Posted on

May 7, 2026

Texas Medical Board Rule 165.1: AI Scribe Update 2026 Compliance Operations Playbook for Medical Directors

Posted on

May 14, 2026

Texas Medical Board Rule 165.1: AI Scribe Compliance Operations Playbook (2026)

  • What TMB Rule 165.1 Actually Requires—Beyond a Signature

  • The Information Gain Gap—What CMS Guidance and Competitors Miss

  • Scribing.io Clinical Logic—Handling the Clone-Note Audit Scenario

  • Technical Reference: ICD-10 Documentation Standards

  • FHIR Provenance Architecture—EHR-Level Authorship Implementation

  • Anti-Clone Variance Engine—Technical Specification

  • WORM Retention Architecture and 7-Year Compliance

  • Implementation Checklist for Medical Directors

TL;DR: Texas Medical Board Rule 165.1 mandates demonstrable physician authorship and individualized clinical documentation—not generic AI-templated notes. While CMS's 2025 signature guidance (MLN905364) addresses who signs, it entirely ignores what was signed, clone-note detection, scribe identification at the EHR data layer, and state-specific medical record integrity standards. Scribing.io closes every gap with FHIR Provenance records, anti-clone variance enforcement, visible attestation headers, and WORM-archived audit trails that satisfy both TMB §165.1 and federal payer requirements simultaneously. See Scribing.io Pricing.

What TMB Rule 165.1 Actually Requires—Beyond a Signature

Texas Medical Board Rule 165.1 (22 TAC §165.1) establishes that a "medical record" must constitute an accurate, contemporaneous account of care that demonstrates physician authorship—not merely physician signature. If you are a Medical Director overseeing an ambulatory practice in Texas, this distinction determines whether your AI scribe deployment exposes your physicians to Board discipline or insulates them from it.

Scribing.io was engineered specifically to satisfy this authorship standard at the EHR data layer—not through policy documents or training modules, but through technical controls that make non-compliant documentation architecturally impossible to finalize. The platform writes a FHIR Provenance record per encounter, inserts visible attestation headers, enforces anti-clone variance thresholds, and WORM-stores signed attestation packs for the full 7-year Texas retention window.

See our TMB 165.1 Authorship + Anti-Clone engine live: automated FHIR Provenance, forced individualized findings, Epic/Athena audit-trail mapping, and 7-year WORM attestation pack. Book a 15-minute demo.

| TMB §165.1 Element | Requirement | AI Scribe Implication |
|---|---|---|
| Physician Authorship | The record must reflect the physician's own clinical judgment and individualized findings | Auto-generated text lacking patient-specific assessment violates authorship |
| Scribe Identification | Any person or device acting as a scribe must be identified in the record | AI tools functioning as transcribers require explicit identification per encounter |
| Record Integrity | Notes must not be "generic cloned templates" absent individualized assessment | Identical ROS/PE language across multiple encounters constitutes a violation |
| Retention & Immutability | Records maintained minimum 7 years in unaltered form | Audit trails must be tamper-proof and accessible for the full retention window |

The federal CMS signature guidance (MLN905364, July 2025) explicitly states: "You don't need to document who or what transcribed the entry." This creates a dangerous compliance gap for Texas physicians. TMB §165.1 imposes a stricter standard: the scribe—whether human or AI—must be identifiable within the record, and the physician must demonstrate that individualized clinical reasoning drove the note content, not a templating engine.

A signed clone note satisfies CMS. It does not satisfy Texas. Medical Directors who assume federal guidance preempts state rules are building audit exposure into every encounter.

For how other states handle AI scribe regulations with different authorship frameworks, see our coverage of California AI Laws.

The Information Gain Gap—What CMS Guidance and Competitors Miss

CMS's MLN905364 fact sheet—the dominant federal reference on documentation signatures—addresses a narrow question: Did the treating physician sign and date the note? It was updated in July 2025 to add a single sentence about AI: "If you use a scribe, including artificial intelligence technology, sign the entry to authenticate the documents and the care you provided or ordered."

That sentence is the entirety of CMS's AI scribe guidance. Here is what it—and every vendor relying solely on it—fails to address:

  1. No clone-note detection requirement. CMS does not define what constitutes a validly authored note versus a rubber-stamped template. It treats all signed notes as presumptively authentic. The OIG, however, routinely pursues False Claims Act cases rooted in cloned documentation.

  2. No EHR-level provenance specification. The guidance references "protections against modification" but specifies no technical standard (FHIR Provenance, HL7 signatures, or otherwise) for documenting which system generated note text.

  3. No scribe identification at the data layer. CMS explicitly states identification of the scribe is unnecessary—directly contradicting TMB §165.1 and at least 11 other state medical board record-integrity rules.

  4. No cross-encounter variance analysis. Payer Special Investigation Units (SIUs) routinely flag clone notes for E/M recoupment audits using statistical text-similarity algorithms, yet CMS provides no proactive compliance framework for preventing flags.

  5. No state-specific medical record integrity mapping. Texas, California, and other states impose authorship and integrity standards that exceed CMS's baseline. The federal guidance is silent on this hierarchy.

The AMA's Augmented Intelligence Policy (H-480.940) recommends that AI tools in clinical documentation preserve physician oversight and accountability—but provides no technical implementation specification. The gap between policy aspiration and operational reality is where compliance failures occur.

Scribing.io's original contribution to closing these gaps:

  • FHIR Provenance per encounter: Each note generates a standards-compliant FHIR Provenance resource with agent.role = author (physician) and agent.role = transcriber/device (Scribing.io), written directly to Epic, athenahealth, or any FHIR R4-capable EHR.

  • Visible attestation header: Every note contains: "Prepared with Scribing.io; authored and finalized by [Physician Name], [date/time/timezone]"—satisfying both CMS authentication and TMB scribe identification in a single artifact.

  • Anti-clone variance thresholds: Proprietary algorithms compare ROS, PE, and MDM text across the physician's recent encounters. If similarity exceeds defined thresholds, the system blocks finalization and prompts individualized voice-confirmation of findings.

  • WORM-stored attestation and diff logs: Signed attestations and cross-encounter difference reports are stored in Write-Once-Read-Many format for Texas's mandated 7-year retention period, ensuring immutability for audits.

This architecture generates affirmative evidence of physician authorship that can be produced during payer audits or Board inquiries—not a defense constructed after the fact, but a compliance artifact created at the moment of documentation.

Learn more about our privacy and compliance architecture: Safety & Privacy Guide. For 2026 federal privacy developments affecting AI scribes, see our HIPAA 2026 Update.

Scribing.io Clinical Logic—Handling the Clone-Note Audit Scenario

The Scenario

A Houston internist adopts an AI scribe that outputs near-identical ROS/PE text across 62 visits. A payer SIU flags clone notes and initiates a $52,000 E/M recoupment; the TMB opens a §165.1 investigation citing lack of physician authorship and no scribe identification. The physician faces simultaneous financial liability and licensure risk.

Anchor Truth

Under TMB 165.1, the "Medical Record" must demonstrate "Physician authorship"; AI notes that use "Generic Cloned Templates" without individualized assessment findings are a violation of TX medical record integrity rules.

Without Scribing.io: Anatomy of a Compliance Failure

| Stage | What Happens | Financial/Regulatory Exposure |
|---|---|---|
| AI note generation | Generic template auto-populates 14-point ROS and 8-system PE with identical language across encounters | No individualized findings documented; statistical clone signature created |
| Physician sign-off | Physician clicks "Sign" without modification; no scribe identification present | CMS signature technically satisfied; TMB authorship NOT satisfied |
| Payer SIU audit | Statistical analysis detects >95% textual similarity across 62 encounters | $52,000 recoupment demand; potential referral to OIG |
| TMB inquiry | Board examiner notes identical notes, no scribe identification, no provenance | §165.1 violation; potential disciplinary action, CME requirements, probation |
| Resolution attempt | Physician cannot produce evidence that individualized assessment occurred | Recoupment finalized; Board remediation order issued; malpractice premium increase |

With Scribing.io: Step-by-Step Compliance Architecture

| Stage | Scribing.io Action | Compliance Result |
|---|---|---|
| 1. Ambient capture | Patient-physician conversation transcribed in real time; AI drafts note from actual encounter language, not a template library | Note text inherently varies per encounter because source material varies |
| 2. Anti-clone check | System compares draft ROS/PE/MDM to physician's last 30 encounters using section-level cosine similarity and n-gram overlap analysis | Similarity exceeding threshold (configurable; default 72%) → finalization blocked |
| 3. Voice-prompted individualization | Physician confirms specific abnormal findings via voice prompt; default "all normals" blocked without explicit per-system confirmation; system requires minimum 3 individualized data points per note section | Individualized assessment documented with physician-voiced confirmation audit trail |
| 4. Attestation header insertion | Note header auto-populated: "Prepared with Scribing.io; authored and finalized by Dr. Alvarez, 08/12/2026 16:42 CT" | TMB scribe identification + CMS authentication requirement satisfied in single artifact |
| 5. FHIR Provenance write | Provenance resource written to Epic FHIR server: agent[0].role=author (Dr. Alvarez), agent[1].role=device (Scribing.io) | EHR-level machine-readable provenance accessible to any authorized auditor |
| 6. Anti-Clone Report generation | Cross-encounter diff report generated showing textual variance percentages, unique clinical findings per note, and individualization score | Affirmative evidence of note variance available for audit production |
| 7. WORM storage | Signed attestation + diff logs + voice confirmation hash stored immutably for 7+ years in SOC 2 Type II certified infrastructure | Texas retention requirement satisfied; tamper-proof for Board or payer review |
| 8. Audit response | Practice produces FHIR Provenance records + Anti-Clone Report + attestation pack within 48 hours of audit request | Payer closes audit with no recoupment; TMB inquiry dismissed |

Why This Matters Operationally

Research published in JAMA Health Forum (2024) documented that documentation-related audit actions increased 34% between 2022 and 2024, with AI-generated notes representing a growing proportion of flagged records. Payer SIUs now deploy NLP-based clone-detection algorithms that flag textual similarity patterns across claims within 90 days of submission. A single audit consumes 80+ administrative hours, and in Texas, the parallel TMB inquiry creates dual-track liability that most practices are not staffed to manage simultaneously.

Scribing.io eliminates this risk category at the point of documentation—before the claim is ever submitted.

Technical Reference: ICD-10 Documentation Standards

Accurate documentation for administrative and compliance-related encounters requires precise ICD-10-CM coding. Two codes are particularly relevant when documenting encounters where AI-scribe compliance intersects with administrative health services:

Z02.9 — Encounter for Administrative Examinations, Unspecified

| Attribute | Detail |
|---|---|
| Code | Z02.9 |
| Description | Encounter for administrative examinations, unspecified |
| Category | Factors influencing health status and contact with health services (Z00-Z99) |
| Clinical Use | Documentation of encounters primarily driven by administrative requirements (pre-employment physicals, insurance examinations, fitness-for-duty evaluations) |
| AI Scribe Relevance | When AI-generated documentation supports administrative encounter records, TMB §165.1 authorship requirements still apply—administrative notes are not exempt from individualization |
| Specificity Requirement | Scribing.io prompts physicians to specify the administrative purpose (Z02.0 for employment, Z02.1 for pre-procedure, Z02.6 for insurance) rather than defaulting to unspecified .9, reducing denial rates by ensuring maximum specificity |
| Clone-Note Risk | Elevated—routine administrative encounters generate similar findings across patients, making anti-clone controls essential rather than optional |

Z02.9 — Encounter for administrative examinations

Z76.89 — Persons Encountering Health Services in Other Specified Circumstances

| Attribute | Detail |
|---|---|
| Code | Z76.89 |
| Description | Persons encountering health services in other specified circumstances |
| Category | Factors influencing health status and contact with health services (Z00-Z99) |
| Clinical Use | Catch-all for encounters not classified elsewhere, including documentation-focused visits or compliance-driven addenda |
| AI Scribe Relevance | May apply when a patient encounter is initiated or modified for compliance documentation purposes (e.g., addendum visits post-audit, record correction encounters) |
| Specificity Requirement | Scribing.io's coding module flags Z76.89 usage and prompts the physician to confirm whether a more specific code (Z76.0 for repeat prescription, Z76.81 for expectant parent) applies—preventing unspecified code denials |
| Documentation Requirement | Supporting documentation must demonstrate medical necessity; AI-generated text requires physician attestation confirming the clinical basis for the encounter |

Z76.89 — Persons encountering health services in other specified circumstances

Documentation integrity principle: Regardless of the ICD-10 code assigned, every encounter note generated with AI assistance must satisfy TMB §165.1's individualization requirement. The CMS ICD-10-CM Official Guidelines specify that code selection must be supported by clinical documentation—and that documentation must be physician-authored. Scribing.io ensures codes reach maximum specificity by prompting physicians to confirm the clinical context driving each code selection rather than accepting AI-suggested defaults.

FHIR Provenance Architecture—EHR-Level Authorship Implementation

No competing AI scribe vendor publishes a FHIR Provenance implementation that satisfies TMB §165.1's scribe identification and physician authorship requirements at the data layer. Most vendors treat compliance as a policy overlay—a BAA and a signature checkbox. Scribing.io treats it as a data architecture problem with a data architecture solution.

FHIR R4 Provenance Resource Structure

Each finalized encounter generates a Provenance resource conforming to HL7 FHIR R4 Provenance specification:

| Provenance Element | Value | TMB §165.1 Function |
|---|---|---|
| target | DocumentReference for the encounter note | Links provenance to specific clinical document |
| recorded | ISO 8601 timestamp with timezone (e.g., 2026-08-12T16:42:00-05:00) | Establishes contemporaneous creation |
| agent[0].type | author | Identifies physician as document author |
| agent[0].who | Practitioner resource with NPI | Physician authorship demonstrated |
| agent[1].type | transcriber | Identifies Scribing.io as transcription device |
| agent[1].who | Device/scribing-io-ambient-v4 | Scribe identification requirement satisfied |
| signature | Verification Signature (OID 1.2.840.10065.1.12.1.5) | Cryptographic proof of physician attestation |

EHR Integration Matrix

| EHR System | Integration Method | Provenance Visibility | Certification Status |
|---|---|---|---|
| Epic | FHIR R4 API (App Orchard certified) | Chart Review → Document Properties | Production certified |
| athenahealth | FHIR R4 API (Marketplace partner) | Linked DocumentReference in encounter | Production certified |
| eClinicalWorks | FHIR R4 + proprietary API bridge | Encounter bundle archive | Production certified |
| Oracle Health (Cerner) | FHIR R4 API | Millennium document linkage | Production certified |
| MEDITECH Expanse | FHIR R4 API | Document management module | Pilot phase |

This architecture ensures that if a TMB investigator or payer auditor queries the EHR directly, the machine-readable provenance unambiguously identifies the physician as author, Scribing.io as transcription device, the exact timestamp of attestation, and a cryptographic verification signature. No post-hoc attestation letter is needed—the evidence is baked into the encounter record at creation time.
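A completeness check an auditor could run over stored Provenance resources, written here as an added example (it is not Scribing.io's code). It follows the element table above; the sample resource, its ids and NPI value are constructed placeholders, and because the page does not name a code system for "transcriber", that agent is matched on the code or text value alone. Verifying the signature bytes is out of scope.

```python
from datetime import datetime

VERIFICATION_SIG_OID = "1.2.840.10065.1.12.1.5"  # signature type from the table above

# Constructed sample resource: ids and NPI are placeholders, signature data omitted.
SAMPLE = {
    "resourceType": "Provenance",
    "target": [{"reference": "DocumentReference/example-note-001"}],
    "recorded": "2026-08-12T16:42:00-05:00",
    "agent": [
        {"type": {"coding": [{
            "system": "http://terminology.hl7.org/CodeSystem/provenance-participant-type",
            "code": "author"}]},
         "who": {"reference": "Practitioner/example-physician",
                 "identifier": {"system": "http://hl7.org/fhir/sid/us-npi",
                                "value": "0000000000"}}},
        {"type": {"text": "transcriber"},  # assumption: no code system given on the page
         "who": {"reference": "Device/scribing-io-ambient-v4"}},
    ],
    "signature": [{
        "type": [{"system": "urn:iso-astm:E1762-95:2013", "code": VERIFICATION_SIG_OID}],
        "when": "2026-08-12T16:42:00-05:00",
        "who": {"reference": "Practitioner/example-physician"},
    }],
}


def codes(concept):
    """All code and text values of a CodeableConcept, lowercased."""
    found = {c.get("code", "").lower() for c in concept.get("coding", [])}
    found.add(concept.get("text", "").lower())
    return found - {""}


def has_timezone(stamp):
    """True only for a parseable timestamp that carries a UTC offset."""
    try:
        return datetime.fromisoformat(stamp.replace("Z", "+00:00")).tzinfo is not None
    except (ValueError, AttributeError):
        return False


def agents_with(resource, code, ref_prefix):
    """Agents whose type carries `code` and whose `who` points at `ref_prefix`."""
    return [a for a in resource.get("agent", [])
            if code in codes(a.get("type", {}))
            and a.get("who", {}).get("reference", "").startswith(ref_prefix)]


def audit_provenance(resource):
    """Return a list of findings; an empty list means every element is present."""
    if resource.get("resourceType") != "Provenance":
        return ["not a Provenance resource"]
    findings = []
    targets = resource.get("target", [])
    if not any(t.get("reference", "").startswith("DocumentReference/") for t in targets):
        findings.append("no DocumentReference target")
    if not has_timezone(resource.get("recorded", "")):
        findings.append("recorded missing or lacks timezone")
    if not agents_with(resource, "author", "Practitioner/"):
        findings.append("no author agent referencing a Practitioner")
    if not agents_with(resource, "transcriber", "Device/"):
        findings.append("no transcriber agent referencing a Device")
    sig_codes = {c.get("code") for s in resource.get("signature", [])
                 for c in s.get("type", [])}
    if VERIFICATION_SIG_OID not in sig_codes:
        findings.append("no verification signature")
    return findings


if __name__ == "__main__":
    print(audit_provenance(SAMPLE) or "complete")
```
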

Anti-Clone Variance Engine—Technical Specification

Clone-note detection at payer SIUs typically operates on a retrospective basis: claims are submitted, notes are pulled, and statistical analysis identifies problematic similarity patterns weeks or months after the encounter. By then, the physician has already submitted 62 claims with identical documentation. The recoupment demand arrives as an aggregate—$52,000 in the scenario above.

Scribing.io's Anti-Clone Variance Engine operates prospectively—at the point of documentation, before finalization, before claim submission:

Detection Methodology

| Analysis Layer | Method | Threshold (Configurable) | Action on Breach |
|---|---|---|---|
| ROS section | Section-level cosine similarity against last 30 encounters | 72% similarity | Finalization blocked; voice prompt triggered |
| Physical Exam section | N-gram overlap analysis (4-gram) against last 30 encounters | 68% overlap | Finalization blocked; specific system individualization required |
| MDM section | Semantic similarity (transformer-based) against last 15 encounters | 65% similarity | Finalization blocked; clinical reasoning differentiation required |
| Full note | Composite variance score (weighted average of above) | 70% composite | Anti-Clone Report flagged as "elevated similarity—reviewed and individualized" |

Individualization Workflow

When the Anti-Clone Engine blocks finalization:

  1. Visual alert: Physician sees highlighted sections with similarity percentages and specific phrases flagged as potentially cloned.

  2. Voice prompt: System asks: "Dr. Alvarez, please confirm the specific findings for [Patient Name]'s cardiovascular exam." Physician voices individualized findings.

  3. Default-normal blocking: System will not accept "ROS negative x14" or "PE within normal limits" without per-system voice confirmation. Minimum 3 individualized data points required per blocked section.

  4. Re-analysis: After physician input, system re-runs the similarity check. If similarity is now below the threshold, finalization proceeds.

  5. Audit trail: Voice confirmation hash (SHA-256), timestamp, and variance delta stored with encounter record.

This workflow adds approximately 18-45 seconds to encounters that trigger the clone check. Based on internal data across 14,000+ encounters, approximately 12% of notes trigger the threshold on initial draft—meaning 88% of encounters proceed to finalization without interruption. The NIH literature on documentation burden supports that targeted, brief interventions at the point of care are preferred to retrospective audit remediation.
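The ROS and Physical Exam layers of the detection table can be sketched as follows. This is an added example, not Scribing.io's proprietary engine: the term-frequency vectorisation, the containment form of 4-gram overlap, the fail-closed rule for sections too short to score, and the sample notes are all assumptions; only the 72%, 68% and 30-encounter values come from the page. The MDM and composite layers are left out.

```python
import math
import re
from collections import Counter

# Defaults quoted in the detection table above.
ROS_COSINE_THRESHOLD = 0.72   # section-level cosine similarity
PE_NGRAM_THRESHOLD = 0.68     # 4-gram overlap
LOOKBACK = 30                 # compare against the last 30 encounters


def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def cosine_similarity(a, b):
    """Cosine similarity of term-frequency vectors (assumed vectorisation)."""
    ca, cb = Counter(tokens(a)), Counter(tokens(b))
    dot = sum(ca[t] * cb[t] for t in ca.keys() & cb.keys())
    norm = math.sqrt(sum(v * v for v in ca.values()) * sum(v * v for v in cb.values()))
    return dot / norm if norm else 0.0


def ngrams(text, n=4):
    t = tokens(text)
    return {tuple(t[i:i + n]) for i in range(len(t) - n + 1)}


def ngram_overlap(draft, prior, n=4):
    """Share of the draft's n-grams already present in a prior note."""
    d = ngrams(draft, n)
    if not d:
        # Fail closed: a section shorter than n tokens ("within normal limits")
        # cannot show individualization, so score it as a full match.
        return 1.0
    return len(d & ngrams(prior, n)) / len(d)


def check_draft(draft, history):
    """draft: {'ros': str, 'pe': str}; history: prior notes, oldest first."""
    recent = history[-LOOKBACK:]
    ros = max((cosine_similarity(draft["ros"], h["ros"]) for h in recent), default=0.0)
    pe = max((ngram_overlap(draft["pe"], h["pe"]) for h in recent), default=0.0)
    blocked = []
    if ros > ROS_COSINE_THRESHOLD:
        blocked.append("ros")
    if pe > PE_NGRAM_THRESHOLD:
        blocked.append("pe")
    return {"ros_similarity": ros, "pe_overlap": pe,
            "blocked_sections": blocked, "finalize": not blocked}


# Constructed sample notes (not real patient data).
HISTORY = [{
    "ros": "Constitutional negative for fever chills or weight loss. Respiratory "
           "negative for cough or dyspnea. Cardiovascular negative for chest pain "
           "or palpitations.",
    "pe": "General well appearing in no acute distress. Lungs clear to auscultation "
          "bilaterally. Heart regular rate and rhythm without murmur.",
}]
CLONE_DRAFT = dict(HISTORY[0])
INDIVIDUAL_DRAFT = {
    "ros": "Reports three days of productive cough with yellow sputum and low grade "
           "fever. Denies chest pain. Mild exertional dyspnea climbing stairs.",
    "pe": "Temperature 100.9 F. Right lower lobe crackles with dullness to percussion. "
          "Heart regular rate and rhythm, no murmur. No calf tenderness.",
}

if __name__ == "__main__":
    for name, draft in (("clone", CLONE_DRAFT), ("individualized", INDIVIDUAL_DRAFT)):
        print(name, check_draft(draft, HISTORY))
```

Taking the maximum over the lookback window means a single near-identical prior note is enough to block, which matches how a reviewer comparing notes pairwise would read the record.
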

WORM Retention Architecture and 7-Year Compliance

TMB §165.1 requires record maintenance for a minimum of 7 years. For AI-scribe-generated documentation, this retention requirement extends to the provenance artifacts—not merely the note text. If a TMB investigator in 2033 asks how a 2026 note was created, the practice must produce the attestation, the provenance record, and the variance analysis that existed at the time of creation.

WORM Storage Specification

| Artifact | Storage Format | Retention Period | Immutability Mechanism |
|---|---|---|---|
| FHIR Provenance resource | JSON with SHA-256 hash chain | 7 years minimum | WORM object lock (AWS S3 Object Lock / Azure Immutable Blob) |
| Attestation header snapshot | PDF/A-3 with embedded metadata | 7 years minimum | WORM + legal hold capability |
| Anti-Clone Report (diff log) | Structured JSON + human-readable PDF | 7 years minimum | WORM + cryptographic timestamping (RFC 3161) |
| Voice confirmation hash | SHA-256 hash of audio segment (audio not retained per HIPAA minimization) | 7 years minimum | WORM + hash verification on retrieval |
| Encounter similarity scores | Structured data (encounter ID, section scores, composite score) | 7 years minimum | WORM append-only log |

Infrastructure is SOC 2 Type II certified, HITRUST r2 assessed, and compliant with HIPAA Security Rule administrative, physical, and technical safeguard requirements. Data residency is US-only (Texas practices may specify US-South region for data locality).
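How a SHA-256 hash chain over an append-only log is verified on retrieval, as an added example rather than Scribing.io's implementation. The chaining rule (hash of the previous hash plus canonical JSON), the record fields and the sample values are assumptions. It also shows why the chain head has to be anchored outside the log, for example under object lock or an RFC 3161 timestamp: a chain rewritten end to end is internally consistent and only the anchored head exposes it.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first entry's "prev"


def entry_hash(prev_hash, record):
    """SHA-256 over the previous hash plus the record's canonical JSON."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain, record):
    """Append a record, linking it to the current head; return the new head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return chain[-1]["hash"]


def build(records):
    chain = []
    for record in records:
        append(chain, record)
    return chain


def verify(chain, anchored_head):
    """Recompute every link, then compare the final hash with the anchored head."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return (False, f"entry {i} altered or out of order")
        prev = entry["hash"]
    if prev != anchored_head:
        return (False, "head does not match anchored value (truncated or rewritten)")
    return (True, "intact")


# Constructed similarity-score records (hypothetical field names and values).
RECORDS = [
    {"encounter": "enc-0001", "composite": 0.41, "finalized": "2026-08-12T16:42:00-05:00"},
    {"encounter": "enc-0002", "composite": 0.77, "finalized": "2026-08-12T17:05:00-05:00"},
    {"encounter": "enc-0003", "composite": 0.38, "finalized": "2026-08-13T09:10:00-05:00"},
]

if __name__ == "__main__":
    chain = build(RECORDS)
    head = chain[-1]["hash"]          # value that would be anchored externally
    print(verify(chain, head))
    print(verify(chain[:2], head))    # truncated log
```
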

Audit Response Workflow

When a payer SIU or TMB inquiry arrives:

  1. Practice compliance officer accesses Scribing.io's Audit Response Portal.

  2. Enters encounter date range and physician identifier.

  3. System generates a consolidated Audit Pack: FHIR Provenance records, attestation headers, Anti-Clone Reports, and variance scores for all encounters in scope.

  4. Audit Pack delivered as a cryptographically signed ZIP with verification instructions.

  5. Typical production time: under 48 hours from request to delivery.

Implementation Checklist for Medical Directors

Deploying Scribing.io to achieve full TMB §165.1 compliance requires configuration decisions aligned to your practice's EHR environment, physician workflow preferences, and risk tolerance. The following checklist covers the operational steps:

| Step | Action | Owner | Timeline |
|---|---|---|---|
| 1 | Execute BAA and confirm FHIR R4 API access with EHR vendor | IT Director + Scribing.io Implementation | Week 1 |
| 2 | Configure anti-clone thresholds (recommend starting at defaults; adjust after 30-day baseline) | Medical Director + Scribing.io Clinical Team | Week 1 |
| 3 | Enable FHIR Provenance write in EHR sandbox; validate Provenance visibility in Chart Review | IT Director | Week 2 |
| 4 | Configure attestation header template with practice name, physician credential format, timezone | Compliance Officer | Week 2 |
| 5 | Physician training: voice-prompt workflow, individualization requirements, finalization process | Medical Director + Scribing.io Clinical Team | Week 3 |
| 6 | Go-live in production with parallel documentation (legacy workflow + Scribing.io) for validation | All physicians | Week 4 |
| 7 | Review 30-day Anti-Clone Report; adjust thresholds if false-positive rate exceeds 20% | Medical Director | Week 8 |
| 8 | Decommission parallel workflow; full production deployment | Medical Director + IT Director | Week 9 |
| 9 | Quarterly compliance review: Anti-Clone Report trends, Provenance write success rates, attestation completeness | Compliance Officer | Ongoing quarterly |

Post-Implementation Monitoring

  • Monthly: Review aggregate clone-score trends by physician. Identify physicians with consistently elevated similarity (may indicate workflow shortcuts or specialty-specific documentation patterns requiring threshold adjustment).

  • Quarterly: Audit a random 5% sample of Provenance records for completeness and EHR write success.

  • Annually: Conduct a mock audit response drill—request an Audit Pack for a historical quarter and verify production under 48 hours.

  • On-demand: Any time a payer audit or TMB inquiry is received, engage Scribing.io's Compliance Response team for guided audit pack generation.

Bottom line for Medical Directors: TMB §165.1 compliance is not a checkbox—it is an ongoing operational discipline. The physicians in your practice are generating documentation with AI assistance every day. Each of those notes is either building an auditable compliance record or accumulating clone-note liability. Scribing.io ensures every encounter falls into the former category by design, not by hope.

Ready to eliminate clone-note risk and TMB §165.1 exposure? See our TMB 165.1 Authorship + Anti-Clone engine live: automated FHIR Provenance, forced individualized findings, Epic/Athena audit-trail mapping, and 7-year WORM attestation pack. Book a 15-minute demo.

Still not sure? Book a free discovery call now.

Frequently asked questions

Answers to your questions

What is Scribing.io?

How does the AI medical scribe work?

Does Scribing.io support ICD-10 and CPT codes?

Can I edit or review notes before they go into my EHR?

Does Scribing.io work with telehealth and video visits?

Is Scribing.io HIPAA compliant?

Is patient data used to train your AI models?

How do I get started?


Didn’t find what you’re looking for?
Book a call with our AI experts.
