HIPAA Security Risk Assessment for Texas FQHCs

Quick answer: Texas FQHCs operate under both the federal HIPAA Security Rule and the Texas Medical Records Privacy Act (HB 300, codified at Texas Health & Safety Code Chapter 181), which imposes stricter-than-federal requirements — including expanded “covered entity” definitions, mandatory customized employee training within 90 days of hire, and tighter consumer-access timelines. A Texas FQHC’s annual Security Risk Analysis therefore has to document HB 300 training and state breach obligations alongside the federal safeguards.

Why Texas FQHCs Are a Distinct Compliance Case

Texas has the second-largest Federally Qualified Health Center footprint in the country (current counts at data.hrsa.gov), a broad rural and border-clinic distribution, and an enforcement posture under the Texas Attorney General that has produced some of the more aggressive state-level privacy actions in the U.S. On top of HRSA Operational Site Visit review against the Health Center Program Compliance Manual, Texas FQHCs are subject to HB 300 — Texas Health & Safety Code Chapter 181 — which extends “covered entity” status beyond HIPAA’s definition and adds specific workforce-training and consumer-access duties.

OCR’s 2026 enforcement record makes this stack non-negotiable: every Security Rule settlement closed this year traced to an inadequate or missing risk analysis. For a Texas FQHC, that federal exposure compounds with HB 300 enforcement risk if training and access controls aren’t documented.

HB 300 Specifics a Texas FQHC SRA Must Reflect

For a Texas FQHC, each HB 300 requirement (the broader state covered-entity definition, customized workforce training within 90 days of hire and at least every two years after, the 15-business-day consumer-access clock, and state breach-notification duties) should be a tracked, evidenced row inside the Security Risk Analysis, not a separate side process. The 2026 SRA worklist needs dated training records by employee, an audited consumer-access workflow with a 15-business-day clock, an HB 300-aware breach response plan, and a vendor inventory that maps which downstream entities qualify as covered entities under the state definition.

The Multi-Site “Parent-Child” SRA Model

Texas FQHCs typically run multiple clinic sites and mobile units. The defensible structure is the parent-child model: one entity-level risk analysis covering administrative and technical safeguards (training, audit logs, transmission security, contingency planning), and per-site physical-safeguard walkthroughs at each clinic (facility access, workstation security, device and media controls). The shared layer rolls up; the site layers stay distinct. See the FQHC compliance guide for the broader framework and the SRA primer for the underlying methodology.

Vendor and Business Associate Lessons from 2026

The 2026 wave of business-associate breaches made vendor inventory one of OCR’s most-cited findings. For a Texas FQHC, the BAA review should confirm current safeguards, breach-notification language, and — critically — whether the vendor itself qualifies as a covered entity under HB 300’s broader Texas definition. Direction from the 2025 HIPAA Security Rule NPRM also points toward stricter expectations on backup, disaster recovery, and emergency-mode operations; a 2026 SRA should already be moving that way.

How Medcurity Fits

Medcurity’s HIPAA SRA platform supports HB 300-aware training tracking, per-site walkthroughs for multi-clinic Texas FQHC deployments, Operational Site Visit (OSV)-ready output, and worklist-based remediation. The 222-question assessment cites HIPAA Security Rule sections and NIST SP 800-66 directly, so the audit trail is defensible to both OCR and the Texas AG. Pricing starts at $499/year for small-practice deployments and scales with site count.

See if Medcurity fits your Texas FQHC. Talk to our team about a Texas FQHC deployment.

Frequently Asked Questions

Does Texas HB 300 apply to FQHCs?

Yes. Federally Qualified Health Centers operating in Texas are covered entities under HIPAA and also fall within HB 300’s broader Texas definition. The state law layers on top of federal HIPAA — it does not replace it. A Texas FQHC must comply with both frameworks simultaneously.

How is HB 300 stricter than HIPAA?

HB 300 expands the definition of a covered entity beyond HIPAA, requires customized workforce training within 90 days of hire (not generic HIPAA training), and shortens the consumer-access timeline to 15 business days versus HIPAA’s 30-day default. It also gives the Texas Attorney General direct enforcement authority with state-specific civil penalties.

What training does Texas require?

HB 300 requires Texas covered entities to provide customized training to each employee whose duties involve protected health information. Training must be delivered within 90 days of the employee’s start date, repeated at least every two years, and documented with dated records that can be produced during an audit.

How often must a Texas FQHC redo its SRA?

HIPAA sets no fixed interval. The Security Rule requires the risk analysis and the safeguards it drives to be reviewed periodically and updated as needed (45 CFR 164.306(e)), and annual review is the accepted practice and what OCR expects to see documented. For FQHCs, HRSA’s Operational Site Visit cycle effectively reinforces that annual cadence. Any material change (new site, new EHR, new vendor, security incident) should trigger an interim update to the SRA rather than waiting for the next annual cycle.
