Privacy Policy

Regulatory Compliance Overview

Behavioral Solutions (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy, confidentiality, and security of all personal information, protected health information (“PHI”), personally identifiable information (“PII”), and clinical and education records entrusted to us by our clients, their families, students, stakeholders, and website visitors. We maintain this Privacy Policy in compliance with all applicable federal, state, and professional regulatory requirements governing the delivery of Applied Behavior Analysis (ABA) services in the Commonwealth of Virginia.

Scope of This Policy

This Privacy Policy applies to all individuals who receive ABA services from Behavioral Solutions, including clients, parents, legal guardians, legally authorized representatives, caregivers, stakeholders, supervisees, trainees, research participants, and visitors to our website. This policy covers all services delivered in person, via telehealth, and through our website throughout the Commonwealth of Virginia, and via telehealth to the extent permitted by applicable law.

This Privacy Policy describes how we collect, use, disclose, retain, and safeguard information in connection with the ABA services we provide. It has been developed to ensure full compliance with the following laws, regulations, professional standards, and ethical codes:

Scope & Applicability

This Privacy Policy applies to all individuals who receive, inquire about, or are referred for Applied Behavior Analysis (ABA) services through Behavioral Solutions, located in Richmond, Virginia. This includes, but is not limited to:

• Current and former clients receiving direct ABA services
• Parents, caregivers, legally authorized representatives, and family members of clients
• Stakeholders as defined by the BACB Ethics Code for Behavior Analysts, meaning individuals “other than the client, who [are] impacted by and invested in the behavior analyst’s services (e.g., parent, caregiver, relative, legally authorized representative, collaborator, employer, agency or institutional representative, licensure board, funder, third-party contractor for services)” (BACB, 2020, Glossary)
• Students receiving ABA services through educational settings, including services under Individualized Education Programs (IEPs) or 504 Plans
• Supervisees and trainees accruing fieldwork hours toward BCBA, BCaBA, or RBT certification
• Referral sources, collaborating professionals, and third-party contractors
• Visitors to our website at https://www.behavioral-solutions.org/

This policy covers all personal, clinical, educational, and health-related information collected, used, stored, transmitted, or disclosed in connection with our services, whether obtained in person, through telehealth, in writing, via phone, email, text message, video conferencing, or any other communication modality, consistent with the BACB Ethics Code requirement that the Code “applies to behavior analysts’ professional activities across settings and delivery modes (e.g., in person; in writing; via phone, email, text message, video conferencing)” (BACB, 2020, Scope of the Code).

Definitions

HIPAA-Related Terms

• “Protected Health Information” (PHI) means individually identifiable health information transmitted or maintained in any form or medium, as defined under 45 CFR § 160.103.
• “Covered Entity” means a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a HIPAA-covered transaction, per 45 CFR § 160.103.
• “Business Associate” means a person or entity that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access to PHI, per 45 CFR § 160.103.
• “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, per 45 CFR § 164.402.

BACB-Related Terms

• “Client” means “the direct recipient of the behavior analyst’s services” (BACB, 2020, Glossary).
• “Stakeholder” means “an individual, other than the client, who is impacted by and invested in the behavior analyst’s services (e.g., parent, caregiver, relative, legally authorized representative, collaborator, employer, agency or institutional representative, licensure board, funder, third-party contractor for services)” (BACB, 2020, Glossary).
• “Informed Consent” means “the permission given by an individual with the legal right to consent before participating in services or research, or allowing their information to be used or shared” (BACB, 2020, Glossary).
• “Behavioral Services” means “services that are explicitly based on the principles and procedures of behavior analysis and are designed to change behavior in meaningful ways” (BACB, 2020, Glossary).
• “Confidential Information” includes all information related to client services, assessments, behavior-change interventions, data, documentation, and verbal, written, or electronic communications as described in BACB Ethics Code Standard 2.03.

Education-Related Terms

• “Education Records” means records directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution, as defined under FERPA, 20 U.S.C. § 1232g(a)(4).
• “Personally Identifiable Information” (PII) within the FERPA context includes information that can be used to distinguish or trace an individual student’s identity, per 34 CFR § 99.3.

Virginia Law Terms

• “Health Record” has the meaning set forth in Virginia Code § 32.1-127.1:03.
• “Consumer” means a natural person who is a resident of the Commonwealth acting only in an individual or household context, as defined in the VCDPA, Va. Code § 59.1-575.
• “Personal Data” means any information linked or reasonably linkable to an identified or identifiable natural person, excluding de-identified data or publicly available information, per Va. Code § 59.1-575.

Information We Collect

Behavioral Solutions collects the minimum information necessary to provide effective ABA services and meet our legal and ethical obligations. Categories of information we may collect include:

A. Personal Identifying Information

Full legal name, date of birth, address, telephone number(s), email address, Social Security Number (only when required for insurance billing), insurance information, and emergency contact information for clients, parents, and legally authorized representatives.

B. Clinical and Health Information

Diagnoses, medical histories, medication lists, assessment results (including functional behavior assessments and skills assessments), behavior-change intervention plans, treatment goals, session notes, data sheets, progress reports, behavior data, graphed outcomes, discharge summaries, and referral documentation.

C. Educational Records

When providing services in educational settings or in collaboration with educational institutions, we may access or create records including Individualized Education Programs (IEPs), 504 Plans, progress monitoring data, Functional Behavioral Assessments (FBAs), Behavioral Intervention Plans (BIPs), related correspondence with school personnel, and other information classified as education records under FERPA and Virginia Code Title 22.1.

D. Supervision and Training Records

For supervisees and trainees, we collect fieldwork verification forms, supervision contracts, performance evaluations, competency assessments, and related supervision documentation, consistent with BACB requirements and BACB Ethics Code Standard 4.05, which requires behavior analysts to “create, update, store, and dispose of documentation related to their supervisees or trainees by following all applicable requirements” (BACB, 2020).

E. Website and Digital Information

When you visit our website, we may collect standard internet log information, IP addresses, browser type, referring URLs, pages visited, and cookies. No clinical or PHI is collected through our website without explicit informed consent and appropriate encryption.

F. Financial and Billing Information

Insurance identification numbers, billing codes, payment history, authorization numbers, and related financial documentation necessary for service billing and reporting, consistent with BACB Ethics Code Standard 2.06 requiring accuracy in service billing and reporting (BACB, 2020).

Legal Basis for Collection & Processing

Behavioral Solutions collects and processes personal information under the following legal bases:

• Consent: Where you or your legally authorized representative have provided informed consent, including as required by HIPAA (45 CFR § 164.508), FERPA (34 CFR § 99.30), and BACB Ethics Code Standard 2.11, which states: “Behavior analysts are responsible for knowing about and complying with all conditions under which they are required to obtain informed consent from clients, stakeholders, and research participants” (BACB, 2020).
• Treatment, Payment, and Healthcare Operations: HIPAA permits the use and disclosure of PHI without individual authorization for treatment, payment, and healthcare operations as defined at 45 CFR § 164.506.
• Legal Obligation: Where processing is necessary for compliance with applicable federal and Virginia laws, including mandated reporting requirements under Virginia Code § 63.2-1509 and BACB Ethics Code Standard 3.01, which requires behavior analysts to be “knowledgeable about and comply with applicable laws and regulations related to mandated reporting requirements” (BACB, 2020).
• Legitimate Professional Interest: Where processing is necessary for providing effective behavioral services, maintaining professional standards, and ensuring quality care consistent with the BACB Ethics Code’s core principle that “behavior analysts work to maximize benefits and do no harm” (BACB, 2020, Core Principles).
• Educational Necessity: Where permitted under FERPA’s “legitimate educational interest” exception (34 CFR § 99.31(a)(1)) or IDEA’s requirements for the provision of a Free Appropriate Public Education (FAPE).

How We Use Your Information

• Service Delivery: Conducting assessments, designing and implementing behavior-change interventions, collecting and analyzing data, and monitoring client progress, consistent with BACB Ethics Code Standards 2.13 through 2.18 (BACB, 2020).
• Treatment Coordination: Collaborating with other providers and coordinating care, consistent with BACB Ethics Code Standard 3.06: “Behavior analysts arrange for appropriate consultation with and referrals to other providers in the best interests of their clients, with appropriate informed consent” (BACB, 2020).
• Supervision and Training: Providing supervision to RBTs, BCaBAs, and trainees in compliance with BACB Standards 4.01 through 4.12 (BACB, 2020) and Virginia Board of Medicine regulations at 18 VAC 85-150.
• Billing and Payment: Processing insurance claims, collecting payments, verifying insurance eligibility, and conducting utilization review.
• Quality Assurance: Conducting internal reviews, evaluating program effectiveness, and ensuring compliance with professional, legal, and regulatory standards.
• Legal Compliance: Meeting mandated reporting obligations, responding to lawful court orders or subpoenas, and complying with state licensure requirements under Virginia Code § 54.1-2957.16.
• Educational Services: Participating in IEP team meetings, developing FBAs and BIPs, reporting progress to educational agencies, and coordinating services under IDEA and Virginia special education regulations (8 VAC 20-81).
• Communication: Contacting you regarding appointments, service updates, and other matters directly related to your care.

Confidentiality Protections

Per BACB Ethics Code Standard 2.03 (Protecting Confidential Information): “Behavior analysts take appropriate steps to protect the confidentiality of clients, stakeholders, supervisees, trainees, and research participants; prevent the accidental or inadvertent sharing of confidential information; and comply with applicable confidentiality requirements (e.g., laws, regulations, organization policies). The scope of confidentiality includes service delivery (e.g., live, teleservices, recorded sessions); documentation and data; and verbal, written, or electronic communication” (BACB, 2020).

Per BACB Ethics Code Standard 3.10 (Limitations of Confidentiality): “Behavior analysts inform clients and stakeholders of the limitations of confidentiality at the outset of the professional relationship and when information disclosures are required” (BACB, 2020).

Per BACB Ethics Code Standard 5.02 (Confidentiality in Public Statements): “In all public statements, behavior analysts protect the confidentiality of their clients, supervisees, and trainees, except when allowed. They make appropriate efforts to prevent accidental or inadvertent sharing of confidential or identifying information” (BACB, 2020).

Disclosure of Information

Behavioral Solutions discloses confidential information only in strict compliance with BACB Ethics Code Standard 2.04 (Disclosing Confidential Information), which states: “Behavior analysts only share confidential information about clients, stakeholders, supervisees, trainees, or research participants: (1) when informed consent is obtained; (2) when attempting to protect the client or others from harm; (3) when attempting to resolve contractual issues; (4) when attempting to prevent a crime that is reasonably likely to cause physical, mental, or financial harm to another; or (5) when compelled to do so by law or court order. When behavior analysts are authorized to discuss confidential information with a third party, they only share information critical to the purpose of the communication” (BACB, 2020).

Categories of Authorized Disclosures

• Treatment Providers: To other healthcare professionals involved in the client’s care, with appropriate consent or as permitted by HIPAA for treatment purposes.
• Insurance and Funders: To health insurance companies, managed care organizations, and other third-party payers for payment and utilization review, consistent with BACB Ethics Code Standard 3.07 (BACB, 2020).
• Educational Agencies: To school districts and educational personnel pursuant to FERPA-compliant consent, IDEA requirements, or the “legitimate educational interest” exception under 34 CFR § 99.31(a)(1), and consistent with Virginia Code Title 22.1 and VDOE regulations at 8 VAC 20.
• Legal Requirements: To law enforcement or government agencies when required by law, including mandated reporting, responses to valid court orders, and compliance with Virginia Board of Medicine inquiries under 18 VAC 85-150.
• BACB: In response to lawful BACB investigations of alleged ethical violations, as required by BACB Code-Enforcement Procedures.
• Business Associates: To third-party service providers who perform functions on our behalf and have executed HIPAA-compliant Business Associate Agreements, per 45 CFR § 164.502(e).
• Supervisees and Trainees: Behavioral data and clinical information necessary for supervision and training purposes, under appropriate confidentiality protections, consistent with BACB Ethics Code Standards 4.05 and 4.06 (BACB, 2020).

HIPAA Compliance

Behavioral Solutions complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1320d et seq., and its implementing regulations at 45 CFR Parts 160 and 164, including the Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, 42 U.S.C. § 17932.

Notice of Privacy Practices

Behavioral Solutions provides a separate, detailed Notice of Privacy Practices (NPP) as required by 45 CFR § 164.520. The NPP describes your rights and our obligations regarding your PHI. A copy is provided to every client or legally authorized representative at the initiation of services and is available upon request.

Your HIPAA Rights

• Right to Access (45 CFR § 164.524): You have the right to inspect and obtain a copy of your PHI maintained by Behavioral Solutions.
• Right to Amend (45 CFR § 164.526): You have the right to request amendments to your PHI if you believe the information is inaccurate or incomplete.
• Right to an Accounting of Disclosures (45 CFR § 164.528): You have the right to receive an accounting of certain disclosures of your PHI.
• Right to Request Restrictions (45 CFR § 164.522(a)): You have the right to request restrictions on certain uses and disclosures of your PHI.
• Right to Confidential Communications (45 CFR § 164.522(b)): You have the right to request that we communicate with you by alternative means or at alternative locations.
• Right to a Paper Copy of the NPP (45 CFR § 164.520(c)): You have the right to obtain a paper copy of our Notice of Privacy Practices.
• Right to Be Notified of a Breach (45 CFR § 164.404): You have the right to receive notification in the event of a breach of your unsecured PHI.

Breach Notification

In the event of a breach of unsecured PHI, Behavioral Solutions will comply with all breach notification requirements under 45 CFR §§ 164.400–164.414 and the HITECH Act. Affected individuals will be notified without unreasonable delay and no later than sixty (60) calendar days following discovery of the breach. Behavioral Solutions will also comply with the Virginia breach notification requirements under Virginia Code § 18.2-186.6.

FERPA & Education Records Compliance

When Behavioral Solutions provides ABA services in educational settings or creates records that qualify as “education records” under FERPA, 20 U.S.C. § 1232g, and its implementing regulations at 34 CFR Part 99, we comply with all applicable FERPA requirements.

• Prior Written Consent: We will not disclose PII from education records without prior written consent from the parent or eligible student, except as permitted under FERPA’s enumerated exceptions at 34 CFR § 99.31.
• Legitimate Educational Interest: When Behavioral Solutions operates as a contracted service provider for a local educational agency (LEA), school personnel may access education records under the “legitimate educational interest” exception at 34 CFR § 99.31(a)(1).
• Right to Inspect and Review: Parents and eligible students retain the right to inspect and review education records maintained by Behavioral Solutions on behalf of an educational agency, per 34 CFR § 99.10.
• Right to Request Amendment: Parents and eligible students may request amendment of education records believed to be inaccurate or misleading, per 34 CFR § 99.20.
• Right to a Hearing: If a request for amendment is declined, the parent or eligible student has the right to a hearing under 34 CFR § 99.21.
• Redisclosure Restrictions: Any party receiving PII from education records is prohibited from redisclosing such information without prior consent, per 34 CFR § 99.33.

IDEA, ESSA & Civil Rights Compliance

Individuals with Disabilities Education Act (IDEA)

When providing ABA services to students with disabilities under IDEA (20 U.S.C. §§ 1400–1482) and 34 CFR Part 300, Behavioral Solutions adheres to the confidentiality provisions at 34 CFR §§ 300.610–300.627, including:

• Parental consent before the educational agency discloses PII to parties other than officials of participating agencies, per 34 CFR § 300.622
• Maintenance of records of access to education records, including the name of the party, the date access was given, and the purpose of authorization, per 34 CFR § 300.614
• The right to request destruction of PII when information is no longer needed to provide educational services, per 34 CFR § 300.624

Every Student Succeeds Act (ESSA)

Behavioral Solutions supports compliance with ESSA, 20 U.S.C. § 6301 et seq., by maintaining data privacy protections consistent with ESSA’s requirements for the protection of student data and PII.

Civil Rights Compliance (Titles VI & IX)

Behavioral Solutions does not discriminate in the provision of services on the basis of race, color, national origin (Title VI of the Civil Rights Act of 1964, 42 U.S.C. § 2000d), or sex (Title IX of the Education Amendments of 1972, 20 U.S.C. § 1681), consistent with BACB Ethics Code Standard 1.08 (Nondiscrimination): “Behavior analysts do not discriminate against others. They behave toward others in an equitable and inclusive manner regardless of age, disability, ethnicity, gender expression/identity, immigration status, marital/relationship status, national origin, race, religion, sexual orientation, socioeconomic status, or any other basis proscribed by law” (BACB, 2020).

Department of Education Organization Act

Behavioral Solutions recognizes the authority of the U.S. Department of Education as established by the Department of Education Organization Act (20 U.S.C. § 3401 et seq.) and complies with all applicable federal education laws administered thereunder.

Virginia Department of Education (VDOE) Compliance

• 8 VAC 20-81 (Special Education Regulations): Governing the provision of services to students with disabilities under IDEA, including confidentiality of student records.
• Virginia Standards of Quality (SOQ), Code of Virginia § 22.1-253.13:1 et seq.: Including standards for instruction and student achievement applicable to ABA services in educational settings.
• Code of Virginia § 22.1-287 et seq.: Governing the confidentiality of scholastic records.
• Code of Virginia § 22.1-279.6: Standards of conduct and related privacy considerations.

BACB Ethical Obligations

All BCBAs, BCaBAs, and RBTs employed by or contracted with Behavioral Solutions are required to adhere to the applicable BACB ethics codes. The BACB Ethics Code for Behavior Analysts (BACB, 2020), updated August 2024, and the RBT Ethics Code 2.0 (BACB, 2021), updated August 2024, are enforced in all professional activities.

Key Privacy-Related Ethics Standards

• Standard 1.02 (Conforming with Legal and Professional Requirements): “Behavior analysts follow the law and the requirements of their professional community (e.g., BACB, licensure board)” (BACB, 2020).
• Standard 2.03 (Protecting Confidential Information): Requires appropriate steps to protect confidentiality and prevent accidental or inadvertent sharing (BACB, 2020).
• Standard 2.04 (Disclosing Confidential Information): Limits disclosure to five specified circumstances (BACB, 2020).
• Standard 2.05 (Documentation Protection and Retention): “Behavior analysts are knowledgeable about and comply with all applicable requirements (e.g., BACB rules, laws, regulations, contracts, funder and organization requirements) for storing, transporting, retaining, and destroying physical and electronic documentation related to their professional activities” (BACB, 2020).
• Standard 2.11 (Obtaining Informed Consent): Requires compliance with all conditions for obtaining informed consent, including “before initial implementation of assessments or behavior-change interventions, when making substantial changes to interventions, when exchanging or releasing confidential information or records” (BACB, 2020).
• Standard 3.04 (Service Agreement): Requires signed service agreements outlining responsibilities, scope, Code obligations, and complaint procedures (BACB, 2020).
• Standard 3.10 (Limitations of Confidentiality): Requires disclosure of confidentiality limitations at the outset of the professional relationship (BACB, 2020).
• Standard 3.11 (Documenting Professional Activity): Requires detailed, high-quality documentation for accountability and compliance (BACB, 2020).
• Standard 4.05 (Maintaining Supervision Documentation): Requires retention of supervision documentation “for at least 7 years and as otherwise required by law” (BACB, 2020).
• Standard 5.10 (Social Media Channels and Websites): “Behavior analysts are knowledgeable about the risks to privacy and confidentiality associated with the use of social media channels and websites and they use their respective professional and personal accounts accordingly” (BACB, 2020).

RBT Ethics Code (2.0) — Privacy Provisions

Per RBT Ethics Code 2.0, Standard 2.08: RBTs “comply with applicable legal and professional requirements (e.g., privacy laws, licensure requirements)” and “maintain confidentiality when interacting with client information and records” (BACB, 2021). Standard 2.09 states: “RBTs do not share identifying information (e.g., photos, videos, written information) about clients on social media” (BACB, 2021). Standard 2.10 states: “RBTs only discuss confidential client information under the direction of their supervisor unless allowed by law for a valid reason (e.g., protecting the client or others from harm)” (BACB, 2021).

Upcoming BACB Changes (2026–2027)

Behavioral Solutions remains current with all BACB requirement changes. As announced in BACB Newsletters through February 2026:

• Effective January 1, 2026: Updated RBT eligibility requirements, including new 40-hour training standards aligned with the RBT Test Content Outline (3rd ed.) and transition to two-year RBT recertification cycles with 12 Professional Development Units (PDUs) per cycle.
• Effective January 1, 2027: Updated BCBA and BCaBA certification pathway requirements, including revised coursework requirements, fieldwork form changes, and discontinuation of BCBA Pathways 3 and 4. Our supervision practices and documentation protocols will be updated to reflect the 2027 Monthly and Final Fieldwork Verification Forms.
• Continuing Education: BCBAs must obtain 32 CEUs per two-year recertification cycle, including 4 CEUs in ethics and 4 CEUs in supervision (for supervisors), per current BACB requirements.

Virginia State Law Compliance

Virginia Behavior Analyst Licensure (Va. Code § 54.1-2957.16)

All behavior analysts employed by Behavioral Solutions are licensed through the Virginia Board of Medicine pursuant to Virginia Code § 54.1-2957.16, which requires documentation that the applicant “conducts his professional practice in accordance with the Behavior Analyst Certification Board ethics code for behavior analysts and any other accepted professional and ethical standards the Board deems necessary.” Behavioral Solutions’ privacy practices comply with the standards of practice established by the Board of Medicine at 18 VAC 85-150.

Virginia Health Records Act (Va. Code § 32.1-127.1:03)

Behavioral Solutions complies with the Virginia Health Records Act governing the privacy, access, and maintenance of health records. Patients and their legally authorized representatives have the right to access, copy, and request amendments to health records.

Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-575 et seq.

To the extent applicable, Behavioral Solutions complies with the VCDPA, effective January 1, 2023, as amended (including amendments effective January 1, 2026). We honor consumer rights including the right to access, correct, delete, and obtain a portable copy of personal data, as well as the right to opt out of targeted advertising, the sale of personal data, and profiling.

Virginia Consumer Protection Act (VCPA) — SB 754 (Eff. July 1, 2025)

Behavioral Solutions complies with SB 754 amendments to the VCPA, which prohibit obtaining, disclosing, selling, or disseminating personally identifiable reproductive or sexual health information without consumer consent.

Virginia Breach Notification (Va. Code § 18.2-186.6)

In the event of an unauthorized access or acquisition of unencrypted computerized personal information, Behavioral Solutions will provide notification to affected individuals and the Virginia Attorney General’s Office without unreasonable delay.

Mandated Reporting (Va. Code § 63.2-1509)

Behavioral Solutions personnel are mandated reporters under Virginia law. Suspected child abuse or neglect is reported to the local Department of Social Services or the Virginia Child Abuse Hotline as required. Such reporting may require disclosure of otherwise confidential information without the client’s or stakeholder’s consent.

Virginia Scholastic Records (Va. Code § 22.1-287 et seq.)

When Behavioral Solutions creates or maintains records that constitute scholastic records under Virginia Code § 22.1-287 et seq., such records are maintained, accessed, and disclosed in compliance with applicable Virginia education privacy laws, the Standards of Quality (Va. Code § 22.1-253.13:1 et seq.), and VDOE regulations.

Children’s Privacy

Given that ABA services frequently involve minor children, Behavioral Solutions maintains heightened privacy protections for all individuals under the age of eighteen (18).

• Parental Consent: All informed consent for services, disclosure of information, and use of data regarding minor clients is obtained from a parent or legally authorized representative, consistent with HIPAA, FERPA, IDEA, COPPA, Virginia law, and BACB requirements.
• COPPA Compliance: Our website does not knowingly collect personal information from children under thirteen (13) without verifiable parental consent, per COPPA, 15 U.S.C. § 6501 et seq.
• VCDPA Child Protections: Behavioral Solutions complies with the VCDPA’s requirements regarding the processing of personal data of known children.
• Assent: We seek assent from clients unable to provide informed consent, defined by the BACB as “vocal or nonvocal verbal behavior that can be taken to indicate willingness to participate in research or behavioral services by individuals who cannot provide informed consent (e.g., because of age or intellectual impairments)” (BACB, 2020, Glossary).
• Photographic and Video Protections: Consistent with BACB Ethics Code Standard 5.10, photographs, videos, and other digital content depicting minor clients are never published on personal social media accounts. Professional publication requires informed consent as specified in Standard 5.10 (BACB, 2020).

Data Security Measures

Behavioral Solutions implements comprehensive safeguards to protect all personal, clinical, educational, and health information in compliance with the HIPAA Security Rule (45 CFR Part 164, Subpart C), VCDPA data security requirements (Va. Code § 59.1-578(A)(3)), and professional standards.

Administrative Safeguards

• Designation of a Privacy Officer and Security Officer
• Workforce training on HIPAA, FERPA, BACB ethics, and Virginia privacy requirements upon hiring and annually
• Background checks for all personnel who access PHI or education records
• Written policies and procedures governing the use, access, and disclosure of protected information
• Sanction policies for workforce members who violate privacy and security policies
• Incident response procedures for investigating and addressing potential data breaches

Technical Safeguards

• Access controls including unique user identification, automatic logoff, and role-based permissions
• Encryption of PHI at rest and in transit using industry-standard protocols (AES-256 or equivalent)
• Audit logging and monitoring of access to electronic records
• Secure, encrypted communication channels for telehealth and electronic correspondence containing PHI
• Regular security risk assessments as required by 45 CFR § 164.308(a)(1)
• Data backup and disaster recovery procedures

Physical Safeguards

• Facility access controls to limit physical access to locations where PHI is stored
• Secure storage of physical records in locked cabinets within secured areas
• Workstation use and security policies
• Device and media controls for disposal, re-use, and movement of electronic media containing PHI

Data Retention & Destruction

Behavioral Solutions retains all documentation in compliance with the most stringent applicable retention requirement:

• HIPAA: Covered entity documentation must be retained for six (6) years from the date of creation or the date when the document was last in effect, whichever is later, per 45 CFR § 164.530(j).
• BACB: Supervision documentation must be retained “for at least 7 years and as otherwise required by law,” per BACB Ethics Code Standard 4.05 (BACB, 2020).
• Virginia Law: Health records must be retained for a minimum of six (6) years from the last date of service for adult patients, and for minors, until the patient reaches the age of eighteen (18) plus the applicable retention period, consistent with Virginia Code § 32.1-127.1:03.
• FERPA/IDEA: Education records are retained in accordance with the applicable LEA’s retention schedule and IDEA requirements at 34 CFR § 300.624.

Behavioral Solutions applies the longest applicable retention period to ensure compliance across all governing frameworks.

Your Rights

Under HIPAA

Right to access, amend, receive an accounting of disclosures, request restrictions, request confidential communications, receive breach notification, and obtain a copy of the Notice of Privacy Practices. (See Section 9.)

Under FERPA & IDEA

Right to inspect and review education records, request amendment, consent to disclosures, file complaints with the U.S. Department of Education, and request destruction of PII when no longer needed. (See Sections 9 and 10.)

Under the VCDPA (Va. Code § 59.1-577)

If applicable, you have the right to: (1) confirm whether a controller is processing your personal data and access such data; (2) correct inaccuracies; (3) delete personal data; (4) obtain a portable copy in a readily usable format; and (5) opt out of targeted advertising, sale of personal data, or profiling.

Under the BACB Ethics Code

Consistent with BACB Ethics Code Standard 3.09: “When providing services at the request of a third party to a minor or individual who does not have the legal right to make personal decisions, behavior analysts ensure that the parent or legally authorized representative is informed of the rationale for and scope of services to be provided, as well as their right to receive copies of all service documentation and data” (BACB, 2020).

Under Virginia Health Records Law

Under Virginia Code § 32.1-127.1:03, you have the right to access and obtain copies of your health records, request corrections, and receive an accounting of disclosures.

Nondiscrimination

Behavioral Solutions will not discriminate against any individual for exercising their privacy rights under any applicable law, regulation, or professional standard, consistent with Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, and BACB Ethics Code Standard 1.08 (BACB, 2020).

Informed Consent

Behavioral Solutions obtains informed consent in compliance with all applicable requirements. The BACB Ethics Code defines informed consent for information use and sharing as requiring communication about: “(1) the purpose and intended use; (2) the audience; (3) the expected duration; (4) the right to decline or withdraw consent at any time; (5) potential risks or benefits; (6) any limitations to confidentiality or privacy; (7) whom to contact for questions or concerns at any time; and (8) the opportunity to ask questions and receive answers” (BACB, 2020, Glossary).

Behavioral Solutions provides all required information in understandable language and confirms comprehension before obtaining consent, consistent with BACB Ethics Code Standard 2.08, which requires behavior analysts to “use understandable language in, and ensure comprehension of, all communications with clients, stakeholders, supervisees, trainees, and research participants” (BACB, 2020).

Consent is documented in writing and maintained in the client’s record. Consent may be revoked at any time in writing, subject to applicable limitations.

Telehealth & Technology

When Behavioral Solutions delivers services via telehealth, we maintain all privacy and confidentiality protections applicable to in-person services. This is consistent with the BACB Ethics Code’s scope provision that the Code “applies to behavior analysts’ professional activities across settings and delivery modes (e.g., in person; in writing; via phone, email, text message, video conferencing)” (BACB, 2020, Scope of the Code).

Telehealth Privacy Measures

• All telehealth sessions are conducted using HIPAA-compliant, encrypted platforms with Business Associate Agreements in place
• Clients and stakeholders are informed of the privacy risks inherent in technology-based service delivery prior to initiation of telehealth services
• Informed consent specific to telehealth is obtained, including risks related to technology failure, unauthorized interception, and limitations of telehealth modalities
• Session recordings, if any, are stored, retained, and destroyed in compliance with all applicable requirements
• Behavioral Solutions complies with Virginia telehealth regulations and licensure requirements

Website Privacy

• Our website may use cookies and similar tracking technologies to improve user experience. No PHI, education records, or clinical information is collected through the website without appropriate consent and encryption.
• Third-party analytics tools, if used, are configured to anonymize IP addresses and do not collect PII.
• Links to external websites are provided for informational purposes only. Behavioral Solutions is not responsible for the privacy practices of third-party websites.

Complaints & Enforcement

Consistent with BACB Ethics Code Standard 3.04, which requires that service agreements include “procedures for submitting complaints about a behavior analyst’s professional practices to relevant entities (e.g., BACB, service organization, licensure board, funder)” (BACB, 2020), Behavioral Solutions provides the following complaint avenues:

Internal Complaints

You may file a privacy complaint directly with Behavioral Solutions’ Privacy Officer using the contact information provided in Section 22. All complaints will be investigated promptly and confidentially. Behavioral Solutions will not retaliate against any individual for filing a complaint in good faith.

External Complaint Options

• U.S. Department of Health and Human Services, Office for Civil Rights (HIPAA): www.hhs.gov/hipaa/filing-a-complaint or 1-800-368-1019.
• Behavior Analyst Certification Board (BACB): Notice of Alleged Violation process at www.bacb.com.
• Virginia Board of Medicine: Virginia Department of Health Professions at www.dhp.virginia.gov or (804) 367-4600.
• U.S. Department of Education, Student Privacy Policy Office (FERPA): 400 Maryland Avenue SW, Washington, DC 20202-8520 or studentprivacy.ed.gov.
• Virginia Attorney General’s Office (VCDPA/VCPA): www.oag.state.va.us.

Changes to This Privacy Policy

Behavioral Solutions reserves the right to amend this Privacy Policy at any time in response to changes in applicable laws, regulations, BACB requirements, or our professional practices. Material changes will be communicated to clients and stakeholders through written notice and/or posting on our website.

Consistent with BACB Ethics Code Standard 3.04, any updates that materially affect the terms of existing service agreements will be reviewed with and signed by the client and/or relevant stakeholders, as the standard requires: “Updated service agreements must be reviewed with and signed by the client and/or relevant stakeholders” (BACB, 2020).

We encourage you to review this policy periodically. Continued use of our services after the effective date of any amendment constitutes acceptance of the revised policy, except where additional consent is required by law.

Legal Citations & References

Governing Authorities:

Federal Laws & Regulations

• Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1320d et seq.; 45 CFR Parts 160 & 164
• Health Information Technology for Economic and Clinical Health (HITECH) Act, 42 U.S.C. § 17932
• Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99
• Individuals with Disabilities Education Act (IDEA), 20 U.S.C. §§ 1400–1482; 34 CFR Part 300
• Every Student Succeeds Act (ESSA), 20 U.S.C. § 6301 et seq.
• Department of Education Organization Act, 20 U.S.C. § 3401 et seq.
• Title VI of the Civil Rights Act of 1964, 42 U.S.C. § 2000d
• Title IX of the Education Amendments of 1972, 20 U.S.C. § 1681
• Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.

Virginia Laws & Regulations

• Virginia Code § 54.1-2957.16 — Licensure of Behavior Analysts
• Virginia Code § 54.1-2957.17 — Exceptions to Licensure Requirements
• 18 VAC 85-150 — Regulations Governing the Practice of Behavior Analysis
• Virginia Code § 32.1-127.1:03 — Health Records Privacy
• Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-575 et seq.
• Virginia Consumer Protection Act (VCPA), Va. Code § 59.1-196 et seq., as amended by SB 754 (Eff. July 1, 2025)
• Virginia Code § 18.2-186.6 — Breach of Personal Information Notification
• Virginia Code § 63.2-1509 — Mandated Reporting of Child Abuse/Neglect
• Virginia Code Title 22.1 — Education (including §§ 22.1-253.13:1 et seq. [SOQ], 22.1-287 et seq. [Scholastic Records], 22.1-279.6 [Standards of Conduct])
• 8 VAC 20-81 — Regulations Governing Special Education Programs for Children with Disabilities in Virginia
• 8 VAC 20-10/11 — Public Participation Guidelines

Professional Standards

• Behavior Analyst Certification Board. (2020). Ethics code for behavior analysts. Updated 08/2024. https://bacb.com/wp-content/ethics-code-for-behavior-analysts/
• Behavior Analyst Certification Board. (2021). RBT ethics code (2.0). Updated 08/2024. https://www.bacb.com/rbt-ethics-code/
• BACB Newsletters: December 2025, February 2026 (upcoming requirement changes)
• BACB. (2025). 2027 BCBA requirements. Updated 02/2026. https://www.bacb.com/2027-bcba-requirements/