Compliance in the Age of Al for Coding, Auditing, and CDI

Looking Ahead: Compliance in the Age of Al for Coding, Auditing, and CDI

Article Reference Code: NAMAS.12.12.2025

Written by: Melinda McGuire, MS, Master of Am Studies, RHIA

An Al coding tool suggests a diagnosis that will increase reimbursement by $2400. The documentation technically supports it. The keywords are there, and the format looks perfect. When you review the clinical context, you find that the medical necessity is questionable. The machine made the suggestion. You own the audit risk. Welcome to compliance in 2026.

Al: A New Partner or a New Risk?

Al is quickly reshaping healthcare documentation, coding, and auditing workflows. Tools now identify missing documentation elements, recommend diagnosis codes, and flag potential denials before submission with the promise of accuracy and efficiency. The risk is misplaced accountability.
Compliance risk doesn’t vanish because a machine makes the suggestion. Instead, it shifts to whoever approved the suggestion. Al can’t sign attestations or testify in an audit. Al can’t assume OIG responsibility. It is the human reviewer who remains accountable, always.
Al is becoming the standard in compliance workflows, where it must be treated as both a productivity tool and a new subject to audit. That means we must audit the algorithm itself. We must track its version, outputs, and errors, just as we would when auditing any clinical system under CMS or HIPAA oversight.

When Al Misses Context: Documentation, Coding, and Auditing Risks
Al-generated documentation can look impeccable with clean structure, complete fields, and perfect formatting. However, perfection on paper doesn’t equal accuracy in context . For example, an ambient documentation tool auto-completes “patient reports no chest pain” when the provider actually noted that the “patient unable to communicate pain level due to altered mental status.” The documentation appears compliant, but it is clinically inaccurate. This makes the documentation both inaccurate and legally indefensible.
Compliance teams must implement safeguards that validate both the content and the context.

What are the key actions for compliance teams?

• Audit for accuracy, not appearance. Compare Al-generated notes with actual clinical encounters.
• Verify provider intent. Providers should review Al drafts for accuracy, not just speed. Track overrides and errors. Document every instance where staff reject or correct Al suggestions. The patterns the compliance teams find will reveal risk areas.
• Without these key actions, organizations risk building systemic errors directly into the health record.

Trust but Verify: Coding and Auditing in 2026
Al-assisted coding can analyze thousands of records in minutes, but efficiency doesn’t equal compliance. Algorithms can detect keywords, butthey cannot apply clinical judgment. For example, an Al coding engine flags sepsis codes based on “elevated temperature,” “increased white count,” and “antibiotic use.” A human auditor later finds the patient didn’t meet clinical criteria for severe sepsis. The fever was low-grade, and antibiotics were prophylactic. The Al-assisted coding system saw a pattern. The auditor saw context.

What is the compliance solution?

• It’s the “trust but verify” model.
• Coders and auditors are clinical validators, not data clerks.
• Their role is to confirm that Al-suggested codes meet medical necessity and compliance standards.
• Use random sampling.
• Review 5-10% of high-risk cases manually (complex conditions, surgical encounters, E/M level assignments).
• Track discrepancies.
• Identify recurring Al errors and feed them back into model retraining or vendor review.

Compliance integrity still depends on human oversight, even when the machine gets it “mostly right.”

COi in the Al Era: The Clinical Integrity Checkpoint
Clinical Documentation Integrity (COi) specialists now act as the final checkpoint between Al efficiency and compliance reality. Al can flag missing diagnoses or suggest queries, but it cannot discern nuance or ethics. For example, an Al tool recommends querying for “acute respiratory failure” to boost severity and reimbursement. A COi specialist recognizes the criteria aren’t met. The Al optimized for capture. The human protected compliance integrity.

To stay ahead, COi professionals should:

• Understand Al’s training limits.
• Many models learn from historical documentation, and some of that documentation was non-compliant to begin with.
• Apply ethical and compliance filters. Not every “opportunity” is valid. COi must guard against algorithmic upcoding.
• Educate providers. Physicians should know Al-generated queries require the same scrutiny as human ones.
• COi is about improving documentation and governing Al behavior inside the documentation process.

Building a Compliance Framework for Al
Al use in compliance must be governed as rigorously as any other high-risk process. This means documented oversight, accountability, and auditability.

What do we need to do? Establish an Al Governance Framework.

• Policy Development: define acceptable use, risk tolerance, and who signs off on Al-assisted work.
• Training: equip coders, auditors, and COi staff to understand basic Al functions, limitations, and “hallucination” risks.
• Documentation: maintain an Al Compliance Log that records tools being used, versions, reviewers, and outcomes.
• Ethical Review: evaluate for bias or unequal coding outcomes. Al should not perpetuate existing disparities.

These controls demonstrate due diligence when CMS, OIG, or RAC auditors question how Al outputs were verified.

Practical Steps for the First 30 Days:
1. Week 1 -Audit 10 Al-assisted records. Note discrepancies and document findings.
2. Week 2- Meet with your Al vendor. Ask how the model was trained, validated, and updated.
3. Week 3 – Create a tracking log for Al output, reviewer, discrepancies, and actions taken.
4. Week 4- Present findings to leadership and propose a governance framework before issues arise.

This proactive cycle establishes accountability and provides evidence that oversight occurred.

The Human Signature on Al-Generated Work
Regulatory attention on Al healthcare is accelerating. CMS and the OIG are assessing documentation integrity and medical necessity, and these are the areas where Al struggles most. Organizations that establish governance now will lead the field in 2026. Al will generate documentation, suggest codes, and flag risks. Al will never sign the attestation. That responsibility and the compliance liability remain human. The professionals who understand this distinction won’t just survive the Al transition. They’ll define what compliant Al practice looks like for everyone else. Al makes the suggestion. You own the audit risk. 2026 requires us to be ready.

If you have questions about this article or it’s content- Click here to connect with Melinda on LinkedIn

---

 

Melinda McGuire, M.S., RHIA

I design and lead compliant, ethical, and effective learning programs for higher education and healthcare organizations. With 20 years as an educator and department head, I turn complex compliance, AI, and telehealth requirements into actionable frameworks and scalable training initiatives. As the creator of the AI-Ready Revenue Integrity Framework™, I help organizations build programs that strengthen compliance, improve outcomes, and earn long-term trust.

 

---

NAMAS BLOG Disclaimer:

The NAMAS Blog features content written by both NAMAS staff and guest contributors. Guest contributors may present opinions or perspectives that differ from those officially instructed or encouraged by NAMAS. We believe in providing space for a range of informed viewpoints to foster dialogue, reflection, and deeper understanding within the auditing and compliance community.

Some contributors may use artificial intelligence (AI) tools in the development of their content. The decision to incorporate AI is left to the discretion of the author and does not reflect an endorsement or directive from NAMAS.

If you have questions, comments, or concerns about a specific blog post, we encourage you to contact the individual author directly. Their name and contact information are provided at the end of each post.