
HIPAA Training for Mental Health

Psychotherapy notes get extra HIPAA protection. Does your team know the difference?

Session notes, treatment plans, telehealth recordings, client texts asking to reschedule. Your practice handles some of the most sensitive information HIPAA covers, and the rules for mental health records are stricter than most clinicians realize.

Train my therapy team

HIPAA is the federal law that protects patient health information. Annual training is the industry standard.

Breaches affecting 500 or more individuals are published on the HHS Breach Portal (the "Wall of Shame"), a permanent, public record. Training your team is one of the most effective ways to stay off it.

And it gets stricter. States like California (CMIA) and Texas (HB 300) impose penalties beyond federal HIPAA. Your team needs to meet the highest standard.

Step 1: Sign up
Step 2: Invite team
Step 3: Done by lunch

25+ courses your mental health practice actually needs

Beyond HIPAA, your team needs 42 CFR Part 2 training, mandatory reporting, cybersecurity awareness, and state-specific compliance. EZBunny covers it all in one subscription.

Browse All Courses →

Where therapy practices run into trouble

The risk: $150,000 fine for a 12-person practice

Counselors ran telehealth sessions on a consumer video app without a BAA. The vendor's support staff could access session recordings. HHS didn't care that the practice was small.

How EZBunny helps: Therapists and staff finish in one sitting

Audio-narrated lessons with knowledge checks your team completes between sessions. No blocked afternoon required.

The risk: Session notes living in the wrong places

Progress notes on a personal MacBook. Treatment plans in a shared Google Doc. Intake forms emailed as attachments. None of these is automatically a violation, but each is a breach waiting to happen unless the device is encrypted, the service is covered by a BAA, and access is limited to the people who need it.

How EZBunny helps: One place to see every clinician's status

Your dashboard shows who's trained, who's overdue, and who's new. When a credentialing body asks for proof, export a report and send it over.

The risk: Clients text, DM, and reply-all

A client texts their therapist to reschedule. Another messages on Instagram. Someone reply-alls to a group therapy email, exposing every other member's address. Staff need to know which channels are safe and which aren't.

How EZBunny helps: New clinician? Already invited to train

When you add someone to your practice, EZBunny sends them a training invite. When a certificate's about to expire, they get a nudge. You don't chase anyone.

The risk: Solo practice, same rules as a hospital

You're a therapist, not a security engineer. But HIPAA doesn't have a practice-size exception. The Security Rule lets you scale safeguards to your size and resources, but it grants no exemption: a solo practitioner is bound by the same rules as a 500-bed hospital.

How EZBunny helps: Certificates that satisfy credentialing boards

Each certificate has a unique ID and public verification link. Licensing boards, insurance panels, and auditors can confirm it in seconds.

One price for therapists, counselors, and office staff. Everyone

No per-seat charges. No hidden fees. Cancel anytime.

For a team of 30:
Typical compliance training (5 courses): $4,050/yr
EZBunny: $449/yr
Your cost per person: $14.97/person/yr
You save: $3,601/yr (89%)
Start saving

Beyond HIPAA: All the Training Mental Health Practices Need

HIPAA is just the start. Here's what mental health teams also need.

42 CFR Part 2 (Required if treating SUD)

Many mental health practices treat patients with substance use disorders. 42 CFR Part 2 imposes stricter consent requirements than HIPAA for SUD records - even disclosure to other treating providers requires written patient consent. Training is required for all staff with access to these records.

Mandatory Reporting (Required)

Therapists, counselors, and psychologists have duty-to-warn and mandatory reporter obligations under state law. Your team must understand how to balance HIPAA confidentiality with mandatory reporting requirements for abuse, neglect, and imminent danger. In most states, failure to report is a criminal offense.

Cybersecurity & Phishing

Phishing is the usual way attackers get into mental health EHRs and client portals: one stolen password for your practice management system or telehealth platform exposes every record behind it. Cybersecurity and phishing awareness training is essential for any practice with electronic records.

Telehealth Privacy

Mental health practices have the highest telehealth adoption rate of any specialty. If half or more of your sessions are delivered via telehealth, add Telehealth Privacy training, which covers HIPAA-compliant platform requirements, informed consent, and state-specific telehealth rules.

Documentation & Medical Records

Mental health records have state licensing board requirements and malpractice implications beyond HIPAA. Proper records practices - including separation of psychotherapy notes from the treatment record - protect both your clients and your license.

Cultural Competency

Required for licensed therapists and counselors in CA and NY. Cultural Competency training helps clinicians deliver culturally responsive care - an increasingly important element of practice licensure requirements and therapeutic effectiveness.

Training by Role

Different roles need different courses. Here's a breakdown for mental health teams.

Role | Core Courses | Additional
Licensed Therapist / Psychologist | HIPAA Privacy & Security, Mandatory Reporting, Sexual Harassment Prevention | 42 CFR Part 2 if treating SUD; Telehealth Privacy if telehealth
Licensed Clinical Social Worker (LCSW) | HIPAA Privacy & Security, Mandatory Reporting, Sexual Harassment Prevention | 42 CFR Part 2 if treating SUD; Cultural Competency
Psychiatric NP / Prescriber | HIPAA Privacy & Security, Mandatory Reporting, Medical Records, Sexual Harassment Prevention | 42 CFR Part 2 if treating SUD; CMS FWA if billing Medicare
Practice Manager / Admin | HIPAA Privacy & Security, Medical Records, Sexual Harassment Prevention | Cybersecurity, Phishing & Risk Analysis
Intake Coordinator | HIPAA Privacy & Security, Sexual Harassment Prevention, Business Associate Awareness |
Billing Specialist | HIPAA Privacy & Security, CMS FWA, Compliance & Ethics, Medical Records, Sexual Harassment Prevention |

State-Specific Requirements

State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here.

  • If you operate in California: CMIA privacy training; cultural competency required for licensed therapists; workplace violence prevention (SB 553)
  • If you operate in Texas: HB 300 privacy training within 90 days of hire and at least every two years thereafter - Texas civil penalties up to $1.5M per year for a pattern or practice of violations
  • If you operate in Florida: HIV/AIDS training for applicable licensed practitioners per FL Statute 381.0034
  • If you operate in New York: Infection control every 4 years for licensed clinical staff (PHL Section 239); sexual harassment prevention annually

Proposed changes to the HIPAA Security Rule (published for comment in January 2025, final rule expected 2026) would make safeguards such as encryption, multifactor authentication, and an annual risk analysis mandatory rather than addressable, which affects every practice with electronic records, telehealth platforms included.

HIPAA questions therapists and counselors ask us

What are the HIPAA requirements for telehealth therapy sessions?

Every telehealth session must run on a platform whose vendor has signed a BAA and that encrypts sessions in transit and at rest, with access controls and audit logs. HIPAA does not specifically mandate end-to-end encryption, but the BAA is non-negotiable, so consumer tools such as FaceTime or the free tier of Zoom do not qualify (the COVID-era enforcement discretion for telehealth ended in August 2023). Verify the client's identity at the start of each session, hold sessions in a private setting, and store any recordings in encrypted, access-controlled systems.

Can therapists email or text clients under HIPAA?

Plain email and SMS are unencrypted, so they should never be your default channel for PHI; use an encrypted email service or a HIPAA-compliant client portal for clinical communication. HIPAA does allow a client to choose unencrypted email or text after you have warned them of the risk, so document that choice if you honor it. Brief appointment reminders with no clinical content (e.g., "You have an appointment Tuesday at 3pm") are generally acceptable as minimum-necessary disclosures, but session content, diagnoses, and other clinical details must go through an encrypted channel.

Do psychotherapy notes have special HIPAA protections?

Yes. Psychotherapy notes (a clinician's private notes analyzing a counseling session) receive stronger HIPAA protection than the rest of the record. To qualify, they must be kept separate from the clinical record; session start and stop times, medications, diagnoses, treatment plans, and progress to date belong to the regular record and are not psychotherapy notes. Nearly every disclosure requires a specific patient authorization, even to other treating providers, and the patient's own HIPAA right of access does not extend to them. This applies to both paper and electronic notes.

How does 42 CFR Part 2 affect mental health and substance abuse records?

42 CFR Part 2 imposes stricter consent requirements for substance use disorder records than HIPAA alone. These records require written patient consent for almost all disclosures, including to other healthcare providers. The February 2024 final rule aligns Part 2 more closely with HIPAA (for example, one written consent can now cover future treatment, payment, and operations disclosures), with compliance required by February 16, 2026, but practices treating SUD must still obtain written consent for disclosures that HIPAA alone would permit. Staff must be trained on both HIPAA and Part 2 obligations.

What HIPAA training do solo therapists and small group practices need?

Every person in your practice who handles PHI must complete HIPAA training, no exceptions, including solo practitioners. Training must cover the Privacy Rule, Security Rule, breach notification procedures, and your practice's specific policies. HIPAA does not prescribe a specific number of hours, but training must be provided within a reasonable period after hire and whenever a material policy change affects someone's job. Annual refresher training is a widely recognized best practice.

Cover your whole practice, solo or group

Setup takes about 5 minutes. Try it free for 14 days.

Get started free

Regulatory Disclaimer

Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. Last reviewed: April 2026.