Last updated: June 2026
Quick Answer
RADV audits (Risk Adjustment Data Validation audits) are how the Centers for Medicare and Medicaid Services checks that the diagnosis codes Medicare Advantage plans submit are backed by medical records. In 2026, CMS is moving fast. A January 27, 2026 memo confirmed Payment Year 2020 audits began in February 2026, on a roughly quarterly cadence, with a restored five-month record window and sample sizes of 35 to 200 enrollees [1]. Extrapolated penalties are paused after a 2025 court ruling, but the audits themselves continue. For MA plans, the message is plain: defensible documentation is now a year-round job.
Where RADV Audits Stand in 2026
RADV audits are back, and they reach further than before. On January 27, 2026, the Centers for Medicare and Medicaid Services (CMS) issued a memo confirming that Risk Adjustment Data Validation audits remain a top priority and that Payment Year 2020 audits began in February 2026 [1]. For Medicare Advantage organizations, the era of slow, occasional reviews is over.
Here is the state of play. CMS is expanding RADV audits from roughly 60 contracts a year toward every eligible MA contract, on a quarterly cadence. It restored the five-month medical record submission window, confirmed variable sample sizes of 35 to 200 enrollees, and will use AI only to support certified human coders, not to replace them [1]. A September 2025 court ruling vacated the extrapolation method, so extrapolated recoveries are paused while the appeal plays out [3]. The audits continue regardless.
This guide breaks down what changed in 2026, how the RADV audit process works, what it can cost, and how Medicare Advantage plans build records that hold up. The short version: accuracy alone is no longer the bar. Defensible, encounter-linked coding is.
Key Takeaways
- PY 2020 RADV audits began in February 2026 and will continue on a roughly quarterly cadence [1].
- CMS restored the five-month medical record submission window, replacing the shorter window floated in May 2025 [1].
- Sample sizes run from 35 to 200 enrollees based on contract size, and smaller contracts draw smaller samples [1].
- AI supports coders during reviews, but certified human coders make every overpayment determination [1].
- A September 2025 court ruling vacated extrapolation, so extrapolated recoveries are paused while audits proceed [3].
- Two-way coding, adding and removing diagnoses, is now the compliance benchmark, and add-only programs draw enforcement attention [5].
Industry First RADV Audit Solution
AI-powered solution enables health plans to efficiently manage and streamline RADV audits
What Is a RADV Audit and Why Does It Matter?
A RADV audit is the process CMS uses to confirm that the diagnosis codes a Medicare Advantage plan submitted for risk adjustment payment are supported by the enrollee’s medical record [2]. Risk Adjustment Data Validation is the formal name. The check is simple in concept: does a real, signed clinical encounter back each code that raised the plan’s payment?
Why it matters comes down to money and trust. Medicare Advantage now covers more than half of all Medicare beneficiaries, and MedPAC estimated $615 billion in total MA payments for 2026, roughly 14% (about $76 billion) more than equivalent fee-for-service spending [6]. When diagnosis codes are not supported, CMS can recover overpayments from the audited contract. RADV audits are the main tool the centers for Medicare Medicaid Services use to protect the Medicare Trust Funds and keep risk adjustment payments tied to real patient complexity.
For a Director of Risk Adjustment, the stakes are personal. An audit that surfaces unsupported diagnoses means remediation, repayment, and harder questions from compliance and finance. That is why the smart move is to find weak documentation before CMS does.
What Changed in the January 2026 CMS Update
The January 27, 2026 memorandum from CMS adjusted several operating rules for the MA RADV audit program [1]. CMS kept the accelerated strategy it announced in May 2025 but softened the parts that drew the loudest stakeholder pushback. Four changes matter most.
The Five-Month Medical Record Submission Window
CMS restored the five-month medical record submission window, reversing the three-month window floated in May 2025 [1]. Plans now have more runway to retrieve charts from providers, which matters when dozens of contracts request records at once. For the PY 2019 audits started in June 2025, CMS set record deadlines in November 2025. The longer window is a real operational relief, but it is not a reason to wait. Retrieval at scale still takes weeks.
PY 2020 Audits and the Quarterly Cadence
CMS began PY 2020 RADV audits in February 2026 and will start future audits roughly every three months [1]. CMS said it will publish a calendar describing the audit cadence so MA plans can staff and budget around it. This predictable, quarterly rhythm is the heart of the shift: RADV audits are becoming a standing program, not a surprise. The question is no longer whether a contract gets audited, but when.
Sample Sizes of 35 to 200 Enrollees
CMS confirmed variable sample sizes of 35 to 200 enrollees, scaled to contract size, for PY 2020 and later audits [1]. Smaller contracts are less likely to draw the maximum sample. The two-records maximum per audited HCC stays in place, and CMS stressed that only one valid record is needed to support payment. Even a small sample carries weight: with the audits proceeding contract by contract, a high error rate on 35 enrollees still drives repayment demands and signals deeper documentation problems.
AI as Coder Support, Not Decision-Maker
CMS plans to use AI to support its medical coders during reviews, while certified human coders make every coding decision that affects an overpayment [1]. The technology flags possible issues and speeds review; it does not determine findings. CMS said it will fully test the tool before using it in live audits. For MA plans, the takeaway is direct: machine-assisted review can surface documentation gaps faster than manual review ever did, so records have to withstand that scrutiny.
How the Accelerated Audit Strategy Took Shape
This audit strategy did not appear overnight. In May 2025, CMS announced a plan to expand and accelerate RADV audits [3], built on a few core moves:
- Clearing the backlog of audits for Payment Years 2018 through 2024 on a compressed timeline
- Expanding audits to all eligible Medicare Advantage plans, roughly 550 in total, up from about 60 MA plans a year
- Setting sample sizes from 35 to 200 enrollees
- Cutting medical records per HCC from five to two
- Adding AI to support faster reviews
Through the summer of 2025, CMS met with health plans and industry groups that raised concerns about compressed timelines and operational burden. The January 2026 refinements, the restored five-month window and the published cadence, reflect that feedback. CMS gave ground on logistics while holding firm on the core goal: audit every eligible plan, every year.
Autonomous Retrospective Risk Adjustment Solution
One platform. Every HCC validated. Revenue secured.
The 2023 RADV Final Rule and the 2025 Court Ruling
The legal backdrop shapes what CMS can collect. The 2023 RADV Final Rule removed the Fee-for-Service Adjuster and let CMS extrapolate a sample error rate across an entire contract, starting with PY 2018 [2]. The FFS Adjuster had long capped recoveries by accounting for documentation error baked into traditional Medicare. Dropping the FFS Adjuster, paired with extrapolation, sharply raised the financial stakes of any audit.
That is what the courts paused. In September 2025, a federal court vacated portions of the 2023 RADV Final Rule, including the extrapolation provisions [3]. HHS appealed and said it will comply with the court order while pursuing payment year audits [1]. The practical result: for now, CMS recovers overpayments on the sampled enrollees only, not an extrapolated figure across the contract.
Do not read the pause as relief. Extrapolation is a question of how much CMS collects, not whether it audits. The audits run on schedule, and the appeal could restore extrapolated recoveries later. Treat this window as time to get clean, not time to coast.
Who Conducts RADV Audits and How Often?
CMS, through its Center for Program Integrity, conducts all RADV audits, and audit notices arrive through the Health Plan Management System [2]. RADV audits begin after the final risk adjustment data submission deadline for the contract year. Questions go to RADV@cms.hhs.gov.
The frequency is the real story. Historically, CMS audited about 60 MA contracts a year. Under the expanded program, CMS intends to audit all eligible plans annually, roughly 550 MA plans, on a quarterly cadence. CMS is not alone in the oversight push. The HHS Office of Inspector General has run parallel compliance audits of MA organizations, and its February 2026 Medicare Advantage compliance guidance flagged add-only chart reviews and in-home assessments as risk areas [7]. Strengthening oversight is now a coordinated, multi-agency effort.
Documentation That Survives a RADV Audit
Every diagnosis code submitted for risk adjustment has to be backed by a record showing the condition was actively managed during a face-to-face encounter. The MEAT criteria (Monitor, Evaluate, Assess, Treat) (https://www.raapidinc.com/blogs/simplify-hcc-coding-with-meat-criteria/) remain the working standard for acceptable documentation, where any one element is enough to support a code.
Accurate documentation that holds up in a RADV review includes:
- A valid face-to-face encounter, dated within the payment year under audit
- Clear provider credentials and a legible signature
- Specific clinical evidence that the diagnosis was monitored, evaluated, assessed, or treated
- A clean link between the diagnosis, the encounter, and the submitted code
The patterns that create unsupported diagnoses are consistent and avoidable: missing or illegible signatures, thin documentation of chronic conditions, history-of conditions coded as active disease, and codes submitted from chart reviews that never tie back to an encounter. In its 2026 audits, the OIG found that history-of conditions coded as active diagnoses were the single most common error pattern, with some high-risk categories like acute stroke and acute myocardial infarction hitting 100% error rates in the sampled records [4]. These are exactly the gaps a defensible coding program closes first.
For a deeper playbook on the rules CMS coders apply, see RAAPID’s guide to RADV audit guidelines.
The Four Phases of the RADV Audit Process
The end-to-end RADV audit process runs in four phases. Knowing the sequence lets a plan build a repeatable response instead of scrambling each time.
- Notification and preparation. Receive the audit notice through the Health Plan Management System, download the Enrollee Data List from CMS, assemble the response team, and set project milestones.
- Chart retrieval and management. Generate chase lists, start provider outreach early, receive and organize charts, then link each record to its enrollee and HCC.
- Chart review and HCC validation. Certified coders run a first-pass review, validate each record against the MEAT criteria, complete a quality assurance pass, and identify unsupported HCCs and any potential adds.
- Submission and post-audit activities. Select the single best record for each validated HCC, format it to CMS specifications, submit, and manage any rebuttal.
Phase 2 is where most plans lose time. Provider outreach across a large sample, during a window when many contracts are requesting records at once, is the bottleneck. Starting retrieval the day the notice lands is the difference between a calm submission and a last-minute scramble.
For a step-by-step readiness list you can hand to your team, use RAAPID’s CMS RADV audit checklist
What RADV Audits Cost Medicare Advantage Plans
The financial exposure from CMS RADV audits is real, even with extrapolation paused. For audited MA plans where CMS identifies unsupported diagnoses, the agency moves to recover overpayments on those enrollees, and that financial exposure grows with every weak record. CMS completed audits for Payment Years 2011 through 2013 and found error rates between 5% and 8%, a useful benchmark for the financial risk a plan carries into any audit [2].
The OIG compliance audits point to a steeper number. In a 2026 audit of one MA organization, the OIG found that 247 of 271 sampled enrollee-years, a 91% error rate, contained unsupported high-risk diagnosis codes (report A-07-22-01207) [4]. Apply that kind of validation rate to a 200-enrollee RADV sample and the payment recoupment adds up quickly, even before any future return of extrapolated recoveries across an entire contract.
The point is not to fear a single audit. It is to recognize that unsupported diagnoses are now a structural risk across the industry, and the plans that quantify and close that exposure early are the ones that avoid the surprise repayment demand.
The Compliance-First Shift: Why Two-Way Coding Matters Now
Here is the position RAAPID holds, and the data backs it: risk adjustment has moved from a capture problem to a care and accountability problem, and defensible coding is the foundation. Finding more codes is no longer the goal. Proving the right codes is.
That shift has teeth. In March 2026, Aetna agreed to a False Claims Act settlement resolving allegations that an add-only chart review program submitted diagnosis codes to CMS while failing to delete unsupported codes the same reviews had identified [5]. The lesson for every MA plan is blunt: a program that only adds diagnoses and never removes them is now treated as a compliance risk, not a revenue engine. The OIG’s February 2026 guidance makes the same point, naming add-only chart reviews as a suspect practice [7].
This is why two-way coding, adding supported diagnoses and removing unsupported ones, is the benchmark. RAAPID’s Clinical AI Platform, built on Neuro-Symbolic AI, was designed for it. The technology links every suggested HCC to MEAT-based evidence in the clinical note, gives coders a transparent, audit-ready trail, and surfaces both the codes a plan should submit and the ones it should withdraw. In independent validation, the platform reached 92% out-of-the-box accuracy and more than 98% after human-in-the-loop quality review.* Coders keep final authority on every decision.
Defensible accuracy means each diagnosis is encounter-linked, clinically evidenced, explainable, and auditable. That is the documentation standard a RADV audit is built to test.
How to Get Audit-Ready for Continuous RADV Audits
With annual audits and compressed timelines, Medicare Advantage organizations need a continuous readiness posture, not a fire drill. The right technology turns RADV audits from chaos into a controlled, repeatable process.
Start here:
- Audit yourself first. Run internal chart reviews against CMS criteria before CMS does, and prioritize high-risk HCC categories where OIG error rates run highest.
- Use the delete windows. Review claims data and remove unsupported codes during CMS-provided correction windows, so you are not defending codes you already know are weak.
- Strengthen provider relationships now. Simultaneous record requests across plans strain provider capacity, so build the retrieval relationships before the notice arrives.
- Train for defensibility, not just accuracy. Coders should document why a diagnosis holds up, not only that a code is present.
- Put the right technology in place. Manual review cannot scale to all-contract annual audits. AI-powered HCC validation, concurrent-audit workflow management, and leadership dashboards are what keep a plan audit-ready.
RAAPID’s RADV Audit Solution was purpose-built for this reality. It manages concurrent audits end to end, validates each HCC against clinical evidence, and gives compliance leaders a clear evidence trail for every determination, with chart review time of 8 to 12 minutes per record.* The teams that treat RADV audits as an operational discipline, rather than a once-a-year event, are the ones ready when the next notice lands.
See how RAAPID streamlines RADV audits.
Frequently Asked Questions About RADV Audits
A RADV audit (Risk Adjustment Data Validation) is the process CMS uses to confirm that diagnosis codes submitted by Medicare Advantage plans are supported by medical records. It verifies that each code meets documentation standards like the MEAT criteria so risk adjustment payments reflect real, encounter-based patient complexity [2].
A RADV audit (Risk Adjustment Data Validation) verifies that diagnosis codes submitted by Medicare Advantage plans are supported by medical documentation, ensuring diagnoses meet MEAT criteria for appropriate risk-adjusted payments.
CMS restored the five-month medical record submission window for RADV audits, reversing the shorter three-month window it floated in May 2025. The longer window gives Medicare Advantage plans more time to retrieve charts from providers, though large-scale retrieval still takes weeks of coordinated work [1].
CMS uses variable sample sizes of 35 to 200 enrollees, scaled to contract size, for PY 2020 and later audits. Smaller contracts are less likely to draw the maximum sample. Plans may submit a maximum of two medical records per audited HCC, and only one valid record is needed to support payment [1].
No. A September 2025 federal court ruling vacated the extrapolation provisions of the 2023 RADV Final Rule, so extrapolated recoveries are paused. HHS has appealed. The audits continue, and CMS currently recovers overpayments on the sampled enrollees rather than across an entire contract [3].
CMS conducts all RADV audits through its Center for Program Integrity. Audit notices arrive through the Health Plan Management System, and plans can direct questions to RADV@cms.hhs.gov. The HHS Office of Inspector General runs separate, parallel compliance audits of MA organizations [2].
Documentation must show the diagnosis was actively managed during a dated, face-to-face encounter, with clear provider credentials and a legible signature. The record should meet the MEAT criteria, monitor, evaluate, assess, or treat, and tie the diagnosis directly to the encounter and the submitted code [2].
Add-only programs submit new diagnoses but never remove unsupported ones. A March 2026 DOJ settlement resolved allegations against an add-only chart review program that ignored its own evidence of unsupported codes. Two-way coding, adding and removing, is now the compliance benchmark [5].
CMS intends to audit all eligible Medicare Advantage plans annually, roughly 550 in all, up from about 60 a year historically. The expansion runs on a quarterly cadence, which means audit selection is no longer a question of whether a contract is reviewed, but when [1].
Ready to Evaluate a Collaborative Path?
Over a Partnership Evaluation Call.
Source
*Internal RAAPID benchmark, based on independent proof-of-concept validation and human-in-the-loop quality review.
About the author
Wynda Clayton, MS, RHIT, CRC
Director of Risk Adjustment Coding & Compliance, RAAPID
Wynda Clayton is Director of Risk Adjustment Coding and Compliance at RAAPID. A former CMS RADV auditor with more than 20 years in risk adjustment, coding, and compliance, she focuses on building defensible, audit-ready documentation programs that improve coding accuracy while meeting regulatory standards.