What Most People Get Wrong About Ethics & Compliance for Businesses (And What to Do Instead)

If you run an ABA clinic or lead a team, you already know the pressure. Payers want documentation yesterday. Staff need training. Families need answers. Cash flow needs attention. Somewhere in that mix, ethics and compliance can start to feel like one more thing on a list you cannot finish.

Here is the problem: most ethics and compliance mistakes do not come from bad intentions. They come from unclear systems, misaligned rewards, and real pressure that pushes good people toward shortcuts. See also: BACB Ethics Code.

This post will help you spot the most common mistakes, understand why they happen, and build simple systems to prevent them. No fear-based advice. No checkbox thinking. Just practical guidance for clinic owners and leaders who want to do right by their clients, staff, and business.

    Start Here: Ethics vs. Compliance (Plain English)

    Before we talk about what goes wrong, let us get clear on two words everyone mixes up. See also: research on organizational behavior change and compliance.

    Compliance means following the rules you must follow—laws, regulations, contracts, payer rules, internal policies. It is about doing things right so you avoid penalties, audits, or denied claims.

    Ethics means following your values about what is right, even when no one is watching. Honesty. Fairness. Integrity. Treating people with dignity.

    Here is why this matters. You can be compliant and still be unethical. You might meet every contract requirement but schedule services in ways that repeatedly ignore caregiver constraints. No rule is broken, but trust and dignity take a hit.

    You can also have good intentions and still break rules. A staff member wants to help a family and texts client details from a personal phone with weak security. The intent is good, but the action may violate privacy rules.

    For service businesses with billing and documentation pressure, both problems are common. That is why you need both working together. Compliance sets the floor. Ethics sets the ceiling.

    A Quick Way to Tell the Difference

    When you are not sure which one you are dealing with, ask three questions.

    First, “Is it allowed?” That is a compliance question.

    Second, “Is it fair and safe?” That is an ethics question.

    Third, “Would we be okay if a client, payer, or staff member saw this?” That question covers both. If you hesitate on that last one, slow down.

    Why “Good People” Still Make Bad Choices

    Here is something most training programs skip. Most failures are system failures, not “bad person” stories. When you see a compliance breakdown, the first question should not be “Who did this?” It should be “What in our system allowed this?”

    Consider the common pressure points. Money is tight. Growth is happening fast. Staffing is short. Time is limited. Rules are unclear. In that environment, shortcuts start to feel logical.

    Incentives play a quiet role too. If your team is only rewarded for speed, productivity, or revenue, people will find ways to hit those numbers. Sometimes that means cutting corners on documentation, skipping review steps, or ignoring small concerns that do not feel urgent.

    Then there is silence. When people fear payback for speaking up, or when they believe nothing will change, problems stay hidden. Small issues become big ones.

    Common Rationalizations to Watch For

    Watch for these phrases in yourself and your team: “Everyone does it.” “We’ll fix it later.” “It’s just this once.” “We can’t afford to do it the right way.”

    If you hear one of these, pause. Map the system pressure behind it. Is it a staffing gap? A confusing rule? An unclear process? That is where the real fix starts.

    Mistake Number One: Treating Compliance Like Paperwork (Not Behavior)

    Many clinics have a binder full of policies. That binder does not change what people do.

    The gap between “policy written” and “policy followed” is where risk lives. You can have the best-written documentation policy in the field. If your staff do not know it exists, cannot explain it, or do not see it enforced, it does not protect you.

    Real compliance includes people, training, reporting, audits, and follow-up—not just documents.

    What to Do Instead

    Start by naming an owner. Designate a compliance officer or compliance lead. In a small clinic, this can be a part-time role. The point is someone is responsible.

    Next, pick three to five top risks. For most ABA clinics: billing and documentation, PHI security, conflicts of interest, supervision credentials, and payer rules.

    Add one routine check per month. Ten to twenty minutes. Spot-check a few notes. Review who has access to what. Confirm training completion.

    Finally, track versions and proof. Keep records of policies, training, and audits. If something goes wrong, you want evidence that you had systems in place and followed them.

    Mistake Number Two: No Clear Reporting Path (Or People Don’t Feel Safe Using It)

    A reporting channel only helps if people trust it. Many clinics have a policy that says “report concerns to your supervisor.” But if staff fear payback, or if they think nothing will change, they stay quiet.

    Common failure modes include fear of retaliation, unclear steps for what happens next, and past experiences where concerns went nowhere.

    Build a Simple Reporting Workflow

    • Receive the concern through a manager, HR, compliance lead, or anonymous channel.
    • Acknowledge fast—within a day or two. Say “We got it. Here’s the next step.”
    • Protect against retaliation. Say it, document it, monitor it.
    • Triage severity. Is this a client safety issue, billing risk, or privacy risk?
    • Investigate by limiting access to information and preserving records.
    • Close the loop by sharing what you can and documenting the outcome.
    • Fix the system by updating policy, training, or controls—not just addressing the person.

    Write down your reporting steps in six lines or less. If you cannot, your staff cannot either.

    Mistake Number Three: Weak Training (One-Time, Too Long, or Too Vague)

    Training is not one-and-done. Most compliance training fails because it is too long, too general, and not tied to real decisions. Staff sit through an hour-long module once a year, click through slides, and forget it by lunch.

    What works instead is short training, real examples, role practice, and refreshers.

    Make Training Stick

    Teach one topic at a time. Do not try to cover everything in one session.

    Use one real scenario from your work. What do you do if someone calls asking for client status without verification?

    Ask “What would you do next?” Let staff practice the right steps.

    Revisit the topic often. Monthly micro-refreshers of three to five minutes beat annual marathons.

    Pick one high-risk moment—like documentation or billing—and build a fifteen-minute training around it.

    Mistake Number Four: Leadership Says the Right Words (But Rewards the Wrong Actions)

    People follow what gets rewarded, not what gets posted on a wall. If leadership talks about ethics but only promotes high-revenue performers, staff notice.

    Common failure looks like this: speed, growth, or revenue wins every time. Quality and compliance get mentioned but not measured. When things get busy, corners get cut and no one says anything.

    Simple Leadership Checks

    Ask yourself: What do we praise in meetings? What do we promote? What do we overlook when we are busy? What do staff think gets you in trouble here?

    Run a reward audit. List what your business rewards today, then list what you want it to reward. Close one gap this week.

    Maybe add a performance metric for timely documentation, audit participation, or speak-up responsiveness. Recognize “good stops”—when someone refuses an improper gift or pauses billing until documentation is fixed.

    Mistake Number Five: Not Managing Conflicts of Interest

    A conflict of interest happens when a personal benefit could influence—or look like it influences—your business decisions. Conflicts can be real or just appear real, and both matter.

    Examples include hiring a friend without a fair process, vendor relationships that include gifts or kickbacks, and referrals that benefit you more than the client.

    Keep It Simple

    The steps for managing conflicts are disclose, recuse, and seek advice.

    Disclose early. Recuse yourself from decisions where you have a personal tie. Seek advice if you are unsure.

    Create a one-page conflict-of-interest form and require it yearly and anytime something changes. Define what gifts are never allowed, what is allowed, and what must be disclosed.

    Mistake Number Six: Missing the Basics (Documentation, Billing, and Transparency)

    Risk often lives in routine tasks, not big scandals. Common breakdowns include unclear rules, rushed work, copy-paste habits, and poor review steps.

    If it is not documented correctly, it often “didn’t happen” in an audit. That is a painful lesson to learn during a payer review.

    Transparency matters too. Make sure what you promise matches what you deliver.

    Build Guardrails

    Define what “done right” looks like. What elements are required in a session note? What codes match which services?

    Use checklists for high-risk steps. A short pre-bill checklist can catch errors before claims go out.

    Spot-check regularly. Pick a small sample on a schedule. Review verification, medical necessity support, coding accuracy, duplicates, timeliness, and signatures.

    Fix the process, not just the person. If the same error repeats, change the template or workflow.

    Mistake Number Seven: Ignoring Risk Alignment (You Treat All Risks the Same)

    You cannot fix everything at once, so you have to prioritize. Risk alignment means your rules and effort match your biggest risks.

    The mistake is spending the same energy on low-risk items as high-risk ones.

    A Simple Way to Rank Risk

    Score each risk on three dimensions.

    Harm. Who could get hurt? How bad is the harm?

    Likelihood. How often could this happen?

    Detectability. Would we notice fast or late?

    The risks that are high-harm, high-likelihood, and low-detectability deserve the most attention.

    For example, staff texting client information: harm is high, likelihood is medium, and detectability is low. That makes it a high priority that needs controls like approved tools, training, and monitoring.

    Make a top-five risk list for your business. Assign one owner and one next step to each item.
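As an added example that is not part of the post, here is a small Python risk register that scores each item on the three dimensions above (harm, likelihood, detectability), ranks the top five, and flags items that still lack an owner. The product formula with detectability inverted, the tier thresholds, and every sample entry except the texting case are assumptions made for this example.

```python
"""Score and rank a compliance risk register by harm, likelihood and detectability."""
from dataclasses import dataclass

# Three-point scale. Detectability is inverted so that "low" (we would notice late)
# adds the most, matching the post's rule that low-detectability risks rank high.
LEVEL = {"low": 1, "medium": 2, "high": 3}
DETECT_WEIGHT = {"high": 1, "medium": 2, "low": 3}


@dataclass
class Risk:
    name: str
    harm: str
    likelihood: str
    detectability: str
    owner: str = "unassigned"
    next_step: str = "define next step"

    def score(self) -> int:
        # Product of the three dimensions (FMEA-style): assumed formula, not from the post.
        return LEVEL[self.harm] * LEVEL[self.likelihood] * DETECT_WEIGHT[self.detectability]

    def tier(self) -> str:
        # Thresholds are assumptions chosen for the 1..27 range of the product.
        s = self.score()
        return "high" if s >= 12 else "medium" if s >= 6 else "low"


def rank_risks(risks: list[Risk], top_n: int = 5) -> list[Risk]:
    """Top-N risks, highest score first; ties go to the higher-harm item, then by name."""
    ordered = sorted(risks, key=lambda r: (-r.score(), -LEVEL[r.harm], r.name))
    return ordered[:top_n]


def unowned(risks: list[Risk]) -> list[str]:
    """Names of risks that still lack an owner (the post asks for one owner per item)."""
    return [r.name for r in risks if r.owner == "unassigned"]


# Constructed sample register; only the texting case comes from the post.
REGISTER = [
    Risk("Staff texting client info from personal phones", "high", "medium", "low", "Compliance lead", "Move staff to an approved messaging tool"),
    Risk("Session note missing required elements", "medium", "high", "medium", "Clinical director", "Add a pre-bill checklist"),
    Risk("Former staff still have system access", "high", "medium", "low"),
    Risk("Undisclosed vendor gift", "low", "medium", "medium", "Owner", "Update gift policy"),
    Risk("Service code does not match the service delivered", "high", "medium", "medium", "Billing lead", "Monthly spot check of claims"),
    Risk("Training completion logged late", "low", "medium", "high", "Office manager", "Send a reminder"),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.score():2d} {r.tier():6s} {r.name} -> {r.owner}: {r.next_step}")
    print("needs an owner:", unowned(REGISTER))
```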

    Mistake Number Eight: Waiting for a Crisis to Fix the Program

    Mistakes will happen. Your response determines the damage.

    Many clinics wait until something goes wrong to build a corrective action process. By then, you are scrambling. The better approach is to have a plan before you need it.

    Corrective Action Steps

    CAPA stands for Corrective and Preventive Action. Corrective means fix the issue now. Preventive means fix the system so it does not happen again.

    Stop the harm first and contain the issue. Preserve records by freezing logs and keeping chain of custody. Do root cause analysis. Build an action plan with clear owners and follow-up verification. Train and re-check. Follow up to confirm it worked.

    First Twenty-Four Hours Response Plan

    When something goes wrong, have these steps ready.

    Contain the issue by stopping the risky process. Preserve evidence including notes, billing records, and access logs. Assign a lead and set a timeline. Decide who must be notified—internally first, then externally if required. Start root-cause questions: what allowed this to happen?

    Write your response plan now, before you need it.

    Recent Failures in the News: The Same Patterns

    Year-in-review stories from compliance publications share the same themes: pressure plus weak controls plus silence.

    Common lessons include documentation gaps, tech adoption faster than governance, weak third-party oversight, and misaligned incentives.

    In healthcare, data breaches and ransomware remain real threats. Smaller practices are targets. Root causes include weak passwords, phishing, and missing vendor agreements. Remove access fast when staff leave.

    A Simple Lesson Map

    Next time you see an ethics scandal headline, ask:

    What was the pressure? Where did the process break? What did leaders reward or ignore? What control could have caught it sooner? What would prevent it next time?

    Apply that map to your own clinic.

    Minimum Viable Ethics and Compliance Program

    A simple program beats a perfect plan you never use.

    A minimum viable program includes these core pieces:

    • Assign ownership with a designated compliance officer or clear program owner
    • Build tone at the top with leadership support
    • Conduct risk assessment at the start and periodically
    • Write standards and a code of conduct with clear expectations
    • Create an incident response plan
    • Maintain documentation and version control
    • Set access control and least privilege
    • Establish security baselines including MFA, encryption, and strong passwords
    • Manage vendors with contracts and BAAs
    • Provide regular training appropriate to role
    • Build a reporting channel with an anonymous option and no retaliation
    • Conduct periodic auditing and monitoring
    • Enforce discipline consistently
    • Use feedback and remediation to update training and controls

    A Simple Cadence

    Monthly, do one spot check: billing and documentation, access list, or training completion.

    Quarterly, refresh training scenarios and update your risk list.

    Annually, review policies, collect conflict-of-interest disclosures, and review vendors.

    If you only do one thing this month, create your top five risk rules and train them with real examples.

    Frequently Asked Questions

    What is the difference between ethics and compliance in business?

    Ethics means following your values about what is right, even when no rule forces it. Compliance means following rules you must follow. You need both.

    What are the most common ethics and compliance mistakes businesses make?

    Treating compliance like paperwork, having no safe reporting path, weak training, leadership that rewards the wrong actions, unmanaged conflicts of interest, missing basics like documentation and billing checks, ignoring risk alignment, and waiting for a crisis to fix the program.

    What should a small business include in an ethics and compliance program?

    Start with a code of conduct in plain language, top risk rules, new-hire training plus refreshers, a safe reporting path, routine checks on a schedule, and a basic corrective action process.

    How do you create a safe way for employees to report concerns?

    Define safe reporting and retaliation clearly. Provide basic steps for how to report. Acknowledge reports fast. Protect against retaliation. Close the loop. Follow up to build trust.

    What do you do if you think your business already made a compliance mistake?

    Stay calm and stop the harm. Preserve records and document facts. Fix the process, not just the person. Know when to involve qualified experts.

    Why do ethics and compliance programs fail even when companies have policies?

    Policies in a binder do not change behavior. Programs fail when training is weak, culture does not support speaking up, incentives push shortcuts, and oversight is missing.

    How often should a business review its compliance risks and policies?

    Monthly spot checks. Quarterly training refreshers and risk list updates. Annual policy and vendor review. When you grow, add services, or sign new contracts, review sooner.

    Conclusion

    Most ethics and compliance mistakes are predictable. They come from unclear systems, misaligned rewards, and real pressure that pushes good people toward shortcuts. The good news: they are fixable.

    You do not need a perfect program. You need a simple one that you actually use. Name an owner. Pick your top risks. Train with real examples. Make it safe to speak up. Check your work on a schedule. Fix processes, not just people.

    Ethics and compliance are not obstacles to running a good business. They are the foundation.

    Choose one mistake from this guide and fix it this week. Start small. Write it down. Train it. Check it again next month. That is how programs grow. That is how trust is built.