
Audits & Compliance · Updated 2026-05-01

HIPAA Compliance for ABA Agencies

Practical HIPAA: BAAs, training, security risk assessments, and breach response.

HIPAA compliance is one of the lowest-effort, highest-leverage operational investments an ABA agency can make. Done routinely — as habits rather than as a panicked annual project — it is straightforward. Done as an afterthought, it accumulates into a real liability. The agencies that handle HIPAA cleanly all do the same thing: set up the structure on day one, then make documentation a routine part of operations.

This guide is not legal advice. Consult your own counsel for specific compliance questions. It is a working operational map of what HIPAA actually asks of an ABA agency.

The three rules: Privacy, Security, Breach Notification

HIPAA at the agency-operations level is essentially three rules:

  1. Privacy Rule. Governs how protected health information (PHI) can be used and disclosed. Sets the rules around patient consent, minimum necessary disclosure, and patient rights (access, amendment, accounting of disclosures).
  2. Security Rule. Governs how electronic PHI must be protected — administrative, physical, and technical safeguards. Requires a Security Risk Assessment.
  3. Breach Notification Rule. Governs what to do when PHI is improperly accessed or disclosed. Sets timelines for notifying affected individuals, HHS, and (for breaches over 500 individuals) the media.

All three apply to an ABA agency as a covered entity from the moment it bills electronically and holds client records; there is no grace period for new or small practices.

Step 1 — Sign BAAs with every vendor that touches PHI

A Business Associate Agreement (BAA) is required between your agency and any third party that handles PHI. The list is longer than most operators expect:

  • Your clinical platform (CentralReach, Rethink, Theralytics, etc.)
  • Your billing service or RCM vendor
  • Your e-signature tool (DocuSign, Dropbox Sign, GoodABA's built-in signing)
  • Your fax service (SRFax, eFax)
  • Your phone system (RingCentral, OpenPhone, Dialpad) if voicemails or texts contain PHI
  • Your email system (Google Workspace, Microsoft 365 — both require BAAs for HIPAA coverage)
  • Your forms tool (Jotform Gold, IntakeQ — Typeform's standard plans do NOT cover HIPAA)
  • Your video conferencing for telehealth (Doxy.me, Zoom for Healthcare — standard Zoom is NOT HIPAA-eligible)
  • Cloud storage (Google Drive on Workspace with BAA, Dropbox Business with BAA)
  • Any other third party that creates, receives, stores, or transmits PHI on your behalf (IT support with access to your systems, transcription, analytics, shredding and device-disposal vendors)

BAA-less workflows are the single most common HIPAA failure for new ABA agencies, and a missing BAA is a violation on its own, whether or not a breach ever follows. The only vendors exempt are pure conduits that transport PHI without storing or reading it (an ISP, the postal service); nothing on the list above qualifies. Audit your vendor list quarterly and keep the signed BAAs with your compliance documentation.

Step 2 — Run a Security Risk Assessment

The HIPAA Security Rule requires a risk analysis, commonly called a Security Risk Assessment (SRA). The SRA inventories where electronic PHI lives, documents the threats to it and the likelihood and impact of each, and records the safeguards in place against them. There are three categories of safeguards:

  • Administrative. Policies, procedures, training, sanctions for violations, designated security officer.
  • Physical. Locked doors, locked cabinets, device disposal procedures, workstation security.
  • Technical. Access controls, encryption at rest and in transit, audit logs, automatic logoff.

The federal HHS provides a free Security Risk Assessment Tool that walks small organizations through the assessment. Use it. Document findings, document remediation (with owners and dates), and repeat at least annually and whenever systems change materially, such as switching clinical platforms or adding telehealth.

Step 3 — Train staff and document the training

Every workforce member who touches PHI needs HIPAA training:

  • At hire (before access to PHI)
  • Annually thereafter
  • Whenever policies change

Training does not need to be expensive; there are reputable online HIPAA training providers in the $20–$50 per person range. Record who completed which training and when, and keep the certificates. In an audit the completion record is what the investigator asks for: trained staff with no record look the same on paper as untrained staff.

Step 4 — Encrypt devices and connections

Encryption is an "addressable" specification under the Security Rule rather than a strictly required one: you must implement it where reasonable and appropriate, or document why not and what equivalent safeguard you use instead. For a small agency there is no realistic case for not encrypting. It is also the practical defense against breach notification requirements. If a laptop with PHI is lost and the disk is encrypted to HHS guidance (NIST-consistent full-disk encryption) and the key or password was not lost with it, the PHI is considered "secured" and no breach notification is required; this is the encryption safe harbor. If the laptop is unencrypted, the loss is presumed to be a breach unless a documented risk assessment shows a low probability of compromise, and full breach notification kicks in.

Encrypt every device that touches PHI: laptops, tablets, phones. Use the platform's built-in full-disk encryption (FileVault on macOS, BitLocker on Windows, device encryption on iOS and Android), enroll devices in mobile device management so encryption status can be verified and a lost device wiped remotely, and escrow recovery keys where the agency, not only the individual employee, can reach them. Use HTTPS everywhere. Use encrypted email or a secure portal for any external PHI exchange, and keep a record of which devices are encrypted so you can prove safe harbor applies when one goes missing.

Step 5 — Log access and audit it

Most clinical platforms include audit logging: who accessed which client record, when, and what they did. Turn it on. Review it periodically, and write down that you reviewed it. The Security Rule requires audit controls and regular review of information system activity; payer audits and OCR investigations ask for both the logs and the review records. The review is what turns a log into a safeguard: accesses outside a staff member's caseload, access at unusual hours, and one account opening many records in a short span are the patterns worth flagging for follow-up.
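The periodic review described above, as an added example that is not part of the original guide and not code from any clinical platform: a small Python script that reads an audit-log export and flags the three patterns named in the text. The log format (timestamp, user, client, action) and the caseload roster are constructed for this example; a real platform's export will need its own parser and the thresholds will need tuning to the agency.

```python
"""Periodic review of a clinical-platform audit log export.

Flags three patterns worth a second look: a record opened by someone
whose caseload does not include that client, access outside business
hours, and one account opening many distinct records in a single day.
A finding is a prompt for follow-up, not proof of a violation; a BCBA
covering for a colleague will legitimately trip the caseload check.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export: timestamp,user,client,action. Not real data.
SAMPLE_LOG = """\
2026-04-14T09:12:03,bcba.lee,client-1041,view_session_note
2026-04-14T09:15:40,bcba.lee,client-1041,edit_treatment_plan
2026-04-14T13:02:11,rbt.ortiz,client-2207,view_session_note
2026-04-14T23:48:55,rbt.ortiz,client-1041,view_session_note
2026-04-15T10:01:00,billing.kim,client-1041,view_claim
2026-04-15T10:01:05,billing.kim,client-2207,view_claim
2026-04-15T10:01:09,billing.kim,client-3310,view_claim
2026-04-15T10:01:12,billing.kim,client-4420,view_claim
2026-04-15T10:01:15,billing.kim,client-5531,view_claim
2026-04-15T10:01:19,billing.kim,client-6642,view_claim
"""

# Constructed caseload roster: which clients each clinician is assigned to.
CASELOADS = {
    "bcba.lee": {"client-1041", "client-3310"},
    "rbt.ortiz": {"client-2207"},
}
# Roles whose job legitimately spans every client; caseload check is skipped
# for them, but the bulk-access check still applies.
ALL_CLIENT_ROLES = {"billing.kim"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumed agency hours
BULK_THRESHOLD = 5                           # distinct clients per user per day


def parse_log(text):
    """Parse the CSV-style export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, client, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "client": client, "action": action})
    return events


def review(events, caseloads=CASELOADS, all_client_roles=ALL_CLIENT_ROLES,
           hours=BUSINESS_HOURS, bulk_threshold=BULK_THRESHOLD):
    """Return a list of findings; each is a dict with a 'kind' key."""
    findings = []
    clients_per_user_day = defaultdict(set)
    for e in events:
        when = e["ts"].isoformat()
        # 1. Record opened by someone not assigned to that client.
        if e["user"] not in all_client_roles and \
                e["client"] not in caseloads.get(e["user"], set()):
            findings.append({"kind": "outside_caseload", "user": e["user"],
                             "client": e["client"], "when": when})
        # 2. Access outside business hours.
        t = e["ts"].time()
        if not (hours[0] <= t <= hours[1]):
            findings.append({"kind": "after_hours", "user": e["user"],
                             "client": e["client"], "when": when})
        clients_per_user_day[(e["user"], e["ts"].date())].add(e["client"])
    # 3. One account touching many distinct records in one day.
    for (user, day), clients in clients_per_user_day.items():
        if len(clients) >= bulk_threshold:
            findings.append({"kind": "bulk_access", "user": user,
                             "count": len(clients), "when": day.isoformat()})
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed log this produces three findings: the RBT's late-night view of a client outside their caseload (flagged twice, once for each rule) and the billing account's sweep of six records in one morning. The point of the script is the documented habit, not the heuristics: run it on each export, record what was reviewed and what was done about each finding, and adjust the roster and thresholds as the agency changes.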

Step 6 — Build a breach response plan before you need it

The Breach Notification Rule requires:

  • Notification to affected individuals without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered
  • Notification to HHS: for breaches affecting 500 or more individuals, at the same time as the individual notices (no later than 60 days after discovery); for breaches affecting fewer than 500, log the breach and report it to HHS within 60 days after the end of the calendar year in which it was discovered
  • Notification to prominent media outlets serving the affected state or jurisdiction, on the same 60-day clock, for breaches affecting more than 500 residents of that state or jurisdiction

Have the plan written before the breach. Know who calls counsel, who drafts the notification letters, who notifies HHS. Reading the rules during the crisis is the wrong time.

Step 7 — Document everything

The single most-leveraged HIPAA habit is documentation. The Privacy Officer's designation, the Security Officer's designation, training records, BAAs, SRA findings and remediation, audit-log reviews, breach incidents and responses, policy versions and updates: all need to be documented and retained for at least 6 years from the date of creation or the date the document was last in effect, whichever is later.

Audits look at documentation completeness first. Substantive compliance gaps are sometimes recoverable; missing documentation rarely is.

How GoodABA helps

GoodABA's document signing, communications log, and central client record give agencies a HIPAA-eligible workspace for the operations layer that matters most — intake forms, signed consents, family messages, document storage. The BAA is signed with every Pro account. For broader vendor coverage, see the BAA list above and audit quarterly.

For audit preparation specifically, see the ABA audit preparation guide.

FAQ

Are ABA agencies HIPAA-covered entities?

Yes. Agencies that bill insurance (commercial or Medicaid) for ABA services are HIPAA-covered entities under the standard "health care provider that transmits health information electronically in connection with a standard transaction" definition; an electronic claim to a payer is exactly such a transaction.

Do small ABA agencies have any HIPAA exemptions?

No. HIPAA applies regardless of size. Solo BCBAs billing insurance are subject to the same Privacy, Security, and Breach Notification rules as large agencies.

What's the penalty for a HIPAA violation?

Penalties scale with severity and intent, across four tiers: from roughly $100 per violation for violations the agency did not know about and could not reasonably have known about, up to $50,000 or more per violation for willful neglect (the dollar amounts are adjusted for inflation each year). Each tier also carries an annual cap per type of violation, and patterns of violation can produce penalties in the millions.

How often should I update HIPAA training?

Annually at minimum, plus whenever policies materially change. Document each training cycle.
