By Matt Harrington, BCBA · Behaviorist Book Club · Research-backed answers for behavior analysts
Not automatically. A covered entity under HIPAA is a healthcare provider that transmits any health information in electronic form in connection with a transaction for which the Department of Health and Human Services has adopted a standard — most commonly insurance billing. ABA providers who bill Medicaid, private insurance, or other third-party payers electronically are typically covered entities. Providers who accept only private pay and do not transmit electronic transactions to health plans may not meet the covered entity definition, though many choose to comply voluntarily. If you are unsure of your status, consulting with a healthcare attorney is advisable.
PHI is any individually identifiable health information — including demographic information — that is created, received, maintained, or transmitted by a covered entity. In ABA practice, this includes client names, dates of birth, Medicaid/insurance IDs, diagnoses, session notes, functional behavior assessments, behavior intervention plans, progress reports, and even appointment scheduling information. The key test is whether the information could reasonably be used to identify an individual and relates to their health condition, healthcare provision, or payment for healthcare.
A Business Associate Agreement (BAA) is a contract required between a covered entity and any vendor or service provider who creates, receives, maintains, or transmits PHI on the covered entity's behalf. In ABA practice, BAAs are required with practice management software companies, billing services, cloud storage providers used for client records, telehealth platforms, and even email services if PHI is routinely transmitted through them. The BAA establishes that the vendor will appropriately safeguard PHI and report breaches. Operating with a vendor who handles your PHI without an executed BAA is a HIPAA violation even if no breach occurs.
Home-based ABA programs face several elevated vulnerabilities. Staff often use personal mobile devices to record session data, access client records, or communicate with supervisors — and personal devices are typically not encrypted or subject to organizational security controls. Session notes may be written on paper in client homes and transported without secure handling. Video sessions conducted over consumer platforms without BAAs are common. Verbal discussions of client information in family homes without appropriate consideration of who else is present can constitute HIPAA violations. Organizations should have explicit mobile device policies and training specifically addressing home-based service delivery.
The HIPAA Security Rule requires risk assessments to be performed periodically — though it does not specify a fixed interval. Best practice guidance from the Office for Civil Rights suggests conducting a full risk assessment annually and additionally whenever significant operational changes occur, such as adopting new technology, expanding service lines, experiencing a breach, or changing organizational structure. For small ABA practices, an annual structured review of administrative, physical, and technical safeguards is a reasonable baseline. Larger organizations with more complex ePHI environments may benefit from more frequent targeted assessments.
HIPAA civil penalties are tiered based on culpability, ranging from $100 to $50,000 per violation, with annual caps reaching $1.9 million per violation category. Criminal penalties apply when violations involve knowing misuse of PHI, with fines up to $250,000 and imprisonment up to 10 years for the most serious offenses. State attorneys general may also pursue HIPAA violations under state law. Beyond financial penalties, OCR-imposed corrective action plans can require organizations to implement extensive compliance programs under federal monitoring. For ABA organizations, reputational damage and loss of insurance contracts following a publicized breach often exceed the direct financial penalties.
HIPAA requires covered entities to provide training to all workforce members who may encounter PHI — which in ABA settings includes RBTs, program assistants, and administrative staff, not just BCBAs. Training must cover the organization's HIPAA policies and procedures and be delivered to new staff before they access PHI, with periodic retraining thereafter. Training should be role-specific: an RBT needs to understand data recording confidentiality and device security, while billing staff need deeper knowledge of minimum necessary standards and authorization requirements. Documentation of completed training must be maintained as part of the organization's compliance records.
School-based ABA services involve a complex overlap between HIPAA and FERPA (Family Educational Rights and Privacy Act). When ABA services are provided by the school district as part of a student's IEP, the student's records are typically FERPA-protected rather than HIPAA-protected. When an external ABA provider contracts with a school district, the provider may be a business associate of the district, and the applicable privacy law depends on the funding and service structure. BCBAs working in school settings should understand which law applies to the specific student records they access and should have clear data sharing agreements in place when collaborating with schools.
Upon discovering a potential breach, a BCBA should immediately notify their organization's designated HIPAA Privacy or Security Officer. Do not attempt to investigate or remediate independently. Document what you observed, when, and who else was involved. The organization must then conduct a risk assessment to determine whether the incident constitutes a reportable breach under HIPAA's four-factor test. If a breach is confirmed, the Breach Notification Rule requires notification to affected individuals within 60 days, to HHS, and — for breaches affecting 500 or more individuals — to prominent media outlets. Prompt, accurate reporting is essential to limiting liability.
BHCOE (Behavioral Health Center of Excellence) accreditation evaluates ABA organizations across multiple quality domains, including administrative and ethical standards that encompass HIPAA compliance. Organizations seeking BHCOE accreditation must demonstrate that they have appropriate privacy policies, staff training programs, and data security practices in place. BHCOE reviewers may request documentation of HIPAA training completions, risk assessment records, and privacy policies during the accreditation process. Achieving BHCOE accreditation signals to insurance payers, referring providers, and families that the organization meets a validated standard for operational quality — and HIPAA compliance is a foundational component of that standard.
All behavior-analytic intervention is individualized. The information on this page is for educational purposes and does not constitute clinical advice. Treatment decisions should be informed by the best available published research, individualized assessment, and obtained with the informed consent of the client or their legal guardian. Behavior analysts are responsible for practicing within the boundaries of their competence and adhering to the BACB Ethics Code for Behavior Analysts.