Top Themes & Takeaways from the 2026 HCCA Managed Care Compliance Conference
- Jordan Flynn
- 2 minutes ago
- 3 min read
The 2026 HCCA Managed Care Compliance Conference made one thing clear: compliance in managed care is no longer a static, check-the-box function. It is rapidly evolving—shaped by advancing technology, heightened regulatory scrutiny and growing expectations that compliance teams operate as strategic risk partners across Medicare, Medicaid and commercial lines of business.
Across sessions, speakers emphasized the need for compliance programs that are proactive, operationally embedded, and audit-ready by design—not reactive to enforcement actions or engagement letters.
Below are the key themes compliance leaders should be paying attention to now.
AI in Managed Care: Opportunity Meets Accountability
Artificial intelligence (AI) was a central focus of this year’s conference, particularly its expanding role in audit support, risk adjustment, utilization management, and compliance monitoring. While many organizations are eager to leverage AI-driven efficiencies, regulators are equally focused on how these tools are governed, monitored, and controlled.
Sessions consistently reinforced that AI does not replace compliance accountability—it increases it.
The “Four Knows” of AI Governance
A recurring framework discussed across sessions was the importance of four foundational principles for responsible AI use:
Know your models. Organizations must understand how their AI systems function in order to identify risks, measure performance, and detect failures or unintended consequences.
Know your inputs and outputs. Transparency into the data AI consumes and produces is essential for trust, defensibility, and audit readiness.
Know how you monitor accuracy and outcomes. Compliance should ensure frequent audits and monitoring to assess patient impact, measure outcomes, and validate accuracy.
Know the regulatory landscape. AI-related policies are evolving quickly. Compliance strategies must be continuously updated to reflect new state and federal requirements.
Additional practical takeaways included:
Conducting robust due diligence on AI vendors, including data handling and compliance controls, before adoption.
Preparing for new state-level requirements, including physician review mandates stating that AI cannot be used to deny claims or prior authorizations.
Regulatory Change and Emerging Risk Areas
Beyond AI, the conference reinforced that traditional compliance risks—regulatory audits, fraud and abuse, program integrity, and vendor oversight—remain top priorities. What’s changing is how regulators expect plans to operationalize compliance.
The emphasis has shifted from policy documentation to demonstrable execution.
CMS Audit Preparedness: A New Standard for 2026
CMS shared significant updates on audit expectations, particularly for 2026, where compliance review is now embedded directly into program area audits, including ODAG, CDAG, FA, and SNPCC.
Key areas of focus include:
How compliance actively prevents, detects, and corrects noncompliance
Whether root causes are truly resolved—not just documented
Evidence that corrective actions are effective and sustainable
The strongest performers, speakers noted, treat audit readiness as an ongoing operating model rather than a response to an audit notice.
Best practices repeatedly highlighted included:
Formal, enterprise-wide risk assessments that drive monitoring and auditing workplans
Routine, independent monitoring and auditing—including first-tier, downstream, and related entities (FDRs)
Regular mock audits, universe validation, and tracer exercises
A documented audit playbook outlining roles, escalation paths, and communication protocols
Delegation and FDR Oversight: Still the Biggest Risk
Delegation oversight remains one of the most cited sources of CMS findings and enforcement actions.
CMS data presented during the conference reinforced that:
Sponsors remain fully accountable for FDR compliance
Many recent CPE findings stem from failures to detect issues at delegated entities
Common triggers for findings and CMPs include untimely notices, regulatory misinterpretation, and ineffective escalation
CMS expects plans to demonstrate:
Risk-based FDR selection
Active, ongoing monitoring and auditing
Timely remediation driven by sponsor oversight—not vendor self-attestation
Compliance Leadership and Board Communication
Another strong theme was the evolving role of compliance leadership. Sessions emphasized that compliance is no longer just an operational function—it is an enterprise risk discipline.
Effective communication with executive leadership and Boards is now essential. Compliance leaders must be able to translate regulatory risk into business impact, support informed decision-making, and position compliance as a strategic partner rather than a control function.
SNP Compliance: Evidence Over Narrative
Special Needs Plans (SNPs) received focused attention, particularly around audit readiness and data integrity.
Key lessons included:
CMS approval of a Model of Care (MOC) does not guarantee audit success. NCQA evaluates narrative quality; CMS audits evidence.
Every MOC commitment must be supported by timestamped, auditable data.
CMS’s updated audit framework elevates universe accuracy and weak data controls as high-impact risks.
The shifted MOC timeline requires earlier alignment across clinical, compliance, and bid strategy teams—late fixes are no longer viable.
Vague or aspirational MOC language creates audit exposure. Precise, operational commitments perform better.
Audit-ready SNPs design workflows that generate documentation as a byproduct of care, not an after-the-fact exercise.
Final Takeaway
The overarching message from the 2026 HCCA Managed Care Compliance Conference was clear: compliance programs must evolve alongside technology, regulation, and operational complexity. Organizations that embed compliance into daily operations—supported by strong governance, data integrity, and leadership engagement—will be best positioned to navigate audits, enforcement, and the growing use of AI in managed care.