Due Diligence in the Settlement Era: What Boards Should Ask About Coding Vendors
The Board-Level Question
Risk adjustment vendor relationships used to be operational decisions managed by coding directors and procurement teams. The combined $670+ million in DOJ settlements against Kaiser and Aetna elevated them to board-level governance concerns. When a vendor’s coding methodology can generate a nine-figure liability for the plan, the board needs visibility into how vendors are selected, governed, and evaluated.
Most boards receive minimal information about risk adjustment vendor practices. They see financial results: revenue recovered, cost per chart, and RAF score trends. They don’t see methodology details: whether vendors run add-only or two-way reviews, whether evidence trails meet audit standards, whether AI governance is adequate, or whether vendor output has been independently validated against MEAT criteria. The financial reporting looks healthy. The compliance exposure is invisible.
The Aetna whistleblower case illustrates why this matters at the board level. The $117.7 million settlement resulted from internal coding practices that operational staff knew about but that the board may never have had visibility into. Board members have fiduciary responsibilities that include understanding material regulatory risks. Risk adjustment vendor methodology, in the current enforcement environment, qualifies as a material regulatory risk.
Five Questions for the Next Board Meeting
First: Do our coding vendors operate two-way chart reviews? If the answer is add-only, explain that OIG named this as a high-risk practice in February 2026 and that both major DOJ settlements involved add-only programs. The board needs to understand the direct connection between methodology and enforcement exposure.
Second: Can we produce an evidence trail for any submitted diagnosis within 48 hours? If the answer requires assembling data from multiple systems and vendors, the plan isn’t audit-ready. RADV response windows are measured in months, but the ability to quickly access evidence determines the quality of the response.
Third: Have we independently validated our vendors’ coding accuracy? Vendor-reported accuracy rates are self-assessments. Independent validation by the plan’s compliance team, using MEAT criteria applied to a random sample of vendor output, reveals whether reported quality matches actual quality.
Fourth: What is our delete rate? If the board has never seen this metric, the plan likely doesn’t track it. A zero or near-zero delete rate is the statistical signature of an add-only program.
Fifth: Does our D&O insurance cover risk adjustment enforcement actions? Settlement amounts in the hundreds of millions create exposure that extends to individual board members. Insurance coverage and indemnification provisions should be reviewed in light of the current enforcement precedent.
Governance Structure Recommendations
Board-level governance of risk adjustment doesn’t mean the board manages vendor relationships. It means the board receives regular reporting on compliance-relevant metrics: two-way coding rates, defensibility scores, delete rates, vendor methodology audits, and audit readiness assessments. This reporting should be as standard as financial reporting, because in the current environment, compliance risk is financial risk.
An annual independent review of the plan’s risk adjustment program, encompassing vendor methodology, AI governance, evidence trail quality, and population-level coding patterns, should be presented to the audit committee or full board. This review should be conducted by compliance or legal, not by the operational team that manages the vendors, to ensure an independent assessment.
The Fiduciary Imperative
Board members who haven’t asked about risk adjustment vendor methodology are governing without visibility into one of the plan’s largest regulatory risk exposures. Coding vendors selected without board-level due diligence, governed without board-level oversight, and evaluated without board-level reporting represent exactly the kind of material risk that fiduciary obligations require boards to understand. The settlement precedent is set. The question is whether the board learns from other organizations’ enforcement outcomes or from its own.
