DME compliance automation tracks documentation, AOBs, POD, and audit trails automatically — so you pass CMS audits without a full-time compliance officer.
The auditor's letter arrived on a Tuesday. By Wednesday morning, my ops manager at Pinnacle had pulled every biller off their queue to start hunting patient files.
The request was routine as these things go: 47 patient files, 72 hours to produce them. What wasn't routine was what we found when we started pulling records. Eleven files were missing the Assignment of Benefits. Seven had proof of delivery on file — just not signed. Four had documentation that was technically compliant for the date of service but didn't match the format the auditor's contractor was expecting. Three patients had moved to different payers mid-rental cycle, and nobody had updated the authorization.
We spent the better part of two days doing nothing else. Two billers on overtime. The ops manager running triage from a whiteboard in the break room. By Thursday evening we'd reconstructed most of what we needed, but "most" isn't the same as "all," and the gap cost us more than I want to put in writing here. The ops manager quit six weeks later. She didn't say the audit was why, but I know what a person looks like when they've decided a job isn't worth it anymore.
That experience changed how I think about compliance — not as a regulatory obligation to be managed, but as an operational failure that was entirely preventable.
Here's the thing about DME compliance: the documentation requirements weren't designed for the way modern suppliers actually operate. They were designed for a paper-era industry where a supplier might handle fifty patients, all on Medicare, filing claims by mail.
The 21 CMS Supplier Standards still govern how every accredited DMEPOS supplier operates — covering everything from your physical location requirements to how you handle patient complaints. What they don't account for is the reality of running a 300-patient oxygen practice with six payers, two rental billing cycles, an outsourced intake team, and a delivery driver who doesn't have a printer in his van.
The documentation requirements are genuinely comprehensive. Every Medicare claim requires a Detailed Written Order (DWO) that specifies the item, quantity, and frequency. As of January 1, 2023, CMS eliminated Certificates of Medical Necessity (CMNs) — which sounds like a win until you realize what replaced them. Now suppliers are responsible for ensuring that the patient's own medical chart contains documentation sufficient to satisfy the Local Coverage Determination (LCD) for each equipment category. You don't just need a form anymore. You need to review the physician's notes, confirm they establish medical necessity under the LCD criteria, and document that review. It's more comprehensive, not less.
Proof of delivery requires a signed confirmation with the date, the patient or authorized representative's signature, and the specific item and quantity delivered. Prior authorization must be obtained and tracked before delivery for a growing list of covered items. Insurance verification must be current at the point of delivery — not just at intake.
The gap isn't that operators don't know the rules. The gap is that the rules require documentation infrastructure that manual operations simply can't sustain reliably at scale.
After watching a lot of DME operations up close, the same five documentation failures show up in audit findings again and again.
Since CMS discontinued CMNs in 2023, suppliers are required to confirm that the ordering physician's chart notes establish medical necessity under the applicable LCD — before they deliver equipment. In practice, this rarely happens. Intake teams collect the prescription and move on. Nobody reads the physician's progress notes to verify that the functional assessment criteria are documented.
An auditor will. And when the chart says "patient would benefit from a power wheelchair" rather than specifying the functional limitation score, distance walked, or trial of less costly alternatives — the claim is vulnerable. Audits using statistical extrapolation can turn a 30-claim sample with documentation gaps into a six-figure recoupment demand applied across every similar claim in a two-year window.
The AOB is the document that authorizes the supplier to bill the payer directly. Missing AOBs, expired AOBs, and AOBs signed by someone other than the patient or a legally authorized representative are among the most common audit findings — and among the most defensible if caught early, and indefensible if caught late.
The operational problem: AOBs collected at intake get scanned into a shared drive, and nobody checks them again until an auditor asks. If the signature is wrong or the form is missing entirely, you're starting from scratch with a patient who may have moved, changed their mind, or whose family member who originally signed no longer has authority.
POD is binary in the eyes of a Medicare contractor: you have it or you don't. And if you don't have it — even for equipment that was unquestionably delivered, is currently in the patient's home, and has been generating valid monthly rentals for two years — the claim can be denied in full.
Common failure modes: paper delivery tickets lost in transit, digital signatures captured but not linked to the correct patient record, delivery confirmation for the wrong item, and driver-collected signatures that don't include the required elements (date, item description, quantity, patient or representative signature).
This one is under-discussed because it feels like an internal process, not a compliance issue. It becomes a compliance issue when an auditor asks you to demonstrate that insurance was verified before delivery — and your answer is "we called the IVR and the biller wrote it on a sticky note."
HIPAA-compliant DME software should log every verification action: who ran the check, what system they used, what coverage was confirmed, and when. Without that log, you can't prove verification happened. Without proof it happened, a payer can argue the delivery was premature and the claim improper.
Rental items like oxygen concentrators, CPAP machines, and power wheelchairs require periodic re-qualification. The patient has to still meet the coverage criteria. The physician has to have reviewed the patient and documented continued need. Some equipment categories have specific month-by-month rental billing rules with different documentation requirements at each stage.
Manual operations almost always handle this reactively — the billing team knows to check at month 10 of a capped rental, but they're checking against internal records, not against a verified current eligibility picture. The result: claims that get paid for six months and then come back on audit review because the month-4 re-qualification note was missing from the file.
I want to be specific about this, because "automation" in the context of DME compliance software usually means "we added a checkbox."
What it should mean is this: every action that has compliance significance gets logged, timestamped, and attached to the patient record automatically. Not by a biller, not by a compliance officer reviewing claims after the fact — automatically, as part of the workflow.
At intake, that means NPI verification against the PECOS database to confirm the ordering provider is eligible to order DME under Medicare. It means flagging prescriptions where the documented diagnosis doesn't map to a qualifying LCD code. It means routing orders that require prior authorization into an authorization workflow before delivery is scheduled, not after.
For AOBs, it means electronic signature at intake with a validity check — is this person legally authorized to sign? Has the form been signed within the required timeframe? Is the version of the form current? The answer goes into the patient record immediately, not into a scan queue.
For proof of delivery, it means GPS-stamped delivery confirmation, electronic signature, and real-time attachment to the claim. If the driver delivers a CPAP to the wrong address, the system flags it. If the patient isn't home and a family member signs, the system records who signed and the relationship.
For insurance verification, it means every verification action is logged with the portal or phone system used, the verification result, and the user who ran the check. When an auditor asks how you confirmed eligibility before delivering that wheelchair in March, you pull the log and it's there — 9:42 AM, verified through the eligibility portal, confirmed active coverage for power mobility, authorization reference number attached.
For reorder eligibility, it means automatic flags when a rental item is approaching a re-qualification window, automatic blocks when eligibility criteria haven't been met, and automatic documentation of every check.
The practical result: an auditor asks for 47 files. You open the system, select the 47 patients, export the audit package. It takes 60 seconds. The files are complete, organized, and include a timestamped log of every compliance-significant action taken for each patient. That's not a hypothetical — that's what a purpose-built compliance workflow produces.
A compliant manual DME operation at scale requires dedicated compliance infrastructure. The math isn't complicated.
A compliance officer handling internal audits, payer response, documentation review, and staff training runs $65,000–$85,000 per year in most markets, before benefits. That's a single person. In a 300-patient practice with six payers, that's not enough — you're also pulling biller time for pre-submission reviews, ops management time for audit response, and everyone's time when a demand letter arrives.
Conservative estimate: 1.5 FTE equivalent of compliance-related labor in a mid-size operation, at a loaded cost of $100,000–$120,000 per year.
ScriptRelay's automation handles the same workflows — LCD-compliance review flags, AOB execution and tracking, POD capture, verification logging, reorder eligibility gates — without a dedicated headcount. The system doesn't miss a re-qualification deadline because it got pulled onto an audit response. It doesn't forget to check AOB expiration because a high-priority intake came in.
Use our ROI calculator to run the math for your operation size. For most mid-size suppliers, the labor offset alone covers the platform cost. The audit risk reduction is a separate line.
If you're evaluating DME compliance software, these are the questions that separate genuine compliance infrastructure from a checklist with a logo on it.
Most DME operators I've talked to think about compliance audits the way people think about car accidents — it's something that happens to other people until it happens to you.
CMS enforcement has intensified. The 2026 proposed rule includes a push toward annual DMEPOS accreditation renewal — down from the current three-year cycle — specifically because CMS is concerned that suppliers are falling out of compliance between surveys. UPICs are operating across five jurisdictions with the authority to suspend payments, extrapolate overpayment demands across claim populations, and refer cases to law enforcement.
The question isn't whether your documentation will be scrutinized. It's whether it will hold.
ScriptRelay was built for DME operators who want to run at scale without the compliance overhead that scale usually requires. Every workflow is designed to produce an audit-ready record as a byproduct of normal operations — not as something you build afterward when the letter arrives.
Review our security posture and BAA process →
Run your denial exposure through the Analyzer →
Book a 20-minute demo →
ScriptRelay automates the documentation trail — AOBs, POD, verification logs, eligibility gates — so passing a CMS audit is a 60-second export, not a two-day scramble.
See the Demo → Review Security & BAA