Most ABA practices treat compliance as an annual event, something you scramble to reconstruct when a payer sends an audit letter. That worked when enforcement was rare. It does not work now. The HHS Office of Inspector General has identified more than $285 million in improper or potentially improper ABA Medicaid payments across several state audits (OIG reports), with the most recent reports finding problems in every sampled enrollee-month. Documentation that would have passed three years ago may not pass today, and the practices that stay clean are the ones that check a fixed list on a fixed cadence instead of hoping. This guide lays out that list: 15 items across five domains, each with what to verify, the failure it prevents, and how often to look. It is one discipline inside a larger system; the ABA practice operations guide covers how compliance fits alongside documentation, staffing, and revenue cycle.
Reviewed by the VG Soft Co Clinical and Operations team. Last updated July 2026.
TL;DR
- Compliance now runs on three layers that move independently. Federal (HIPAA plus Medicaid enforcement), state (licensure and state Medicaid policy), and payer (each plan's documentation and authorization rules). A gap in any one can trigger a denial or a recoupment.
- Quarterly is the minimum audit cadence, with a monthly spot-check on top. Run the full 15-item list every quarter, and pull 10 random claims monthly to catch drift early. Medicaid-heavy practices should treat the monthly check as mandatory.
- The 15 items sit in five domains: clinical documentation, billing and coding, authorization and payer rules, privacy and HIPAA, and staff licensure and ethics.
- Code-to-note alignment and authorization tracking carry the most risk. A note that does not justify its CPT code, or a service delivered after an authorization lapsed, is where most recoupment dollars are lost.
- A checklist is a routine, not legal advice. It catches the high-frequency gaps; bring in counsel for state-specific or high-stakes questions.
Why a quarterly cadence beats an annual scramble
Compliance debt works like any other kind of debt: the cost of neglect is delayed, so it feels safe to defer. You can run loose session notes for a year before the denials catch up. You can let the compliance calendar slide until a license lapses mid-quarter. The problem is that all of it accrues quietly and then lands at once, usually in the form of a recoupment demand for care you already delivered and spent the money on.
A fixed cadence turns that reactive scramble into a managed system. The BACB and federal compliance frameworks both assume ongoing monitoring rather than a once-a-year look, and the operational answer is two loops. The monthly loop is a light spot-check: a random pull of about 10 claims, each checked against the authorization on file and the quality of the note behind it. The quarterly loop is the full audit, where you work the entire 15-item list across all three layers and assign follow-up on anything that failed. The list below is built for that quarterly pass, with the items that also deserve a monthly look flagged in the cadence column.
The 15 items at a glance
| # | Item | Domain | What to check | Cadence |
|---|---|---|---|---|
| 1 | Treatment plans and assessments | Documentation | Current, signed, measurable goals; FBA/BIP matched to diagnosis | Quarterly |
| 2 | Session notes | Documentation | Complete elements; note justifies the CPT billed | Monthly + quarterly |
| 3 | Progress reports | Documentation | Filed on each client's reauthorization cycle | Quarterly |
| 4 | Supervision records | Documentation | RBT supervision meets BACB minimums; contracts on file | Quarterly |
| 5 | Code-to-note and credential match | Billing | CPT and ICD codes match the note and the provider's credential | Monthly + quarterly |
| 6 | Units billed vs. authorized | Billing | Delivered and billed units reconcile to authorized units | Monthly + quarterly |
| 7 | Denial and recoupment review | Billing | Last 90 days of denials analyzed by reason code | Quarterly |
| 8 | Authorization tracking | Authorization | Expirations flagged; reauth submitted 30 to 60 days out | Monthly |
| 9 | Payer and Medicaid rules | Authorization | Plan-specific and state Medicaid requirements current | Quarterly |
| 10 | Consent and privacy notices | HIPAA | Consent and notice of privacy practices signed and current | Quarterly |
| 11 | Business associate agreements | HIPAA | A BAA on file for every vendor touching PHI | Annually + quarterly review |
| 12 | ePHI safeguards and telehealth | HIPAA | Encryption, access controls, telehealth BAA, breach procedure | Quarterly |
| 13 | Licenses, certifications, CEUs | Licensure | BCBA/RBT credentials renewed; CEUs and background checks current | Quarterly |
| 14 | Ethics-code acknowledgment | Ethics | Signed acknowledgment on file; 30-day self-report rule understood | Annually + quarterly review |
| 15 | Incident and mandated-reporter readiness | Ethics | Reporting procedure documented; staff training current | Quarterly |
Domain 1: Clinical documentation and service delivery
1. Treatment plans and assessments are current and defensible. Every active client should have a treatment plan with measurable goals, a supporting assessment or functional behavior assessment, and a behavior intervention plan that matches the diagnosis. The plan has to be signed and dated, and its goals have to be specific enough that a reviewer can tell whether progress is real. This is the medical-necessity foundation, and when it is thin, the denials are for the whole episode of care rather than a single date.
2. Session notes are complete and justify the code billed. A defensible note names the date, start and stop times, location, the provider and credential, the specific programs or targets run, quantified data, and a signature. The part practices miss is alignment: the note has to support the CPT code on the claim, so a 97155 protocol-modification claim needs a note that actually documents protocol modification, not just direct therapy. Code-to-note alignment is the single largest source of recoupment risk, which is why it earns a monthly spot-check on top of the quarterly audit. The specific patterns that trigger denials are broken down in the eight session note mistakes that trigger claim denials.
3. Progress reports are filed on the reauthorization cycle. Most payers expect a progress report tied to the authorization period, commonly every six months, showing movement against the plan's goals. Missing or late reports are a common reason reauthorization stalls, which then creates an authorization gap that produces denials downstream. Check that every client's next report date is tracked and owned.
4. Supervision is documented to BACB standards. RBT supervision has to run at least 5% of the hours spent delivering services each month, with a minimum of two monthly contacts and at least one direct observation of the RBT working with a client, and it all has to be documented with a current supervision contract on file. Under-supervised RBTs produce weaker data collection and more note errors, and missing supervision records are both a certification problem and a trigger for supervision-link claim denials. The BACB supervision standards spell out the current requirements.
Domain 2: Billing and coding compliance
5. Codes match the note and the provider's credential. The CPT and ICD-10 codes on each claim have to match what the note documents and what the rendering provider is credentialed to bill. A mismatch, for example a code that requires a BCBA billed under an RBT's delivery, is both a denial risk and, at volume, a fraud-exposure risk. The ABA billing codes and CPT reference covers the current code set and the alignment rules.
6. Units billed reconcile to units authorized and delivered. Pull a sample and confirm that the units billed match the units actually delivered per the note and fall within the units authorized. Over-billing against an authorization is a recoupment waiting to happen; under-billing is revenue you earned and left on the table. This reconciliation belongs in the monthly spot-check because it drifts fast.
7. The last 90 days of denials and recoupments have a root cause. Do not read denials as a single percentage. Sort them by reason code and look for the cluster, because ABA denials group predictably around supervision links, the 8-minute rule, and code bundling, and the pattern names the workflow that is failing. When the appeal workload is climbing faster than the team can work it, dedicated denial management shortens the clock on recovering the winnable ones.
Domain 3: Authorization and payer compliance
8. Every authorization is tracked with its expiration and units remaining. An expired authorization is an automatic denial, typically CO-197, and it is rarely winnable because the service genuinely was not authorized when it happened. You need a live view of each client's authorization, its expiration date, and units remaining, with reauthorization requests submitted 30 to 60 days before expiration so there is never a gap. This is the item most worth automating, and authorization management in VGPM exists specifically to remove it from the list of things a person has to remember.
9. Payer-specific and Medicaid rules are current. Each plan has its own documentation and authorization quirks, and state Medicaid programs change faster than commercial payers. Confirm you are working from the current rule set for your top payers, and pay special attention if you operate in a state that recently overhauled its program. State fragmentation is real: practices operating across state lines have to track each state's rules separately, which is a coordination task that belongs to a named owner.
Domain 4: Privacy, security, and HIPAA
10. Consent forms and the notice of privacy practices are current and acknowledged. Informed consent should cover the services, and where relevant it should name telehealth explicitly. The notice of privacy practices should be current and acknowledged by families. These lapse quietly as forms get updated and old versions keep circulating, so a quarterly confirmation that everyone is on the current version is worth the few minutes it takes.
11. A business associate agreement is on file for every vendor that touches PHI. Your EHR, billing partner, telehealth platform, and even a document-shredding service all need a signed BAA. The gap that bites practices is the vendor added mid-year without one. Keep a vendor list, review it at least annually, and confirm at each quarterly audit that no new tool started handling protected health information without an agreement. Federal HIPAA guidance from HHS lays out the requirement.
12. Electronic PHI is safeguarded and telehealth is compliant. Confirm encryption on data at rest and in transit, access controls limited to need-to-know, and a documented breach-notification procedure that someone actually owns. For telehealth, the platform has to be one the vendor will sign a BAA for, which rules out consumer video tools used without that agreement. The federal telehealth privacy guidance is specific enough that there is no reason to guess here.
Domain 5: Staff licensure and ethics
13. Licenses, certifications, continuing education, and background checks are current. Track every BCBA and RBT credential with its renewal date, confirm continuing-education hours are on pace, and keep background checks up to date. State licensure adds a layer on top of BACB certification in many states, and the requirements vary, so the BACB state licensure map is the reference for where you operate. Credential tracking is another item that software handles better than memory; credential tracking in VGPM keeps the renewal dates from slipping.
14. Ethics-code acknowledgment is on file and the self-report rule is understood. Every clinician should have a signed acknowledgment of the applicable BACB ethics code, and supervisors should understand the 30-day self-reporting obligation for investigations, legal actions, and ethics violations. Scope-of-competence questions (Standard 2 on practicing within training, Standard 3 on supervising only what you are competent to supervise) come up most often when a practice expands into new populations or service lines, so revisit them when the practice changes.
15. Incident reporting and mandated-reporter readiness are in place. Behavior technicians and analysts who work with children are mandated reporters, so every staff member needs to know the reporting procedure, the timeline, and the chain of command. Maintain an internal incident log for safeguarding events, allegations, and near-misses, and confirm that reporting-obligation training is current. This is the domain practices least like to think about and most regret neglecting.
A suggested quarterly rotation
Running all 15 items with equal intensity every quarter is more than most practices can sustain, so spread the deep work across the year while keeping the monthly spot-check constant. The rotation below is a starting point, not a rule; adapt it to when your renewals and reauthorizations actually cluster.
| Quarter | Deep-focus items | Why here |
|---|---|---|
| Q1 | Licensure, certifications, ethics acknowledgments (13, 14) | Many credentials and CEU cycles renew early in the year |
| Q2 | Documentation and supervision (1 to 4) | Reset note quality and supervision records before mid-year reauths |
| Q3 | Billing, coding, denials (5 to 7) | Root-cause the first half's denials while the data is fresh |
| Q4 | HIPAA, security, incident review, next-year state changes (10 to 12, 15) | Close the year clean and plan for January regulatory shifts |
| Every month | Session-note and code spot-check, authorization expirations (2, 5, 6, 8) | The high-drift items that cannot wait for a quarterly look |
The full review cadence, and how it connects to KPI review and staffing, is laid out in the operations guide's section on the quarterly operations review. The seven KPIs that predict sustainability are the companion here: the KPIs tell you whether the practice is healthy, and the compliance checklist tells you whether it is clean, and the two reviews fit naturally into the same monthly and quarterly rhythm.
Where the checklist fits, and where it does not
A checklist is a routine, and its value is entirely in whether it gets run. The practices that stay out of trouble are not the ones with the most elaborate policy binder; they are the ones where each of these 15 items has an owner, a cadence, and a place the evidence lives, so the quarterly audit is a review rather than an archaeology project. Purpose-built software helps here because several of the highest-risk items, authorization tracking, credential renewals, and code-to-note alignment, are tracking problems that a system can surface automatically instead of leaving to vigilance. That is the case for keeping scheduling, documentation, authorization tracking, and billing in one place, which is how VGPM is built, and for practices that would rather hand the revenue-cycle side of compliance to specialists, ABA revenue cycle management carries the code-to-note, authorization, and denial items as its own accountability.
It is worth being honest about the limits. This checklist catches the recurring, high-frequency gaps that produce most denials and recoupments, but it is not legal advice, and it is not a substitute for counsel on state licensure specifics, an active audit, or an employment-law question. Dedicated compliance consultants and healthcare attorneys earn their fee exactly where a general checklist runs out, on the complex and state-specific edges. Use the 15 items as the routine that keeps the practice clean quarter after quarter, bring in a professional for the hard cases, and the compliance layer stops being the thing you fear and becomes just another operation you run. The wider system it belongs to is mapped in the ABA practice operations guide.



