Intern therapists and counselors working at a HIPAA Covered Entity require HIPAA training within a resonable time after starting work, but best practice is provide HIPAA training before accessing protected health information, because HIPAA defines the workforce as employees, volunteers, trainees, and other persons whose conduct is under the direct control of the covered entity, regardless of whether they are paid, and that definition includes graduate-level interns completing supervised clinical placement hours. A counseling or therapy practice that allows an intern to sit with clients, review session notes, access an electronic health record system, or observe intake procedures without first providing HIPAA training exposes itself to the same regulatory liability as it would if a paid employee accessed PHI without training. The training obligation is triggered by workforce membership and PHI contact, not by employment status, compensation, or the temporary nature of the clinical placement.
Why Intern-Specific Compliance Gaps Arise
Practices that maintain consistent HIPAA training programs for permanent staff sometimes overlook interns because placement periods are short, supervisors assume the intern’s academic program has covered HIPAA, or onboarding processes are not built to accommodate temporary workforce members. Academic HIPAA instruction varies considerably between programs and rarely covers the specific PHI handling decisions, behavioral health disclosure rules, and confidentiality obligations that arise in the practice where the intern is placed. A graduate program may teach that HIPAA exists and describe its general structure, but that does not satisfy the covered entity’s independent obligation to train the intern on its own policies and procedures and on the Privacy Rule and Security Rule requirements that apply to the specific systems and workflows the intern will use. The covered entity bears responsibility for that training regardless of what the intern learned before arriving.
What HIPAA Training for Therapy Interns Must Cover
An intern therapist or counselor must receive training on the Privacy Rule’s requirements for permissible disclosures, the minimum necessary standard, and the heightened protections that apply to psychotherapy notes, because those are the compliance decisions an intern is likely to face within the first days of a clinical placement. Security Rule training covering login credential use, device handling, and incident reporting is equally necessary for any intern who accesses an electronic health record platform or telehealth system. An intern working with clients who have substance use disorders requires training on 42 CFR Part 2 in addition to HIPAA before those interactions begin. The behavioral health context of the placement means the training must go beyond general HIPAA content to address the disclosure scenarios that arise specifically in therapy and counseling settings.
HIPAA Training for Therapists and Counselors
HIPAA Training for Therapists and Counselors from The HIPAA Journal is structured for all workforce members in behavioral health practices, including interns and students on clinical placement, and covers the Privacy Rule, Security Rule, and Breach Notification Rule alongside a specialist module addressing the compliance obligations specific to therapy and counseling settings. The self-paced online format allows interns to complete the training before their first client contact without disrupting placement schedules, and the course awards an accredited certificate with 5.0 CEUs from the Compliance Certification Board on completion, producing a dated training record that the covered entity can retain as documented evidence of onboarding compliance for the duration of the placement and the six-year retention period HIPAA requires.


