Medicare Documentation Guidelines for AI Scribes in 2026: The Complete Compliance Guide for Billing Managers

TL;DR: CMS updated its signature requirements guidance in July 2025 (MLN905364) to explicitly address AI scribes and artificial intelligence technology in clinical documentation for the first time. The signing clinician must authenticate all AI-generated entries—CMS does not require the AI scribe itself to sign or date documentation. Medicare claims reviewers will deny claims if documentation lacks proper signatures, dates, or fails to support medical necessity. This guide breaks down every requirement medical billing managers need to enforce, including attestation procedures, signature logs, electronic signature safeguards, and audit-readiness strategies specific to AI-assisted documentation workflows. Platforms like Scribing.io are built to help practices meet these requirements—see pricing and plans here.

If you manage billing operations for a practice using AI-assisted clinical documentation, the compliance landscape shifted meaningfully in mid-2025. CMS issued updated guidance that, for the first time, directly addresses how clinicians should handle documentation produced by artificial intelligence scribes. For billing managers whose livelihoods depend on clean claims and defensible records, this update demands immediate operational attention.

This guide translates the updated CMS MLN905364 fact sheet into actionable compliance steps. Whether your practice uses Scribing.io or another AI documentation platform, you need to understand what CMS expects, what triggers audit scrutiny, and how to build workflows that protect your revenue cycle from denials and recoupments.

Table of Contents

• What Changed: CMS's Updated Signature & AI Documentation Guidance (MLN905364)

• Clinician Signature Requirements for AI-Scribed Medicare Documentation

• How to Handle Missing Signatures: Attestations & Signature Logs

• Medicare Audit Red Flags in AI-Generated Documentation

• ICD-10 Coding Accuracy in AI-Scribed Encounters

• Building an AI Documentation Compliance Program

• EHR Integration & Compliance Considerations

• Preparing for What's Next: CMS Rulemaking on AI

What Changed: CMS's Updated Signature & AI Documentation Guidance (MLN905364)

The July 2025 MLN905364 Update Explained

In July 2025, CMS revised its long-standing "Complying with Medicare Signature Requirements" fact sheet (MLN905364) to add three new areas of guidance: stamped signatures, artificial intelligence, and attestations/signature logs. The AI-specific language is concise but carries significant implications for every practice using ambient listening tools, AI scribes, or any form of machine-generated clinical documentation.

The key CMS language states: "If you use a scribe, including artificial intelligence technology, sign the entry to authenticate the documents and the care you provided or ordered. You don't need to document who or what transcribed the entry."

Two critical takeaways emerge from this single passage. First, CMS treats AI scribes identically to human scribes for authentication purposes—the signing clinician bears full responsibility. Second, CMS does not require practices to identify the AI tool by name in the medical record. There is no mandated disclosure that a note was AI-generated, at least not at the federal Medicare level.

It is essential to understand what this document is and what it is not. MLN905364 is sub-regulatory guidance, not a formal rule published through the Federal Register notice-and-comment process. However, billing managers should treat it with near-regulatory weight. Medicare Administrative Contractors (MACs), Unified Program Integrity Contractors (UPICs), and Recovery Audit Contractors (RACs) all use MLN guidance documents as their operational playbooks during claims review. A reviewer denying your claim will cite this fact sheet.

Why This Matters Beyond Medicare

Historically, Medicaid programs and commercial payers adopt CMS documentation standards as their baseline. Many state Medicaid programs explicitly reference CMS signature guidance in their provider manuals. Blue Cross Blue Shield affiliates, Aetna, UnitedHealthcare, and other major payers routinely align with CMS expectations for medical record documentation. Billing managers should treat the MLN905364 AI scribe language as a cross-payer compliance baseline, not a Medicare-only concern.

One clarification worth emphasizing: CMS does not require the AI scribe to sign or date the documentation. Only the responsible clinician—the ordering, prescribing, or treating physician or non-physician practitioner (NPP)—signs. This is the same framework that has governed human scribe documentation for years, now explicitly extended to AI tools.

Effective Dates & Enforcement Timeline

The updated MLN905364 guidance is currently in effect. There is no delayed implementation date. Any AI-generated documentation entering the Medicare claims pipeline today is subject to these standards.

Enforcement intensity varies by MAC region. Billing managers should confirm with their specific MAC whether additional local coverage determinations (LCDs) or articles address AI documentation. Some MACs have been more aggressive than others in auditing documentation quality. If your practice operates across multiple MAC jurisdictions, you need to check each one. State-level requirements may impose additional obligations—for example, California has its own evolving framework for AI scribe regulations that billing managers in that state must layer on top of CMS guidance.

Clinician Signature Requirements for AI-Scribed Medicare Documentation

What CMS Considers a Valid Signature

CMS defines a handwritten signature as "a mark or sign the ordering or prescribing physician or NPP makes on a document signifying knowledge, approval, acceptance, or obligation." For Medicare purposes, acceptable signature formats include:

• Handwritten signatures — The traditional ink-on-paper mark.

• Electronic signatures — Must include protections against modification and meet applicable administrative safeguard standards.

• Initials — Acceptable in limited contexts when supported by a signature log.

Stamped signatures are NOT accepted unless the clinician has a verified, documented physical disability under the Rehabilitation Act of 1973. Even then, each stamped signature must be accompanied by a statement from the clinician (or the clinician's representative) verifying the stamp was applied with knowledge and consent. Billing managers should not permit stamped signatures as a workaround for fast-paced AI documentation workflows.

Electronic Signature Standards for AI-Assisted Notes

Because AI-scribed notes are generated and stored electronically, most authentication will occur via electronic signature. CMS requires that electronic signature systems include "protections against modification" and meet administrative safeguard standards consistent with HIPAA Security Rule requirements.

In practical terms, this means your EHR or AI scribe platform must:

• Prevent alteration of the note after the clinician signs it (or maintain a complete audit trail of post-signature amendments).

• Authenticate the identity of the signing clinician through unique credentials (username/password, biometric, or multi-factor authentication).

• Record the date and time of the electronic signature automatically.

CMS explicitly advises clinicians to "check with attorneys and malpractice insurers" before using alternative signature methods. For billing managers, this means you should verify—in writing—that your AI scribe platform's electronic signature functionality satisfies these requirements. Platforms like Scribing.io build these safeguards into their core workflow, including audit trails and tamper-evident signing.

The "Sign to Authenticate" Rule for AI Scribes

When a clinician signs an AI-generated note, that signature constitutes a legal attestation that:

1. The content accurately reflects the encounter as it occurred.

2. The services documented were actually provided or ordered.

3. The documentation supports the level of service billed.

This is not a rubber-stamp exercise. The clinician is legally certifying the accuracy of every word in that note. If an AI scribe fabricated an exam finding that never occurred, and the clinician signs without correcting it, the clinician—and by extension, the practice—bears liability. CMS does not offer an "AI made an error" defense.

No additional notation identifying the AI tool is required by CMS. However, best practice—and many institutional compliance programs—recommend including a brief disclosure such as "Documentation generated with AI assistance and reviewed/authenticated by the undersigned clinician." This is not a CMS mandate, but it demonstrates good faith and transparency in the event of a post-payment audit.

Date Requirements & Undated Entries

All Medicare documentation must contain sufficient information to determine when services were ordered or performed. CMS allows reviewers to infer dates from entries immediately above and below an undated entry, but this inference creates audit risk. If an AI-scribed note lacks a clear date of service and the surrounding context is ambiguous, the claim is vulnerable to denial.

Best practice: configure your AI scribe software to auto-timestamp every entry at the time of generation, and capture a separate timestamp when the clinician authenticates the note. This dual-timestamp approach provides a clear audit trail showing when the encounter occurred and when the clinician reviewed and signed the documentation.

View Scribing.io Pricing

How to Handle Missing Signatures: Attestations & Signature Logs

When and How to Use Attestation Statements

Attestation statements serve as the primary remediation tool when a signature is missing or illegible. CMS accepts attestations for all medical documentation except orders. If a clinician forgot to sign an AI-generated progress note before the chart was submitted for billing, an attestation can cure the deficiency.

For an attestation to be valid under CMS standards, it must:

• Be created by the author of the medical record entry (not a staff member, not the billing department).

• Be associated with a specific, identifiable medical record.

• Contain the clinician's signature and the date the attestation was created.

• Reference the specific entry being authenticated.

A significant advantage: CMS will consider attestations "regardless of their creation date" unless a specific regulation requires a signature before a given event. This means a clinician can create an attestation months after the encounter if needed. However, there is a critical limitation: attestations cannot be used to backdate a plan of care. This distinction matters enormously for home health and skilled nursing billing.

Building and Maintaining a Signature Log

A signature log is a typed listing of physicians and NPPs that pairs each provider's printed name with their corresponding handwritten signature (or electronic signature identifier). Signature logs serve as a reference document when a reviewer encounters an illegible signature or initials in the medical record.

Key requirements and best practices for signature logs:

• Can be maintained at the individual clinician level or as a group/practice-level document.

• May be created at any time—MACs accept all signature logs regardless of creation date.

• CMS encourages listing credentials (MD, DO, NP, PA, etc.) alongside each name, though this is not strictly required.

• For practices using AI scribes, include the electronic signature identifier or token associated with each clinician's EHR login in the log.

Billing managers should maintain a current signature log as a standing compliance document, updated whenever a new clinician joins the practice or an existing clinician's electronic signature credentials change.

The 20-Day Response Window

When a review contractor—whether a UPIC, Supplemental Medical Review Contractor (SMRC), or RAC—requests a signature attestation or signature log, the practice has 20 calendar days from the date of phone contact or receipt of the written request letter to respond.

If the submitted attestation or signature log resolves the signature deficiency, the review period extends by an additional 15 calendar days to allow the contractor to complete its review of the remaining documentation.

Important exception: These timeframes do not apply to Comprehensive Error Rate Testing (CERT) review contractors. CERT reviews follow their own procedural timelines, and missing signatures in CERT samples carry significant implications for national error rate calculations.

Proactive Submission Strategy

CMS encourages submitting complete medical records with proper signature documentation upfront to avoid delays and potential denials. For billing managers overseeing AI-scribed documentation, this translates to a concrete operational requirement: implement pre-submission audits that verify every AI-generated note has been properly authenticated before the claim goes out the door.

Consider building a daily or weekly queue review process where a designated staff member checks that all AI-scribed notes from the billing period have clinician signatures, proper dates, and no obviously incomplete or nonsensical content. Catching problems before claim submission is exponentially cheaper than resolving them after a post-payment audit.

Medicare Audit Red Flags in AI-Generated Documentation

Cloned and Template-Like Notes

AI scribes can produce documentation that is suspiciously uniform across patients. When a Medicare reviewer sees near-identical physical exam descriptions, reviews of systems, or assessment and plan sections across dozens of charts from the same provider, it triggers a "cloned documentation" flag. Cloned notes suggest the clinician is not performing individualized evaluations—or is not meaningfully reviewing what the AI generates.

Action items for billing managers:

• Require clinicians to personalize AI drafts before signing. The AI-generated note should be a starting point, not a finished product.

• Implement periodic internal audits comparing notes across patients for the same provider. If you pull five charts and the HPI sections are interchangeable, you have a compliance problem.

• Configure your AI scribe platform to generate patient-specific language from each encounter's unique audio rather than populating from templates.

Documentation That Doesn't Match the Billing Level

AI tools can generate overly thorough notes that suggest a higher evaluation and management (E/M) level than what was actually performed. Conversely, some AI scribes under-document complex encounters, leaving insufficient support for the code billed. Either mismatch creates audit exposure.

The AMA's E/M documentation guidelines require that the note support the level of medical decision-making or total time reported. When AI generates a comprehensive note for a straightforward 99213-level visit, and the coder upcodes to 99215 based on the documentation rather than the actual clinical work, the practice has a false claims risk.

Billing managers must cross-reference AI-generated notes against the CPT code selected. Build a workflow where coders are trained to evaluate whether the documented complexity reflects the actual encounter—not just whether the note checks enough boxes.

Hallucinated Clinical Content

This is the risk unique to AI documentation that has no parallel in human scribe workflows. Large language models can generate exam findings that were not performed, review-of-systems questions that were not asked, medications that were not prescribed, or diagnoses that were not discussed. In AI research, this is called "hallucination." In Medicare compliance, it is called fraud if billed.

Under the False Claims Act (31 U.S.C. § 3729), submitting claims supported by documentation that describes services not actually rendered can trigger treble damages and per-claim penalties. The fact that an AI tool generated the false content does not shield the practice. The clinician signed the note. The practice submitted the claim.

Billing managers must implement systematic safeguards:

• Train clinicians to read every line of AI-generated notes before signing—not skim, not scroll, read.

• Establish a reporting mechanism for clinicians to flag hallucinated content so the AI platform can be recalibrated.

• Conduct random chart audits specifically looking for documented services that appear clinically implausible given the patient's chief complaint and diagnosis.

Missing or Incomplete Encounter Components

Some AI scribes struggle with capturing certain encounter elements—particularly when conversations are non-linear, when the clinician examines the patient silently, or when critical information is communicated through body language or visual assessment. If the AI fails to capture a performed component and the clinician signs without adding it, the documentation may not support medical necessity for the billed service.

Billing managers should work with clinicians to identify common documentation gaps in AI-scribed notes and develop standardized addendum protocols for those situations.

Try Scribing.io Free

ICD-10 Coding Accuracy in AI-Scribed Encounters

AI-Suggested Codes vs. Clinician-Validated Codes

Many AI scribe platforms now suggest ICD-10 codes based on the encounter documentation they generate. This creates a circular risk: the AI writes the note, then suggests codes based on its own writing—including any hallucinated or inflated content. If a coder accepts AI-suggested codes without independent validation, the practice is building its revenue cycle on an unverified foundation.

Billing managers should establish a clear policy: AI-suggested ICD-10 codes are suggestions only and must be validated by a qualified coder or the billing clinician. Platforms with dedicated ICD-10 coding tools can help streamline this validation process while maintaining human oversight.

Specificity and Medical Necessity Documentation

Medicare requires that ICD-10 codes be reported to the highest level of specificity supported by the medical record. AI scribes sometimes capture diagnoses at a general level ("knee pain") without the laterality, chronicity, or etiology detail needed for the most specific code. When a reviewer sees Z-codes or unspecified codes on claims where the note contains enough detail for a more specific code—or conversely, sees highly specific codes unsupported by the note—both scenarios invite scrutiny.

Ensure your coding team reviews AI-generated documentation for diagnosis specificity before code assignment. The note should contain enough clinical detail—onset, location, duration, severity, context—to justify each diagnosis code on the claim.

Building an AI Documentation Compliance Program

Written Policies and Procedures

The OIG Compliance Program Guidance has long recommended that practices maintain written policies governing documentation standards. With AI scribes in the workflow, billing managers should update existing documentation policies—or create new ones—addressing:

• Clinician responsibilities for reviewing and authenticating AI-generated notes.

• Prohibited uses of AI scribes (e.g., generating documentation for encounters the clinician did not personally conduct).

• Procedures for correcting AI errors, including amendment vs. addendum protocols.

• Retention requirements for AI-generated drafts vs. final authenticated notes.

• Incident reporting procedures for AI hallucinations or systematic documentation errors.

Internal Audit Program Design

A compliance program without auditing is a compliance program on paper only. For AI-scribed documentation, billing managers should implement a structured audit program with the following components:

1. Pre-billing audits — Sample AI-generated notes before claim submission to verify signature, date, clinical accuracy, and coding support.

2. Post-payment audits — Periodically pull paid claims and re-review the supporting documentation for compliance with all MLN905364 requirements.

3. Provider-specific audits — Track documentation quality metrics by individual clinician. Some providers may need additional training on AI scribe review workflows.

4. Cross-patient comparison audits — The cloned documentation check described earlier. Pull multiple charts from the same provider on the same date and compare for inappropriate similarity.

Staff Training Requirements

Every clinician using an AI scribe needs documented training on their authentication obligations. Every coder needs training on how to evaluate AI-generated documentation critically. Every billing manager needs to understand the audit triggers specific to AI documentation.

Training should occur at onboarding and be refreshed at least annually. Document the training—dates, attendees, topics covered—in your compliance files. Auditors and investigators look for evidence that the practice took reasonable steps to prevent compliance failures.

EHR Integration & Compliance Considerations

Ensuring Audit Trail Integrity

When an AI scribe integrates with an EHR, the technical architecture must preserve a complete audit trail. Medicare reviewers and fraud investigators may request documentation showing who created the note, when it was generated, when it was modified, what modifications were made, and when the clinician authenticated it.

Billing managers should confirm with their IT team and AI vendor that the integration maintains these audit trail elements. If your practice uses Epic, the integration requirements are specific—this guide covers AI scribe integration with Epic in detail. Similarly, practices on Athenahealth should review Athenahealth-specific integration considerations.

Amendment and Addendum Protocols

When a clinician needs to correct an AI-generated note after signing, the correction must follow proper amendment or addendum procedures. The original AI-generated content should never be deleted—it must remain visible in the record with the correction appended and signed separately. Most EHRs support this functionality, but billing managers should verify that the AI scribe integration does not create a workflow that bypasses amendment tracking.

Preparing for What's Next: CMS Rulemaking on AI

Anticipated Regulatory Developments

The MLN905364 update is guidance, not regulation. CMS has signaled through multiple channels—including the CY 2025 and CY 2026 Medicare Physician Fee Schedule proposed rules—that more formal rulemaking on AI in clinical documentation is under consideration. Billing managers should monitor:

• CMS Federal Register notices for proposed rules addressing AI documentation standards.

• MAC-level communications for local policies that may impose stricter requirements than national guidance.

• OIG Work Plan updates for new audit targets related to AI-generated documentation.

• Congressional activity around AI transparency in healthcare, which could mandate AI disclosure requirements that CMS currently does not.

Building a Future-Proof Compliance Framework

The practices that will navigate evolving AI documentation regulations most successfully are those building compliance infrastructure now—not waiting for enforcement actions to force changes. A robust compliance framework includes written policies, regular audits, documented training, and technology partners who prioritize regulatory alignment.

Specialty-specific considerations also matter. Documentation requirements and audit patterns differ across specialties. Billing managers in cardiology practices, for instance, face different documentation complexity than those in family medicine or psychiatry. Your compliance program should account for specialty-specific risk areas.

Choosing AI Scribe Technology That Supports Compliance

Not all AI scribe platforms are built with Medicare compliance in mind. When evaluating or re-evaluating your AI documentation vendor, billing managers should assess:

Platforms like Scribing.io are designed with these compliance requirements embedded in the workflow—not bolted on as afterthoughts. When your AI documentation tool enforces proper authentication, maintains audit trails, and supports clinician review before finalization, your billing operation starts from a position of compliance rather than chasing it retroactively.

Get Started Today

Medicare compliance for AI-generated documentation is not optional, and the window for treating it as a future concern has closed. The CMS MLN905364 guidance is in effect, auditors are reviewing AI-scribed notes, and practices without proper authentication workflows, audit programs, and clinician training are exposed. Scribing.io gives billing managers the tools to enforce compliant AI documentation workflows—from automatic timestamping and e-signature safeguards to clinician review gates that prevent unsigned notes from reaching your billing queue.

Start Your Free Trial — No Credit Card Required