Social Media and Online Conduct
Purpose
This policy states how ABAS workforce members conduct themselves in online spaces, on any service and through any device. It exists to protect three things that online activity can put at risk in seconds: client privacy, professional integrity, and the Company's ability to speak with one voice.
The policy is deliberately written without naming any platform, application, or access technology. Services rise and fall, features change, and the devices people use to reach them change faster still. What does not change is the behavior the law and the profession require. A workforce member who understands the principles in this policy can apply them to any service that exists today and any service that appears tomorrow; no revision of this policy is needed when the landscape shifts. [Rec 1; COC-001]
Scope
This policy applies to all ABAS workforce members: employees, interns, contractors, and volunteers. It covers online activity in any form and at any time that touches one of the interests the policy protects:
- Any service. The policy applies by function, not by name. If a service lets a person post, share, message, stream, comment, review, react, or otherwise create or interact with content or people, this policy governs conduct on it. This includes services that do not exist yet.
- Any device or access method. Obligations do not change with the technology used to reach a service. A post is a post whether it was made from a Company workstation, a personal device, a wearable, or any technology that appears later.
- Personal and work activity. Authorized Company communication is covered in full. Personal activity is covered only where it touches a protected interest: client privacy and confidentiality, confidential Company information, professional ethics obligations, representation of the Company, or the lawful-conduct standards that already govern workplace behavior. Purely personal online life that touches none of these is not the Company's business, and this policy does not reach it.
Nothing in this policy restricts rights protected by Section 7 of the National Labor Relations Act; see the savings clause in the Policy Statement.
Definitions
| Term | Definition |
|---|---|
| Social Media | Any online service, application, or feature that lets a person create, share, or interact with content or with other people. The definition is functional: it covers posts, messages, images, audio, video, live streams, comments, reviews, profiles, and communities, in any form, however created, on any service that performs these functions now or in the future. |
| Online Conduct | Any act performed through social media as defined above, including passive acts with communicative effect, such as following, connecting with, reacting to, or resharing content or accounts. |
| Client-Identifying Information | Any information that could identify a current or former client or family, alone or in combination: name, image, voice, video, initials in context, diagnosis, behavior descriptions, schedules, service locations, routines, or distinctive details. In a small community, context identifies people even when names are removed; information is client-identifying whenever a reader who knows the community could make the connection. |
| Authorized Company Communication | Online activity conducted on the Company's behalf by a workforce member the Executive Director has designated for that purpose, on accounts the Company controls. |
| Protected Concerted Activity | Activity protected by Section 7 of the National Labor Relations Act, including discussing wages, hours, schedules, discipline, or other terms and conditions of employment with coworkers or others, and acting together to improve working conditions. |
Policy Statement
5.1 One Standard Everywhere
The standards that govern workforce conduct offline govern it online. The Code of Conduct (COC-001), the Sexual Harassment Prevention Policy (HR-001), HIPAA and Massachusetts privacy law, and the BACB ethics codes apply to online conduct exactly as they apply anywhere else. No service, feature, device, or audience setting changes an obligation. "Private," "temporary," "disappearing," or "closed-group" settings do not make a disclosure lawful or ethical; assume anything shared online can be copied, kept, and read by anyone.
5.2 Client Privacy Is Absolute
Workforce members never share client-identifying information online. This includes:
- Protected health information in any form.
- Images, audio, or video of clients or their families, including material captured incidentally in the background.
- Service locations, schedules, routines, or behavior descriptions that could identify a client, even without a name. Removing a name is not de-identification when context could make the connection.
- Discussion of a client interaction, however anonymized it feels, where a reader who knows the community could recognize the people involved.
Workforce members do not initiate or accept personal-account connections with current clients or their family members, and do not interact with client accounts from personal accounts. The professional relationship is conducted through Company channels. This protects clients and protects workforce members from multiple-relationship conflicts under the BACB ethics codes.
Any client media created for a legitimate clinical or Company purpose requires prior written consent from the client's guardian and authorization routed through the Privacy Officer before it is captured, and again before any use.
5.3 Speaking for the Company
Only workforce members designated by the Executive Director speak for ABAS online, and only through accounts the Company controls. Everyone else speaks as themselves. Where a workforce member's ABAS affiliation is visible and the topic touches the Company's field, make clear that views expressed are personal. Never present a personal account, opinion, or endorsement as the Company's.
Workforce members represent their credentials accurately online, and do not solicit testimonials or reviews from current clients or their families. Certificants follow the BACB ethics code provisions on public statements wherever they post.
5.4 Respectful Conduct
Harassment, discrimination, retaliation, threats, and bullying are prohibited online as they are everywhere else, whoever the target: coworkers, clients, families, or members of the public. The reporting routes and protections of HR-001 and the compliance reporting program apply to online conduct in full.
5.5 Confidential Company Information
Confidential business information (finances, payer terms, security practices, personnel matters, information shared in confidence) is not disclosed online without authorization. This obligation does not restrict protected concerted activity; see 5.7.
5.6 Security Behavior
Workforce members protect the credentials of any account that touches Company information, keep personal and Company accounts separate, and report suspected account compromise, impersonation of the Company or a colleague, or attempts to obtain client or Company information through social contact to the HIPAA Security Officer immediately. A disclosure of protected health information through a compromised or careless account is a suspected breach and routes to POL-014 (Breach Notification and Response) the same day.
ABAS does not ask workforce members for the passwords to their personal accounts.
5.7 Protected Activity Savings Clause
Nothing in this policy restricts, and no provision of this policy will be applied to restrict, rights under Section 7 of the National Labor Relations Act or any other lawful right. Workforce members may discuss wages, hours, schedules, discipline, working conditions, and unionization with coworkers or others online, may criticize Company employment practices, and may act together to improve working conditions, without prior approval and without retaliation. Client privacy obligations under law survive this clause; concerted activity does not require disclosing protected health information, and no provision of this clause permits it.
5.8 Enforcement
Violations are handled through the progressive discipline framework, up to and including termination. Violations involving client privacy also route immediately through POL-014, and violations by credentialed staff may carry reporting obligations to their certifying or licensing bodies. Good-faith reports of suspected violations are protected from retaliation.
Procedures
Requesting authorization to communicate for the Company. Send the request to the Executive Director (executive.director@abaswma.org) with the purpose and audience. Authorization names the person, the purpose, and the Company-controlled account; it is not platform-specific and does not transfer.
Client media consent and use. Before capturing any client media for a clinical or Company purpose, route the request to the Privacy Officer (privacy@abaswma.org) for consent verification and authorization. Use beyond the consented purpose requires a new authorization.
When you realize something was shared that should not have been. Act the same day: remove or request removal of the content where possible, and report it. If the content involves client-identifying information or any protected health information, report it immediately to the Privacy Officer under POL-014; the breach clock runs from discovery. For anything else confidential, report to the Compliance Officer (compliance@abaswma.org).
Impersonation or compromise. If an account impersonates the Company or a workforce member, or an account touching Company information may be compromised, report it to the HIPAA Security Officer (security@abaswma.org) immediately. Do not engage with the impersonating account.
Questions before posting. When unsure whether something crosses a line in this policy, ask before posting: the Compliance Officer for policy questions, the Privacy Officer for anything touching clients. A question costs a day; a disclosure can cost a client their privacy and a certificant their credential.
Training
Social media conduct is covered in compliance onboarding and in the annual refresher under the Compliance Training Program (TRN-001). Training teaches the principles, not a service-by-service rulebook: recognizing client-identifying information in context, the small-community identification problem, the separation of personal and Company voice, and the immediate reporting routes when something goes wrong. Scenario examples used in training are updated as the landscape changes; this policy is not.
Reporting
| Concern | Route | When |
|---|---|---|
| Client-identifying information or PHI shared online | Privacy Officer, privacy@abaswma.org (POL-014) | Immediately, same day |
| Account compromise or impersonation | HIPAA Security Officer, security@abaswma.org | Immediately |
| Harassment or discrimination online | Any route in HR-001, or hr@abaswma.org | Promptly |
| Other policy violations or concerns | Compliance Officer, compliance@abaswma.org | Promptly |
| Anonymous reporting | https://anonymous.abaswma.com/ | Any time |
Good-faith reporting is protected from retaliation under POL-003 (Reporting and Investigation). Concerns about this policy's application to protected concerted activity may be raised through any route above without prior approval of the underlying speech.