BACB Code 2.03: When Sharing Client Info Crosses the Line

Real confidentiality slips BCBAs make, when you can share, and how to de-identify info to get a second opinion from a BCBA-led CEU.

Key takeaway

BACB Code 2.03 is the rule most BCBAs think they have nailed until Michael Scott walks up to a vending machine, swears his "lips are sealed" about Oscar, and then asks Stanley for an update on "the P situation" before pivoting to "P-A-M" in a stage whisper, which is exactly the kind of gray-zone slip that happens in our field when a clinician truly believes that sharing one small detail will help the client, and the fix is not a vow of silence but a tight script for de-identifying a case so you can still ask a peer for help without leaking a single piece of protected health information.

Watch the full CEU recording

Dunder Mifflin’s Guide to BCBA Ethics: Lessons from The Office

Mellanie Page · 55 min
Watch on openceu.com →
On this page · 9 sections

BACB Code 2.03 is the rule most BCBAs think they have nailed until Michael Scott walks up to a vending machine, swears his "lips are sealed" about Oscar, and then asks Stanley for an update on "the P situation" before pivoting to "P-A-M" in a stage whisper, which is exactly the kind of gray-zone slip that happens in our field when a clinician truly believes that sharing one small detail will help the client, and the fix is not a vow of silence but a tight script for de-identifying a case so you can still ask a peer for help without leaking a single piece of protected health information.

What Code 2.03 covers and where BCBAs slip#

Code 2.03 of the BACB Ethics Code for Behavior Analysts says we protect confidential information about clients, supervisees, trainees, and research participants. That means names, diagnoses, session notes, video clips, payer details, family situations, and anything else that could identify the person you serve. Most BCBAs can recite this rule. The problem is not the rule. The problem is the moments when the rule feels like it is getting in the way of good care.

In the recorded session, Mellanie Page set up the issue with a clip from The Office. Michael Scott tells the camera that Oscar's secret is safe with him. Two scenes later he is at the vending machine asking Stanley about Pam by name, dropping initials, then claiming "we're talking code." The room laughed. Every BCBA in the chat also recognized it. The leak rarely looks like a leak. It looks like a quick favor, a quick question, a quick text.

The slips that show up most often in ABA practice are not malicious. They are these:

  • Using a child's first name in a parking-lot conversation with a co-worker.
  • Texting a screenshot of a graph that includes the client's initials and date of birth.
  • Posting a "de-identified" case in a BCBA Facebook group that still names the school, the city, and the rare diagnosis.
  • Sharing a story at a family event because "no one here knows them."
  • Letting a parent ask about another child on your caseload and answering even a little.

Each one starts with the same belief. You are trying to help. That belief is what makes Code 2.03 sticky, and it is the reason the next section matters more than the rule itself.

The "I'm only telling you because it helps the client" trap#

Page named this trap directly during the talk.

It becomes stickier when we believe we're sharing information that could benefit our client.

That is the moment the rule bends. You are stuck on a tough case. A peer down the hall has run something similar. You tell yourself one sentence of context is fine because the goal is the kid's progress. Then one sentence becomes three. Then the peer asks a clarifying question. Then you answer it. By the end of the conversation you have shared the client's age, school, diagnosis, and the parent's job. None of it was needed to get the clinical input you wanted.

The fix is to separate two things that feel like the same thing. Getting a second opinion is allowed and encouraged. Sharing identifying information is not. You can do the first without doing the second if you script the ask before you open your mouth.

Three settings where confidentiality breaks most often#

Most 2.03 slips happen in three places. Knowing the setting is half the prevention.

The parking lot. You and a coworker walk out together. The case is fresh. You debrief without thinking. The parking lot is not a private space. Family members of other clients park there. So do school staff. Treat it like a public hallway.

The team chat. Slack, GroupMe, and clinical group texts feel internal, but they are not protected like an EHR is. Screenshots get forwarded. Phones get left on counters. Anything that goes in a chat should already be safe to post on a billboard if you stripped the names.

Family events. Holiday parties, school pickups, birthday parties. You see a parent of a current or past client. You mention the case to your sister later that night. Your sister works in the same district. Now you have a HIPAA-style exposure, a BACB issue, and a relationship problem.

The pattern across all three is the same. You are not in session. You feel off-duty. Code 2.03 does not have an off-duty mode.

Release of information: when you actually need it#

A release of information, or ROI, is the document that lets you share identifying information about a client with someone outside the treatment team. You need one before you talk to the speech therapist, the occupational therapist, the school, the pediatrician, the new BCBA taking over the case, or any other outside professional.

A few rules of thumb that came up in the session:

  • You need an ROI for two-way communication, not just to receive information.
  • The ROI should name the specific person or agency you are talking to, not "anyone the parent might want me to talk to."
  • The ROI should list what you can share, for how long, and for what purpose.
  • Verbal consent in a meeting is not an ROI. Get it in writing.
  • Internal team members at your own agency who are part of the treatment plan do not need an ROI, because they are already covered by the original consent the family signed.

If you are not sure whether the conversation needs an ROI, the safe answer is yes. Pause the conversation, get the paperwork, then come back.

How to de-identify a case to ask for help#

This is the part that makes Code 2.03 work in real life. You can still get a peer's clinical opinion on a tough case. You just have to strip the identifiers before you ask. Page walked through a clean example.

I want to know if speech therapy would be helpful for a client who is using an AAC device, but we want to move more toward vocalizations because we're noticing the child is starting to express interest in vocally communicating. You don't know who I'm talking about, right?

Notice what is missing. No name. No initials. No age. No school. No city. No diagnosis. No payer. Just the clinical question and the behavior you are trying to address. The peer can give you a real answer. The client stays protected. This is the BACB-friendly version of asking a smart friend.

A simple template you can keep on a sticky note:

  1. State the behavior or skill in plain clinical terms.
  2. State what you have tried.
  3. State the constraint or context that matters (setting, age range, communication mode).
  4. Ask the specific question you want answered.
  5. Confirm out loud: "You don't know who I'm talking about, right?"

If your peer can guess who the client is from your description, you have not de-identified it. Tighten the language and try again.

There is a small set of situations where Code 2.03 not only allows you to share, it requires it.

  • Risk to the client or others. Abuse, neglect, suicidal statements, homicidal statements, or imminent danger trigger mandatory reporting to the appropriate authority. The form of the report depends on your state and your role, but the duty is the same.
  • Court order or subpoena. A valid court order or subpoena can require disclosure. Talk to your agency's legal contact before you respond.
  • Coordination of care inside your own agency. Other clinicians on the treatment team can see the chart because the family already consented when they signed on.
  • Billing and audits. Payers and BACB audits can request records. The original service agreement covers this.

Outside of these, you need a release. When in doubt, slow down. Page's standing advice in the talk was to call the BACB ethics hotline, talk to a supervisor, or pause the conversation until you have written consent.

A team huddle template that keeps cases private#

Most agencies run a weekly clinical huddle. These huddles are where small leaks become habits. Build the agenda so the structure does the protecting for you.

  • Open with de-identification. First minute of every huddle is a reminder that all cases referenced today use first initials only and no identifying details outside the room.
  • Use case numbers, not names. Pull case numbers from your EHR. Train the team to say "C-417" instead of "Jacob's case."
  • Cap the context. Each presenter gets two sentences of background, then goes straight to the clinical question.
  • Watch for drift. Assign one person to flag identifying details in real time. It is awkward at first. It saves you later.
  • Document the question, not the kid. Notes from the huddle should be safe to leave on a screen share. If they are not, rewrite them.

A huddle that runs this way still moves fast. The team gets the cross-pollination of ideas. The clients stay protected. Code 2.03 gets enforced by the format instead of by willpower.

FAQ#

Is it a HIPAA violation to talk about a client by initials? It can be. Initials count as identifying information when combined with other context like the city, the school, or the diagnosis. HIPAA looks at the full picture, not just the name. The safer default is to strip initials too and use a clinical descriptor.

Can I post a redacted case on a BCBA Facebook group? Be careful. Even when names are gone, you can re-identify a case through the rare diagnosis, the city, the school district, or the timing. If a parent or coworker could read the post and guess who you are talking about, it is not redacted. The de-identified script in the section above is the better path.

Do I need a release of information to talk to the speech therapist? Yes, if the SLP works at a different agency or organization. The ROI should name the SLP, the agency, the purpose of the conversation, what you can share, and how long it is valid. If the SLP is on your own treatment team and the family already consented at intake, you are covered.

What if a parent asks about another client in my caseload? Decline politely and redirect. A line that works: "I can't share anything about other families, the same way I won't share details about yours with anyone else. That protection is one of the reasons families trust this work."

When am I required to break confidentiality? When there is imminent risk to the client or someone else, when there is suspected abuse or neglect, when you receive a valid court order, or when state law requires reporting. Document what you shared, with whom, and why.

Take the full CEU#

This walkthrough pulls one code from a one-hour session that covers six. Watch the full recording for the other codes, the chat-based examples, and the live coaching on the gray-zone questions BCBAs asked in real time.

Watch the full ethics CEU with Mellanie Page

More from this recording

Related · same talk
BACB Code 1.12: The $10 Gift Rule and What to Do at the Holidays
Related · same talk
BACB Code 1.06: How to Expand Your Scope of Competence the Right Way
Related · same talk
BACB Code 1.08: Non-Discrimination and Cultural Responsiveness in ABA
Related · same talk
BACB Code 2.08: How to Communicate About Services Without Overpromising

More on Ethics

Related · same talk
BCBA Personal Values as Your Career Compass
Related · same talk
Writing a Personal Mission Statement as a BCBA (Without the Cringe)
Related · same talk
BCBA Scope of Practice for Grief Work: What You Can and Cannot Do
Related · same talk
Supporting Clients With Disabilities Through Grief: A BCBA Guide