Liability Doesn’t Stop at the Contract
When a health plan hires a coding vendor, the contract defines the commercial relationship. But it doesn’t define the regulatory relationship. CMS holds the plan responsible for every code submitted under its contract, regardless of who produced it. If a vendor’s chart review generates an unsupported diagnosis that CMS later finds discrepant in a RADV audit, the plan pays the recoupment. If a vendor’s add-only methodology produces the coding patterns the DOJ targets, the plan pays the settlement.
Over $670 million in DOJ settlements from two organizations in the past two years involved coding programs executed through vendor partnerships. The vendors didn’t write the settlement checks. The plans did. That precedent established a clear liability chain: the plan owns the regulatory consequences of every coding decision, and the vendor relationship doesn’t transfer that ownership.
Where the Liability Chain Breaks
Most plans govern vendors through periodic quality reviews, contract provisions, and deliverable acceptance. The weakness in this governance model is that it evaluates output after the fact rather than governing methodology in real time. A quarterly quality review catches errors from last quarter. It doesn’t prevent the same methodology from producing the same errors this quarter.
The deeper problem is visibility. Plans often don’t see how the vendor makes coding decisions. They see the deliverable: a list of recommended codes with supporting documentation. But the methodology behind that deliverable (how the AI evaluated the chart, what evidence thresholds it applied, whether it looked for deletions or only additions) remains inside the vendor’s system. The plan accepts output without full visibility into the process that created it.
When that process produces problematic patterns, the plan discovers the problem through audit findings or enforcement actions, not through governance. By that point, the codes are already submitted, the data is in CMS’s system, and the liability has materialized.
Real-Time Methodology Governance
Closing the liability gap requires shifting from output-based to methodology-based governance. Plans should require vendors to provide access to AI decision logic, evidence mapping protocols, and MEAT validation thresholds. The plan’s compliance team should be able to audit the vendor’s methodology in real time, not just review sample output retrospectively.
Contract provisions should include methodology audits, not just quality audits. A quality audit asks “did the vendor produce accurate codes?” A methodology audit asks “does the vendor’s process produce defensible codes by design?” The distinction matters because a process that produces accurate codes 85% of the time still produces indefensible codes 15% of the time, and at scale, that 15% can generate millions in recoupment exposure.
Deletion tracking should be a contractual requirement. The vendor must report its add-to-delete ratio across all charts reviewed for the plan. If deletions are zero or near-zero relative to additions, the methodology is add-only, and the plan is accumulating the exact liability pattern DOJ enforcement targets.
The Governance Standard for 2026
Plans evaluating risk adjustment companies should apply one overarching test: can you see inside the vendor’s methodology, audit its AI logic, verify its evidence thresholds, and confirm its two-way coding activity in real time? Vendors that pass this test are governable partners. Vendors that don’t are black boxes where coding decisions you can’t examine create regulatory consequences you can’t avoid. The liability chain runs from CMS through the plan to the vendor, and the plan pays at every break in the chain where governance doesn’t reach.