Medicare Advantage Risk Adjustment Payment Authority Failure Through Diagnosis Codes Generated by Third-Party Vendor Without Correspondence to Clinical Encounter Documentation at Independent Health and DxID LLC

Medicare Advantage plan sponsors receive risk-adjusted capitated payments from CMS based on the documented health status of enrolled beneficiaries. The risk adjustment system uses diagnosis codes submitted by plan sponsors to calculate each member's risk score — a higher-acuity score produces a higher per-member per-month payment. The codes are supposed to reflect conditions documented by clinicians during qualifying encounters within the relevant data collection period. The plan sponsor is responsible for the accuracy of the codes it submits. The payment credential is the submitted diagnosis code. It authorizes the risk-adjusted transfer.

To identify additional diagnoses that might not have been captured in routine clinical documentation, plan sponsors frequently engage retrospective coding vendors — companies that review member medical records and identify diagnoses that could be added to risk adjustment submissions. The vendor's output becomes the basis for additional code submissions. The vendor produces the credential. The plan submits it. CMS pays on it. The clinical encounter that the credential is required to represent is not verified at any point in that chain.

DOJ announced in December 2024 that Independent Health and its coding subsidiary DxID LLC agreed to pay up to $98 million to resolve False Claims Act allegations arising from a whistleblower suit filed in 2012. The government alleged that DxID systematically generated diagnosis codes that did not correspond to qualifying clinical encounters: coding from sources that did not meet CMS requirements, adding codes for conditions patients were not treated for during the relevant period, and sending addenda to providers requesting that they add diagnoses to records months or years after the encounters had concluded. Independent Health submitted those codes to CMS as the basis for risk-adjusted payments. The payments followed.

The case settled twelve years after the whistleblower's initial filing and four years after DOJ intervention. DxID's CEO, Betsy Gaffney, paid $2 million separately as part of the resolution. The settlement amount was structured based on Independent Health's ability to pay, with guaranteed minimum payments and contingent additional amounts tied to the organization's financial performance.

The diagnosis code as risk adjustment credential has a single correspondence requirement: it must reflect a condition documented by a clinician during a qualifying encounter. When a retrospective coding vendor generates the code, that correspondence requirement applies to the vendor's output just as it applies to codes generated directly from clinical documentation. The vendor's review of a member record does not substitute for the clinical encounter. It is supposed to identify diagnoses that the encounter produced but that were not captured in the original submission. When it generates codes for conditions the encounter did not produce, the credential is false at the point of generation — before it is submitted, before CMS processes it, and before the payment is made.

This case introduces a structural condition distinct from the Aetna case (108). There, the plan sponsor submitted or retained codes it knew to be unsupported. Here, a vendor operating at a layer removed from the clinical encounter generated codes that did not correspond to clinical reality, and the plan submitted them. The correspondence gap exists at two points: between the vendor's output and the underlying clinical record, and between the submitted code and the clinical encounter it purports to represent. CMS has no mechanism to verify either gap at the point of payment. The credential moves through both layers. The clinical encounter it represents is absent at both.

The addenda practice compounds the failure structurally. By sending requests to providers months or years after service dates, DxID created a mechanism through which the credential could be retroactively manufactured: a provider who received an addenda request and signed it produced a document that appeared to establish clinical support for the code — without the clinical encounter having occurred. The credential was not merely unsupported. It was engineered to appear supported.

The $98 million settlement resolved allegations spanning more than a decade of alleged conduct. Independent Health entered a five-year Corporate Integrity Agreement requiring annual independent review of a sample of member medical records and internal risk adjustment controls. The CIA is the government's mechanism for imposing post-hoc verification on a process that lacked it during the period of alleged misconduct. DxID ceased operations. DOJ's enforcement posture on Medicare Advantage risk adjustment coding vendors has intensified — the Independent Health settlement follows the Kaiser Permanente resolution ($556 million, January 2026) and the Aetna resolution ($117.7 million, 2025), establishing a pattern of enforcement across plan types and coding methodologies. The coding vendor as a distinct point of liability is now confirmed in the enforcement record.

• Independent Health and DxID settled False Claims Act allegations for up to $98 million in December 2024, resolving claims that DxID generated diagnosis codes from improper sources, for conditions patients were not treated for, and through retroactive addenda sent to providers months or years after service dates — in each instance, the risk adjustment credential was generated without correspondence to a qualifying clinical encounter
• The retrospective coding vendor introduces a second correspondence gap into the risk adjustment credential chain: between the vendor's output and the underlying clinical record, and between the submitted code and the clinical encounter it purports to represent — CMS has no mechanism to verify either gap at the point of payment
• The addenda practice is structurally distinct from standard upcoding: by soliciting provider signatures on retroactive record additions, DxID engineered documents designed to make unsupported codes appear supported — the credential was manufactured to look like it had correspondence it did not have
• The settlement was structured on ability to pay, with Independent Health guaranteeing $34.5 million in minimum payments and contingent additional amounts — the gap between the guaranteed minimum and the $98 million ceiling reflects the scale of the alleged conduct relative to the organization's financial capacity
• DxID's CEO paid $2 million separately, establishing individual liability at the executive level for a coding vendor's systematic generation of unsupported risk adjustment credentials
• The coding vendor as a distinct point of risk adjustment fraud liability is now confirmed across the enforcement record: Independent Health/DxID (December 2024), Kaiser Permanente ($556 million, January 2026), and Aetna ($117.7 million, 2025) collectively establish that the credential correspondence failure operates across plan types, vendor relationships, and coding methodologies