Therapy and counseling practices that qualify as HIPAA Covered Entities must provide every workforce member with training on the Privacy Rule, the Security Rule, and the Breach Notification Rule before that individual accesses protected health information, and must repeat that training annually as the accepted industry standard for maintaining ongoing compliance. The Privacy Rule at 45 CFR 164.530(b) requires training that is appropriate to the functions each workforce member performs, which means therapy and counseling practices cannot satisfy the requirement by providing generic healthcare training that does not address the specific PHI handling decisions, disclosure restrictions, and confidentiality obligations that arise in behavioral health settings. The Security Rule at 45 CFR 164.308(a)(5) separately requires an ongoing security awareness and training program for all workforce members who access systems storing or transmitting electronic PHI, creating a training obligation that runs alongside and distinct from the Privacy Rule requirement.
Privacy Rule Training Obligations for Therapy Practices
Privacy Rule training in a therapy or counseling practice must cover the permitted and required uses and disclosures of protected health information, the minimum necessary standard that governs how much PHI may be accessed or shared for a given purpose, and the patient rights that the Privacy Rule grants to clients including the right to access records, request amendments, and receive an accounting of certain disclosures. The Privacy Rule provides separate and stricter protection for psychotherapy notes than for standard clinical records, and training must address that distinction in practical terms: what qualifies as a psychotherapy note, when client authorization is required to disclose one, and how those notes must be stored and handled separately from the rest of the client file. Therapy practices that also serve clients with substance use disorders must include training on 42 CFR Part 2, which imposes consent and disclosure requirements that apply in addition to HIPAA and that override it where the two frameworks conflict.
Security Rule and Breach Notification Training Obligations
Security Rule training must prepare every workforce member who uses electronic systems to recognize security threats, protect their login credentials, handle practice devices securely, and report incidents promptly through the practice’s designated reporting process. The Breach Notification Rule requires training that enables staff to identify when a privacy or security event constitutes a reportable breach and to understand the notification obligations that follow, including the 60-day window for notifying affected clients and the Department of Health and Human Services. Training that addresses only the Privacy Rule without covering Security Rule and Breach Notification Rule content does not satisfy the full scope of what HIPAA requires of therapy and counseling practice workforces.
HIPAA Training for Therapists and Counselors
HIPAA Training for Therapists and Counselors from The HIPAA Journal covers all three required frameworks through modules built around behavioral health practice scenarios, with specific instruction on psychotherapy note protections, overlapping federal confidentiality laws, disclosure decisions in multi-party treatment relationships, and the compliance risks posed by generative AI tools and social media in therapeutic practice settings. The course is self-paced and accessible on any device, with randomized module assessments that confirm genuine understanding before a certificate is issued. An accredited certificate carrying 5.0 CEUs from the Compliance Certification Board is awarded on completion, producing a dated training record that satisfies the six-year retention requirement under HIPAA and supports the annual refresher cycle that industry practice requires of all covered entities providing therapy and counseling services.


