OIG auditors don't audit practices randomly. They use data analytics to identify billing patterns that deviate from specialty norms, providers whose E/M level distribution is a statistical outlier, and claims where the documented complexity doesn't match the billed code. By the time an auditor requests your records, they already believe you have a problem — your job is to prove the documentation supports what you billed.
Most E/M audit failures aren't because physicians are dishonest. They're because physicians are documenting their clinical thinking incompletely — capturing what they did without capturing why they did it. That "why" is medical necessity, and it's the foundation of every defensible E/M claim.
Medical Necessity — The Why Behind the Level
CMS's definition is clear: a service is medically necessary when it's reasonable and necessary for the diagnosis or treatment of illness or injury. For E/M purposes, medical necessity means the visit level should reflect the complexity of the clinical decision-making or the amount of time the physician needed to devote to the patient's care.
A common audit finding: a physician documents high-complexity MDM — multiple chronic conditions, extensive data review — but the note's assessment and plan section reads "continue current medications, follow up in 3 months." High complexity MDM implies high-risk decisions or extensive data management. A plan that consists entirely of continuing existing management doesn't demonstrate that complexity.
Your assessment and plan section is where medical necessity lives. It should explain what the clinical situation required, what options were considered, and why the chosen plan is appropriate for this patient at this time.
The Copy-Paste Problem
EHR copy-paste — also called cloning — is the fastest way to fail an audit. When auditors review a provider's documentation and find identical or nearly identical notes across multiple visits for the same patient, they treat the entire series as suspect. They may downcode every visit to the lowest defensible level and demand repayment for the difference.
Beyond audit risk, copy-paste documentation doesn't actually reflect the patient's current status. A review of systems section copied from a visit six months ago where the patient denied shortness of breath — and the patient now has it — is both clinically dangerous and legally indefensible.
Most EHRs allow you to configure which elements carry forward and which must be freshly documented. Work with your IT and compliance team to set those configurations appropriately. Problem lists can carry forward — but clinical assessments, examination findings, and plans should be current.
MDM Common Documentation Failures
Number and complexity of problems: The key mistake here is listing inactive, stable, or resolved conditions to inflate problem complexity. A condition that's been stable for two years and requires no management decision is not an "addressed" problem for MDM purposes. Document the problems you're actively managing in this visit.
Amount and complexity of data: Ordering tests alone doesn't maximize this element. The documentation must reflect review and interpretation of results, consideration of the implications for the patient's management, and any resulting decision. "Ordered BMP" doesn't demonstrate data complexity. "Reviewed BMP results — potassium 3.1 on current diuretic dose, discussed with patient, added potassium supplementation" does.
Risk of complications: This element is most effectively supported by documenting the decision-making process for prescription drugs with monitoring requirements, decisions about whether to pursue additional diagnostic testing, and assessments of patient comorbidities that affect the risk of the current treatment plan.
