ABA Operations

ABA Practice Compliance Checklist: 15 Items Per Quarter

A 15-item quarterly ABA practice compliance checklist covering documentation, billing, HIPAA, licensure, and ethics, with what to check and when it's due.

DDustin Schwartz12 min read

Most ABA practices treat compliance as an annual event, something you scramble to reconstruct when a payer sends an audit letter. That worked when enforcement was rare. It does not work now. The HHS Office of Inspector General has identified more than $285 million in improper or potentially improper ABA Medicaid payments across several state audits (OIG reports), with the most recent reports finding problems in every sampled enrollee-month. Documentation that would have passed three years ago may not pass today, and the practices that stay clean are the ones that check a fixed list on a fixed cadence instead of hoping. This guide lays out that list: 15 items across five domains, each with what to verify, the failure it prevents, and how often to look. It is one discipline inside a larger system; the ABA practice operations guide covers how compliance fits alongside documentation, staffing, and revenue cycle.

Reviewed by the VG Soft Co Clinical and Operations team. Last updated July 2026.


TL;DR

  • Compliance now runs on three layers that move independently. Federal (HIPAA plus Medicaid enforcement), state (licensure and state Medicaid policy), and payer (each plan's documentation and authorization rules). A gap in any one can trigger a denial or a recoupment.
  • Quarterly is the minimum audit cadence, with a monthly spot-check on top. Run the full 15-item list every quarter, and pull 10 random claims monthly to catch drift early. Medicaid-heavy practices should treat the monthly check as mandatory.
  • The 15 items sit in five domains: clinical documentation, billing and coding, authorization and payer rules, privacy and HIPAA, and staff licensure and ethics.
  • Code-to-note alignment and authorization tracking carry the most risk. A note that does not justify its CPT code, or a service delivered after an authorization lapsed, is where most recoupment dollars are lost.
  • A checklist is a routine, not legal advice. It catches the high-frequency gaps; bring in counsel for state-specific or high-stakes questions.

Why a quarterly cadence beats an annual scramble

Compliance debt works like any other kind of debt: the cost of neglect is delayed, so it feels safe to defer. You can run loose session notes for a year before the denials catch up. You can let the compliance calendar slide until a license lapses mid-quarter. The problem is that all of it accrues quietly and then lands at once, usually in the form of a recoupment demand for care you already delivered and spent the money on.

A fixed cadence turns that reactive scramble into a managed system. The BACB and federal compliance frameworks both assume ongoing monitoring rather than a once-a-year look, and the operational answer is two loops. The monthly loop is a light spot-check: a random pull of about 10 claims, each checked against the authorization on file and the quality of the note behind it. The quarterly loop is the full audit, where you work the entire 15-item list across all three layers and assign follow-up on anything that failed. The list below is built for that quarterly pass, with the items that also deserve a monthly look flagged in the cadence column.

The 15 items at a glance

#ItemDomainWhat to checkCadence
1Treatment plans and assessmentsDocumentationCurrent, signed, measurable goals; FBA/BIP matched to diagnosisQuarterly
2Session notesDocumentationComplete elements; note justifies the CPT billedMonthly + quarterly
3Progress reportsDocumentationFiled on each client's reauthorization cycleQuarterly
4Supervision recordsDocumentationRBT supervision meets BACB minimums; contracts on fileQuarterly
5Code-to-note and credential matchBillingCPT and ICD codes match the note and the provider's credentialMonthly + quarterly
6Units billed vs. authorizedBillingDelivered and billed units reconcile to authorized unitsMonthly + quarterly
7Denial and recoupment reviewBillingLast 90 days of denials analyzed by reason codeQuarterly
8Authorization trackingAuthorizationExpirations flagged; reauth submitted 30 to 60 days outMonthly
9Payer and Medicaid rulesAuthorizationPlan-specific and state Medicaid requirements currentQuarterly
10Consent and privacy noticesHIPAAConsent and notice of privacy practices signed and currentQuarterly
11Business associate agreementsHIPAAA BAA on file for every vendor touching PHIAnnually + quarterly review
12ePHI safeguards and telehealthHIPAAEncryption, access controls, telehealth BAA, breach procedureQuarterly
13Licenses, certifications, CEUsLicensureBCBA/RBT credentials renewed; CEUs and background checks currentQuarterly
14Ethics-code acknowledgmentEthicsSigned acknowledgment on file; 30-day self-report rule understoodAnnually + quarterly review
15Incident and mandated-reporter readinessEthicsReporting procedure documented; staff training currentQuarterly

Domain 1: Clinical documentation and service delivery

1. Treatment plans and assessments are current and defensible. Every active client should have a treatment plan with measurable goals, a supporting assessment or functional behavior assessment, and a behavior intervention plan that matches the diagnosis. The plan has to be signed and dated, and its goals have to be specific enough that a reviewer can tell whether progress is real. This is the medical-necessity foundation, and when it is thin, the denials are for the whole episode of care rather than a single date.

2. Session notes are complete and justify the code billed. A defensible note names the date, start and stop times, location, the provider and credential, the specific programs or targets run, quantified data, and a signature. The part practices miss is alignment: the note has to support the CPT code on the claim, so a 97155 protocol-modification claim needs a note that actually documents protocol modification, not just direct therapy. Code-to-note alignment is the single largest source of recoupment risk, which is why it earns a monthly spot-check on top of the quarterly audit. The specific patterns that trigger denials are broken down in the eight session note mistakes that trigger claim denials.

3. Progress reports are filed on the reauthorization cycle. Most payers expect a progress report tied to the authorization period, commonly every six months, showing movement against the plan's goals. Missing or late reports are a common reason reauthorization stalls, which then creates an authorization gap that produces denials downstream. Check that every client's next report date is tracked and owned.

4. Supervision is documented to BACB standards. RBT supervision has to run at least 5% of the hours spent delivering services each month, with a minimum of two monthly contacts and at least one direct observation of the RBT working with a client, and it all has to be documented with a current supervision contract on file. Under-supervised RBTs produce weaker data collection and more note errors, and missing supervision records are both a certification problem and a trigger for supervision-link claim denials. The BACB supervision standards spell out the current requirements.

Domain 2: Billing and coding compliance

5. Codes match the note and the provider's credential. The CPT and ICD-10 codes on each claim have to match what the note documents and what the rendering provider is credentialed to bill. A mismatch, for example a code that requires a BCBA billed under an RBT's delivery, is both a denial risk and, at volume, a fraud-exposure risk. The ABA billing codes and CPT reference covers the current code set and the alignment rules.

6. Units billed reconcile to units authorized and delivered. Pull a sample and confirm that the units billed match the units actually delivered per the note and fall within the units authorized. Over-billing against an authorization is a recoupment waiting to happen; under-billing is revenue you earned and left on the table. This reconciliation belongs in the monthly spot-check because it drifts fast.

7. The last 90 days of denials and recoupments have a root cause. Do not read denials as a single percentage. Sort them by reason code and look for the cluster, because ABA denials group predictably around supervision links, the 8-minute rule, and code bundling, and the pattern names the workflow that is failing. When the appeal workload is climbing faster than the team can work it, dedicated denial management shortens the clock on recovering the winnable ones.

Domain 3: Authorization and payer compliance

8. Every authorization is tracked with its expiration and units remaining. An expired authorization is an automatic denial, typically CO-197, and it is rarely winnable because the service genuinely was not authorized when it happened. You need a live view of each client's authorization, its expiration date, and units remaining, with reauthorization requests submitted 30 to 60 days before expiration so there is never a gap. This is the item most worth automating, and authorization management in VGPM exists specifically to remove it from the list of things a person has to remember.

9. Payer-specific and Medicaid rules are current. Each plan has its own documentation and authorization quirks, and state Medicaid programs change faster than commercial payers. Confirm you are working from the current rule set for your top payers, and pay special attention if you operate in a state that recently overhauled its program. State fragmentation is real: practices operating across state lines have to track each state's rules separately, which is a coordination task that belongs to a named owner.

Domain 4: Privacy, security, and HIPAA

10. Consent forms and the notice of privacy practices are current and acknowledged. Informed consent should cover the services, and where relevant it should name telehealth explicitly. The notice of privacy practices should be current and acknowledged by families. These lapse quietly as forms get updated and old versions keep circulating, so a quarterly confirmation that everyone is on the current version is worth the few minutes it takes.

11. A business associate agreement is on file for every vendor that touches PHI. Your EHR, billing partner, telehealth platform, and even a document-shredding service all need a signed BAA. The gap that bites practices is the vendor added mid-year without one. Keep a vendor list, review it at least annually, and confirm at each quarterly audit that no new tool started handling protected health information without an agreement. Federal HIPAA guidance from HHS lays out the requirement.

12. Electronic PHI is safeguarded and telehealth is compliant. Confirm encryption on data at rest and in transit, access controls limited to need-to-know, and a documented breach-notification procedure that someone actually owns. For telehealth, the platform has to be one the vendor will sign a BAA for, which rules out consumer video tools used without that agreement. The federal telehealth privacy guidance is specific enough that there is no reason to guess here.

Domain 5: Staff licensure and ethics

13. Licenses, certifications, continuing education, and background checks are current. Track every BCBA and RBT credential with its renewal date, confirm continuing-education hours are on pace, and keep background checks up to date. State licensure adds a layer on top of BACB certification in many states, and the requirements vary, so the BACB state licensure map is the reference for where you operate. Credential tracking is another item that software handles better than memory; credential tracking in VGPM keeps the renewal dates from slipping.

14. Ethics-code acknowledgment is on file and the self-report rule is understood. Every clinician should have a signed acknowledgment of the applicable BACB ethics code, and supervisors should understand the 30-day self-reporting obligation for investigations, legal actions, and ethics violations. Scope-of-competence questions (Standard 2 on practicing within training, Standard 3 on supervising only what you are competent to supervise) come up most often when a practice expands into new populations or service lines, so revisit them when the practice changes.

15. Incident reporting and mandated-reporter readiness are in place. Behavior technicians and analysts who work with children are mandated reporters, so every staff member needs to know the reporting procedure, the timeline, and the chain of command. Maintain an internal incident log for safeguarding events, allegations, and near-misses, and confirm that reporting-obligation training is current. This is the domain practices least like to think about and most regret neglecting.

A suggested quarterly rotation

Running all 15 items with equal intensity every quarter is more than most practices can sustain, so spread the deep work across the year while keeping the monthly spot-check constant. The rotation below is a starting point, not a rule; adapt it to when your renewals and reauthorizations actually cluster.

QuarterDeep-focus itemsWhy here
Q1Licensure, certifications, ethics acknowledgments (13, 14)Many credentials and CEU cycles renew early in the year
Q2Documentation and supervision (1 to 4)Reset note quality and supervision records before mid-year reauths
Q3Billing, coding, denials (5 to 7)Root-cause the first half's denials while the data is fresh
Q4HIPAA, security, incident review, next-year state changes (10 to 12, 15)Close the year clean and plan for January regulatory shifts
Every monthSession-note and code spot-check, authorization expirations (2, 5, 6, 8)The high-drift items that cannot wait for a quarterly look

The full review cadence, and how it connects to KPI review and staffing, is laid out in the operations guide's section on the quarterly operations review. The seven KPIs that predict sustainability are the companion here: the KPIs tell you whether the practice is healthy, and the compliance checklist tells you whether it is clean, and the two reviews fit naturally into the same monthly and quarterly rhythm.

Where the checklist fits, and where it does not

A checklist is a routine, and its value is entirely in whether it gets run. The practices that stay out of trouble are not the ones with the most elaborate policy binder; they are the ones where each of these 15 items has an owner, a cadence, and a place the evidence lives, so the quarterly audit is a review rather than an archaeology project. Purpose-built software helps here because several of the highest-risk items, authorization tracking, credential renewals, and code-to-note alignment, are tracking problems that a system can surface automatically instead of leaving to vigilance. That is the case for keeping scheduling, documentation, authorization tracking, and billing in one place, which is how VGPM is built, and for practices that would rather hand the revenue-cycle side of compliance to specialists, ABA revenue cycle management carries the code-to-note, authorization, and denial items as its own accountability.

It is worth being honest about the limits. This checklist catches the recurring, high-frequency gaps that produce most denials and recoupments, but it is not legal advice, and it is not a substitute for counsel on state licensure specifics, an active audit, or an employment-law question. Dedicated compliance consultants and healthcare attorneys earn their fee exactly where a general checklist runs out, on the complex and state-specific edges. Use the 15 items as the routine that keeps the practice clean quarter after quarter, bring in a professional for the hard cases, and the compliance layer stops being the thing you fear and becomes just another operation you run. The wider system it belongs to is mapped in the ABA practice operations guide.


Frequently Asked Questions

Quarterly is the minimum for any practice that bills insurance. On top of the quarterly full audit, run a monthly documentation spot-check: a random pull of about 10 claims checked against the authorization on file and the quality of the matching note. Practices with heavy Medicaid volume, or any practice operating in an audit-active state like Indiana, Maine, North Carolina, or Colorado, should treat the monthly spot-check as non-negotiable. The reason is timing. A documentation habit that slips in January becomes a recoupment demand months later, and the monthly pull catches the drift while the fix is still cheap. The quarterly audit is where you work through the full 15-item list across all three compliance layers; the monthly check is the early-warning system between audits.
A workable checklist covers five domains. Clinical documentation (treatment plans, session notes, progress reports, supervision records), billing and coding (code-to-note alignment, units billed against units authorized, denial patterns), authorization and payer rules (expiration tracking, timely reauthorization, plan-specific and Medicaid requirements), privacy and security (consent, business associate agreements, protected health information safeguards, telehealth, breach procedures), and staff licensure and ethics (license and certification renewals, continuing education, background checks, ethics-code acknowledgment, incident reporting). Fifteen concrete items across those five domains cover most of the surface area a payer or regulator will examine. The point is not the exact count. It is that each domain has an owner, a cadence, and a place where the evidence lives.
Federal Medicaid enforcement is the risk that changed the most. The HHS Office of Inspector General has identified more than $285 million in improper or potentially improper ABA Medicaid payments across several state audits, and the most recent reports found problems in every sampled enrollee-month. Documentation that would have passed three years ago may not pass now. The second risk is state fragmentation: Indiana's overhaul went live April 1, 2026, and North Carolina's HB 696 added out-of-state-provider and telehealth restrictions, so multi-state practices have to track each state separately. The third is under-credentialing, meaning services delivered before payer enrollment finishes, which turns into months of unbillable care. All three are operations failures rather than clinical ones, and all three are preventable with a calendar and an owner.
At the claim level, payers want a session note that names the date, start and stop times, location, the provider and their credential, the specific programs or targets run, quantified data, and a signature, and the note has to match the CPT code billed. Above the claim, they want a current treatment plan with measurable goals, a supporting assessment or functional behavior assessment, and progress reports on the plan's reauthorization cycle. The most common failure is a note that does not justify the code, for example a 97155 protocol-modification claim with a note that only documents direct therapy. Code-to-note alignment is where most recoupment risk lives, which is why it belongs in both the monthly spot-check and the quarterly audit.
The core obligations are informed consent and a current notice of privacy practices, business associate agreements with every vendor that touches protected health information (your EHR, billing partner, telehealth platform, even the shredding service), reasonable safeguards for electronic protected health information such as encryption and access controls limited to need-to-know, and a documented breach-notification procedure. For ABA specifically, two scenarios trip practices up: parent and caregiver observation during sessions, which needs clear consent and confidentiality boundaries, and telehealth delivered over consumer tools without a signed business associate agreement. Review consent forms and the vendor list at least annually, and confirm the breach procedure is written down and someone owns it before you need it.
Under Behavior Analyst Certification Board standards, an RBT must receive ongoing supervision for at least 5% of the hours they spend delivering behavior-analytic services in a given month, and that supervision has to include a minimum of two contacts per month, at least one of which involves the supervisor observing the RBT working directly with a client. The supervision has to be documented, and a current supervision contract should be on file. This matters for compliance on two fronts: under-supervised RBTs produce weaker data and more note errors, and missing supervision documentation is both a certification problem and a trigger for supervision-link claim denials. Treat supervision as a scheduled, protected operation, not a residual that happens when there is time.
It can be, but only with the right setup. The video platform has to be one the vendor will sign a business associate agreement for, which rules out most consumer versions of everyday video tools used without that agreement. Beyond the platform, the same rules apply as for in-person care: informed consent that specifically covers telehealth, a private setting on the provider's end, and safeguards on any recording or data storage. Federal guidance on telehealth privacy is specific enough that there is no reason to guess. The quarterly review should confirm the telehealth platform's business associate agreement is current and that consent forms name telehealth explicitly.
Any service delivered after an authorization lapses is an automatic denial, typically CO-197, and unlike many denials it is rarely winnable on appeal because the service genuinely was not authorized when it happened. That makes authorization tracking one of the highest-value items on the checklist. The fix is a live view of every client's authorization with its expiration date and units remaining, and a reauthorization request submitted 30 to 60 days before expiration so there is no gap. Eligibility should be re-verified monthly as well, because coverage changes drive a separate family of denials such as CO-27 and PR-204. This is an operational tracking problem, and it is the kind of thing purpose-built software removes rather than solves with vigilance alone.
No. It is an operational guardrail, not legal advice. The checklist is built to catch the recurring, high-frequency gaps that produce most denials, recoupments, and certification problems, and running it well will keep a practice out of the majority of avoidable trouble. But state licensure rules, Medicaid program specifics, employment law, and any active audit or investigation are situations where you want a healthcare attorney or a dedicated compliance professional who knows your state. Use the checklist as the routine that keeps the practice clean, and bring in counsel for the complex, high-stakes, or state-specific questions it is not designed to answer.

Share this article