If you run an ABA clinic, HIPAA is not a paperwork exercise—it is the law governing every session note, parent text, intake form, and insurance record your team touches. The HHS Office for Civil Rights has fined healthcare organizations millions for violations that started with a single unsecured text or a missing vendor agreement.
This listicle covers the seven HIPAA compliance mistakes ABA clinic directors see most often in the field—drawn from de-identified audit findings, payer compliance reviews, and remediation work with multi-location therapy centers. Each mistake includes what went wrong, what it costs, and exactly how to fix it.
For technical implementation details, see our HIPAA compliance guide for software developers. For platform features built around ABA workflows, explore TWO44's autism therapy software.
Mistake 1: Texting PHI on Personal Phones Without Secure Messaging
What clinics do wrong: Therapists and BCBAs text parents updates like "Great session today—[client name] hit 80% on manding goals" from personal iPhones using standard SMS or WhatsApp. That message is PHI. Consumer messaging apps do not sign Business Associate Agreements (BAAs), do not provide audit logs, and do not encrypt messages to HIPAA standards.
Real-world consequence (de-identified): A multi-location ABA provider in the Southeast received an OCR complaint after a parent forwarded a therapist's text thread to a school district. Investigation found dozens of staff using personal phones for PHI. The clinic entered a corrective action plan and paid significant legal and remediation costs—well before any formal fine.
HIPAA fines context: OCR civil penalties range from $100 to $50,000 per violation, capped at $1.5 million per violation category per year. Willful neglect carries the highest tiers.
How to fix it: Ban PHI on personal SMS and consumer apps. Deploy HIPAA-compliant secure messaging inside your EHR or a dedicated healthcare platform with encryption, authentication, audit trails, and a signed BAA. Train staff that "quick texts" are never quick enough to skip compliance.
Mistake 2: Using Gmail, Slack, or Dropbox Without a Signed BAA
What clinics do wrong: Intake coordinators email insurance cards to a shared Gmail inbox. Clinical directors drop session videos in personal Dropbox folders. Operations runs on Slack channels named after clients. None of these consumer tools are HIPAA-compliant for PHI unless the vendor signs a BAA—and even then, only specific enterprise configurations qualify.
Real-world consequence (de-identified): A growing ABA startup stored intake packets in Google Drive without a BAA. When they pursued their first payer contract, the compliance audit failed on day one. They had to migrate 400+ active patient records under deadline pressure—delaying enrollment and burning leadership bandwidth.
How to fix it: Inventory every tool that touches PHI. No BAA, no PHI—full stop. Move to HIPAA-eligible email, file storage, and collaboration tools. Document vendor agreements in your compliance binder. See our HIPAA cloud hosting guide for BAA-eligible infrastructure options.
Mistake 3: Skipping Workforce HIPAA Training and Access Reviews
What clinics do wrong: New RBTs start without HIPAA onboarding. Annual refresher training is optional or a one-slide email. Access permissions are never revoked when staff leave. The front desk can open every patient chart because "it is easier that way."
Real-world consequence (de-identified): After a staff departure, a clinic discovered a former billing coordinator still had EHR login credentials three months later. No breach occurred—but a mock audit flagged it as willful neglect risk because access reviews were undocumented.
How to fix it: Mandate HIPAA training at hire and annually. Document completion. Implement role-based access so RBTs, BCBAs, intake, and billing see only what they need. Run quarterly access audits and disable accounts on the last day of employment. Our HIPAA guide for ABA therapy centers covers administrative safeguards in detail.
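One way to run the quarterly access review described above, as an added example that is not from this page or from TWO44: a Python script that cross-references an HR roster with an EHR account export and flags separated staff who still have a live login (the billing-coordinator case above), permissions beyond a role's minimum-necessary set, and dormant accounts. The role names, permission strings, and sample roster and account data are assumptions constructed for the illustration.

```python
from datetime import date, timedelta

# Minimum-necessary permission sets per role (assumed for this illustration).
ROLE_PERMISSIONS = {
    "RBT": {"session_notes:write", "data_sheets:write"},
    "billing": {"insurance:read", "claims:write"},
    "front_desk": {"schedule:write", "demographics:read"},
}

def review_access(roster, accounts, today, dormant_days=90):
    """Cross-reference the HR roster with an EHR account export; return (id, finding) pairs."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts need no action
        uid, person = acct["id"], roster.get(acct["id"])
        # 1. An active login whose owner is not on the roster or has already separated.
        if person is None:
            findings.append((uid, "enabled account has no HR record"))
            continue
        end = person["end_date"]
        if end is not None and end < today:
            findings.append((uid, f"still enabled {(today - end).days} days after separation"))
            continue
        # 2. Permissions beyond the role's minimum-necessary set.
        excess = acct["perms"] - ROLE_PERMISSIONS.get(person["role"], set())
        if excess:
            findings.append((uid, "excess permissions: " + ", ".join(sorted(excess))))
        # 3. Dormant accounts usually mean an offboarding that was never finished.
        last = acct["last_login"]
        if last is None or today - last > timedelta(days=dormant_days):
            findings.append((uid, f"no login in {dormant_days} days"))
    return findings

# Constructed sample data: a billing coordinator who left three months ago,
# an RBT in good standing, and a front-desk account that can open full charts.
TODAY = date(2024, 9, 30)
ROSTER = {
    "jdoe": {"role": "billing", "end_date": date(2024, 6, 28)},
    "asmith": {"role": "RBT", "end_date": None},
    "frontdesk1": {"role": "front_desk", "end_date": None},
}
ACCOUNTS = [
    {"id": "jdoe", "enabled": True, "perms": {"claims:write"}, "last_login": date(2024, 6, 27)},
    {"id": "asmith", "enabled": True, "perms": {"session_notes:write"}, "last_login": date(2024, 9, 29)},
    {"id": "frontdesk1", "enabled": True, "perms": {"schedule:write", "chart:read"}, "last_login": TODAY},
]

def sample_review():
    return review_access(ROSTER, ACCOUNTS, TODAY)
```

Feeding the script a real HR export and EHR user list each quarter, and keeping its output in the compliance binder, is what turns "we review access" into documented evidence an auditor can accept.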
Mistake 4: Leaving Session Notes and Behavioral Data on Unsecured Devices
What clinics do wrong: Therapists complete paper data sheets that sit on clipboards in hallways. Tablets with session notes have no passcode. Laptops with PHI are left in cars. Behavioral data collection apps sync to personal cloud accounts.
Real-world consequence (de-identified): A clinic laptop was stolen from a therapist's vehicle. The device was not encrypted. The organization notified affected families, reported to HHS, and offered credit monitoring—total cost exceeded $80,000 in legal, IT, and reputational damage.
How to fix it: Encrypt all devices that access ePHI. Use clinic-managed hardware with MDM policies. Move to digital behavioral data collection inside your HIPAA-compliant EHR. Shred paper PHI promptly; never leave charts visible in therapy rooms.
Mistake 5: Sharing Patient Information Without Proper Authorization
What clinics do wrong: Therapists discuss client progress with school staff at IEP meetings without a signed release. Parents request records via Facebook Messenger and staff comply. Siblings' therapists share notes informally because "the family already knows."
Real-world consequence (de-identified): A parent filed a complaint after a therapist verbally shared treatment details with an unauthorized family member in the waiting room. OCR opened an inquiry. The clinic lacked documentation of authorization forms for disclosures—extending the investigation timeline.
How to fix it: Obtain written authorization before any PHI disclosure outside treatment, payment, or healthcare operations. Log disclosures in the patient record. Train staff on the minimum necessary standard. Use secure portals for record requests, not social media.
Mistake 6: No Breach Response Plan or Incident Logging
What clinics do wrong: Leadership assumes "we have never been hacked, so we are fine." There is no written incident response plan. Staff do not know whom to notify if a phone is lost or an email goes to the wrong parent. Near-misses are never documented.
Real-world consequence (de-identified): An intake coordinator emailed a treatment plan to the wrong family. The clinic had no breach protocol. By the time leadership involved legal counsel, they had missed internal documentation windows and complicated their regulatory narrative.
How to fix it: Write a breach response plan: contain, investigate, document, notify. HIPAA requires reporting to HHS and affected individuals within 60 days when PHI is compromised. Assign a Privacy Officer. Run a tabletop exercise annually. Near-misses should be logged and reviewed.
Mistake 7: Choosing EHR or Scheduling Tools That Are Not HIPAA-Ready
What clinics do wrong: Clinics adopt generic practice management software, spreadsheet scheduling, or free tools that were never designed for behavioral health or HIPAA. Vendors cannot or will not sign a BAA. Authorization tracking, audit logs, and encryption are afterthoughts.
Real-world consequence (de-identified): A clinic scaled to four locations on a non-HIPAA scheduling tool. When their largest payer requested a security attestation, the vendor declined to sign a BAA. The clinic faced a six-month platform migration while actively treating 300+ clients.
How to fix it: Vet every platform before storing PHI. Require a signed BAA, encryption at rest and in transit, role-based access, and audit logging. Choose EHR systems built for ABA therapy with authorization-aware scheduling and integrated secure messaging. Talk to TWO44 about HIPAA-compliant ABA software that covers intake, scheduling, documentation, and billing in one platform.
HIPAA Compliance Checklist for ABA Clinic Directors
- Deploy secure messaging—no PHI on personal SMS or consumer apps
- Sign BAAs with every vendor that touches PHI
- Train staff at hire and annually; document completion
- Encrypt devices; use role-based EHR access
- Obtain authorization before external disclosures
- Maintain a written breach response plan
- Use HIPAA-ready EHR and scheduling platforms built for ABA
Further Reading
- HIPAA Compliance for Software Development: A Developer's Guide
- HIPAA Compliance Guide for ABA Therapy Centers
- 9 ABA Therapy Software Features Your Practice Needs
- Protecting PHI in ABA Therapy: Patient Data Security
- Autism Therapy Software — HIPAA-Compliant ABA Platform
Ready to close HIPAA gaps across your ABA clinic? Book a free consultation with TWO44 to review your client data security practices and technology stack.