Applied Behavioral Analysis Services (ABAS)

ABAS Compliance Program

Policies, standards, and program documents
POL-003-SOP

Compliance Ticket Management SOP and Checklists

Version 1.0Approved by Benjamin Chouinard · 2026-07-01Review cycle: Annual

Overview

This Standard Operating Procedure operationalizes POL-003: Compliance Reporting, Investigation, and Resolution. It defines required actions, owners, timelines, and documentation standards for managing compliance tickets.

Ticket volume assumption: Low volume (fewer than 25 tickets per year).

Oversight model: Compliance Officer with Compliance Committee governance.

Tools: OSticket (primary ticketing system), anonymous reporting web form (https://anonymous.abaswma.com/), HIPAA-compliant cloud storage.

Roles

Role Responsibilities
Compliance Officer (CO)Owns the compliance ticketing process. Performs triage. Assigns Case Owners. Determines escalation and reporting obligations. Approves case closure.
Case Owner / InvestigatorManages day-to-day investigation activities. Maintains working case documentation. Develops findings and corrective actions.
Compliance CommitteeReviews high-risk, sensitive, or systemic cases. Reviews trends and aggregate reporting.

Lifecycle Steps

Step 1: Intake and Logging (Day 0-1)

Owner: Compliance Officer or designee

Actions:

  1. Create a compliance ticket immediately upon receipt of a concern. For submissions received through the anonymous web form (https://anonymous.abaswma.com/), the email notification to the compliance monitor serves as the initial receipt. The compliance monitor logs the ticket in OSticket (manually or via auto-routing).
  2. Assign a unique Ticket ID (generated by OSticket upon ticket creation).
  3. Capture the original narrative verbatim.
  4. Record intake source and date/time.
  5. Restrict access to intake record.

Checklist:

Artifact: Unredacted Intake Record (Form 1)


Step 2: Triage and Risk Classification (Within 1-2 Business Days)

Owner: Compliance Officer

Actions:

  1. Assess credibility and urgency.
  2. Identify applicable oversight bodies (MassHealth, commercial payers, HIPAA, or the MA Board of Allied Mental Health).
  3. Assign risk level (Low / Medium / High / Critical).
  4. Assign Case Owner.
  5. Determine need for interim controls.

Checklist:

Artifact: Triage and Risk Classification Form (Form 3)


Step 3: Redaction and Working Case Creation

Owner: Compliance Officer

Actions:

  1. Create a redacted working version of the intake.
  2. Remove reporter identity unless required by law.
  3. Remove unnecessary PHI or identifiers.
  4. Preserve original intake separately.

Checklist:

Artifacts: Redacted Working Case File, Redaction Log (Form 2)


Step 4: Aggregation and Pattern Review

Owner: Case Owner

Actions:

  1. Review prior compliance tickets for related issues.
  2. Determine whether issue is isolated or systemic.
  3. Document related ticket IDs.
  4. Escalate to Compliance Committee if systemic risk is identified.

Artifact: Aggregation and Pattern Review Form (Form 4)


Step 5: Investigation

Owner: Case Owner / Investigator

Actions:

  1. Document investigation plan and scope.
  2. Collect and preserve evidence.
  3. Conduct interviews if applicable.
  4. Maintain evidence log.
  5. Separate factual findings from analysis.
  6. Disclose any conflict of interest and recuse if necessary (per POL-003, Section 5.5).
  7. Recommend referral to outside counsel if the matter exceeds in-house capabilities or involves potential legal liability.

Checklist:

Artifacts: Investigation Plan (Form 5), Evidence Log (Form 6), Interview Summaries (Form 7)


Step 6: Findings Determination

Owner: Case Owner, reviewed by Compliance Officer

Actions:

  1. Classify each allegation as substantiated, unsubstantiated, or inconclusive.
  2. Reference supporting evidence.
  3. Cite applicable policy or regulatory standards.

Artifact: Findings Summary (Form 8)


Step 7: Resolution and Corrective Action

Owner: Compliance Officer

Actions:

  1. Identify root cause.
  2. Develop Corrective Action Plan (CAP) for substantiated findings.
  3. Assign owners and deadlines.
  4. Define verification method.

Checklist:

Artifact: Corrective Action Plan (Form 9)


Step 8: Notification and Reporting

Owner: Compliance Officer

Actions:

  1. Identify internal notification recipients.
  2. Complete required notifications.
  3. Determine external reporting obligations.
  4. Document reporting or non-reporting decisions with rationale.

Checklist:

Artifacts: Notification Log (Form 10), External Reporting Record (Form 11)


Step 9: Closure and Follow-Up

Owner: Compliance Officer

Actions:

  1. Confirm investigation completion.
  2. Confirm CAP completion or scheduling.
  3. Complete closure summary.
  4. Schedule follow-up monitoring if required.

Checklist:

Artifact: Case Closure Summary (Form 12)

Record Retention

Compliance tickets and associated documentation are retained for a minimum of six to ten years, depending on issue type and applicable regulatory requirements. Records are stored securely with role-based access controls.

Forms Reference

All forms referenced in this SOP are maintained in the Compliance Ticket Forms and Templates Pack (CFM-005):

Form Title
Form 1Compliance Intake Form (Unredacted, Restricted)
Form 2Redaction Log
Form 3Triage and Risk Classification Form
Form 4Aggregation and Pattern Review Form
Form 5Investigation Plan Template
Form 6Evidence Log
Form 7Interview Summary Template
Form 8Findings Summary
Form 9Corrective Action Plan (CAP)
Form 10Notification Log
Form 11External Reporting Record
Form 12Case Closure Summary