HIPAA requires training. Not optional, not "when you get around to it"—required. Yet many solo practitioners and small practices skip formal training, assuming their general knowledge is sufficient. That assumption is a compliance gap waiting to become a problem.
This guide covers what training HIPAA actually requires, how to meet those requirements efficiently, and how to document your compliance.
What HIPAA Requires
The Regulatory Language
HIPAA's Privacy Rule (45 CFR § 164.530(b)(1)) requires:
"A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information ... as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity."
HIPAA's Security Rule (45 CFR § 164.308(a)(5)(i)) requires:
"Implement a security awareness and training program for all members of its workforce (including management)."
Who Must Be Trained
Everyone in your "workforce":
- You (the therapist)
- Employees (full-time, part-time)
- Contractors who access PHI and work under your direct control (a contractor you don't directly control is a business associate, which calls for a business associate agreement rather than workforce training)
- Volunteers with PHI access
- Interns and trainees
- Office managers, billing staff, receptionists
Even if you're solo: You must train yourself and document it.
When Training Must Occur
- Initial training: Within a reasonable period after someone joins your workforce
- Periodic refresher: Regularly thereafter (HIPAA sets no fixed interval; annual is the common convention and what auditors expect to see)
- Policy changes: Within a reasonable period after a material change to your policies or procedures, for the workforce members the change affects
- As needed: Based on role changes, new technology, or compliance issues
Training Content Requirements
Privacy Rule Training
Must cover:
- What PHI is and how to identify it
- Permitted uses and disclosures
- Client rights (access, amendment, accounting)
- Minimum necessary standard
- Authorization requirements
- Your practice's specific privacy policies
Security Rule Training
Must cover:
- Security threats to ePHI
- How to protect ePHI
- Password and access management
- Recognizing phishing and social engineering
- Proper use of email, texting, telehealth
- Device security (laptops, phones)
- Incident reporting procedures
Practice-Specific Policies
Training should include:
- Your Notice of Privacy Practices
- Your specific procedures for handling PHI
- Who to contact with questions or concerns
- What to do if breach is suspected
Training Options for Solo Practitioners
Option 1: Self-Study with Documentation
You can train yourself if you document it properly.
Steps:
- Review HIPAA regulations (Privacy Rule, Security Rule)
- Review HHS guidance materials
- Complete your practice's policies and procedures
- Document what you reviewed and when
- Test your knowledge (quizzes, checklists)
- Sign attestation that training was completed
Documentation template:
HIPAA Training Record — Self-Study
Name: [Your name]
Date: [Date]
Training completed: Initial HIPAA Privacy and Security Training
Materials reviewed:
- HHS HIPAA Privacy Rule Summary
- HHS HIPAA Security Rule Summary
- [Practice name] Privacy Policies and Procedures
- [Practice name] Security Policies and Procedures
Duration: [X] hours
I attest that I have reviewed the above materials and understand my obligations under HIPAA.
Signature: _____________ Date: ___________
Option 2: Online HIPAA Training Courses
Numerous online courses provide HIPAA training with certificates of completion.
| Provider | Cost | Features |
|---|---|---|
| HIPAA Training (HHS) | Free | Basic overview |
| Compliancy Group | Paid | Comprehensive, certificate |
| HIPAA Exams | ~$30 | Course + certificate |
| LinkedIn Learning | Subscription | Various HIPAA courses |
| APA/ACA/NASW | Varies | Profession-specific options |
What to look for:
- Mental health/therapy-specific content
- Certificate of completion
- Covers both Privacy and Security Rules
- Regularly updated
- CE credits (bonus)
Option 3: Professional Association Training
Mental health professional associations often offer HIPAA training:
- APA (American Psychological Association)
- ACA (American Counseling Association)
- NASW (National Association of Social Workers)
- AAMFT (American Association for Marriage and Family Therapy)
Advantages:
- Tailored to mental health practice
- May include CE credits
- Often affordable for members
Training for Group Practices
All Staff Must Be Trained
Everyone who accesses PHI needs training:
- Clinical staff
- Administrative staff
- Billing personnel
- IT staff with PHI access
- Cleaning staff (if they access areas with PHI)
Documented Training Program
Create a formal training program:
Training policy:
- Who must be trained
- When training occurs
- What topics are covered
- How completion is documented
- Consequences of non-compliance
Training materials:
- Written materials or links to courses
- Practice-specific policies and procedures
- Quizzes or competency assessments
Training records:
- Who was trained
- When training occurred
- What was covered
- Signature or attestation
Sample Training Log
[PRACTICE NAME] HIPAA TRAINING LOG
Employee Name: _____________________
Position: _____________________
Start Date: _____________________
INITIAL TRAINING
Date completed: _____________________
Training method: □ Online course □ In-person □ Self-study
Topics covered:
- ☐ Privacy Rule overview
- ☐ Security Rule overview
- ☐ Practice-specific policies
- ☐ Breach notification procedures
- ☐ Role-specific requirements
Employee signature: _______________ Date: _______
Supervisor signature: _______________ Date: _______
ANNUAL REFRESHER TRAINING
Year: _____ Date: _____ Signature: _____
Year: _____ Date: _____ Signature: _____
Year: _____ Date: _____ Signature: _____
What Happens Without Training Documentation
During an Audit
If HHS investigates and you can't produce training records:
- Missing records can be treated as evidence of "willful neglect," the highest civil penalty tier
- Required corrective action plan
- Mandated formal training program
- Ongoing monitoring by OCR
After a Breach
If breach occurs and training wasn't documented:
- Indicates inadequate safeguards
- Higher penalties likely
- Personal liability concerns
- Insurance coverage questions
Practical Reality
No documentation = no proof training occurred = violation.
Even if you "know" HIPAA, you must document that knowledge was obtained through training.
Ongoing Compliance
Annual Refresher Training
Best practice is annual refresher training covering:
- Updates to HIPAA regulations
- Changes in technology threats
- Review of practice policies
- Lessons from any incidents
- Reminder of key requirements
Training Triggers
Additional training should occur when:
- New employee joins
- Policies change
- New technology implemented
- Security incident occurs
- Role responsibilities change
- HIPAA regulations update
Staying Current
HIPAA doesn't change frequently, but technology threats do. Keep training current on:
- Phishing attacks
- Ransomware threats
- New social engineering tactics
- Platform-specific security features
Creating Your Training Program
For Solo Practitioners
Minimum requirements:
- Complete initial HIPAA training (course or self-study)
- Document completion with date and attestation
- Review annually and document refresher
- Update when policies or technology change
Time investment: 2-4 hours initial, 1-2 hours annual refresher
For Small Group Practices
Recommended approach:
- Designate HIPAA compliance officer (may be owner)
- Create written training policy
- Select training method (online course recommended)
- Maintain training log for all staff
- Calendar annual refresher training
- Update training when needed
Time investment: 3-5 hours to set up program, 1-2 hours per employee per year
Documentation Best Practices
What to Keep
- Training policy document
- Training materials used
- Completion certificates
- Signed attestations
- Training log with dates
- Evidence of refresher training
How Long to Keep
HIPAA requires retaining required documentation for 6 years from the date it was created or the date it was last in effect, whichever is later (45 CFR § 164.530(j)(2) for Privacy Rule records, § 164.316(b)(2)(i) for Security Rule records). A training policy that was replaced in 2021 must therefore be kept until 2027, and each signed training record must be kept at least 6 years from its date.
Where to Keep
- Secure location (not a random desk drawer)
- Electronic records should be backed up
- Accessible for audits
- Organized by year/employee
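The training log, the training triggers, and the six-year retention rule above are easy to state and easy to lose track of once a practice has more than one or two people. The following is an added example, not code from the original page or from any vendor named on it: a small Python script that reads a training log in the same shape as the sample log (name, position, start date, dated completions) plus a list of policy-change dates, and reports who is missing initial training, whose annual refresher is overdue, who was last trained before a policy change, and how long a given document must be retained. The workforce, dates, and policy change are constructed sample data for a fictional practice; the 365-day refresher interval is the annual convention, not a HIPAA requirement.

```python
"""Training-log compliance check (constructed example for a fictional practice).

Assumes a log with the same fields as the page's sample training log plus a
list of policy-change effective dates; all data below is made up for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REFRESHER_INTERVAL = timedelta(days=365)  # annual refresher convention; HIPAA sets no fixed interval
RETENTION_YEARS = 6                        # 45 CFR 164.530(j)(2) / 164.316(b)(2)(i)


@dataclass
class WorkforceMember:
    name: str
    position: str
    start_date: date
    completions: list[date] = field(default_factory=list)  # dated, signed training entries


@dataclass
class PolicyChange:
    name: str
    effective: date


def training_gaps(member: WorkforceMember, changes: list[PolicyChange], today: date) -> list[str]:
    """Return the reasons this member needs (re)training; an empty list means compliant."""
    if not member.completions:
        return [f"no initial training on file (started {member.start_date})"]
    last = max(member.completions)
    gaps = []
    due = last + REFRESHER_INTERVAL
    if today > due:
        gaps.append(f"annual refresher overdue since {due}")
    for change in changes:
        # Training that predates a policy change does not cover that change.
        if change.effective > last:
            gaps.append(f"policy change '{change.name}' ({change.effective}) postdates last training")
    return gaps


def compliance_report(members: list[WorkforceMember], changes: list[PolicyChange],
                      today: date) -> dict[str, list[str]]:
    """Map each non-compliant member's name to their open training gaps."""
    report = {}
    for member in members:
        gaps = training_gaps(member, changes, today)
        if gaps:
            report[member.name] = gaps
    return report


def retention_deadline(created: date, last_in_effect: Optional[date] = None) -> date:
    """Earliest date a document may be discarded: six years from creation or from
    when it was last in effect, whichever is later."""
    basis = max(created, last_in_effect) if last_in_effect else created
    try:
        return basis.replace(year=basis.year + RETENTION_YEARS)
    except ValueError:  # 29 February with a non-leap target year
        return basis.replace(year=basis.year + RETENTION_YEARS, day=28)


# Constructed sample data: fictional practice, fictional staff, fictional dates.
TODAY = date(2025, 4, 15)
POLICY_CHANGES = [PolicyChange("Telehealth platform policy revised", date(2025, 1, 15))]
WORKFORCE = [
    WorkforceMember("Therapist (owner)", "Clinician", date(2018, 5, 1),
                    [date(2023, 3, 1), date(2024, 2, 20)]),
    WorkforceMember("Office manager", "Admin", date(2022, 8, 15), [date(2024, 9, 10)]),
    WorkforceMember("Practicum intern", "Trainee", date(2025, 4, 1)),
    WorkforceMember("Billing contractor", "Billing", date(2023, 1, 9), [date(2025, 2, 1)]),
]
POLICY_CREATED = date(2018, 5, 1)        # original training policy written
POLICY_LAST_IN_EFFECT = date(2021, 6, 30)  # replaced by a newer version on this date

if __name__ == "__main__":
    for name, gaps in compliance_report(WORKFORCE, POLICY_CHANGES, TODAY).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
    print("Retain 2018 training policy until:",
          retention_deadline(POLICY_CREATED, POLICY_LAST_IN_EFFECT))
```

Run as-is it lists the owner (refresher overdue and trained before the telehealth policy change), the office manager (trained before the policy change), and the intern (no initial training on file); the billing contractor, trained after the policy change and within the year, is not listed. Swap the constructed lists for your own log and run it before each annual review.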
Frequently Asked Questions
- Do I need to be 'HIPAA certified'?
- There's no official 'HIPAA certification' from HHS. Various organizations offer certificates of completion for training courses—these demonstrate training occurred but aren't government certifications.
- How long should training take?
- Initial training typically takes 2-4 hours. Refresher training can be 1-2 hours. Quality matters more than duration—ensure all required topics are covered.
- Can I just read HIPAA and be 'trained'?
- You can self-study, but you must document it properly. Reading the regulations alone doesn't create a training record. Document what you reviewed, when, and sign an attestation.
- Is online training acceptable?
- Yes. Online courses from reputable providers are widely accepted. Keep the certificate of completion.
- What if an employee refuses training?
- Training is required for anyone who accesses PHI. If someone refuses, they cannot be permitted to access PHI. Document the refusal and your response.
- Does my EHR vendor provide training?
- Some do—check with your vendor. But their training typically covers their platform, not comprehensive HIPAA compliance. You still need general HIPAA training.
HIPAA training isn't complicated, but it must be documented. Whether you take an online course or self-study, create a record proving training occurred. Then do it again annually. The few hours invested protect you from the "willful neglect" penalties that turn minor issues into major problems.