The short answer: AI does not lower your compliance burden, it raises it
If you run a behavioral health facility in Florida, Texas, or Arizona, here is the direct answer: federal regulators are now using AI to find you faster than your AI can clean up your charts. The OCR, OIG, DOJ, and CMS have all moved into algorithmic enforcement, and a compliance program built on auto-generated notes and unaudited AI scribes is a self-reporting tool for the government. In June 2025 the DOJ announced a national healthcare fraud takedown that charged 324 defendants in schemes involving $14.6 billion in alleged false claims, and the takedown was facilitated in significant part by AI-driven pattern recognition. Read that sentence twice if you sell AI as a compliance shortcut to your board.
The same agencies that are deploying AI against you have also told you, in writing, what they expect you to do with the AI you deploy. Recent enforcement actions, audit activity, proposed rulemakings, and guidance issued by the HHS Office for Civil Rights highlight the agency’s focus on health data security and artificial intelligence. Operators who treat AI as a productivity story instead of a risk-management story will lose that argument with a surveyor.
What changed in 2024 and 2025: the rulebook operators are working under right now
Three concrete moves matter for behavioral health CEOs. First, on January 10, 2025, OCR issued a “Dear Colleague” letter on AI in patient care decision support. According to the letter, regulated organizations have an ongoing duty to make reasonable efforts to identify and mitigate the risk of discrimination from AI tools that use race, color, national origin, sex, age, or disability as input variables. That duty applies whether the tool is a clinical algorithm, a utilization management engine, or an intake screener.
Second, on January 6, 2025, the HHS Office for Civil Rights proposed the first major update to the HIPAA Security Rule in 20 years, citing the rise in ransomware and the need for stronger cybersecurity. The proposed rule removes the distinction between “required” and “addressable” implementation specifications such that all implementation specifications are required, with limited exceptions, and it mandates a compliance audit at least once every 12 months. If your EMR vendor or AI scribe touches ePHI, HHS expects that artificial intelligence software used to create, receive, maintain, or transmit ePHI would be listed as part of the technology asset inventory.
Third, the threat surface is bigger than most operators understand. According to HHS OCR, the number of individuals impacted by health care data breaches increased from 27 million in 2020 to 259 million in 2024. The third-party vendor doing your AI transcription is, statistically, your most likely breach origin.
Why AI chart audits will not save you in front of a surveyor
I will say this plainly because it gets us in trouble at conferences: AI chart audit tools are not a substitute for human chart review in a behavioral health setting. We have tested several. They miss medical necessity language. They miss ASAM Criteria 4th Edition level-of-care justifications. They hallucinate documentation that is not in the record. And when a Florida AHCA surveyor or a TRICARE SIU auditor sits down across from your clinical director, the AI is not in the room.
The regulators agree with that framing in their own language. OCR has told regulated organizations to train staff on the proper use of AI tools and audit their performance in real-world scenarios to ensure compliance, and to use tools that allow qualified human staff to override and report discriminatory decisions made by AI. Translation for operators: if your AI scribe drafts a progress note and a clinician signs it without reading it, you own the note, the documentation defect, and the false claim if the level of care does not match. The OIG already flagged the dollars at stake. The OIG reports an estimated $86.5 billion in improper payments across Medicare, Medicaid, and CHIP, with limited improvement in high-risk service areas.
What enforcement actually looks like now: DOJ, OIG, and state MFCUs working in parallel
Behavioral health operators in states like Florida, Tennessee, Massachusetts, and Maryland are seeing coordinated enforcement, not isolated audits. The Office of Inspector General, the Department of Justice, and the Centers for Medicare and Medicaid Services are now deploying artificial intelligence, machine learning, and advanced data analytics to monitor healthcare claims in near-real time, identify outlier billing patterns, map provider referral networks, and predict which providers are most likely to be engaged in fraudulent or abusive billing practices. DOJ’s announcement of a Healthcare Fraud Data Fusion Center, a hub of government data and collaboration with the FBI, HHS OIG, and other federal agencies, demonstrates the government’s continued focus on using data analytics and AI tools to detect, investigate, and prosecute healthcare fraud.
State Medicaid Fraud Control Units are moving in the same direction. State-led MFCU investigations are also on the rise and will likely increase as federal enforcement priorities evolve. For a behavioral health CEO, that means three things. Your Medicaid census is being analyzed against peer benchmarks. Your level-of-care mix is being compared to expected distributions for similar facilities. And your billing patterns are being modeled before a single auditor knocks on your door. Rather than investigating problems after they occur, enforcement agencies now use predictive models to identify likely violators before claims are paid.
What AHS tells operators to do this quarter, in plain English
Five concrete moves. Do them before your next survey window opens.
- Inventory every AI tool that touches PHI. The proposed HIPAA Security Rule expects it. If you cannot name the vendor, the version, the data flow, and the BAA effective date, you are already behind.
- Run a real mock survey with human auditors. Have a reviewer read 30 charts against ASAM Criteria 4th Edition and your state licensure standards. Compare the human findings against whatever your AI audit tool flagged. The gap is your risk.
- Update your Section 1557 analysis. If you use any patient-screening, risk-stratification, or utilization management algorithm, document the mitigation steps OCR named. “We did not know” is not an answer the agency accepts.
- Tighten BAAs with every AI vendor. Training data, model retention, breach notification timelines, and de-identification protocols all belong in the contract, not in a sales deck.
- Train clinical leadership on AI documentation risk. A clinician who signs an AI-drafted note attests to it. The Joint Commission, CARF, and state licensing bodies will not care that a model wrote it.
One quote to end on, because it captures the regulator’s posture better than I can. The American Hospital Association, writing to HHS in February 2026, noted that it is essential that entities that hold or process PHI, including certain AI vendors that may not meet the definition for covered entities or business associates under current law, be subject to similarly rigorous privacy and security standards. The fence is moving outward. Operators who get ahead of it will keep their accreditation, their payer contracts, and their license. The ones who outsource their thinking to a chatbot will not.
Frequently asked questions
Does an AI scribe or AI chart auditor satisfy HIPAA and OCR requirements on its own?
No. OCR’s January 2025 guidance and the proposed HIPAA Security Rule both treat AI tools as part of the regulated technology footprint, not as a substitute for human oversight. Covered entities must inventory AI systems that touch ePHI, train staff on proper use, audit performance in real-world scenarios, and allow qualified human staff to override AI decisions. An unaudited AI tool is a finding waiting to happen.
How are DOJ and OIG actually using AI to investigate behavioral health providers?
DOJ, OIG, and CMS deploy machine-learning models that analyze claims in near-real time, map referral networks, and compare a provider’s billing patterns against peer benchmarks. The Healthcare Fraud Data Fusion Center aggregates Medicare, Medicaid, and commercial claims data across state lines. The 2025 national takedown that charged 324 defendants in $14.6 billion of alleged false claims relied heavily on AI-driven pattern recognition.
What should a behavioral health CEO in Florida, Texas, or Tennessee prioritize in the next 90 days?
Five items: build a complete AI and ePHI technology asset inventory, run a human-led mock chart audit against ASAM Criteria 4th Edition and state licensure standards, document Section 1557 mitigation steps for any decision-support algorithm, update BAAs with every AI vendor to address training data and breach timelines, and train clinical leadership on the legal weight of signing AI-drafted documentation.
If state Medicaid Fraud Control Units are increasing enforcement, what is the operator-side signal to watch?
Watch your level-of-care distribution, length-of-stay outliers, and any clinical documentation that looks templated across patients. MFCUs are running the same analytics DOJ and OIG run, and they are moving aggressively in states like Maryland and Massachusetts. A pattern your AI scribe creates today can become an MFCU investigation 18 months from now.
References
- HHS OCR, “Dear Colleague” Letter on Nondiscrimination in the Use of AI (January 10, 2025)
- HHS OCR, Proposed HIPAA Security Rule Update (January 6, 2025)
- DOJ, 2025 National Health Care Fraud Takedown ($14.6B, 324 defendants)
- HHS-OIG Compliance Guidance and Resources
- American Hospital Association, Response to HHS RFI on AI in Health Care (February 2026)
- Healthicity summary of OIG 2025 Top Management Challenges Report ($86.5B improper payments)
- Morgan Lewis, Enforcement Notes from AHLA Fraud and Compliance Forum (October 2025)