Medicare Advantage organizations facing program audits in 2026 will encounter an unusual batch of changes. These changes, revealed in a November CMS memo, are intended to streamline the process and more holistically assess plans’ overall approach to compliance. But that doesn’t mean the audit process will be any more predictable, according to experts from BluePeak Advisors, a Gallagher company.
Here, BluePeak experts walk you through what’s changing and how plans can prepare for 2026 — and what may be coming in 2027.
How Will CMS Handle Compliance Program Effectiveness in 2026?
As CMS tests a new approach to reviewing a sponsor’s compliance program effectiveness, CPE evaluations will no longer take place as a separate audit session during the fieldwork phase. In addition, CMS plans to host quarterly educational calls with compliance officers.
”With compliance program effectiveness materially changing, compliance oversight and overview questions are going to be pushed into the operational area webinars.”
Greg Miller, R.Ph.Director of Part D and Pharmacy, BluePeak
What does that look like in practice?
“Until we get to sit through these first couple of program audits, we can only prepare for the changes CMS has outlined on paper,” says Miller. But compliance officers should be standing by to assure CMS that proper oversight is in place — and that you have the necessary oversight and monitoring programs in place to help reduce or eliminate fraud, waste and abuse.
Whether it’s during a review of your Part C Organization Determinations, Appeals, and Grievances (ODAG), Part D Coverage Determinations, Appeals, and Grievances (CDAG) or other areas, a compliance representative from the health plan should be sitting in on those webinars. And your compliance reps will likely have to answer CMS’s questions in real time, advises Beth Brooks, director of Part C with BluePeak.
“Compliance is a little more unpredictable now,” agrees Cheryl Wasserman, director of compliance with BluePeak. “The old way, you could prepare for interviews with standard questionnaires that you could prep in advance…now, it’s more open to whatever the specific case is in that program area.”
In Part C, plans can also expect an increased focus on utilization management practices and their use of internal coverage criteria. Per its 2024 final rule clarifying coverage criteria, CMS will be looking to make sure MA enrollees can “access medically necessary services without excessive burden or delays,” the memo stated.
What Will CMS Deem as Requiring Corrective Action?
CMS is also launching two other major program audit changes in 2026. One is the removal of audit scoring. CMS explained that it will no score audit findings because that “does not fully reflect a Sponsor’s audit performance or how the Sponsor is performing overall.”
Second is the reduction of condition classifications from four to two. For 2026, CMS is removing the classifications of Immediate Corrective Action Required (ICAR) and Observation Requiring Corrective Action (ORCA). Instead, noncompliance will be categorized as either Corrective Action Required (CAR) or Observation.
In Part D, for example, plans can likely intuit which way CMS will lean based on the impact to members (i.e., did they receive their medications?), suggests Miller. “Still, it will be interesting to see, as we go through it, how CMS will leverage the impact analysis requests to classify the findings,” he says.
“Whether or not the finding is a CAR or Observation, it always boils down to a member benefit perspective. Regardless of if you’re a 100-member plan or a million-member plan, you want to make sure that your beneficiaries have correct and immediate access to the benefits that are afforded under your plan,” emphasizes Miller.
Meanwhile, CMS will keep applying the Invalid Data Submission (IDS) classification, which is triggered when a plan fails to submit an accurate or complete universe and/or documentation to CMS.
What Can Plans Do to Prepare?
Test your requested universes before submission. “While scoring has been removed for 2026, IDS still remains a critical fail, meaning data quality is effectively a standalone failure score,” says Brooks. “Plans are going to need to concentrate on that and do some work beforehand. I would recommend self-auditing to make sure those data submissions are going to be accurate.”
Work with a partner to perform mock audits. In addition to universe testing, BluePeak can walk plans through an audit scenario, ask the questions that CMS would likely ask in both their operational and compliance areas, and improve audit preparedness.
Be prepared to explain how you are monitoring each audit element for compliance. Plans should have a “written narrative” that clearly states your policy and procedure for monitoring compliance, the types of issues identified and how you addressed them.
”Plans should have a compliance track for
Beth BrooksDirector of Part C, BluePeak
every single audit element to best prepare.”
If your Special Needs Plan, for example, requires that members have a care plan within 30 days of their health risk assessments, do you have internal audits to catch when that’s not happening?
“If you do internal audits, do you have records to show where you’ve retrained? Do you have records to show that you ran an impact report that showed how many patients were impacted by not having a care plan? Did you implement a plan to remediate? I believe those are the questions that we are going to see now,” predicts Brooks.
BluePeak has developed a Compliance Oversight Tracking Tool to ensure plans have a roadmap for CPE. Using Protocol from each audit element, compliance officers can document oversight activities and cross-reference to their Compliance Oversight Activities (COA) universe, giving CMS a clear understanding of plan compliance effectiveness.
CMS Plans Additional Changes for 2027
In late December, CMS released proposed changes to the 2027 audit protocol through the Paperwork Reduction Act website, clarifying some of the 2026 changes. For example, tables 4,6 and 7 will no longer be collected for ODAG, as well as table 3 in Formulary Administration. For CPE, CMS is proposing to collect a CPE Oversight Questionnaire, blending the former Compliance Officer and First Tier, Downstream and Related Entities (FDR) interviews. CMS is also proposing to have an initial compliance officer interview, ongoing discussions with the Compliance Officer about potential findings during the audit weeks, and a second interview at the end of field work.
Comments for these proposed changes are due in early spring 2026, with expected protocol published in mid 2026.
BluePeak can help!
Not sure where to start? Email info@bluepeak.com and secure your successful path to 2026 audits!
