This comparison draws in part from “Addressing HIPAA Vulnerabilities” by Nick Merkin (BehaviorLive), and extends it with peer-reviewed research from our library of 27,900+ ABA research articles. The decision framework, BACB ethics code references, and cross-links below are synthesized by Behaviorist Book Club.
ABA organizations approach HIPAA compliance along a spectrum that ranges from purely reactive — responding to breaches and audits after the fact — to proactively designed systems that prevent violations before they occur. The Compliagent model presented in this course firmly advocates for the proactive end of this spectrum, grounding compliance in ongoing training, documented policies, and regular risk assessments rather than crisis response.
Understanding the practical differences between these approaches helps BCBAs in leadership roles make informed decisions about where to invest organizational resources. A reactive compliance posture may appear less costly in the short term but exposes organizations to catastrophic financial and reputational risk. A proactive posture requires sustained investment but generates compounding returns through breach prevention, staff confidence, and accreditation readiness.
The comparison below examines six critical dimensions of HIPAA compliance practice and contrasts how proactive versus reactive organizations typically approach each one.
| Factor | Proactive Approach | Reactive Approach |
|---|---|---|
| Staff Training | Annual role-specific training with scenario-based assessments and documented competency verification for all staff handling PHI | One-time onboarding module with no follow-up, no competency testing, and no documentation of training completion |
| Risk Assessment | Annual formal risk assessment covering administrative, physical, and technical safeguards with written findings and remediation plans | Risk assessment conducted only in response to a breach investigation or OCR audit inquiry |
| Vendor Management | Complete inventory of all vendors accessing PHI with executed BAAs on file for each; annual vendor review during contract renewal | BAAs obtained only when vendors proactively request them; no systematic inventory of who accesses PHI |
| Breach Response | Written breach response plan with designated Privacy Officer; staff know reporting procedures; practice drills conducted periodically | No documented breach response plan; breach response improvised at the time of the incident, with potential delays in required notifications |
| Technology Security | Device encryption enforced on all devices accessing PHI; HIPAA-compliant platforms selected during vendor evaluation; mobile device policy enforced | Security controls added only after a breach reveals gaps; personal device use for PHI access tolerated without policy enforcement |
| Policy Maintenance | Written HIPAA policies reviewed and updated annually and whenever workflows change; staff acknowledge receipt of updated policies | Written policies created once at program inception and never revisited; staff unaware of current policy requirements |
Use this framework when addressing HIPAA vulnerabilities in your practice:
Does the data support a need for intervention? Is there a meaningful impact on the individual's quality of life, safety, or access to reinforcement?
- YES → Proceed to assessment
- NO → Document reasoning, monitor
A functional assessment should guide intervention selection. Avoid defaulting to standard protocols without individual analysis. Consider environmental variables, setting events, and private events.
- YES → Select evidence-based approach matched to function
- NO → Complete assessment first
Goals should be co-developed. Assent and informed consent are ethical requirements. The individual's preferences and values matter in selecting both goals and methods.
- YES → Proceed with collaborative plan
- NO → Engage in shared decision-making
This course covers the clinical and ethical dimensions in detail with structured learning objectives and CEU credit.
Addressing HIPAA Vulnerabilities — Nick Merkin · 0 BACB General CEUs · $0
We extended this decision guide with research from our library — dig into the peer-reviewed studies behind each approach, in plain-English summaries written for BCBAs.
All behavior-analytic intervention is individualized. The information on this page is for educational purposes and does not constitute clinical advice. Treatment decisions should be informed by the best available published research, individualized assessment, and obtained with the informed consent of the client or their legal guardian. Behavior analysts are responsible for practicing within the boundaries of their competence and adhering to the BACB Ethics Code for Behavior Analysts.