Skip to Main Content
Running a medical practice in Texas means wearing a lot of hats. Between managing patients, overseeing staff, handling billing, and growing your business, it is easy to treat HIPAA compliance as something you will get to eventually. That mindset is exactly what federal investigators are counting on.HIPAA violations do not only happen at large hospital systems. Solo physicians, small clinics, med spas, telemedicine providers, and specialty practices face the same federal scrutiny, and often have fewer internal resources to catch problems before they escalate into investigations.This checklist is built for Texas healthcare providers who want a practical, actionable breakdown of what HIPAA compliance actually looks like in day-to-day practice. Whether you are setting up a new practice, auditing an existing one, or responding to a concern, this guide will help you identify gaps and close them before they cost you.If you are looking for legal support in building or reviewing your compliance program, Dike Law Group works with Texas medical practices to develop and strengthen HIPAA compliance systems from the ground up.

What Is HIPAA and Why Does It Matter for Texas Providers?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets national standards for protecting sensitive patient health information. It applies to all covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates.

If you treat patients, bill insurance, or handle protected health information (PHI) in any form, HIPAA applies to your practice. There are no exemptions for small practices or solo providers.

Texas also adds a layer of state-level obligations through the Texas Medical Records Privacy Act (TMRPA), which in some cases is stricter than federal HIPAA standards. When state law provides greater protection than HIPAA, the stricter standard applies.

What Can Happen If You Are Not Compliant?

The consequences are serious and can include:

  • Civil monetary penalties ranging from $100 to $50,000 per violation, with annual caps up to $1.9 million per violation category
  • Criminal charges for intentional misuse of PHI
  • Corrective Action Plans (CAPs) imposed by the Office for Civil Rights (OCR)
  • Mandatory compliance audits and monitoring
  • Reputational damage that affects patient trust and practice value

The HHS Office for Civil Rights enforces HIPAA and actively investigates complaints. Audits can be triggered by a single patient complaint, a data breach, or even a random selection by OCR.

Who Does This Checklist Apply To?

This checklist applies to any Texas-based healthcare provider that handles PHI. That includes:

  • Primary care and specialty physician practices
  • Medical spas offering clinical services
  • Telemedicine providers
  • Mental and behavioral health practices
  • Urgent care clinics and freestanding ERs
  • IV hydration and concierge medicine providers
  • Dental, chiropractic, and other allied health offices
  • Nonprofit healthcare organizations

If your practice operates under a Management Services Organization (MSO) structure, both the MSO and the clinical entity may have separate HIPAA obligations depending on how PHI flows between them.

The Core HIPAA Rules: A Quick Reference

Before diving into the checklist, it helps to understand the three primary rules that govern HIPAA compliance.

HIPAA RuleWhat It CoversWho It Affects
Privacy RuleHow PHI may be used and disclosedAll covered entities and business associates
Security RuleSafeguards for electronic PHI (ePHI)All covered entities and business associates
Breach Notification RuleRequirements when a PHI breach occursAll covered entities and business associates

Each rule carries its own set of required and addressable implementation specifications. “Required” means you must implement it. “Addressable” means you must assess whether it is reasonable and appropriate for your practice, and document your decision either way.

Section 1: Administrative Safeguards Checklist

Administrative safeguards are the policies, procedures, and management processes that form the backbone of your HIPAA program. OCR audits almost always start here.

Have You Designated a HIPAA Privacy Officer and Security Officer?

Every covered entity must designate at least one person responsible for HIPAA compliance. In small practices, this is often the same individual. This person is responsible for developing policies, training staff, and handling complaints.

The role does not require a specific credential, but it does require genuine accountability. Assigning the role to someone without the time or authority to act on compliance issues creates more risk than it resolves.

Do You Have a Risk Analysis and Risk Management Plan?

A formal, documented risk analysis is one of the most cited missing elements in OCR enforcement actions. This is not optional. Under the Security Rule, you must:

  • Identify where ePHI is stored, received, maintained, and transmitted
  • Assess potential threats and vulnerabilities to that data
  • Evaluate the likelihood and impact of each risk
  • Implement security measures to reduce risks to a reasonable level
  • Document the entire process and review it regularly

The HHS Security Risk Assessment Tool is a useful starting point for smaller practices, but a risk analysis alone is not a compliance program. It must be paired with a risk management plan that actually addresses what you found.

Are Your Workforce Training Requirements Met?

All workforce members who handle PHI must receive HIPAA training. This includes full-time employees, part-time staff, contractors, and volunteers. Training must be:

  • Provided at initial hire
  • Updated when policies change
  • Documented with records of who completed it and when

A training log is not just a best practice. It is evidence that your practice takes compliance seriously if OCR ever comes knocking.

Do You Have Sanctions Policies for Workforce Violations?

Your policy manual must include documented consequences for workforce members who violate HIPAA. This policy needs to be real, applied consistently, and communicated clearly to staff. A sanctions policy that exists on paper but is never enforced may actually increase your liability in an investigation.

Is There a Process for Reviewing Information System Activity?

You must have procedures to regularly review logs of system access, user activity, and any unusual behavior involving ePHI. This applies whether you use an electronic health records (EHR) system, a cloud-based platform, or a combination of tools.

Section 2: Physical Safeguards Checklist

Physical safeguards govern access to your physical facilities and the equipment you use to access ePHI.

Is Physical Access to PHI Properly Restricted?

  • Are areas where PHI is stored or accessed restricted to authorized personnel only?
  • Do you have a process for granting and revoking physical access when staff join or leave?
  • Are workstations positioned so that screens cannot be viewed by unauthorized individuals or patients?
  • Do you have policies for how workstations, laptops, and mobile devices should be used and secured?

Do You Have Device and Media Controls?

Any device that stores or accesses ePHI must be tracked and secured. Your practice should have documented policies covering:

  • How devices containing ePHI are disposed of (hard drives must be wiped or destroyed)
  • How portable media such as USB drives are used and tracked
  • What happens to devices when an employee leaves
  • How hardware is reused or reassigned within the practice

A single improperly disposed-of laptop with patient records can trigger a reportable breach. This is an area where small practices often have significant gaps.

Section 3: Technical Safeguards Checklist

Technical safeguards are the technology-based controls you use to protect ePHI from unauthorized access.

Are Access Controls in Place for Your Systems?

  • Does each user have a unique login? Shared passwords are a common violation.
  • Is access limited to the minimum necessary for each user’s role?
  • Do you have automatic logoff enabled on workstations and devices?
  • Do you use multi-factor authentication for systems that access ePHI?

Is Your Data Encrypted?

Encryption is technically an “addressable” specification under HIPAA, but if you choose not to encrypt ePHI, you must document a reasonable alternative. In practice, encryption is the safest path. If a device is stolen but the data is encrypted, it may not constitute a reportable breach.

Encryption should apply to:

  • Laptops and mobile devices
  • Email communications containing PHI
  • Cloud storage systems
  • Data transmitted across networks

Do You Have Audit Controls?

Your systems must generate and retain audit logs that track who accessed ePHI, when, and what they did. These logs need to be reviewed regularly and retained per your records retention policy. In Texas, medical records must generally be retained for at least seven years from the date of the last medical service.

Section 4: Privacy Rule Requirements Checklist

The Privacy Rule governs how you use and disclose PHI and what rights patients have over their information.

Is Your Notice of Privacy Practices (NPP) Current?

Your NPP must be:

  • Provided to every new patient at or before their first service delivery
  • Posted in a visible location at your practice
  • Available on your website if you maintain one
  • Updated to reflect any changes to your privacy practices
  • Written in plain language that patients can understand

Many practices create an NPP during setup and never revisit it. If your NPP does not reflect how your practice actually uses PHI today, including any telemedicine services or new technology platforms, it needs to be updated.

Do You Have a Minimum Necessary Policy?

You may only use, disclose, or request the minimum amount of PHI necessary to accomplish the intended purpose. This applies to internal use as well. Not every employee needs access to every patient record. Your policies should reflect this principle in practical terms.

Can Patients Exercise Their Rights?

Under HIPAA, patients have specific rights you must be prepared to honor:

  • Right to access and receive a copy of their records (within 30 days, or 15 days if records are electronic)
  • Right to request amendments to their records
  • Right to an accounting of disclosures
  • Right to request restrictions on certain uses and disclosures
  • Right to receive communications by alternative means (e.g., receive mail at a different address)

You need documented procedures for each of these rights and staff who know how to respond when a patient invokes them.

Do You Have a Process for Handling Complaints?

Patients have the right to file a complaint about your privacy practices, either with your practice or directly with OCR. You must have a clear, documented complaint process and a designated person to receive and respond to complaints. Retaliation against patients who file complaints is strictly prohibited and independently enforceable.

Section 5: Business Associate Agreements Checklist

Any third party that creates, receives, maintains, or transmits PHI on your behalf is a business associate. You are required to have a signed Business Associate Agreement (BAA) in place before sharing PHI with them.

Have You Identified All of Your Business Associates?

This list is often longer than practices expect. It can include:

  • EHR and practice management software vendors
  • Medical billing companies
  • IT service providers with access to your systems
  • Cloud storage and email service providers
  • Transcription services
  • Answering services that take patient messages
  • Collection agencies
  • Attorneys who receive PHI in the course of representation
  • Consultants who access patient data for quality improvement

Missing a BAA with even one vendor creates potential liability. A BAA does not guarantee the vendor will protect your data, but it creates a contractual framework that establishes responsibility.

If you are evaluating your contracts or vendor relationships, Dike Law Group offers healthcare contract review services to help practices identify gaps.

Are Your BAAs Compliant with Current Requirements?

HIPAA BAAs must include specific required elements. Templates downloaded from the internet may be outdated or missing key provisions. Your BAAs should be reviewed by a healthcare attorney to confirm they meet current standards and appropriately address the specific services your vendor provides.

Section 6: Breach Notification Requirements

Despite best efforts, breaches happen. What matters is whether you respond correctly when they do.

Do You Know What Constitutes a Breach?

A breach is any impermissible use or disclosure of PHI that compromises its security or privacy, unless you can demonstrate that the probability of PHI being compromised was low under a four-factor risk assessment. Common breach scenarios include:

  • Sending a patient’s records to the wrong person
  • A stolen laptop containing unencrypted patient data
  • Unauthorized access by a workforce member
  • A ransomware attack that affects your EHR system
  • Misdirected email containing PHI

What Are Your Notification Timelines?

Notification TypeWho Must Be NotifiedDeadline
Affected IndividualsPatients whose PHI was involvedWithin 60 days of discovery
HHS SecretaryOffice for Civil RightsWithin 60 days (500+ individuals) or annually (fewer than 500)
MediaProminent media in affected stateWithin 60 days if 500+ individuals in one state affected

Texas law may impose additional obligations depending on the nature of the breach. Practicing without a breach response plan is a significant risk.

Section 7: Policies and Procedures Documentation

HIPAA requires that your compliance program be documented in writing. This is not bureaucratic overhead. Documentation is your evidence of compliance in an audit.

What Policies Does Your Practice Need?

  • Privacy policies addressing use and disclosure of PHI
  • Security policies for electronic systems and devices
  • Workforce training and sanctions policies
  • Breach notification procedures
  • Patient rights procedures
  • Business associate management procedures
  • Minimum necessary policies
  • Social media policies that address PHI
  • Telehealth-specific policies if applicable

Policies must be retained for at least six years from the date of creation or the date they were last in effect. If your practice offers telemedicine, your compliance documentation should reflect the specific risks associated with remote services. Dike Law Group advises telemedicine providers on compliance requirements specific to virtual healthcare delivery.

Texas-Specific HIPAA Compliance Considerations

Texas providers must navigate both federal HIPAA requirements and state-specific laws. Here are key Texas-specific points that affect your compliance program.

Texas Medical Records Privacy Act (TMRPA)

The TMRPA covers a broader range of entities than HIPAA and applies to any person who obtains, assembles, compiles, or uses protected health information. This includes entities that may not qualify as covered entities under federal law. Penalties under Texas law can be independent of and in addition to federal HIPAA penalties.

Texas Medical Board Requirements

The Texas Medical Board (TMB) has its own rules about medical records access, retention, and patient rights that interact with HIPAA. Violations can result in licensing discipline separate from any federal enforcement action. Licensing defense is a core service area for Dike Law Group if you face a TMB complaint tied to records or privacy issues.

Medical Spa and Aesthetic Practice Considerations

Medical spas in Texas that perform clinical services handle PHI the same way any other medical practice does. If your med spa uses intake forms, stores treatment records, or transmits patient data to third-party platforms, your HIPAA obligations are fully in effect. Texas med spa compliance requires careful attention to both HIPAA and state licensing requirements.

Common HIPAA Compliance Mistakes Texas Practices Make

These are the gaps that repeatedly appear in enforcement actions and OCR audits.

  • No formal risk analysis. The single most common finding in OCR audits. “We think our systems are secure” is not a risk analysis.
  • Outdated or missing BAAs. Practices switch vendors, add software, or expand services without updating their BAA inventory.
  • Using personal email for PHI. Gmail, Yahoo, and similar accounts do not meet HIPAA security standards without additional controls and a BAA.
  • Texting patient information from personal phones. Standard SMS is not a secure method for transmitting PHI.
  • Posting on social media without caution. Even a photograph that incidentally identifies a patient can be a violation.
  • Inadequate training documentation. Verbal training with no records does not satisfy HIPAA requirements.
  • Ignoring the minimum necessary standard. Giving all staff access to all records for convenience creates significant risk.
  • Not updating the Notice of Privacy Practices. Changes to your practice model, technology, or data uses require an updated NPP.

How Often Should You Review Your HIPAA Compliance Program?

HIPAA compliance is not a one-time event. Your program should be reviewed:

  • Annually as a matter of standard practice
  • After any security incident or breach
  • When you add new technology, software, or vendors
  • When you hire or lose significant staff
  • When you change your service model (e.g., adding telemedicine or a new location)
  • When regulatory guidance changes

Annual compliance reviews should include a refreshed risk analysis, review of all BAAs, updated staff training, and a review of your policies against current law. Working with a healthcare compliance attorney on an annual basis is one of the most cost-effective risk management investments a practice can make.

What Should You Do If You Discover a Potential Violation?

First, do not ignore it. Many practices make the situation worse by hoping it will not be discovered. If you identify a potential HIPAA issue:

  1. Document what happened immediately while details are fresh
  2. Contain the situation to prevent further disclosure or access
  3. Conduct a four-factor risk assessment to determine if it meets the definition of a breach
  4. Consult with a healthcare attorney before making notifications or public statements
  5. Follow the breach notification process if required
  6. Document your response thoroughly
  7. Identify the root cause and implement corrective measures

Self-disclosure of a breach, when handled correctly, generally results in significantly better outcomes than having OCR discover a covered-up violation. Cooperation and documentation of corrective action are factors OCR considers in determining penalties.

If you are facing a HIPAA investigation or have received an OCR complaint, Dike Law Group’s healthcare investigations practice can help you navigate the process.

Frequently Asked Questions About HIPAA Compliance for Texas Medical Practices

Does HIPAA apply to small or solo physician practices in Texas?

Yes. HIPAA applies to any covered entity regardless of size. Solo practitioners who transmit PHI electronically in connection with certain standard transactions are covered entities subject to the full range of HIPAA requirements. There is no small-practice exemption, though implementation strategies may look different at smaller practices.

What is the difference between HIPAA and the Texas Medical Records Privacy Act?

HIPAA is a federal law that applies to covered entities and business associates. The Texas Medical Records Privacy Act (TMRPA) is a state law that applies more broadly and in some cases provides stronger patient protections. When state law is more protective than federal law, the state standard applies. Texas providers must comply with both.

Do I need a Business Associate Agreement with my EHR vendor?

Yes. Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate. Your EHR vendor, billing service, cloud storage provider, and many others fall into this category. A signed BAA must be in place before you share PHI with them. If your current BAA is missing or outdated, that is a compliance gap that should be addressed promptly. Dike Law Group can help you review and update your business associate agreements.

Can I text patients about their healthcare?

Standard SMS text messaging does not meet HIPAA’s technical safeguards for ePHI because it is not encrypted end-to-end. Practices can text patients if they use a HIPAA-compliant messaging platform with a BAA in place, and if patients have provided informed acknowledgment of the communication method. Texting PHI from a personal phone using standard SMS creates significant risk.

What triggers an OCR HIPAA investigation?

OCR investigations can be triggered by a patient or former employee complaint, a self-reported breach, media coverage of a security incident, or a random audit as part of OCR’s audit program. OCR receives tens of thousands of complaints annually and prioritizes based on severity and potential systemic impact. A single complaint from a patient about how their records were handled can result in a full investigation of your practice’s compliance program.

How long do I need to keep HIPAA-related policies and documentation?

HIPAA requires that covered entities retain documentation of their policies, procedures, and records related to HIPAA compliance for at least six years from the date of creation or the date last in effect, whichever is later. Texas medical records themselves must generally be retained for at least seven years from the date of the last medical service under Texas Medical Board rules.

Does HIPAA apply to my medical spa in Texas?

If your medical spa provides clinical services, employs or contracts with licensed medical professionals, and maintains patient treatment records, HIPAA almost certainly applies. Medical spas that perform injectable treatments, laser procedures, or other medical-grade services are treating patients, and their records are protected health information. Compliance requirements for Texas med spas include both HIPAA and state-level obligations.

What is a HIPAA risk analysis and how often should I do it?

A risk analysis is a required assessment under the HIPAA Security Rule where you identify all locations of ePHI, assess potential threats and vulnerabilities, and evaluate the likelihood and impact of each risk. It is not a one-time requirement. Best practice is to conduct a fresh risk analysis at least annually and after any significant change to your practice’s technology, operations, or service model. The HHS Security Risk Assessment Tool is available for smaller practices.

Take Action Before There Is a Problem

HIPAA compliance is not about checking boxes. It is about building a practice culture where patient data is genuinely protected, your workforce understands their responsibilities, and your systems are designed to catch problems early. The practices that fare best in OCR investigations are not necessarily those with perfect records. They are the ones that documented their efforts, responded promptly, and worked with qualified legal counsel from the start.

At Dike Law Group, healthcare law is the only thing we do. We work with Texas medical practices of all sizes, from solo physicians to multi-location healthcare organizations, to build HIPAA compliance programs that actually hold up. Whether you need a compliance audit, help drafting policies, BAA review, or representation in an investigation, our team is ready to help.

Our office is located at 6160 Warren Parkway, Ste. #100, Frisco, TX 75034. You can also find us on Google Maps here. Call us at (972) 290-1031 or schedule a consultation online to discuss your practice’s compliance needs. The best time to address a HIPAA gap is before it becomes an OCR investigation.

Disclaimer: This article is intended for general educational purposes only and does not constitute legal advice. For guidance specific to your situation, please consult a qualified healthcare attorney familiar with Texas law and federal HIPAA requirements.

 

author avatar
Doris Dike Founder & Healtcare Attorney
Doris Dike, Esq., founder of Dike Law Group. Dike Law Group specializes in legal services for the healthcare industry, with a focus on MedSpa compliance, MSO structures, and regulatory matters for medical practices. Key search terms highlight their expertise in telehealth, IV hydration clinics, and medical contract review for entrepreneurs.