Medicare Advantage RADV Audits | Health Data Max
Medicare Advantage · Risk Adjustment Data Validation

RADV audits just became every plan's reality.

CMS is moving from a handful of audits a year to all eligible MA contracts — across six open payment years. Health Data Max keeps your submissions continuously audit-ready.

Get RADV-Ready Understand RADV
PY2020–PY2025 audits scheduled · Findings extrapolated across the contract
The Shift
~550
MA contracts audited per year — up from about 60
Records per contract35–200
Payment years in scope2018–2024
Audit volume change+900%
MRs per audited HCCup to 2
All
eligible MA contracts now audited annually
6
payment years (PY2020–PY2025) on the schedule
~70%
of high-risk codes OIG reviewed were unsupported
2× HCCs
max medical records per enrollee (up to 2 per audited HCC)
The Fundamentals

What is a RADV audit?

Risk Adjustment Data Validation is how CMS checks whether the diagnoses an MA plan submitted for payment are actually supported in the member's medical record.

CMS pays MA organizations a risk-adjusted amount for each enrollee. Diagnoses submitted by providers map to Hierarchical Condition Categories (HCCs), each carrying a factor that raises the member's risk score — and the monthly payment to the plan.

Because payment follows diagnosis, CMS validates a sample of those diagnoses against the underlying charts. In a RADV audit, the plan must produce a medical record that supports each sampled HCC. If the record doesn't support the diagnosis, the HCC is invalidated, the risk score is overstated, and the associated payment is recovered.

CMS can then extrapolate the sampled error across the contract's full sampling frame, turning a modest sample into a large recovery. The 2023 rule that authorized extrapolation (and removed the fee-for-service adjuster) was vacated by a federal court in 2025 and is under appeal — but CMS has expressly designed its PY2020 and PY2021 audits to support extrapolated recoveries and reserves the right to collect them if legally permissible. Plan for extrapolation; don't bank on the litigation.

How a diagnosis becomes a payment — and an audit target

1
Provider documents & codesAn encounter produces an ICD-10 diagnosis from the medical record.
2
Plan submits to CMSCodes flow via encounter data / RAPS for risk adjustment.
3
Diagnosis maps to an HCCThe HCC factor increases the enrollee's risk score.
4
Risk score drives paymentCMS multiplies risk score × base rate for the monthly payment.
5
RADV validates the chartNo supporting record → HCC invalidated → overpayment recovered & extrapolated.
Why This Matters Now

The audit landscape changed in 2025

On May 21, 2025, CMS announced an aggressive strategy to enhance and accelerate MA audits — clearing the backlog and auditing everyone.

// SCALE

From ~60 to ~550 plans

CMS will audit all eligible MA contracts each year in newly initiated audits — roughly a 900% increase in audit volume, reaching nearly every contract.

// DEPTH

35 to 200 records each

Sample size scales with contract size (200 / 100 / 50 / 35 by stratum), and members aren't picked at random — CMS targets the enrollees its improper-payment model predicts will lose the most risk score.

// SPEED

PY2018–PY2024 backlog

CMS expanded its coder workforce from ~40 to ~2,000 and is using AI-assisted review to clear years of open audits on a compressed timeline — though final overpayment determinations stay with human coders.

Inside the Process

How a contract-specific RADV audit works

CMS's PY2020 and PY2021 Audit Methods & Instructions lay out the full mechanics — from how members are selected to how overpayments are calculated and extrapolated.

It starts before you know it. CMS defines a sampling frame, draws a statistically valid random sample, and sends an Audit Notice to your CEO, CFO, COO, and Compliance Officer. Your team designates points of contact, registers in CMS's secure CDAT portal, and downloads the Enrollee Data List (EDL) naming the exact enrollees, HCCs, and diagnosis codes under review.

From there the clock runs hard: pull a valid medical record — legibly signed and dated, from a face-to-face visit by a credentialed provider, within the data collection year — for every audited HCC, and submit it through CDAT before the deadline. CMS coders then abstract diagnoses through up to three rounds of review and classify each HCC as Confirmed, Confirmed Higher, Discrepant, Discrepant Lower, or Administrative Exception.

The audit lifecycle

1
Frame & sampleCMS builds the sampling frame and draws 35–200 enrollees by random selection.
2
Audit Notice & CDATSent to CEO/CFO/COO/MCO; POCs register and access the secure portal.
3
Enrollee Data ListNames the sampled enrollees, audited HCCs, and the diagnosis codes you must support.
4
Gather & submit MRsUp to 2 records per audited HCC, as PDFs (≤100MB), each with a coversheet, by the deadline.
5
AbstractionCertified coders review each record across up to three rounds.
6
Payment error & extrapolationPer-enrollee error summed; average risk-score change extrapolated across the frame.

How CMS picks the members it audits

The sample isn't random across your whole book. CMS first ranks audit-eligible enrollees — broadly, those enrolled for all 12 months of the data-collection year and at least one month of the payment year — with a "predicted improper payment" model, then samples from the top quartile most likely to lose risk score under review. The exact formula isn't published, but it's expected to lean on circumstantial coding-risk signals:

  • HCCs supported by only a single encounter
  • HCCs added solely through chart review (no underlying encounter)
  • HCCs with little corroborating medical or pharmacy utilization

// These are the exact OIG high-risk signatures below — acute Dx with no inpatient claim, cancer with no treatment, embolism with no anticoagulant. The audit target and the OIG pattern are the same thing.

Sample size is set by your stratum

CMS sorts RADV-eligible contracts by sampling-frame size into four strata. The ten largest contracts draw the deepest samples — which is exactly why our data shows audit probability rising with enrollment.

200
Stratum 1 — 10 largest contracts
100
Stratum 2 — top third of the rest
50
Stratum 3 — middle third
35
Stratum 4 — bottom third
How the dollars are calculated. CMS computes a payment error for each sampled enrollee, then — for the contract — multiplies the average change in risk score by the sum of county rates across every enrollee in the sampling frame, applying the lower bound of a 90% confidence interval. That makes county-level rates the multiplier on your entire exposure, and a single unsupported HCC in the sample a proxy for many. Telehealth note: for PY2021 dates of service Mar 6–Dec 31 2020, audio-video telehealth visits can satisfy the face-to-face requirement.
CMS Published Schedule

When CMS intends to initiate audits

The month CMS plans to begin RADV audits, by MA payment year. Six payment years are now on the calendar.

PY2020
Mar 2026
PY2021
May 2026
PY2024
Aug 2026
PY2023
Nov 2026
PY2022
Jan 2027
PY2025
Apr 2027
Source: CMS MA RADV Audit Schedule. Dates are subject to change; CMS updates the schedule as needed.
Payment Year 2020 · data collection year 2019

Audit milestones

Enrollee Data List in CDATApr 3, 2026
MR submission window opensApr 13, 2026
MR submission deadlineAug 28, 2026
Hardship exception deadlineSep 11, 2026
Payment Year 2021 · data collection year 2020

Audit milestones

Enrollee Data List in CDATJun 12, 2026
MR submission window opensJun 22, 2026
MR submission deadlineNov 6, 2026
Hardship exception deadlineNov 20, 2026
Once an audit is initiated you get roughly four months to assemble a valid record for every audited HCC. Source: CMS PY2020 & PY2021 Audit Methods & Instructions.
What the Audits Find

OIG's high-risk diagnosis findings

HHS-OIG built a public toolkit from its MA audits, identifying diagnosis codes that — when paired with other data — are at high risk of being unsupported. The error rates are striking.

90%error rate across these high-risk groups

Across its audits, OIG found that roughly 70% of the high-risk diagnosis codes it reviewed were not supported by the associated medical records — and within specific groups, error rates exceeded 90%. These aren't edge cases; they're patterns a plan can detect and correct before CMS arrives.

High-Risk GroupRecords in ScopeErrorsError Rate
Acute stroke945908
96%
Acute heart attack791751
95%
Embolism754593
79%
Lung cancer391345
88%
Breast cancer390373
96%
Colon cancer390368
94%
Prostate cancer360322
89%
Potentially mis-keyed codes522421
81%
Totals4,5434,08190%

Source: HHS-OIG, "Toolkit To Help Decrease Improper Payments in Medicare Advantage Through the Identification of High-Risk Diagnosis Codes" (Dec 2023, A-07-23-01213), errors as of Nov 2023.

The Coding Patterns

Where unsupported HCCs hide

Each high-risk group follows a recognizable signature: an acute diagnosis submitted without the clinical evidence you'd expect to accompany it. In most cases, a "history of" code — which doesn't map to an HCC — was what the record actually supported.

HCC 100 · Stroke

Acute stroke

One acute stroke diagnosis on a physician claim, with no matching inpatient or outpatient hospital claim.

Acute strokeHistory of stroke
HCC 86 · AMI

Acute heart attack

An acute MI on a single physician/outpatient claim with no inpatient claim within 60 days before or after.

Acute MIHistory of MI
HCC 107/108 · Vascular

Embolism

An embolism diagnosis with no anticoagulant medication dispensed — the treatment you'd expect for an active embolism.

Acute embolismHistory of embolism
HCC 9 · Cancer

Lung cancer

A lung cancer diagnosis with no surgery, radiation, or chemotherapy within six months before or after.

Active lung cancerHistory of lung cancer
HCC 12 · Cancer

Breast cancer

A breast cancer diagnosis without surgical, radiation, chemotherapy, or relevant drug treatment in the window.

Active breast cancerHistory of breast cancer
HCC 11 · Cancer

Colon cancer

A colon cancer diagnosis with no surgical therapy, radiation, or chemotherapy in the six-month window.

Active colon cancerHistory of colon cancer
HCC 12 · Cancer

Prostate cancer

A prostate cancer diagnosis in members 74 or younger with no treatment evidence in the surrounding window.

Active prostate cancerHistory of prostate cancer
Data Entry

Potentially mis-keyed codes

A single transposed or mistyped code (e.g., I720 → I270) that mapped to an unrelated, unvalidated HCC.

Mis-keyed codeCorrect diagnosis
The Health Data Max Approach

One platform. Continuous audit readiness.

HDM doesn't wait for an Audit Notice. Provider claims, encounters, CMS response files, payment and risk-score data, and chart coding all live in one database — so every submitted diagnosis stays continuously linked to the record that has to support it. When CMS initiates on its new accelerated timeline, you're already prepared instead of scrambling inside a four-month window.

01

Unify in one DB

Claims, encounters, CMS response files, risk scores, payments, and chart coding — reconciled and member-linked in a single source of truth.

02

Flag the suspects

Mirror CMS's improper-payment signals and OIG high-risk logic — single-encounter HCCs, chart-review-only adds, thin utilization — before they're ever sampled.

03

Match the evidence

Plans upload medical records; HDM surfaces the strongest supporting chart for each suspect member-HCC.

04

Validate or correct

Confirm defensible HCCs, and route truly unsupported diagnoses for correction — accurate payment, clean record.

One source of truthClaims, encounters, response files, risk scores, and charts in a single linked database — no scramble to reassemble data once an audit lands.
CMS- & OIG-aligned flaggingThe improper-payment signals and high-risk patterns auditors use, run against your data continuously.
Best-chart selection per HCCFor every flagged member, surface the record most likely to support the diagnosis — within the limit of two records per audited HCC.
Encounter ↔ chart reconciliationTie every submitted code back to source documentation, exposing gaps before CMS does.
Extrapolation-aware prioritizationFocus first on the sampled-frame HCCs whose error would hurt most when projected across the contract.
CDAT-ready packages & audit trailValid, coversheet-matched PDF submissions, with every flag and decision logged — governed, defensible, HIPAA-aligned.
Accuracy in both directions. The goal isn't to maximize codes — it's to make every submitted HCC defensible. HDM flags potential over-coding and unsupported diagnoses for correction just as it surfaces supporting evidence, so your risk capture is accurate, compliant, and able to withstand extrapolated review.
Get Ahead of Your Payment Year

Be ready before the audit notice arrives.

With PY2020–PY2025 on the CMS schedule, the question isn't whether your plan will be audited — it's whether your records are ready. Let's review your highest-risk HCCs together.

Request a Consultation Start a 30-Day Trial