Prior Authorization for ABA Therapy: A Payer-by-Payer Survival Guide

Prior authorization is the single biggest administrative choke point in ABA practices. Done wrong, it delays care, burns staff hours, and produces denials that are hard to reverse. Done right, it’s a predictable system you can manage.

This guide covers how prior auth works in ABA, what changes by payer, and how to build a workflow that doesn’t stall treatment.

Why ABA Prior Auth Is Different

Most medical specialties deal with prior auth for procedures — one-time events. ABA is different. You’re authorizing ongoing, high-frequency services. A child receiving 20 hours per week generates hundreds of service units per authorization period. Each renewal is another opportunity for denial.

Unlike PT or OT, ABA doesn’t have standardized treatment protocols payers can benchmark easily. This gives payers wide latitude in what they request, approve, and deny. Prior auth often functions as a utilization management tool — payers approve fewer hours than recommended, push for shorter auth periods, and require exhaustive documentation at every renewal.

The BACB’s Ethics Code requires that treatment be driven by individualized clinical assessment, not payer preference.1 But in practice, BCBAs spend hours justifying clinical decisions to non-clinical reviewers. That tension is structural. It doesn’t go away — it gets managed.

The Basic Authorization Flow

  1. DSM-5 ASD diagnosis confirmed
  2. FBA or comprehensive skills assessment completed
  3. Treatment plan drafted: hours, goals, measurable outcomes
  4. Prior auth request submitted
  5. Payer review (1–30+ business days depending on payer)
  6. Authorization issued, modified, or denied
  7. Services begin
  8. Renewal required at auth expiration (typically every 90–180 days)

Every step is a potential delay. Documentation burden alone runs 3–5 hours of clinical time per request. Multiply that across 20 active clients and you’ve got a significant operational cost that never shows up in the revenue cycle report.

Medicaid

Medicaid is the largest payer for ABA in the U.S. All 50 states cover ABA for children with autism following federal mandates and EPSDT requirements.2 But Medicaid is not one entity — it’s 50-plus programs, most administered through managed care organizations (MCOs).

Core requirements across most state Medicaid programs:

  • DSM-5 ASD diagnosis
  • FBA or comprehensive initial assessment
  • Treatment plan with measurable, data-driven goals
  • CPT codes with unit counts matching recommended hours
  • BCBA signature; some states add prescribing physician requirement

Auth periods run 90–180 days. Some states authorize annually. The critical risk isn’t the state program — it’s the MCOs layered on top. Florida Medicaid approval doesn’t mean Sunshine Health, Molina, and WellCare have each authorized services. Those are three separate auth workflows. Miss one, and you’re billing into a void.

Cigna

Cigna’s ABA coverage is governed by Coverage Policy No. 0459, updated periodically. For context on Cigna’s full credentialing and contracting requirements, see our BCBA credentialing guide for commercial payers. Cigna wants to see the clinical argument, not just the clinical conclusion.

Requirements include:

  • DSM-5 ASD diagnosis
  • Comprehensive assessment (ADOS-2, ADI-R, or equivalent) with results attached
  • BCBA-signed treatment plan
  • Goals that are measurable with defined data collection methodology
  • Hours justified by assessment findings, not clinical opinion alone

Cigna flags high-hour requests — typically anything over 25–30 hours/week — for peer-to-peer review. If you’re requesting intensive early intervention for a young child, expect that call. Have the BCBA available and ready with data, not narrative.

Cigna tends toward shorter initial auth periods (often 6 months) and extends based on documented progress. Initial denials are common; appeals with strong documentation often succeed.

Top denial triggers: vague goals, missing baseline data, treatment plan goals that don’t align with assessment findings, or hours requests that exceed what the assessment data supports.

UnitedHealthcare

UHC’s ABA policy follows its Coverage Determination Guidelines for Applied Behavior Analysis.3 Prior auth is required for all ABA services except initial assessments on most plans.

Key requirements:

  • BCBA or BCaBA credentials verified
  • Comprehensive assessment results
  • Goals explicitly linked to assessment data
  • Direct therapy, supervision, and parent training requested separately with individual justifications
  • Progress notes submitted at renewal

UHC has heavily invested in utilization management infrastructure. Their review process can cycle through multiple documentation requests before approval. Start auth requests at least three weeks before anticipated service start. Treat two weeks as your absolute minimum.

One useful difference: some UHC plans allow simultaneous authorization of assessment and treatment, reducing initial delays. Verify plan-specific requirements before assuming this applies.

Top denial triggers: missing BCBA signature, goals not tied to functional outcomes, no baseline data, requesting hours that outpace what the assessment supports.

Anthem (BCBS Affiliates)

Anthem plans vary significantly by state because BCBS is a federated system. Anthem California, Anthem Ohio, and Anthem Georgia each operate with meaningful policy differences.

Anthem’s core ABA policy requires:

  • DSM-5 diagnosis
  • Functional assessment
  • Treatment plan aligned to BACB standards
  • Quarterly progress documentation for all renewals

Anthem uses shorter initial auth periods (often 90 days) and ties renewals to measurable goal progress. If a child is meeting goals ahead of schedule, Anthem may reduce hours at renewal. If goals aren’t being met, Anthem typically requests additional clinical justification rather than automatically approving continuation.

Multi-state practices need to treat each Anthem affiliate as its own payer — auth portals, documentation requirements, and CPT code preferences differ across affiliates.

Common Denial Triggers Across All Payers

  1. Incomplete documentation. Every auth request needs assessment, treatment plan, goals, and provider credentials. Missing any single element is grounds for denial.
  2. Non-measurable goals. “Improve social skills” gets denied. “Client will independently initiate a greeting with a peer across 4/5 opportunities in 3 consecutive sessions” gets approved.
  3. Hours not clinically justified. The number of hours requested must be supported by assessment data. A 40-hour/week request for a child with a mild presentation will not survive review.
  4. Authorization gaps. Services rendered without active auth are unbillable. Renewals need to start 45 days before every auth expiration date.
  5. Wrong CPT codes or modifiers. Using 97153 without proper supervision documentation, or omitting the HQ modifier for group services.
  6. Credentialing not complete. Submitting an auth under a BCBA who isn’t yet paneled creates an automatic denial — this is also one of the top ABA claim denial reasons. Credentialing must be resolved before any auth request goes out under that provider.

Building a Workflow That Doesn’t Stall Care

Practices that handle prior auth consistently treat it as an operations problem, not a clinical one.

What good looks like:

  • Auth calendar. Every active client has an auth expiration date on a shared tracker. Renewals start 45 days out, no exceptions.
  • Templated documentation. Treatment plan templates are designed to meet payer requirements by default. BCBAs don’t rebuild the structure for every auth.
  • Clear ownership. One person owns auth submission and follow-up. Split ownership without a defined handoff protocol means things fall through.
  • Payer-specific checklists. Cigna requirements differ from UHC. A checklist prevents missing required elements by payer.
  • Escalation path. When an auth is pending more than 10 business days, there’s a defined next step: call the payer, request expedited review, document the call.

Prior auth isn’t going away. But it doesn’t have to be the reason care gets delayed.

Ready to build a prior auth system that runs without you managing every detail? See what our ABA practice services include, then book a free 30-minute consultation at abapracticeservices.com.

Footnotes

  1. Behavior Analyst Certification Board. (2020). Ethics Code for Behavior Analysts. Littleton, CO: BACB. Retrieved from https://www.bacb.com/ethics/ethics-code/

  2. Centers for Medicare & Medicaid Services. (2014). EPSDT — A Guide for States: Coverage in the Medicaid Benefit for Children and Adolescents. CMS.gov.

  3. UnitedHealthcare. (2024). Applied Behavior Analysis Services Coverage Determination Guideline. UnitedHealthcareOnline.com.