Waitlists, Referrals, and Compliance: Protecting Families While Supporting Access
Sep 18, 2025
Families waiting for ABA services are often under tremendous stress, and providers feel that urgency too. Many BCBAs and agency leaders naturally want to help by pointing families toward another provider that may have availability. This impulse comes from a kind and loving place: a genuine desire to see children receive medically necessary care as quickly as possible, even if it means directing them elsewhere.
But here’s the challenge: when agencies or BCBAs share waiting list details with other providers, they risk stepping into serious compliance and ethical trouble. Good intentions do not erase the potential for HIPAA violations, state law breaches, or ethical missteps. To truly serve families, agencies must find ways to collaborate safely and legally. Read on to learn how to do that and download our free referral compliance checklist and sample waitlist referral form.
HIPAA & State Laws: Privacy First
- HIPAA protects any identifiable health information, even if a person has not yet started services. Information collected during intake or for a waiting list—names, diagnoses, insurance details, contact info—is considered Protected Health Information (PHI). Sharing this information without written authorization is a violation.
- State privacy laws may add further requirements, especially for mental health or developmental disability information. These laws can require additional consent, impose stricter notice obligations, or carry harsher penalties. Providers must always follow the standard that offers the greatest protection for the family’s information.
BACB Ethics Code: How It Might Apply
Even if children on waiting lists are not yet official “clients,” the Ethics Code for Behavior Analysts (2020) emphasizes responsible handling of all entrusted information:
- 1.02 Conforming with Legal and Professional Requirements – Analysts must follow laws like HIPAA and state privacy statutes.
- 2.03 Protecting Confidential Information – Confidentiality must be safeguarded in work-related activities, which extends to intake and waitlist contexts.
- 2.04 Disclosing Confidential Information – Disclosure is only permitted with informed consent, for safety, for payment, or when legally required.
- 3.06 Consulting with Other Providers – Collaboration is ethical only when it serves the individual’s best interests and proper consent is obtained.
Key Point: Families trust that information shared during intake or while waiting will be protected just as carefully as information from active clients.
Business Associate Agreements (BAAs)
If agencies anticipate exchanging PHI, they must sign a Business Associate Agreement (BAA). A BAA:
- Defines what information may be shared and for what purpose.
- Establishes minimum safeguards.
- Outlines procedures for breach notifications and accountability.
Without a BAA, sharing PHI (even for referral purposes) is legally insecure and puts both agencies at risk.
Collusion Concerns
Collusion refers to agreements or coordination between businesses that restrict competition or limit consumer choice. In healthcare, this could look like agencies dividing up service areas, swapping clients, or creating “exclusive referral clubs.”
Why is collusion a problem? Because it interferes with the principle that families should have the freedom to choose among all available providers. Regulators view collusion as a threat to fairness in the marketplace, and families may perceive it as providers putting business interests ahead of client needs.
Importantly, intent doesn’t erase perception. Even when actions are motivated by kindness, if agencies coordinate referrals in ways that reduce choice, it could still look like collusion to outsiders—or to auditors.
Example Scenarios
- “Client Swapping” – Agency A and Agency B agree to redirect families based on geography rather than family preference. Families are told where to go instead of being given a choice.
- “Preferred Referral Deals” – Several agencies agree to refer only to each other, bypassing other community options. Families may get faster placements but lose access to the full range of providers.
A Compliant Referral Framework
To balance compassion with compliance, agencies should adopt a single referral framework that keeps families informed, protects their data, and offers flexibility in how information is shared.
Steps in the Framework:
- Inform families of options
  - Be upfront about wait times.
  - Let families know other providers may have availability.
  - Why it matters: Transparency builds trust and empowers family choice.
- Seek informed consent in writing
  - Ask families whether they want you to assist with a referral.
  - Document their preferences clearly.
  - Why it matters: Consent is the cornerstone of HIPAA, state laws, and the Ethics Code.
- Offer levels of disclosure
  - General referral only: Give families contact information for other agencies, and they make the outreach.
  - Deidentified profile: With consent, share non-identifiable information (e.g., “Child, age 5, autism, 20 hours/week, private insurance”).
  - Identifiable PHI: With explicit written release, share limited necessary PHI under a BAA.
  - Why it matters: Families decide how much of their information is shared, ensuring autonomy and compliance.
- Use BAAs for exchanging PHI
  - Any time identifiable client data is shared between agencies, a BAA must govern the exchange.
  - Why it matters: BAAs create a legally secure framework for handling PHI.
- Keep families in control
  - Families choose whether they contact the partner agency directly or authorize you to share their details.
  - Why it matters: This avoids the appearance of collusion and ensures the family’s wishes drive the process.
- Document everything
  - Record consents, disclosures, and agreements.
  - Why it matters: Documentation protects your agency in an audit and demonstrates ethical integrity.
Bottom Line
The urge to share waiting list information comes from a good place—but without safeguards, it can result in HIPAA violations, state law breaches, and ethics code issues. Worse, referral practices that reduce choice may look like collusion, even when meant to help.
The safest approach is to follow a Compliant Referral Framework:
- Always obtain informed consent.
- Use BAAs when PHI is exchanged.
- Let families decide how their information is shared and which agencies they contact.
If your agency has ever struggled with how to handle referrals while protecting client information, you’re not alone.
Most teams aren’t trying to cut corners. They’re trying to help families quickly, and in doing so, they often end up navigating complex privacy, ethical, and regulatory requirements without a clear framework.
That’s exactly where having the right systems in place makes a difference.
Inside the ABA Compliance Collective, we help ABA leaders build practical, compliant processes for situations like this. From referral workflows and consent practices to data sharing policies and documentation standards, you’ll have access to tools, templates, and guidance that help your team act with both compassion and compliance.
If you want to strengthen your referral practices and reduce risk across your organization, you can learn more here:
https://www.abacompliance.com/collective
While you're thinking about joining the community, please feel free to download two resources normally only available to community members: Our Referral Compliance Self-Audit Checklist and our sample Referral Policy.
