
HIPAA Training Requirements for Solo Therapists: What You Actually Need


HIPAA requires workforce training. That sounds straightforward until you're a solo therapist wondering: "I am the workforce. Do I need to train myself? What does that even look like?"

The answer is yes — even if you're the only person in your practice, you need documented HIPAA security training. OCR doesn't care that you're a one-person operation. They care that you can demonstrate you understood the security requirements and took steps to implement them.

What HIPAA Actually Requires

The HIPAA Security Rule (45 CFR § 164.308(a)(5)) requires covered entities to:

"Implement a security awareness and training program for all members of its workforce (including management)."

The Privacy Rule (45 CFR § 164.530(b)(1)) separately requires:

"A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information."

For a solo practice, "all members of its workforce" means you. If you have a receptionist, billing assistant, or any contractor who handles PHI, it means them too.

What Topics Must Be Covered

HIPAA doesn't prescribe a specific curriculum, but the training must be "reasonable and appropriate." For a solo therapy practice, your training should cover:

Security awareness topics

  • Password management and multi-factor authentication
  • Phishing and social engineering recognition
  • Secure workstation use (locking screens, physical security)
  • Mobile device security
  • Proper disposal of PHI (paper shredding, secure digital deletion)
  • Encryption requirements

Privacy topics

  • What constitutes PHI and how to identify it
  • Permitted uses and disclosures
  • The minimum necessary standard
  • Patient rights (access, amendment, accounting of disclosures)
  • Your Notice of Privacy Practices

Breach preparedness

  • How to recognise a potential breach
  • Your incident response procedures
  • Breach notification requirements and timelines
  • Who to contact internally and externally

Practice-specific policies

  • Your specific EHR security features and how to use them
  • Your email policy (which provider, what can be sent)
  • Your telehealth security procedures
  • Your backup and recovery procedures

How Often

Initial training: Within a reasonable time after a new workforce member joins. For you as the practice owner, this means when you first establish your compliance program.

Ongoing training: HIPAA doesn't specify a frequency, but the standard recommendation is annual refresher training. OCR expects to see evidence of regular, ongoing training — not a one-time checkbox from five years ago.

When things change: Training is required "periodically" and whenever there are material changes to your policies or procedures. Changed your EHR? New telehealth platform? New location? Update your training.

How to Document It

Documentation is where most solo therapists fall short. You did the training, but you didn't write it down. When OCR asks for training records, you have nothing to show.

What OCR wants to see:

  • Who was trained (your name and title)
  • What topics were covered
  • When the training occurred (specific date)
  • How the training was delivered (online module, self-study, webinar, etc.)
  • Acknowledgment that the training was completed (your signature or electronic equivalent)

A training log doesn't need to be complicated. A simple document with columns for date, trainee name, training topic, delivery method, and signature is sufficient.

Your Yundra Compliance Pack includes a pre-formatted Security Official Designation and Training Log with your first entry pre-filled and template rows for future training sessions.

What Counts as "Training"?

For a solo therapist, training can take many forms:

Self-study. Reading your own policies and procedures, reviewing HIPAA guidance documents, studying the Security Rule requirements. This counts — document it.

Online courses. Numerous HIPAA training courses are available online. Look for ones specifically designed for healthcare providers (not generic corporate compliance). The Yundra Compliance Pack includes a training module with a completion certificate.

Webinars and workshops. Professional associations (APA, NASW, state licensing boards) often offer HIPAA-related continuing education. These count as training — save the certificate.

Vendor training. Your EHR's security features walkthrough, your email provider's HIPAA configuration guide — these count as practice-specific training. Document when you completed them.

The Solo Therapist Training Checklist

Here's a practical annual training schedule:

January: Review and update your Security Risk Analysis. Document the review as training.

April: Complete a HIPAA security refresher (online course or self-study). Document it.

July: Review your vendor list and BAA status. Confirm all BAAs are current. Document the review.

October: Review your incident response plan. Walk through a tabletop exercise (imagine a breach scenario and practice your response steps). Document it.

Any time: When you change vendors, add a location, hire help, or update policies — document the associated training.

What If You Have Staff?

If you have even one employee, contractor, or volunteer who might encounter PHI, they need training too. This includes:

  • Receptionists and office managers
  • Billing assistants (even remote/virtual)
  • Cleaning staff (if they have access to your office where records are visible)
  • IT support (if they access your systems)
  • Supervisees or interns

Each person needs initial training, annual refreshers, and documented completion.

Common Mistakes

"My EHR trained me." Your EHR vendor may have walked you through their platform's features, but that's not comprehensive HIPAA training. It covers one tool, not your entire compliance program.

"I took a course three years ago." Training must be ongoing. A course from 2023 doesn't satisfy 2026 requirements, especially with the February 2026 regulatory updates.

"I didn't document it." Undocumented training is the same as no training in OCR's eyes. Always keep records.

"My staff don't handle PHI." If they're in your office, they might overhear sessions, see appointment schedules, or handle mail. That's PHI exposure. They need training.

Getting Started

If you don't have documented HIPAA training, start today:

  1. Take the free HIPAA assessment to identify your training gaps alongside all other compliance areas
  2. Complete a HIPAA security training module (included in the Yundra Compliance Pack)
  3. Document the training in your training log
  4. Set a calendar reminder for your next training session

The training requirement isn't about checking a box — it's about genuinely understanding how to protect your patients' information. For a solo therapist, that knowledge is your first line of defence.
