The Vendor You Choose Is the Risk You Carry
When a health plan outsources any part of its risk adjustment coding, the plan retains full liability for what gets submitted to CMS. The vendor does the work. The plan bears the consequences. If the vendor’s methodology is add-only, the plan faces the same regulatory exposure as if it designed the program itself. If the vendor’s documentation validation is inadequate, the plan pays the settlement.
This isn’t hypothetical. The DOJ’s enforcement actions against Kaiser ($556 million) and Aetna ($117.7 million, March 2026) involved coding programs executed by or in partnership with external vendors and service organizations. The plans, not the vendors, paid the settlements. The regulatory framework doesn’t distinguish between internally produced and externally produced coding errors. It cares about what was submitted and whether the evidence supports it.
That makes vendor selection a compliance decision with potentially nine-figure consequences. The cheapest per-chart rate or the highest projected RAF uplift is irrelevant if the vendor’s methodology produces codes that can’t survive an audit.
The Due Diligence Checklist for 2026
Start with methodology. Does the vendor run two-way chart reviews that identify both missed diagnoses and unsupported codes? Or is the program add-only? OIG’s February 2026 Industry-wide Compliance Program Guidance specifically named add-only chart reviews as a high-risk practice. Any vendor still operating that model is a direct regulatory risk to every plan that uses them.
Evaluate the evidence trail. When the vendor delivers coding recommendations, does each code come with documentation showing the specific clinical language that supports it, the MEAT criteria satisfied, and the reasoning behind the recommendation? Or does the deliverable consist of a spreadsheet listing codes and HCCs without supporting evidence? The difference between those two outputs determines whether the plan can defend the codes when audited.
Assess AI governance. If the vendor uses AI-assisted coding (most do), ask whether the AI is explainable. Can your compliance team see how the AI reached each recommendation? Can the vendor demonstrate that its AI produces consistent, auditable output? Systems where the AI operates without transparent reasoning create ungoverned automation risk that regulators are increasingly focused on.
Test audit readiness. Does the vendor’s output align with CMS RADV submission specifications? Can the work product be used directly for audit defense, or does your team need to rework it? Does the vendor support mock audits or defensibility scoring? The gap between “coding complete” and “audit-ready” determines how much internal effort the plan invests in cleaning up vendor output.
Technology Plus Expertise, Not One or the Other
The strongest vendor models combine scalable technology (explainable AI, automated MEAT validation, two-way coding engines) with certified coding expertise (CRC, CPC, or CCS-credentialed coders who validate AI output and apply clinical judgment). Neither technology alone nor manual services alone produces the quality and scale that the current environment demands.
Technology without expert oversight produces speed without clinical judgment. Manual services without technology produce quality at volumes that don’t scale. The combination produces validated, defensible coding at the volumes health plans need, with evidence trails that hold up under scrutiny.
Plans should ask vendors to demonstrate their human-in-the-loop process. How do coders interact with AI recommendations? What’s the override rate? How are disagreements between AI and coder resolved? The answers reveal whether the vendor treats AI as a decision-support tool or an automation engine. The distinction matters to regulators and to audit outcomes.
Selecting Partners for the Settlement Era
The vendor landscape is splitting into two categories: organizations that restructured their methodology for the current enforcement environment and organizations still operating programs designed for the revenue-first era. Plans selecting risk adjustment services in 2026 need to identify which category each vendor falls into before signing a contract. The evaluation criteria are defensibility, two-way methodology, evidence quality, and AI governance. Everything else is secondary to those four factors. The cost of choosing wrong is measured in settlement figures, not contract terms.

