What does it take to keep a behavioral health organization audit-ready in an increasingly digital, increasingly scrutinized landscape? That was the central question at the heart of a recent Behavioral Health Tech webinar, where attorney Derek R. Staub of Frost Brown Todd and Nathan Ford, CEO of Monolith, joined host Solome Tibebu for a candid, practical conversation on compliance vulnerabilities, documentation standards, and the promise and limits of technology in mental health targeted case management (TCM) programs.

The discussion covered a lot of ground in under an hour. Below are the key insights and takeaways.

The Root of Compliance Risk: Fragmented, Inconsistent Documentation

Derek Staub opened by identifying the most common compliance vulnerabilities he sees across behavioral health organizations: small errors and systems that do not communicate with each other. As he put it, the field has moved fully into the digital age, and auditors expect documentation to reflect that. When a federal, state, or private payer comes in, they want to be able to recreate the full picture of what happened, how it happened, and why. Missing check marks, wrong diagnosis codes, and fragmented records are all it takes to trigger red flags.

Nathan Ford echoed this from an operational lens, pointing to what he sees as a broader problem: outdated or simply missing standards across the marketplace. In Texas's Region 6 alone, he works with six different managed care organizations (MCOs), each requiring its own distinct audit process to deliver the same information. The lack of standardization is a burden on small providers and creates unnecessary complexity that invites errors.

One real-world example Nathan shared illustrated how arbitrary MCO decisions compound the problem: an MCO unilaterally decided to classify adults as being 19 years of age, which is not in federal or state standards. Providers caught in the middle, between MCO directives and regulatory requirements, can find themselves inadvertently non-compliant through no fault of their own.

What "Defensible Documentation" Actually Means Today

Derek invoked a maxim his physician father and brother learned in medical school: if it is not written down, it did not happen. That principle has taken on new weight in the digital era. Today, regulators are not just looking for proof that a service occurred. They want to know whether their own reviewer can independently recreate and confirm the same medical necessity, diagnosis, and treatment decisions.

Defensible documentation, in practice, means several things:

• Tight, consistent templates that capture required information every time, without relying on memory or individual discretion.
• Readiness to produce records quickly. Regulators now expect near-instant access to documentation. Requests that used to allow weeks to compile are now expected to be fulfilled within hours.
• Internal audits, at least annually. Regular self-review allows providers to find errors before regulators do, learn from them, and retool their practices.
• Short and accurate over long and verbose. Derek emphasized that length does not equal quality. An auditor who receives a bloated, meandering record may assume the provider is trying to obscure something. Clear, concise, accurate documentation tells the cleanest story.

On the government's side, this is not a manual process. Agencies use automated computer systems to scan billing records and flag patterns consistent with fraud, waste, and abuse. The scrutiny is constant, even when no human auditor is actively looking.

The Danger of Inconsistent Data Across Clinical, Billing, and Administrative Systems

Nathan raised a scenario that was striking in its real-world implications. If a clinical team determines that a patient needs a certain level of care, documents the medical need, and then the MCO declines to authorize the recommended hours, providers can be left legally exposed if something goes wrong with that patient. The MCO may later claim it told providers to use their clinical discretion, while the provider was simultaneously being told not to deliver services without authorization.

His solution: document everything, including conversations with MCOs. The Monolith system allows providers to record clinical review calls with MCOs and attach those recordings directly to a patient's profile. When data across clinical, billing, and administrative records is inconsistent, it creates exposure. When it is aligned and traceable, it becomes a shield.

Derek reinforced the compliance-first principle: when MCO instructions and regulatory requirements conflict, follow the regulations. If an MCO directs a provider to do something that is technically non-compliant, following that directive does not protect the provider. The regulations take precedence.

Building Systems That Are Designed to Be Audited

Nathan described a foundational design philosophy behind Monolith: the system is built to be audited first, and user comfort comes second. That framing required a culture shift internally, but it has paid off. When an MCO questions a claim, a staff member can pull up the audit package in real time while the auditor is still on the phone, share it via email, and resolve disputes within minutes.

Derek responded that this capability is, from a legal standpoint, one of the most valuable things a provider can have. His current casework includes a client struggling to locate and compile documentation that is scattered across multiple systems. The contrast is stark: a provider who can produce a full, organized record immediately lands in a very different pile than one who asks for additional weeks to compile it.

The Monolith system includes automated workflows built directly from Texas Administrative Code, utilization manuals, and MCO contract requirements. Key features include:

• Real-time compliance monitoring, with percentage-based tracking of note submission timeliness for every staff member.
• Automated escalation chains, so that overdue items are surfaced up the management hierarchy if not addressed within defined timeframes.
• Triggered safety workflows built into assessment tools, such as the CANS. If a client responds to certain questions in a way that requires an immediate clinical response, the system flags the appropriate personnel and initiates the required sequence automatically.
• An Audit Print function that compiles all relevant records for selected clients across selected date ranges and organizes them in a shared drive, ready for external review.

What Regulators Value Most: Clarity Over Volume

A question from the audience asked what types of data transparency regulators actually value, versus what creates noise. Derek's answer was practical:

Regulators value accurate dates and times, matching units of medication across all systems, clearly stated medical necessity, completeness without embellishment, and records that a neutral third-party clinician can read and independently validate. What creates noise, and risk, is inaccurate dates, incomplete fields, overstated clinical narratives, and anything that a reviewing physician cannot independently confirm.

He also noted a reality about the regulatory landscape that many providers underestimate: agencies and insurers are increasingly coordinating. Former FBI agents now work as special investigators for major insurance companies, and those investigators maintain relationships with their former colleagues at the Bureau. Quarterly meetings between CMS and major insurers mean that patterns flagged in one market can quickly trigger scrutiny in another.

Nathan added a counterintuitive insight from his background as a Sarbanes-Oxley auditor: treatment notes and care plans are not written for the clinician. They are written for the MCO reviewer. That reframe changes how documentation should be structured. It needs to tell a clear, navigable story, not serve as a private clinical journal.

The Future of Compliance: Digital Is Not Optional

Both panelists agreed that digital modernization is not something providers can opt out of. Derek noted that regulators, regardless of a provider's size, are moving toward an expectation of full digital capability. Providers who are not building toward that standard now will find themselves behind when the expectation becomes a requirement.

At the same time, Nathan was direct about the limits of AI and digital tools: technology is a tool, not the answer. AI outputs reflect the prompts and assumptions built into them, and they are designed to improve and evolve, which means responses to the same question can shift over time. Providers who rely on AI to generate documentation without deeply understanding that documentation are taking on risk.

What technology can do well is handle the administrative burden that keeps clinicians from doing what they do best: connecting with clients. Monolith, by Nathan's description, is designed to automate everything except the human relationship. Real-time dashboards, automated reminders, and escalation chains free up staff to be present with the people they serve, rather than buried in paperwork.

He also addressed access and equity in diagnostic capacity. In small or rural communities where licensed professionals are scarce, AI-assisted assessment tools can help gather and structure clinical data in ways that allow fewer, more expensive professionals to serve more people effectively. The goal is to extend reach.

Key Takeaways for Behavioral Health Providers

Compliance first, always. Whether you are a two-person practice or a large regional provider, regulatory requirements take precedence over MCO instructions. When in doubt, follow CMS standards, and everything else tends to fall in line.

Audit-readiness is a daily practice, not a crisis response. If producing documentation requires weeks of scrambling, something is wrong with the underlying system. The goal is to have everything organized and accessible within hours, or less.

Templates create consistency; consistency creates defensibility. Every clinician should be working from a documented framework that captures the necessary clinical elements every time, without relying on memory.

Internal audits are non-negotiable. Regular self-review surfaces errors before regulators do, and gives providers the opportunity to retrain, revise policies, and demonstrate a culture of compliance.

Technology should act as a way to serve humans instead of replacing them. The goal of digital tools is to free up clinicians for the work that only humans can do: building trust and connection with clients. Evaluate platforms on whether they reduce administrative drag without compromising clinical judgment.

Be proactive, not reactive. Healthcare regulations change constantly. Providers who treat compliance as a living, ongoing practice, rather than something to address when a problem arises, are far better positioned to weather audits and policy shifts.