HIPAA Compliance in Texas: 2026 Guide for Hospitals, Clinics & CHCs

Texas healthcare providers face a unique compliance stack: federal HIPAA rules, the state’s own HB 300 medical privacy law, Texas Medical Board (TMB) requirements, and the Texas Health and Human Services Commission (HHSC) rules that govern state-funded facilities. In 2026, the federal HIPAA Security Rule added mandatory encryption, MFA, biannual vulnerability scanning, and 72-hour breach reporting—and every Texas covered entity now has to satisfy both federal and state obligations at the same time. This guide walks you through what has changed, who it affects, and how providers in Dallas, Houston, Austin, San Antonio, El Paso, and the Rio Grande Valley are meeting the new bar.

What’s different about HIPAA compliance in Texas

Most states let HIPAA do the heavy lifting on medical privacy. Texas doesn’t. The Texas Medical Records Privacy Act (HB 300), codified in Chapter 181 of the Texas Health and Safety Code, extends HIPAA-like obligations to a much broader set of entities than HIPAA itself reaches. Any person, business, or organization that “engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information” in Texas is a covered entity under HB 300—even if HIPAA would classify them as a business associate or wouldn’t reach them at all.

That means the compliance perimeter in Texas is wider. A revenue-cycle vendor, a marketing firm that handles patient outreach, a medical-records scanning service, or a software company whose platform touches PHI can all be regulated directly by Texas even when they’d only be a business associate under federal HIPAA.

If you run a hospital system, an FQHC, a rural clinic, a dental practice, a behavioral-health program, or any business that touches Texas PHI, you need a compliance program that satisfies both frameworks. For a deeper look at building a risk-analysis program that meets the federal floor, start with our 2026 buyer’s guide to HIPAA risk assessment tools.

The 2026 federal HIPAA Security Rule changes, applied to Texas

HHS finalized major updates to the Security Rule in early 2026. The practical effect for Texas providers:

Texas-specific reality check: HHSC, the Texas Attorney General’s office, and the Texas Medical Board have all signaled that state enforcement will mirror federal expectations. HB 300 penalties stack on top of federal OCR penalties—Texas can fine a provider up to $1.5 million per violation category per year under state law, separate from whatever OCR assesses. Multi-state systems are especially exposed because the Texas AG has used HB 300 to reach out-of-state entities that touch Texas patients.

Texas HB 300: what every covered entity must do

On top of HIPAA, HB 300 requires every Texas covered entity to:

  1. Train every employee within 90 days of hire on the specific types of PHI the entity handles and on state and federal privacy laws. Training must be updated when laws change (the 2026 Security Rule update is a training trigger).
  2. Re-train every employee at least once every two years.
  3. Document training in writing and retain records for 6 years.
  4. Provide a notice of privacy practices that meets both HIPAA and HB 300 requirements.
  5. Respond to patient requests for electronic PHI within 15 business days—faster than the 30-day HIPAA standard.
  6. Obtain express authorization before any sale, marketing use, or re-disclosure of PHI—broader than HIPAA’s authorization rules.

The 15-day access turnaround is the one Texas providers get wrong most often. HIPAA gives you 30 days; Texas cuts that in half for electronic records. Practices with paper-first workflows or aging EHRs frequently blow the deadline and pick up complaints that escalate to the state AG.

Texas Medical Board (TMB) rules that intersect with HIPAA

The TMB has its own medical-records rules under 22 TAC Chapter 165. They complement HIPAA but add Texas-specific duties:

If your HIPAA program doesn’t track these timelines inside the same workflow that handles access requests, you’ll end up with a dual system that fails at both. A single request log that records the HIPAA 30-day clock, the HB 300 15-business-day clock, and the TMB fee cap in one place is the simplest path to consistency.

Texas HHSC and state-funded providers

The Texas Health and Human Services Commission oversees Medicaid, CHIP, behavioral-health contracts, and a long list of state-licensed facilities: nursing homes, ICF/IIDs, assisted living, hospice, home health, and more. HHSC contracts include HIPAA compliance clauses that go beyond the federal minimum—most require:

Texas providers that serve Medicaid or behavioral-health populations should treat HHSC audits as a near-certain event. If you can’t produce your SRA, your asset inventory, and your BA inventory on demand, expect corrective action plans at minimum.

HIPAA compliance for Texas FQHCs and Community Health Centers

Texas has over 75 Federally Qualified Health Centers serving roughly 1.9 million patients across 640+ sites. The Texas Association of Community Health Centers (TACHC) coordinates policy, training, and shared-services work for much of the state’s FQHC network, and HRSA’s Operational Site Visits have increasingly scrutinized HIPAA risk analyses over the last two years.

Texas FQHCs have two compliance realities that larger hospitals don’t:

  1. Budget constraints that make enterprise tools unreachable. Vanta and Drata quote $30,000–$60,000+ a year, which is not feasible on Section 330 grant funds.
  2. Multi-site, multi-location workflows where the main clinic, satellite sites, school-based clinics, and mobile units all need to be covered under one SRA.

Our CHC-specific Security Risk Analysis offering was built around those realities—flat pricing, unlimited sites under one organization, and HRSA-ready documentation. For a fuller look at what FQHCs need to do in 2026, see our HIPAA Compliance for FQHCs: Complete 2026 Guide.

And if cost is the first question (it usually is for safety-net providers), our 2026 HIPAA compliance cost breakdown lays out what a proper SRA, policies, training, and ongoing monitoring actually cost for small and mid-sized organizations.

HIPAA compliance for Texas rural hospitals and Critical Access Hospitals

Texas has 157 rural hospitals—more than any other state—and around 80 designated Critical Access Hospitals. Many sit in counties with fewer than 20,000 residents and operate on margins under 2%. A HIPAA breach isn’t just a fine; for a CAH, it can be existential.

The 2026 Security Rule mandates for encryption, MFA, and penetration testing are the hardest lift for this segment because many rural hospitals are still running EHRs on aging servers, have thin or no dedicated IT staff, and share a CIO across 3–5 facilities. Workable approaches we see succeeding:

Our HIPAA Compliance for Rural Hospitals guide goes deeper on staffing models, budget tiers, and sample remediation plans for the rural segment. If you’re specifically running a CAH, pair it with our CAH-specific 2026 guide.

Texas breach-reporting obligations you can’t miss

Texas notification rules operate alongside HIPAA and—post-2026—move faster than federal for some categories:

The fastest clock wins. If an incident triggers all four, you’re working to the 24-hour HHSC window while still documenting for the 72-hour OCR window and the 30-day Texas AG window. A pre-written incident response playbook that lists every notification path by hour and day is the only practical way to get this right under pressure.

Penalties: what Texas enforcement actually looks like

The Texas AG has used HB 300 aggressively in the last three years. Recent enforcement themes:

HB 300 civil penalties run up to $5,000 per negligent violation, $25,000 per knowing/intentional violation, and $250,000 per violation where PHI is used for financial gain—capped at $1.5 million per year per violation category. Federal HIPAA penalties are separate and cap at $2,134,831 per violation category per year (2026 adjusted). A multi-year pattern is the worst case.

Texas HIPAA compliance checklist for 2026

If you run a Texas covered entity or business associate, work through this list in the next 30 days:

  1. Update your HIPAA Security Risk Analysis to reflect the 2026 Security Rule changes (encryption, MFA, pen testing, vulnerability scanning, asset inventory). Use our buyer’s guide to choose a platform that will also generate HB 300–aligned documentation.
  2. Confirm HB 300 training completion for every workforce member in the last 24 months. Schedule re-training if you can’t produce records.
  3. Audit your Notice of Privacy Practices for HB 300 language.
  4. Shorten your records-access workflow to a 15-business-day turnaround for electronic requests.
  5. Inventory every vendor that touches PHI and confirm you have current BAAs and, for Texas-touching vendors, HB 300-compliant authorization language.
  6. Write a 4-track breach response playbook covering OCR (72-hour), Texas AG (30-day), HHSC (same-day), and TMB (case-by-case).
  7. Enable MFA on every ePHI-touching system before your next audit cycle.
  8. Schedule your biannual vulnerability scan and annual penetration test.

How Medcurity supports Texas healthcare providers

Medcurity’s HIPAA compliance platform was built for healthcare organizations that don’t have dedicated privacy or security teams. For Texas customers, that typically looks like:

For a full platform comparison against enterprise tools like Vanta and Drata, see our 2026 HIPAA compliance software comparison. If you’re already shortlisting vendors, our pricing guide walks through what each tier should actually include.

Frequently asked questions

Does Texas HB 300 apply to out-of-state businesses?

Yes. HB 300 can reach any person or entity that handles PHI of Texas residents, even if the entity is based outside Texas. Multi-state SaaS companies, billing vendors, and telehealth providers should assume Texas jurisdiction if they touch Texas patients.

How is HB 300 different from HIPAA?

HB 300 defines “covered entity” more broadly, requires faster electronic-records access (15 business days vs 30), mandates specific workforce training timelines, and adds stricter rules around marketing, sale, and re-disclosure of PHI. HB 300 also allows direct state enforcement by the Texas AG on top of federal OCR action.

What are the penalties for HIPAA violations in Texas?

Federal HIPAA penalties run up to $2,134,831 per violation category per year. HB 300 adds up to $1.5 million per year per violation category, with per-violation amounts ranging from $5,000 to $250,000 depending on intent and financial gain.

Do Texas FQHCs need a separate SRA from their HRSA operational site visit?

The HIPAA Security Risk Analysis and the HRSA Operational Site Visit are separate but overlapping. A well-documented SRA will cover most of what HRSA asks for under Program Requirement 8 (Key Management Controls), but the FQHC still needs to produce SRA documentation on its own timeline—typically annually.

Is Texas an HHS/OCR audit priority in 2026?

OCR audits are randomly sampled, but Texas consistently ranks in the top three states for HIPAA complaints and enforcement actions, largely because of its size and the Texas AG’s active HB 300 program. Texas providers should plan as if federal and state audits are likely.


Medcurity helps healthcare organizations in Texas and across the country run HIPAA risk analyses, manage policies, train workforce members, and document everything auditors and state agencies ask for. Book a demo to see how it works for Texas-specific compliance.