CoCM Documentation Requirements: What Auditors Check
Collaborative Care (CoCM) billing requires documentation of five things: patient consent, an initiating primary care visit, a systematic registry that tracks the caseload with validated measures, the behavioral care manager's monthly time to the minute, and regular psychiatric consultation. Time is the anchor — most CoCM codes are billed by minutes per calendar month, and thin time logs are the most common audit finding.
CoCM is reimbursed under time-based codes (99492, 99493, 99494, and the general BHI code 99484). Because payment is tied to a minute threshold rather than a discrete service, the documentation burden is different from a normal office visit: an auditor is reconstructing a month of team activity, not reading a single note. The rules below reflect Medicare's model; confirm the specifics with each payer, because commercial and Medicaid plans vary.
At a minimum, a defensible CoCM month shows all of the following:
Each of these maps to a piece of the model. Miss one and the month is exposed, even if the clinical care was good.
Consent is a specific, checkable item, not a general clinic form. Auditors look for a note that the patient agreed to collaborative care specifically — including that a psychiatric consultant will be involved without a separate face-to-face visit, that applicable cost-sharing was explained, and that only one practitioner can bill the service per month. Verbal consent is generally acceptable when it is documented, but the documentation has to exist and be dated. A common gap is treating a signed intake packet as consent to CoCM; the packet rarely names the model or the cost-sharing, so it does not hold up on its own. Confirm your payer's exact wording, since some plans want consent re-affirmed periodically.
CoCM starts from primary care, and auditors expect to see that origin. For a new patient or a new episode of care, there should be an initiating visit by the treating practitioner in the month collaborative care begins — the encounter that identifies the need, discusses the model, and hands the patient into the team's registry. For patients already established with the practice, a recent qualifying visit can serve the same purpose. The point auditors are checking is continuity: that CoCM grew out of a real primary care relationship rather than being bolted on. If the initiating visit is missing or its date does not line up with when tracking began, expect a question.
Time is where most CoCM audits are won or lost, because the codes are defined by minutes of behavioral care manager time in a calendar month:
Two rules trip people up. First, time is cumulative across the calendar month, not per encounter — you total every qualifying minute the care manager spent. Second, only the care manager's non-face-to-face and face-to-face CoCM activities count; general clinic work does not. The defensible log shows date, activity, and minutes, and makes the monthly total obvious. Vague entries like "check-in — 15 min" repeated without substance are a classic flag, as is a month that lands suspiciously exactly on a threshold. Because these are minute thresholds, round-number totals and copy-pasted entries draw scrutiny — record the real activity.
The registry is what distinguishes CoCM from ordinary care coordination, so auditors treat it as core evidence, not paperwork. It should show the caseload as a whole and each patient's trajectory: the validated measure scores over time, target goals, treatment changes, and patients flagged for review because they are not improving. The systematic, measurement-based tracking is the point — a registry that only lists names, or has scores entered once at intake and never again, undercuts the claim that care was actively managed. If your registry lives in a spreadsheet, that can be fine; what matters is that it demonstrates ongoing, measurement-based follow-up.
CoCM pays for a psychiatric consultant's expertise applied at population scale, so there has to be a record that it happened. Auditors look for evidence the consultant regularly reviewed the caseload — typically weekly — and gave recommendations, and that those recommendations were communicated to the treating practitioner who acts on them. The consultant generally does not see the patient directly, which is expected; what is not acceptable is a month with no documented consultation at all, or recommendations that never reach the chart. A brief, dated consultation note tied to the registry review usually satisfies this.
Recurring findings cluster in a few places:
None of these are exotic. They are the difference between a month that was clinically real and one that only looks billable on paper. The fix is process, not heroics: capture time as you go, keep the registry current, and note the consultation each cycle. Rules and thresholds change, so confirm current requirements with each payer before you bill.
Generally yes, when it is documented. The record should note that the patient agreed to collaborative care specifically — including psychiatric consultation and any cost-sharing — and be dated. A signed general intake packet usually does not count on its own. Confirm your payer's exact consent expectations.
By total behavioral care manager minutes across the calendar month, not per visit. You add up every qualifying CoCM activity — face-to-face and non-face-to-face — and bill the code whose monthly threshold you met. General clinic work does not count toward the total.
Yes. 99492 covers the first month at a higher initial threshold, 99493 covers subsequent months, 99494 is an add-on for extra minutes in a month, and 99484 is general behavioral health integration at a lower monthly threshold. Check current threshold minutes with your payer.
No. In CoCM the consultant typically reviews the caseload with the care manager and advises the treating practitioner without a separate patient visit. What matters for documentation is evidence that the review happened and the recommendations reached the chart.
Time documentation. Because the codes are minute-based, logs that are vague, generic, or that land exactly on a threshold without supporting detail are the most frequent gap. Specific, dated, activity-level entries are the best protection.