Data Collection in ABA: Mitigating Cyber Liability Risks for Employee-Generated Notes”

Cyber liability risks exist in ABA clinics, especially regarding data collection, and providers must understand how to counteract them to move forward successfully. One of the fundamental responsibilities of any healthcare professional is to ensure the privacy and confidentiality of patient information. It includes providing personal space for patients, safeguarding their personal data, and respecting their personal choices and relationships. The Health Insurance Portability and Accountability Act (HIPAA) ensure that people have privacy in all aspects of patient care. For ABA providers, this includes data collection and storage of patient notes.

HIPAA Requirements for Data Collection

According to HIPAA’s definition, psychotherapy notes include any notes a professional takes during a mental health counseling session. These notes are not typically part of the patient’s medical record but are subject to the same level of confidentiality requirements. HIPAA frees patients with the chance to see their medical records and sensitive health information, but they do not have the right to access psychotherapy notes. Because psychotherapy notes are the ABA provider’s personal notes, they are likely to contain sensitive information. Therefore, therapists should not share them with anyone.

HIPAA Regulations for Psychotherapy Notes

HIPAA allows for the disclosure of psychotherapy notes in only a few instances. These include the following:

  • Assistance to a coroner or medical examiner
  • Cooperation with investigation by the Department of Health and Human Services
  • Notification of appropriate organizations in case of a threat to public health and safety
  • Self-defense in a court proceeding

Consequences of Data Collection Leaks

ABA providers must safeguard any confidential patient information they gather during the treatment in compliance with HIPAA guidelines. Intentional or accidental disclosure of information violating these guidelines undermines the vital trust in the relationship between patient and caregiver and violates the principles of confidentiality and informed consent. Any violation of HIPAA protections, including a data breach or loss of physical paper-based notes, can result in penalties and fines, regardless of how, where, or why the loss occurred. A single HIPAA violation can garner fines ranging from $25,000 to $1.5 million.

How to Safeguard ABA Data Collection

ABA providers must protect physical or electronic psychotherapy notes as they protect all sensitive patient data. Here are some suggestions about how ABA providers safeguard this information against physical loss or cyber liability.

Risk Analysis

Conduct a thorough risk analysis to pinpoint gaps in security methodology. It should include proper training for all staff members and an examination of software provider security.


Encrypting all electronic information for an additional layer of cyber security is critical. Furthermore, there should be limited access to this sensitive information.

Physical Storage

When data collection procedures include taking physical notes on paper, employ special precautions to ensure security. Using a locked cabinet for all paper-based patient data is also paramount.

Intentional Destruction

Follow all legal requirements for medical record retention regarding patient relationships that have lapsed or terminated. When destroying psychotherapy notes, there must be a singular destruction process to prevent anyone from piecing the papers back together. A third-party shredding service is a good option. Lastly, signing a business associate agreement with that organization is a good idea to ensure security.

About Olson Duncan Insurance

At Olson Duncan Insurance, we strive to offer all-inclusive solutions rather than mere quotes or policies. Our clients rely on lasting, trust-based relationships and appreciate the tailored insurance and risk management solutions they receive. Contact Daniel and our team at (310) 373-6441 to discuss your needs or request a quote.