Most hospital physician-arrangement compliance programs run on a spreadsheet. It is the natural first tool: rows for arrangements, columns for the data points that matter, a tab per fiscal year. It captures everything the program knows.
The problem surfaces only under audit. An investigator doesn't ask what you tracked — they ask what you can prove, arrangement by arrangement, with dates. That is a different question, and a spreadsheet is structurally the wrong instrument for answering it. The gap between "we have the data" and "we can produce the evidence" is where defensibility is won or lost.
This post is written for compliance officers and healthcare counsel — the people who have to stand behind the documentation. Five concrete failure modes, and one operational test you can run on your own program this week.
Data is not evidence
A spreadsheet records the current state of a fact. An audit tests the history of that fact: not just that an FMV opinion exists, but that it existed and was current while the arrangement was live; not just that screening happened, but when, and what it returned. Excel has no reliable memory of when a cell was written or by whom. It can tell you what the record says today. It cannot tell an auditor what it said eighteen months ago.
A version-history feature doesn't close the gap. Edit logs in a shared workbook are themselves editable, are attributable only to whoever held the credentials, and are trivially defeated by exporting, revising, and re-importing the file. To be evidence, a record has to be able to vouch for itself — and a spreadsheet, by construction, cannot.
Once you hold that distinction, the failure modes below stop looking like discipline problems and start looking like what they are — the predictable limits of the tool.
1. No expiration alerting, so FMV opinions go stale
Fair market value documentation has no statutory expiration, but practitioners and defense counsel converge on a 12–24 month refresh cadence for active arrangements, with shorter cycles when compensation moves materially. A spreadsheet holds the opinion date in a cell; it does not tell anyone when that cell has aged past the cadence. The refresh becomes the calendar reminder no one set, and staleness accumulates silently across a portfolio. A program with forty active arrangements can be three opinions past due and have no way to know until the file is pulled — which, under audit, is the worst moment to find out.
FMV drift is one of the most common threads in settled Stark matters — Tuomey Healthcare ($72.4M, on a 21,730 false-claims jury finding) turned on valuation that didn't hold up. A column of opinion dates is data. Knowing, today, which of those opinions has lapsed is evidence of a functioning program. The spreadsheet gives you the first and not the second.
2. No tamper-evidence, so you can't prove contemporaneous documentation
The standard auditors and defense counsel reach for is "tamper-evident" — documentation that demonstrably existed while the arrangement was active, not assembled in response to the inquiry. This is the heart of the problem with a spreadsheet: a file edited last Tuesday is byte-for-byte indistinguishable from one maintained faithfully for two years. The record cannot evidence its own timeline.
That matters because the post-hoc reconstruction is detectable and damaging. The Community Health Network settlement ($345M, the largest Stark resolution in ArrowISE's enforcement library) involved documentation-integrity questions, including valuation-firm manipulation. Append-only logs, cryptographically chained entries, or independently-witnessed contemporaneous records all answer the timeline question. A shared workbook, by design, cannot.
3. No reconciliation cadence, so arrangements go live untracked
Most compliance gaps aren't wrong controls — they're arrangements that go live before they're entered. A contract is executed; the spreadsheet row gets added days or weeks later, once someone has time, often after the FMV opinion or safe-harbor election has been mislaid. For that interval the arrangement is active with no compliance footprint, and the eventual fill-in is a reconstruction rather than a contemporaneous record.
Whatever the tracking threshold is — seven days from execution is a defensible one — it has to be a threshold the team can actually meet on a recurring basis. A spreadsheet imposes no cadence and reconciles against nothing; it accepts a row added at any time and presents it identically to one entered on day one.
4. Screening isn't auditable as a single cell
OIG LEIE exclusion screening is a three-part fact: when the screen ran, what it returned, and what action followed. A spreadsheet tends to flatten that to one cell — "screened: yes" — which, under audit, is functionally equivalent to no screening at all. "We screen monthly" is an assertion; the timestamp plus the result plus the action taken is the evidence, and it is the evidence an auditor actually asks for.
The 2024 OIG General Compliance Program Guidance reinforces routine batch screening against the List of Excluded Individuals and Entities, and the February 2026 Medicare Advantage ICPG adds explicit expectations for ongoing-monitoring documentation. Both describe a record a single cell can't carry.
5. The five-minute evidence test
Here is a test you can run without buying anything. Pick one active physician arrangement at random and ask whether your team can produce, in five minutes:
the executed contract with its date; the FMV justification with the valuation date; the OIG screening result with the date it ran; the element-by-element record that the applicable Stark exception or AKS safe harbor was satisfied; and a trail showing each of those existed before today.
The five-minute threshold is operational, not legal: if assembling the package takes longer than that per arrangement, the program will fail under real audit pressure simply because there isn't time. If the honest answer is "not in five minutes," the fix isn't faster spreadsheet work — it's a different system of record. The test scales: a program that passes it for one arrangement passes it for two hundred. The inverse is the warning sign: a program that can pass only by pulling several people off other work for an afternoon doesn't have a five-minute answer at all — it has a fire drill, and a fire drill does not survive a portfolio-wide request.
What replaces the spreadsheet
Not a better spreadsheet — a system that produces evidence as a byproduct of normal work rather than reconstructing it under deadline. In practice that means calendar-aware FMV expiration alerts, Stark and AKS exception elements modeled as structured validation rather than free-text notes, exclusion screening captured as timestamp-plus-result-plus-action, and an append-only audit trail that can answer the timeline question on its own.
ArrowISE is purpose-built compliance infrastructure for physician arrangements: real-time FMV expiration alerts, structured safe harbor and Stark exception validation, OIG LEIE screening with auditable documentation, and audit-ready evidence exports designed for both committee reporting and defense-counsel preparation — the five-minute test, mechanized.