The Audit Era Is Here
I talk to lots of ABA company owners. Several have called me in the last six months sounding like they had just opened a letter that might end their company. Some of them had. The HHS Office of Inspector General has its eyes trained on ABA companies. A Northeast state is mid-clawback right now, demanding six-figure repayments from small ABA providers in 30 days on a rule their own associations argue is a clinical guideline and not a payment condition. Whether your company survives an audit depends on what you do before, during, and after the letter that has not yet arrived.
The numbers are not abstractions. The OIG is attempting to claw back more than $200 million from ABA providers across various states. In some cases, providers have committed egregious acts; in many other cases, providers are getting swept up in a dragnet for honest mistakes in documentation and billing. State Medicaid Fraud Control Units, Unified Program Integrity Contractors, and managed care plan Special Investigations Units are all working the same ground from different angles. The U.S. House Energy and Commerce Committee has reportedly opened probes into programs in at least 10 additional states. This is not a moment. It is an environment.
I have one bias to disclose before going further. I think the methodology being used to audit ABA right now is too blunt, and honest providers are being caught up in a dragnet built for bad actors. None of what follows assumes the auditor is right. All of it assumes the auditor is coming.
The Bad Actors Made This Bed
Real fraud exists in ABA. As long as there are humans, there will be fraud. Federal and state authorities have publicly documented per-patient billing averages in the hundreds of thousands of dollars at certain providers, services billed for therapy that was not delivered, supervision performed by people without the right credentials, and outright misrepresentation of who rendered which session. Whistleblower settlements are up. False Claims Act cases are up. Managed care counterclaims are up.
The worst behavior in the field is now the perspective that an auditor brings into your conference room, whether you have done anything wrong or not. You no longer get to start from neutral. So the rest of this piece is about what you can control. It is about what you can do before, during, and after the dreaded letter arrives.

Before The Letter Arrives
Eight items. They scale from a 30-staff clinic to a 1,500-staff multi-state platform. The standards do not change with size. The resourcing does.
1. Run a real mock audit before the letter arrives. Quarterly for a multi-state organization, semi-annually for a single-clinic operator. Use the OIG’s published methodology against yourself. Pull a sample of enrollee-months, apply your state’s actual Medicaid documentation requirements, not your internal ones, and grade hard. Hire an outside compliance firm or healthcare attorney for at least one of those reviews per year. Resist the temptation to make your mock audit constructive. The point is to fail it before someone fails it for you.
2. Treat session notes like courtroom exhibits. Notes finalized within 24 hours, never beyond seven days. Every note tied to a goal on the approved treatment plan. Observable behaviors, not editorializing. Quantifiable data wherever possible. Provider name, credential, signature. The single most common finding across the four published OIG ABA state audits was session notes that did not meet state documentation requirements. Most of those failures were not sophisticated. They were missing fields, late entries, and templated narratives that did not match the actual session.
3. Lock down supervision documentation before someone claws back payment for it. The supervision-ratio fight in the Northeast right now is not a one-off. Auditors are increasingly using clinical-guideline metrics as payment-integrity weapons, and the providers being clawed back today often did the right clinical thing. They simply cannot prove it on paper. Whatever your state’s expected ratio is, document it at the case level and the enterprise level. If you are outside the ratio for a clinically defensible reason, document the reason at the time, not in retrospect.
4. Verify every credential, every month. BCBA, BCaBA (board-certified assistant behavior analyst), RBT (registered behavior technician), state license, NPI status, OIG exclusion list, SAM.gov, payer-specific credentialing. Automate it. Settlements and audit findings repeatedly include services rendered by uncredentialed staff or supervision performed by people without the right license tier. This is the cheapest finding in the audit world to prevent and the most expensive one to ignore.
If your compliance program is something you remember when you have time, you do not have a compliance program. You have hope masquerading as a compliance program.
5. Treatment plans that justify every hour you bill. The most damaging finding across the published OIG ABA state audits was billing not supported by the plan of care. If you bill 30 hours a week, the plan needs to justify 30 hours a week, with measurable goals, current data, and a defensible medical-necessity rationale a state Medicaid reviewer can read in five minutes. Update the treatment plan as often as your state requires, with documented parent involvement and signatures on every revision.
6. Build a billing-to-documentation reconciliation that runs every week. Published audit findings include unsupported CPT codes, excessive units, group sessions billed under individual treatment codes, and overlapping service times in which the same provider was apparently in two places at once. Every one of those is catchable with a basic prepay edit. Use your practice management software, not your wishful thinking.
7. Have healthcare counsel on retainer before you need them. Not your incorporation lawyer. Not your contract lawyer. A healthcare regulatory attorney who has defended Unified Program Integrity Contractor audits, state Medicaid post-payment reviews, and the appeals architecture in your specific state. The cost of that retainer is a rounding error compared to the cost of running the first 30 days of an audit blind.
8. Build a real compliance function, even if you are small. For a 30-person clinic, that means a designated compliance lead with 10 percent of their week protected, a written compliance plan, documented annual training, and a contracted external reviewer. For a multi-state, it means a full-time chief compliance officer who reports to the board, not the chief financial officer, an internal audit function, and a cadence of board-level review. The Council of Autism Service Providers (CASP) Organizational Guidelines are a free starting framework, and the Autism Commission on Quality (ACQ) accreditation, founded by CASP in 2022, is the most credible third-party forcing function for small and mid-size providers building these systems for the first time.
The size differential matters most in resourcing. A small org should treat third-party accreditation as a forcing function, lean on a good ABA-specific revenue cycle and electronic health record system to enforce documentation at the point of billing, and join its state ABA association. The public fights on these issues are being led by associations, not individual providers. A multi-state org should run quarterly mock audits across business units and watch the variance between regions, because variance is where the real risk lives.
When The Letter Arrives
A letter arrives. The instinct is to respond fast, prove cooperation, get it over with. The instinct is wrong.
Do not respond on day one. Calendar the deadline, call counsel, mentally process the situation, then respond. Letters that look routine almost never are.
Centralize communications. A single point of contact, usually the compliance officer or counsel, handles everything. No phone calls between auditors and clinicians. No emails between auditors and billing staff. Every communication in writing, every communication logged. The fastest way to expand an audit’s scope is to let an auditor have a hallway conversation with the wrong, misinformed person.
Match the scope of the request. Do not over-produce. Volunteering extra records is volunteering extra findings. Produce exactly what was requested, organized exactly as requested, in the format requested. If a request is ambiguous, get clarification in writing before responding to it. Some auditors conduct fishing expeditions. They cast a wide net and see what gets dragged in. It is your job to clarify the scope and be surgical in what you provide.
Get the universe definition in writing. This is the single biggest extrapolation defense most providers do not know they have. Auditors using statistical sampling must document the population the sample is drawn from, including CPT codes, date ranges, and provider identifiers. A flawed universe definition undermines the whole audit. Findings can only be extrapolated to claims properly included in that documented universe. Insist on it before you produce a single record.
Run your own sample in parallel. If the auditor’s sample looks suspect for selection bias, wrong universe, or methodology, your statistical expert can build a defensive sample to challenge the methodology. Health-law guidance is clear that providers have the right to present their own statistically valid rebuttal. The cheapest way to fight a multimillion-dollar extrapolation is not more lawyering. It is a better statistician.
Insist on entrance and exit conferences. Skip them and you have waived your best chance to narrow the scope before findings are written. Use the entrance conference to clarify the universe, methodology, and timeline. Use the exit conference to push back on preliminary findings before they harden into a final report. Think of a time when you were pulled over by a police officer. If you can have a productive conversation before a ticket is written, that is your best chance to prevent a citation. Once they write you a ticket, it’s too late.
Preserve everything. Touch nothing. The instinct to clean up or supplement notes after a request letter arrives is the single fastest path from a routine audit to False Claims Act exposure. Lock down the records the moment the letter arrives. If a note was incomplete on the day it was supposed to be written, it stays incomplete, and you let counsel handle the explanation.
Tell the right people internally, and only the right people. Board, executive team, counsel, compliance lead. Not the staff Slack channel. Audit information leaks turn into staff anxiety, then patient anxiety, then external chatter, and external chatter is how a routine audit becomes a Medicaid Fraud Control Unit referral.
The During phase of the audit differs in coordination cost between small and large orgs. A small organization can run an audit response with one healthcare attorney and an executive director, but it has to be relentless about not improvising. A multi-state has more bench depth and more failure paths. A regional office goes off-script. An HR action against a clinician produces a disgruntled witness. A new claim gets submitted that contradicts a position taken in the audit response. Centralized command-and-control matters more, not less, the bigger you are.
After The Findings Come
Most coverage of these audits ends at the audit. That is a mistake. The After phase is where companies actually win or lose.
Calendar every appeal deadline immediately. There is no unified Medicaid appeals process. Each state has its own, with different filings, different timelines, and different evidentiary standards. Miss a deadline by a day and you have forfeited rights you did not know you had.
Rebut bad extrapolation in writing. If the audit used statistical sampling, your appeal needs to attack the methodology, including universe, sample selection, error rate, and confidence intervals, with a qualified statistician on the record. Federal courts have upheld extrapolation in plenty of cases, and they have also overturned audits where the methodology was defective. The evidentiary bar is high. Meet it.
Negotiate before you litigate. A well-drafted Corrective Action Plan can settle far more findings than people realize. Auditors and program-integrity contractors carry caseloads. A provider that comes to the table with a credible Corrective Action Plan, evidence of remediation, and a reasonable settlement offer almost always gets a materially better outcome than a provider that fights everything to the wall.
Run a real root-cause review, not a blame campaign. The temptation after an audit is to fire the billing manager and move on. The real questions are structural. Why did our prepay edits not catch this? Why did our quarterly review not surface the issue? Why did our session-note template let people skip required fields? An audit that does not change the operating system is an audit you will fail again.
Tell your story to the right stakeholders, carefully. Board, lenders, key referral sources, payer partners. Not your full clinical staff. Not social media. The narrative needs to be: here is what we found, here is what we fixed, here is how it cannot happen again. Owning the story is almost always better than letting it leak. The audience for the story is narrow.
Re-run the Before checklist. Mock audit. Sampled claim review. Documentation spot-check. Credentialing verification. Treatment-plan reconciliation. The work that did not happen before the audit becomes the only work that matters after it.
The After phase differs in optionality between small and large orgs. A small org with a single-state Medicaid concentration may have one shot at a clean appeal and a survivable settlement. A large org has more legal firepower and more public exposure, because a settlement is now a press release. Either way, the benefit of your Before work is highest in hindsight, once you live through an After that your organization was not prepared for.
The Three Window Test
The audit era will not slow down. Three more state OIG ABA audits remain on the federal work plan. The supervision-ratio recoupment dispute in Massachusetts is unresolved. The next ABA company to receive a Medicaid audit letter does not know it yet. Whether they survive it will depend on what they do before, during and after the audit.
The Three Window Test is the simplest framework for an organization that wants to take this seriously without drowning in compliance vocabulary. Before the letter arrives: have you run a real mock audit on the last 90 days of claims? Do you have healthcare regulatory counsel on retainer? Has the board reviewed your documentation, supervision, and credentialing controls in the last 90 days? During the audit: do you have a single point of contact, a counsel relationship that can deploy on 24 hours’ notice, and a leadership team disciplined enough not to over-produce? After the audit: do you have a statistician, an appeal calendar, and a corrective action plan that changes the operating system, not just the org chart?
If the answer to any of those is no, your work for the next 90 days is obvious. The companies that prepare properly can spend the next five years building. The companies that do not will spend them explaining.
AT A GLANCE
| OIG ABA state audits completed: | 4 (Indiana, Wisconsin, Maine, Colorado), with 3 more pending on the HHS-OIG work plan |
| Sampled claims flagged with at least one issue: | 100% of sampled enrollee-months across all four completed audits |
| Massachusetts supervision-ratio overpayment estimate: | $16.8M for 2024 services that exceeded a 10:1 paraprofessional-to-LABA ratio (Mass.gov OIG, March 2024) |
| Free industry framework: | CASP Organizational Guidelines (Council of Autism Service Providers) |
| Third-party accreditation: | Autism Commission on Quality (ACQ), founded by CASP in 2022 |
| Appeals process for Medicaid audits: | No unified federal process; each state runs its own with separate filings, timelines, and evidentiary standards |
| Statistical extrapolation rebuttal right: | Providers have the right to present their own statistically valid rebuttal sample (American Bar Association Health Lawyer, 2025) |
| Three-action audit-readiness check: | (1) mock audit on last 90 days; (2) healthcare counsel on retainer; (3) board-level review of documentation, supervision, and credentialing controls |
SOURCES & REFERENCES
| 1. | HHS Office of Inspector General. Indiana Made at Least $56 Million in Improper Fee-for-Service Medicaid Payments for Applied Behavior Analysis Provided to Children Diagnosed With Autism. December 2024. oig.hhs.gov |
| 2. | HHS Office of Inspector General. Wisconsin Made at Least $18.5 Million in Improper Fee-for-Service Medicaid Payments for Applied Behavior Analysis Provided to Children Diagnosed With Autism. 2025. oig.hhs.gov |
| 3. | HHS Office of Inspector General. HHS-OIG Audit Finds Maine Made At Least $45.6 Million in Improper Medicaid Payments for Autism Services. oig.hhs.gov |
| 4. | HHS Office of Inspector General. Colorado Made at Least $77.8 Million in Improper Fee-for-Service Medicaid Payments for Applied Behavior Analysis Provided to Children. March 2026. oig.hhs.gov |
| 5. | HHS Office of Inspector General. Audits of Medicaid Applied Behavior Analysis for Children Diagnosed With Autism. Work Plan. oig.hhs.gov |
| 6. | STAT News. Federal Medicaid audit finds massive overpayment for autism therapy in Colorado. March 2, 2026. statnews.com |
| 7. | Behavioral Health Business. “Can I Survive Here?”: Massachusetts Autism Therapy Providers Rattled by Contentious Medicaid Clawback Effort. May 1, 2026. bhbusiness.com |
| 8. | Massachusetts Office of the Inspector General. MassHealth’s Applied Behavior Analysis Program: Service Providers, 2024 Annual Report. Mass.gov |
| 9. | Council of Autism Service Providers. Standards & Guidelines (CASP Organizational Guidelines). casproviders.org |
| 10. | Council of Autism Service Providers. The Autism Commission on Quality (ACQ). casproviders.org |
| 11. | American Bar Association Health Lawyer. How to Use Proper Principles of Statistical Sampling to Rebut Sampling-Based UPIC Audits. 2025. americanbar.org |
| 12. | Benesch, Friedlander, Coplan & Aronoff LLP. Heightened Scrutiny of Medicaid-Funded ABA Services: Key Takeaways for Providers. beneschlaw.com |
| 13. | Massachusetts Office of the Attorney General. AG Campbell Announces More Than $2.5 Million in Fraud Settlements With Two Autism Services Providers. Mass.gov |