Legal & Compliance
Hospital observation status, the Medicare two-midnight rule, and cloud AI scribes: five adversarial proceedings that reach the vendor archive of a patient's admission assessment
When hospital-based mental health professionals use cloud AI scribes during admission assessments, the vendor accumulates verbatim documentation of the clinical reasoning that determines inpatient versus observation classification. Five independent adversarial proceedings can reach that archive — and the hospital's records management system controls none of them.
The two-midnight rule and why admission assessment documentation matters
The Medicare two-midnight rule, codified at 42 CFR § 412.3, creates a clinical documentation threshold with significant financial consequences on both sides of the billing relationship. Under the rule, Medicare generally pays for an inpatient admission when the physician reasonably expects at the time of admission that the patient will require hospital care spanning at least two midnights. Stays shorter than that threshold — or stays where the documentation does not establish that the two-midnight expectation was reasonable at the time of admission — are candidates for reclassification to observation status and Part B billing, or for claim denial.
For patients, the distinction between inpatient and observation status is not semantic. Observation status means Part B cost-sharing, which is often higher than Part A inpatient cost-sharing for the hospital stay itself. More significantly, observation status does not satisfy Medicare's three-consecutive-day prior inpatient hospitalization requirement for Part A skilled nursing facility (SNF) coverage under 42 C.F.R. § 409.30. A patient who spends four days in a hospital psychiatric unit classified as observation — not inpatient — faces a complete denial of Part A SNF coverage for the post-acute care that may be the medically necessary next step. The financial exposure can exceed ten thousand dollars per month in SNF costs the patient must pay entirely out of pocket.
For hospitals, the two-midnight rule creates compliance risk concentrated at the admission decision point. The admitting physician's documentation of medical necessity for inpatient classification — the certification required under Medicare Benefit Policy Manual Chapter 1, § 10 — is the evidentiary foundation that Medicare Recovery Audit Contractors examine when they challenge an inpatient claim. That documentation must reflect the clinician's clinical reasoning at the time of admission: what the patient's presentation showed, why the clinical findings supported an expectation of care spanning at least two midnights, and why a lower level of care was not clinically adequate.
For psychiatric admissions, this certification typically includes the consulting psychiatrist's or emergency department behavioral health clinician's assessment of suicidal ideation, risk of harm to others, psychiatric symptom severity, level of functional impairment, and the clinical basis for concluding that crisis stabilization, partial hospitalization, or intensive outpatient care would not adequately address the patient's needs at that moment. This is the documentation that cloud AI scribes capture verbatim during the admission assessment session.
The contractor's scribe and the parallel documentation layer
Hospital-based mental health professionals are among the users most likely to independently adopt cloud AI scribes. Consulting psychiatrists conduct rapid, high-volume assessments under documentation pressure that acute care settings create. Emergency department behavioral health specialists move between patients under conditions where dictating a note without technological assistance means either incomplete documentation or delayed throughput. Inpatient social workers conducting initial psychosocial assessments face the same time pressure with fewer administrative resources.
Critically, many hospital-based psychiatric consultants are independent contractors, not hospital employees. A contracted consulting psychiatrist independently retains their business associate relationships — including with any cloud AI scribe vendor they use for their clinical practice. The hospital's BAA with its own EHR vendor and other contracted service providers does not extend to the contracted psychiatrist's independently retained scribe vendor. The hospital may not know the vendor archive exists.
When the consulting psychiatrist uses a cloud AI scribe during an admission assessment, the workflow creates a documentation structure that operates outside the hospital's EHR governance: audio captured, transmitted to the vendor's servers, transcript generated, note drafted, note edited by the clinician, edited note pasted into the hospital's EHR. The EHR receives the edited note. The cloud AI scribe vendor retains the verbatim audio, transcript, and draft history as a business record of the clinical encounter — held in the vendor's infrastructure, not in the hospital's medical records system, not subject to the hospital's legal hold procedures, and not controlled by the hospital's medical records department or legal team.
The vendor archive holds what the clinician actually said during the assessment — the full clinical reasoning, including statements that were edited out of the formal note as extraneous, hedge language about clinical uncertainty that did not survive the documentation editing process, and specificity about the patient's presentation that the formal note summarized. In a RAC review where the formal note is a close call on two-midnight criteria, the vendor archive is a higher-resolution record of what the clinician's assessment actually showed. In adversarial proceedings, the vendor archive and the formal note may tell somewhat different stories about the strength of the inpatient-necessity finding at the time of admission.
Proceeding 1: Medicare RAC post-payment audit and claim recoupment
Recovery Audit Contractors, authorized under 42 U.S.C. § 1395ddd(h) and operating under CMS oversight on a contingency-fee basis, identify and recover Medicare overpayments through post-payment claim review. RACs are authorized to request clinical records for claims under review, and their scope of review encompasses all documentation that supports or fails to support the clinical basis for the billed claim.
For inpatient psychiatric admissions, RAC review focuses on whether the admitting physician's documentation supports the inpatient classification under the two-midnight rule at the time of admission. The formal EHR note is the starting point for review. RACs can request "complete medical records" for claims under review, and that request encompasses business records of the clinical encounter held by third-party vendors — including cloud AI scribe vendors whose archives document the admission assessment session that generated the inpatient certification.
The significance of the vendor archive in RAC review is the gap it can reveal between the formal note and the clinician's actual clinical reasoning. If the formal note documents an inpatient certification that appears to meet two-midnight criteria, while the vendor archive contains statements from the same admission assessment session in which the clinician expressed significant uncertainty about whether the patient required inpatient care, the RAC has access to contemporaneous evidence that the inpatient-necessity finding was weaker than the formal documentation reflects. That gap — which is a product of the editing process between verbatim clinical communication and the formal progress note — is exactly the kind of evidence RAC review is designed to identify.
Hospitals facing RAC audits typically engage legal counsel who manage the records request response process. But legal counsel can only manage records the hospital controls. A vendor archive held by the contracted psychiatrist's independently retained cloud AI scribe vendor is not within the hospital's control, not within the scope of the hospital's legal hold, and not subject to instructions from the hospital's counsel. The vendor responds to the RAC records request pursuant to its own legal obligations — and the hospital's billing defense does not determine the scope of that response.
Proceeding 2: False Claims Act qui tam relator case
The False Claims Act (31 U.S.C. § 3729 et seq.) imposes civil and criminal liability on persons and entities that knowingly submit false or fraudulent claims to the federal government. Medicare claims for inpatient admissions that do not meet the two-midnight rule are false claims when submitted with knowledge that the inpatient classification was unsupported by the clinical documentation.
Qui tam provisions (31 U.S.C. § 3730) allow private persons — called relators — to file FCA suits on behalf of the United States and share in any recovery. The population most likely to bring qui tam claims in the two-midnight context includes hospital employees with knowledge of the billing and utilization management process: coders, utilization review nurses, case managers, discharge planners, social workers involved in level-of-care assessments, and billing compliance staff who see both the clinical documentation and the submitted claims.
A qui tam complaint alleging systematic two-midnight rule violations initiates a DOJ investigation under seal. DOJ investigators use FRCP Rule 45 to subpoena third-party business record custodians, including cloud AI scribe vendors holding the admission assessment archives of the clinicians whose documentation is at issue. The relator's complaint — which is based on the relator's insider knowledge of the hospital's documentation and billing practices — may specifically identify the cloud AI scribe vendor as the source of contemporaneous evidence: a relator who worked in utilization management and knew that the consulting psychiatrists used a cloud AI scribe during their assessments can direct investigators to the vendor archive as the most granular record of what those assessments showed.
The hospital's counsel cannot assert physician-patient privilege on behalf of the hospital's billing interests in response to a Rule 45 subpoena directed to the vendor. The privilege belongs to the patient. The vendor's response to the subpoena is governed by the vendor's own legal team and the FRCP Rule 45 process — not by the hospital's litigation strategy. The civil FCA case and any parallel DOJ criminal investigation under 18 U.S.C. § 287 can run concurrently, and both use independent legal process reaching the vendor archive.
Proceeding 3: CMS/OIG billing fraud investigation
The HHS Office of Inspector General exercises administrative subpoena authority under 42 U.S.C. § 1320a-7b and other provisions to investigate Medicare fraud and abuse. OIG can issue Civil Investigative Demands and administrative subpoenas to third-party business record custodians — including cloud AI scribe vendors — when those records are relevant to a Medicare fraud investigation.
OIG investigations in the two-midnight context typically begin with referrals from RAC findings, MAC pattern-of-care data, or — increasingly — qui tam complaints. A hospital identified through PEPPER data or RAC review as a statistical outlier for short-stay inpatient psychiatric admissions may be referred to OIG for a fraud investigation focused on whether the documentation practices that generated the inpatient claims reflect genuine clinical findings or systematic billing optimization.
The OIG administrative subpoena is directed to whoever holds the records — not just to the hospital. An OIG subpoena addressed to the cloud AI scribe vendor holding a contracted psychiatrist's admission assessment archive reaches the vendor directly, under OIG's own authority, without the hospital's involvement. The vendor's HIPAA obligations permit disclosure to health oversight agencies conducting oversight activities under HIPAA § 164.512(d) — a disclosure that does not require patient authorization and does not require the treating clinician's advance knowledge.
The critical evidentiary value of the vendor archive in an OIG fraud investigation is the comparison it enables between what the clinician said verbatim during the assessment and what the formal note documented. If OIG investigators find a pattern in which the vendor archives of admission assessment sessions show clinical reasoning that does not consistently support the inpatient classifications claimed in the corresponding billing codes — while the formal notes are written to appear compliant — the vendor archive is the evidence that the billing optimization was knowing, not inadvertent. That is the difference between a repayment demand and a fraud referral.
An OIG fraud investigation that results in findings may lead to exclusion from Medicare participation under 42 U.S.C. § 1320a-7 — a sanction that affects the contracted psychiatrist, not just the hospital.
Proceeding 4: Patient civil action for SNF coverage denial and observation misclassification harm
The most direct adversarial proceeding arising from observation misclassification is brought not by the government but by the patient. A Medicare beneficiary who was functionally an inpatient — presenting with acute psychiatric symptoms that met two-midnight criteria, receiving inpatient-level services, remaining in the hospital for multiple days — but was classified as observation status faces the financial consequences of that classification without recourse to the Medicare billing appeal process on the inpatient-versus-observation question. The patient cannot appeal the observation classification through the Medicare administrative appeal process in the same way they can appeal a coverage denial; the legal remedies are civil.
A patient who was misclassified as observation status and denied Part A SNF coverage as a result can bring civil claims against the hospital and the treating clinician. The theories include negligent misclassification — a failure to exercise reasonable care in making the inpatient-versus-observation determination — and breach of fiduciary duty in the billing and documentation process. The patient's attorney, using FRCP Rule 45 civil subpoena authority, can compel the cloud AI scribe vendor to produce the verbatim admission assessment archive.
The vendor archive is the most favorable record for the patient's theory: it documents, in the admitting clinician's own words, what the clinical picture looked like at the time of admission. If the verbatim archive shows clinical findings — severity of psychiatric symptoms, level of functional impairment, absence of social supports, history of prior hospitalizations — that consistently with the two-midnight standard, while the formal note was drafted in a way that resulted in an observation classification, the patient's attorney has contemporaneous clinician-generated evidence supporting the misclassification claim.
The treating clinician cannot control how the vendor responds to the patient's Rule 45 subpoena. The hospital's counsel, retained to defend the hospital, is not representing the contracted psychiatrist's interests in the vendor subpoena proceeding. The vendor's compliance is governed by the FRCP Rule 45 process and the vendor's own legal obligations — processes that operate independently of either the hospital's or the clinician's litigation strategy.
Proceeding 5: PEPPER-triggered MAC targeted pre-payment review
CMS provides hospitals with a PEPPER — Program for Evaluating Payment Patterns Electronic Report — a quarterly data report comparing the hospital's Medicare billing patterns against state and national norms for selected claim types. PEPPER identifies statistical outliers: hospitals whose billing patterns on specific DRG and claim categories deviate significantly from peer institutions. For psychiatric inpatient programs, PEPPER tracks short-stay inpatient psychiatric admissions as an indicator of potential two-midnight rule compliance risk.
Hospitals flagged in PEPPER as outliers — with unusually high rates of one- and two-day inpatient psychiatric stays that suggest systematic admission of patients who do not meet two-midnight criteria — become targets for MAC targeted pre-payment review. Unlike RAC post-payment audits (which challenge claims after they have been paid), MAC pre-payment review occurs before the claim is processed. The MAC requests complete clinical documentation for each claim under review before issuing payment, effectively making the hospital prove inpatient-necessity in advance for every claim in the audit cohort.
MAC pre-payment documentation requests encompass all clinical records for the admission — including business records held by third-party vendors of the clinical staff who conducted the admission assessment. Cloud AI scribe vendor archives of admission assessment sessions conducted by the hospital's contracted psychiatric consultants are business records of the clinical encounters that the MAC's records request covers. For a hospital with a PEPPER outlier pattern in short-stay psychiatric inpatient billing, every admission assessment that a contracted psychiatrist conducted through a cloud AI scribe has a corresponding vendor archive that may be subject to the MAC's pre-payment review documentation request.
The PEPPER-to-MAC pathway creates a systemic, recurring audit exposure — not just an episodic risk from individual claim challenges. A hospital that contracts with psychiatric consultants who independently use cloud AI scribes may not have mapped the vendor archive footprint of its admission assessment documentation when calculating the scope of its pre-payment review exposure. The pre-payment review process does not afford the same opportunity to prepare a legal defense as post-payment audit proceedings; the MAC reviews documentation and makes a payment determination before the hospital's legal team has an opportunity to contest the records request.
Existing coverage of the hospital-based psychiatric contractor's documentation layer — including the independently subpoenable vendor archive and its role in wrongful discharge malpractice, payer utilization review, and CMS Conditions of Participation enforcement — is analyzed in detail in the psychiatric inpatient unit documentation and cloud AI scribes post. The two-midnight rule proceedings addressed here represent a distinct and additional layer of adversarial exposure, arising from Medicare's billing classification framework rather than from care quality or discharge decision-making.
The broader audit infrastructure: how RAC, MAC, CERT, and PEPPER interact
The five adversarial proceedings described above do not operate in isolation. Medicare's audit infrastructure is designed so that RAC findings, MAC pre-payment data, CERT (Comprehensive Error Rate Testing) contractor reviews, and PEPPER outlier identification all feed referral pathways to OIG, DOJ, and the qui tam plaintiff's bar. A hospital that appears in RAC post-payment audit findings, PEPPER short-stay outlier data, and a qui tam complaint simultaneously is facing four simultaneous adversarial proceedings, each using independent legal process to reach the vendor archives of the same admission assessment sessions.
The cloud AI scribe vendor archive is not just a records curiosity — it is the highest-resolution contemporaneous documentation of the clinical reasoning that every one of those proceedings is examining. The formal EHR note is an edited artifact. The vendor archive is the verbatim clinical encounter. For a hospital that has not mapped its contracted clinicians' independent cloud AI scribe use, the vendor archive is an unknown evidentiary variable in proceedings the hospital's legal team may not have anticipated when drafting its audit response strategy.
The Medicaid analog to this Medicare audit infrastructure — the Medicaid managed care program integrity audit chain, MFCU investigations, and qui tam FCA exposure for Medicaid claims — is analyzed separately in the CCBHC cloud AI scribe post and the Medicaid MCO cloud AI scribe post. The general question of whether an AI-generated therapy note can be subpoenaed at all is addressed in can an AI therapy note be subpoenaed. The contractual limits of HIPAA business associate agreements in protecting vendor-held records are analyzed in what a BAA actually covers and what it doesn't. The specific documentation exposure that arises from integrated behavioral health models in which mental health professionals work alongside primary care in hospital-adjacent settings is covered in the behavioral health integrated primary care and COCM post.
What on-device processing eliminates
Each of the five adversarial proceedings described above depends on the existence of a cloud AI scribe vendor archive — a repository of verbatim admission assessment content held in a vendor's infrastructure, outside the hospital's medical records governance, independently subpoenable through legal processes the hospital cannot control.
On-device processing eliminates the vendor archive before any of those proceedings can open a pathway to it. TherapyDraft processes admission assessment audio on the clinician's device using local inference: the audio, transcript, and note draft never leave the device. There is no vendor server. There is no third-party business record custodian. A RAC records request, MAC pre-payment documentation demand, OIG administrative subpoena, FRCP Rule 45 civil subpoena from a qui tam relator's counsel, and a patient's attorney's subpoena all reach a vendor that holds no admission assessment archive — because no archive was created outside the device.
The clinical note that reaches the hospital EHR is the edited note — exactly the documentation that would exist if the clinician had dictated without a scribe. The architectural choice eliminates the parallel records layer, the vendor archive exposure, and the gap between verbatim clinical communication and formal documentation that five independent adversarial proceedings are built to exploit.
Insurance utilization review and payer post-payment audit exposure for the documentation that does reach the EHR is addressed in the CBT progress notes and insurance utilization review post. That exposure exists regardless of whether the note was drafted with a cloud AI scribe — it is inherent in the relationship between clinical documentation and payer audit authority. What on-device processing eliminates is the additional layer of vendor archive exposure that cloud AI scribes add on top of the documentation-audit relationship that already exists.
HIPAA by architecture, not by contract.
TherapyDraft drafts your notes on your Mac. Audio, transcript, and note never open a network socket — no vendor archive, no third-party record custodian, no exposure in proceedings you don't control.
See pricingFrequently asked questions
What is the Medicare two-midnight rule and what clinical documentation does it require?
The Medicare two-midnight rule, codified at 42 CFR § 412.3, provides that Medicare will generally pay for an inpatient admission when the physician reasonably expects at the time of admission that the patient will require hospital care spanning at least two midnights. For psychiatric admissions, the admitting physician must document a certification of inpatient necessity addressing the patient's clinical history, examination findings, and the clinical basis for concluding that inpatient-level care is required rather than a lower level of care. Short stays — cases where the patient is admitted and discharged before the two-midnight threshold — require documentation showing the clinical facts at admission supported inpatient classification under one of the approved exceptions. This clinical reasoning is the documentation that Medicare Recovery Audit Contractors examine when they challenge an inpatient claim, and it is the content that cloud AI scribes capture verbatim during the admission assessment session.
If a cloud AI scribe vendor receives a Medicare RAC records request or subpoena, does the hospital or treating clinician get notified first?
Not necessarily. A RAC records request directed to the cloud AI scribe vendor as a business record custodian does not require advance authorization from the hospital or treating clinician. A FRCP Rule 45 subpoena in a civil False Claims Act case is served on the vendor as a third party, and the parties in the civil proceeding receive notice, but the vendor's response timeline does not wait for the hospital to retain separate counsel to contest it. An OIG administrative subpoena under 42 U.S.C. § 1320a-7b is directed to the vendor and processed by the vendor's legal team. In all three scenarios, the treating clinician who created the vendor archive by using the cloud AI scribe may not know the vendor produced their admission assessment archive until after production has already occurred.
Can the hospital assert the physician-patient privilege to block a subpoena directed at the cloud AI scribe vendor?
The physician-patient privilege belongs to the patient — not to the hospital's billing interests. The hospital cannot assert the patient's privilege on behalf of its own billing defense. Additionally, a cloud AI scribe vendor retained independently by a contracted psychiatrist (not by the hospital) is not covered by the hospital's privilege assertions — the hospital's counsel cannot instruct a vendor it did not retain. The practical result is that the hospital's records management system and legal team do not control a vendor archive created independently by a contracted clinician, and the hospital's billing defense does not determine the scope of that vendor's response to legal process.
What is PEPPER and how does it create systematic audit exposure for hospital psychiatric inpatient programs?
PEPPER (Program for Evaluating Payment Patterns Electronic Report) is a CMS-provided quarterly data report comparing a hospital's Medicare billing patterns against state and national norms. For inpatient psychiatric programs, PEPPER tracks short-stay inpatient psychiatric admissions as an indicator of potential two-midnight rule compliance risk. Hospitals flagged as statistical outliers face targeted pre-payment review by their Medicare Administrative Contractor (MAC), which requests complete clinical documentation — including business records held by third-party vendors such as cloud AI scribe companies — before processing each claim. This makes vendor archive exposure a recurring, systemic risk for high-outlier hospitals rather than an episodic risk from individual claim challenges.
How does a contracted consulting psychiatrist's cloud AI scribe create documentation outside the hospital's EHR and records governance?
A contracted consulting psychiatrist independently retains their own business associate relationships, including with any cloud AI scribe vendor they use. The hospital's BAA with its own vendors does not extend to the contracted psychiatrist's independently retained scribe vendor. When the psychiatrist uses a cloud AI scribe during an admission assessment, the vendor receives and stores audio, transcript, and note draft as a business record held entirely in the vendor's infrastructure — not in the hospital's EHR, not subject to the hospital's legal hold procedures, and not controlled by the hospital's medical records department or legal team. When a RAC, MAC, OIG investigator, or civil litigant serves a subpoena on the cloud AI scribe vendor, the vendor's compliance is governed by the vendor's own legal obligations, not by the hospital's counsel or the psychiatrist's malpractice insurer.