3.1 · Operations
Allowed in This Software
This page is the day-to-day reference for what you can and cannot put into this software right now. The platform is moving through staged compliance work, and the line between allowed and prohibited will shift as each Action Item is completed. Until those are done, keep to the rules below to avoid creating a HIPAA incident on a platform that is not yet fully ready to hold Protected Health Information.
Allowed today
- Clinic legal name, DBA, address, phone, email, website.
- Clinic owner, BCBA, and RBT names in their professional capacity.
- Generic policy and procedure templates, handbook content, ICP copy, internal task lists, deliverable drafts.
- De-identified examples (all eighteen HIPAA identifiers stripped) used for training material or case studies.
- Our business’s own operational data: invoices, contracts, consulting hours, internal notes.
Not allowed yet
- Any real learner first name, last name, or initials used in context.
- Session notes, progress notes, behavior intervention plans, individualized education plans, treatment plans.
- Photos of children, photos of intake forms, photos of insurance cards.
- Parent or caregiver contact information paired with the child’s clinical situation.
- Medicaid IDs, commercial insurance member IDs, medical record numbers, chart numbers.
- Anything pasted into the AI extractor that contains any of the above. The current extractor routes through a provider that is not BAA-covered at our tier.
Current technical state
Where each part of the system stands today, as a quick honest snapshot:
- Storage. In-memory only. No encryption at rest under our control, no audit log, no access control. Anything saved here evaporates on server restart.
- AI extraction. OpenAI gpt-4o-mini via Vercel AI Gateway. No BAA at the current tier. Business operations content only.
- Authentication. Not yet implemented. Anyone with the URL can see everything.
- Audit logging. Not yet implemented. We cannot reconstruct who viewed or changed what.
- Backups. Not yet implemented. State is volatile.
Why these limits exist
The list of restrictions exists because the platform is mid-buildout. Each item on the "not allowed yet" list is gated on a specific Action Item being completed. Once the database is on RDS, authentication is wired through Cognito, audit logging is on, and the AI path moves to Bedrock, the corresponding restrictions can be lifted. Until then, treating the platform as if it were ready for Protected Health Information would create real legal exposure.