Legal & Compliance
CCBHCs, cloud AI scribes, and the PPS audit chain: five adversarial proceedings that reach the vendor archive of a CCBHC client's sessions
A Certified Community Behavioral Health Clinic session documented by a cloud AI scribe is not a standard outpatient therapy encounter. CCBHCs are federally certified to deliver eight required service types — crisis intervention, psychiatric assessment, outpatient mental health and substance use disorder treatment, targeted case management, peer and family support, psychiatric rehabilitation, and patient-centered treatment planning — and are reimbursed through a Medicaid Prospective Payment System that pays a single per-contact-day encounter rate for all of those services delivered on a given date. The cloud AI scribe vendor archive at a CCBHC holds the contemporaneous documentation of that entire multi-disciplinary service mix. Five enforcement frameworks — each with no structural analog in standard outpatient private practice — can reach that archive independently, without going through the treating clinician, and often without the client's knowledge.
What makes a CCBHC structurally different from a standard outpatient therapy practice
Certified Community Behavioral Health Clinics exist under a federal certification framework that has no equivalent in standard outpatient mental health practice. The CCBHC model was created by the Excellence in Mental Health Act (enacted as part of the Protecting Access to Medicare Act of 2014, P.L. 113-93), which authorized a time-limited Medicaid demonstration program in eight states. The Bipartisan Safer Communities Act (P.L. 117-159, enacted 2022) made the CCBHC Medicaid Demonstration permanent and expanded it significantly, and as of 2026 dozens of states have CCBHCs operating either within the formal Medicaid Demonstration Program or under state certification programs modeled on the federal criteria.
SAMHSA publishes the certification criteria that CCBHCs must meet. Those criteria require CCBHCs to deliver a defined menu of behavioral health services — not just the services that individual clinicians happen to provide, but a federally prescribed set of required services that the clinic as an organization must make available to every client who needs them. The required CCBHC service types include 24-hour-a-day, 7-day-a-week crisis mental health services (including mobile crisis response and crisis stabilization); screening, assessment, and diagnosis; patient-centered treatment planning; outpatient mental health and substance use disorder services; targeted case management; psychiatric rehabilitation; peer support and family support services; and community mental health services to veterans and other special populations, to the extent required by state law. A CCBHC that does not deliver this full menu of services is not in compliance with SAMHSA's certification criteria — and loss of CCBHC certification terminates the clinic's eligibility for CCBHC Medicaid Prospective Payment System reimbursement.
The CCBHC Prospective Payment System is the second structural feature that distinguishes the CCBHC context from standard outpatient practice. A private therapist billing Medicaid for an individual therapy session submits a CPT code for that session (typically 90837 or 90834 for a 53-minute or 45-minute psychotherapy session) and produces a progress note documenting that session. The PPS works differently: a CCBHC is paid a single encounter rate — per client, per contact day — that covers all CCBHC-required services delivered to that client on that date. States may use PPS-1 (a daily rate) or PPS-2 (a monthly rate); in either structure, the PPS rate is intended to reflect the full cost of delivering the CCBHC required service menu to the clinic's client population. On a given contact day, a CCBHC client might receive an individual therapy session, a case management check-in, a peer support group session, a nursing medication management review, and a brief crisis screening — all billed under a single PPS encounter rate, and all potentially documented by the cloud AI scribe in separate encounters during that contact day.
This combination — a federally required multi-disciplinary service menu, a PPS reimbursement structure that pays a single rate for all services in a contact day, and a cloud AI scribe that generates vendor-held business records of each clinical encounter — creates a documentation and audit exposure profile that is qualitatively different from anything that exists in standard outpatient therapy. The analysis of Medicaid managed care organizations and cloud AI scribe vendor archives addresses the MCO audit framework that applies when an outpatient therapist is a Medicaid network provider. A CCBHC faces that MCO framework — if it is a network provider for a Medicaid managed care plan — plus four additional enforcement frameworks that apply to CCBHC operations specifically. The CCBHC context does not replace the MCO context; it layers on top of it.
What the cloud AI scribe vendor holds at a CCBHC — and why it is more sensitive than in private practice
The cloud AI scribe vendor archive at a CCBHC is not a collection of individual outpatient therapy session notes. It is a multi-disciplinary record of the full range of services CCBHC clients receive across all their contact days with the clinic. Because the PPS rate covers all required services in a single billing unit, the cloud AI scribe at a CCBHC may be used across all of those service types — not just individual therapy sessions. The vendor archive of a single CCBHC client's contact history might include: crisis intervention narratives from a mobile crisis call; psychiatric diagnostic assessment disclosures from an initial evaluation; verbatim content from peer support group sessions where other clients with lived experience of mental illness discuss their recovery; SUD intake assessments and ongoing addiction counseling session content; case management call notes documenting a client's housing instability, benefits status, or involvement with the criminal justice system; and individual therapy progress notes. All of this enters the same vendor archive, held by the same third-party vendor, under the same BAA — which was drafted to govern data handling, not to shield the archive from the five enforcement frameworks described below.
The sensitivity profile of the vendor archive is amplified by the CCBHC's client population. CCBHCs are specifically designed to serve individuals with serious mental illness (SMI), serious emotional disturbance in children (SED), and co-occurring mental health and substance use disorders — the populations with the most complex behavioral health needs and, correspondingly, the most sensitive clinical disclosure histories. A CCBHC vendor archive is systematically more likely to contain serious mental illness treatment narratives, crisis intervention content, SUD treatment records subject to 42 CFR Part 2, descriptions of trauma, housing and poverty contexts, and documentation of criminal justice involvement than the vendor archive of a private-pay therapist's outpatient practice. The enforcement frameworks described below reach those records with the same legal process tools they would use for any vendor archive — but the content they reach is of a categorically higher sensitivity level.
The analysis of what a BAA actually covers and does not cover applies here with the same force it applies in every other cloud AI scribe context: the BAA governs the vendor's internal data handling and imposes HIPAA-compliant security requirements, but it does not prevent the vendor from responding to a valid legal demand, does not prevent the CCBHC from providing vendor-held records to its state behavioral health authority auditor, and does not prevent a federal program integrity subpoena from reaching the archive. The five proceedings below each represent a category of legal demand that runs to the vendor archive independent of the BAA's protections.
Five adversarial proceedings specific to the CCBHC context
1. SAMHSA CCBHC certification compliance audit
SAMHSA and the state behavioral health authority (SBHA) — the state agency that administers SAMHSA's behavioral health block grants and oversees CCBHC certification under state law — are responsible for ensuring that certified CCBHCs continue to meet SAMHSA's required service criteria. Certification compliance is not a one-time assessment; it is an ongoing obligation that the CCBHC must be able to demonstrate through its operational and clinical records at any audit cycle. The SBHA conducts certification compliance reviews on a periodic basis — typically annually or biennially for demonstration-program CCBHCs, and on a schedule set by state policy for state-certified CCBHCs outside the formal demonstration.
A certification compliance audit asks a central question: is the CCBHC actually delivering all eight required service types to clients who need them? The answer to that question is documented in clinical records — the session notes, encounter records, and assessments that document each required service as it was delivered. A cloud AI scribe vendor archive of clinical encounters is the most granular available evidence of what actually occurred in each clinical encounter during the audit period. If a certification compliance auditor is reviewing whether a CCBHC's crisis team delivered 24-hour crisis response to a specific client during a specific period, the vendor archive of that client's crisis encounters — the verbatim content of crisis calls and follow-up sessions — documents whether and how the required crisis service was delivered.
The mechanism by which the vendor archive reaches the certification compliance auditor differs from a formal subpoena pathway. The CCBHC itself is under obligation to produce documentation of required service delivery; the SBHA does not typically issue a court-ordered subpoena to the CCBHC's cloud AI scribe vendor directly. Instead, the CCBHC receives an audit document request, and the CCBHC — knowing that its certification (and PPS billing eligibility) depends on demonstrating required service delivery — requests records from its cloud AI scribe vendor to supplement or replace any clinical documentation that is incomplete or missing from its own records. The vendor, receiving a record production request from its CCBHC client, produces the requested archive under the BAA's authorization for the CCBHC to access its own data. The certification compliance pathway reaches the vendor archive through the CCBHC's own compliance incentive rather than through a court order directed at the vendor — making it more reliable, not less, as a pathway to the vendor's records.
The stakes of a certification compliance audit make this pathway particularly powerful: a CCBHC that loses certification faces not only the end of PPS Medicaid reimbursement but also the loss of its SAMHSA block grant compliance standing, the potential unwind of its managed care network contracts (if MCO contracts were conditioned on CCBHC certification), and NPDB or state licensing authority reporting obligations if the decertification involves professional or facility licensing. Certification compliance creates an organizational incentive to produce all available documentation — including vendor archives — that dwarfs any individual HIPAA compliance analysis the CCBHC might otherwise apply.
2. CMS and state Medicaid CCBHC PPS billing audit and cost reconciliation
The CCBHC Prospective Payment System generates a distinct audit obligation that does not exist for standard Medicaid outpatient billing. When a CCBHC bills a PPS encounter rate for a client contact day, the documentation must support: (a) that the client was eligible for Medicaid and for CCBHC services on that date; (b) that the CCBHC delivered CCBHC-required services to the client on that date; and (c) that the services delivered were of the type and intensity the PPS rate covers. CMS Medicaid audit contractors — including the Recovery Audit Contractors (RACs), Comprehensive Error Rate Testing (CERT) contractors, and state Medicaid Integrity Contractors (MICs) — can conduct post-payment audits of CCBHC PPS claims using standard Medicaid audit authority.
The PPS billing audit reaches a cloud AI scribe vendor archive in the same way any Medicaid documentation audit reaches clinical records: the auditor selects a sample of billed PPS encounter dates and requests supporting documentation that the services billed on those dates were actually delivered. The auditor is not limited to the formal progress note — it is looking for any documentation of the services delivered on the billed contact day, and a cloud AI scribe vendor archive of the clinical encounters from that day is responsive to that request. If the CCBHC's formal progress note for a contact day is incomplete — not documenting that case management services were delivered on the date billed — the PPS auditor may specifically request any other records documenting what occurred that day, including audio recordings, transcripts, or AI-generated draft notes held by the cloud scribe vendor. The vendor archive becomes an alternative documentation source the auditor can use to verify or contradict the CCBHC's billing.
Some states implement an additional layer specific to CCBHC PPS: annual cost reconciliation. Under cost reconciliation, a CCBHC files an annual cost report documenting its actual cost of delivering CCBHC-required services, and the state Medicaid agency reconciles the cost report against the PPS encounter rates paid during the year. If the PPS rate exceeded actual costs, the state may require repayment of the overpayment. Cost reconciliation audits reach clinical documentation as evidence of the volume and intensity of services actually delivered — the inputs that determined actual cost. A cloud AI scribe vendor archive that documents the clinical encounter activity across a full fiscal year is directly probative in an annual cost reconciliation audit. The cost reconciliation mechanism creates an additional audit occasion beyond the standard post-payment claim review, and both occasions reach the same vendor archive.
The PPS billing audit is also distinct from the MCO-level program integrity audit described in the Medicaid MCO analysis because it comes from CMS and the state Medicaid agency directly — not from the MCO as an intermediary contractor. In a direct Medicaid fee-for-service CCBHC arrangement, the state Medicaid agency is the payor, and the CMS-directed audit authority operates without an MCO layer. In a managed care CCBHC arrangement (discussed in the next proceeding), both the MCO contractor audit and the CMS/state Medicaid PPS audit can reach the vendor archive simultaneously and independently.
3. CCBHC Medicaid managed care contractor audit
Several states implement CCBHC services through Medicaid managed care arrangements — rather than paying the CCBHC PPS rate directly from the state Medicaid agency, the state contracts with a behavioral health managed care organization (BHMO) or comprehensive MCO, and the MCO in turn contracts with CCBHCs as specialty network providers, paying the PPS rate (or an approximation of it) through the managed care payment structure. In these states, a CCBHC faces the full MCO audit framework described in detail in the Medicaid managed care context analysis — the MCO's 42 CFR § 438.602 program integrity obligations, the MCO's contractual audit rights over its network providers, the MFCU fraud investigation pathway, and the FCA qui tam litigation pathway — layered directly on top of the CCBHC-specific enforcement frameworks described in this post.
The MCO-contracted CCBHC faces a compounded audit exposure that neither standard outpatient MCO providers nor fee-for-service CCBHCs face in isolation. The MCO's quality management program may audit clinical documentation to assess the quality of CCBHC services being delivered to MCO members. The MCO's program integrity unit may audit billing claims to verify that the PPS encounter rates submitted for contact days are supported by documentation of the required services. The MCO's network management function may review CCBHC performance data — HEDIS measures, member grievances, utilization — and trigger a documentation audit as part of network termination review if the CCBHC's performance falls below contractual thresholds. Each of those MCO-level audit functions reaches the cloud AI scribe vendor archive through the provider contract audit clause the CCBHC signed as a condition of MCO network participation.
The managed care CCBHC also faces the MFCU investigation and FCA qui tam pathways described in the MCO analysis. CCBHC PPS billing in a managed care state generates Medicaid claims through the MCO, which means Medicaid fraud in a managed care CCBHC arrangement implicates both the MCO's fraud reporting obligations and the MFCU's independent investigative authority. A qui tam relator who knows that a CCBHC used a cloud AI scribe to document encounters can specifically target the vendor archive in a qui tam complaint, identifying the archive as the contemporaneous documentation of services claimed to be delivered under the PPS rate but allegedly not actually rendered. The PPS context makes the qui tam theory particularly direct: if the PPS rate was billed for a contact day on which certain required services were not actually delivered, the vendor archive of that contact day's encounters is the central documentary evidence of what was and was not delivered.
The 42 CFR Part 2 compliance conflict described in the MCO analysis also arises with greater frequency in the CCBHC context. CCBHCs are required to provide outpatient SUD treatment as one of their required service types — and many CCBHCs are licensed as SUD treatment programs or hold themselves out as providing SUD treatment, which qualifies them as Part 2-covered programs for their SUD services. The existing analysis of 42 CFR Part 2 and AI scribes in addiction counseling and the OTP and MATE Act AI scribe context address Part 2 in the addiction counseling setting; the CCBHC context encounters Part 2 not as an incidental co-occurring diagnosis but as a required service delivery category — SUD treatment is mandated by CCBHC certification. When a cloud AI scribe documents a CCBHC contact day that includes SUD treatment encounters, the vendor archive will systematically contain Part 2-protected records mixed with non-Part 2 mental health records, and every MCO program integrity audit or PPS billing audit that requests the contact day archive runs into Part 2's disclosure prohibition.
4. Federal CCBHC Demonstration Program CMS oversight audit
CCBHCs in states that participate in the CCBHC Medicaid Demonstration Program — authorized under the Excellence in Mental Health Act and made permanent by the Bipartisan Safer Communities Act — are subject to a distinct layer of federal oversight that does not apply to CCBHCs operating outside the formal demonstration. The demonstration requires participating states to report CCBHC performance measures, clinical outcome data, and expenditure information to CMS on a regular basis. CMS uses this data to evaluate whether the CCBHC model is delivering the improved outcomes and cost-effectiveness that justified the enhanced federal matching funds available to demonstration states.
CMS and its contracted demonstration evaluators verify the accuracy and completeness of the performance measure data states report. That verification requires examining the clinical encounter data underlying the reported measures — the specific client encounters that produced the utilization, quality, and outcome data the state submitted. A cloud AI scribe vendor archive of clinical encounters during the demonstration period is a business record of the clinical activity that generated the performance measure data under audit. CMS demonstration oversight can reach that vendor archive through the state's contractual relationship with the CCBHC and the CCBHC's contractual relationship with the vendor.
The federal CCBHC Demonstration oversight pathway is structurally distinct from the standard Medicaid audit pathway because it operates under CMS's demonstration authority — Section 1115 or Section 1915(b) waiver authority, as applicable — rather than standard Medicaid program integrity authority. Demonstration auditors are often examining systemic questions: not just whether a specific billed claim was supported by documentation, but whether the CCBHC model as implemented by this state's CCBHCs is actually delivering the required services and achieving the outcomes the demonstration projected. A multi-year cloud AI scribe vendor archive of clinical encounters across a demonstration state's CCBHC network could constitute the documentary record of how the demonstration actually functioned — and CMS's oversight authority to reach that record is grounded in the demonstration terms of approval, not in the standard Medicaid audit cycle. For mobile crisis teams and ACT programs, the community mental health services analysis addresses the programmatic audit context those specific services face; CCBHC demonstration oversight encompasses those services within its broader required-service-menu audit framework.
5. SAMHSA block grant compliance audit
The fifth enforcement pathway operates under SAMHSA's direct administrative authority rather than CMS's Medicaid program authority. States receive two major SAMHSA behavioral health formula grants: the Community Mental Health Services Block Grant (CMHSBG, also called the Mental Health Block Grant or MHBG), authorized under Title XIX of the Public Health Service Act (42 U.S.C. § 300x et seq.), and the Substance Abuse Prevention and Treatment Block Grant (SABG), authorized under Title XIX, Part B of the Public Health Service Act (42 U.S.C. § 300x-21 et seq.). Many states direct a portion of their MHBG and SABG funds toward CCBHC services — using block grant funds to support services for the SMI, SED, and SUD populations the block grants are designed to serve, overlapping substantially with the CCBHC required-service populations.
Block grant funds come with reporting requirements: states must demonstrate to SAMHSA that block grant funds were used for the required purposes — services to adults with SMI, children with SED, and individuals with SUD — and that the services delivered met the block grant's quality and coverage standards. SAMHSA conducts block grant compliance audits through its Center for Mental Health Services (CMHS) and Center for Substance Abuse Treatment (CSAT) to verify that states and their grantees (including CCBHCs receiving sub-awards of block grant funds) are meeting block grant requirements.
A CCBHC that receives MHBG or SABG funds through a state sub-award is subject to block grant compliance audit requirements that can reach its clinical documentation. Block grant audits examining whether services were delivered to the required populations — SMI adults, SED youth, SUD individuals — reach the clinical documentation of those services as evidence that eligible individuals received eligible services. A cloud AI scribe vendor archive of clinical encounters with block-grant-eligible clients is a business record that documents whether required populations received required services during the block grant period under review. SAMHSA's block grant administrative authority to reach that documentation operates under federal grant compliance law (2 CFR Part 200, the Uniform Guidance for federal grants) rather than Medicaid audit authority — it is a distinct legal basis for reaching the vendor archive, independent of the Medicaid program's audit tools. The vendor's BAA was not drafted with reference to 2 CFR Part 200 block grant compliance audits, and the therapist's HIPAA training did not address the interaction between grant compliance audit authority and cloud AI scribe vendor archives. Both parties are exposed to an enforcement pathway they most likely did not contemplate when the BAA was signed.
What on-device processing eliminates in the CCBHC context
The five adversarial proceedings described in this post — SAMHSA certification compliance audits, CMS and state Medicaid PPS billing audits, MCO contractor audits, CCBHC Demonstration CMS oversight audits, and SAMHSA block grant compliance audits — are each structurally distinct enforcement frameworks. They operate under different federal statutory authorities, involve different agencies, and reach clinical documentation through different mechanisms. But they all converge on the same asset: the cloud AI scribe vendor archive of clinical encounters at the CCBHC.
The vendor archive is the structural target because it is the most comprehensive contemporaneous record of what occurred in each clinical encounter — more granular than the formal progress note, covering all service types documented through the cloud AI scribe, and held by a third party whose production obligations run to the requesting authority rather than to the treating clinician. The CCBHC's certification compliance, PPS billing justification, MCO network contract performance, demonstration outcomes data, and block grant service delivery documentation all depend, in part, on the accuracy and completeness of the clinical record of what services were actually delivered. The cloud AI scribe vendor archive is a shadow clinical record system that all five of those enforcement frameworks can reach.
On-device processing eliminates the vendor archive at the point of creation. When clinical staff at a CCBHC use TherapyDraft to document their clinical encounters, session audio is transcribed locally on the clinician's Apple Silicon Mac, and the draft note is generated from that local transcript on the same device. No session audio, no transcript, and no draft note leaves the device to a commercial server. The cloud AI scribe vendor archive — the third-party business record that all five enforcement frameworks are structured to reach — does not come into existence.
Without a vendor archive, a SAMHSA certification compliance audit that requests documentation of required CCBHC service delivery reaches the formal clinical record — the same progress notes and assessment documents the CCBHC would have produced in a paper-record practice — rather than a separate, independently held archive of verbatim session content. A CMS PPS billing auditor who requests documentation of clinical encounters on a specific contact day reaches the formal documentation rather than a vendor-held archive containing audio, transcript, and AI-generated draft notes that the CCBHC's formal progress note may not reflect. An MCO program integrity audit, a CMS demonstration oversight review, and a SAMHSA block grant compliance audit each reach the formal clinical record — not a separate layer of raw session content accumulated by a vendor the CCBHC contracted with for note generation assistance.
The distinction matters because the formal clinical record and the cloud AI scribe vendor archive are not identical. The formal progress note reflects what the clinician chose to document. The vendor archive reflects what the clinician said, what the client said, and what occurred in the room — the raw clinical encounter that the progress note summarizes. When an auditor has access to both, the vendor archive becomes an independent evidentiary source that can contradict, supplement, or reframe the formal clinical record. When an auditor has access only to the formal clinical record, they are in the same evidentiary position as they would be with any paper-record CCBHC — which is the legal and professional landscape CCBHCs operated in before cloud AI scribes became widespread. On-device processing returns the CCBHC to that landscape while still delivering the note-generation efficiency benefit that makes AI scribes attractive in a high-volume, multi-disciplinary clinical setting. The foundational analysis of when AI therapy notes can be subpoenaed explains the general framework; the CCBHC context amplifies the stakes of that analysis across five enforcement dimensions that most cloud AI scribe vendors and the CCBHCs who use them have not systematically evaluated.
TherapyDraft — no vendor archive for your CCBHC clients or anyone else
TherapyDraft is a native macOS app that runs Whisper transcription and note generation entirely on your Mac. Session audio, transcripts, and draft notes never leave your device — no cloud vendor archive, no BAA with a third-party note processor, no third-party business records for SAMHSA certification auditors, CMS PPS billing reviewers, MCO program integrity units, or block grant compliance auditors to reach. The same architecture protects your clients who are enrolled in CCBHC services and your clients in any other clinical setting.
Ten free sessions, no card required. If the local-inference quality meets your workflow, $39/month or $349/year.
Try 10 sessions free