About Compliance Community ABA Session Note Frameworks Work With Us Blog Get in Touch

ABA Compliance: What To Do When You Don't Know Where to Start

risk assessment Jun 11, 2026

At some point, many ABA leaders realize compliance can’t live in the back of their mind anymore.

Maybe the organization is growing.

Maybe Medicaid is now part of the payer mix.

Maybe a payer requested records.

Maybe you realized your QA efforts were starting to veer toward something different.

Maybe someone asked, “Do we have a compliance plan?” and the answer was, “what do you mean? What’s a compliance plan?” 

Or maybe nothing specific happened at all. You just have the uncomfortable sense that there are probably gaps somewhere, and you’re not sure where to look first.

All of these are really common scenarios that we see everyday.  In all of them, something causes a nervousness that there’s something you should be doing but you aren’t sure what and don’t know how to find out.

ABA organizations are often built by clinicians, owners, and operators who are very good at solving the problems directly in front of them. Staffing. Turnover. Treatment decisions. Authorizations. Billing. Parent communication. Schedule changes. Documentation. Cancellations. Wash, rinse, repeat.

Meanwhile, new requirements keep popping up.

Another payer expectation.

Another training requirement.

Another documentation standard.

Another authorization requirement.

Another form.

Another credentialing rule.

Another audit concern.

None of them seem particularly large by themselves but they add up.

Until one day you realize you’re not just running an ABA organization, you're running a healthcare organization.  

You go from, “we need to make sure we are delivering excellent ABA services” to, “We need to do something about compliance.”

And then immediately after that:

“I have no idea where to start.”

 

Why Compliance Feels So Hard to Start

The first problem is that “compliance” sounds like one thing. It sounds like a state you can achieve–”we are compliant”.

But it’s not one thing. It’s a practice and a process that must be responsive to all the context and contingencies in play.

In ABA, compliance may touch:

  • clinical documentation
  • billing practices
  • payer requirements
  • staff qualifications
  • licensing
  • supervision
  • HIPAA
  • incident reporting
  • internal auditing
  • corrective action
  • training
  • policies and procedures

The list goes on and on.

So when someone says, “We need to work on compliance,” the next question is usually:

“Okay. Which part?”

That’s where many organizations get stuck.

They start with whatever feels most urgent or whatever seems to have the most concrete requirements. A policy manual. A note audit. HIPAA training. A compliance officer job description. A payer handbook. A folder called “Compliance” that everyone hopes will eventually become a system.

All of those things may be useful.

But they are not automatically the right starting point and starting with what feels most urgent can result in a random game of whack-a-mole.

 

Why “Feels Urgent” Is Not Always the Starting Point

It’s helpful to start with what the function of compliance is.  

The purpose of compliance is to help organizations prevent problems where they can, detect problems when they occur, and respond appropriately when something goes wrong.

In compliance, we often talk about those potential problems as risks.

Risk isn't a mysterious compliance concept. It's simply a way of describing where problems are most likely to occur and how significant the consequences would be if they did.

Often, ABA leaders approach compliance like a to-do list:

"Just tell me what I have to do and I’ll do it."

This makes sense, but you can see it can’t answer all of the important questions:

What problems can happen here?

If something happens, how big of a problem will it actually be?

And what can I do to manage it?”

Compliance is  actually much closer to clinical decision-making than you might think. You're constantly evaluating the context you’re operating in, what’s going right, what could go wrong, what is going wrong, and whether your current systems are sufficient to respond appropriately.

The reality is, the problems facing a five-person startup are different from the problems facing a 200-person organization billing Medicaid across multiple locations.

The risks are different.

Which means the priorities are different.

Which means the compliance activities should be different.

An effective Compliance Program requires shifting from asking only,

“What are we required to do?”

To asking

“Where are we most exposed to risk right now?”

 

The Problem With Starting Randomly

When compliance work starts  randomly, organizations can spend a lot of time building things that do not address their highest risks.

For example, an organization might spend weeks revising a policy manual while their session notes do not support medical necessity or meet payer requirements.

Another organization might train staff on documentation while no one is reviewing whether billing matches what was actually documented.

Another might assign someone as the compliance officer without giving that person authority, protected time, or a clear reporting pathway.

The issue is not effort.

The issue is sequence.  Much like clinical work, where you start has a major effect on where you end up. 

Compliance work is much easier to manage and is much more effective when you know what needs attention first and start there.

 

So Where Do I Start: Risk Assessment 

Once again, our clinical practices can give us a meaningful structure for compliance processes.  Just as in clinical work, knowing where to start requires assessing where you are right now and knowing where you’re headed.  You would never just start providing treatment–you would assess your client, identify goals, and develop a plan for reaching those goals.

A compliance risk assessment tells you where you are and helps answer the question:

“Where do we need to go and where should we start?”

It is not the same as a session note audit, although documentation may be part of it.

It is not the same as a policy review, although policies may be reviewed.

It is not the same as buying a compliance manual, although policies and procedures may eventually need to be built.

A risk assessment looks across the organization to identify where compliance risk is most likely to occur and where the current systems may not be strong enough to prevent it, detect it, or respond to it.

In ABA, that may include questions like:

  • Are session notes supporting the services billed?
  • Are provider qualifications and supervision requirements being monitored?
  • Are billing practices aligned with payer rules and authorization terms?
  • Are you recruiting staff and clients in compliant ways?
  • Are compliance concerns documented and escalated appropriately?
  • Are policies actually implemented, or do they only exist on paper?
  • Is someone reviewing the work of billers, supervisors, and documentation reviewers?
  • Does leadership have visibility into compliance trends?
  • Are corrective actions tracked to completion?

The goal is not to find every possible flaw.

The goal is to create visibility and a roadmap– a clear picture of where you are and where you need to get to. 

Once you assess, creating a plan to get from where we are to where we need to be becomes much more manageable and a good risk assessment should result in a compliance plan. 

 

The Goal Is Not Perfection

A good compliance program does not mean nothing ever goes wrong.  Remember, there’s no such thing as reaching a state of compliance.

That’s not how healthcare works.

And it is definitely not how ABA works.

Payers and regulators do not expect perfection. But they do expect organizations to take compliance seriously.

They expect systems.

They expect clear plans.

They expect oversight.

They expect documentation.

They expect follow-through.

When something goes wrong, the question is not only:

“What happened?”

It is also:

“Could the organization have known?”

And:

“What did the organization do once they found out?”

 

Signs You May Need a Risk Assessment and a Compliance Plan

A risk assessment may be a good next step if you are thinking things like:

“We know we need to deal with compliance, but we don’t know what that should look like.”

“We have policies, but I’m not sure they match what we actually do.”

“We review notes, but I’m not sure we’re auditing the right things.”

“We have grown quickly and our systems haven’t caught up.”

“We take Medicaid and I’m not sure whether our compliance infrastructure is enough.”

“We keep finding issues after the fact.”

“We have a compliance person, but the role isn’t clearly defined.”

“We want to be proactive, but we don’t know what to prioritize.”

If any of those sound familiar, the problem may not be that you are behind.

The problem may be that you need a clearer map.

 

A Practical Way to Think About Starting

If you are trying to strengthen compliance, resist the urge to start with the biggest binder.

Start with the biggest risks.

For many ABA organizations, that means looking first at:

  1. Session notes
    Do your notes support the service billed?
  2. Billing alignment
    Does the claim match the authorization, provider, code, time, and documentation?
  3. Supervision and qualifications
    Are staff qualified, supervised, and monitored according to payer and regulatory expectations?
  4. Reporting and escalation
    Do staff have a way to raise concerns, and does the organization track what happens next?
  5. Oversight
    Does leadership actively evaluate whether the system is working?

Then, make a plan to correct them. You do not have to fix everything at once.

But you do need to know where you are and where you’re headed.

 

Final Takeaway

If compliance feels overwhelming, that doesn’t mean you are doing something wrong.

It may mean you are trying to build the solution before you have assessed the problem and made a solid plan.

ABA leaders are used to assessment-first thinking in clinical work. Compliance is not so different.

Assess where you are.

Identify where you’re going.

Make a plan for getting there.

That is the purpose of a risk assessment and compliance plan.

It gives you a clearer picture of your current compliance infrastructure, identifies priority areas, and helps turn “I don’t know what I don’t know” into a practical action plan.

If your organization is growing, billing Medicaid, preparing for audits, or simply realizing that informal systems are no longer enough, a risk assessment can help you decide what needs attention first.

Want to learn more, contact us to hear more about ABA Compliance Solutions’ Risk Assessment and Compliance Plan services.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry. We won't share your information.

We hate SPAM. We'll never sell your information.

Categories

Documentation

ABA Session Note Frameworks

Align your team's session notes to what payer reviewers actually look for — before a records request arrives.

LEARN MORE

Membership

The Compliance Collective

Ongoing guidance, tools, and support for the person who said "I'll do it" when compliance needed an owner — and quickly realized compliance is too big for one person to figure out alone.

LEARN MORE