Therapy HIPAA Hub
CRITICAL URGENCY — Texas

HIPAA Compliance for Solo Therapists in Houston, Texas — 2026 Guide

Solo therapists are covered entities responsible for all HIPAA compliance personally — no employer to shield liability. This guide covers what solo therapists in Houston must do before the February 16, 2026 HIPAA deadline — including state-specific legal requirements, the most common violations that trigger OCR audits in Texas, step-by-step fixes for each violation, and a full compliance checklist tailored to your practice type.

Solo therapists in Houston bear 100% of HIPAA liability personally — there is no employer or institution to absorb a fine. Houston's large and growing mental health market means increased OCR scrutiny of the solo-practice sector. Most compliance failures for Houston solo therapists occur in the first 12 months after opening a practice, before formal compliance systems are in place.

$41,000

Average HIPAA fine in Texas

Texas OCR region actively audits solo practices.

Source: HHS Office for Civil Rights enforcement data, 2025

Texas Law Requirements for Solo Therapists

Texas Health & Safety Code Chapter 611 imposes mental health record confidentiality requirements that exceed HIPAA in several important areas. Texas law restricts disclosure of therapy records even to the client's own attorney without a court order. Mental health records must be retained for at least 7 years from the last treatment date — 10 years for minor patients. For Houston solo therapists, this means doubled liability: federal OCR enforcement from Region 6 in Dallas, which consistently ranks among the nation's most active enforcement offices, and state-level sanctions from the Texas State Board of Examiners of Professional Counselors. OCR Region 6 specifically targets small solo practices for missing BAAs and outdated Notices of Privacy Practices. A single compliance gap can result in both a federal fine and a state license review simultaneously.

OCR Region 6 (headquartered in Dallas) covers all of Texas and has a track record of auditing Houston solo practices specifically for missing BAAs and outdated NPP documentation.

Top HIPAA Violations for Solo Therapists in Houston — and How to Fix Them

These are the violations OCR most frequently cites for solo therapists in Texas. Each one is fixable — most in under an hour. The cost of not fixing them is significantly higher than the cost of the solution.

1

No BAA with SimplePractice or EHR

HOW TO FIX IT

Open your EHR account settings and locate the Business Associate Agreement — in SimplePractice it is under Settings > Practice > HIPAA. For other platforms, email their support to request the BAA document. Keep a signed copy on file for 6 years.

2

Using Gmail for client communication

HOW TO FIX IT

Create a Google Workspace Business account (from $6/month) and request the HIPAA BAA through the Admin Console, or switch to Hushmail for Healthcare which includes the BAA automatically on all plans.

3

Unencrypted session notes on personal device

HOW TO FIX IT

On Mac: System Settings > Privacy & Security > FileVault. On Windows: Settings > Update & Security > Device Encryption or BitLocker. Create a written one-page device policy even for solo practices.

The #1 Tech Compliance Gap for Solo Therapists in Houston

Missing Business Associate Agreement with telehealth platform

SimplePractice solves this with a signed BAA, encrypted messaging, and HIPAA-compliant telehealth — all in one platform used by 225,000+ therapists.

☀️ Summer 2026 Offer

Trusted by 225,000+ Therapists — Recommended for Solo Therapist in Houston

50% Off Your First 4 Months of SimplePractice

SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.

✓ 7-day free trial✓ 50% off first 4 months✓ Free credentialing available (up to 2 payers)✓ BAA included
Claim 50% Off SimplePractice →

Limited-time summer offer · No credit card required for trial

Need HIPAA-compliant email only? See Hushmail for Healthcare →

Solo Therapist HIPAA Compliance Checklist — Houston

Work through this checklist to confirm your practice meets the baseline HIPAA requirements for solo therapists in Texas. Every item marked incomplete is a potential OCR audit finding.

Sign a Business Associate Agreement with every vendor storing or transmitting client data: EHR, telehealth platform, email service, and scheduling software

Replace personal Gmail or free email with a HIPAA-compliant service — Hushmail for Healthcare or Google Workspace Business with BAA

Enable full-disk encryption on every device used for client work (FileVault on Mac, BitLocker on Windows)

Complete and document a written Security Risk Assessment (SRA) — HHS provides a free tool at healthit.gov

Update your Notice of Privacy Practices (NPP) to reflect 2026 requirements and post it both in office and on your website by February 16

Establish a written breach notification procedure — you have 60 days from discovery to notify HHS

Set device auto-lock to 5–10 minutes of inactivity on all devices used for client records

Retain all BAAs, policies, and SRA documentation for a minimum of 6 years

This checklist covers the most common compliance gaps for solo therapists in Houston. It is not a substitute for a full HIPAA Security Risk Assessment or legal advice specific to your practice.

Frequently Asked Questions — Solo Therapists in Houston

Does a solo therapist in Houston need to comply with HIPAA?

Solo therapists are covered entities responsible for all HIPAA compliance personally — no employer to shield liability.

What is the average HIPAA fine for therapy practices in Texas?

The average HIPAA fine for therapy practices in Texas is $41,000. Texas OCR region actively audits solo practices.

What are the most common HIPAA violations for solo therapists?

No BAA with SimplePractice or EHR. Using Gmail for client communication. Unencrypted session notes on personal device.

What is the February 2026 HIPAA deadline?

By February 16, 2026, all covered entities including therapy practices must update their Notice of Privacy Practices (NPP) to reflect the new HIPAA Privacy Rule requirements around patient rights and data access. Failure to update is an automatic violation.

What is SimplePractice and does it solve HIPAA compliance?

SimplePractice is a HIPAA-compliant practice management platform used by 225,000+ therapists. It includes a signed Business Associate Agreement (BAA), encrypted client messaging, HIPAA-compliant telehealth, and documentation tools. It does not replace a full Security Risk Assessment but covers most day-to-day compliance gaps.

Does Texas Chapter 611 require anything beyond HIPAA for Houston therapists?

Yes. Texas Health & Safety Code Chapter 611 adds several requirements beyond HIPAA: it restricts disclosure of mental health records to attorneys — even the client's own attorney — without a court order, and it requires retention of records for 7 years (10 for minors). Violations of Chapter 611 are handled by the Texas State Board and can result in license suspension in addition to OCR fines.

How do I know if my current EHR is HIPAA-compliant?

HIPAA compliance is not a certification — it is a contractual relationship. Your EHR is compliant only if they have signed a BAA with your practice and implement appropriate technical safeguards. Request the BAA from your EHR vendor directly. If they refuse to sign one, you must switch EHR platforms — using a non-BAA EHR is a HIPAA violation regardless of how secure the platform claims to be.