The Whistleblower Factor: Why Internal Coding Practices Are Your Biggest Vendor Risk
The Risk That Comes From Inside
The Aetna DOJ settlement wasn’t triggered by a CMS audit finding. It was instigated by a whistleblower. Janice and Franz Thomas, who was once an Aetna risk adjustment coding auditor, filed the qui tam complaint that resulted in the $117.7 million settlement in March 2026. She received $2.01 million as her share. She had observed the add-only chart review program from inside the organization, understood its design, and concluded that the design inflated payments rather than serving accuracy.

This is what health plan leaders misjudge. External audits are planned and follow a defined process. Whistleblower complaints arrive unannounced, and the people who file them have direct insight into how the program is run, which shortcuts are taken, and what documentation is missing. The qui tam provisions of the False Claims Act give insiders a financial incentive to report, and whistleblowers usually receive 15-30 percent of the recovered money.
When a plan contracts risk adjustment coding to a vendor, the plan’s employees work with the vendor’s output. Internal coders validate it. Quality teams review it. Compliance officers assess it. Any of those individuals who observes a pattern of inadequate validation, an add-only approach, or unsupported coding has both the information and the motive to become the next whistleblower.
Why Vendor Methodology Is an Internal Compliance Issue
Vendor selection is at times treated as a procurement decision rather than a compliance strategy. Procurement handles the contract. Compliance checks the vendor’s certifications and insurance. Operations handles the relationship on a day-to-day basis. However, no one thoroughly assesses whether the vendor’s coding process generates the kind of patterns that a skilled insider would disclose to the DOJ.
Does the vendor conduct add-only reviews? That is the methodology OIG identified as high-risk in February 2026. Does the vendor generate evidence trails for all coding suggestions, or only code lists? That is the documentation gap that renders codes indefensible. Does the vendor’s AI explain its reasoning, or is it a black-box recommendation engine? That is the governance issue CMS specifically addressed in its January 2026 HPMS memo.
These are not procurement questions. They are compliance questions with enforcement consequences. Any answer that falls below the current standard creates internal knowledge of the gap, knowledge that any employee involved in the process can act on.
Building Whistleblower-Resistant Programs
The aim is not to prevent whistleblowing. It is to build programs in which a whistleblower would have nothing material to show. That means every element of the coding process, whether performed in-house or by vendors, must be able to justify itself.
A two-way methodology, which both adds and deletes codes, shows balanced compliance intent. Evidence trails for all coding decisions show that validation, not capture, drives the process. Explainable AI that justifies its reasoning demonstrates that the technology is a support mechanism, not uncontrolled automation. Quality metrics that reward accuracy and volume indicate that the program’s incentive structure emphasizes defensibility.
When a program is run this way, an internal observer sees a compliance function rather than a revenue plan. There is nothing to report, because the design itself is the defense. The coding practice is in line with OIG recommendations. The evidence documentation exceeds what CMS requires. The program can be examined from the inside and recognized as consistent with its intended purpose.
The Vendor Selection Implication
Every vendor hired becomes part of the plan’s internal coding practice. The vendor’s methodology becomes the plan’s methodology in the eyes of regulators and potential whistleblowers. Plans selecting Risk Adjustment Services must evaluate vendors not just on output quality and cost, but on whether the vendor’s approach would survive scrutiny from a knowledgeable insider with a financial incentive to report problems. That is what the Aetna case has cemented, and it applies to every plan that outsources its coding activity.