When a Medicare auditor requests documentation for an AI-generated note, they are reviewing two things: whether the clinical content supports the billed service, and whether the documentation is complete. A physician's signature satisfies neither question on its own.
This is a new problem. Before AI scribes, the physician wrote the note. The note was the record of the physician's own clinical thinking. With AI scribes, the note is generated by a system the physician did not control — and then signed. The documentation gap between “generated” and “verified” is where audit risk lives.
Ontario's Auditor General reviewed all 20 government-approved AI scribe vendors in May 2026 and found that every single one showed at least one inaccuracy during procurement testing — hallucinations, incorrect clinical information, or missing content. The official government response placed the obligation squarely on physicians: doctors “must review and approve” all documentation before it is added to the patient record. The audit trail is how a physician proves they did.
Why AI Notes Create a New Documentation Risk
Traditional documentation had one author: the physician. The note reflected their clinical reasoning. Auditors reviewing it were reviewing the physician's own work.
AI scribes introduce a second contributor. The physician speaks. The AI generates. The physician signs. But only one of those three steps produces a verifiable record — the signature. The review step that happened between generation and signing leaves no trace in the standard documentation workflow.
Medicare audits focus on medical necessity, documentation completeness, and coding accuracy. An AI-generated note that contains hallucinated content, dangerous abbreviations, or missing clinical elements creates exposure on all three fronts — and the physician's signature does not resolve that exposure. It confirms it.
What Auditors Actually Look For
RAC auditors, MAC reviewers, and OIG investigators focus on three documentation criteria:
Medical Necessity
Does the documented clinical content support the billed service? An AI-generated note that omits key findings, overstates complexity, or contradicts the clinical picture creates medical necessity risk regardless of who signed it.
Documentation Completeness
Are all required elements present? Missing physician orders, absent clinical reasoning, or incomplete assessment sections are common audit findings. AI scribes that omit critical elements — or hallucinate content that was never discussed — produce notes that fail completeness review.
Coding Accuracy
Do the diagnosis and procedure codes match the documented clinical content? AI scribes that document the wrong diagnosis — such as confusing HFrEF and HFpEF — create a coding inconsistency that auditors are trained to identify.
The 5 Elements of a Defensible Audit Trail
A signature is the end of the documentation workflow. An audit trail is the record of what happened before the signature. For AI-generated notes, that record needs to include five things:
Timestamp of review
When was the note reviewed before signing? A verifiable timestamp that precedes the signature demonstrates the review occurred as a deliberate step, not as an afterthought.
Independent analysis record
What structured process was used to verify the AI's output? Physicians who can point to a documented framework — rather than an informal read-through — are in a materially stronger position when documentation is challenged.
Findings identified
Were any issues found during review? A record that captures what was checked — and what the physician's response was — demonstrates active engagement with the content, not passive acceptance.
Framework used
Was the review structured against a recognized clinical documentation standard? The PDSQI-9 framework (JAMIA 2025) is a peer-reviewed instrument for evaluating clinical documentation quality — an independent, citable standard for the review process.
Exportable PDF for audit response
Can the physician produce documentation of their review process on demand, in a format auditors can read? A timestamped PDF is the format auditors work with. Notes in EHR audit logs are not the same thing.
Common Mistakes That Leave Physicians Exposed
- Signing AI-generated notes without a structured review process
- No separate record that a review occurred before the signature
- Treating the scribe company's own quality checks as independent verification — they are not
- No way to produce proof of review during an audit response
- Relying on EHR audit logs as a substitute for a documented review record
The last point deserves emphasis. AI scribe companies now commonly advertise built-in quality checks. But a scribe company checking its own output is not independent verification — it is the system grading its own work. An audit trail requires a record from an independent source.
How VerifyChart Generates the Audit Trail
VerifyChart runs an independent analysis of the note before you sign — built on the PDSQI-9 framework, a peer-reviewed clinical quality instrument (JAMIA 2025).
Every analysis produces a timestamped PDF report documenting:
- Date and time of independent review
- Findings across all 9 PDSQI-9 clinical dimensions
- Hallucination detection results — contradictions, impossible values, copied-forward patterns
- Billing risk assessment
- Physician attestation: documentation review conducted
That PDF is the audit trail. It is independent — generated by a system that did not produce the original note. It is timestamped — proving the review preceded the signature. And it is structured against a peer-reviewed framework — not an informal read-through. The analysis takes under 60 seconds and works with any AI scribe.
The Bottom Line
AI scribes generate documentation. Physicians verify it and sign it. The gap between those two steps is where audit risk lives — and where most physicians currently have no record.
A timestamped, independent verification report closes that gap. It takes 60 seconds to generate. Try VerifyChart free at verifychart.ai — no credit card, no EHR integration required.
Protect your license. Prove you verified.