HIPAA
This SOP outlines HIPAA compliance requirements for protecting client health information.
Core Requirement
“We take precautions and do not disclose any information to third-party individuals about your child’s health information using any modality (written, oral, electronic, etc.). We require written consent from both parties to disclose any information. We maintain your child’s confidentiality, and their health information is protected as we adhere to the HIPAA privacy rule.”
What is Protected Health Information (PHI)?
PHI includes any information that could identify a client, including:
- Client name and contact information
- Diagnosis and medical history
- Treatment plans and progress notes
- Session data and behavioral records
- Photos or videos of clients
- Family information
- Insurance and billing information
Communication Rules
Microsoft Teams
- No personal client information allowed (HIPAA)
- Use client initials only, never full names
- Do not share identifiable details in chats
Phone/Text Messages
- Staff-to-staff communication must go through Teams
- Parent communication can use personal phone but:
  - Limited to last-minute cancellations or running late
  - Must be in group chat with case BCBA
  - If parent texts outside group chat, redirect to group
- Professional communication through Bee-Have email only
- Do not send PHI to personal email accounts
- Use secure methods for sharing sensitive documents
Consent Requirements
Before Sharing Information
Written consent is required from both parties before disclosing any information to:
- Schools
- Other therapy providers
- Family members not on consent form
- Insurance companies (beyond standard billing)
- Anyone outside the treatment team
BACB Code 2.03 (Consultation)
- Do not begin services until written consent has been obtained from caregivers
- Arrange appropriate consultations and referrals based on client’s best interests
- Subject to applicable law and contractual obligations
Confidentiality in Practice
In the Home
- Keep session notes and data secure
- Do not leave materials where others can see them
- Be aware of who can hear conversations about the client
In Schools
- Follow school confidentiality policies
- Do not discuss client with unauthorized school staff
- Keep data collection devices secure
In Public/Community Outings
- Do not discuss client details where others can hear
- Be discreet about therapy relationship
- Protect client dignity in public settings
On Social Media
- Never post about clients (even without names)
- No photos of clients or their homes
- No “friend” or connection requests with client families
Data Security
Electronic Records
- HiRasmus and Aloha are HIPAA-compliant platforms
- Do not store client data on personal devices
- Do not screenshot client information
Paper Records
- Keep physical documents secure
- Shred documents with PHI when no longer needed
- Do not leave client materials unattended
Photographs/Videos
- Only take with written consent
- Store only on approved, secure platforms
- Delete from personal devices immediately after transfer
Breach Reporting
If you suspect a HIPAA breach (unauthorized disclosure of PHI):
- Immediately notify your BCBA and Admin (Kayla and Louise)
- Document what happened
- Do not attempt to “cover up” the breach
- Cooperate with any investigation
Examples of Breaches
- Sending client info to wrong email address
- Leaving session notes visible to unauthorized person
- Discussing client in public where overheard
- Losing a device with client information
- Posting identifiable information on social media
Annual Training
All staff must complete annual HIPAA training to:
- Understand current regulations
- Review company policies
- Learn about new threats and protections
- Maintain compliance
Consequences of Violations
HIPAA violations can result in:
- Disciplinary action up to termination
- Personal legal liability
- Fines and penalties
- Loss of professional credentials
Quick Reference
| Situation | What to Do |
|---|---|
| Parent asks you to share info with grandparent | Get written consent first |
| Coworker asks about a client not on their case | Do not share |
| You accidentally send info to wrong person | Report immediately to BCBA and Admin |
| School staff asks for therapy details | Verify they have consent on file |
| Family member posts session photo tagging you | Ask them to remove; do not engage |
Related SOPs
- Code of Conduct — Professional standards
- Incident Reporting — Reporting procedures
- Microsoft 365 Training — Secure communication tools