Applied Behavioral Analysis Services (ABAS)

ABAS Compliance Program

Policies, standards, and program documents
POL-015

Social Media and Online Conduct

Version 1.0Approved by Benjamin Chouinard · 2026-07-15Review cycle: Annual

Purpose

This policy states how ABAS workforce members conduct themselves in online spaces, on any service and through any device. It exists to protect three things that online activity can put at risk in seconds: client privacy, professional integrity, and the Company's ability to speak with one voice.

The policy is deliberately written without naming any platform, application, or access technology. Services rise and fall, features change, and the devices people use to reach them change faster still. What does not change is the behavior the law and the profession require. A workforce member who understands the principles in this policy can apply them to any service that exists today and any service that appears tomorrow; no revision of this policy is needed when the landscape shifts. [Rec 1; COC-001]

Scope

This policy applies to all ABAS workforce members: employees, interns, contractors, and volunteers. It covers online activity in any form and at any time that touches one of the interests the policy protects:

Nothing in this policy restricts rights protected by Section 7 of the National Labor Relations Act; see the savings clause in the Policy Statement.

Definitions

Term Definition
Social MediaAny online service, application, or feature that lets a person create, share, or interact with content or with other people. The definition is functional: it covers posts, messages, images, audio, video, live streams, comments, reviews, profiles, and communities, in any form, however created, on any service that performs these functions now or in the future.
Online ConductAny act performed through social media as defined above, including passive acts with communicative effect, such as following, connecting with, reacting to, or resharing content or accounts.
Client-Identifying InformationAny information that could identify a current or former client or family, alone or in combination: name, image, voice, video, initials in context, diagnosis, behavior descriptions, schedules, service locations, routines, or distinctive details. In a small community, context identifies people even when names are removed; information is client-identifying whenever a reader who knows the community could make the connection.
Authorized Company CommunicationOnline activity conducted on the Company's behalf by a workforce member the Executive Director has designated for that purpose, on accounts the Company controls.
Protected Concerted ActivityActivity protected by Section 7 of the National Labor Relations Act, including discussing wages, hours, schedules, discipline, or other terms and conditions of employment with coworkers or others, and acting together to improve working conditions.

Policy Statement

5.1 One Standard Everywhere

The standards that govern workforce conduct offline govern it online. The Code of Conduct (COC-001), the Sexual Harassment Prevention Policy (HR-001), HIPAA and Massachusetts privacy law, and the BACB ethics codes apply to online conduct exactly as they apply anywhere else. No service, feature, device, or audience setting changes an obligation. "Private," "temporary," "disappearing," or "closed-group" settings do not make a disclosure lawful or ethical; assume anything shared online can be copied, kept, and read by anyone.

5.2 Client Privacy Is Absolute

Workforce members never share client-identifying information online. This includes:

  1. Protected health information in any form.
  2. Images, audio, or video of clients or their families, including material captured incidentally in the background.
  3. Service locations, schedules, routines, or behavior descriptions that could identify a client, even without a name. Removing a name is not de-identification when context could make the connection.
  4. Discussion of a client interaction, however anonymized it feels, where a reader who knows the community could recognize the people involved.

Workforce members do not initiate or accept personal-account connections with current clients or their family members, and do not interact with client accounts from personal accounts. The professional relationship is conducted through Company channels. This protects clients and protects workforce members from multiple-relationship conflicts under the BACB ethics codes.

Any client media created for a legitimate clinical or Company purpose requires prior written consent from the client's guardian and authorization routed through the Privacy Officer before it is captured, and again before any use.

5.3 Speaking for the Company

Only workforce members designated by the Executive Director speak for ABAS online, and only through accounts the Company controls. Everyone else speaks as themselves. Where a workforce member's ABAS affiliation is visible and the topic touches the Company's field, make clear that views expressed are personal. Never present a personal account, opinion, or endorsement as the Company's.

Workforce members represent their credentials accurately online, and do not solicit testimonials or reviews from current clients or their families. Certificants follow the BACB ethics code provisions on public statements wherever they post.

5.4 Respectful Conduct

Harassment, discrimination, retaliation, threats, and bullying are prohibited online as they are everywhere else, whoever the target: coworkers, clients, families, or members of the public. The reporting routes and protections of HR-001 and the compliance reporting program apply to online conduct in full.

5.5 Confidential Company Information

Confidential business information (finances, payer terms, security practices, personnel matters, information shared in confidence) is not disclosed online without authorization. This obligation does not restrict protected concerted activity; see 5.7.

5.6 Security Behavior

Workforce members protect the credentials of any account that touches Company information, keep personal and Company accounts separate, and report suspected account compromise, impersonation of the Company or a colleague, or attempts to obtain client or Company information through social contact to the HIPAA Security Officer immediately. A disclosure of protected health information through a compromised or careless account is a suspected breach and routes to POL-014 (Breach Notification and Response) the same day.

ABAS does not ask workforce members for the passwords to their personal accounts.

5.7 Protected Activity Savings Clause

Nothing in this policy restricts, and no provision of this policy will be applied to restrict, rights under Section 7 of the National Labor Relations Act or any other lawful right. Workforce members may discuss wages, hours, schedules, discipline, working conditions, and unionization with coworkers or others online, may criticize Company employment practices, and may act together to improve working conditions, without prior approval and without retaliation. Client privacy obligations under law survive this clause; concerted activity does not require disclosing protected health information, and no provision of this clause permits it.

5.8 Enforcement

Violations are handled through the progressive discipline framework, up to and including termination. Violations involving client privacy also route immediately through POL-014, and violations by credentialed staff may carry reporting obligations to their certifying or licensing bodies. Good-faith reports of suspected violations are protected from retaliation.

Procedures

Requesting authorization to communicate for the Company. Send the request to the Executive Director (executive.director@abaswma.org) with the purpose and audience. Authorization names the person, the purpose, and the Company-controlled account; it is not platform-specific and does not transfer.

Client media consent and use. Before capturing any client media for a clinical or Company purpose, route the request to the Privacy Officer (privacy@abaswma.org) for consent verification and authorization. Use beyond the consented purpose requires a new authorization.

When you realize something was shared that should not have been. Act the same day: remove or request removal of the content where possible, and report it. If the content involves client-identifying information or any protected health information, report it immediately to the Privacy Officer under POL-014; the breach clock runs from discovery. For anything else confidential, report to the Compliance Officer (compliance@abaswma.org).

Impersonation or compromise. If an account impersonates the Company or a workforce member, or an account touching Company information may be compromised, report it to the HIPAA Security Officer (security@abaswma.org) immediately. Do not engage with the impersonating account.

Questions before posting. When unsure whether something crosses a line in this policy, ask before posting: the Compliance Officer for policy questions, the Privacy Officer for anything touching clients. A question costs a day; a disclosure can cost a client their privacy and a certificant their credential.

Training

Social media conduct is covered in compliance onboarding and in the annual refresher under the Compliance Training Program (TRN-001). Training teaches the principles, not a service-by-service rulebook: recognizing client-identifying information in context, the small-community identification problem, the separation of personal and Company voice, and the immediate reporting routes when something goes wrong. Scenario examples used in training are updated as the landscape changes; this policy is not.

Reporting

Concern Route When
Client-identifying information or PHI shared onlinePrivacy Officer, privacy@abaswma.org (POL-014)Immediately, same day
Account compromise or impersonationHIPAA Security Officer, security@abaswma.orgImmediately
Harassment or discrimination onlineAny route in HR-001, or hr@abaswma.orgPromptly
Other policy violations or concernsCompliance Officer, compliance@abaswma.orgPromptly
Anonymous reportinghttps://anonymous.abaswma.com/Any time

Good-faith reporting is protected from retaliation under POL-003 (Reporting and Investigation). Concerns about this policy's application to protected concerted activity may be raised through any route above without prior approval of the underlying speech.