
Understanding CMS Compliance Requirements: A 2026 Guide for Medicare Advantage Plans

Sevana Health Team

May 16, 2026

CMS compliance requirements for Medicare Advantage and Part D plans were materially reset by the November 2025 Program Audit memo. Scoring is gone, the old ICAR/ORCA finding classifications are retired, the new CAR/Observation/IDS framework is in place, and CPE evaluation has shifted to a collaborative model. This guide covers what compliance teams need to know about the current requirements.

The 2026 audit framework at a glance

For more than a decade, CMS audited Medicare Advantage and Part D sponsors using a scoring system and the ICAR/ORCA finding structure introduced in 2012. CMS concluded that approach did not fully reflect a sponsor's compliance posture, and retired it for the 2026 audit cycle. The replacement is a three-class finding framework:

CAR

Corrective Action Required. A noncompliance finding that requires a documented corrective action plan to strengthen controls or resolve enrollee impact.

Observation

A noncompliance finding that does not require a CAP. Sponsors should monitor to ensure ongoing compliance and prevent recurrence.

IDS

Invalid Data Submission. Cited when the sponsor cannot produce an accurate or complete universe after three submission attempts.

For a detailed look at why IDS has become the most consequential of the three for universe data quality, see our post on Invalid Data Submission in 2026. For the full breakdown of what changed, see the 2026 CMS Program Audit changes overview.

Universe file submission requirements

CMS universe files remain the core data submission that compliance teams need to get right. Five protocols carry their own tables, field requirements, and validation rules:

  • ODAG (Organization Determinations, Appeals, Grievances): six tables covering coverage decisions, appeals, payments, effectuations, grievances, and the AIP table for D-SNPs. Detailed walkthrough in our ODAG universe table-by-table guide.
  • CDAG (Coverage Determinations, Appeals, Grievances): the Part D mirror of ODAG with its own field nuances. See our CDAG universe guide.
  • FA (Formulary Administration): specific data on formulary coverage decisions, exceptions, and exclusions. See our FA universe guide.
  • SNPCC (Special Needs Plan Care Coordination): for D-SNP and other SNP types, captures care coordination activities. See our SNPCC compliance guide.
  • CPE COA (Compliance Program Effectiveness, Compliance Oversight Activities): the universe that now drives Collaborating on Compliance discussions. See our CPE COA universe deep dive.

Each protocol has hundreds of validation rules. Across all five, the rule count crosses 1,600. Common submission errors that trigger CMS feedback include:

  • Incorrect date formats, invalid date ranges, or sequencing errors across linked tables
  • Missing required fields, improper field lengths, or invalid codes against the current CMS specs
  • Duplicate records, inconsistent member identifiers, or mismatched case IDs across tables
  • Misaligned category codes, resolution types, or timeliness calculations
  • Failures in the OD-to-Reconsideration-to-Effectuation chain that surface only when tables are cross-validated

The three-attempts-then-IDS rule makes pre-submission validation critical. The CMS Universe Scrubber validates all five protocols against the current CMS specifications and surfaces errors row by row, so issues are caught and corrected before the first submission attempt.

Compliance Program Effectiveness under Collaborating on Compliance

The old CPE model was a punitive exercise: findings, three-business-day corrective action plans, and back-and-forth on remediation. The 2026 memo replaces that with Collaborating on Compliance, a discussion-based model where auditors and the sponsor's compliance team work from the sponsor's own oversight data.

The COA universe still has to be submitted, and it now matters more, not less. It is the evidence base for the conversation. A well-populated COA universe with documented oversight activities supports a productive discussion. A thin COA universe leaves the compliance team defending gaps instead of demonstrating capability.

What this means in practice: monthly and quarterly oversight has to be captured as it happens, not assembled in audit-prep week. The Compliance Metrics module and the Compliance Work Plan together capture the oversight activities and corrective actions that produce a real COA story.

Audit-ready operations year-round

Plans that treat audit readiness as a continuous operation rather than an annual sprint consistently fare better in fieldwork. The core requirements are:

Universe data accuracy

Validate universe files against the current CMS specifications before each submission window, not after CMS rejects them.

Documented oversight

Capture auditing, monitoring, and investigation activities as they happen, tied to the operational areas they cover.

Memo-to-policy traceability

Maintain a clear chain from each HPMS memo to affected policies to operational implementation, with acknowledgments captured along the way.

Delegated entity measurement

Track per-entity error rates, iteration counts, and recurring failure modes. The plan is accountable for delegated work, so the data has to be reviewed monthly.

Active CAR resolution

Any CAR carries through to evidenced resolution. Open corrective actions are a primary fieldwork topic.

Risk assessment cadence

Formal risk assessments per OIG and CMS expectations, with mitigation tracked through completion. See our Risk Assessment module.

Best practices for staying compliant

  1. Validate before you submit. The three-attempts-then-IDS rule punishes plans that treat the first submission as the validation step. Catch errors row by row before the file reaches CMS.
  2. Treat the COA universe as a living artifact. Capture oversight activities continuously. The quality of your COA submission shapes every conversation auditors will have with your compliance team.
  3. Measure delegated entities, do not just contract them. For more on what good measurement looks like, see our piece on measuring TPA performance with universe file data.
  4. Make memo-to-policy traceability automatic. Manual cross-referencing of HPMS memos against a P&P library breaks down quickly. Tooling here is no longer optional at scale.
  5. Track corrective actions to documented resolution. Open CARs and unresolved findings carry forward into the next audit cycle.

Key takeaways

  • The 2026 audit framework retired scoring and ICAR/ORCA, replacing them with CAR/Observation/IDS
  • IDS findings, triggered after three failed universe submission attempts, are the new fail state for data quality
  • CPE evaluation now happens through Collaborating on Compliance, with the COA universe as the foundation
  • Continuous oversight beats annual audit-prep sprints, both for compliance quality and for the conversations auditors will have
  • Pre-submission universe validation, memo-to-policy traceability, and measured delegated entity oversight are now the baseline expectations

The 2026 requirements are not necessarily harder than what came before, but they are different. Plans that adapted their tooling and processes to the new framework are running their compliance programs more smoothly than plans still operating on the 2024 playbook.
