February 19, 2026

Medical records and AI scribes: Risk considerations

Fact checked by: Keith A. Reynolds

AI scribes streamline notes, but can trigger HIPAA, consent and Medicare compliance risks. Learn safeguards to avoid audits, liability and harm.

Before rendering medical care or providing goods to Medicare and Medicaid beneficiaries in exchange for the prescribed annual rates set by the Centers for Medicare and Medicaid Services (CMS), participating providers and suppliers must enroll with CMS. There are two ways to do this: (1) electronically through the Provider Enrollment, Chain, Ownership System (PECOS); or (2) via paper utilizing the respective CMS-855 Form (i.e., 855A (Institutional Providers), 855B (Clinics, Group Practices, and Certain Other Suppliers), 855I (Physicians and Non-Physician Practitioners), 855O (Ordering and Certifying Physicians and Non-Physician Practitioners) and 855S (DMEPOS Suppliers)). When a provider or a supplier submits the respective CMS-855 Form either electronically or in hardcopy, there is a certification section. One of the most notable items that the signatory attests to follows:

“I agree to abide by the Medicare laws, regulations and program instructions that apply to me or to the organization listed in section 2B1 of this application. The Medicare laws, regulations, and program instructions are available through the Medicare Administrative Contractor. I understand that payment of a claim by Medicare is conditioned upon the claim and the underlying transaction complying with such laws, regulations, and program instructions (including, but not limited to, the Federal Anti-Kickback Statute, 42 U.S.C. section 1320a-7b(b) (section 1128B(b) of the Social Security Act) and the Physician Self-Referral Law (Stark Law), 42 U.S.C. section 1395nn (Section 1877 of the Social Security Act)).” See CMS 855A Form, p. 47 (emphasis added).

Two notable conditions of participation are 42 CFR §482.24 (Condition of participation for hospitals: Medical record services); and 42 CFR §482.13 (Condition of participation for hospitals: Patient’s rights). Notable subsections of these two conditions are:

  • §482.24
    • (b) requires, among other items, that “[m]edical records must be accurately written, promptly completed, properly filed and retained, and accessible. The hospital must use a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all records.” (emphasis added).
    • (c)(4)(C)(v) requires “[p]roperly executed informed consent forms for procedures and treatments specified by the medical staff, or by Federal or State law if applicable, to require written patient consent.”
  • §482.13
    • (c)(2) requires in part that a “patient has the right to receive care in a safe setting.”
    • (d)(1), although HIPAA is not expressly mentioned, provides that a “patient has the right to the confidentiality of his or her clinical records.”

Fundamentally, these excerpts require informed consent to be obtained at the hospital, which is distinct from the informed consent obtained by the physician, require the prompt and proper completion of medical records, and require that a patient receive care in a safe setting with the confidentiality of medical records remaining intact. Now, what are the risks of using artificial intelligence (AI) scribes, which are “designed to automatically document patient encounters, generate clinical notes, and assist with medical documentation”?

As an American Medical Association (AMA) survey indicated, the use of AI by physicians has increased; “[h]owever, many physicians are at a crossroads and remain guarded with their enthusiasm for health AI due to lingering concerns.” Not surprisingly, these concerns highlight areas of risk not only for non-compliance with the conditions of participation (supra), but also for adverse patient outcomes and downstream implications for one’s medical license.

Specifically, the AMA survey results indicate, “[a]ccording to physicians surveyed in 2024, the top attributes required to advance physician adoption of AI tools were a designated feedback channel (88%), data privacy assurances (87%), and EHR integration (84%). In 2023, the top attributes were data privacy assurances (87%), not being held liable for AI model errors (87%), and medical liability coverage (86%).”

To mitigate areas of risk, juxtapose the conditions of participation requirements with the aforementioned concerns. An adequate and effective compliance program requires that each of these items be considered: HIPAA and related privacy and confidentiality considerations; informed consent; and hallucinations, which may lead to both upcoding and adverse patient outcomes and, in turn, to liability (both in terms of potential lawsuits and insurance coverage). In sum, failure to take adequate steps could, in the best-case scenario, result in a government enforcement action or class action lawsuit, or, in the worst-case scenario, an adverse patient event that adversely impacts a provider’s license.

Rachel V. Rose, J.D., MBA, advises clients on compliance, transactions, government administrative actions and litigation involving health care, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rose can be reached through her website, www.rvrose.com.