Audits & Compliance · Updated 2026-05-01

ABA Audit Preparation Guide

Documentation, session notes, and operational hygiene for payer and accreditation audits.

ABA audits — payer reviews, state Medicaid integrity reviews, and accreditation visits — are routine in this industry. Every agency over a certain size will face at least one in any given year. The agencies that handle audits cleanly all do the same thing: documentation as a routine habit, not as an emergency response.

This guide walks through what auditors actually look at, what gets agencies in trouble, and the operational habits that make audit preparation a one-day exercise rather than a one-month scramble.

What auditors actually look at

Most ABA audits — regardless of source — examine the same four document categories:

  1. Authorization and eligibility. Was the service authorized at the time of delivery? Was the client eligible under the plan?
  2. Clinical documentation. Session notes, BIPs, treatment plans, supervision records, supervision-hour compliance.
  3. Credentialing. Was the BCBA credentialed with the payer at the time of service? Was the RBT certified? Were supervision hours documented?
  4. Billing accuracy. CPT codes match the service delivered. Hour totals match session notes. Modifiers are correct for the payer.

A clean audit means clean documentation in all four categories. A failed audit usually traces back to gaps in one specific category that the agency knew about and put off addressing.

Habit 1 — Document during the work, not after

The single biggest audit-preparation lever is documentation timing. Session notes written within 24 hours of the session are detailed and accurate. Session notes written four weeks later are vague and reconstructed. Auditors notice the difference, and so do payers when reviewing claims.

Build the workflow so documentation happens at session time:

  • RBTs document data and session notes in the clinical platform during or immediately after the session.
  • BCBAs review and sign session notes within the supervision interval.
  • Authorization tracking updates after each session, not at the end of the month.

The agencies that handle this cleanly all use clinical platforms that make in-session documentation friction-free.

Habit 2 — Track authorizations as expiration dates, not as approval events

The most common audit finding for ABA is services delivered after authorization expired. This is preventable with one operational habit: track authorizations by expiration date with recurring reminders.

  • Recurring task at 60 days before auth expiration
  • Recurring task at 30 days before
  • Recurring task at 14 days before
  • Block scheduling past the auth end date until renewal is approved

GoodABA's task automation handles this kind of expiration tracking, and most ABA platforms have similar capability — turn it on.

Habit 3 — Separate signed documents from working documents

Audits ask for specific signed documents — treatment consent, Notice of Privacy Practices, photo release, BAAs with vendors — by client or by date. Spending an hour digging through email is the wrong way to handle the ask.

File signed documents on the client record (or the vendor record, for BAAs) at the moment they are signed. Tools that do this automatically save real audit time.

Habit 4 — Run quarterly internal audits

The single best preparation for an external audit is regular internal audits. Quarterly:

  • Pick 5–10 random clients
  • Pull authorization, eligibility, session notes, supervision records, credentialing, and billing documentation for each
  • Verify each document is present and complete
  • Document findings and remediation

Findings from internal audits are far cheaper to fix than findings from payer audits. Build the internal audit into the operations calendar as a recurring task.

Habit 5 — Maintain HIPAA documentation continuously

HIPAA documentation — Security Risk Assessment, training records, BAAs, breach response plan — is what state Medicaid reviews and accreditation visits look at first. Update training records as training happens, not at the end of the year. Re-run the SRA annually. Audit BAA coverage when adding any new vendor.

What an actual audit looks like

A typical payer audit goes:

  • Notification. Letter or call notifying you of the audit, with a list of clients and date ranges to be reviewed.
  • Document request. A specific list of documents to produce — session notes, BIPs, treatment plans, supervision records, credentialing — usually within 30 days.
  • Document review. The auditor reviews submitted documentation, often returning with follow-up requests for clarification.
  • Findings. A written report of any concerns, often with recoupment proposed for any deficiencies.
  • Response window. You have a window (usually 30 days) to respond, dispute findings, or supply additional documentation.

Agencies with continuous documentation breeze through this. Agencies with reconstructed documentation spend a month chasing paperwork.

Recoupment risk

The most expensive audit outcome is recoupment — the payer demands repayment of past claims they now consider improperly billed. Common recoupment triggers:

  • Services delivered after authorization expired
  • Sessions delivered by an RBT whose certification had lapsed
  • Supervision below minimum required percentages for the period
  • Missing signed treatment plans or consents
  • BIP fidelity scoring missing or incomplete

Document everything that prevents these. Recoupment can run six figures or higher for agencies with systemic gaps.

How GoodABA helps with audit preparation

GoodABA's task automation, credential tracking, document signing, and central client record give agencies the operational scaffolding for continuous documentation. Recurring tasks fire on auth expirations and credential renewals; signed documents land on the client record automatically; supervision-hour tracking flags gaps before the month closes. The agencies that adopt this kind of structure in their first year do not have audit emergencies later.

For HIPAA specifically, see HIPAA compliance for ABA agencies.

FAQ

How often should I expect a payer audit?

It varies. Some commercial payers audit every 2–3 years; some Medicaid programs audit annually. New providers often see an audit in their first 18 months. Plan for the possibility continuously.

What's the difference between a payer audit and a state Medicaid integrity review?

Payer audits review compliance with that specific payer's contract. State Medicaid integrity reviews are broader and can include compliance with state law, fraud screening, and program-integrity rules. Both look at similar documentation; integrity reviews can have more severe consequences.

Do internal audits actually help?

Yes — they are the single most effective audit-preparation activity. Findings from internal audits are dramatically cheaper to remediate than findings from external audits.

What documents do I need to retain, and for how long?

Most payers and state laws require 6–7 years of retention. HIPAA documentation must be retained for 6 years. Default to 7 years for everything and you cover most cases.
