Table of Contents
Ready to See Results?
From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
The Short Answer
Behavioral health operators need to treat every AI tool that touches PHI as a regulated system: a written risk analysis, a signed Business Associate Agreement, human clinician sign-off on adverse decisions, 42 CFR Part 2 consent handling, and documented monitoring for bias and error. That is the floor.
The DOJ, HHS Office for Civil Rights (OCR), SAMHSA, and CMS have all moved on this in the last 24 months, and federal prosecutors are now specifically told to ask about it. On September 23, 2024, the DOJ Criminal Division updated its Evaluation of Corporate Compliance Programs (ECCP). Prosecutors now evaluate whether a company’s compliance program includes safeguards against the deliberate or reckless misuse of new technologies, including AI, in ways that violate criminal laws or the company’s Code of Conduct. Then-Deputy Attorney General Lisa Monaco said it in her March 2024 remarks at the ABA: “Fraud using AI is still fraud.”
If you operate a treatment center in Florida, Texas, New Jersey, or Arizona and you cannot hand a surveyor or a prosecutor the risk assessment, the BAA, and the human-in-the-loop protocol for every AI tool touching a chart, a claim, or a coverage decision, you are exposed.
The Regulators Have Already Moved. Most Operators Haven't.
Three federal actions matter more than any LinkedIn discourse about AI.
DOJ ECCP (September 2024). The 2024 updates instruct DOJ prosecutors to assess how companies manage risk related to AI and other emerging technologies, use data for compliance program purposes, and protect whistleblowers. DOJ now expects companies to stress-test AI applications to identify vulnerabilities, continuously monitor high-risk AI use cases, and document risk mitigation efforts.
HHS OCR on Section 1557 (July 2024). The Section 1557 nondiscrimination final rule was issued on May 6, 2024 and took effect July 5, 2024, and OCR has confirmed it will enforce Section 1557’s nondiscrimination protections in the use of AI, with the affirmative requirement to identify and mitigate risks of discrimination in patient care decision support tools taking effect May 1, 2025. OCR expects covered entities to train staff on the proper use of AI tools and audit performance in real-world scenarios, and to use tools that allow qualified human staff to override discriminatory decisions through mechanisms such as human-in-the-loop AI review.
SAMHSA / OCR 42 CFR Part 2 Final Rule. On February 8, 2024, HHS through SAMHSA and OCR announced a final rule modifying the confidentiality regulations for SUD patient records, aligning Part 2 more closely with HIPAA while keeping stricter consent and re-disclosure controls. Persons subject to the regulation must comply with the applicable requirements by February 16, 2026. Enforcement began on that date.
Meanwhile, the enforcement picture. As of January 28, 2025, the OCR breach portal showed 725 data breaches of 500 or more records in 2024, the third consecutive year above 700 large breaches. OCR imposed 22 financial penalties in calendar year 2024, collecting $9,944,612, and risk analysis failures were by far the most commonly identified HIPAA violations. If your team has not documented an AI-specific risk analysis, that is the finding waiting for you.
What Actually Fails in a Behavioral Health Setting
Picture the fact pattern. An ambient AI scribe drafts a group therapy note. The clinician clicks accept. The note gets pushed to Kipu or Sunwave. Ninety days later a payer SIU audit lands and pulls 30 charts. Here is what breaks.
- No signed BAA with the scribe vendor. The vendor is a subcontractor to your EHR, or worse, a Chrome extension a clinician installed. Under HIPAA, only a signed Business Associate Agreement legally binds the vendor to protect PHI.
- Part 2 consent is missing or expired. Under 42 CFR §§ 2.3, 2.12, 2.13, disclosure of SUD records for treatment, payment, or health care operations requires patient consent, with narrow exceptions. Piping session audio through a third-party AI vendor without valid consent is a Part 2 violation, full stop.
- SUD counseling notes get swept in. The Final Rule creates a new definition for an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record and that require specific consent. If your scribe drops raw therapist analysis into the general record, you have collapsed a protection the regulation just built.
- The AI hallucinates a Level of Care justification. We have tested several AI chart audit tools. They skip obvious errors and invent findings. If a UR reviewer reads an ASAM Criteria 4th Edition rationale that the clinician never wrote, that is a False Claims Act exposure, not a documentation quirk.
None of these fail in isolation. They fail together, on the same chart, in the same audit. Prosecutors have been told to look for exactly this pattern; the September 23, 2024 ECCP update addresses how companies manage risks associated with new and emerging technology, including artificial intelligence.
Coverage Decisions, Prior Auth, and the CMS WISeR Pilot
AI on the operator side is one problem. AI on the payer side is a different one, and it will hit your census.
CMS clarified in a February 6, 2024 FAQ memo that Medicare Advantage organizations may use algorithms, artificial intelligence, and related technologies to assist in making coverage determinations, but these technologies may not override standards related to medical necessity. The FAQ went further: “an algorithm that determines coverage based on a larger data set instead of the individual patient’s medical history, the physician’s recommendations, or clinical notes would not be compliant.” Under 42 C.F.R. § 422.566(d), an adverse medical necessity decision must be reviewed by a physician or other appropriate health care professional with expertise in the field of medicine or health care that is appropriate for the service at issue.
Then came WISeR. The Wasteful and Inappropriate Service Reduction (WISeR) Model helps protect American taxpayers by leveraging enhanced technologies, such as Artificial Intelligence (AI) and Machine Learning (ML), along with human clinical review, to ensure timely and appropriate Medicare payment for select items and services. WISeR runs for six performance years from January 1, 2026 to December 31, 2031 in six states: New Jersey, Ohio, Oklahoma, Texas, Arizona, and Washington. A human clinician must review every denial decision.
If your treatment center operates in any of those six states, expect algorithmic scrutiny on documentation quality, medical necessity language, and continued-stay justifications. Weak notes will not survive. WISeR services accounted for 5.3% ($12.3B) of all Part B spending in traditional Medicare in 2024, up from 1.1% ($2.4B) in 2019, which tells you where CMS thinks the money is. Your utilization management team needs to read every denial rationale for signs of pattern-matching that ignored patient-specific facts, because that is the exact scenario CMS said would be non-compliant.
What Operators Should Actually Do This Quarter
Not a maturity model. A punch list.
- Inventory every AI tool that touches PHI. Scribes, chart auditors, intake bots, verification-of-benefits tools, revenue cycle predictors, marketing chatbots. If your leadership team does not know where the tool sits, you cannot analyze the risk.
- Get the BAA or turn the tool off. No BAA, no PHI. This is not negotiable and it is the single fastest way to shrink your surface area.
- Write the AI-specific risk analysis. Document what data flows where, how the vendor trains on it (or does not), what the deletion policy is, and what your human override looks like. This is the artifact a prosecutor or an OCR investigator will ask for. Through its investigations, OCR found that the most common violations related to risk analyses and risk management, information system activity reviews, audit controls, and the authentication of persons or entities.
- Add Part 2 consent language for AI processing of SUD records. Your consent forms probably do not name AI vendors as recipients. Fix that before your next state licensure survey.
- Human-in-the-loop, on paper. The DOJ ECCP asks whether the company monitors and tests these technologies. Write the policy. Log the overrides. Show the audit trail.
- Train the clinical team. OCR’s guidance calls for training staff on the proper use of AI tools and auditing performance in real-world scenarios. Not a one-time deck. A recurring competency.
Behavioral health has always been the sector where the regulator shows up first and the technology matures second. AI has not changed that. Operators who write it down, test it, and can hand a surveyor a binder will be fine. The ones treating AI as an IT decision instead of a compliance decision will not.
Frequently asked questions
Does an AI scribe vendor need a Business Associate Agreement in behavioral health?
Yes. Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate under HIPAA and requires a signed BAA. For SUD programs, you also need to confirm the vendor will honor 42 CFR Part 2 restrictions on use and re-disclosure, which most generic medical scribes do not address by default. No BAA means no PHI touches the tool.
What did the DOJ change in September 2024 that affects behavioral health operators?
The Criminal Division updated its Evaluation of Corporate Compliance Programs to instruct prosecutors to evaluate how companies manage risks associated with AI and other emerging technologies, use data for compliance program purposes, and protect whistleblowers. DOJ now expects companies to stress-test AI applications, continuously monitor high-risk use cases, and document risk mitigation. For behavioral health operators, an AI tool without a documented risk assessment and controls is now a specific prosecutorial checkpoint.
Can a Medicare Advantage plan use AI to deny a patient’s admission or continued stay?
AI can assist with the decision, but per CMS’s February 6, 2024 FAQ, an algorithm that determines coverage based on a larger data set instead of the individual patient’s medical history, physician recommendations, or clinical notes is not compliant. Adverse medical necessity decisions must be reviewed by a physician or appropriate clinician with relevant expertise under 42 CFR § 422.566(d). If a denial rationale reads like pattern-matching against a generic profile rather than the specific chart, that is your appeal argument.
When did 42 CFR Part 2 compliance for the 2024 Final Rule become mandatory?
HHS, through SAMHSA and OCR, announced the Final Rule on February 8, 2024, with an effective date of April 16, 2024, and a compliance date of February 16, 2026. The rule aligns certain Part 2 provisions with HIPAA, applies HIPAA Breach Notification obligations to Part 2 breaches, and requires separate patient consent for the use and disclosure of SUD counseling notes. Operators running SUD programs should confirm consent forms, breach notification workflow, and any AI vendor handling of SUD records reflect the new rule.
Which states are affected by CMS’s WISeR AI prior authorization pilot?
The WISeR Model launched January 1, 2026 and operates in six states through December 31, 2031: New Jersey, Ohio, Oklahoma, Texas, Arizona, and Washington. Providers in those states will see AI-assisted prior authorization or pre-payment medical review on selected Original Medicare items and services, with human clinician review required on non-affirmed decisions.
References
- U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (Updated September 2024)
- HHS Fact Sheet: 42 CFR Part 2 Final Rule (SAMHSA / OCR, February 8, 2024)
- CMS Innovation Center: Wasteful and Inappropriate Service Reduction (WISeR) Model
- AAMC summary of CMS February 6, 2024 FAQ on Medicare Advantage use of AI and algorithms
- HHS OCR Annual Report to Congress on Breaches of Unsecured Protected Health Information (2024)
- HIPAA Journal: OCR 2024 Reports to Congress on HIPAA Compliance and Data Breaches
- McDermott Will & Emery: Section 1557 Patient Care Decision Support Tools Compliance
- Congressional Research Service: Overview of the Medicare WISeR Model