QA is not Compliance: Why Quality Alone Won't Protect You in an Audit

Many ABA organizations are doing good clinical work. They have a quality assurance (QA) program. They provide ongoing supervision. They monitor fidelity. On the surface, it may seem like these systems are enough to keep the organization compliant.

But here’s the challenge: Quality assurance and healthcare compliance are not the same thing.

And in today’s payer environment, especially for organizations billing Medicaid or any commercial payer, that distinction matters more than ever. Mistaking one for the other can leave your organization exposed.

The Problem: Mistaking QA for Compliance

It’s not uncommon to hear things like:

• “Our supervisors regularly review session notes.”

• “We monitor treatment integrity and clinical progress.”

• “Our QA team looks at documentation every month.”

These are good practices. But none of them, on their own, constitute a compliance audit. And funders are increasingly looking for evidence of that distinction.

Quality assurance is concerned with clinical effectiveness—is the care meaningful, ethical, aligned with best practice?
Compliance is concerned with regulatory alignment—were services delivered, documented, and billed according to payer and policy requirements?

One does not replace the other. If your organization is focused solely on QA, you may be unintentionally leaving significant risk areas unchecked.

What’s the Difference? 

Think of it this way:

QA asks: “Is this good ABA?”
Compliance asks: “Could this get us in trouble?”

Both are important. They often use the same tools.  But they serve very different  purposes. (Think similar form, different function). 

Regulators, funders, and licensing boards aren’t interested in whether your staff delivered the highest-quality services—they’re interested in whether your services were delivered correctly, legally, and defensibly.

What Makes Something an Audit (And Why It Matters)

To function as an internal compliance audit—something that could stand up to external scrutiny—your review process must include:

• A defined scope (e.g., specific codes, providers, date ranges)

• Objective Criteria aligned with funder and regulatory requirements

• A repeatable process that produces reliable, repeatable results

• Documentation of findings—and ideally, root cause analysis

• A plan for corrective action and follow-up

If the review lacks these elements, it may still be valuable for clinical oversight—but it won’t serve as a defensible compliance mechanism.

In other words, without auditing systems in place, even strong QA programs may be unable to detect compliance breakdowns until it’s too late.

Quick Litmus Test: QA or Compliance?

Ask yourself this about your last internal review:

• Did I identify and document the rules or regulations I was checking against?

• Did I define what counts as a pass or fail before I looked?

• Did I write up a summary of findings (even for myself)?

• Did I track those findings over time to see if it’s improving?

• Did I choose the notes/staff/services based on risk?

If not… it wasn’t a compliance audit. And that’s okay—as long as you know the difference.

Real-World Risk: What Funders Are Looking For

Payers and regulators are auditing ABA organizations as healthcare providers. That means your compliance program has to function like healthcare, too.  That doesn’t mean building a massive compliance department. It means building repeatable, risk-based internal audits that help you spot and fix problems before someone else does.

Claims must be supported by defensible documentation. Provider supervision must meet regulatory minimums. Billing practices must align with authorization terms, not just clinical need.  Notes must corroborate that services occurred and show that they were medically necessary, and coding must match what’s documented.  These are not clinical standards—they’re compliance requirements. And if your internal systems aren’t designed to evaluate them, you’re operating with a blind spot.

A Practical First Step: Start Small, But Start Now

The good news is that building an internal audit process doesn't require a full compliance department or even full-time compliance staff.

Start with one high-risk area:

1. Select a code (e.g., 97153) and a provider with high billing volume.

2. Choose a short time frame—one week or five notes.

3. Use criteria aligned with funder policy (e.g., session times, credentials, corroboration).

4. Score each note. Track errors. Look for patterns.

This kind of micro-audit gives you a window into your risk areas—and a foundation to build on.

The Goal Isn’t Perfection—It’s Visibility 

You don’t need to be 100% compliant 100% of the time–in fact if it looks like you are, you most likely missed something. But you do need systems that help you see where problems exist—and respond before they escalate.

If your team is working hard but missing the mark on documentation, supervision, or billing practices, the issue isn't effort—it's infrastructure. And infrastructure can be built.

The good news is you don’t need a large compliance department to fix that. You need the right systems, tools, and guidance.

The ABA Compliance Collective was built to give ABA leaders exactly that. It provides step-by-step support for building internal audit processes, strengthening documentation practices, and creating a compliance program that can stand up to payer and regulatory scrutiny.

Instead of guessing what to do next, you’ll have a clear path forward—and the resources to implement it.

Take a closer look at what’s included in the Collective here:
https://www.abacompliance.com/collective

If you’re unsure where to begin, we’ve created a Starter Audit Plan Template you can use to launch your first internal compliance review. It’s simple, focused, and tailored to ABA.