claims thresholds results in CAPs and potential withdrawal of contract negotiations.

  • No Corrective Action Plan completed

    Corrective Action Plan non‑completion: IEHP policy specifies that delegates who do not correct CAP deficiencies within the allotted timeframe face revocation of delegation. This ensures that chronic performance issues don’t endanger regulatory compliance.

What happens after de-delegation?


De‑delegation can have serious operational impacts—claims workflows must be transitioned back to the plan or another delegate; member communications and provider network functions may be disrupted. For payer organizations, the best defense is proactive oversight: perform pre‑delegation audits, set clear performance metrics, require frequent reporting, and provide support to struggling delegates. Ultimately, you can delegate functions, but not accountability. A robust oversight program and contingency plans ensure that if de‑delegation becomes necessary, you can protect compliance, member experience, and financial performance.

Conclusion

Article Summary


With heightened OIG scrutiny and expanded CMS audit protocols, payer organizations face growing risk across claims, coding, and delegated functions. This article breaks down the latest penalty structures, audit triggers, and de-delegation realities, offering clear, actionable guidance for compliance leaders. Whether you're managing a PACE program, MA plan, or MSO, understanding how and why enforcement is intensifying is critical to avoiding financial and operational fallout.

Why PCG Wrote this Article


PCG Software published this guide to help plans navigate the shifting compliance landscape with clarity and confidence. If your organization wants to avoid audit findings and elevate claims defensibility, we invite you to enroll in a live Virtual Examiner (VE) audit and demo. See how VE proactively flags risk, corrects coding issues, and ensures audit readiness—before CMS or OIG come knocking.

About PCG

For over 30 years, PCG Software Inc. has been a leader in AI-powered medical coding solutions, helping Health Plans, MSOs, IPAs, TPAs, and Health Systems save millions annually by reducing costs, fraud, waste, abuse, and improving claims and compliance department efficiencies. Our innovative software solutions include Virtual Examiner® for Payers, VEWS™ for Payers and Billing Software integrations, and iVECoder® for clinics.
