How Long Does HIPAA Training for Therapists and Counselors Take?

The HIPAA Training for Therapists and Counselors course from The HIPAA Journal takes 2 hours and 25 minutes to complete the mandatory HIPAA rules and regulations content combined with the specialist behavioral health module, with an additional 47 minutes for therapists and counselors who treat clients with substance use disorders and need to complete the 42 CFR Part 2 module, bringing the maximum total training time to 3 hours and 12 minutes. The course is structured in two main content layers: the mandatory HIPAA training that every workforce member in a covered entity must complete, and the specialist module that addresses the privacy and confidentiality obligations specific to therapeutic and counseling practice. Both layers are delivered through the same self-paced online learning management system, allowing staff to distribute the training across multiple sessions rather than completing it in a single block of time.

HIPAA Rules and Regulations Content: 1 Hour 31 Minutes

The mandatory HIPAA rules and regulations content runs for 1 hour and 31 minutes and covers the three regulatory frameworks that apply to every covered entity workforce member. The Privacy Rule modules address permitted and required uses and disclosures of protected health information, the minimum necessary standard, patient rights over their records, the heightened protections that apply to psychotherapy notes, and the conditions under which PHI may be disclosed without client authorization. The Security Rule modules cover the obligations that apply to workforce members who access systems storing or transmitting electronic PHI, including device security, credential management, email protocols, and the correct procedure for reporting a security incident. The Breach Notification Rule content explains when an impermissible disclosure or security event constitutes a reportable breach, what the notification obligations are, and how staff can recognize the types of incidents that trigger those obligations. Each module concludes with a randomized assessment drawn from a pool of over 600 questions, and assessments can be retaken without limit until a passing score is achieved.

Specialist Therapist and Counselor Module: 54 Minutes

The specialist behavioral health module adds 54 minutes of training content that addresses the compliance obligations and disclosure decisions specific to therapy and counseling practice. This content covers the privacy rules that apply when multiple clients share a therapeutic relationship in couples, family, or group sessions, how mandated reporting obligations interact with HIPAA’s standard confidentiality protections, and the conditions under which state minor consent laws affect a therapist’s obligations regarding parental access to a minor client’s records. The module uses real-world behavioral health scenarios throughout, preparing staff for the disclosure decisions they face in practice rather than presenting abstract rule summaries. Additional content addresses the compliance risks of generative AI tools used in clinical documentation workflows and the rules that govern staff conduct on social media in connection with therapeutic practice.

Optional 42 CFR Part 2 Module for SUD Treatment: 47 Minutes

Therapists and counselors whose practice includes clients receiving substance use disorder treatment should complete the optional 42 CFR Part 2 module, which runs for 47 minutes and covers the confidentiality framework that applies to SUD patient records in addition to HIPAA. The module explains what Part 2 is, which records and which staff it covers, when written patient consent is required before a disclosure can be made, how to stay within the scope of that consent, and when a notice of non-redisclosure must accompany a Part 2 disclosure. Scenario-based content prepares staff to handle identity verification requests, resist community or collegial pressure to share Part 2-protected information, avoid multitasking errors when managing both HIPAA-governed and Part 2-governed records, and recognize data segmentation workflows that separate SUD records from the broader client file. Completing this module alongside the mandatory HIPAA content and the specialist behavioral health module brings the total training time to 3 hours and 12 minutes.

Completion Format and Certificate Issuance

All three content layers are delivered through a web-based learning management system accessible on any internet-connected device, including mobile phones, tablets, and desktop computers. The self-paced format means staff are not required to complete the full training duration in a single session; the platform supports pause-and-resume across multiple sittings, allowing training to be scheduled around client appointments and clinical workloads. Closed captions and variable playback speed are available throughout. On completing all mandatory modules and passing all required assessments, each learner receives an accredited certificate carrying 5.0 continuing education units from the Compliance Certification Board. The certificate records the learner’s name, the course title, and the date of completion, satisfying the six-year training record retention requirement that HIPAA imposes on covered entities and providing documentation that an OCR investigation or internal compliance review may request.

PJ Murray

Author: PJ Murray

PJ Murray is the founder and publisher of The HIPAA Journal. He has more than 10 years of experience writing about HIPAA, healthcare compliance, patient privacy, and the protection of medical records. Through The HIPAA Journal, PJ helps healthcare organizations, business associates, and their employees better understand HIPAA regulations, reduce compliance risks, and strengthen the safeguards used to protect patient information. PJ has a background in software development, holds an engineering degree, and specializes in the cybersecurity aspects of HIPAA compliance, including data security, medical record protection, and workforce training. He has also played a leading role in the development and launch of The HIPAA Journal Training, which provides HIPAA and cybersecurity training for healthcare organizations, business associates, students, and healthcare-related workforces. His work focuses on making complex regulatory and technical requirements easier for healthcare professionals and organizations to understand and apply in practice.
You can connect at LinkedIn.