Facebook Group Privacy Settings for ABA Practices: What to Use

Why Privacy Settings Matter More for ABA Practices Than Other Businesses

Most practice owners think switching their Facebook group privacy settings makes them HIPAA-compliant. It doesn’t.

Here’s what actually happens: A parent posts in your private group asking, “Has anyone else’s kid struggled with aggression during toilet training? We’re working with Sarah on Tuesdays and Thursdays.” Another parent responds, “Oh yes! Our BCBA suggested we try X, and it’s been working great.”

You just had a PHI discussion in writing. The fact that only 247 people can see it instead of the entire internet doesn’t make it compliant.

The problem isn’t that parents are malicious—they’re trying to help each other. But the moment someone identifies their child is receiving services from your practice and describes any aspect of their treatment or behavior, you’ve got protected health information floating around in a platform that isn’t designed for healthcare compliance. Facebook’s terms of service explicitly state they’re not a HIPAA-compliant platform. There’s no Business Associate Agreement. There’s no encryption that meets healthcare standards.

Your insurance policy probably doesn’t cover this

Most professional liability policies require you to have “reasonable safeguards” in place to protect PHI. When a parent posts identifiable information in your Facebook group and you don’t immediately remove it, you’re not maintaining reasonable safeguards.

I’ve talked to practice owners who assumed their insurance covered social media issues. Then they actually read their policy and found clauses about electronic communications and PHI. Some policies specifically exclude coverage for violations that occur through social media platforms.

It’s not just about what YOU post. You’re responsible for moderating the space. If parents are discussing their children’s diagnoses, behaviors, or treatment details in your group, and you’re not actively preventing it, you’re creating a compliance liability.

Private groups feel safe—they’re not

You control who gets in. You approve every member. But that’s not the same as secure or compliant.

If a parent screenshots a conversation from your private group and shares it elsewhere, you have no control over where that information goes. If a parent’s Facebook account gets hacked, whoever has access can now see everything in your private group.

The privacy setting changes how many people can stumble across the group. It doesn’t change Facebook’s fundamental architecture or your compliance obligations.

Look at your group’s description and pinned post. Do you have clear rules about not sharing specific information about children, treatment plans, or behaviors? If parents want to discuss challenges, are you directing them to contact their BCBA directly instead of posting in the group?

If you don’t have those rules posted and actively enforced, add them today. Better yet, rethink whether a Facebook group is the right tool for what you’re actually trying to accomplish.

Private Facebook Groups Are NOT HIPAA Compliant (Here’s What That Means)

Facebook doesn’t sign Business Associate Agreements (BAAs) for groups. They sign BAAs for their Workplace product — a completely separate platform. Your private Facebook group, even with all the privacy settings maxed out, is not covered. Any protected health information (PHI) shared in the group is a compliance violation.

What Actually Counts as PHI in Group Discussions

You can’t mention client names, ages, specific behaviors tied to identifiable information, or session details, even if you think you’re being vague.

Here’s what creates risk:

“We have a 6-year-old in Grayslake who elopes during transitions” — that’s a violation. Small town, specific age, specific behavior? Someone could identify that child.

“Parent asked about potty training strategies for their daughter who just turned 4” — still a violation. You’ve shared that you have a client with a daughter that age working on toileting.

“Client’s mom keeps canceling Tuesday sessions” — violation. You’ve confirmed someone is your client.

What you CAN discuss: “What strategies work for elopement during transitions?” or “How do you handle frequent cancellations?” No client details. No identifying information. Just general professional questions.

The Group Rules Language That Actually Protects You

Your group rules need to spell this out explicitly. Don’t assume people understand HIPAA. Most parents and staff don’t.

Copy this into your group rules:

“This group is NOT HIPAA-compliant. Do not share any information about specific clients, including names, ages, locations, behaviors, or session details. Discuss general topics and strategies only. Posts that include identifiable client information will be removed immediately, and repeat violations will result in removal from the group. If you need to discuss a specific case, contact [your clinic email] directly.”

Pin that to the top of your group. Reference it when you approve new members. When someone posts something that gets close to the line, comment publicly: “Great question — can you repost this without the client-specific details so we can discuss the general strategy?”

This does two things. It protects you legally, and it trains your group members on what’s acceptable.

What This Means for Your Group Strategy

You can still run an active, helpful Facebook group. You just can’t use it for case consultations or client-specific discussions. Use it for general ABA topics, community resources, practice updates, and professional development questions.

Want to discuss a specific case? Move that conversation to a HIPAA-compliant platform. Email, your practice management system, or a secure messaging tool with a BAA in place.

The engagement piece still works — being helpful in other groups, commenting with general advice, sharing resources. Just never discuss your clients by name or with enough detail that someone could identify them. Even in a private group. Even if you think only your staff can see it. Just like talking about ABA outcomes requires careful consideration, managing group content needs the same care.

Set the boundary clearly in your rules, enforce it consistently, and you can still build community without risking your practice.

Beyond Privacy Settings: The Other Controls That Protect Your Practice

Most practice owners set their group to Private and call it a day. But the privacy toggle is just the first layer. The settings that actually protect your practice from compliance headaches live in the membership and admin controls most people never touch.

Membership Questions Are Your First Line of Defense

Before someone joins your group, you can require them to answer screening questions. This isn’t about being exclusive—it’s about filtering out spam accounts, competitors mining your content, and people who aren’t actually part of your target audience.

Set up 2-3 questions that force real humans to respond. “What brings you to this group?” catches most bots. “Where is your child receiving services?” or “What city are you located in?” helps you verify they’re actually in your service area if you’re running a local group.

Make them write a sentence. Review every answer before approving. Facebook lets you decline members and automatically block them from requesting again. Use this. If someone’s profile looks fake or their answers are nonsense, decline and block.

Post Approval Isn’t Just for Public Groups

Even in a Private group, post approval can save you from compliance disasters. When members can post freely, you’re one angry parent away from someone sharing identifying information about another family, or a staff member venting about a client by name.

Turn on post approval if your group includes current clients, especially if you’re mixing clients and staff. Yes, it creates more work for admins. But approving posts takes 30 seconds. Dealing with a HIPAA complaint takes 30 hours and potential fines.

Admin Activity Log Is Your Compliance Receipt

Under “Moderate Group,” there’s an activity log that tracks every admin action—who approved what post, who removed which member, who changed group settings. This log is your documentation if something goes wrong.

If a member later claims they were removed unfairly or a post was deleted inappropriately, you have a timestamped record. If you’re ever audited for how you handle protected information in digital spaces, this log shows you had oversight processes in place.

Set Admin Permissions Based on Actual Roles

Not every admin needs full control. Facebook lets you assign different permission levels—moderator versus admin. Your front desk staff who help approve membership requests don’t need the ability to delete the entire group or change privacy settings.

Give the minimum permissions needed for someone’s actual role. Only practice owners or directors should have full admin rights. This prevents accidental changes and reduces risk if someone leaves your practice on bad terms.

Go to your group settings, review your current admins, and adjust permissions. Then turn on membership questions if you haven’t already. These two changes take 10 minutes and prevent most of the problems I see practices deal with later.
