Medicare Advantage: New OIG Compliance Guidance Has Implications for Providers

Background 

On February 3, 2026, the U.S. Department of Health & Human Services, Office of Inspector General (OIG), published the long-awaited Medicare Advantage Industry Segment-Specific Compliance Program Guidance (Medicare Advantage ICPG). 

The Medicare Advantage ICPG is meant to identify risk areas for those engaging with or participating in Medicare Advantage, provide recommendations and practical considerations for mitigating those risk areas, and highlight other important information that the OIG believes parties should consider when evaluating compliance programs. 

Although much of the Medicare Advantage ICPG is directed toward Medicare Advantage Organizations (MAOs), the OIG also discusses MAOs’ responsibilities for overseeing providers and other partners. This discussion focuses on the areas identified as most likely to affect providers furnishing services to Medicare Advantage beneficiaries. 

As with prior OIG Compliance Guidances, adherence to OIG’s recommendations is not mandatory. However, the OIG’s Guidances typically clarify the steps and parameters the OIG expects to demonstrate a compliance program is well-designed and effective. 

Medicare Advantage ICPG Provider Implications

Applicability. Under existing Centers for Medicare & Medicaid Services (CMS) regulations, First Tier, Downstream, or Related Entities (FDRs) are already subject to specific, defined compliance program requirements through their contracts with MAOs. However, the OIG makes clear that the Medicare Advantage ICPG is not limited to FDRs but rather is intended for a broader group it calls “MA Parties,” defined as any entity or individual participating in or engaged with the Medicare Advantage program. This suggests that providers who do not meet the regulatory definition of an FDR may still be viewed — by both MAOs and the OIG — as subject to compliance expectations if they perform Medicare Advantage-related functions. 

Oversight of Third Parties. The Medicare Advantage ICPG dedicates a full section to the oversight of third parties. The OIG recognizes that MAOs may delegate a range of functions to third parties. Some of these third parties may include FDRs, which have specific compliance requirements set forth in CMS regulations. Accordingly, the Medicare Advantage ICPG states that, to determine the level of appropriate oversight over third parties, MAOs will need to determine whether third parties are FDRs. Regardless of whether a third party meets the definition of an FDR, the OIG recommends that MAOs and other MA Parties consider the roles of third parties when assessing potential compliance risks arising from those relationships and calibrate an appropriate compliance strategy. 

Factors that MA Parties should consider when developing a compliance strategy in connection with third parties include:  

1. The types of tasks an MAO has delegated to the third party;
2. The compliance risks associated with those tasks;
3. The third party’s sophistication and preexisting compliance infrastructure; and
4. Current government enforcement and oversight trends.

Due Diligence of Third Parties. The Medicare Advantage ICPG also recommends that MAOs conduct basic due diligence of third parties before delegating any program functions. This due diligence should include an initial risk evaluation to determine the level of compliance or fraud and abuse risk presented by working with a particular third party. 

To determine the risk level, MAOs are recommended to assess, among other things:

• The scope of functions delegated and whether they involve higher risk or sensitive tasks, such as direct interaction with Medicare Advantage enrollees, marketing, or other functions that overlap with fraud, waste, and abuse risk areas;
• Whether the third party is an FDR;
• The third party’s prior experience working with MAOs and other health care entities and its understanding of the risks associated with assuming the obligations of the MAOs;
• The third party’s level of sophistication;
• The third party’s data expertise and ability to timely report information; and
• Whether the third party is enrolled in Medicare.

Compliance Considerations. Finally, the Medicare Advantage ICPG notes that, when drafting agreements between the MAOs and third parties, it is common for MAOs to secure specific compliance-related rights and obligations from FDRs. This includes attestations addressing the structure and operation of the third party’s compliance program, requirements to conduct regular screenings of employees and downstream entities against the OIG’s List of Excluded Individuals and Entities, obligations to report potential violations, auditing and monitoring rights, and other compliance-related provisions.

The OIG further notes there are special compliance considerations for providers that are also FDRs and recommends carefully tailored compliance programs to ensure proper oversight, even where functions have been delegated. MAOs should also identify opportunities to directly train their FDRs on compliance obligations, rather than relying solely on FDRs to train themselves.

Conclusion

The Medicare Advantage ICPG suggests that the OIG’s compliance expectations reach beyond MAOs and formally designated FDRs. Even if a provider does not meet the regulatory definition of an FDR, the OIG indicates an expectation that such providers may still be subject to certain OIG and MAO oversight. Providers that proactively align with the Medicare Advantage ICPG’s recommended practices will be better positioned for successful participation in the Medicare Advantage space in an increasingly heightened compliance environment.

Foley is here to help you address the short and long-term impacts in the wake of regulatory changes. We have the resources to help you navigate these and other important legal considerations related to business operations and industry-specific issues. Please reach out to the authors, your Foley relationship partner, or to our Health Care Practice Group and Health Care & Life Sciences Sector with any questions.