8.4 Confidentiality, Privacy, and Information Handling

Confidentiality follows the information

Confidentiality is not limited to formal medical records. It follows client information wherever the RBT encounters it: a data sheet in a backpack, a graph on a tablet, a caregiver text, a video used for supervision, a session note, a school hallway conversation, a team meeting, or a photo that includes the client in the background. TCO task F.5 asks RBTs to identify and comply with requirements for collecting, using, storing, protecting, and disclosing confidential information.

The exact legal and workplace rules can vary by setting, but the RBT's default behavior should be privacy-protective and supervisor-directed.

Collecting information means gathering only what the plan, data system, workplace policy, or supervisor direction requires. The RBT should avoid adding unnecessary personal details to notes. If the relevant variable is that the caregiver reported the client slept three hours, the note should not include unrelated family conflict discussed in the room unless policy and supervisor direction require it for service reasons. More information is not always better. Unnecessary details can increase privacy risk and distract from clinically relevant observation.

Using information means accessing it for legitimate service purposes. An RBT may need to read the behavior plan, data definitions, emergency procedures, and communication notes for a client they serve. That does not authorize browsing other clients' records, showing data to friends, or discussing a case for entertainment. Curiosity is not a service purpose. Training discussions also need care: deidentifying information may not be enough if details still make the client recognizable in a small community, clinic, classroom, or online group.

Storing and protecting information means following workplace rules for paper and electronic materials. Paper data sheets should not be left visible in a car, waiting room, cafeteria, or shared classroom. Tablets should be locked when not in use. Photos and videos should be taken only when authorized and stored only in approved systems. Personal phones are a common risk. Even a well-intended photo of materials, a screenshot of a graph, or a text to a coworker can become an unauthorized disclosure if it includes client information or is sent through an unapproved channel.

Disclosing information means sharing it with someone else. The RBT should know who is authorized to receive client information: supervisor, assigned team members, caregivers with proper role, school staff as permitted by the service arrangement, or other approved stakeholders. The RBT should not assume that any employee in the building, any relative, or any interested professional has a right to details. If a person asks, 'How is he doing in therapy?' the RBT should consider authorization before answering.

A general polite response may be appropriate, but progress details, behavior data, and plan components should be shared only through approved channels.

Scenario: After a session, a parent from another family sees the RBT in the waiting room and asks whether the RBT's client still has aggression at school. The parent says both families know each other. The RBT should not confirm or deny client details. A strong response is brief and respectful: the RBT cannot discuss another client's services, and any questions should go through the appropriate service channels. The RBT then documents or reports the request if workplace policy requires it.

Scenario: A supervisor asks the RBT to record a short video for feedback on prompting. The RBT should check the approved process before recording. Questions include whether consent or authorization is in place, what device may be used, where the file must be stored, who may view it, and when it must be deleted if deletion is part of policy. The ethical issue is not whether the video could improve services; it probably could. The issue is whether the information is collected and protected according to requirements.

Privacy workflow for RBTs:

1. What information is being collected or shared?
2. Is it necessary for the assigned service purpose?
3. Who is authorized to access it?
4. What channel or storage system is approved?
5. Could the client be identified directly or indirectly?
6. If unsure, stop the disclosure, protect the information, and ask the supervisor or follow workplace policy.

Confidentiality also includes dignity. People receiving services should not have to wonder whether their behavior, diagnosis, home situation, or progress is being discussed casually. Caregivers should not hear another client's details and then worry their own family is being discussed the same way. A privacy-protective RBT helps maintain trust in the service system. For exam preparation, remember that the safest answer is rarely to share more because the listener seems trustworthy. The RBT should use approved channels, share only what is necessary, and seek direction when uncertain.