Key Takeaways
- The federal audit cascade is structural, not isolated: Every one of the 100 sampled enrollee-months across Indiana, Wisconsin, Maine, and Colorado contained at least one improper or potentially improper claim, signaling state-level oversight gaps rather than scattered provider misconduct.
- The Office of Inspector General is auditing states, not providers directly: The OIG reviews state Medicaid agencies, but providers must supply medical records, policies, and interviews as part of every audit and bear downstream recoupment exposure when states act on findings.
- Improper payments are not the same as fraud: OIG reports identify documentation deficiencies and unallowable services rather than criminal intent. Fraud, waste, abuse, and error are distinct categories with different legal consequences and different remediation paths.
- Documentation and credentialing are the dominant findings: Auditors flagged session notes that did not support billed time, billing codes that did not match documented activities, missing parental signatures, identical notes across clients, and services rendered by staff without required credentials.
- Federal recoupment recommendations now exceed $123 million across four states: Indiana ($39.4 million), Wisconsin ($12.2 million), Maine ($28.7 million), and Colorado ($42.6 million) have been instructed to refund the federal share of improper payments, with additional state-level recoupments from providers expected.
- Audit pressure is spreading beyond the audited states: On April 21, 2026, CMS Administrator Dr. Mehmet Oz announced that all 50 state Medicaid programs must submit plans to revalidate their providers within 30 days. Eleven states are under additional investigation by the House Energy and Commerce Committee. Commercial payers are watching closely and adopting parallel documentation requirements.
- The path forward is operational: Providers can prepare by reading the published reports, mastering payer-specific policies, building internal pre and post-claim audit processes, training staff continuously on documentation standards, and treating compliance as a culture rather than a checklist.
Inside a packed ballroom at Mandalay Bay during the Council of Autism Service Providers’ 2026 conference, four leaders representing CASP, APBA, and the ABA Coding Coalition walked an audience of clinic owners, board-certified behavior analysts, and policy staff through a presentation that has become unavoidable for anyone providing applied behavior analysis under Medicaid. Mariel Fernandez represented CASP, where she is vice president of government affairs. Chanti Fritzsching Waters represented the Association of Professional Behavior Analysts (APBA). Andi Waks and Jenna Minton represented ProActive Strategies and the ABA Coding Coalition. The subject was the U.S. Department of Health and Human Services Office of Inspector General, the federal auditor whose ABA review has produced four published state reports since late 2024 and recommended more than $123 million in refunds to the federal government.
Their message was direct: the audits are not over, the findings are not anomalous, and the operational expectations of state Medicaid agencies and commercial payers alike will not return to where they were before. “Do the best you can until you know better,” one of the presenters said in closing, paraphrasing Maya Angelou. “And when you know better, do better.”
This is a primer on the OIG audit series, what its findings mean for ABA providers, and the structural changes already underway across the federal audit cascade now reshaping ABA. It is meant to be read alongside the published reports, not in place of them.
What the OIG Audits Actually Examine
The first source of confusion in conversations about the OIG audits is whom the agency is actually auditing. The OIG’s role is to protect the integrity of federal health programs, including Medicare and Medicaid, by investigating allegations, publishing evaluation reports, issuing compliance recommendations, and excluding providers who violate federal law. In the ABA series, the OIG is auditing state Medicaid agencies, not providers. The question being asked is whether each state had policies in place that managed care organizations and providers could understand and follow, and whether the state conducted the program integrity reviews necessary to catch improper payments.
But providers are not bystanders. As part of every audit, the OIG requests medical records directly from a sample of providers, conducts parallel interviews with provider staff, and reviews provider policies against state requirements. Participation is not optional. Provider contracts with Medicaid agencies require cooperation in the event of an audit, and the documentation submitted in that process is what populates the eventual report.
Each audit examines a representative sample of 100 enrollee-months: month-long windows of claims drawn from a sample of beneficiaries and providers. The OIG reviews approved prior authorizations, diagnostic evaluations, ABA referrals, comprehensive ABA assessments, individualized treatment plans, provider licensure and credentials, and the session notes supporting the units of ABA paid. What the OIG does not do is conduct medical-necessity review. The audits ask whether documentation supports what was billed, not whether the underlying service was clinically appropriate.
After the on-site review, the OIG returns to the state Medicaid agency for an exit conference, drafts a report, gives the state 30 days to respond, and then publishes a final report. The 30-day window can, in practice, be revisited multiple times before publication: Colorado’s audit included several rounds of state response before the final report went out. The state is then required to develop a corrective action plan to address the findings. Refusing to act would, in practice, jeopardize federal Medicaid funding for the state.
Improper Payments, Potentially Improper Payments, and the Fraud Distinction
The OIG reports speak in a precise vocabulary that is often elided in media coverage. Two terms do most of the work.
Improper payments are payments that should not have been made or that were made in an incorrect amount under statutory, contractual, or other requirements. Examples include payments to ineligible recipients, payments for ineligible services, duplicative payments, payments for services not rendered, and payments that fail to account for applicable discounts.
Potentially improper payments are payments that may not have complied with requirements but cannot be confirmed one way or the other based on the available documentation. The vast majority of dollars flagged across the four published reports fall into this category. A potentially improper finding does not prove that the service was billed inappropriately. It indicates that the documentation was not robust enough for an auditor to verify that it was billed appropriately.
Neither category is synonymous with fraud. Fraud is an intentional act of deception by a person who knew the deception could result in an unauthorized benefit. Because intent is required, fraud is a criminal matter. Waste is the inappropriate use of services or resources resulting in unnecessary cost, but is not intentional and is therefore not criminal. Abuse describes provider practices inconsistent with accepted business and medical norms that result in unnecessary cost to the program, including the kind of one-size-fits-all 40-hour ABA dosage that has been a flashpoint in the field. Errors are simply mistakes, which payers expect and which providers are obligated to disclose and correct as soon as they identify them.
The presenters were emphatic on this point. The OIG reports do not allege fraud. The federal government, through the Centers for Medicare and Medicaid Services and the Department of Justice, does. That distinction matters because it determines what providers should do in response. A documentation gap is solved by retraining and process improvement. A fraud allegation requires legal counsel. The Point32Health fraud counterclaim against ABA Centers of America is the kind of case that occupies the second category, while OIG findings sit firmly in the first.
The Four Published OIG Audit Reports: Indiana, Wisconsin, Maine, and Colorado
As of April 2026, the OIG has published four state ABA audits. In each case, all 100 sampled enrollee-months contained at least one improper or potentially improper claim. The federal share of recommended refunds totals more than $123 million. The audits cover services delivered between 2019 and 2023, with each state’s audit examining a different window within that range.
Indiana was the first published, on December 16, 2024. The OIG estimated at least $56 million in improper fee-for-service Medicaid ABA payments for 2019 and 2020, with an additional $76.7 million in potentially improper payments. The agency recommended Indiana refund $39.4 million as the federal share. Deficiencies included unsupported CPT code billing, missing or inadequate session notes and signatures, and insufficient state oversight.
Wisconsin followed on July 10, 2025. The OIG identified $18.5 million in improper payments and an additional $94.3 million in potentially improper payments for 2021 and 2022. The recommended federal refund was $12.2 million. Notably, the OIG flagged that all 100 sampled enrollee-months contained session notes that did not include a full description of services, the goals addressed, or the data collected. Wisconsin had not previously conducted statewide post-payment reviews of ABA payments, which the state agency attributed to a 2020 Wisconsin Supreme Court ruling that constrained its ability to recoup payments identified through such reviews.
Maine was published on January 16, 2026. Because Maine reimburses ABA primarily through a single rehabilitative and community support code (HCPCS H2021 with various modifiers under MaineCare’s Section 28), the audit examined RCS services for children diagnosed with autism for calendar year 2023, rather than two consecutive years as in the other state audits. The OIG found at least $45.6 million in improper payments and recommended a federal refund of $28.7 million. The findings closely mirrored the other states: missing comprehensive assessments, missing parent or guardian signatures, and session notes lacking full descriptions of services, goals, or data collected. The Maine audit deep-dive on Acuity walked through the specific compliance failures identified.
Colorado became the fourth published report, completed on February 25, 2026, and the largest. The OIG identified $77.8 million in improper payments and an additional $207.4 million in potentially improper payments for 2022 and 2023, recommending a federal refund of $42.6 million. Colorado disputed several findings, particularly the OIG’s flagging of payments for behavior technicians who lacked Registered Behavior Technician credentials. The state argued that its written rules did not, in fact, require RBT certification, even though state staff verbally told auditors that they did. That gap between stated policy and written policy is one of the most consequential patterns across the four reports.
Three additional state audits in the seven-state series remain unpublished. The OIG does not confirm which states are under audit until each report is published, but officials and providers in Arizona, Louisiana, New Jersey, Maryland, and Minnesota have each indicated they believe their state is part of the audit series. Where each of those audits stands in the OIG’s process is not something the agency has confirmed publicly.
ABA Documentation and Billing Failures Auditors Are Flagging
If there is a single message providers should take from the four published reports, it is that the audits are documentation audits. The clinical question of whether a child needed ABA was not what the OIG examined. The question was whether the records on file substantiated the units billed.
The improper payment findings cluster into three primary categories. The first is ineligible beneficiaries: cases where required documentation, such as the diagnostic evaluation or referral for ABA, was missing entirely, meaning services should not have been authorized in the first place. The second is ineligible or unqualified providers: technicians who did not meet state credentialing requirements, including in some states the requirement to hold an RBT credential, as well as cases where a Board Certified Assistant Behavior Analyst (BCaBA) delivered a service that should have been delivered by a Board Certified Behavior Analyst (BCBA). The third, and largest, is documentation that did not substantiate what was billed.
Within that third category, the patterns are specific. CPT codes were billed that did not match documented activities, including instances where 97153 (one-on-one direct treatment) was billed when the activities described in the note suggested group services that should have been billed under 97154. There were instances where 97155 (protocol modification) was billed for assessment time or for parent training, neither of which the code is meant to capture. Session notes failed to support the time billed, with vague descriptions of activities and durations. Some providers billed scheduled time on fixed nine-to-twelve and twelve-to-three blocks rather than the actual time services were rendered, which auditors flagged as inconsistent with how real-world sessions actually unfold.
Documentation quality itself drew sustained scrutiny. Auditors found notes that were too vague to substantiate active treatment, notes signed before the scheduled session ended, notes whose narrative was identical to other notes in the same record, and notes that referenced the wrong client entirely. Concurrent billing with speech or occupational therapy frequently lacked documentation explaining the overlap. Records indicated children napping during sessions billed at high intensity, sometimes for seven and a half or eight hours of continuous services without breaks for meals or rest. The concurrent billing restrictions now spreading across states are a direct response to these findings.
For CPT-specific requirements, the OIG took a strict reading. If a code requires evidence that a treatment protocol was modified, the documentation must explicitly describe what was modified. “I updated these programs” does not satisfy the requirement. If a code requires a particular qualification level of provider, the rendering provider’s credentials must be documented in a way that ties to the claim line.
97153 session notes, written primarily by behavior technicians, account for the bulk of audited documentation. That tracks the broader spending pattern: per the Indiana ABA Working Group’s November 2025 final report, more than 80 percent of total ABA Medicaid spending in Indiana from 2019 to 2024 was on RBT-delivered individual therapy under code 97153. The implication for providers is that documentation responsibility falls disproportionately on the most junior staff in the clinical hierarchy, and that training cannot be a one-time event at hire.
How States Are Responding to OIG Findings on ABA Medicaid
The four audited states have responded in distinctly different ways, and the unaudited states are responding too. Indiana’s response has been the most aggressive. After the OIG report was published, the state proposed a State Plan Amendment in early 2025 that CMS placed in a formal request for additional information, halting its progress. Following Governor Braun’s Executive Order 25-31 and a 21-member Working Group process that ran from May through September 2025, the state issued bulletin BT202627 on February 26, 2026, with most provisions effective April 1, 2026. The bulletin includes phased rate reductions (6 percent in 2026 and an additional 4 percent in 2027), a 4,000-hour lifetime cap on comprehensive ABA, a minimum standard of up to 18 hours of family guidance every six months under code 97156 (interpreted variably across managed care entities), supervision standards of one hour of qualified healthcare professional time for every eight hours of RBT time, and an accreditation requirement (application by August 1, 2026, full accreditation by October 1, 2027) through either the Autism Commission on Quality or the Behavioral Health Center of Excellence. Indiana is also re-auditing the same dates of service the OIG examined and recouping dollars from providers.
Wisconsin has taken a slower, more deliberate approach, with policy revisions proposed for the next year and re-audits underway. The state’s existing constraints on post-payment recoupment, tied to the 2020 Wisconsin Supreme Court ruling, complicate the implementation path.
Maine has agreed to develop guidance and re-audit claims. Maine’s situation is complicated by its use of a single H code (H2021) with various modifiers to capture different ABA services. The ABA Coding Coalition has formally recommended that Maine adopt the AMA CPT code set to reduce ambiguity.
Colorado tried to pass emergency rules before the OIG report was even published, which would have been procedurally improper because the report was confidential until release. Those rules were delayed. As of CASP 2026, no substantive Colorado changes had passed, but the state is expected to require RBTs for technicians and to add 97156 (family guidance) to the fee schedule, since the OIG report flagged that Colorado required family guidance services consistent with 97156 but did not actually allow that code to be billed.
States that have not been audited are not waiting. Arizona’s Medicaid agency, AHCCCS, announced proposed updates to its ABA policy (AMPM 320-S) in April 2026, with informational webinars for providers held April 15. CASP presenters described the expanded draft as growing from roughly a page and a half to 18 pages, with most of the new content addressing provider eligibility and tightening previous self-referral provisions. Other states are updating medical-necessity considerations, adjusting rates (mostly downward), establishing minimum provider qualifications, and revising beneficiary eligibility criteria.
On April 21, 2026, CMS Administrator Dr. Mehmet Oz announced that all 50 state Medicaid programs would be required to submit plans within 30 days to revalidate their providers, expanding what had previously been a state-by-state inquiry into a national directive. The announcement is not ABA-specific, but ABA sits inside its scope. Earlier in March 2026, CMS had also sent a separate program-integrity letter to Florida’s governor seeking data on Medicare and Medicaid operations, part of a parallel CMS initiative focused on Minnesota, California, Maine, New York, and Florida. Separately, the U.S. House Energy and Commerce Committee has opened investigations into 11 states (Minnesota, plus 10 additional states added in March 2026: California, Colorado, Maine, Massachusetts, Nebraska, New York, Oregon, Pennsylvania, Vermont, and Washington) over program integrity concerns. Where the OIG reports are careful to avoid the language of fraud, the House investigations are not.
Why OIG Findings Are Reshaping Commercial Payer Policy
The most underappreciated implication of the OIG audits, as the CASP presenters emphasized, is that commercial payers are watching. State Medicaid agencies often serve as a guide for commercial payer policy, particularly in states where Medicaid enforcement actions become public. Once Medicaid documentation standards tighten, commercial plans frequently follow with parallel requirements in their next contract cycle. The accountability era arriving for autism care is being driven jointly by federal audits and commercial payer review.
Colorado offers the cleanest example of this pattern. The state’s commercial insurance mandate already specifies the use of RBTs, but commercial payers historically had discretion to enforce or waive that requirement. With the OIG report explicitly flagging non-RBT technicians, the presenters expect commercial payers in Colorado to remove that discretion. Similar dynamics are expected to play out in any state where the OIG audit identifies a documented gap between what was supposed to happen and what actually happened.
The same logic applies to documentation standards more generally. Commercial plans negotiating new rates or new contract language can point to OIG findings as justification for more rigorous session-note requirements, prior authorization conditions, and post-payment audit clauses. Providers operating across both Medicaid and commercial books should expect tightening on both sides simultaneously.
How ABA Providers Should Prepare for an OIG or State Medicaid Audit
If the audits are documentation audits, the response is documentation discipline. The CASP presenters offered a practical playbook organized around several principles.
Read the published reports.
The four published OIG reports are, in effect, training documents. They describe in detail what auditors flagged, what they expected to see, and what was missing. Providers who treat the reports as a compliance curriculum rather than as headlines about other states will be in a much stronger position when their own state acts.
Know your payer requirements at the level of session-note detail.
Many providers, the presenters noted, do not have current copies of their state Medicaid policies, their MCO policies, or their commercial payer policies. In a state with multiple MCOs administering the Medicaid benefit, providers need all of them, because the requirements differ. Once a contract is signed, the obligation to know the policy lies with the provider, not with the payer to push updates.
Build internal pre-claim and post-claim audit processes.
Pre-claim scrubs catch billing errors before submission. Post-claim audits, conducted on a sample of paid claims, identify systemic patterns that need correction. The OIG’s central recommendation to every audited state is that the state begin doing post-payment reviews. Providers who do their own version of those reviews internally are better positioned to identify and fix problems before an external auditor does.
Train, retrain, and document the training.
Because so many OIG findings concern 97153 session notes written by behavior technicians, training must reach the team level and be repeated when codes, payer policies, or state rules change. Documentation of training is itself a compliance artifact. The CASP session-note templates are a starting point, not a substitute, and the presenters emphasized that providers must train staff on how to use the templates accurately, not just distribute them.
Know the difference between protocol modification, supervision, and direction.
Several states have used the term “supervision” loosely to capture activities that may or may not be billable, while the coding coalition that wrote the AMA CPT codes intended a more specific meaning. Providers should use the term “direction” when describing the face-to-face work of 97155, and should know whether their specific payer requires that protocol modification involve an actual modification (some do) or simply be made available (the original intent of the code).
If you receive an audit notice, read it carefully and consider counsel.
Audit timelines and appeal rights are real and consequential. One presenter recounted a case in which a missed letter at the start of the COVID-19 pandemic resulted in a four-month review window expanding into a two-year retrospective audit that cost roughly $500,000. Documentation, contemporaneous records of phone calls and reference numbers, and prompt legal advice can substantially reduce the eventual cost of an audit.
The Maturation of an ABA Industry Built Without Oversight
The expansion of Medicaid coverage for ABA over the past 12 years has been extraordinarily fast. As recently as 2014, only about five states included ABA as a meaningful Medicaid benefit, and most of those did so under the threat of litigation tied to the Early Periodic Screening Diagnosis and Treatment program. The CMS guidance that followed in July 2014 made coverage effectively universal. The 50-state expansion that followed was, in many cases, executed by states that had not built the policy infrastructure to manage a benefit of its eventual size. Spending followed accordingly. Indiana’s total ABA Medicaid spending grew from roughly $21 million in 2017 to $611 million in 2023, according to the state’s ABA Working Group report. Colorado’s fee-for-service ABA payments grew from $60.1 million in 2019 to $163.5 million in 2023, according to the OIG. The evidence behind the dosage debate sits underneath those numbers, but the immediate driver of the audits is simpler: states approved benefits without the documentation rules to administer them rigorously, and that gap is being closed in retrospect.
The published OIG reports have not, on their own, alleged criminal activity. But they have produced a catalog of structural weaknesses that, in the words of OIG staff, create the conditions for fraud, waste, and abuse to thrive. As state-level enforcement intensifies, providers in Massachusetts facing six-figure recoupments are encountering the leading edge of what the audited states are now beginning to do at scale.
For providers committed to clinical quality, the path forward is one the field has long needed and has historically resisted. Outcomes measurement, documentation standards, and verifiable provider credentials are the building blocks of a durable benefit. The CASP presenters did not characterize the audit cycle as punitive. They characterized it as a maturation step. “Do the best you can until you know better,” the closing line ran. “And when you know better, do better.”
