HIPAA Compliance Checklist for ABA Therapy Clinics

ABA therapy clinics handle some of the most sensitive protected health information (PHI) in healthcare — behavioral data, session recordings, family information, and clinical assessments. HIPAA compliance isn't optional, and the penalties for non-compliance are severe. This checklist covers every safeguard category with specific considerations for ABA practice.

Why HIPAA Matters for ABA Clinics

HIPAA violations carry civil penalties ranging from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category. Criminal penalties can include fines up to $250,000 and imprisonment. But beyond financial penalties, a HIPAA breach can result in:

  • State licensing board investigations and potential license suspension
  • Loss of insurance contracts — payers may terminate provider agreements after a breach
  • Erosion of parent and caregiver trust — families entrust you with their child's most sensitive information
  • Mandatory breach notification to affected individuals, HHS, and potentially media outlets (for breaches affecting 500+ individuals)
  • OCR (Office for Civil Rights) corrective action plans that can impose operational requirements for years

ABA clinics are particularly vulnerable because their operations often span multiple settings (clinic, home, school, community), involve mobile devices and tablets, and include workforce members (RBTs) who may use personal devices. This distributed model increases the attack surface and requires deliberate safeguards.

The HIPAA Compliance Checklist

Administrative Safeguards

Administrative safeguards are the policies, procedures, and workforce management activities that protect ePHI.

Designate a Security Officer

Assign a specific individual responsible for developing, implementing, and maintaining your HIPAA security program. In smaller clinics, this is often the clinic director or a BCBA with compliance responsibilities.

Conduct a risk assessment

Perform a comprehensive risk analysis at least annually. Identify all systems that create, receive, maintain, or transmit ePHI. Assess threats, vulnerabilities, and the likelihood and impact of potential breaches.

Implement workforce training

All workforce members — BCBAs, BCaBAs, RBTs, office staff — must receive HIPAA training at onboarding and at least annually thereafter. Document training dates, content, and attendees.

Establish access authorization policies

Define role-based access levels. RBTs should only access data for their assigned clients. BCBAs may access all clients under their supervision. Administrative staff access should be limited to scheduling and billing data.

Develop a contingency plan

Document your data backup procedures, disaster recovery plan, and emergency mode operation plan. Test your backup restoration process at least annually.

Implement workforce sanctions

Establish and communicate a sanctions policy for workforce members who violate HIPAA policies. Document all sanctions applied.

Physical Safeguards

Physical safeguards protect the physical systems, buildings, and equipment that house ePHI.

Facility access controls

Limit physical access to areas where ePHI is accessible — server rooms, offices with workstations displaying client data, file storage areas. Use badge access, locked doors, or sign-in logs as appropriate.

Workstation security

Position workstation screens so they are not visible to unauthorized individuals (parents in waiting rooms, other clients). Implement automatic screen locks after 5 minutes of inactivity.

Device and media controls

Maintain an inventory of all devices that access ePHI (laptops, tablets, phones). Implement remote wipe capability. Establish procedures for device disposal that include data sanitization.

Technical Safeguards

Technical safeguards are the technology and related policies that protect ePHI and control access to it.

Access controls

Implement unique user identification (no shared logins), emergency access procedures, automatic logoff, and encryption of data at rest. Every user must have a unique identifier for audit trail purposes.

Audit controls

Implement hardware, software, or procedural mechanisms that record and examine access to ePHI. Audit logs should capture who accessed what data, when, and what actions were taken. Logs must be tamper-evident and retained per your retention policy.

Integrity controls

Implement mechanisms to ensure ePHI is not improperly altered or destroyed. This includes version control, checksums, and validation processes for data entry.

Transmission security

Encrypt all ePHI transmitted over networks (TLS 1.2 or higher). This applies to data sent between therapist tablets and your server, email communications containing PHI, and API integrations with other systems.

Multi-factor authentication

While not explicitly required by the HIPAA Security Rule, MFA is considered a best practice and is increasingly expected by auditors. Implement MFA for all users accessing ePHI systems.

Breach Notification Requirements

Breach detection and response plan

Document how your organization will detect, investigate, and respond to a suspected breach. Include escalation procedures and designated response team members.

Individual notification

Notify affected individuals without unreasonable delay and no later than 60 days after discovery. Notification must include a description of the breach, the types of information involved, steps individuals should take to protect themselves, and what your organization is doing in response.

HHS notification

For breaches affecting 500 or more individuals, notify HHS within 60 days. For breaches affecting fewer than 500 individuals, notify HHS annually.

Business Associate Agreements & Minimum Necessary Standard

Business Associate Agreements (BAAs)

Execute BAAs with every vendor that accesses, stores, or transmits ePHI on your behalf. This includes your practice management software, data collection platform, cloud storage provider, email service, billing company, and IT support. If a vendor won't sign a BAA, do not use them for PHI.

Minimum necessary standard

Limit PHI disclosures to the minimum amount necessary to accomplish the intended purpose. An RBT does not need access to billing data. A billing specialist does not need access to clinical session notes. Configure your systems to enforce this principle.

ABA-Specific HIPAA Considerations

ABA therapy has unique operational characteristics that create specific HIPAA challenges not found in typical outpatient settings.

Session data on tablets

RBTs collect real-time data on tablets during sessions. These devices must be encrypted, have automatic screen locks, use unique login credentials, and be remotely wipeable. If therapists use personal devices (BYOD), establish a formal BYOD policy with security requirements and install mobile device management (MDM) software.

Parent portal PHI exposure

If you provide parents access to their child's data through a portal, ensure the portal uses HTTPS, requires authentication, and only displays data for their child. Parent accounts should have session timeouts and MFA support. Consider what data parents should and should not see — raw RBT notes vs. BCBA-approved summaries.

Therapist device management

With therapists working across multiple client homes and schools, device tracking becomes critical. Implement check-in/check-out procedures for clinic-owned devices. Require encrypted storage for any offline data. Establish clear policies for what happens if a device is lost or stolen during an in-home session.

In-home and school settings

When delivering services in a client's home or school, ensure conversations about PHI cannot be overheard by unauthorized individuals. Do not leave printed data sheets in unsecured locations. Use secure, encrypted connections when accessing cloud-based systems over the client's WiFi network. Consider using a mobile hotspot for PHI-related data transmission.

How LenzABA Handles HIPAA Compliance

LenzABA is built HIPAA-compliant by architecture — not as an afterthought. Security controls are embedded into the platform at every layer.

21/21 HIPAA security controls

LenzABA implements all 21 required and addressable HIPAA Security Rule safeguards, verified through regular internal audits and documented in our compliance matrix.

SHA-256 hash-chained audit trail

Every PHI access event is logged with a SHA-256 hash chain. Each audit entry includes a hash of the previous entry, creating a tamper-evident, cryptographically verifiable audit trail that cannot be altered without detection.
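The following is an added illustration of the hash-chained audit trail described above and of the tamper-evident audit log called for under "Audit controls". It is not LenzABA's code; the event fields, user names and client ids are constructed for the example. Each entry's SHA-256 hash covers its own content plus the previous entry's hash, and `verify_chain` walks the chain from a fixed genesis value, reporting the first entry that no longer matches:

```python
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # previous-hash value used for the very first entry


def canonical(entry: dict) -> bytes:
    """Serialize deterministically so identical content always hashes identically."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(entry_without_hash: dict) -> str:
    return hashlib.sha256(canonical(entry_without_hash)).hexdigest()


def append_event(chain: list, actor: str, action: str, client_id: str,
                 category: str, ts: Optional[str] = None) -> dict:
    """Append one PHI access event; its hash covers the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "client_id": client_id,
        "category": category,
        "prev_hash": prev_hash,
    }
    entry["hash"] = entry_hash(entry)  # computed before the "hash" key exists
    chain.append(entry)
    return entry


def verify_chain(chain: list, expected_head: Optional[str] = None):
    """Walk the chain from genesis. Returns (True, None) if intact, otherwise
    (False, index) where index is the first entry that fails verification."""
    prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return False, i  # gap, reordering or deletion inside the chain
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry_hash(body) != entry.get("hash"):
            return False, i  # content edited after it was written
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)  # tail truncated or replaced
    return True, None


def build_sample_chain() -> list:
    """Constructed sample events (fictional users and client ids, no real PHI)."""
    chain = []
    events = [
        ("rbt.jordan", "view", "client-042", "session_data", "2024-03-01T14:02:11+00:00"),
        ("rbt.jordan", "create", "client-042", "session_data", "2024-03-01T14:55:40+00:00"),
        ("bcba.lee", "view", "client-042", "clinical_notes", "2024-03-01T16:10:05+00:00"),
        ("billing.kim", "view", "client-042", "billing", "2024-03-02T09:00:00+00:00"),
    ]
    for actor, action, client_id, category, ts in events:
        append_event(chain, actor, action, client_id, category, ts)
    return chain


def demo_tampering() -> dict:
    """Run verify_chain against an intact chain and three tampered copies."""
    chain = build_sample_chain()
    head = chain[-1]["hash"]  # the value to anchor outside the log store
    results = {"intact": verify_chain(chain, head)}

    edited = copy.deepcopy(chain)
    edited[1]["client_id"] = "client-999"  # rewrite one field in place
    results["edited"] = verify_chain(edited, head)

    deleted = chain[:1] + chain[2:]  # remove a middle entry
    results["deleted"] = verify_chain(deleted, head)

    truncated = chain[:-1]  # drop the most recent entry
    results["truncated_no_anchor"] = verify_chain(truncated)
    results["truncated_anchored"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo_tampering().items():
        print(f"{scenario:>20}: {outcome}")
```

The `truncated_no_anchor` scenario is the practical caveat: a hash chain proves that nothing inside it was edited, reordered or removed, but it cannot by itself show that the newest entries were never cut off, and an attacker who can rewrite the whole log can simply recompute every hash. The chain therefore needs its head hash (or a periodic digest) stored somewhere the log writer cannot modify, such as a separate system, write-once storage, or a signed checkpoint, and the verifier must compare against that anchor as `verify_chain(chain, expected_head)` does.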

MFA enforcement via WorkOS AuthKit

Multi-factor authentication is enforced for all users through WorkOS AuthKit. There is no option to disable MFA — it is a mandatory security control built into the authentication flow.

Session revocation and idle timeout

Active sessions are automatically terminated after configurable idle periods. BCBAs can remotely revoke any active session, and session tokens are invalidated immediately upon logout.

Sensitivity-category gating

PHI access is gated by sensitivity categories. The system enforces that users can only access data categories appropriate to their role, implementing the minimum necessary standard at the application level.
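An added example of what application-level sensitivity gating looks like, covering the minimum necessary standard ("An RBT does not need access to billing data"), the parent portal requirement that a parent sees only their own child's data, and the role-to-category gating described above. This is illustrative code, not LenzABA's implementation; the category names, role grants, users and records are assumed for the example. The point it demonstrates is that a correct check has two dimensions, the category the role may see and the clients the user is linked to, and that server-side queries must be filtered by that check rather than trusting the client id in the request:

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumed sensitivity categories and role grants for this example
# (not LenzABA's actual configuration).
ROLE_CATEGORIES = {
    "rbt":     {"scheduling", "session_data"},
    "bcba":    {"scheduling", "session_data", "clinical_notes",
                "assessments", "approved_summaries"},
    "billing": {"scheduling", "billing"},
    "parent":  {"scheduling", "approved_summaries"},  # summaries only, never raw RBT notes
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    client_ids: FrozenSet[str]  # assigned caseload, supervised clients, or own children


@dataclass(frozen=True)
class Record:
    record_id: str
    client_id: str
    category: str


def authorize(user: User, record: Record) -> Tuple[bool, str]:
    """Minimum-necessary decision in two dimensions: the category must be granted
    to the role, and the record must belong to a client this user is linked to."""
    allowed = ROLE_CATEGORIES.get(user.role)
    if allowed is None:
        return False, f"unknown role '{user.role}'"
    if record.category not in allowed:
        return False, f"role '{user.role}' may not access category '{record.category}'"
    if record.client_id not in user.client_ids:
        return False, f"user '{user.user_id}' is not linked to client '{record.client_id}'"
    return True, "ok"


def fetch_for_client(user: User, store: List[Record], client_id: str) -> List[Record]:
    """Server-side filtered query. The client_id comes from the request, but every
    result passes authorize(), so a parent who edits the id in a portal URL gets an
    empty list rather than another family's records."""
    return [r for r in store if r.client_id == client_id and authorize(user, r)[0]]


# Constructed sample records and users (fictional ids, no real PHI).
STORE = [
    Record("r1", "client-042", "session_data"),
    Record("r2", "client-042", "clinical_notes"),
    Record("r3", "client-042", "approved_summaries"),
    Record("r4", "client-042", "billing"),
    Record("r5", "client-077", "session_data"),
    Record("r6", "client-077", "approved_summaries"),
]
RBT = User("rbt.jordan", "rbt", frozenset({"client-042"}))
BCBA = User("bcba.lee", "bcba", frozenset({"client-042", "client-077"}))
BILLER = User("billing.kim", "billing", frozenset({"client-042", "client-077"}))
PARENT_042 = User("parent.042", "parent", frozenset({"client-042"}))


def demo_decisions() -> dict:
    """Representative decisions for the sample users, keyed by scenario."""
    return {
        "rbt_own_session":    authorize(RBT, STORE[0])[0],
        "rbt_billing":        authorize(RBT, STORE[3])[0],
        "rbt_other_client":   authorize(RBT, STORE[4])[0],
        "biller_notes":       authorize(BILLER, STORE[1])[0],
        "parent_raw_notes":   authorize(PARENT_042, STORE[1])[0],
        "parent_summary":     authorize(PARENT_042, STORE[2])[0],
        "parent_other_child": [r.record_id for r in fetch_for_client(PARENT_042, STORE, "client-077")],
        "bcba_all_042":       [r.record_id for r in fetch_for_client(BCBA, STORE, "client-042")],
    }


if __name__ == "__main__":
    for scenario, decision in demo_decisions().items():
        print(f"{scenario:>20}: {decision}")
```

The reason string returned alongside each denial is meant to be written to the audit trail: a denied request for a category or client outside the user's scope is exactly the event a security officer wants to see during the annual risk analysis.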

Ready to automate your clinical documentation?

LenzABA is HIPAA-compliant by architecture — 21/21 security controls, SHA-256 audit trails, and MFA enforcement built into every layer.