Does Your Small Practice Need a Security Plan? OSHA Recommendations (OSHA Guidelines)

Executive Summary

Small healthcare practices often ask whether they need a “security plan.” If the intent is to protect patients’ medical information and avoid privacy penalties, Texas has a specific legal framework: Texas Health and Safety Code Chapter 181, commonly known as HB 300. HB 300 expands privacy and security obligations for any covered entity handling PHI of Texas residents and can be stricter than HIPAA. For Texas clinics, a practical “security plan” is a documented privacy and security program that satisfies Chapter 181’s authorization, training, disclosure, and safeguarding requirements, aligned with HIPAA where applicable. Building this plan now reduces enforcement risk from the Texas Attorney General, mitigates breach impact, and strengthens patient trust.

Introduction

Many small practices equate “security plan” with workplace safety or general IT checklists. In Texas, the operative legal question is: do you handle protected health information about Texas residents? If yes, HB 300 applies, and you must implement reasonable administrative, physical, and technical safeguards, support patient rights, use compliant authorization forms, and train your workforce on state and federal privacy rules. Because HB 300 can exceed HIPAA in scope and strictness, a Texas-tuned plan prevents gaps that could lead to state penalties, licensing board actions, and reputational damage. This article translates HB 300 into a lean, auditable program suitable for clinics with limited budgets and small teams.

Understanding Does Your Small Practice Need a Security Plan Under Texas Health and Safety Code Chapter 181 HB 300

HB 300 amended and strengthened Chapter 181 of the Texas Health and Safety Code, creating a state privacy regime for medical records that applies broadly to “covered entities,” including health care providers, facilities, business associates, research entities, and even certain information management organizations that “assemble, collect, analyze, use, evaluate, store, or transmit” PHI of Texas residents. Chapter 181 also clarifies the interplay with HIPAA. Entities that are HIPAA covered entities must comply with HIPAA and, where Texas law is more stringent, must also comply with Chapter 181. Practically, this means a Texas clinic cannot assume HIPAA-only policies will suffice.

The statute directs the state executive commissioner to adopt rules consistent with HIPAA privacy standards and to review subsequent federal amendments for Texas adoption. It assigns responsibilities among state agencies and underscores that PHI handled by Texas governmental covered entities is not public information. Enforcement lives with the Texas Attorney General, who can seek injunctive relief and civil penalties, and licensing agencies may pursue disciplinary actions, including suspension or revocation, for egregious or patterned violations.

For a small practice, the legal takeaway is simple: your “security plan” must be a documented privacy and security program that reflects Chapter 181’s stricter scope, robust authorization requirements, timely breach response, and ongoing training obligations. Understanding this framework reduces risk of civil penalties, limits operational disruption after incidents, and provides defensible evidence during investigations.

The OCR’s Authority in Does Your Small Practice Need a Security Plan

HIPAA’s Privacy, Security, and Breach Notification Rules are enforced by the U.S. Department of Health and Human Services Office for Civil Rights. OCR investigates federal HIPAA violations and can levy civil monetary penalties and impose corrective action plans. However, OCR does not enforce Texas HB 300. Under Chapter 181, the Texas Attorney General is the principal state enforcer, and Texas licensing boards can impose discipline for violations by licensees. In practice, a Texas small practice may face dual exposure: OCR for HIPAA issues and the Texas Attorney General or a licensing board for Chapter 181 violations. A well-built plan therefore aligns with both frameworks, adopting the stricter provision where differences exist.

Step-by-Step Compliance Guide for Small Practices

Below is a pragmatic path to stand up an HB 300-compliant privacy and security program that doubles as your “security plan.” Each step includes how to comply, the artifacts you should keep, and low-cost implementation ideas.

  1. Determine whether you are a covered entity under Chapter 181
    How to comply: Review your operations against the statute’s covered entity definition. If you touch PHI of Texas residents for care, billing, operations, or as a services vendor, you likely qualify.
    Artifacts: A one-page applicability memo describing why you are a covered entity, signed by the owner or administrator.
    Low-cost tip: Use a simple spreadsheet to list all PHI inputs and outputs, including vendors.

  2. Map HIPAA and Texas HB 300 scoping together
    How to comply: Document whether you are a HIPAA covered entity or business associate. Note that Chapter 181 applies in addition to HIPAA where more stringent.
    Artifacts: A “scoping matrix” referencing HIPAA and Chapter 181; a statement that Texas-stricter provisions control where applicable.
    Low-cost tip: A single matrix tab in your PHI inventory suffices.

  3. Adopt the Texas standard authorization form for non-TPOR uses and disclosures
    How to comply: For disclosures outside treatment, payment, or health care operations, obtain a valid authorization that meets Texas requirements.
    Artifacts: The state-standard authorization form and your procedure for when to use it; version control and retention.
    Low-cost tip: Store a locked PDF template in a shared folder and embed it in your EHR’s forms.

  4. Implement reasonable administrative, physical, and technical safeguards
    How to comply: Create policies commensurate with your size and risk, including minimum necessary access, secure workstation use, media disposal, encryption at rest and in transit where feasible, and vendor management with BAAs or Texas-appropriate contract terms.
    Artifacts: A concise Privacy and Security Program document set; risk analysis notes; access logs; encryption settings; vendor list with agreements.
    Low-cost tip: Turn on device encryption and automatic screen lock; restrict USB access; use EHR audit logs.

  5. Workforce training tuned to Texas
    How to comply: Provide training on both HIPAA and Chapter 181, including patient rights, authorization form use, breach reporting, and your internal reporting channels. Train new hires promptly and refresh staff when policies materially change.
    Artifacts: Training curriculum, attendance logs, quizzes or attestations, update notices when policies change.
    Low-cost tip: Deliver 30-minute micro-modules during staff huddles; keep sign-in sheets.

  6. Patient rights and disclosures
    How to comply: Respect patient access rights consistent with HIPAA while applying Texas-specific stricter limits where they exist, and ensure your Notice of Privacy Practices reflects Texas requirements.
    Artifacts: Current NPP; request/response logs; denial templates; fee schedule for copies if applicable.
    Low-cost tip: Post the NPP at reception and on your website; keep an access-request checklist at the front desk.

  7. Breach response and notifications
    How to comply: Maintain a written incident response plan that identifies who triages suspected breaches, how you risk-assess incidents, deadlines for notifications under Texas law, and when to coordinate with OCR for HIPAA notices.
    Artifacts: Incident log; decision trees; draft notification templates; timelines; law-enforcement delay memo template if needed.
    Low-cost tip: Use a one-page flowchart and a 48-hour internal escalation timer.

  8. Vendor and data-sharing controls
    How to comply: Identify all vendors that receive PHI and ensure you have appropriate HIPAA BAAs and Texas-appropriate contract clauses that address confidentiality, breach reporting, and permitted uses.
    Artifacts: Vendor register; executed agreements; due-diligence notes; periodic vendor attestations.
    Low-cost tip: Annually email vendors a short questionnaire about safeguards and contacts.

  9. Complaints and enforcement readiness
    How to comply: Provide clear patient complaint channels and maintain an internal log. Prepare a minimal “investigation packet” demonstrating training, policies, and past corrective actions for rapid response to state inquiries.
    Artifacts: Complaint log; response templates; corrective action plans; summary of last self-audit.
    Low-cost tip: Keep a single PDF portfolio that you can hand to regulators on request.

  10. Annual review and corrective action
    How to comply: Review your program at least annually or after material changes such as an EHR migration, a new location, or a new vendor. Assign corrective actions with owners and dates.
    Artifacts: Annual review memo; updated policy versions; closed-loop corrective action list.
    Low-cost tip: Calendar a recurring one-hour review, then capture two to three improvement items each cycle.

Case Study

A four-provider family practice in Central Texas migrated to a new cloud EHR and began emailing unencrypted appointment reminders from a general office account. A patient complained that the reminder included a diagnostic detail visible in the subject line and that the clinic shared PHI with a third-party scheduling vendor without proper authorization. The practice opened an incident, halted the reminder workflow, and performed a risk assessment. The review discovered the vendor received PHI under a generic IT services agreement that lacked Texas-specific privacy terms. The clinic notified affected patients within the state-prescribed period, updated its Notice of Privacy Practices, and executed a compliant vendor agreement. It also rolled out staff refresher training focused on authorization, minimum necessary, and email hygiene.

Outcome: The clinic avoided prolonged enforcement by quickly correcting practices, demonstrating reasonable safeguards, and documenting remedial training and contract fixes. Had the clinic ignored the complaint or failed to notify within the required timeframe, it risked civil penalties from the Texas Attorney General and potential licensing scrutiny. The post-incident improvements cut future exposure and strengthened the clinic’s audit posture.

Simplified Self-Audit Checklist for Does Your Small Practice Need a Security Plan

Each checklist item lists the task, the responsible role, the timeline or frequency, and the legal reference.

  1. Confirm covered entity status under Chapter 181 and HIPAA; document scope.
    Responsible role: Administrator
    Timeline or frequency: Annually and upon major changes
    Legal reference: Texas Health and Safety Code Chapter 181

  2. Adopt and use the Texas standard authorization form for non-TPOR uses/disclosures.
    Responsible role: Privacy Officer
    Timeline or frequency: Ongoing; review annually
    Legal reference: Texas Health and Safety Code Chapter 181

  3. Maintain reasonable safeguards (administrative, physical, technical) proportionate to risk.
    Responsible role: Privacy Officer and IT Lead
    Timeline or frequency: Quarterly spot checks
    Legal reference: Texas Health and Safety Code Chapter 181

  4. Deliver workforce training that covers HIPAA and Texas Chapter 181 requirements.
    Responsible role: Privacy Officer
    Timeline or frequency: New hire and upon material changes
    Legal reference: Texas Health and Safety Code Chapter 181

  5. Maintain a written breach response plan with Texas notification timelines.
    Responsible role: Privacy Officer
    Timeline or frequency: Review after any incident and annually
    Legal reference: Texas Health and Safety Code Chapter 181

  6. Review and update Notice of Privacy Practices to reflect Texas specifics.
    Responsible role: Administrator
    Timeline or frequency: Annually
    Legal reference: Texas Health and Safety Code Chapter 181

  7. Inventory PHI-receiving vendors and execute proper agreements.
    Responsible role: Administrator
    Timeline or frequency: Annually and when adding vendors
    Legal reference: Texas Health and Safety Code Chapter 181

  8. Maintain patient complaint channel and log; resolve and document corrective actions.
    Responsible role: Administrator
    Timeline or frequency: Ongoing
    Legal reference: Texas Health and Safety Code Chapter 181

  9. Conduct an annual program review and close corrective actions.
    Responsible role: Practice Owner
    Timeline or frequency: Annually
    Legal reference: Texas Health and Safety Code Chapter 181

Using this checklist quarterly creates a steady cadence of verification and improvement that aligns your security plan with Texas expectations and demonstrates ongoing diligence.

Common Pitfalls to Avoid Under Texas Health and Safety Code Chapter 181

Before listing pitfalls, remember that many enforcement problems begin with small governance gaps. The pitfalls below tie directly to Chapter 181 compliance and your day-to-day operations.

  • Relying on HIPAA-only templates and ignoring Texas-specific stricter provisions leads to authorization and training gaps. This increases the risk of state-level penalties and licensing issues if a complaint arises.
  • Using generic vendor contracts without Texas-specific privacy language creates uncertainty about permitted uses, breach reporting, and PHI safeguards. If a vendor incident occurs, the practice may lack leverage and face added scrutiny.
  • Failing to refresh training when policies change causes staff to continue outdated practices, such as insecure emailing of PHI. This heightens breach risk and weakens your defense in an investigation.
  • Treating breach assessment as an informal conversation rather than a documented decision process results in missed notifications or late timing, which can aggravate enforcement outcomes.
  • Not aligning your Notice of Privacy Practices with Texas requirements creates patient confusion and complaints, increasing the likelihood of regulatory attention.

By systematically addressing these pitfalls with targeted policies, training, and documentation, a small practice materially reduces the likelihood and impact of violations under Chapter 181.

Best Practices for Does Your Small Practice Need a Security Plan Compliance

Best practices must be affordable, simple to run, and auditable. The following are calibrated for small Texas clinics.

  • Keep a single “Privacy and Security Program” binder or folder that includes your policy index, the Texas authorization form, training materials, vendor list, incident playbook, and last self-audit. This makes audits faster and signals control.
  • Use role-based access in your EHR and email, with quarterly reviews to remove access for former or transferred staff. This supports minimum necessary and incident containment.
  • Encrypt portable devices and disable auto-forwarding to personal email. This reduces the risk of inadvertent PHI disclosure from lost or misdirected devices and accounts.
  • Run quarterly micro-tabletops using recent near-misses or complaints as scenarios. Practice triage, authorization checks, and notification decision-making against Texas standards.
  • Standardize how you redact or minimize PHI in reminders, billing communications, and referrals. Small content templates prevent accidental over-disclosures.

These practices raise your control maturity without large spend and directly support the behaviors that matter in investigations: awareness, prevention, and rapid correction.

Building a Culture of Compliance Around Does Your Small Practice Need a Security Plan

Culture is what turns policy pages into daily habits. In a small practice, the owner or medical director sets the tone.

  • Leadership visibility: Start monthly staff meetings with a two-minute privacy moment that revisits a single rule or recent incident.
  • Clear roles: Post a one-page “who to call” for privacy questions, suspected breaches, and authorization issues.
  • Safe reporting: Allow anonymous reporting of suspected privacy issues; praise early reporting even when it reveals mistakes.
  • Measured improvement: Track two metrics each quarter for leadership review, such as time to revoke access for departing staff and time to complete training for new hires.
  • Recognition: Acknowledge staff who catch potential disclosures before they happen. This reinforces vigilance and encourages peer coaching.

When these cultural elements are steady, the program keeps improving even with staff turnover and operational changes.

Concluding Recommendations, Advisers, and Next Steps

For Texas small practices, the best answer to “Do we need a security plan?” is yes, in the form of a concise, documented privacy and security program aligned with Texas Health and Safety Code Chapter 181 (HB 300) and HIPAA. The essentials are clear: confirm your covered entity status, use the state standard authorization for non-TPOR disclosures, maintain reasonable safeguards, train your workforce with Texas-specific content, keep a breach playbook with timelines, and manage vendors who touch PHI. Doing these consistently prevents most privacy failures and positions your practice well if a complaint arrives.

Advisers

  • Affordable software: Consider a lightweight policy and training tracker that stores attestations, vendor lists, and incident logs. If budgets are tight, a structured SharePoint or Google Drive plus a spreadsheet tracker is sufficient when paired with disciplined version control.
  • Free government resources: Use HHS OCR’s HIPAA summaries to align your federal baseline and then tighten where Texas is stricter. Check your professional licensing board communications for any Texas-specific reminders, and consult the Texas Attorney General’s consumer privacy resources to calibrate your complaint handling.

Next steps
Appoint a Privacy Officer, finalize your Texas authorization form and breach response playbook, run a 30-minute staff refresher, and schedule a one-hour annual review. Within 30 days, complete a vendor contract sweep and close any gaps. Keep everything in one place so you can demonstrate control quickly if regulators ask.
