The Centers for Medicare & Medicaid Services (CMS) announced they’re expanding Risk Adjustment Data Validation (RADV) audits from roughly 60 Medicare Advantage plans per year to all 550 eligible contracts. They’re not just auditing more plans. They’re scaling their medical coder workforce from 40 to 2,000 by September 2025 and increasing record reviews from about 35 charts per plan to as many as 200. For any organization that hasn’t conducted a thorough internal HCC audit recently, the timeline just compressed dramatically.
This isn’t a gradual shift. CMS explicitly called their strategy “aggressive,” and the numbers back that up. They’re planning to complete all audits for Payment Years 2018 through 2024 by early 2026, which means audit notices that organizations assumed were years away could arrive any day.
The financial exposure is substantial. CMS estimates Medicare Advantage overpayments at $17 billion annually, though the Medicare Payment Advisory Commission puts that figure closer to $43 billion. With extrapolation now in play for Payment Year 2018 forward, a handful of unsupported diagnoses in your audit sample could translate into millions in clawbacks.
Organizations don’t have to wait for CMS to surface these problems. The more defensible strategy is auditing high-risk Hierarchical Condition Category (HCC) codes internally and fixing documentation gaps before they become audit findings. At MDaudit, we’ve seen organizations that take this proactive approach consistently outperform those that wait for the audit notice to arrive.
Why Some HCC Codes Draw More Audit Scrutiny Than Others
Not all HCC codes carry the same audit risk. CMS specifically targets codes that show significant coding differences between Medicare Advantage and fee-for-service Medicare, or conditions where documentation practices tend to break down.
The transition to CMS-HCC Version 28 makes this even more critical. Version 28 removed 2,294 codes that previously mapped to payment HCCs in Version 24, while adding 115 total HCCs (up from 86). This restructuring means some codes that used to generate revenue now carry zero weight, and practices that haven’t updated their coding strategies are leaving money on the table, or worse, documenting conditions that won’t stand up in an audit.
One major shift is “constraining,” where CMS assigns the same coefficient to related conditions. Take diabetes. Under the old model, diabetes with complications paid more than diabetes without complications. Under Version 28, diabetes with unspecified complications, diabetes with acute complications, and diabetes with chronic complications all have the same coefficient (except for pancreas transplant status at the top). This flattening means that vague documentation like “diabetes, unspecified” doesn’t penalize you as much under V28, but auditors will still scrutinize whether that diabetes diagnosis is supported at all.
High-Risk HCC Categories That Draw Audit Scrutiny
Based on RADV audit patterns and coding intensity reviews, certain HCC categories consistently attract more attention. These are the areas organizations should prioritize for internal review.
Diabetes With Complications
Diabetes HCCs are everywhere in Medicare Advantage populations, which makes them prime audit targets. The challenge isn’t just coding them; it’s proving they’re still active and require ongoing treatment.
Under Version 28, diabetes now maps to HCC 35 through HCC 38. HCC 35 is pancreas transplant status (highest payment). HCC 36 covers severe acute complications. HCC 37 handles chronic complications. HCC 38 is the catch-all for glycemic, unspecified, or no complications. HCC 36, HCC 37, and HCC 38 all carry the same weight now thanks to constraining.
What gets providers in trouble is using diabetes with complications codes when the chart doesn’t actually document those complications being addressed during the encounter. CMS requires Monitor, Evaluate, Assess, and Treat (MEAT) criteria for each chronic condition. If a provider bills E11.65 (Type 2 diabetes with hyperglycemia) but the note only says “diabetes stable, continue metformin,” that’s insufficient. There needs to be evidence that hyperglycemia was monitored (recent A1c or glucose readings), evaluated (discussion of control), and treated (medication adjustment or continued management).
The other trap is failing to recapture diabetes annually. HCC conditions reset every year. If a patient had diabetes with nephropathy documented in 2023 but comes in for unrelated visits in 2024 and the diabetes never shows up in your coding, you lose that HCC for the year. The Risk Adjustment Factor (RAF) score drops, payments decrease, and if CMS audits that gap year, they’ll flag coding intensity inflation.
Congestive Heart Failure
Congestive Heart Failure (CHF) is the other constrained category in Version 28, and it underwent a massive expansion. What used to be a single HCC (HCC 85) in Version 24 is now split into five payment HCCs in Version 28 (HCC 222 through 226) based on clinical severity.
Auditors focus on heart failure because it’s simultaneously very common and frequently miscoded. The HCC documentation requirements are strict: specificity about whether it’s systolic, diastolic, or combined, and whether it’s acute, chronic, or acute on chronic. Generic codes like I50.9 (Heart failure, unspecified) leave risk adjustment value on the table and signal weak documentation to auditors.
Consider a scenario that routinely triggers audit findings: a patient comes in for a routine follow-up, the provider lists CHF in the assessment, but the note doesn’t document any monitoring (no BNP, no weight check, no discussion of edema or dyspnea), doesn’t evaluate current status, and doesn’t adjust or continue treatment. MEAT criteria apply just as strictly to heart failure as diabetes.
Organizations also need to watch for coding historical heart failure when it has resolved. If a patient had heart failure five years ago, was treated, and now has normal ejection fraction with no symptoms or medications, CHF codes are no longer supportable. Chronic heart failure means ongoing management, not ancient history.
Chronic Kidney Disease
Chronic Kidney Disease (CKD) stages map to payment HCCs, and specificity matters enormously. Version 28 replaced HCC 138 with more granular categories (HCC 324, 325, 328, 329) based on CKD stage, which means providers must document the stage.
Coding N18.9 (Chronic kidney disease, unspecified) when lab values show estimated glomerular filtration rate (eGFR) is inadequate documentation. If a patient’s eGFR is 28, that’s CKD Stage 4 (N18.4), which maps to a higher-paying HCC than unspecified CKD. More importantly for audit purposes, vague staging suggests the provider isn’t actually managing the condition.
A consistent red flag for auditors is CKD coded without any supporting lab values in the chart. If an organization bills Stage 3 CKD but there’s no creatinine, no eGFR, and no mention of kidney function anywhere in the note, CMS will disallow that code. Similarly, if the eGFR improved and the patient no longer meets criteria for that stage, the old code can’t persist just because it pays more.
COPD and Respiratory Conditions
Chronic Obstructive Pulmonary Disease (COPD), HCC 111 in Version 24 and restructured in V28, gets audited frequently because it’s often coded based on patient history rather than current management. A note that says “patient has a smoking history” doesn’t justify a COPD diagnosis. Auditors expect documented evidence of chronic airflow limitation.
Best practices include referencing spirometry results, describing current symptoms (chronic cough, dyspnea, wheezing), and documenting treatment (inhalers, oxygen, pulmonary rehab). Listing “COPD” in the problem list without addressing it in the encounter doesn’t meet MEAT criteria.
The distinction between acute exacerbations and chronic stable disease also matters. These code differently and carry different weights. If a provider bills COPD with acute exacerbation (J44.1), the documentation needs to show actual exacerbation, not just maintenance on usual inhalers.
Vascular Disease and Peripheral Artery Disease
Vascular disease HCCs expanded significantly in Version 28. What was previously HCC 107 and 108 now includes three new HCCs (263, 264, 267) that focus on severe atherosclerosis of extremities.
The audit risk runs in both directions: providers either undercode (using generic atherosclerosis when specific sites and severity exist) or overcode (billing Peripheral Artery Disease (PAD) when the patient only has hypertension with smoking history). True peripheral artery disease requires documented symptoms (claudication, rest pain, ulcers) or diagnostic evidence (abnormal ankle-brachial index (ABI), imaging showing stenosis).
CMS also tightened amputation status codes. Acquired absence of toe or finger moved to non-payment HCCs in V28. Organizations that relied on those for risk adjustment lost that revenue entirely.
What a Rigorous Internal HCC Audit Looks Like
If an organization is serious about staying ahead of CMS, the internal audit process should mirror what CMS will do. Start by pulling a random sample of charts for patients with high-value HCCs, 50 to 100 records, and dig into the documentation.
Check for MEAT criteria on every chronic condition coded. Was the condition monitored? Evaluated? Was there an assessment of current status? Was treatment provided or continued? All four elements don’t need to appear in every note, but at least one should be clearly documented. MDaudit’s compliance audit workflows are built to structure exactly this kind of review at scale.
Flag unsupported diagnoses. If codes appear on the claim but have no corresponding chart documentation, those represent significant audit liability. Either the coder pulled from a historical problem list without verifying the condition was addressed, or the provider documented it so vaguely that it won’t survive scrutiny. Billing risk analytics can help organizations identify these patterns across large claim volumes before CMS samples them.
Look for unspecified codes when specific information exists in the chart. If a patient has diabetes with documented neuropathy and the organization is only coding E11.9 (Type 2 diabetes without complications), that’s both missed reimbursement and audit risk from inconsistency between clinical care and coding.
Review deletions closely. With CMS’s accelerated audit timeline, they issued tight deadlines for submitting closed period deletions for Payment Years 2020 through 2024. Organizations scrambling to clean up errors before sampling raises concerns, and CMS knows it. If deletions are happening now, document the rationale, whether it was a coding error or an unsupported diagnosis, and track the patterns.
Close Documentation Gaps Before They Become Audit Findings
Running effective internal HCC audits requires more than coding knowledge. It takes auditors who understand both the clinical side (is this diagnosis clinically appropriate?) and the risk adjustment side (does this documentation meet CMS standards?).
MDaudit’s compliance reviews apply the same criteria CMS auditors will use. We identify documentation gaps, unsupported diagnoses, and coding inconsistencies before they become audit findings and extrapolated overpayments. We also provide provider education that goes beyond generic training, working directly with physicians and coders to improve documentation practices for the conditions where the organization carries the most risk. If diabetic patients consistently lack MEAT criteria documentation, we fix that. If heart failure coding is inconsistent, we tighten it up.
For organizations facing imminent RADV audits, our audit response and payer audit management capabilities help manage chart retrieval, review records for accuracy before submission, and prepare appeals when CMS makes incorrect determinations. With record requests jumping from 35 to 200 per plan and timelines compressing, experienced support makes the difference between manageable compliance and significant financial exposure.
Proactive HCC Auditing Is No Longer Optional
CMS’s audit expansion represents the most aggressive enforcement posture in Medicare Advantage history. Every eligible contract will face annual audits. Record samples are quintupling. Extrapolation is real and retroactive to 2018. And with AI-assisted review tools coming online, CMS will surface documentation problems faster than ever.
Organizations can wait for the audit notice and scramble to respond, or they can start auditing high-risk HCC codes now, fix the problems, train providers, and clean documentation before CMS ever looks at the charts.
Those who take the proactive approach consistently perform better in RADV audits. They carry fewer unsupported diagnoses, cleaner documentation, and stronger appeal positions when disputes arise. They also avoid the cash flow disruptions and financial penalties that come with failing a RADV audit in the extrapolation era.
Don’t let CMS be the first to find your documentation problems. MDaudit’s billing compliance programs give organizations the tools and expertise to audit themselves first, and get it right.
