Applied Behavioral Analysis Services (ABAS)

ABAS Compliance Program

Policies, standards, and program documents
POL-003

Compliance Reporting, Investigation, and Resolution

Version 1.0Approved by Benjamin Chouinard · 2026-07-01Review cycle: Annual

Purpose

This policy establishes a consistent, confidential, and auditable process for the intake, review, investigation, resolution, and closure of all compliance-related concerns at ABAS. It ensures that compliance issues are identified early, investigated objectively, resolved with appropriate corrective action, and documented to a standard sufficient to demonstrate an effective compliance program.

Scope

This policy applies to all ABAS employees and any individual who reports or is involved in a compliance concern. It covers all compliance-related issues regardless of source or program area, including:

All compliance concerns are managed under a single framework due to shared risk exposure across programs.

Definitions

Term Definition
Compliance TicketA logged record of a compliance concern, tracked from intake through resolution and closure.
Case OwnerThe individual assigned by the Compliance Officer to manage the day-to-day investigation of a specific compliance ticket.
Corrective Action Plan (CAP)A documented set of steps to address the root cause of a substantiated compliance finding and prevent recurrence.
TriageThe initial assessment of a compliance concern to determine credibility, urgency, risk level, and appropriate response.
SubstantiatedA finding supported by evidence that a violation of law, regulation, or ABAS policy occurred.
UnsubstantiatedA finding where the investigation did not produce sufficient evidence to confirm a violation occurred.
InconclusiveA finding where the available evidence is insufficient to reach a determination either way.
Redacted RecordA working copy of the intake record with reporter identity, unnecessary PHI, or irrelevant identifiers removed.

Policy Statement

5.1 Guiding Principles

All compliance activities conducted under this policy follow these principles:

Non-retaliation. ABAS prohibits retaliation against any individual who reports a compliance concern in good faith. This protection applies regardless of whether the concern is ultimately substantiated. Any employee who believes they have experienced retaliation for making a report should notify the Compliance Officer or, if the concern involves the Compliance Officer, the Executive Director. Confirmed retaliation will result in disciplinary action, up to and including termination.

Confidentiality. Information related to compliance concerns is shared strictly on a need-to-know basis. Reporter identity is protected to the extent permitted by law.

Minimum necessary access. Access to compliance records is limited to individuals required to perform assigned duties related to the concern.

Timely response. Compliance concerns are reviewed and addressed promptly, within the timelines defined in the companion SOP (POL-003-SOP).

Objectivity. Investigations are conducted in good faith, without bias, and based on documented evidence.

Documentation. All decisions, actions, and outcomes are documented.

Follow-through. Corrective actions are tracked through completion and verified.

5.2 Intake and Logging

All compliance concerns must be logged as a compliance ticket upon receipt, regardless of perceived severity or credibility. Accepted intake sources include:

  1. Internal employee reporting (named or anonymous)
  2. Client or family reporting
  3. Audit findings
  4. External inquiries or complaints
  5. System- or process-detected incidents

An unredacted intake record is created and stored with restricted access. The original narrative is preserved verbatim and is not altered. Anonymous reports are accepted and investigated to the same standard as named reports. Anonymous concerns may be submitted through the ABAS anonymous reporting form (https://anonymous.abaswma.com/). Submissions are routed to the compliance monitor and logged through the compliance ticketing system (OSticket).

5.3 Triage and Risk Classification

Within one to two business days of intake, the Compliance Officer performs an initial triage to:

  1. Assess credibility and urgency.
  2. Identify applicable regulatory or oversight bodies (MassHealth, commercial payers, HIPAA, or the MA Board of Allied Mental Health).
  3. Assign a risk level: Low, Medium, High, or Critical.
  4. Assign a Case Owner.
  5. Determine whether interim controls are required to prevent ongoing harm.

All triage decisions are documented.

5.4 Redaction and Working Case Creation

A redacted working version of the intake record is created for investigation purposes. The redacted version removes reporter identity (unless required by law), unnecessary PHI, and irrelevant employee identifiers. The unredacted intake record remains preserved separately and is not edited. A redaction log documents what was removed and why.

5.5 Investigation

An investigation plan is documented before substantive review begins. The plan includes the scope of investigation, evidence sources, interview plan (if applicable), and whether HR or legal consultation is required.

Evidence is collected, date-stamped, preserved, and stored securely. Findings are documented as substantiated, unsubstantiated, or inconclusive, with reference to applicable policies or regulations.

Conflict of interest. If the Compliance Officer, Case Owner, or any individual involved in the investigation has a personal or professional relationship with the subject of the investigation that could compromise objectivity, they must disclose the conflict and recuse themselves. The Compliance Officer will reassign the investigation. If the conflict involves the Compliance Officer, the Executive Director will designate an alternate investigator.

Outside counsel. For matters that are beyond the capabilities of in-house employees, involve potential legal liability, or require privileged investigation, the Compliance Officer may recommend referral to outside counsel. The Executive Director approves outside counsel engagements.

5.6 Resolution and Corrective Action

For substantiated findings, a Corrective Action Plan (CAP) is developed. Each CAP includes:

  1. Specific corrective actions tied to the root cause.
  2. A responsible owner for each action.
  3. A target completion date.
  4. A defined verification method to confirm the action was effective.

Corrective actions may include policy revisions, training, system changes, disciplinary action, or monitoring controls. The Compliance Officer tracks all CAPs through completion.

5.7 Notification and Reporting

Internal notifications are made on a need-to-know basis and documented. Where required by law or regulation, external reporting to regulators, payers, or other authorities is completed within applicable timeframes and documented. Decisions not to report externally are also documented with rationale.

5.8 Closure and Follow-Up

A compliance ticket may be closed only when:

  1. Investigation activities are complete.
  2. Corrective actions are implemented or scheduled with confirmed owners and deadlines.
  3. Required notifications are completed.
  4. Documentation is finalized.

Closure is approved by the Compliance Officer. Post-closure monitoring is conducted for higher-risk cases to verify the effectiveness of corrective actions.

5.9 Aggregation and Pattern Review

Prior to closing a case, the Case Owner assesses whether the issue relates to prior compliance tickets or indicates a recurring or systemic problem. Related ticket identifiers and pattern determinations are documented. The Compliance Committee reviews systemic or recurring issues as part of its quarterly oversight.

Procedures

Responsibilities

Role Responsibility
Compliance OfficerOversees the full ticket lifecycle. Performs triage. Assigns Case Owners. Determines escalation and reporting obligations. Approves closure. Tracks CAPs.
Case Owner / InvestigatorConducts assigned investigations. Maintains investigation records. Develops findings and corrective action recommendations.
Compliance CommitteeProvides oversight for high-risk or systemic cases. Reviews trends and aggregate data. Supports corrective action planning.
Executive DirectorApproves outside counsel engagements. Serves as alternate reporting path when concerns involve the CO.
All ABAS EmployeesReport compliance concerns promptly through established channels. Cooperate with investigations.

Steps

Detailed step-by-step procedures, timelines, and operational checklists are maintained in the companion document: POL-003-SOP: Compliance Ticket Management SOP and Checklists.

The SOP covers:

  1. Intake and logging (Day 0-1)
  2. Triage and risk classification (within 1-2 business days)
  3. Redaction and working case creation
  4. Aggregation and pattern review
  5. Investigation
  6. Findings determination
  7. Resolution and corrective action
  8. Notification and reporting
  9. Closure and follow-up

Standardized forms and templates supporting each step are maintained in the Compliance Ticket Forms and Templates Pack.

Training Requirements

All ABAS employees must receive training on this policy during onboarding and as part of annual compliance refresher training. Training must cover how to report a compliance concern, the non-retaliation protections available, and what to expect after a report is made. The Compliance Officer and any employees who may serve as Case Owners must receive additional training on investigation procedures, evidence handling, and documentation standards.

Reporting and Enforcement

Any ABAS employee who becomes aware of a potential compliance violation must report it to the Compliance Officer or through the anonymous reporting mechanism. If the concern involves the Compliance Officer, reports should be directed to the Executive Director. ABAS prohibits retaliation against anyone who reports a concern in good faith (see Section 5.1). Failure to report a known compliance concern, or interference with a compliance investigation, may result in disciplinary action, up to and including termination.