How to Implement Behavioral Health Compliance Best Practices

Navigating the world of behavioral health compliance can prove challenging. But going out of compliance can cause a lot of frustration and cost your organization real dollars, taking that money away from your ability to provide services. To help you better manage your organization’s various compliance needs, let’s delve into what behavioral compliance entails and some best practices to keep in mind.

Understanding behavioral health compliance

Demand for behavioral health services continues to grow across the United States. Over recent years, more adults have reported experiencing mental health challenges such as anxiety and depression. In fact, by 2024, 43% of American adults indicated they felt more anxious than they did the previous year. As more individuals seek support from behavioral health organizations, these providers are grappling with the pressure to scale services while maintaining strict compliance standards.

Significant federal regulatory changes introduced in 2024 compound this pressure. Early in the year, updates to 42 CFR Part 2 strengthened privacy protections for individuals receiving substance use disorder (SUD) treatment from federally assisted programs. Later, in September, the Mental Health Parity and Addiction Equity Act (MHPAEA) was amended to prohibit health plans and insurers from limiting access to mental health or SUD benefits in ways that differ from physical health benefits.

While these reforms are a positive step toward expanding access and safeguarding patient privacy, they also introduce new layers of complexity for compliance officers, administrators, and frontline behavioral health professionals. As referrals to services increase, so too does the burden of navigating evolving regulatory expectations.

This complexity is more than just operational — it carries real consequences. Non-compliance can lead to severe financial penalties and reputational damage. Consider HIPAA as an example: violations classified as “unknown” may incur fines starting at $100 per infraction. However, repeated offenses can total up to $25,000 annually, and in cases of willful neglect that go uncorrected, penalties can reach as high as $1.5 million per year.

Behavioral health compliance challenges

In this section, we’ll review the top behavioral health compliance challenges. Some of these challenges are common occurrences that can crop up despite staff’s best efforts. Others are less common but are good to be aware of nonetheless.

Documentation

Documentation integrity involves the accuracy of the complete health record. It includes information governance, patient identification, and validation of authorship, amendments, and record corrections (CMS, 2016). Medical record information quality and integrity issues can create potential concerns about patient safety, quality of care, and compliance.

Accurate and timely medical record documentation:

• Facilitates diagnosis and treatment
• Communicates pertinent information to other caregivers to ensure patient safety
• Supports optimal care delivery and patient outcomes

Common deficiencies in medical records documentation include incompleteness, inaccuracy, and inconsistency. Incomplete, inaccurate, or inconsistent medical record documentation increases the risk of medical errors and legal liability. Failure to document changes in a patient’s health status or treatments can lead to miscommunication among caregivers and can potentially cause dangerous errors.

Billing and coding

Billing and coding issues can often lead to healthcare fraud. This type of fraud can take different forms. Although the context of each form may vary according to the type of provider, they can all be labeled as follows:

• Upcoding: This assigns a more costly procedure with a higher reimbursement rate than is necessary. An example would be billing for a behavior treatment that allowed multiple technicians to address destructive behavior when the client’s behavior did not require that level of intervention.
• Downcoding: This can show false client improvement and allow the assignment of benefits for behavioral improvement that would not otherwise be allotted. A benefit of downcoding for fraudulent billers would be that it may allow additional treatment time over what is necessary.
• Separating Procedures or Unbundling: This action breaks down a session into multiple treatments and bills them separately instead of as one complete session. This may look like billing for an assessment, a team meeting, and then for parent training when it should have been billed as one complete session.
• Duplicate or Double Billing: Billing for multiple sessions or assessments when only one was provided. This can also mean that a behavior technician and BCBA are billing for the same services simultaneously.
• Canceled Services: If a session is canceled, these are sometimes billed as completed services, which is fraudulent.
• Phantom Billing: This is billing for a service that was not performed. This can be an assessment or an entire session that is billed but not fulfilled.
• Unnecessary Treatments: This is completing unnecessary medical services, such as implementing a behavioral treatment plan for a person who does not meet the qualifications for treatment and billing the client for the services.

Telehealth

Navigating behavioral health compliance in telehealth can be complex due to the lack of a centralized federal framework. While federal guidelines, such as HIPAA and reimbursement rules from the Centers for Medicare & Medicaid Services (CMS), set the baseline, telehealth and telemedicine standards are largely governed by state regulatory boards. These boards oversee both in-person and virtual care, meaning providers must align with varying state-specific policies and meet federal compliance requirements.

Telehealth regulation remains largely decentralized, however. For behavioral health providers, staying compliant involves continuously monitoring both federal and state-level changes. Resources like the Federation of State Medical Boards (FSMB) and the Center for Connected Health Policy offer up-to-date summaries of telemedicine regulations, including reimbursement policies and pending legislation, helping organizations maintain behavioral health compliance across jurisdictions.

Anti-kickback

Anti-kickback laws and safe harbor provisions prohibit the knowing and willful payment of “remuneration” to induce or reward patient referrals or the generation of business involving any item or service payable by the federal health care programs (e.g., drugs, supplies, or health care services for Medicare or Medicaid patients).

Violators are subject to criminal penalties and administrative sanctions, such as:

• Jail terms
• Fines — Under the Civil Monetary Penalties Law (CMPL), fines could be up to $50,000 per kickback plus three times the amount of remuneration.
• Exclusion from participation in the federal healthcare program — Hospitals that violate the anti-kickback statute may lose their tax-exempt status.

A safety net for providers is to check whether a particular activity must fit squarely within the safe harbor provisions and satisfy all its requirements. To learn more about additional safe harbors, visit the “OIG’s Safe Harbor Regulations” site. Some safe harbors address:

• Personal services
• Rental agreements
• Investments in ambulatory surgical centers
• Payments to bona fide employees

Using marketing tactics to make unsolicited contact with beneficiaries to refer or prescribe unnecessary services for which the defendant received kickbacks. Examples include:

• Genetic testing
• Prescription medications
• Durable medical equipment

Kickback and self-referral statutes can surprise health professionals because they prohibit conduct that may not be considered illegal in other business contexts. Clinicians are in key positions to recognize these types of fraud.

Implementing a behavioral health compliance program

According to the Office of the Inspector General (OIG) of the Department of Health and Human Services, an effective compliance program must include seven elements. Let’s check how digitizing each aspect of the program can improve your compliance officer’s workflow and your program’s effectiveness.

1. Written policies and procedures: Digitizing written policies and procedures allows for easier dissemination, updates, and tracking. Compliance officers can quickly distribute and update policies, ensuring staff can access the most current information immediately.
2. Compliance oversight: Digital platforms can facilitate communication and collaboration among compliance officers and committee members, streamlining decision-making processes and providing a centralized platform for documentation and discussions.
3. Education and training: Digital training and education platforms enable compliance officers to deliver, track, and manage staff training efficiently. This can reduce administrative burdens and allow more flexible and convenient employee training options.
4. Effective lines of communication: Digital communication tools enable compliance officers to establish efficient channels for reporting and addressing compliance issues. This can streamline the reporting process and ensure compliance-related communication is documented and easily accessible.
5. Internal monitoring and auditing: Digitizing monitoring and auditing processes allows for efficient collection and analysis of compliance data. Compliance officers can use digital tools to automate data collection, perform real-time monitoring, and generate reports, thus improving the efficiency of compliance monitoring.
6. Enforcement and discipline: Digital documentation and tracking can aid in enforcing compliance standards and tracking disciplinary actions. Compliance officers can use digital systems to maintain records of enforcement actions, ensuring transparency and consistency in disciplinary processes.
7. Response and prevention: Digitizing response and prevention processes can lead to more efficient management of compliance risks. Digital tools can facilitate the implementation of proactive measures and enable quick responses to compliance issues, ultimately improving the organization’s ability to prevent and address non-compliance.