E.4. Identify and comply with requirements for collecting, using, protecting, and disclosing confidential information.

Identify and Comply With Requirements for Collecting, Using, Protecting, and Disclosing Confidential Information

If you work in ABA—whether as a BCBA, clinic owner, senior RBT, or supervisor—you handle confidential client information every day. Session notes, behavioral data, video recordings, health details, even a client’s identity itself: all of it is sensitive and protected by professional and legal standards. Yet many practitioners are uncertain about exactly what they’re allowed to collect, how they can use it, when they must protect it, and when disclosure is appropriate or required.

This article walks you through the four core duties you have around confidential information: collecting data thoughtfully, using it only for agreed purposes, protecting it with real security measures, and disclosing it only with proper permission or when law requires it. We’ll cover the practical steps you need at intake, during ongoing services, when others ask for information, and when unusual situations—like a subpoena or suspected breach—arise.

By the end, you’ll have a clear framework for handling confidential information that keeps your clients’ trust intact, keeps your practice legally sound, and reduces your exposure to preventable errors.

What Counts as Confidential Information in ABA

In ABA practice, confidential information is any data that identifies or relates to a client and their services. This includes obvious things like a client’s name, address, and diagnosis. But it also includes behavioral data (frequency counts, data sheets, progress notes), assessments and testing results, session recordings or photographs, health information, treatment plans, and communications with the client or family.

The key point: confidentiality protects not just what you know about a client, but the fact that someone is receiving your services at all. A guardian might consent to you sharing behavior data with a school, but may not want the school to know their child is in ABA therapy.

Confidential information differs from anonymous or de-identified data, where the client’s identity has been removed or disguised. De-identified data can sometimes be shared with fewer restrictions, but it still requires careful handling: a client can often be re-identified if enough details (age, diagnosis, school, dates of service) remain in the record.

Your Four Core Responsibilities

Collecting: Gather Only What You Need

The principle is simple: collect the minimum necessary information to provide good care and maintain accurate records. When you begin services, ask: “What specific data do I actually need to assess this client, monitor progress, and coordinate care?”

For example, if you’re tracking behavior frequency in a school setting, you need the date, time, behavior definition, and count. You probably don’t need the client’s full medical history, insurance details, or a video of the incident—unless those details are clinically relevant. This data minimization reduces the risk that information will be lost or misused.

Document your data-collection practices in your intake process. Explain to guardians what information you will collect and why. If you plan to use video, audio, or photographs for supervision, training, or other purposes, that requires a separate conversation—not just a checkbox on a general intake form.

Using: Stick to Your Agreed Purpose

Once you collect confidential information, you can use it only for the purposes the client or guardian agreed to. If a guardian signed consent for you to collect behavioral data for treatment and supervision, that consent covers those two things. It doesn’t automatically allow you to use the same data for staff training, research, marketing, or publication.

This is where many ABA providers stumble. A general intake signature saying “information will be shared as needed” is vague and easily misunderstood. Guardians may think “as needed” means clinical coordination; you may think it includes staff training.

Clearer language works better: “Your child’s behavioral data will be used to guide treatment decisions and will be reviewed with supervising BCBAs to ensure quality care. Video of sessions will not be recorded unless we request separate permission.”

When you use client data—for notes, treatment planning, or supervision—keep a brief record of who accessed it and why. This is especially important for electronic records, where device logs or access controls can track who opened a file and when.

Protecting: Keep Confidential Information Secure

Protecting confidential information means actively preventing unauthorized access or accidental loss. This isn’t a one-time step; it’s an ongoing practice across your whole operation.

Physical security matters. Client files should be stored in a locked cabinet or drawer, not left on a desk or in a car. Only staff who need a specific file should know where it is. If you transport records, use a secure container and never leave them unattended.

Electronic security is equally critical. All devices storing client information—laptops, tablets, phones—should have a strong password or PIN and full-device encryption. If a device is lost or stolen, encryption ensures the data can’t be read without the passcode or recovery key. On iPhones and iPads, setting a passcode turns on the built-in encryption; on Macs, use FileVault; on Windows Pro, use the built-in BitLocker drive encryption. If you use cloud storage, make sure the platform encrypts data in transit and at rest, and that you have a vendor agreement with confidentiality commitments.

Common vulnerabilities include weak or reused passwords, phishing emails, unsecured Wi-Fi networks, and failure to log out of shared devices. Train your team on these basics. Even one careless click can expose client information.

Set a clear policy: which devices can store client data? Which applications? Who has access to what? Update these policies as your practice grows or technology changes.

Disclosing: Share Only With Permission or When Required by Law

The strictest rule: don’t disclose confidential information to anyone outside your team without the client’s informed permission or a legal mandate.

When a guardian gives permission, make sure it’s informed and specific. Informed consent means they understand:

  • What information will be shared (e.g., “behavior frequency data,” not “your child’s entire clinical file”)
  • Who will receive it (e.g., “your child’s classroom teacher,” not “anyone at the school”)
  • Why it’s being shared (e.g., “to help the teacher support your child’s progress”)
  • How long the permission lasts (e.g., “this school year” or “until discharge”)

Different situations call for different levels of detail. Sharing behavioral data with a teacher for classroom coordination differs from sharing with an insurance company for billing. Each may require separate consent, or at least a clear conversation about scope.

A written authorization to release information to third parties should clearly name the recipient, the information to be released, and the purpose. Don’t assume a general intake consent covers these releases. Keep a copy of any signed authorization.

There are exceptions where disclosure is required or allowed without consent:

  • Legal orders (subpoenas, court orders) require release, though you should verify validity and consult your supervisor or attorney first
  • Mandated reporting of abuse, neglect, or imminent safety threats is a legal duty that overrides confidentiality
  • Emergency situations may require sharing information to prevent serious harm
  • Internal team communication for treatment is allowed without additional consent, as long as team members have a legitimate need to know

Whenever you disclose information—with consent, under legal order, or due to emergency—document it. Record who received the information, what was shared, when, and why. This creates an audit trail and protects you if questions arise.

Why This Matters: The Bigger Picture

Confidentiality isn’t just a compliance checklist. It’s the foundation of trust between you and the families you serve. Families share deeply personal information—struggles, fears, behaviors that embarrass them, past traumas. They do this because they believe you’ll keep that information safe and use it only to help. When you mishandle confidential information, you damage that trust, often irreparably.

From a legal standpoint, confidentiality duties are rooted in professional ethics codes, state licensing laws, and federal regulations like HIPAA. Breaches can result in complaints, fines, and lawsuits. But beyond legal risk, there’s a human one: a client harmed by a privacy breach may withdraw from services, warn other families away, or suffer real psychological injury.

Confidentiality also supports better clinical work. When clients trust that their information is protected, they’re more open in sessions and more willing to engage in challenging interventions. When team members have clear access to only the data they need, they can focus on what matters most. When you use data only for its intended purpose, you reduce incidental harm.

Key Features of Confidentiality Compliance

To handle confidential information well, your practice should have clear practices across these areas:

Purpose-limited collection means collecting only data that serves treatment, assessment, supervision, or administration. Before adding a new data point—like starting to record video—ask: “Do we actually need this, and do we have consent?”

Informed permission ensures clients and guardians understand and agree to how you collect, use, and share their information. This isn’t a one-time signature; it’s an ongoing conversation, especially when you introduce new types of data collection.

Security controls include physical locks, passwords, encryption, access logs, secure disposal of old records, and regular staff training. These aren’t optional add-ons; they’re professional standards.

Minimum necessary disclosure means sharing only as much as required for the specific purpose. A teacher doesn’t need your entire assessment report to modify classroom strategies; a summary of key target behaviors and effective reinforcers is enough.

Documentation is your evidence trail. Record when you obtained consent, what was consented to, who received what information, and when. If something goes wrong, clear documentation shows you acted in good faith.

An important boundary: emergencies and legal orders can override routine consent rules. If a client is in immediate danger, you can and must share information with emergency responders. If a court orders records released, you must comply while still asserting applicable privilege and limiting disclosure. These exceptions don’t mean consent doesn’t matter; they mean consent isn’t always the controlling factor.

When and How to Apply These Principles

The real test comes in daily moments when you face actual decisions about what to share and how.

At intake and assessment: Before services begin, explain your confidentiality practices clearly. Use language like: “We’ll collect behavioral data to understand your child’s needs and monitor progress. This information is protected and shared only with people directly involved in care. If we want to use video or photos for training or supervision, we’ll ask for separate permission. Do you have questions about what we’ll collect or how we’ll use it?”

When introducing new data collection methods: If you’re considering video feedback, photo-based behavior charts, or recording sessions, don’t assume existing consent covers these. Have a conversation: “We’d like to record a 10-minute video of your child’s session so the supervising BCBA can review it. The video will be stored securely and deleted after 30 days. May we do that?” Get written confirmation.

When sharing with schools, insurance, or other providers: Verify you have a signed authorization naming the recipient and type of information. Don’t assume a provider “needs” everything; share the minimum necessary. A school doesn’t need your diagnostic assessment for classroom support; they need a brief summary of what works. Keep a log: “Shared behavior frequency data with Teacher Smith, 5/12/24, for classroom planning.”

When a subpoena or court order arrives: Don’t release records immediately. Notify your supervisor or consult legal counsel. Verify the order is legitimate. If privilege applies, assert it in writing and wait for a judge to rule. Release only records specifically named. Document the date you received the request, who you consulted, what you released, and to whom.

When using client data for training, research, or publication: Original treatment consent doesn’t cover these uses. Obtain separate documented permission, or de-identify material thoroughly. If you de-identify, document your process and consider whether someone could still identify the client from remaining details.

Real-World Examples in ABA

Example 1: Cloud Storage Without Explicit Consent

A BCBA begins using a data-collection app that syncs to cloud storage. The intake form says families agree to “data collection as needed for treatment,” but doesn’t mention cloud storage or synchronization.

The problem: Cloud storage involves third-party servers and new security considerations. The family didn’t explicitly agree to this method.

The right approach: Contact the family: “We use a secure app to record behavior data. It syncs to a cloud server with encryption, which our team accesses to monitor progress. The server is run by [Company X], and we have a business associate agreement with them. Do you agree to this, or would you prefer paper data sheets?” Get written confirmation.

Why it matters: Explicit consent for storage methods shows respect for the family’s autonomy and protects you if the cloud provider experiences a breach.

Example 2: Supervision vs. External Sharing of Video

A behavior technician records a video of a client performing a new skill. The intake consent authorizes video for clinical supervision. The technician shares the video with a teacher to show the skill being performed.

The problem: The consent authorizes supervision, not sharing with the school. The teacher isn’t a supervising BCBA; this changes the purpose and audience.

The right approach: Before sending the video, check with the BCBA. Better yet, contact the family: “We have a great video of your child’s new skill. The teacher asked if she could see it. May we share it?” If the family says no, respect that. If yes with conditions, follow them exactly.

Why it matters: Even small changes in who receives information require checking consent. Families may have different comfort levels with different audiences.

Common Mistakes and Misconceptions

Mistake 1: Assuming one signature covers everything. Many practices have families sign a general intake consent, then months later want to use a client video in training or share data with a new provider. Don’t assume old consent applies. Different types of sharing—especially external, public-facing, or research uses—need their own permission.

Mistake 2: Sharing too much information. When a teacher or school district requests information, practices often send the full file. Share only what answers the specific question. If the teacher asks about morning transitions, send a targeted summary, not the entire assessment.

Mistake 3: Failing to document verbal consent. A guardian calls and says, “Email my child’s progress report to the school.” You do it but never write down the consent. Always get written permission when possible, or send a follow-up email: “I shared your child’s progress report with [School] today as you requested.”

Mistake 4: Confusing confidentiality with privacy and privilege. Confidentiality is your professional duty to keep information private. Privacy is the client’s right to control information about themselves. Privilege is a legal protection preventing forced testimony about certain communications. They overlap but aren’t identical.

Mistake 5: Not updating consent when practice changes. You start using a new record system, hire a new supervisor, or shift to remote sessions. Review your original consent: does it still apply? Often, a brief email explaining the change and confirming comfort is all you need.

Ethical Considerations and Responsibilities

Confidentiality reflects your respect for the people you serve. This means thinking beyond minimum legal requirements.

Secondary use without consent: Client data collected for treatment shouldn’t be used for research, marketing, or training without additional consent or thorough de-identification. If you recorded a session for supervision, the client consented to supervision, not training videos.

Access and supervision: Supervisors need access to supervisee records. But limit access to what each team member needs. A behavior technician working with two clients shouldn’t access notes from other clients. A new intern shouldn’t have full file access until trained and assigned.

Mandated reporting: If you have reason to believe a child is being abused or neglected, or there’s imminent risk of harm, you must report, even if it violates confidentiality. Document your decision and help families understand this exception upfront.

Documentation and accountability: When you disclose information outside normal channels, document the date, what was shared, who received it, and why. If a breach occurs, document your response: what did you do, who did you notify, what steps did you take to prevent recurrence?

Practice Questions to Test Your Understanding

Question 1: A guardian signed your intake form two years ago. Today, the client’s teacher asks for a behavior log. Your intake form says “information will be shared as needed.” Should you send the full log?

Best answer: No—send only minimum necessary information after confirming with the guardian and documenting the disclosure.

Why: The “as needed” language is too vague. Confirm what the guardian understands and is comfortable with.

Question 2: You recorded a session for the supervising BCBA. A researcher asks to use it for a study. Can you share it?

Best answer: No—get separate documented consent specifically for research use.

Why: The original consent was for supervision, not research. Research is a secondary purpose requiring its own permission.

Question 3: You receive a subpoena demanding all records for a client in a custody dispute. What’s the best immediate action?

Best answer: Consult legal counsel before releasing anything. Verify the subpoena, document the request, and release only records specifically named.

Why: Subpoenas sometimes exceed their authority. Consulting counsel ensures compliance while protecting the client.

Question 4: A guardian withdraws consent for using their child’s photo in training after it was already shown once. What should you do?

Best answer: Stop using the photo, remove or exclude it from recordings if possible, and document the withdrawal and actions taken.

Why: Families can withdraw consent at any time. Honor that by ceasing use and limiting further dissemination.

Question 5: A BCBA stores client data on a personal laptop with no password protection. How should this be handled?

Best answer: Move data to a secure, approved location with password protection and encryption, and report any potential exposure following agency protocol.

Why: Unencrypted devices without password protection are serious vulnerabilities. Data must be protected proactively.

Related Concepts

Informed consent is closely related to confidentiality. Before you collect or use information, the client or guardian must understand and agree. Informed consent explains how data will be used; confidentiality ensures you keep that promise.

Data minimization means collecting only what you need. Less data means less to protect and less risk if a breach occurs.

De-identification and anonymization reduce privacy risk. De-identification removes direct identifiers; anonymization aims to prevent re-identification even with contextual information. Both require care—what looks de-identified might still allow re-identification.

Record retention and destruction policies determine how long you keep files and how you dispose of them safely. Confidentiality includes protecting information after services end.

Mandated reporting and safety exceptions create important limits. When safety is at risk, you have a duty to report, even if it violates confidentiality.

Professional boundaries and social media interact with confidentiality. Never post identifying client information on social media. Even a photo with the client’s back turned might be recognizable.

Frequently Asked Questions

What exactly counts as “confidential information” in ABA?

Anything that identifies or relates to a client: name, behavioral data, session notes, assessments, recordings, health information, treatment plans, and even the fact that someone is receiving services.

Do I always need written consent to record sessions?

Best practice is yes. Before recording, get explicit permission explaining why you’re recording, where it will be stored, who will access it, and how long you’ll keep it. A checkbox on an intake form usually isn’t enough.

Can I share client information with other professionals on the treatment team?

Yes—but only to the extent necessary for treatment. All team members should have a legitimate need to know. Share only information directly relevant to their role, and document what you shared and why.

What should I do if I think a record has been breached?

Secure systems to prevent further access, notify your supervisor, follow your agency’s incident protocol, and document the timeline. Assess whether information was actually compromised or just at risk. Consult legal counsel about whether to notify affected clients. Always conduct a post-incident review.

Is de-identified data safe to use for training or publishing?

It’s lower risk but not risk-free. Consider whether someone could identify the client from remaining details. When possible, obtain consent for secondary uses even if data is de-identified. Document your de-identification process.

How long should I keep client records after services end?

This varies by state law and agency policy. Many practices follow a 5- to 7-year timeline post-discharge, but some situations require longer retention. Consult your agency policy. When disposing of records, use secure destruction and keep a destruction log.

Key Takeaways

Confidential information is the lifeblood of your therapeutic relationship with families. Handling it well—collecting only what you need, using it only as agreed, protecting it actively, and disclosing it only with permission or legal mandate—shows respect and builds trust.

The four core duties are simple to state and sometimes challenging to practice consistently. Make it concrete: train your team on password protocols, create templates for consent and authorization, build a disclosure log into your documentation system, and establish a clear incident response plan. When decisions are unclear, ask your supervisor before acting.

Remember that confidentiality isn’t just a box to check. It’s an expression of your commitment to the families who rely on you. By protecting their information, you protect their dignity, their autonomy, and their ability to trust you with their most private concerns.
