At a Glance:
Complete documentation is not always defensible documentation. This article explains why auditors look beyond populated fields to determine whether the record supports medical necessity, the level billed and the service provided. It also outlines practical steps organizations can take to strengthen documentation before external review.
Every November, the Centers for Medicare and Medicaid Services reports how much it paid out improperly. For fiscal year 2024, the Medicare fee for service improper payment rate was 7.66 percent, or roughly $31.7 billion. The figure that should hold a compliance leader’s attention is not the dollar amount. It is the reason behind it. CMS is direct on this point: most improper payments are not fraud. They happen because a record was missing a required element, or because the documentation that existed never proved the service was reasonable, necessary, and delivered as billed.
That distinction is the blind spot. The notes are finished. Required fields are populated. Internal review confirms that everything is present. The findings arrive anyway.
The problem is rarely effort. It is the standard being applied. Inside the organization, documentation is judged on whether it is finished. Outside it, documentation is judged on whether it proves something. Those are two different tests, and the space between them is where denials, recoupments, and repeat findings tend to live.
What “complete” means to an auditor
When CMS measures errors through its Comprehensive Error Rate Testing program, it sorts them into a handful of categories. Two are worth committing to memory. “No documentation” means the record never showed up. “Insufficient documentation” means the record arrived but could not establish that the service was actually provided, was provided at the level billed, or was medically necessary. A claim also falls here when a required element is missing, such as a signature on an order.
Read that second category again. The documentation was there. It simply did not carry the weight the claim required. In the most recent CERT results, medical necessity was the single largest error type across most of the top inpatient stay categories by improper payments. These were not empty charts. They were charts that never connected the service to a defensible clinical reason for performing it.
The regulators already moved past “complete”
If you want evidence that completeness was never the real goal, look at how the documentation rules themselves changed. For years, evaluation and management coding rewarded volume. Providers counted history elements and exam findings, and the note that checked the most boxes supported the highest level of service. The outcome was predictable. Records filled with cloned histories and templated exams that said very little about the patient in the room.
In 2021, CMS adopted revisions from the American Medical Association that retired that approach for office and outpatient visits. Code selection now rests on medical decision making or total time. A medically appropriate history and exam are still expected, but they no longer drive the code. In 2023, the same logic extended to hospital, emergency department, nursing facility, and home visits. The stated purpose was to stop rewarding note bloat and start rewarding the clinical thinking behind the visit.
That shift is the entire argument in miniature. The people who write the rules decided that a note can look complete and still prove nothing. What counts is whether the record shows the reasoning behind the decision.
A Complete note that fails: the cloning problem
Here is a scenario most reviewers see every week. A clinician opens yesterday’s progress note, copies it forward, updates the date, and adjusts a line or two. The new note is complete by any internal checklist. Every field is populated. In the eyes of a reviewer, it is also a liability.
The Office of Inspector General has flagged copy and paste, often called cloning, as a documentation integrity risk for more than a decade. CMS defines cloned documentation as entries worded the same as or similar to previous entries. The reason it matters is straightforward. To support medical necessity, the record for each service has to stand on its own. When several visits read identically, the chart stops telling a credible story about a specific encounter, and a reviewer can fairly ask whether the later visits happened the way they were billed.
This is not a hypothetical risk. The OIG has reported that only about a quarter of hospitals had any policy governing copy and paste, and cloned records have surfaced in voluntary disclosures and False Claims Act matters. A note can be complete, polished, and indefensible all at the same time.
Why your own system hides the gap
Electronic records are very good at producing complete documents. Fields that fill themselves, templates, and structured workflows make it almost effortless to finish a note. That is exactly the trap. The system is built to drive completion, and completion feels like readiness. Volume and tidiness create a confidence that the underlying evidence may not support.
None of this is really a documentation problem. It is an alignment problem. The organization is measuring whether the work got recorded. The auditor is measuring whether the record proves the work was warranted. Until those two measures match, more documentation simply means more pages for a reviewer to take apart.
What actually closes the gap
Writing more will not help. The goal is a record that holds up when someone with no context reads it cold. That is the test we use with clients. Hand a note to a person who knows nothing about the patient and ask one question: does this record, on its own, establish why the service was necessary and support the level that was billed? If reaching the answer takes a verbal explanation, the note is not ready.
In practice, closing the gap usually involves a few moves:
- Reviewing documentation the way an external auditor would, hunting for gaps in medical necessity, rationale, and alignment with payer and regulatory requirements rather than gaps in completeness.
- Reconciling what the record says against what was coded and what was billed, since inconsistencies among the three are one of the most common triggers for a finding.
- Reworking templates and EHR workflows so they prompt for clinical reasoning instead of inviting cloned or boilerplate text.
- Holding clinical, coding, and compliance teams to the same standard, so a note that satisfies one group does not blindside another.
- Running mock audits against real payer and CERT criteria, so findings show up internally while they are still fixable.
Organizations that make this shift, from finishing documentation to proving it, are the ones that reduce denials, stop repeating the same findings year after year, and walk into an audit without bracing for impact. The work is rarely about writing more. It is about making sure what is already written can stand on its own.
If your documentation looks complete but you are not certain it would survive outside scrutiny, that is worth a conversation. Reach out to Denise Gaulin or your Windham Brannon advisor.
Frequently Asked Questions
What is the difference between complete and defensible documentation? Complete documentation fills required fields. Defensible documentation shows why the service was necessary, supports the level billed and can stand on its own under review.
Why can a complete note still lead to a denial? A note may include every required element but still fail to connect the service to the patient’s condition, clinical decision making or payer requirements.
How does cloned documentation create audit risk? Repeated or copied language can make it difficult to prove that each encounter was unique, medically necessary and billed appropriately.
What can organizations do to reduce documentation risk? They can review records through an auditor’s lens, align coding with the medical record, improve templates and run mock audits against real payer criteria.
