channelmatter
Case Study · Anonymized · May 2026

They passed every V24 sample. Then CMS asked one question.

A regional MA plan had built risk-adjustment as a submission pipeline, not an audit-defense pipeline. The gap between "code submitted" and "chart defensible" became the entire engagement.

~280K MA members, 3 states $3.4B annual medical spend V28 100% phase-in, PY2026 6-month fractional engagement
7 min
broken state
<60s
after
Show me the chart note that supports this E11.65 code submitted in March 2024.
— CMS pre-audit walkthrough, November 2025. The answer required two queries and a manual reconciliation. CMS's expectation: under two minutes.

The architectural fix

Not more capture tooling — a different data model. The vendor stayed. The capture team kept their workflows. What changed was where responsibility for chain-of-custody lived.

● Broken state — submission pipeline
EHR / Chart
  ↓
Provider abstraction → HCC engine (vendor)
  ↓
Encounter file → CMS

DW: read-only after 18mo
Vendor env: snapshot only,
no diagnosis-level provenance
  • No preserved chain from chart to submission
  • Vendor "why this code" logic was a black box
  • Documentation freshness went unverified
● New state — audit-defense pipeline
EHR / Chart
  ↓
Immutable document store (hash-keyed)
  ├─ Diagnosis candidate + chart-doc hash
  │   ↓ HCC engine → Encounter → CMS
  │     (stores dx-doc hash w/ submission)
  └─ Audit: hash → chart → <90s
  • Immutable, hash-keyed document store of record
  • Every submitted code carries its chart-note hash
  • Pre-submission validation holds weak codes for review

Outcome — after 6 months

The plan did not change risk-adjustment vendors. They didn't capture more codes. They restructured around chain-of-custody.

<60s
to answer a CMS sample query, vs. ~7 minutes before
4.2%
of codes caught pre-submission that would have failed an OIG sample
0
unsupported codes in the Q1 2026 CMS sample (of 850 reviewed)
$4.1M
estimated V28 clawback exposure avoided

Five lessons that generalize

Patterns worth knowing whether you're at this plan or any peer plan.

Treat audit-defense as a first-class data model

The shape needed to "submit a code correctly" differs from "prove this code was supported." Don't bolt defense onto submission infrastructure.

Chart-note hashing is cheap and high-leverage

Immutable document hashing costs <$10K in engineering. The audit-response improvement is 10–100×.

The vendor environment is not your defense

When CMS asks for documentation, the vendor's audit trail is hearsay unless you have your own. They report what they received; you prove what was true.

Pre-submission validation prevents the OIG finding

A code held for review is a code not submitted — and a code not submitted is a code not unsupported. Economics favor over-validation.

The fix lives at the data-model layer

Not the HCC engine, chart abstraction, or encounter format. It's the binding between submission and documentation that must be preserved.

Prepping for a CMS sample — or auditing your own architecture?

I run fractional CTO engagements with mid-size MA plans, Medicaid MCOs, and provider-aligned payers on V28 audit-defense architecture, risk-adjustment vendor selection, and OIG-sample readiness. Most engagements run 6 months at $20–30K/month.

Book a 30-minute review steveni@channelmatter.com