Article Updated: July 11, 2026

How Often Should a Therapy Practice Provide HIPAA Training?

A therapy practice must provide HIPAA training to new workforce members before they access patient records and must repeat that training at least annually as a matter of accepted industry best practice, with additional training required whenever policies change, a regulatory update affects compliance obligations, or a security incident indicates a gap in staff understanding. The Privacy Rule at 45 CFR 164.530(b) requires training within a reasonable period of a workforce member joining the practice and whenever material changes to policies or procedures occur. The Security Rule at 45 CFR 164.308(a)(5) requires an ongoing security awareness and training program, which regulators and compliance professionals consistently interpret to require at minimum annual reinforcement.

Annual Training as the Accepted Standard

Annual HIPAA refresher training is the industry standard across all covered entity settings, and therapy practices are not exempt from that standard regardless of their size or the number of clients they serve. A sole practitioner who completed training at onboarding but has not returned to the material since then may be operating on outdated knowledge of disclosure rules, breach notification procedures, or the security controls required for the electronic systems they use. Annual training resets that baseline, incorporates any regulatory amendments or HHS guidance issued since the previous cycle, and reinforces the compliance behaviors that protect client PHI in day-to-day practice.

Therapy-Specific Triggers for Additional Training

Beyond the annual cycle, therapy practices must provide additional training when specific events occur. A change to the practice’s Notice of Privacy Practices requires updated training on the new terms. A transition to a new electronic health record system or telehealth platform requires updated training on the ePHI security obligations associated with that system. A reported breach or near-miss incident requires retraining of the workforce members involved. A change in the practice’s client population that brings new federal confidentiality obligations into play, such as beginning to treat clients with substance use disorders and triggering 42 CFR Part 2, requires training on the additional framework before those clients are seen.

HIPAA Training for Therapists and Counselors

HIPAA Training for Therapists and Counselors from The HIPAA Journal is structured to serve both initial onboarding training and annual refresher cycles. The course covers the Privacy Rule, Security Rule, and Breach Notification Rule through modules built around behavioral health scenarios, and includes content on psychotherapy note protections, overlapping federal confidentiality frameworks, and the compliance risks of generative AI and social media use in therapeutic practice. It is self-paced, accessible on any device, and awards an accredited certificate with 5.0 CEUs on completion, producing a dated training record that satisfies the six-year documentation retention requirement under HIPAA.

Author: PJ Murray

PJ Murray is the founder and publisher of The HIPAA Journal. He has more than 10 years of experience writing about HIPAA, healthcare compliance, patient privacy, and the protection of medical records. Through The HIPAA Journal, PJ helps healthcare organizations, business associates, and their employees better understand HIPAA regulations, reduce compliance risks, and strengthen the safeguards used to protect patient information.

PJ has a background in software development, holds an engineering degree, and specializes in the cybersecurity aspects of HIPAA compliance, including data security, medical record protection, and workforce training. He has also played a leading role in the development and launch of The HIPAA Journal Training, which provides HIPAA and cybersecurity training for healthcare organizations, business associates, students, and healthcare-related workforces.

PJ's work focuses on making complex regulatory and technical requirements easier for healthcare professionals and organizations to understand and apply in practice.
Connect on LinkedIn.