Last updated: Nov 3, 2025

The Cost of Noncompliance: Whistleblower Lawsuits and Risk Adjustment

The Cost of Noncompliance: What Whistleblower Lawsuits Reveal About Risk Adjustment Failures

The recent wave of whistleblower lawsuits in Medicare Advantage has sent a clear and urgent message to payers: coding compliance is no longer a back-office issue; it is a strategic risk. These cases, some of which are ongoing and others already settled under the False Claims Act, are exposing systemic breakdowns in documentation, vendor oversight, and governance. The result? Multimillion-dollar liabilities, reputational damage, and a sharp wake-up call for health plans to prioritize compliance.

Lessons Revealed  

Across the different lawsuits, a similar story emerged. Health plans or their vendors used retrospective reviews to identify “missed” diagnoses, then amended or coded conditions that were never addressed during patient visits. Providers were asked to amend medical records after the fact, sometimes for conditions that had not been discussed at all. Chronic conditions were routinely coded without supporting documentation. And perhaps most alarmingly, plans continued these practices even after internal subject matter experts raised red flags.

In each case, the Department of Justice found enough cause to move forward. What started as coding shortcuts turned into major compliance violations, with whistleblowers stepping in when leadership failed to act.

When Business Priorities Override Compliance

In many plans, the disconnect between business operations and coding compliance remains a root cause. Leaders push for higher value per chart and stronger RAF scores, often without a full understanding of what compliant documentation requires. Meanwhile, coders and compliance experts are not invited to collaborate. That is not just an operational misalignment; it is a governance failure.

In one case, coding was performed based on problem lists and past medical history, failing to meet ICD-10 and AHA guidelines. The coders weren’t acting independently; they were following internal directives or vendor protocols shaped by financial incentives, not regulatory standards.

Vendors Are Not a Shield

Under the law, the health plan is accountable for every diagnosis code it submits, regardless of whether the plan or its vendor entered it. Yet, many plans operate without insight into their vendor’s coding guidelines, auditing procedures, or quality controls.

This lack of oversight is especially dangerous when vendors or third-party consultants are brought in to find opportunities. Often, the goal is to flag as many potential diagnoses as possible; however, this is a recipe for noncompliance. These types of findings should always be vetted by coding subject matter experts to prevent exposure.

Health plans should review their coding vendors' practices by asking:  

  • What coding rules is the vendor using?

  • Do we approve or even review their guidelines?

  • How often do they audit their own work?

  • What corrective actions are taken when coders fall below standard?

Extrapolation Raises the Stakes

With CMS now applying extrapolation across all plans’ RADV audits, the financial risk is exponentially higher. One overpayment in a sample set can trigger repayments across the entire population. In one case, a $752,000 error extrapolated to $6.9 million in liability. For smaller plans, this level of financial impact could be catastrophic.

With the recent CMS announcement signaling tighter enforcement and expanded RADV activity, the window for course correction is closing fast. Plans must ensure their entire process is defensible, from coding and documentation to queries and vendor management.

The Compliance Tools Already Exist

CMS and the Office of Inspector General (OIG) provide ample guidance. The ACDIS guidelines for compliant queries spell out when and how to query providers. The AHA Coding Clinic clarifies grey areas in ICD-10 and is recognized by CMS as an extension of the regulation. The OIG even offers SQL-based tools to help plans identify high-risk codes in their own data.

Governance Is the Differentiator

Plans that are serious about compliance build governance into their operations. They create regular meetings between business ops and coding leaders, ensuring that updates, such as V28, are communicated early. Additionally, vendor audits are consistently performed, not just annually. This maintains an environment that proactively manages clinical and financial risk.

The Bottom Line: Pay Now or Pay Later

The message is clear: cutting corners will result in far higher costs than any short-term gains in RAF scores or ROI.

At UST HealthProof, we help health plans operate with confidence. From mock RADV audits to vendor coding assessments and compliant query protocols, our teams are trusted by payers nationwide to bring transparency, accuracy, and audit readiness to risk adjustment.