Pay Now or Pay Later: Whistleblower Lawsuits and Risk Adjustment
Introduction
Whistleblower lawsuits are pulling back the curtain on risky coding practices and costly compliance gaps in risk adjustment. From inflated RAF scores to vendor oversight failures, the consequences are real and growing. This episode unpacks several DOJ cases that reveal how coding shortcuts, unsupported diagnoses, and non-compliant queries can escalate. From internal governance gaps to coding-policy breakdowns, the message is clear: vendor oversight is a necessity.
Listen now to uncover what these cases reveal and what your plan can learn from these whistleblower lawsuits.
Transcript
Host: Welcome to the show. Today we’re talking about something that every executive in the Medicare Advantage space needs to hear: the serious issues that have led to high-profile whistleblower lawsuits, DOJ involvement, and multimillion-dollar settlements, and what health plans can do to avoid this outcome.
Our guest is Kristi Reyes, Director of Risk Adjustment Coding Operations. She leads a team on the frontlines of compliance and revenue protection, and she’s here to help us unpack how plans get into trouble, and what they can do to avoid noncompliance and the associated penalties. Welcome Kristi.
Kristi: Thanks for having me. I know this topic can feel heavy, but it’s absolutely necessary. These lawsuits didn’t appear out of thin air. They came after health plans ignored early warnings, neglected vendor oversight, and pushed compliance boundaries to chase higher RAF scores.
Host: Agreed. It is important to have these uncomfortable discussions. You’ve been fairly outspoken about compliance advocacy. You had a LinkedIn post about the Poehling v. UnitedHealth Group case, and it received a lot of attention, likes, and reposts. That’s telling us this is a topic that the industry is following closely.
Kristi: Yes, there was a lot of engagement and buzz around that post. I think it struck a nerve in the industry.
Host: Will you give us a quick overview of the legal framework that governs risk adjustment operations?
Kristi: Absolutely. The False Claims Act makes it illegal to knowingly submit, or cause the submission of, false claims for payment to the federal government. In risk adjustment, that means you can’t submit diagnosis codes that aren’t supported by documentation. And that includes any upstream practices that influence those codes, like querying a provider to add a condition that was never discussed during the visit.
Host: This is what happened in the Osinek v. Kaiser Permanente case, right?
Kristi: Exactly. That case involved four Kaiser Permanente MA plans. Coders were encouraged to identify potential missed diagnoses, then providers were asked to amend the records retroactively, even for conditions not discussed in face-to-face visits. That’s a hard no. You can't just backfill a diagnosis because you think it should’ve been addressed.
Host: Why is this a hard no?
Kristi: ACDIS has guidelines on how to operate a compliant query process. Those guidelines are crystal clear: you may only query to clarify documentation that exists, not to add something new. Coders are not medical providers, they cannot read between the lines and make medical decisions. If Kaiser had followed that playbook, they likely would not have ended up under DOJ scrutiny.
Host: What’s the reason why some plans are straying from the guidelines?
Kristi: It can be pressure from business operations, or not understanding the guidelines, which of course is not excusable. Plans have to develop a culture where there are collaborative relationships between departments and different areas of expertise. Everyone wants their area of operations to be successful and meet KPIs, but sometimes compliance and revenue goals conflict. If your coding experts are saying, “Hey, this goes against the guidelines,” then there has to be respect for their expertise on compliance.
Everyone wants a high RAF score, and we can maximize that, but it has to be under a compliant practice. Could the RAF score be higher if we fudged a bit? Absolutely. But, I don’t look good in orange.
Host: Lol. Yes, me neither. This is what happened in the case, U.S. ex rel. Poehling v. UnitedHealth Group. In this whistleblower suit, the former finance director at United alleged the company systematically submitted diagnosis codes not supported by the medical record to boost risk scores and increase payments from CMS. Can you talk about what happened here?
Kristi: Yeah. First, let’s talk about what unsupported medical records are. These were diagnoses that either were never documented by the provider, didn’t meet the MEAT criteria, lacked evidence of being monitored, evaluated, assessed, or treated in the chart, or were flagged during internal audits but never corrected.
The allegation is that United ran retrospective chart reviews, found invalid diagnoses, and only deleted them when it would not reduce revenue. They kept overpayments in place when no offsetting code could be found. The DOJ called it a one-way compliance program, and argued that knowingly keeping unsubstantiated codes while collecting the revenue violates the False Claims Act and the 60-day repayment rule.
Host: This is timely information, given the new CMS commitment to RADV extrapolation and audit acceleration. Plans that don’t proactively identify and delete unsupported codes are facing increasing risk, not just financially, but also legally.
Kristi: Absolutely, if your audits only add and never subtract, your program isn’t just imbalanced, it could be exposed.
Host: And this wasn’t just Kaiser. There have been other plans with similar allegations.
Kristi: Yes, Ross v. DxID is another major case. A health plan outsourced its retrospective reviews to DxID, and the coding vendor did not adhere to ICD-10 and AHA guidelines. They were coding from problem lists and old history, and treating those as current conditions. Which of course, raised RAF scores. But the AHA, which CMS recognizes as an authority, clarified that coders must have clinical support in the documentation.
For example, coding a history of stroke as an acute stroke, or assuming chronic kidney disease based on a lab value alone, is noncompliant. Coders aren’t physicians. We can’t infer or assume diagnoses.
Host: Let’s talk about vendor oversight. You said in a recent webinar that this is one of your biggest concerns for plans.
Kristi: It is. I can’t tell you how many health plans don’t know what their vendors are doing. That terrifies me. If you’re using a vendor, you need insight into their coding guidelines. You need to be asking if your vendors are compliant. Do you have the ability to review or edit them? Are you auditing your vendors regularly? What’s their process for internal audits? How often are they being conducted? What corrective action plans are in place for coders who fall short?
Host: You’re right, those are critical questions for overseeing vendor activity. Let’s discuss Poehling v. UnitedHealthcare. What happened there?
Kristi: United’s coding team identified unsupported diagnosis codes that had already been submitted. Rather than submitting deletes to CMS, leadership let it ride. They gambled that CMS wouldn’t catch it. But a whistleblower did. Under RADV extrapolation, even a small set of errors can result in tens of millions of dollars in overpayment exposure. Plans can’t afford to ignore that. I encourage everyone to go read the Coventry case on the OIG website. They found $752,000 in unsupported codes and extrapolated it to a $6.9 million recovery.
Host: So let’s be clear for the execs listening, because this matters. These health plans and vendors were told their practices were non-compliant. And they kept doing it.
Kristi: Yes. Here’s the thing, the DOJ is not just looking for a mistake. They look for a pattern of behavior and evidence that they were told it’s unlawful. And too often, the warnings come from coding and compliance subject matter experts who are ignored in favor of financial performance. This is where I want to speak directly to business leaders: if your coding or compliance teams flag an issue, listen. Because once the DOJ steps in, it’s too late.
Host: And Kristi, these aren’t just legacy issues—some plans are still doing this, right?
Kristi: Absolutely. I still see plans coding chronic conditions without support. Coders using lab values to infer diagnoses, like Stage 3 kidney disease, without a provider ever making the diagnosis. If a value suggests a condition, that’s not enough. You need documented evidence that the provider diagnosed and addressed it.
In-home assessments are another grey area. You can’t diagnose heart failure from a living room couch. You need an echo to support that diagnosis. Some vendors are diagnosing complex conditions during IHAs without any clinical data to support it. That’s another compliance red flag.
Host: Let’s talk vendor oversight. You’ve said repeatedly that too many plans have no idea what their vendors are doing.
Kristi: It scares me. The health plan, not the vendor, is liable for any errors. Yet, I meet plans that haven’t reviewed their vendor’s coding guidelines, don’t conduct regular audits, and don’t require corrective action plans when quality thresholds aren’t met. You should know: what coding guidelines are they following? Are they using AHA guidance and ICD-10 rules? Do they allow you, as the client, to weigh in or approve updates? Are they regularly auditing their own coders? Do you see those audit results? You wouldn’t outsource finance or legal without controls, right? Coding should be no different. Plans have to audit their vendor’s coding and have regular meetings with internal coding SMEs to review.
Host: This feels like a governance issue—especially between business ops and coding compliance.
Kristi: It is. One of the most preventable causes of compliance failure is a lack of collaboration between those teams. Business ops wants to maximize value per chart. Coders want to follow the rules. Without a regulatory governance council, without regular meetings to discuss things like V28, provider education, prospective programs—you’re not managing your plan’s risk.
Host: And sometimes the problem gets worse when third-party consultants are brought in, right?
Kristi: Oh, yes. We’ve seen vendors hired under the premise of, quote-unquote, finding missed opportunities. But all they do is flag codes from problem lists or make assumptions that aren’t supported. It’s opportunistic. And when their reports get delivered to business leaders without being vetted by compliance subject matter experts, that’s when bad decisions get made. And that revenue that you were trying to maximize can go from $30 million found to a $300 million extrapolated overpayment once a RADV audit hits. So, before you celebrate new ROI, make sure it's compliant.
Host: Let’s shift to action. What can plans do now to protect themselves?
Kristi: First, start with transparency: Request your vendor’s current coding guidelines. Make sure they’re compliant with ICD-10 and AHA rules. Set up regular governance meetings between business, coding, and compliance teams. If you’ve never done a mock RADV audit, do one. Don’t wait for the government to tell you what’s wrong. Review the ACDIS guidelines on compliant query practices. And use the OIG’s open-source SQL tool to identify high-risk codes in your data. It’s free, and it’s a roadmap for what the government is looking for.
Host: How can your team help?
Kristi: We have a dedicated Risk Mitigation and RADV team. We offer mock RADV audits, TDVRs, even full vendor evaluations. If you’re not sure where your vulnerabilities are, we’ll help you find them and fix them before it becomes a crisis.
Host: The big takeaway is, don’t wait for the whistle to blow. Act now. Invest in compliance. Align your teams. And remember: if you don’t get caught now, you might get caught later—with a much bigger price tag.
Kristi: Exactly.
Host: Kristi, thanks for your expertise and continued commitment to risk adjustment compliance.
Kristi: Anytime.
Host: To our listeners, if you liked this episode, follow on Apple or Spotify to get notification of when our next episode is released. And leave a comment to let us know what topics you want to hear more about.
Guest Speaker
Kristi Reyes
Director of Risk Adjustment Coding Operations
Kristi Reyes is the Director of Risk Adjustment Coding Operations. She leads a team of 250 medical coders from various aspects of risk adjustment—including retrospective, prospective, CDI, QA, risk mitigation, and RADV. Kristi holds Certified Professional and Outpatient Coding, Risk Adjustment Coding, and Auditing certifications.