Reactive vs. Proactive HIPAA Compliance Approaches in ABA Organizations

Source & Transformation

This comparison draws in part from “Addressing HIPAA Vulnerabilities” by Nick Merkin (BehaviorLive), and extends it with peer-reviewed research from our library of 27,900+ ABA research articles. The decision framework, BACB ethics code references, and cross-links below are synthesized by Behaviorist Book Club.

In This Guide
  1. Side-by-Side Comparison
  2. Clinical Decision Framework
  3. Key Takeaways

One of the most consequential decisions a behavior analyst makes is not just what intervention to use, but how to approach the clinical question in the first place. When addressing HIPAA vulnerabilities, the difference between an evidence-based, individualized approach and a traditional, protocol-driven one can significantly impact outcomes.

This guide lays out the key factors side by side to support your clinical decision-making.

Side-by-Side Comparison

| Factor | Evidence-Based Approach | Traditional Approach |
| --- | --- | --- |
| Staff Training | Proactive: Annual role-specific training with scenario-based assessments and documented competency verification for all staff handling PHI | Reactive: One-time onboarding module with no follow-up, no competency testing, and no documentation of training completion |
| Risk Assessment | Proactive: Annual formal risk assessment covering administrative, physical, and technical safeguards with written findings and remediation plans | Reactive: Risk assessment conducted only in response to a breach investigation or OCR audit inquiry |
| Vendor Management | Proactive: Complete inventory of all vendors accessing PHI with executed BAAs on file for each; annual vendor review during contract renewal | Reactive: BAAs obtained only when vendors proactively request them; no systematic inventory of who accesses PHI |
| Breach Response | Proactive: Written breach response plan with designated Privacy Officer, staff knows reporting procedures, practice drills conducted periodically | Reactive: No documented breach response plan; breach response improvised at time of incident with potential delays in required notifications |
| Technology Security | Proactive: Device encryption enforced on all devices accessing PHI, HIPAA-compliant platforms selected during vendor evaluation, mobile device policy enforced | Reactive: Security controls added only after a breach reveals gaps; personal device use for PHI access tolerated without policy enforcement |
| Policy Maintenance | Proactive: Written HIPAA policies reviewed and updated annually and whenever workflows change; staff acknowledge receipt of updated policies | Reactive: Written policies created once at program inception and not revisited; staff unaware of current policy requirements |

Clinical Decision Framework

Use this framework when addressing HIPAA vulnerabilities in your practice:

Step 1: Is intervention warranted?

Does the data support a need for intervention? Is there a meaningful impact on the individual's quality of life, safety, or access to reinforcement?

YES → Proceed to assessment
NO → Document reasoning, monitor

Step 2: Have you conducted an individualized assessment?

A functional assessment should guide intervention selection. Avoid defaulting to standard protocols without individual analysis. Consider environmental variables, setting events, and private events.

YES → Select evidence-based approach matched to function
NO → Complete assessment first

Step 3: Is the individual/caregiver involved in decision-making?

Goals should be co-developed. Assent and informed consent are ethical requirements. The individual's preferences and values matter in selecting both goals and methods.

YES → Proceed with collaborative plan
NO → Engage in shared decision-making

Step 4: Verify your approach

Key Takeaways

Clinical Disclaimer

All behavior-analytic intervention is individualized. The information on this page is for educational purposes and does not constitute clinical advice. Treatment decisions should be informed by the best available published research, individualized assessment, and obtained with the informed consent of the client or their legal guardian. Behavior analysts are responsible for practicing within the boundaries of their competence and adhering to the BACB Ethics Code for Behavior Analysts.
