Built to survive the audit you hope never comes.
For an ABA clinic, compliance isn't a feature bolted onto a note app — it's the product. The HHS-OIG is auditing Medicaid ABA state by state, and the pattern is brutal: 100 of 100 sampled enrollee-months came back with an improper claim line in Indiana and Wisconsin, and 93 of 100 in Colorado. Session notes are the kill zone. Every finding in that audit wave has a specific design answer on this page — not a policy promise, a mechanism.
HHS-OIG: Colorado $77.8M improper, Indiana $56M, Maine $45.6M, Wisconsin $18.5M confirmed + $94.3M potential.
Sampling-based QA doesn't survive a line-by-line audit. Missing notes, invalid signatures, unsupported units.
Recoupments reach back 6–24 months and extrapolate a sample across the whole period. This is when, not if.
The through-line of this page: humans stay on every gate that matters. The RBT signs every note, reviewers handle exceptions, the biller presses submit. Agents draft and check — humans commit.
Payer rules are data, not code
The clinic's core pain today: a payer changes a requirement, and the note engine needs a software deploy to catch up. The new PraxisNotes makes every payer's note requirements a versioned, clinic-editable rule pack — the same pack drives both the writer agent and the reviewer agents. A rule change is an edit with an effective date, not a release. That's how one product serves Florida Medicaid, five managed-care plans, TRICARE, and commercial payers at once.
payer_plan Florida Medicaid — Sunshine Health (SMMC) cpt_code 97153 · adaptive behavior treatment by protocol version v4 · effective 2024-12-01 → present required_elements date · time · location · duration maladaptive behaviors observed replacement skills targeted response to interventions protocol modifications / directions parent-absence explanation participants present (7 mandatory) timeliness sign + date ≤ 2 business days from service telehealth_pos direct 97153 telehealth not covered co_signature BCBA co-sign: per contract (not default) narrative_rules depth ∝ session length · data ≠ narrative individualized · anti-cloning check on unit_math 8-minute rule · units = minutes ÷ 15 remainder ≥ 8 min → +1 unit retention ≥ 5 yr (FL) · default to longest applicable
The writer agent reads the pack to compose a complete note; the QA agent reads the same pack to verify one. They can never drift apart, because there is only one source of truth.
Every pack carries effective dates. A note is checked against the pack that was in force on its date of service — so a July rule change never retroactively fails a June note.
How a pack is layered
Requirements stack. A note inherits from the state floor up through the plan, the clinic's own house standard, and finally the agent's writing style. Most-specific wins — but a compliance rule always beats a style rule. Style can make a note read better; it can never relax a payer requirement.
The §6.2.4 seven mandatory elements, the 8-minute unit rule, the 2-business-day signature rule. Managed-care plans may not go below this.
Sunshine, Aetna, Humana, Molina, United each add their own PA portals, EVV posture, and claim edits on top of the state floor. Optum adds stop-clock timestamps; TRICARE adds the full-name and supervisor rules.
The clinic can require more than any payer — a house rule that every note names two goals, or that notes sign within 24 hours instead of two days. Org rules tighten, never loosen.
The writer agent's voice — clinical register, sentence rhythm, how progress is narrated. This is the only layer that is preference, not law, and it yields to every layer above it.
Real packs, real payers
These aren't illustrative. Each is a live requirement pulled from the payer's own documentation — the kind of rule that recoups money when a note misses it, and the kind the clinic edits centrally instead of asking engineering to redeploy.
| Payer | The rule that trips notes | What the pack enforces |
|---|---|---|
| Florida Medicaid | 7 mandatory session-note elements (§6.2.4); sign & date within 2 business days; an explanation is required whenever the parent or guardian is not present. | Completeness gate on all 7 fields; a hard prompt for the parent-absence reason before signing; a 2-day signature clock with escalating nudges. |
| Optum / UHC | Start/stop times for every code billed; fresh timestamps after any break ≥ 12 minutes or a code switch; NPI + taxonomy for billing and rendering must match the note (2026 enforcement, informational edits since Oct 2025). | Time blocks split automatically on breaks and code changes; renderer NPI/taxonomy validated against the claim before the packet is marked ready. |
| TRICARE | 15 core elements; client's full name (initials insufficient); supervisor name on RBT notes; a missed 1×/month 97155 supervision triggers a 10% auto-recoupment on all that client's ABA claims for the whole 6-month authorization. | Full-name field enforced; supervisor credential pulled onto every RBT note; a monthly-supervision counter surfaced to the BCBA before the window closes. |
| Cigna / Evernorth | At a continued-treatment request, quantitative data must be no older than 60 days — both before the request's start date and before the payer receives it (policy EN0499). | Data-currency check on reauthorization packets; stale data flagged for refresh before the request assembles. |
| Anthem / BCBS | Entry at time of service or shortly after, not to exceed 30 days; signature within 30 days of the date of service; member ID on every page of the record; start and stop times required. | A 30-day entry/signature ceiling; member ID stamped on each page at export; start/stop enforced as a required field. |
One rule set per payer, held side by side. The February 2025 managed-care carve-in multiplied this variance — which is exactly why hard-coding "Florida Medicaid" would already be obsolete, and why packs-as-data is the scaling answer.
A bulletin arrives on a Tuesday
What happens today versus what happens on the new PraxisNotes — the whole difference the clinic is buying.
A plan tightens a note requirement, effective next month.
A form, not a deploy. Set the new element, set the effective date, save.
Writer and reviewer agents enforce it on the next note. No release, no downtime.
See what last month's notes would have flagged under the new rule — before it bites.
The life of a note, on the record
A note isn't a text field — it's a state machine where every transition is attributed and immutable. This is the structure that answers an auditor's first question, "who authored this note, and when?", without anyone having to reconstruct it later.
- Attribution. Each version records whether the change came from the AI draft or a human hand — the audit trail regulators expect (HIPAA 45 CFR 164.312(b) audit controls).
- Immutable. Transitions are append-only. A post-signature amendment is a new, attributed version, not an overwrite.
- Full lineage kept 7+ years. Draft → each edit → signature → any amendment, retained past both the BACB 7-year and Florida 5-year floors — we default to the longest applicable.
- Role validated against the CPT code. Only a credential authorized for that code can sign — an RBT can't sign a 97155 that requires a BCBA.
- Timestamp constrained after session end. The signing clock can't run before the session is over — the constraint is structural, not a policy note.
- A real e-sign stamp. "Signed electronically by [name, credential] on [datetime]" — authenticated to that person, never a pasted image, never a shared login.
Every finding, a mechanism
The HHS-OIG Colorado report (A-09-24-02004) is the fullest picture of what auditors do to ABA documentation. We took its deficiency list and its siblings from Indiana and Wisconsin and built a specific design answer for each. The left column is what auditors found. The right is why they can't find it here.
| What auditors found | The design answer |
|---|---|
| Missing notes entirely — 26 of 100 Colorado enrollee-months had no note behind a paid line. | Notes exist before billing by construction — no note, no packet. A claim can't reach the biller's queue without a signed, reviewed note attached. |
| Invalid or pasted signatures — no signature, billing staff pasting stored signature images, typed "signatures" with no e-sign indication. | Authenticated per-user credentialed e-sign. No images, no shared logins, no billing-staff signing. The signature belongs to the rendering provider or it doesn't exist. |
| Notes signed before the session ended — by as much as 1 hour 44 minutes, calling into question whether the session even happened. | The signature timestamp is constrained after session end. Signing early isn't discouraged — it's impossible. |
| Cloned or verbatim notes — entries duplicating the prior session's note word for word. CMS treats cloned documentation as falsification of the medical record. | A cross-note similarity check runs before signing — against the client's own history and the org corpus — and blocks look-alikes. Per-session variance is a compliance feature, not a style choice. |
| Unsupported units — units exceeding the documented time, and double-billing during another service. | 8-minute-rule math reconciled against captured start/stop times. Units can't disagree with the clock, and overlaps with the RBT's other sessions are detected. |
| Services that weren't therapy, billed as therapy — nap time, meals, and academic time counted as billable ABA (the headline Indiana finding). | Excluded-content detection reads the narrative and flags nap, meal, and academic time before the note is signed — routing it to the RBT, not the claim. |
| RBT notes missing supervisor credentials — 18 of 100 Colorado enrollee-months failed on credentials. | The supervisor's name and credential are a rule-pack element, pulled onto every RBT note and enforced on 100% of them — not sampled. |
This is the QA agent's job description written as a checklist — and every line has a regulator citation behind it. Enforcement runs on 100% of notes before billing, with humans handling only the exceptions the agent flags. That's the "scale QA without scaling QA headcount" story, made concrete.
Voice, done carefully
Voice is the whole unlock — and also the place a careless product would create legal exposure. So we drew a hard line and designed to the strict side of it.
The RBT dictates their own voice — push-to-talk, near-field mic, tuned to the speaker. This is not room recording. In an all-party-consent state like Florida, ambient recording of a session with a minor client is a legal minefield: intercepting others' speech without every party's prior consent is a third-degree felony under Fla. Stat. § 934.03. An RBT recording their own speech is not an interception. So we simply don't do room audio — push-to-talk near-field capture is a compliance feature, not just a UX choice.
Transcribe, generate, then auto-delete the raw audio within days. Only the signed note is the permanent record. Every retained layer grows the breach and discovery surface — so we keep the fewest possible.
AI-use and recording consent is documented at intake, per the BACB RBT Ethics Code §2.06 and Ethics Code §2.11 — re-confirmed annually and surfaced in-app, with a non-AI path offered.
A bilingual RBT can dictate in Spanish, Creole, any language, and the note composes in compliant clinical English. To keep the signed record honest, the transcript is shown beside the draft for the RBT to verify before signing, speech-to-text confidence is logged, and low-confidence segments escalate a quick question instead of guessing. The RBT signs what they actually reviewed — because they, not the model, own the record.
after session end · role valid for 97153
HIPAA posture and AI governance
PHI touches several systems on the way to a note. Each hop is governed, minimized, and logged — and the whole accountability model matches exactly where regulators are converging.
Business associate agreements with every vendor that touches PHI — the LLM provider on zero-data-retention endpoints (Claude API or OpenAI API), the speech-to-text provider (AssemblyAI or Deepgram), and hosting. Without a signed BAA, an API call with PHI is an impermissible disclosure — so no PHI flows before the chain is in place.
The note-generation agent receives session-scoped fields — client ID, goals, session data — not the whole chart. Any analytics or tuning runs on de-identified data. Every AI call is metered and logged from day one.
An RBT sees only their own caseload. Access is scoped by role and relationship — the same permission model that gates every surface in the platform.
AI-vs-human attribution on every version — the HIPAA 164.312(b) audit control and the direct answer to "who authored this note?" in an audit, kept as append-only history.
The accountability rule regulators are converging on — FSMB and AMA principles, California's AB 3030 pattern: AI may draft, but a licensed or credentialed human reviews and signs before it counts. That's exactly the product's shape, not a compromise bolted on.
CASP guidance is honored: don't assume payers permit AI-assisted notes. We help the clinic proactively describe the workflow to its payers, tag AI-assisted notes internally, and always offer a non-AI path.
What v1 won't do — on purpose
This artifact wins trust by being honest. A few capabilities are deliberately out of v1 because they carry legal or clinical risk that isn't worth taking early — and a few questions are genuinely open, to settle with the clinic.
Not in v1 Deliberately deferred — each has a specific risk
Open questions for the clinic Decisions we make together, not for you
When the auditor asks "who wrote this, and when?" — the record already answers.
Rule packs that update in minutes, a note lifecycle that can't be signed too early or cloned, a design answer for every finding in the audit wave, and a human on every gate that matters. That's what audit-ready looks like when it's built in, not bolted on.
See the code it's built on →