Article Updated: July 12, 2026

HIPAA Training for Counseling Practice Administrative Staff

Administrative staff in a counseling practice carry HIPAA training obligations identical to those of the licensed clinicians they support, because their work involves direct and frequent contact with protected health information through scheduling systems, intake forms, insurance records, billing platforms, and client communications, and the Privacy Rule’s workforce training requirement at 45 CFR 164.530(b) applies to every member of a covered entity’s workforce without exception based on job title or clinical status. A receptionist who books appointments, a billing coordinator who submits insurance claims, and an intake coordinator who collects client information at registration each handle PHI in ways that create distinct disclosure risks, and training that addresses only the clinical aspects of HIPAA leaves those roles without the practical guidance their daily tasks require. The Privacy Rule’s minimum necessary standard, the conditions for permissible verbal disclosures, and the correct response to third-party information requests are compliance decisions that administrative staff encounter before a licensed clinician has any involvement in the client interaction.

PHI Exposure Points Specific to Administrative Roles

Administrative staff in counseling practices encounter PHI exposure risks that differ from those faced by treating therapists or counselors. Front desk personnel manage client check-in in spaces where other clients may overhear, handle telephone inquiries from individuals whose authorization to receive client information has not been verified, and process written communications that contain PHI alongside non-clinical correspondence. Billing staff transmit PHI to insurance payers, process explanation of benefits documents containing diagnosis and treatment information, and handle client account records that include sensitive behavioral health data. Intake coordinators collect the most detailed PHI at the point of first contact, often before a formal treatment relationship has been established, and must understand which collection and storage practices the Privacy Rule permits at that stage. Each of these roles requires training on the minimum necessary standard, permissible disclosure conditions, and the correct process for verifying a caller’s or visitor’s authorization before any client information is shared.

Security Rule Training for Administrative Staff

Administrative staff who use scheduling platforms, electronic health record systems, billing software, or client communication tools access electronic PHI as a routine part of their work and fall within the Security Rule’s workforce training requirement at 45 CFR 164.308(a)(5). Security training for administrative roles must address login credential management, the risks of shared workstations or shared login accounts, safe email and messaging practices, the correct handling of devices that may be used outside the office, and the procedure for reporting a suspected security incident to the practice’s designated Security Official. Administrative staff who do not receive security awareness training present an access control and incident reporting gap that the Security Rule’s administrative safeguard requirements are designed to prevent.

HIPAA Training for Therapists and Counselors

HIPAA Training for Therapists and Counselors from The HIPAA Journal is built for all workforce members in behavioral health practices, including administrative and billing staff, not only licensed clinicians. The course covers the Privacy Rule, Security Rule, and Breach Notification Rule through behavioral health scenarios that reflect the situations administrative roles encounter, and includes modules on generative AI risks in administrative workflows and social media compliance. It is self-paced, accessible on any device, and awards an accredited certificate with 5.0 CEUs from the Compliance Certification Board on successful completion, producing a dated training record for each staff member that satisfies HIPAA’s six-year documentation retention requirement.

Author: PJ Murray

PJ Murray is the founder and publisher of The HIPAA Journal. He has more than 10 years of experience writing about HIPAA, healthcare compliance, patient privacy, and the protection of medical records. Through The HIPAA Journal, PJ helps healthcare organizations, business associates, and their employees better understand HIPAA regulations, reduce compliance risks, and strengthen the safeguards used to protect patient information.

PJ has a background in software development, holds an engineering degree, and specializes in the cybersecurity aspects of HIPAA compliance, including data security, medical record protection, and workforce training. He has also played a leading role in the development and launch of The HIPAA Journal Training, which provides HIPAA and cybersecurity training for healthcare organizations, business associates, students, and healthcare-related workforces.

PJ's work focuses on making complex regulatory and technical requirements easier for healthcare professionals and organizations to understand and apply in practice.
Connect on LinkedIn.