Therapy HIPAA Hub
HOUSTON — TEXAS HIPAA 2026

HIPAA Compliance Checklist for Houston Medical Offices — 2026

Houston medical offices — including therapist practices, counseling centers, psychiatric clinics, and solo practitioners — must comply with both federal HIPAA requirements and Texas-specific medical privacy laws. This checklist covers every requirement in 2026, organized by category so you can work through it systematically.

The OCR (HHS Office for Civil Rights) has increased enforcement in Texas in recent years. The average HIPAA settlement for Texas medical practices is over $400,000. Most violations come from gaps that take under an hour to fix — which is exactly what this checklist is for.

Updated June 2026 · Covers HIPAA federal requirements + Texas Medical Records Privacy Act

HIPAA Fines for Houston Medical Offices

HIPAA civil penalties fall into four tiers based on culpability: whether the practice knew of the violation and whether it showed willful neglect. The amounts below apply per violation, and OCR may count each affected individual, and each day a continuing violation persists, as a separate violation (45 CFR §160.406). HHS adjusts the dollar figures for inflation each year, so treat the ranges below as the order of magnitude rather than exact figures.

Violation type                          Fine range (per violation)   Annual cap
No knowledge of violation               $100 – $50,000               Up to $25,000/year
Reasonable cause, no willful neglect    $1,000 – $50,000             Up to $100,000/year
Willful neglect, corrected              $10,000 – $50,000            Up to $250,000/year
Willful neglect, not corrected          $50,000 minimum              Up to $1.9 million/year

Full HIPAA Compliance Checklist — Houston Medical Offices

Work through each section below and check each item as you complete it. Every section applies to a HIPAA-covered entity: section 7 applies only if you offer telehealth, and section 1 applies to every vendor that creates, receives, stores, or transmits PHI on your behalf. None of the rest is optional.

1. Business Associate Agreements (BAAs)

2. Electronic Systems & Software

3. Physical Safeguards (Houston Office)

4. Staff Training & Policies

5. Security Risk Assessment (Required by Law)

6. Notice of Privacy Practices (NPP)

7. Telehealth (if applicable)

8. Breach Response

Texas-Specific HIPAA Requirements for Houston Offices

Texas medical offices must comply with both federal HIPAA and Texas state law. Where the two conflict, you must meet the stricter requirement.

Texas Medical Records Privacy Act

Texas has its own medical records privacy law (Texas Health & Safety Code Chapter 181) that is stricter than HIPAA in several respects: it applies to anyone who assembles, stores, or transmits PHI, not only HIPAA covered entities; it requires electronic health records to be provided to the patient within 15 business days of a written request (§181.102); and it requires workforce privacy training within 90 days of hire and at least every two years (§181.101). Mental health records carry additional confidentiality protections under Texas Health & Safety Code Chapter 611. Texas medical offices must comply with both: HIPAA sets the floor and Texas law raises it.

Texas Attorney General breach notification

In addition to HHS notification under federal HIPAA, Texas requires notification to the Texas Attorney General for a breach of computerized sensitive personal information affecting 250 or more Texas residents, filed no later than 30 days after the breach is determined to have occurred (Texas Business & Commerce Code §521.053). Note that this threshold is lower than the federal one: the HHS 60-day report applies at 500 or more individuals, the Texas AG report at 250. It is a state requirement separate from the HHS report and from notifying the affected patients.

Therapist-specific: LPC, LCSW, MFT licensing

Texas-licensed therapists (LPCs, LCSWs, MFTs) must maintain confidentiality under both HIPAA and their licensing board rules. The Texas State Board of Examiners of Professional Counselors, the Texas State Board of Social Worker Examiners (TSBSWE), and the Texas State Board of Examiners of Marriage and Family Therapists, all now under the Texas Behavioral Health Executive Council, have confidentiality rules that overlap with but extend beyond HIPAA.

Houston-area insurer requirements

Major Houston insurers including Blue Cross Blue Shield of Texas and UnitedHealthcare Texas require HIPAA compliance documentation as a condition of provider contracts. A compliance gap can result in contract termination and recoupment of payments.

Most Common HIPAA Violations in Houston Medical Practices

These are the violations that trigger the most complaints and OCR investigations in Texas medical offices. Each one is preventable with the checklist above.

No Business Associate Agreement with EHR or billing software

Sign a BAA immediately. Most major EHRs (SimplePractice, TherapyNotes) include BAAs as part of their paid plans.

Using standard Gmail or personal email for patient communication

Switch to an email platform that will sign a BAA: Google Workspace Business (with the BAA accepted in the admin console), Microsoft 365 Business (with BAA), or Hushmail for Healthcare. The BAA covers your mailbox, not the patient's: messages to a patient's personal address should go through the platform's secure-message feature, or you should document that the patient was warned of the risks of unencrypted email and still chose it, which HHS guidance permits.

No Security Risk Assessment on file

Complete an SRA using HHS's free tool at healthit.gov/sra. Document results and your mitigation plan. This is legally required and the #1 audit finding.

Outdated Notice of Privacy Practices (not updated for 2026 rule changes)

Update your NPP to reflect the 2026 HIPAA amendments. Required by February 2026 for all covered entities.

PHI stored in non-compliant cloud storage (personal Dropbox, Google Drive without BAA)

Move all PHI to a compliant cloud platform with a signed BAA. Use Google Workspace Business or Microsoft 365 — not personal accounts.

No staff HIPAA training documentation

Train all staff and document each session with names, dates, and topics covered. HIPAA requires training for new workforce members and whenever your policies change; Texas Health & Safety Code §181.101 requires it within 90 days of hire and at least every two years. Annual refresher training is the usual way to satisfy both and is what auditors expect to see on file.

Using standard Zoom, FaceTime, or WhatsApp for telehealth sessions

Switch to a HIPAA-compliant telehealth platform (SimplePractice, TherapyNotes, or Doxy.me paid plan) with a signed BAA.

⏰ June Offer — Ends July 15

Trusted by 225,000+ Therapists — Recommended for Therapists in Houston

50% Off Your First 4 Months + Free Credentialing

SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.

✓ 7-day free trial
✓ 50% off first 4 months
✓ Free credentialing (up to 2 payers)
✓ BAA included

Claim 50% Off SimplePractice →

Offer valid through July 15, 2026 · No credit card required for trial

Need HIPAA-compliant email only? See Hushmail for Healthcare →

FAQ — HIPAA Compliance for Houston Medical Offices

Is HIPAA compliance required for solo practice therapists in Houston?

Yes. Any therapist, counselor, or mental health professional who transmits health information electronically in connection with a standard transaction, which includes billing insurance electronically, sending electronic records, or using an EHR, is a HIPAA-covered entity. Solo practices in Houston are subject to the same HIPAA requirements as large hospital systems. The Security Rule does let you scale safeguards to your size, complexity, and resources (45 CFR §164.306(b)), but that flexibility applies to how you meet each standard, not to whether you must.

What does the Security Risk Assessment requirement mean for Houston medical offices?

The Security Risk Assessment (SRA) is legally required under the HIPAA Security Rule (45 CFR §164.308(a)(1)). Every covered entity must conduct and document an SRA that identifies all risks to the confidentiality, integrity, and availability of electronic PHI, and must document how those risks are mitigated. For Houston medical offices, HHS's free SRA Tool (healthit.gov) is the most practical starting point. Not having an SRA on file is the single most common finding in HIPAA audits.

Do Houston therapists need to comply with the Texas Medical Records Privacy Act in addition to HIPAA?

Yes. The Texas Medical Records Privacy Act (Texas Health & Safety Code Chapter 181) applies to most Houston healthcare providers and therapists, and its definition of a covered entity is broader than HIPAA's. In some areas Texas law is stricter than federal HIPAA: electronic records must be provided to a patient within 15 business days of a written request (§181.102) rather than HIPAA's 30 days, workforce training is required within 90 days of hire and every two years (§181.101), and mental health records have additional protections under Chapter 611. You must comply with both, which means following whichever law is more protective of patient privacy.

What HIPAA-compliant software should a Houston therapy practice use?

For a solo therapist or small group practice in Houston, SimplePractice covers most compliance needs in one platform: it provides a signed BAA, HIPAA-compliant EHR, telehealth, and billing. For email, Hushmail for Healthcare or Google Workspace Business (with BAA enabled) are the most commonly used options. These do not eliminate the need for an SRA and staff training, but they close the most common technology compliance gaps.

How do I report a HIPAA breach if it happens in my Houston practice?

Report breaches to three places. (1) HHS/OCR through the breach portal at hhs.gov/hipaa: a breach affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 calendar days after discovery, and if 500 or more residents of one state are affected you must also notify prominent media outlets serving that state; a breach affecting fewer than 500 individuals is logged and reported to HHS within 60 days after the end of the calendar year in which it was discovered. (2) Affected patients: notify in writing without unreasonable delay and no later than 60 days after discovery. (3) Texas Attorney General: for a breach affecting 250 or more Texas residents, notify the Texas AG no later than 30 days after determining that the breach occurred (Texas Business & Commerce Code §521.053). The Texas report is separate from the federal HHS report. After reporting, document your breach response and any remediation steps taken, and keep that documentation for at least six years, the HIPAA retention period for compliance records (45 CFR §164.316(b)(2)).

Is SimplePractice HIPAA-compliant for Houston therapists?

Yes. SimplePractice signs a Business Associate Agreement with all paid plan subscribers, uses AES-256 encryption for data at rest, and provides HIPAA-compliant telehealth, messaging, and billing. It is used by 225,000+ therapists across the US including thousands in Texas. Using SimplePractice does not eliminate all HIPAA requirements — you still need an SRA, staff training, and updated privacy notices — but it closes the most critical technology compliance gaps for Houston therapy practices.