ABA Medicaid Audit Preparation Checklist

A Medicaid audit letter is one of the most stressful pieces of mail an ABA agency owner receives. The state (or its contracted MCO) wants documentation for a sample of billed sessions, often 20–50 sessions, with a 30-day turnaround. The agencies that handle audits cleanly didn't get lucky — they had documentation habits that held up under inspection.

This guide walks through what Medicaid auditors look for in ABA, the documentation standards they apply, and the operational habits that turn an audit from an emergency into a paperwork exercise.

Step 1 — Understand what triggered the audit

Medicaid audits come in three flavors:

Random / routine: The state samples providers periodically. No specific concern, just verification.
Data-driven: The state's analytics flagged unusual billing patterns — high hours per client, low supervision ratios, unusual code mix, billing on weekends/holidays.
Complaint-driven: Someone (former employee, family, competitor) filed a complaint that triggered review.

The audit letter sometimes states the trigger; often it doesn't. Knowing the type changes how aggressively to prepare. Random audits are paperwork exercises. Data-driven and complaint-driven audits often expand if the initial sample shows issues.

Step 2 — Pull the documentation requested

The audit request typically asks for:

Session notes for the sampled dates of service
Supervision documentation for 97155 hours
Treatment plans active during the audit period
Assessment documents for clients in the sample
Authorization documents showing approved hours
Time records for RBT staff
RBT credential documentation
BCBA license and certification documents

Pull everything within 5 business days of receipt. Don't wait. The 30-day window passes faster than expected, and finding documents from 18 months ago in a disorganized system can take weeks.

Step 3 — Review the documentation against Medicaid standards

Before submitting anything, the agency's clinical leadership should review the packet against the state's documentation requirements. Common gaps:

Session notes missing the required elements. Most states require: date, time start, time end, location, RBT name, BCBA supervisor name, target behaviors addressed, data collected, parent/guardian signature (in some states).
Notes that don't match the schedule. Billed for 9:00–11:00 but the note says 9:00–10:30. The 30 minutes get clawed back.
Notes that look templated. Identical language across sessions and clients reads as fraud risk to auditors. "Worked on tacts and mands. Client made progress." across 80 sessions for 5 different clients gets flagged.
Supervision documentation missing. 97155 requires a BCBA note. No note, the hours get clawed back.
Authorization mismatches. Hours billed exceed authorization, or for codes outside authorization.

This pre-submission review is the single highest-value hour the clinical director will spend during an audit. Issues found internally before submission are claw-backs; issues found by the auditor often expand the sample and the scrutiny.

Step 4 — Address the issues found in pre-submission review

For documentation gaps, the agency has a choice:

Self-disclose the gap. Some states have programs that reduce penalties for self-disclosed issues. This is more often the right move than agencies think.
Fix what's fixable through proper amendment processes. Late-added notes are NOT acceptable in most states — back-dating is fraud. But amending an existing note with clarifying detail (e.g., "addendum: parent signature obtained 2026-04-15") is generally acceptable.
Don't submit and accept the claw-back. If a session genuinely lacks documentation, it's better to acknowledge the gap than to submit something fabricated.

Never fabricate. Auditors have seen everything, and fabricated notes are detected at high rates through document forensics, language pattern analysis, and cross-reference with EHR audit logs. Fabrication turns a claw-back into a fraud investigation.

Step 5 — Submit the documentation cleanly

Audit submissions should be:

Indexed: Cover sheet listing every document with page numbers
Organized by client and date of service: Match the auditor's request structure
Redacted appropriately: PHI for non-sampled clients should not appear
Submitted through the requested channel: Provider portal, secure email, or physical mail per the audit letter

A clean submission signals competence to auditors and reduces follow-up requests.

Step 6 — Respond promptly to follow-up requests

Auditors often request additional documentation after initial review — clarifying questions, additional clients added to the sample, supervision logs, etc. Respond within the requested window. Silence prolongs the audit and often expands its scope.

If the audit's findings don't make sense, request a meeting. Most state auditors will explain their interpretation and discuss the agency's response. Going straight to formal appeal is sometimes correct but often premature.

Step 7 — Implement corrective action plans

Most audits result in either no findings or findings with a corrective action plan (CAP). The CAP typically requires:

Repayment of identified overpayments
Documentation improvements (specific changes to session-note templates, supervision documentation, etc.)
Internal monitoring (the agency runs its own audits and reports findings to the state)
Staff training (documented training on documentation standards)
Time-bound deliverables (CAP elements are usually due in 30–90 days)

Implementing the CAP fully and on time is the difference between a closed audit and an escalated one. The agencies that don't take CAPs seriously end up in larger audits 12–18 months later.

Step 8 — Build documentation habits that pre-empt audits

The agencies that handle audits cleanly built the habits before the letter arrived:

Session notes written within 24 hours of session. Same-day is better. Notes written weeks later read as templated and fail audit scrutiny.
BCBA reviews of RBT notes weekly. Catches documentation gaps before they accumulate.
Internal audits quarterly. Pull a random sample of 20 sessions and review against state documentation standards. Whatever the auditor would flag, the agency wants to find first.
Authorization tracking integrated with scheduling. No session billed beyond authorized hours.
Credential and license tracking. RBT certifications and BCBA licenses always current and documented.
Communications log on the client record. Auditors increasingly ask for evidence of family communication and training. See HIPAA compliance for the related compliance framework.

These habits cost ~2 hours/week of clinical-leadership time. They prevent five-figure claw-backs.

How GoodABA helps

GoodABA's client record, task automation, and communications log build the documentation trail audits depend on — session-linked notes, automated supervision-due reminders, credential expiration tracking, and family communication tied to the client record. The clinical documentation discipline is yours. GoodABA makes sure the operational scaffolding produces the audit trail without manual reconstruction.

FAQ

How much notice does Medicaid give for an audit?

Typical: 30 days from the date of the audit letter. Some states give as little as 14 days; some allow 60 days for complex requests. Don't assume — check the specific letter.

Can the audit period extend back further than the requested sample?

Yes. If the initial sample shows issues, auditors can expand the look-back window. Federal Medicaid audits can look back up to 5 years. State audits often run 2–3 years.

What's a typical claw-back rate?

Agencies with strong documentation habits run claw-back rates under 5%. Agencies with weak habits can see 20–40% claw-back, which can be five- or six-figure repayments.

Should I hire an audit consultant?

For first-time audits, agencies often manage internally. For audits with significant exposure (large samples, complaint-driven, multi-year scope) or for agencies without billing/compliance experience, an experienced ABA audit consultant is usually worth the cost. They've seen the patterns and know how to package responses.

What's the difference between a Medicaid audit and a commercial payer audit?

Commercial audits typically have shorter look-back windows and smaller penalty structures. Medicaid audits can have multi-year scope, federal involvement, and significant penalties. Both should be taken seriously, but Medicaid audits warrant more aggressive preparation.