HIPAA Compliance for ABA Practices: What You Actually Need to Do
A practical HIPAA compliance guide for ABA practices — the required safeguards, common violations, and how to build a compliance program that works.
9 min read | Published January 18, 2026 | Updated March 1, 2026 | ABA Insight Clinical Team
Tags: HIPAA, compliance, PHI, security, privacy
HIPAA Basics for ABA Practices
The Health Insurance Portability and Accountability Act (HIPAA) applies to all ABA practices that transmit protected health information (PHI) electronically — which includes virtually every practice that bills insurance. HIPAA has three main rules that affect ABA practices:
Privacy Rule — Governs how PHI can be used and disclosed
Security Rule — Requires specific safeguards for electronic PHI (ePHI)
Breach Notification Rule — Requires notification when PHI is improperly disclosed
What Counts as PHI in ABA
Protected health information includes any information that can identify a patient and relates to their health condition, treatment, or payment for treatment. In ABA practice, PHI includes:
Client names, dates of birth, addresses
Diagnosis codes (F84.0, etc.)
Session notes and treatment plans
Authorization numbers and insurance information
Video recordings of ABA sessions
Communication about a client's treatment
The Required HIPAA Safeguards
Administrative Safeguards
Privacy Officer: Designate a HIPAA Privacy Officer (can be the owner or a staff member)
Security Officer: Designate a HIPAA Security Officer (can be the same person as the Privacy Officer)
Policies and Procedures: Document your HIPAA policies in writing
Training: Train all staff on HIPAA annually
Business Associate Agreements: Execute BAAs with all vendors who handle PHI (practice management software, billing services, cloud storage providers)
Physical Safeguards
Workstation security: Lock computers when not in use; position screens away from public view
Device controls: Encrypt all devices that store ePHI (laptops, tablets, phones)
Facility access: Control physical access to areas where PHI is stored
Technical Safeguards
Access controls: Limit access to ePHI to staff who need it for their job
Audit controls: Log access to ePHI
Encryption: Encrypt ePHI in transit (use HTTPS for all web-based systems) and at rest
Automatic logoff: Configure systems to log off automatically after a period of inactivity
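As an added example that is not part of this article, the script below applies two of the technical safeguards above to an ePHI audit log: it flags record access outside a staff member's assigned caseload (access control) and gaps where a session stayed open past the inactivity timeout without a logoff (automatic logoff). The log format, the caseload roster and the 15-minute timeout are constructed assumptions, not output or policy from any real practice management system.

```python
from datetime import datetime, timedelta

# Constructed caseload roster: the clients each staff member may access.
CASELOAD = {"bcba_jones": {"C001", "C002"}, "rbt_lee": {"C002"}}

# Constructed audit-log lines (timestamp, user, client or "-" for session events, action).
LOG_LINES = """\
2026-02-03T09:00:00 bcba_jones C001 VIEW_TREATMENT_PLAN
2026-02-03T09:05:00 bcba_jones C001 EDIT_SESSION_NOTE
2026-02-03T09:50:00 bcba_jones C002 VIEW_SESSION_NOTE
2026-02-03T10:30:00 rbt_lee C003 VIEW_SESSION_VIDEO
2026-02-03T10:35:00 rbt_lee - LOGOUT
2026-02-03T13:00:00 rbt_lee C002 VIEW_SESSION_NOTE
"""
INACTIVITY_TIMEOUT = timedelta(minutes=15)  # assumed practice policy value

def parse_log(text):
    """One dict per line, with the timestamp parsed to a datetime."""
    records = []
    for line in text.splitlines():
        ts, user, client, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "client": client, "action": action})
    return records

def out_of_caseload(records, caseload):
    """Client-record accesses by staff who are not assigned to that client."""
    return [r for r in records if r["client"] != "-"
            and r["client"] not in caseload.get(r["user"], set())]

def idle_gaps(records, timeout):
    """Per-user gaps longer than the timeout with no LOGOUT/LOGIN between
    them: the session stayed open instead of being logged off automatically."""
    by_user = {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        by_user.setdefault(r["user"], []).append(r)
    flagged = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            if prev["action"] == "LOGOUT" or cur["action"] == "LOGIN":
                continue  # session was closed and reopened; a gap is expected
            if cur["ts"] - prev["ts"] > timeout:
                flagged.append((user, prev["ts"], cur["ts"]))
    return flagged

def review(text=LOG_LINES, caseload=CASELOAD, timeout=INACTIVITY_TIMEOUT):
    records = parse_log(text)
    return {"out_of_caseload": out_of_caseload(records, caseload),
            "idle_gaps": idle_gaps(records, timeout)}
```

Each finding is a follow-up item for the Security Officer: an out-of-caseload access needs a documented reason or becomes an incident, and an idle gap means the system's automatic logoff is not working as configured.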
Common HIPAA Violations in ABA Practices
Violation 1: Texting PHI without encryption. Standard SMS text messages are not HIPAA-compliant. Use a HIPAA-compliant messaging platform (Signal, TigerConnect, etc.) for any communication that includes PHI.
Violation 2: Sharing session videos without authorization. Video recordings of ABA sessions are PHI. They cannot be shared with anyone — including other providers — without a signed authorization from the client's parent or guardian.
Violation 3: Leaving session notes visible. Session notes left on desks or visible on computer screens in public areas are a HIPAA violation. Implement a clean desk policy and screen privacy filters.
Violation 4: Using personal email for PHI. Personal email accounts (Gmail, Yahoo, etc.) are not HIPAA-compliant. Use a HIPAA-compliant email service for any communication that includes PHI.
Violation 5: Missing Business Associate Agreements. If your practice management software, billing service, or cloud storage provider handles PHI, you need a signed BAA with them. Most reputable vendors provide BAAs on request.
Breach Notification Requirements
If PHI is improperly disclosed (a breach), HIPAA requires:
Notification to affected individuals within 60 days of discovering the breach
Notification to HHS (the Department of Health and Human Services)
For breaches affecting 500+ individuals: notification to prominent media outlets in the affected area
What constitutes a breach: Unauthorized access to PHI, loss of a device containing PHI, sending PHI to the wrong recipient, ransomware attacks.
What does not constitute a breach: Encrypted data that is lost or stolen (encryption is a "safe harbor" under HIPAA).
Building a HIPAA Compliance Program
A functional HIPAA compliance program for an ABA practice includes:
Annual risk assessment — Identify where PHI is stored and how it flows through your practice
Annual staff training — Document training completion for all staff
Incident response plan — Know what to do if a breach occurs
Business Associate Agreement tracker — Maintain a list of all vendors with BAAs
Policy review — Review and update HIPAA policies annually
The cost of HIPAA non-compliance is significant: HHS can assess penalties of $100–$50,000 per violation (up to $1.9 million per year for the same type of violation). More importantly, a breach damages client trust in ways that are difficult to recover from.
Disclaimer: This article is for informational purposes only and does not constitute legal, billing, or compliance advice. Payor policies change frequently. Always verify requirements directly with the payor before submitting claims. ABA Insight verifies payor data quarterly — see our Data Methodology for details.