The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

HIPAA Compliance for Counselors

The responsibility for HIPAA compliance for counselors in the healthcare industry can vary depending on a counselor’s HIPAA status and whether a practice is part of a managed care organization – in which case, the structure of the managed care organization can determine who is responsible for HIPAA compliance.

Counselors who qualify as – or who work for – a HIPAA covered entity are required to comply with all applicable standards and implementation specifications of the HIPAA Administrative Simplification Regulations. These not only include the HIPAA Privacy, Security, and Breach Notification Rules, but also the General Provisions in Parts 160 and 164, and the Transactions and Code Sets Rules in Part 162.

The responsibility for determining which standards and implementation specifications apply can vary depending on a counselor’s HIPAA status and what services are contracted out. For example, a sole practitioner counselor that subcontracts claims and billing transactions to a business associate is not required to comply with Part 162 – although it is advisable to monitor business associate compliance.

At the other end of the scale, a counselor who works for a HIPAA covered entity has no responsibility for determining what HIPAA compliance for counselors consists of. Instead, they must comply with the HIPAA policies and procedures implemented by their organization’s HIPAA Privacy and Security Officers and any HIPAA Privacy and Breach Notification standards not covered in HIPAA training.

HIPAA Statuses Explained

There are several different types of HIPAA status that apply to counselors in the healthcare industry. For example, a counselor that operates as a sole practitioner can be a HIPAA covered entity, a hybrid entity, or an affiliated entity. Even if a counselor does not qualify as any of the above, they could qualify as a business associate if they provide services for or on behalf of a HIPAA covered counselor.

HIPAA covered entities

In the context of HIPAA compliance for counselors, a practice qualifies as a HIPAA covered entity if it conducts electronic healthcare transactions for which the Secretary for Health and Human Services (HHS) has published standards in Part 162 of the HIPAA Administrative Simplification Regulations. The practice also qualifies if it subcontracts healthcare transactions to a business associate.

As a HIPAA covered entity, a sole practitioner counselor is responsible for developing policies and procedures to comply with all applicable standards, providing privacy and security training to employees, and entering into Business Associate Contracts with third parties to whom Protected Health Information (PHI) is disclosed. This includes vendors of practice management software, cloud services, and collection agencies.

HIPAA hybrid entities

A practice can be considered a HIPAA hybrid entity if its business activities include both covered and noncovered functions. In theory, a counselor that bills some clients directly and others through insurance could qualify as a hybrid entity. However, because of the requirement to isolate PHI collected via covered functions from health data collected via noncovered functions, most practices apply HIPAA standards to all health data.

An exception to the above would exist if a counselor provides services in a HIPAA covered private practice and in a public school. While the health data collected via the HIPAA covered private practice would be subject to all applicable HIPAA standards, the health data collected from students would be considered part of the students’ educational records and subject to the Family Educational Rights and Privacy Act (FERPA).

HIPAA affiliated entities

HIPAA affiliated entities are legally separate HIPAA covered entities that designate themselves as a single HIPAA covered entity for the purposes of HIPAA compliance. All units in a HIPAA affiliated entity must comply with a standard set of HIPAA policies and procedures, and although individual units are separately liable for HIPAA violations, the responsibility for determining which standards apply is centralized.

This means that one of the units in the HIPAA affiliated entity takes responsibility for HIPAA compliance, that all units collaborate on which standards apply, or that HIPAA compliance is delegated to a third party. In the case of a managed care organization, this could mean that the organization’s administrator – rather than any particular unit(s) of the organization – is responsible for determining what HIPAA compliance for counselors consists of.

HIPAA Business Associates

Counselors that qualify as HIPAA business associates are counselors that do not qualify as HIPAA covered, hybrid, or affiliated entities, but who provide services to or on behalf of a HIPAA covered, hybrid, or affiliated entity. As a HIPAA business associate, counselors are required to comply with the HIPAA Security and Breach Notification Rules and all applicable standards of the HIPAA Privacy Rule.

Although this means the compliance obligations of a HIPAA business associate counselor are similar to a HIPAA covered entity counselor, HIPAA business associates do not have to develop their own privacy policies and procedures nor provide a HIPAA Notice of Privacy Practices to clients. However, it is worth mentioning that some state privacy regulations do not exempt HIPAA business associates from additional compliance requirements.

Covered Entities’ Workforces

As mentioned above, counselors who work for a HIPAA covered entity have no autonomy over what HIPAA compliance for counselors consists of. This applies regardless of whether a counselor is employed by the HIPAA covered entity, is a volunteer, student, or contractor “under the control of the HIPAA covered entity”, and regardless of whether they are paid by the HIPAA covered entity.

However, whereas HIPAA covered, hybrid, and affiliated entities can have enforcement action taken against them by HHS’ Office for Civil Rights when a HIPAA violation occurs, counselors who work for a HIPAA covered entity can only be sanctioned by the HIPAA covered entity unless the nature of the violation is criminal – in which case the violation could be referred to the Department of Justice and licensing authorities.

HIPAA Training for Counselor Practices

HIPAA training for counselors helps protect sensitive client information by teaching practical privacy, security, and breach response requirements that apply in day-to-day counseling work. High-quality training should focus on real counseling scenarios such as verifying identity before discussing care, applying the minimum necessary standard when coordinating with other providers, handling requests from family members or caregivers, responding appropriately to record requests, and preventing incidental disclosures in waiting areas, phone conversations, and email communications. Security awareness training is also essential because counseling notes, intake forms, and session details are often stored and transmitted electronically through EHRs, telehealth platforms, portals, and mobile devices, increasing exposure to phishing and other threats. Annual HIPAA training is an industry best practice for counseling practices, and it supports consistent compliance by reinforcing safe habits, clear incident reporting steps, and defensible documentation of training completion.

HIPAA Certification for Counselors

HIPAA certification for counselors provides documented proof of completed HIPAA training and is most valuable when it is issued by a reputable provider through a structured, self-paced program with knowledge checks and an immediately issued completion certificate. Alongside practice-level training, individual counselors, including those in solo practice, benefit from completing HIPAA certification training to demonstrate competency, strengthen professional credibility, and keep privacy and security requirements “front of mind” across evolving counseling workflows and technologies.

HIPAA Compliance for Counselors

Most counselors in healthcare are either employed or contracted by group practices and have little say over what HIPAA compliance for counselors consists of. However, counselors that operate as sole practitioners and qualify as HIPAA covered entities usually have responsibility for HIPAA compliance in the practice – unless the practice is part of an affiliated entity or managed care organization administered by a third party.

Sole practitioner counselors who require further information about what HIPAA compliance for counselors consists of should speak with their licensing authority or a professional body, while members of a HIPAA covered entity’s workforce should direct compliance questions to the organization’s HIPAA Privacy Officer. Other parties interested in HIPAA compliance for counselors may find the answers to their questions on HHS’ web site.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
