Confidentiality, Documentation, Public Statements, and Social Media
Key Takeaways
- Confidentiality applies to written, verbal, visual, electronic, and informal communication—and to indirect identifiers, not just names.
- Records and documentation must be accurate, timely, secure, and sufficient to support service decisions and lawful disclosure.
- Public statements must be truthful, not misleading, and clear about credentials, evidence, scope, and limits; no guaranteed outcomes.
- Social media does not suspend confidentiality duties—omitting a name does not de-identify a client if a reasonable person could infer identity.
- Before any disclosure, ask: who needs it, what is the minimum necessary, is consent required, is there a legal or safety exception, and how will it be documented?
Confidentiality Is Broader Than Names
A client can be identified by initials, photos, age, school, location, a rare behavior, a schedule, a diagnosis, family details, or a combination of facts. Removing the name is not enough if a reasonable person could infer who the client is. The Code's compassion, dignity, and respect principle includes protecting privacy and confidential information across every medium.
Confidentiality also applies when the audience feels harmless. A closed social-media group, a staff lunch, a ride home with a coworker, a conference hallway, or a graduate-class discussion can each become an unauthorized disclosure. The duty does not depend on whether the listener seems trustworthy; it depends on whether the person has a legitimate need to know and whether the client (or legal guardian) authorized the sharing. Treat any identifiable client information as protected by default.
Documentation and Records Standards
Behavior analysts must create, maintain, and store records that are accurate, timely, secure, and adequate to justify clinical decisions and to permit lawful transfer or disclosure. Sloppy or altered records are both a clinical risk and an integrity violation. The table connects common record failures to the ethical risk they create.
| Record issue | Ethical risk |
|---|---|
| Late data entry | Memory errors and weaker clinical decisions. |
| Missing context | Inaccurate interpretation of behavior change. |
| Altered notes | Misrepresentation and potential billing fraud. |
| Unsecured files | Unauthorized access to private information. |
| Vague progress claims | Misleading stakeholders about effectiveness. |
Records should also be retained and disposed of according to law, contract, and policy, and should be available for orderly transition when a client moves to a new provider (with proper consent). Documentation is the backbone of accountability: if it is not written down accurately and on time, it is hard to defend any decision later.
Public Statements and Social Media
Public statements include websites, résumés, ads, presentations, media interviews, podcasts, posts, testimonials, and comments to stakeholders. Under the integrity principle they must accurately represent services, credentials, roles, evidence, risks, and expected outcomes.
Key rules to remember:
- No guaranteed outcomes. Avoid claims such as "we stop aggression in two weeks." Behavior change is variable and individualized.
- No false credentials or endorsements. Do not imply a specialty, license, or BACB endorsement that does not exist.
- Distinguish evidence-based services from unsupported or fringe claims when describing ABA.
- Social media keeps every confidentiality duty. A photo, a "win story," or a vent about a difficult case can identify a client even without a name. Obtain consent for any identifiable content, and recognize that consent for treatment is not consent to be featured online.
- Testimonials raise risk. Soliciting testimonials from current clients can create pressure and confidentiality exposure; handle them cautiously and per policy.
Limits of Confidentiality and Mandatory Exceptions
Confidentiality is strong but not absolute. Behavior analysts should explain the limits of confidentiality at the outset so clients and caregivers know in advance when information may be disclosed without their permission. The standard exceptions every candidate should recognize:
- Mandated reporting of suspected abuse or neglect of a child, elder, or dependent adult, as required by law.
- Imminent danger—a credible threat of serious harm to the client or an identifiable other.
- Legal compulsion—a valid court order or subpoena.
- Authorized disclosure—the client or guardian has given consent, limited to the minimum necessary.
These exceptions explain why "never share anything, ever" is a wrong answer in a safety scenario: the duty to protect can require disclosure. Conversely, none of these exceptions licenses casual sharing—each is narrow and documented. On the exam, separate a true mandated-reporting or imminent-harm situation (where you disclose to the proper authority) from a convenience or gossip situation (where you do not). The presence of a genuine legal or safety trigger is what flips the answer from 'protect privacy' to 'disclose to the right party.'
Practical Habits That Prevent Breaches
Most confidentiality violations on the exam—and in practice—are not dramatic leaks; they are everyday lapses. Building protective habits prevents them.
- De-identify thoroughly for teaching, supervision, or presentations: remove names, photos, schools, dates, rare-behavior details, and any combination that could re-identify the client.
- Use secure channels for electronic communication and storage; avoid texting or emailing client details over unsecured personal accounts.
- Mind the setting: do not discuss cases in hallways, elevators, ride-shares, or social gatherings where others can overhear.
- Limit access to records to those involved in the client's care, and lock or log out of systems.
- Get separate consent for any use beyond treatment—marketing, research, or social-media content.
These habits connect confidentiality to the broader dignity and integrity principles: protecting a client's information is a concrete way of respecting them, and honest, secure records keep your public and professional statements truthful. On layered items, an option that breaks one of these habits—posting online, oversharing in supervision, or texting client data—is usually the trap, even when the breach seems small or well-intentioned.
A Disclosure Decision Filter
When any item involves sharing information, run a short filter before choosing an answer:
- Who actually needs the information to serve the client or meet a legal duty?
- What is the minimum necessary to accomplish that purpose?
- Is consent required, and from whom (client, guardian, or both)?
- Is there a legal or safety exception—mandated reporting, imminent harm, or a court order?
- How will the disclosure be documented, including what was shared and why?
This filter resolves most confidentiality items. The wrong answers usually over-share (post online, tell a colleague who is not involved, send full records when a summary suffices) or under-protect in a true safety emergency. The right answer respects the minimum-necessary standard, obtains consent unless an exception applies, and documents the disclosure.
A BCBA wants to celebrate a client's progress by posting on a clinic's public social-media page: 'So proud of our 6-year-old at Lincoln Elementary who finally mastered toileting after months of work!' No name is used. Why is this post an ethical problem?
Which marketing statement would MOST likely violate the integrity principle governing public statements?
A BCBA must share information about a client with a new provider during a transition. Applying the minimum-necessary standard, what is the best approach?
Which documentation practice creates the GREATEST ethical risk?