The Overlooked Security Gaps That Could Cost Your ABA Business
Sep 04, 2025
We’re excited to welcome guest writer Joshua Nelson to this week’s ABA Compliance Chronicle. As co-creator and CXO/CMO of ABA Impact, Joshua helps mission-driven clinician-entrepreneurs build ABA therapy practices that scale without sacrificing ethics, client care, or team well-being. He also serves as CXO/CMO of WOM Technology Management Group, where he advises on compliance-forward IT and cybersecurity strategies for healthcare and defense organizations.
In his article, Joshua pulls back the curtain on five critical — but often overlooked — security mistakes many practices are making — and what you can do today to protect your clients, your staff, and your organization.
Running an ABA practice is already demanding — hiring staff, managing payers, ensuring client care, and juggling never-ending admin. It’s no wonder that tech, cybersecurity, and HIPAA compliance often end up on the back burner.
But here’s the hard truth:
Most ABA businesses are just one email click, one stolen tablet, or one untrained staff member away from a preventable compliance disaster.
The worst part? You won’t see it coming until it’s too late.
We've reviewed hundreds of ABA companies in the last year. Most of them are doing their best — but even the most passionate providers are unknowingly making serious mistakes that could cost them — and their clients — everything.
Let’s break down the top five.
1. Relying on “HIPAA-Compliant” Software and Thinking That’s Enough
Too many providers assume that if they’re using a HIPAA-compliant EMR or email tool, they’re covered.
They’re not.
Real-world risk: One BCBA uploaded PHI to a personal Google Drive because she couldn’t access the EMR on her phone. It wasn’t malicious — it was a workflow gap. If that device were lost, hacked, or even borrowed by a family member, she’d be facing a reportable breach.
What HIPAA really requires: It’s not just about tools — it’s about policies, procedures, training, and documentation. HIPAA compliance is a system, not a checkbox.
2. Ignoring Mobile Device Vulnerabilities (Because They’re “Just Tablets”)
ABA is one of the most mobile fields in healthcare. RBTs and BCBAs work from clinics, schools, homes, and cars — often using personal or company-issued tablets.
The problem? Most practices don’t have mobile device management (MDM) in place. No encryption. No remote wipe. No access control. In many cases, employees are allowed to use their own personal devices, and even their own personal email accounts, to log in to company software and access sensitive PHI — which is far more common than it should be.
Real-world risk: A lost iPad left in a client’s home. A tech-savvy sibling opens Gmail and finds therapy notes. Suddenly, that $400 tablet turns into a $400,000 OCR fine.
The fix: If your team is using mobile devices for work, you must have policies and protections in place — encryption, app restrictions, and the ability to remotely lock or wipe.
3. Not Controlling Who Has Access to What
Your admin shouldn’t be able to see PHI. Your RBTs shouldn’t be logging in as supervisors. And former employees should never be able to access your files, email, or EMR.
But we’ve seen it — too often.
Real-world risk: A disgruntled former employee accessed client records using an old, shared password and leaked them on social media. The agency had no access logs, no password policy, and no audit trail.
Access control is a HIPAA requirement. If you can’t prove who accessed what, when, or why — you’re not compliant.
4. Assuming Your IT Person Has It Handled
We love IT providers. They’re important. But here’s the truth:
Your IT company is not your compliance officer, and they’re not going to be the ones held responsible for compliance failures — you, the business owner, will be. And they shouldn’t be the ones deciding your risk tolerance.
The Real Mistake: Many ABA owners (and business owners in general) assume their tech vendor is handling everything “the right way” simply because they’re professionals. But we've audited environments where:
- No email encryption was enabled
- Admin accounts had no multi-factor authentication (MFA)
- Devices were months behind on critical security patches
These aren't rare mistakes — they're recurring patterns we see across ABA businesses, even ones paying for monthly IT support, and that support gives them a false sense of security and compliance.
Overbuilt, Oversold, and Under-Compliant
Here’s the other side of the coin:
You could ask your IT company about HIPAA protections and walk away with a quote for an enterprise-grade firewall system or a $10K server migration.
But that might be complete overkill for your clinic — and it still may not cover what HIPAA actually requires, like mobile device management, audit trails, or staff training documentation.
If your IT company is selling you solutions instead of asking for your compliance framework, they’re guessing — and billing you for it.
The Mindset Shift:
You shouldn’t be asking your IT provider what you need.
You should be telling them, “Here’s what we need to implement to meet these compliance and workflow requirements.”
HIPAA gives you the “what.” Your systems and operations define the “how.”
Your IT provider should help you implement the roadmap — not create it from scratch without your oversight.
Bottom Line:
Your tech vendor might be great at setting up networks, printers, or clinic Wi-Fi — but that doesn't mean they understand the privacy and security liabilities tied to behavioral health data.
You need a partner who:
- Understands ABA workflows (not just healthcare in general)
- Knows what HIPAA actually requires — and what’s optional
- Can help you scale your security without locking you into expensive and unnecessary tools
5. Thinking “It Won’t Happen to Me” — Until It Does
Denial isn’t just dangerous — it’s expensive.
Most ABA providers aren’t malicious or negligent. They’re overworked, under-supported, and stretched thin. But HIPAA doesn’t make exceptions for burnout.
Here’s what most owners don’t realize:
- HIPAA doesn’t care if you meant to violate it.
- The Office for Civil Rights (OCR) won’t accept “We didn’t know” as a defense.
- Business insurance might deny coverage if you didn’t have safeguards in place.
But It’s Not Always the OCR Who Finds You First...
You might assume that unless you’re hit with a direct OCR audit, you’re safe.
That’s not how this works.
Medicaid and commercial payers can request proof of HIPAA compliance at any time — and they often do during random desk audits or recoupment reviews.
Why?
Because one of the requirements to legally receive payment for Medicaid claims is that your business is HIPAA compliant. If you can’t produce policies, risk assessments, or training logs, it doesn’t just look bad — it can trigger a full-scale audit.
We’ve seen agencies flagged by payers, then snowball into federal investigations.
The result? Tens of thousands in recouped claims, unpaid invoices, or frozen funding — on top of HIPAA fines.
What’s Really at Stake:
- Up to $50,000 per HIPAA violation
- Thousands in unpaid or recouped claims
- Contract loss or lawsuits from clients/families
- Total shutdown of services — even if unintentional
- Permanent damage to your reputation and staff morale
But There’s a Way Out
We’ve seen small clinics survive audits with minimal penalties — not because they were perfect, but because they had:
- A clear risk assessment
- A written POAM (Plan of Action and Milestones)
- Documented training and security safeguards
- Policies
That’s called “good faith effort.” And it can make the difference between a warning and a six- or seven-figure penalty.
Bottom Line:
No one thinks it’ll happen to them — until it does.
But in compliance, the perception of negligence is just as risky as the violation itself.
If you don’t have documentation to prove you’re working on it, you’re playing Russian roulette with your license, funding, and future.
So, What Can You Do?
Start with a low-friction, high-impact audit readiness assessment.
You don’t need to solve everything today — but you do need to know what’s exposed and what’s working.
An ethical assessment gives you:
- A clear roadmap of what needs to be fixed
- Documentation to show “good faith effort” if you’re audited
- Peace of mind that you’re not flying blind
You’re not failing — you just haven’t built the system yet.
But the longer you wait, the harder (and more expensive) it becomes.
Final Thought
You built your ABA business to change lives — but that mission depends on trust, security, and sustainability.
Take the first step.
Don’t wait for a breach, a fine, or a headline to force your hand. A 90-minute review could save your business, your license, and your sanity.
You don’t need to know all the answers. You just need to ask the right questions.
Quick Tip You Can Implement Today:
Create a “Lost Device Plan” and Share It with Your Team. We've created a sample plan for you here. Even a basic protocol can make a huge difference. Draft a simple 1-page document that says:
- What to do if a work tablet or phone is lost or stolen
- Who to notify immediately
- How to remotely wipe or lock the device (if possible)
- What to document for your records
Then, email it to your team and review it at your next staff meeting.
This shows “good faith effort,” starts the compliance conversation, and gives your staff a clear action plan for one of the most common and costly HIPAA issues in ABA today.