Compliance

Audit Center & Compliance Records

The Audit Center is Coralia's compliance module for ABA (Applied Behavior Analysis) agencies: one dashboard that generates the records a Medicaid or commercial payer auditor requests — a supervision org chart, a consent and signature ledger, a staff credential matrix, and per-client records packets — live from operational data, on top of an append-only trail of every access to protected health information (PHI) on the platform.

The problem in real agencies

A payer audit in ABA rarely arrives at a convenient time. A Medicaid managed-care plan — or, in Florida, the Agency for Health Care Administration (AHCA) — requests records: session notes for specific dates of service, proof that a BCBA (Board Certified Behavior Analyst) supervised each RBT (Registered Behavior Technician), signed consents, staff credential files. In many agencies that letter starts a scramble across spreadsheets, shared drives, and paper binders, reconstructing after the fact what the payer expects to have been maintained all along.

Reconstruction is where agencies get hurt. A supervision chart drawn from memory contradicts the case assignments in the schedule. The credential spreadsheet was last touched before a technician's certification lapsed. A required consent was never re-signed after a template changed. Each discrepancy an auditor finds before the agency does can turn into recouped payments — and the underlying records were never wrong, just scattered across systems that don't check each other.

Beneath the documents sits a harder question that HIPAA (Health Insurance Portability and Accountability Act) reviews ask: who looked at this child's record, when, and under what role? That question can only be answered by a log written at the moment of access — it cannot be assembled afterward. An agency needs both layers: the artifacts an auditor reads, and the access trail that proves the agency controls its own data.

How it works in Coralia

  1. 1

    One page, seven audit artifacts

    The Audit Center is a dedicated dashboard page presenting an audit-ready package of seven compliance artifacts. Three render live on the page — the Clinical Supervision Hierarchy, the Consent & Signature Ledger, and the Staff Credential Matrix — and four link out to their home record sets: staff roster, supervision logs, safety event register, and client-technician assignments. It is pinned in the sidebar as a standalone destination. All three live artifacts exclude clearly marked test or demo records from every count and export, and each shows a visible note stating how many were held out.

  2. 2

    A supervision org chart built from case assignments, not a drawing

    The Clinical Supervision Hierarchy reconstructs a Lead Analyst → BCBA → BCaBA (Board Certified Assistant Behavior Analyst) → RBT → client org chart purely from active case assignments — there is no separately maintained tree to drift out of date. Three flags surface gaps — technicians without a supervising analyst, clients without an analyst, clients without a technician — each linking to the screen where the assignment is fixed. When all three are clear, a green banner says so. One click prints the chart to a landscape PDF, measured and scaled so wide charts are not cropped.

  3. 3

    Consent coverage measured across every client in care

    The Consent & Signature Ledger computes, for every client in care (active, intake, or on hold), which required consent templates are signed and which are missing — listed worst-first so the biggest gaps surface immediately. Below the gaps, a signing trail shows the 100 most recent events: client, document, status, signer name and role, method (typed or drawn signature), and date in the agency's timezone. Required templates still in draft are never counted against clients — a draft cannot be signed — and instead surface as a configuration warning with a link to finalize them. One CSV export combines all three row types.

  4. 4

    The credential roster sheet, generated live

    The Staff Credential Matrix grades every active staff member against every document requirement that applies to their role — described in-product as "the AHCA roster sheet, generated live." Each cell shows one of six statuses (valid, expiring, expired, missing, optional, not applicable) with distinct glyphs for expired versus missing, a 60-day expiry warning window, and a 0–100 compliance score per staff member, sorted worst-first. Requirements seed from a canonical 31-item template — 16 personal documents, 8 credentials, 7 mandatory in-services — with role scoping and renewal cadences, and the whole grid exports to CSV.

  5. 5

    An append-only audit trail under everything

    Independently of the Audit Center page, every access to protected health information (PHI) and every sensitive operation platform-wide writes an entry to an append-only audit log: actor, action, object, IP address, source (human user, AI agent, system, background job, data sync, or caregiver), and the active role the actor was working under. Entries record protected-field names and counts — never field values. Administrators browse the trail in an Activity Log with filters for actor, source, 21 domains, 12 object types, sensitivity, and date, plus a one-click filter that isolates PHI-access entries, rendered as plain-language summaries.

  6. 6

    A records packet for any payer request

    When a payer or auditor requests one client's records, staff generate a records packet for a chosen date range — up to 370 days, defaulting to the last 90. The packet assembles an identity cover, consent coverage, every authorization touching the range with per-procedure-code approved and used units, only finalized session notes with full SOAP (Subjective, Objective, Assessment, Plan) documentation and e-signatures, and supervision delivered in range — while disclosing how many non-finalized sessions were excluded. Date of birth and Medicaid ID stay redacted unless the viewer holds the PHI-view permission, and every packet generation is itself audit-logged.

The specifics

  • Seven artifact cards on the Audit Center page: three rendered live and four linking to their home modules (staff roster, supervision logs, safety events, client-technician assignments).

  • The supervision hierarchy raises three flag types — unsupervised technicians, clients without a supervising analyst, clients without a technician — each linking to the screen where it is fixed.

  • The consent ledger shows the 100 most recent signing events with signer name, role, method (typed or drawn), and date in the agency's timezone.

  • The credential matrix uses six cell statuses (valid, expiring, expired, missing, optional, not applicable) with a 60-day expiry warning window and a 0–100 per-staff score.

  • Document requirements seed from a 31-item template — 16 personal documents, 8 credentials, 7 mandatory in-services — with role scoping and annual, biennial, or triennial renewal cadences.

  • The audit log CSV export caps at 5,000 rows across 10 columns, and the export itself is recorded as an audit entry with the filters used.

  • The Activity Log filters by actor, source, 21 domains, 12 object types, sensitivity, and date presets, with a one-click filter isolating PHI-access entries.

  • Records packets cover any date range up to 370 days and include only finalized session notes, disclosing the count of non-finalized sessions excluded.

  • Audit entries record protected-field names and counts, never field values, and are written non-blocking so a logging failure never breaks the underlying operation.

  • All three live artifacts exclude clearly marked test or demo records and display how many were held out, so the exclusion is never silent.

Integrations

The Coralia Brain — actions taken by the per-agency AI copilot are stamped as AI-agent audit entries, filterable separately from human activity · Practice-management data import — sessions and supervision logs mirrored from an agency's previous system display their original signature provenance in the records packet — signing timestamps for sessions, signed status for supervision logs · Background jobs — automated tasks write audit entries under their own source label, filterable in the Activity Log · Browser print — the hierarchy PDF (with measured scaling) and the records packet print directly from the browser; no document is sent to an external rendering service

Access control

The Audit Center page and its sidebar card are visible only to users holding either the audit-view permission or the view-all-clients permission; the admin Activity Log requires audit-view. Inside a records packet, date of birth and Medicaid ID remain redacted unless the viewer also holds the dedicated PHI-view permission, and the packet is flagged as redacted.

Frequently asked questions

What can we hand an auditor directly from the Audit Center?

Three artifacts generate live from operational data: the supervision hierarchy prints to a landscape PDF with the chart auto-scaled to fit the page; the consent and signature ledger exports one CSV combining unpublished templates, coverage gaps, and the signing trail; the credential matrix exports its full grid to CSV. Four more cards link to the staff roster, supervision logs, safety event register, and client-technician assignments.

Does Coralia record who viewed a client's protected health information?

Yes. Every PHI access and mutation writes to an append-only audit log stamped with the actor, source, active role, IP address, and the names of the fields read — never their values. Administrators use a one-click filter to isolate PHI-access entries, read them as plain-language summaries, and export up to 5,000 rows to CSV. The export itself is recorded as an audit entry, including the filters used.

Can we tell AI actions apart from human actions in the audit trail?

Yes. Every audit entry carries a source: human user, AI agent, system, background job, data sync, or caregiver. Actions taken by the Coralia Brain — the per-agency AI copilot — are stamped as AI-agent entries automatically, and the Activity Log filters by source. For staff who hold multiple roles, each entry also records the active role the person was working under when they acted.

How do we respond to a payer records request for one client?

Generate a records packet from the client's profile for any date range up to 370 days (the default view covers the last 90). It compiles an identity cover, consent coverage, authorizations with per-code approved and used units, finalized session notes with e-signatures, and supervision delivered in range, and it discloses how many non-finalized sessions were excluded. Date of birth and Medicaid ID stay redacted unless the viewer holds the PHI-view permission.

Doesn't an agency-wide compliance page expose PHI itself?

The Audit Center treats a client's name as identification, visible to users with client-view access, while strict PHI — date of birth, Medicaid ID, contact details, consent body text — is never read by its queries. Opening the consent ledger is itself recorded as a PHI-access audit entry naming the surface and how many records were shown. Coralia is built for HIPAA compliance, and the page is gated by permission.