May 8, 2026

HIPAA Compliance for Solo Practitioners in Texas: What Actually Applies

Quick answer

A solo practitioner in Texas who bills electronically is a HIPAA covered entity under 45 CFR 160.103. They also have to comply with Texas HB 300, which amended Chapter 181 of the Texas Health and Safety Code with state-specific overlays on top of HIPAA: a 15 business-day window for electronic record requests, role-based training within 90 days of hire, retraining within one year of any material legal change, signed training records retained for 6 years, posted notice of electronic disclosures, and separate civil penalties from the Texas Attorney General. Federal HIPAA enforcement and Texas HB 300 enforcement are separate. A single breach can produce both.

Most solo practitioners in Texas know they have to comply with HIPAA. Far fewer realize they also have to comply with Texas HB 300, the state overlay that is most often missing when a practice has to answer an OCR investigation or a Texas Attorney General complaint.

This post explains what actually applies, with the specific regulatory citations. It is written for the actual situation a solo practitioner is in: one provider, one or two staff, one EHR, one IT vendor, no privacy officer, no legal department.

You Are a Covered Entity Even If You Are Solo

HIPAA does not have a small-practice exemption. A covered entity is defined at 45 CFR 160.103 as a health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a covered transaction. Covered transactions include billing claims, eligibility checks, and referral certification, among others. If you submit insurance claims electronically, run eligibility checks through a clearinghouse, or use any modern practice management system that does any of these on your behalf, you are a covered entity.

A solo dentist in Sugar Land, a solo therapist in Austin running a cash-pay practice that still runs electronic eligibility checks, a solo dermatologist in El Paso with a single front-desk staff member: all of them are covered entities. The practice owner has the same HIPAA obligations as a hospital. The size of the practice does not change what HIPAA requires.

Texas adds a second, broader definition. Under Section 181.001(b)(2) of the Texas Health and Safety Code, a covered entity in Texas includes any person who, for commercial gain or otherwise, "engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information." Every solo healthcare provider in Texas falls inside that definition, and so does anyone who handles their patient data on their behalf.

What HIPAA Requires of Every Solo Practice

The federal HIPAA Privacy Rule, Security Rule, and Breach Notification Rule apply in full. The pieces that solo practitioners most often miss:

A Risk Analysis

Required at 45 CFR 164.308(a)(1)(ii)(A). Every settlement in HHS OCR's Risk Analysis Initiative cited a failure to conduct an "accurate and thorough" risk analysis. The Initiative reached 13 settlements as of April 2026, when OCR announced four ransomware-related settlements totaling approximately $1.165 million across Regional Women's Health Group ($320,000), Assured Imaging ($375,000), Consociate, Inc. ($225,000), and Star Group LP ($245,000). The pattern in every case is the same: no documented risk analysis, or one so generic it does not describe the actual practice environment. Practice size has not protected anyone. A May 2025 settlement with Vision Upright MRI, a small California radiology provider, included a $5,000 monetary settlement and a corrective action plan with two years of OCR monitoring after OCR found that the practice had never conducted a HIPAA risk analysis.

A Risk Management Plan Tied to the Risk Analysis

Required at 45 CFR 164.308(a)(1)(ii)(B). For each risk identified in the analysis, there must be a documented plan to address it: who is responsible, what they are doing, by when, what the current status is. OCR Director Paula M. Stannard, who was appointed in June 2025, has signaled that the Risk Analysis Initiative is being expanded to explicitly cover risk management. In April 2026, OCR released a guidance video titled "Risk Management Under the HIPAA Security Rule." Identifying risks alone is no longer enough. The follow-through has to be documented.

Workforce Training and Sanctions

Privacy Rule training is required at 45 CFR 164.530(b), and Security Rule security awareness and training at 45 CFR 164.308(a)(5). Privacy Rule sanctions are required at 45 CFR 164.530(e). Security Rule sanctions are required at 45 CFR 164.308(a)(1)(ii)(C). Even with one staff member, the practice has to train them, document the training, and have a written sanctions policy. The sanctions policy must be applied if a workforce member violates the rules. A policy with no record of ever being applied is read by OCR as a policy that does not function.

Business Associate Agreements

Required at 45 CFR 164.502(e) and 164.308(b), with the required contract terms at 45 CFR 164.504(e). Every vendor who creates, receives, maintains, or transmits PHI on behalf of the practice has to sign a BAA. For a solo practitioner, this typically includes the EHR vendor, the IT provider, the cloud backup service, the secure email service, and any billing or coding service. A practice without BAAs in place for these vendors has a regulatory gap that an OCR investigator will identify in the first request letter.

Breach Notification

Individual notification is required at 45 CFR 164.404, without unreasonable delay and no later than 60 calendar days following discovery of the breach. Discovery is defined at 45 CFR 164.404(a)(2) as the first day the breach is known to the practice or, by exercising reasonable diligence, would have been known, so the clock can start before anyone at the practice actually noticed. Notification to the Secretary of HHS is governed by 45 CFR 164.408: breaches affecting 500 or more individuals must be reported contemporaneously with individual notice (in practice, no later than 60 days from discovery), and breaches affecting fewer than 500 must be reported no later than 60 days after the end of the calendar year in which they were discovered. Most solo practices that discover a breach do not realize the calendar is already running.

A Note on the Pending 2026 Security Rule Update

HHS published a Notice of Proposed Rulemaking on January 6, 2025 that would update the HIPAA Security Rule for the first time in over a decade. As of May 2026, the rule has not been finalized. OCR's Spring 2025 Unified Agenda targeted finalization in May 2026, but practitioner reporting in late April 2026 described that timeline as possible but not guaranteed. The proposed rule would add explicit requirements around encryption, multi-factor authentication, vulnerability scanning, and asset inventory. Solo practices should track this but not yet treat it as binding.

What Texas HB 300 Adds On Top

Texas HB 300 amended Chapter 181 of the Texas Health and Safety Code to extend privacy obligations beyond what HIPAA requires. The pieces that are different from HIPAA, with primary-source citations:

Patient access to electronic records
  HIPAA: up to 30 calendar days, with one 30-day extension (45 CFR 164.524(b)(2))
  Texas HB 300: 15 business days under §181.102(a)

Workforce training timing
  HIPAA: "as necessary and appropriate" with no specific deadline (45 CFR 164.530(b))
  Texas HB 300: within 90 days of hire under §181.101(b)

Training tailored to role
  HIPAA: required as appropriate to the workforce member's function
  Texas HB 300: required by statute, "as necessary and appropriate for the employees to carry out the employees' duties" under §181.101(a)

Retraining cadence
  HIPAA: within a reasonable time after a material policy change
  Texas HB 300: within one year of any material legal change affecting the role under §181.101(c)

Training records retention
  HIPAA: 6 years under the general documentation rules (45 CFR 164.530(j) and 164.316(b)(2))
  Texas HB 300: signed completion statements retained 6 years under §181.101(d)

Notice of electronic disclosures
  HIPAA: the Notice of Privacy Practices covers disclosures generally
  Texas HB 300: posted notice required that PHI may be disclosed electronically, in the office or on the website, under §181.154(a)

Authorization for sale or marketing of PHI
  HIPAA: authorization required under the Privacy Rule (45 CFR 164.508(a)(3) and (a)(4))
  Texas HB 300: separate authorization required for each electronic disclosure outside of treatment, payment, or healthcare operations under §181.154(b)

Enforcement
  HIPAA: HHS Office for Civil Rights
  Texas HB 300: Texas Attorney General plus Texas licensing agencies under §181.201 and §181.202

The 15-Business-Day Rule Trips Practices Up Most

If a Texas patient submits a written request for their records in electronic form, and your EHR can produce them electronically, Section 181.102(a) requires delivery no later than the 15th business day after the date the request is received. HIPAA gives 30 calendar days. A solo practice that operates by the federal calendar will miss the Texas deadline routinely. The Texas Attorney General can act on a patient complaint about a missed 15-day window without any HIPAA finding.
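To make the two calendars concrete, here is an added example (not part of the original post, and not any practice's or vendor's tooling) that computes the HIPAA and Texas patient-access deadlines for a request received on a given date, and the breach notification deadlines described earlier in the post. It assumes Monday through Friday are business days and takes a constructed holiday set (Memorial Day 2026, chosen because it falls inside the sample window), since Chapter 181 does not define "business day"; a practice should substitute the days its office is actually closed. The sample request and discovery dates are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed holiday set for the example. Assumption: substitute the days your
# office is actually closed; Chapter 181 does not define "business day".
EXAMPLE_HOLIDAYS = frozenset({
    date(2026, 5, 25),  # Memorial Day 2026
})


def add_business_days(start: date, n: int, holidays=frozenset()) -> date:
    """Return the date n business days after start.

    The day the request arrives is day zero; Saturdays, Sundays and any date
    in `holidays` are skipped (assumption: Monday-Friday are business days).
    """
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def access_deadlines(received: date, holidays=frozenset()) -> dict:
    """Deadlines for a written request for records in electronic form.

    HIPAA: 30 calendar days (45 CFR 164.524(b)(2)(i)), before any extension.
    Texas: 15th business day after receipt (Tex. Health & Safety Code 181.102(a)).
    """
    hipaa = received + timedelta(days=30)
    texas = add_business_days(received, 15, holidays)
    return {
        "hipaa_30_calendar_days": hipaa,
        "texas_15_business_days": texas,
        "days_texas_is_earlier": (hipaa - texas).days,
    }


def breach_deadlines(first_known: date, should_have_known: date,
                     affected: int) -> dict:
    """Notification deadlines measured from the breach 'discovery' date.

    45 CFR 164.404(a)(2) treats a breach as discovered on the first day it is
    known, or by reasonable diligence would have been known, so the earlier
    of the two dates starts the 60-day clock.
    """
    discovered = min(first_known, should_have_known)
    individual = discovered + timedelta(days=60)  # 164.404(b)
    if affected >= 500:
        hhs = individual  # 164.408(b): contemporaneous with individual notice
    else:
        year_end = date(discovered.year, 12, 31)
        hhs = year_end + timedelta(days=60)  # 164.408(c): 60 days after year end
    return {
        "discovered": discovered,
        "individual_notice_by": individual,
        "hhs_notice_by": hhs,
    }


if __name__ == "__main__":
    # Constructed sample: request received Friday, May 8, 2026.
    request = date(2026, 5, 8)
    for label, day in access_deadlines(request, EXAMPLE_HOLIDAYS).items():
        print(f"{label}: {day}")

    # Constructed sample: staff noticed on May 8 a breach that the logs
    # showed on April 20, affecting 40 patients.
    for label, day in breach_deadlines(date(2026, 5, 8), date(2026, 4, 20), 40).items():
        print(f"{label}: {day}")
```

For the sample request the Texas deadline lands on June 1, 2026 (the Memorial Day holiday pushes it past May 29), while the HIPAA date is June 7; a workflow keyed to the federal window misses Texas by six days. In the breach sample the clock runs from April 20, not May 8, which moves individual notice up to June 19.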

The Training Requirement Is Specific

Texas HB 300 requires that training be tailored to the actual job duties of the workforce member. Generic HIPAA training videos satisfy the federal floor. They do not satisfy the Texas requirement on their own. The training must address how the specific staff member handles PHI in their role. Documentation must include a signed completion statement from each trained employee, retained for six years under Section 181.101(d).

The Penalty Stacking Problem

Federal HIPAA penalties from HHS OCR and Texas state penalties from the Attorney General are separate enforcement actions. A single breach can produce both.

The 2026 federal HIPAA annual penalty cap, for all violations of an identical provision, is $2,190,294. That figure was published in the Federal Register on January 28, 2026 as the inflation-adjusted maximum effective that date.

Texas HB 300 civil penalties under Section 181.201 of the Texas Health and Safety Code run on a tiered structure:

The Texas Attorney General enforces HB 300. The Texas Medical Board, the Texas State Board of Dental Examiners, the Texas State Board of Examiners of Psychologists, and other licensing agencies can also impose disciplinary action on a license-holder for a privacy violation under Section 181.202. Section 181.203 also allows exclusion from any state-funded healthcare program for a covered entity found to have engaged in a pattern or practice of violating Chapter 181.

What Solo Practitioners Most Often Miss

From the pattern of OCR enforcement actions and Texas AG complaints, the gaps that show up most often in small-practice investigations:

  1. No Risk Analysis at all, or a vendor template that has never been customized to the practice. This is the single most cited deficiency in OCR settlements.
  2. No Risk Management Plan tied to whatever risk analysis exists. The risks were identified, but no remediation was documented.
  3. Missing Business Associate Agreements with one or more vendors. The IT provider has a BAA, but the cloud backup service or the secure email vendor does not.
  4. Training records that do not exist or are not signed. The staff member completed training, but there is no signed written record retained for six years.
  5. The 15-business-day Texas rule treated as the 30-day federal rule. A patient request comes in, the practice schedules a response within HIPAA's window, and the Texas deadline passes silently.
  6. Sanctions policy on paper but never applied. A workforce member shared a password or accessed a record they should not have, and there is no documented response.
  7. No posted notice of electronic disclosures. The Notice of Privacy Practices covers disclosures generally but does not include the specific electronic-disclosure language Texas requires under Section 181.154(a).

What to Actually Do Next

If you are a solo practitioner in Texas reading this and any of the above describes your practice, the priority order is:

  1. Get a real Risk Analysis written. Either complete one yourself against the HHS-defined elements, or have it done by someone who has done one before. The deliverable is a written document that reflects your actual practice.
  2. Build the Risk Management Plan from the Risk Analysis findings. One row per identified risk, with a remediation plan, owner, and deadline.
  3. Audit your vendor list for BAAs. Make a list of every vendor who touches PHI. Verify each has a current BAA on file. Get one signed for any that do not.
  4. Update training to meet the HB 300 standard. Generic HIPAA video training is not enough on its own. Add the role-specific component, document completion with a signed statement, retain for six years.
  5. Add the 15-business-day rule to your patient access workflow. Whoever processes record requests at your practice needs to know the Texas window is shorter than the federal window.
  6. Post the electronic-disclosure notice in a location patients can see, or include it on your website, per Section 181.154(a).
  7. Document a sanctions policy and apply it consistently when issues arise. Even minor incidents should produce a documented response.

None of this requires a privacy officer or a legal department. It requires the work to be done and the documentation to exist. OCR and the Texas Attorney General both operate on documentation. A practice that can produce the documents in front of an investigator is in a different position than one that cannot.


Need help getting these documents in place?

North Privacy Advisors works with solo practitioners across Texas to build the actual deliverables: written Risk Analysis, Risk Management Plan, BAA tracking, role-based training, sanctions policy, and posted notices.


Last Updated: May 8, 2026