June 2, 2025
3 min read

How to Keep ABA Client Data Safe Beyond HIPAA Labels

Josh Nelson
CXO at ABA Impact

Beyond the "HIPAA-Compliant" Label: Is Your HIPAA-Compliant Software Truly Keeping Your Clients Safe? What You Might Be Overlooking

As ABA therapy owners, you depend on Software as a Service (SaaS) platforms for managing everything from client records to scheduling and communications. These tools have become the backbone of operational efficiency in your practices, and many of them proudly display the "HIPAA-compliant" label. While that sounds reassuring, it may be giving you a false sense of security.

Simply using HIPAA-compliant software does not mean that your ABA practice is fully protected or compliant with the law. Software providers ensure their platforms are built to comply with HIPAA’s requirements, but the reality is more complex. The safety of your client data ultimately hinges on how your practice configures, manages, and uses these tools.

What is SaaS and How Does it Relate to ABA Therapy?

SaaS (Software as a Service) is cloud-based software you access via the internet, without needing to install or maintain it on your own systems. In ABA therapy, SaaS tools are used for managing client records, scheduling, billing, and securely storing documentation.

These platforms make everyday tasks more efficient, but using them safely requires more than just relying on their HIPAA-compliant labels. Ensuring proper setup, access control, and staff training is essential to keeping sensitive client data secure.

That includes enabling features like Multi-Factor Authentication (MFA), which adds a critical layer of login protection against unauthorized access. It’s a simple yet powerful safeguard that verifies a user’s identity using a second step, like a temporary code or mobile prompt. Without MFA, even strong passwords are often not enough.

Understanding the Shared Responsibility Model

Think of SaaS applications as a high-quality safe. The manufacturer guarantees the integrity of the safe, but if you leave it unlocked, use a weak combination, or allow unauthorized access, the fault lies with you.

The same principle applies to HIPAA-compliant software: your software provider can deliver a secure platform, but securing your practice’s data is a shared responsibility between you and your software providers.

For example, even if your SaaS provider encrypts data and secures their infrastructure, it can’t protect you from poor password practices, untrained employees, or misconfigured settings in your system. That’s your responsibility. You need to think beyond the “compliance label” and focus on how your practice handles data internally. This is where implementing and enforcing MFA becomes non-negotiable, because it reduces the risk of someone getting in even when passwords are guessed, phished, or leaked.

Real Threats to Your ABA Practice’s Data

Here are some risks that may be present in your environment and must be safeguarded:

  1. Weak Passwords
    A weak password is an open door for cybercriminals. If your employees reuse simple passwords across platforms, it’s like handing over the keys to sensitive client data. Enforce strong, unique passwords for every account, and regularly update them to reduce this risk.
  2. Lack of Multi-Factor Authentication (MFA)
    MFA adds an extra layer of security by requiring a second form of identification, like a code sent to an employee’s phone. If MFA is not enabled, your practice is exposed to greater risk if a password is compromised.

It’s one of the most effective and widely recommended defenses against account-based breaches. Cyberattacks increasingly target credential-based access. MFA neutralizes most of these attacks, acting as a digital barrier that blocks outsiders even if they have login info.

It’s also now considered a baseline requirement by many insurers, cybersecurity frameworks, and HIPAA auditors.

  3. Use of Personal Emails
    Allowing staff to log into SaaS platforms with personal emails is a significant vulnerability. You have no control over the security measures of those personal accounts, which may lack proper password hygiene or MFA, leaving you blind to potential threats.
  4. Phishing Attacks
    No software can fully protect against phishing, where cybercriminals trick employees into divulging sensitive information. Regular training to help your staff recognize phishing attempts is essential in safeguarding your practice from these types of attacks.

Even here, MFA matters. If an employee accidentally shares a password, MFA can still prevent access because the attacker won’t have the second authentication factor.

Don’t Assume Your Practice is Secure—Take Action

To ensure your ABA practice is truly compliant and secure, focus on the following strategies:

  • Set Up Strong Security Policies: Implement strong password requirements and MFA across all SaaS platforms, and ensure your software settings are properly configured for your needs.
  • Conduct Regular Training: Keep your employees up to date on security best practices and how to identify phishing attempts or social engineering threats. Your staff is the first line of defense against potential breaches.
  • Implement a Company-Managed Email System: Ensure all employees use company-managed email addresses with enforced security policies. This gives you control over access to sensitive data and prevents unauthorized logins from unsecured personal accounts.
  • Audit Your Security Practices Regularly: Regularly review and audit your SaaS settings and employee access to ensure compliance with HIPAA and other state-specific regulations. Don't assume that default settings provide adequate security for your practice. As part of this audit, confirm that MFA is active across all user accounts, especially those with admin or billing access.
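One way to make that audit repeatable is to run a small script over the user export most SaaS platforms let an administrator download. The example below is added here and is not code from the original post; it checks a constructed sample export for the three gaps the article describes (no MFA, privileged accounts without MFA, and logins from non-company e-mail domains). The column names and the practice's domain are assumptions, since every platform exports different fields.

```python
# Added example (not from the original post): audit a SaaS user export for
# the gaps the article lists. Column names are an assumption.
import csv
import io

# Constructed sample export; a real platform's export will differ.
SAMPLE_EXPORT = """email,role,mfa_enabled,last_login
owner@example-aba.com,admin,true,2025-05-30
billing@example-aba.com,billing,false,2025-05-29
rbt1@example-aba.com,staff,true,2025-05-28
rbt2@gmail.com,staff,false,2025-05-27
bcba@example-aba.com,staff,true,2025-05-30
"""

COMPANY_DOMAINS = {"example-aba.com"}   # assumption: the practice's managed domain
PRIVILEGED_ROLES = {"admin", "billing"}  # roles the article singles out
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1}


def audit_users(export_csv, company_domains=COMPANY_DOMAINS):
    """Return (email, finding) tuples for every account that fails a check,
    most severe first. An empty list means every account passed."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = row["email"].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        mfa_on = row["mfa_enabled"].strip().lower() in {"true", "yes", "1"}
        privileged = row["role"].strip().lower() in PRIVILEGED_ROLES

        # Admin/billing accounts without MFA are the highest-impact gap.
        if privileged and not mfa_on:
            findings.append((email, "CRITICAL: privileged account without MFA"))
        elif not mfa_on:
            findings.append((email, "HIGH: MFA not enabled"))
        # Personal e-mail logins are outside the practice's control.
        if domain not in company_domains:
            findings.append((email, "HIGH: login uses a non-company e-mail domain"))

    # Stable sort keeps per-account order while surfacing CRITICAL items first.
    findings.sort(key=lambda f: SEVERITY_ORDER[f[1].split(":")[0]])
    return findings


if __name__ == "__main__":
    for email, finding in audit_users(SAMPLE_EXPORT):
        print(f"{email}: {finding}")
```

Run it against each platform's export after every staffing change, and treat any CRITICAL line as something to fix the same day.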

The Path to Full Security Requires Vigilance

HIPAA compliance is a critical step, but it is only the foundation. Your role doesn’t stop with purchasing compliant software; it’s about how you manage that software and integrate it into your practice. Your systems, policies, and training must align with security best practices to ensure that sensitive data remains protected.

Take the time to look beyond the “HIPAA-compliant” label. Ensure your security measures are strong, your team is well-trained, and your settings are optimized for safety.

If your platform offers MFA, enable it immediately. If it doesn’t, ask why not. MFA is one of the simplest, most cost-effective ways to dramatically reduce your risk exposure. Make it a core part of your security strategy. Protecting client data is your ongoing responsibility, but by being proactive, you can mitigate risks and maintain the trust of the families you serve.
