A therapy practice must provide HIPAA training to new workforce members before they access patient records and must repeat that training at least annually as a matter of accepted industry best practice, with additional training required whenever policies change, a regulatory update affects compliance obligations, or a security incident indicates a gap in staff understanding. The Privacy Rule at 45 CFR 164.530(b) requires training within a reasonable period of a workforce member joining the practice and whenever material changes to policies or procedures occur. The Security Rule at 45 CFR 164.308(a)(5) requires an ongoing security awareness and training program, which regulators and compliance professionals consistently interpret to require at minimum annual reinforcement.
Annual Training as the Accepted Standard
Annual HIPAA refresher training is the industry standard across all covered entity settings, and therapy practices are not exempt from that standard regardless of their size or the number of clients they serve. A sole practitioner who completed training at onboarding but has not returned to the material since then may be operating on outdated knowledge of disclosure rules, breach notification procedures, or the security controls required for the electronic systems they use. Annual training resets that baseline, incorporates any regulatory amendments or HHS guidance issued since the previous cycle, and reinforces the compliance behaviors that protect client PHI in day-to-day practice.
Therapy-Specific Triggers for Additional Training
Beyond the annual cycle, therapy practices must provide additional training when specific events occur. A change to the practice’s Notice of Privacy Practices requires updated training on the new terms. A transition to a new electronic health record system or telehealth platform requires updated training on the ePHI security obligations associated with that system. A reported breach or near-miss incident requires retraining of the workforce members involved. A change in the practice’s client population that brings new federal confidentiality obligations into play, such as beginning to treat clients with substance use disorders and triggering 42 CFR Part 2, requires training on the additional framework before those clients are seen.
HIPAA Training for Therapists and Counselors
HIPAA Training for Therapists and Counselors from The HIPAA Journal is structured to serve both initial onboarding training and annual refresher cycles. The course covers the Privacy Rule, Security Rule, and Breach Notification Rule through modules built around behavioral health scenarios, and includes content on psychotherapy note protections, overlapping federal confidentiality frameworks, and the compliance risks of generative AI and social media use in therapeutic practice. It is self-paced, accessible on any device, and awards an accredited certificate with 5.0 CEUs on completion, producing a dated training record that satisfies the six-year documentation retention requirement under HIPAA.


