Most people imagine a government audit as a vague menace: stern letters, men with briefcases, trouble. The reality, at least in the corner of American healthcare currently living through the largest audit expansion in its history, is more interesting and more instructive. It is a process, with rules, timelines, and a surprisingly clear definition of what survival looks like.
Understanding that process is worth ten minutes of anyone’s time, because the way the US government audits health insurers has become a template for how large organisations everywhere will be held to their data.
The occasion for the audit
The programme being audited is Medicare Advantage, through which private insurers cover more than thirty million older Americans. The government pays each insurer monthly, adjusted by risk scores built from members’ documented diagnoses. Sicker members bring higher payments, so documentation is money, and for years documentation grew faster than sickness plausibly could. Congressional advisers estimate the resulting excess payments in the tens of billions of dollars annually. Federal reviews published in March 2026 found that 81 to 91 percent of certain sampled diagnosis codes at three plans lacked proper support, and one major insurer settled with the Department of Justice for 117.7 million dollars over how its diagnosis records were assembled.
The audit machinery that responded is called RADV, Risk Adjustment Data Validation, and it has been rebuilt for scale: roughly two thousand certified coders, quarterly cycles, AI-assisted record review, and payment-year 2020 audits underway since February 2026.
The anatomy of the process
The mechanics are almost elegant. The government selects a sample of an insurer’s members, between 35 and 200 depending on contract size. For every diagnosis submitted for those members, the insurer must produce the medical records that support it, within a five-month window. Certified coders then check each record against documentation standards: does the note show the condition was actually monitored, evaluated, assessed, or treated during a real clinical encounter?
Diagnoses that fail become errors. And here is the part that concentrates executive minds: the error rate found in the sample is extrapolated across the entire contract. A 30 percent failure rate in 150 charts becomes a 30 percent clawback on a contract worth hundreds of millions. The sample is small. The consequences are not.
The official RADV audit guidelines set out the full choreography, what triggers selection, how records must be submitted, which documentation passes, how disputes and appeals run, and reading them explains the behaviour of the entire industry right now: insurers are reorganising themselves around the ability to produce, for any diagnosis, on demand, the evidence behind it.
What survival selects for
Talk to compliance teams that have been through the process and a consistent picture emerges of what separates a manageable audit from a catastrophe.
The survivors know their error rate before the government does. They run internal mock audits on their own samples, in both directions, finding unsupported codes and removing them proactively. Arriving at an audit having already corrected your worst findings changes the entire posture of the engagement.
The survivors can find things. A five-month window sounds generous until you are chasing records from four hundred provider offices for care delivered five years ago. Organisations with centralised, indexed, retrievable documentation clear the window comfortably. Organisations running on spreadsheets and email discover that logistics, not medicine, is what fails audits.
The survivors have evidence trails by design. Where AI helped produce a diagnosis, the winning systems stored the source sentence, the rule applied, and the human who confirmed it, so every audited code arrives pre-packaged with its justification. Retrofitting that trail after the audit letter arrives is archaeology under deadline, and it shows.
The transferable lesson
Strip away the healthcare particulars and the RADV template generalises to any organisation whose revenue rests on reported data, which is gradually becoming all of them. Assume a sample of your claims will someday be pulled. Assume the error rate found will be extrapolated. Assume the window to produce evidence will be finite and the examiner unsympathetic.
Then invert those assumptions into design principles: know your own error rate first, correct in both directions before being asked, keep evidence retrievable at the speed of a deadline, and make every consequential number reconstructable years later. Organisations that operate this way describe an unexpected benefit beyond audit survival: their data simply gets better, and decisions built on it get better too.
The audit, it turns out, is just honesty with a schedule. The industries meeting it earliest are writing the manual for everyone else, one five-month evidence window at a time.
