HIPAA and Texas SB 2610 are not a choice between two rules. HIPAA is the federal standard you already have to meet, and SB 2610 is a Texas liability shield you earn by proving that standard was actually in place. For a Texas healthcare provider, staying compliant with HIPAA is what qualifies you for SB 2610, so the work is one program, documented well enough to survive a lawsuit.
TL;DR. HIPAA is mandatory and carries federal fines. Texas SB 2610, effective September 1, 2025, is a new state safe harbor that blocks exemplary (punitive) damages in a breach lawsuit if you can prove a documented cybersecurity program was running before the breach. For most Texas providers, full HIPAA compliance is the qualifying framework. It does not cover actual damages, class actions, or OCR fines. The catch is proof, because SB 2610 is an affirmative defense and the burden is on you.
Most Texas healthcare owners I talk to read the headline about SB 2610 and hear one of two wrong things. Either “great, a new law protects me now” or “great, another compliance burden on top of HIPAA.” Neither is right. SB 2610 does not add a new checklist and it does not replace HIPAA. It changes what your existing HIPAA work is worth in a courtroom, which is a bigger deal than it sounds. If you run a clinic, a practice, or any business that touches patient data, the smart move is to treat both as one program. Our managed IT for healthcare work has centered on exactly this since well before the state gave it a name.
This post lays out what each law actually requires, where they connect, and the specific things a Texas provider should do before a breach forces the question. I will be honest about what SB 2610 does not do, because the marketing around it has been generous.
What is Texas SB 2610, and how is it different from HIPAA?
Texas SB 2610 is a state law, effective September 1, 2025, that adds Chapter 542 to the Texas Business and Commerce Code. It gives businesses with fewer than 250 employees a safe harbor from exemplary damages after a data breach, as long as they maintained a recognized cybersecurity program. HIPAA is the federal rule that requires healthcare organizations to protect patient data in the first place.
So they operate on different levels. HIPAA tells you what to do and punishes you through federal enforcement if you do not. SB 2610 does not tell you to do anything new. It offers a reward, a shield against one type of legal damages, for having done the security work already. One is a requirement with teeth. The other is an incentive with a very specific, limited payoff. The text of the bill itself makes clear it applies to entities that own or license computerized data containing sensitive personal information, which describes almost every medical practice in the state.

Here is the cleanest way I have found to explain the split to a practice owner.
| HIPAA | Texas SB 2610 | |
|---|---|---|
| What it is | Federal law and regulation | Texas state safe harbor law |
| Who enforces it | HHS Office for Civil Rights | Texas courts, as a legal defense |
| What it does | Requires you to protect patient data | Rewards you for having protected it |
| Applies to | Covered entities and business associates | Texas businesses under 250 employees |
| If you ignore it | Fines, corrective action, reputational harm | You simply lose the shield, nothing added |
| What it protects you from | Nothing, it is the obligation | Exemplary (punitive) damages in a lawsuit |
Does SB 2610 replace HIPAA for Texas healthcare providers?
No, and this is the point that trips people up. SB 2610 does not replace, weaken, or override any HIPAA obligation. You still owe every HIPAA duty you owed on August 31, 2025. What SB 2610 does is lean on HIPAA. The law lets a business qualify for the safe harbor by complying with an established framework it already follows, and it names HIPAA as one of those qualifying frameworks alongside GLBA and PCI DSS.
That design is actually elegant. The legislature did not want to invent a new security standard that lawyers would fight about for a decade, so it borrowed the ones that already exist. For a healthcare provider, that means your path to the SB 2610 shield runs straight through the HIPAA compliance you are supposed to have anyway. Do HIPAA properly and you get the state protection as a byproduct. Do HIPAA sloppily and you lose both the federal standing and the state shield in the same breach.
One more Texas wrinkle worth knowing. HIPAA is not the only patient-privacy rule you answer to here. The state also has its own Texas data privacy and security requirements, and the Texas Medical Records Privacy Act, known as HB 300, defines a “covered entity” far more broadly than HIPAA does. HB 300 sweeps in nearly anyone who assembles, stores, or transmits protected health information, and it gives patients access to electronic records in 15 business days rather than HIPAA’s 30. Texas has been layered on this for years. SB 2610 is the newest floor, not the whole building.
How does the SB 2610 safe harbor actually work?

The safe harbor works as an affirmative defense. That is a legal term worth slowing down on, because it decides everything about how you prepare. An affirmative defense means that after a breach, when someone sues you and asks for punitive damages, the burden is on you to prove you had a qualifying program in place before the breach happened. The court does not assume you were compliant. You have to show it, with records.
The requirements scale with your headcount, which is the part most providers get wrong when they self-assess. SB 2610 sets three tiers.
| Company size | What SB 2610 expects | Practical read for a practice |
|---|---|---|
| Under 20 employees | Basic safeguards like a password policy and documented security training | Small clinics still need written proof, not good intentions |
| 20 to 99 employees | CIS Controls Implementation Group 1, foundational cyber hygiene | A real, maintained control set, reviewed on a schedule |
| 100 to 249 employees | A recognized framework such as NIST CSF, ISO 27001, or HITRUST | Full framework alignment, audited and updated |
For a healthcare organization already under HIPAA, the good news is that HIPAA compliance is accepted at every tier. You do not have to bolt on CIS or NIST separately if your HIPAA program is genuine and documented. But read that word “genuine” carefully. As one plain-language analysis of the law put it, a provider that completed a HIPAA risk analysis but left a known gap in access controls unaddressed does not meet the SB 2610 standard, even after years of operating under HIPAA. Compliance in principle does not count. Documented, maintained compliance at the moment of the breach is the only thing that counts.
And there is a maintenance clause. If your chosen framework gets revised, you have to update your program to match, generally within a year of the new version. A program that was compliant in 2023 and never touched since is not a safe harbor. It is a paper trail that proves you stopped paying attention.
What does HIPAA still require, and where do providers fail?

The HIPAA Security Rule organizes everything into three kinds of safeguards. Administrative, physical, and technical. Under the administrative bucket, the very first requirement is a security risk analysis, and HHS treats that risk analysis as the foundation the rest of your program stands on. If it is missing or thin, nothing above it holds.
Here is what the three safeguard categories cover in plain terms.
- Administrative. Your risk analysis, a written remediation plan, workforce security, a sanctions policy, and regular review of who did what in your systems. This is the paperwork and process layer, and it is where audits usually find the holes.
- Physical. Who can walk up to a server or a workstation, facility access controls, and how you wipe or destroy devices before they leave the building.
- Technical. Access controls, audit logs, encryption of patient data, and authentication. The controls that live in the software.
The failure pattern is remarkably consistent, and it is not exotic hacking. It is the risk analysis. In 2025, according to an enforcement review by the employment and data-privacy firm Ogletree, 76% of OCR enforcement actions included a penalty for a risk analysis failure. Not for a firewall that got beaten. For never properly doing, documenting, and acting on the risk analysis in the first place. If you fix one thing after reading this, make it that. A real risk analysis is also the exact document SB 2610 would ask you to produce in court, which is a nice piece of leverage. One artifact, two jobs.
If you want the practical version of turning these requirements into daily habits, we wrote a cybersecurity checklist for healthcare leaders that keeps it at the operational level rather than the legal one.
The 2025 HIPAA Security Rule overhaul you should plan for
You cannot write about HIPAA in 2026 and skip this. On January 6, 2025, HHS published a proposed rule, an NPRM, that would be the most significant rewrite of the HIPAA Security Rule since 2013. The headline change is that it removes the old distinction between “required” and “addressable” safeguards. Today, some controls are technically optional if you document why. Under the proposal, they all become mandatory.
The proposed baseline is specific and, honestly, overdue. Encryption of patient data both at rest and in transit. Multi-factor authentication. Network segmentation. A maintained technology asset inventory and network map. Vulnerability scans and annual penetration testing. Security incident response and restoration inside a defined window. If your practice has been treating encryption or MFA as a someday project, that someday is being scheduled for you.
The honest caveat is timing. As of the middle of 2026, HHS has not issued a final rule. The comment period closed in March 2025 with thousands of responses, and the regulatory timeline has slipped. So this is not law yet, and I will not pretend it is. But every control in that proposal is already a defensible best practice, and every one of them strengthens your SB 2610 position too. Building toward it now is not a bet on the rule passing. It is just good security that happens to also be forward-compatible.
What does a breach actually cost when you miss both?

This is where the two laws stop being abstract. When a healthcare breach happens, the money comes at you from several directions at once, and SB 2610 only stands in front of one of them.
Start with the raw cost. IBM’s 2025 report put the average healthcare data breach at $7.42 million, keeping healthcare the most expensive industry for the fourteenth year running. Then add HIPAA enforcement. OCR settlements in 2025 ran from $25,000 up to $3 million, and the per-violation annual cap sits around $1.9 million. Then add private lawsuits from affected patients, which is the layer that has exploded in the last few years.
Now here is exactly what SB 2610 does and does not touch in that stack.
| Cost after a breach | Does SB 2610 shield it? |
|---|---|
| Exemplary (punitive) damages in a Texas lawsuit | Yes, if you qualify |
| Actual (compensatory) damages to patients | No |
| Class action liability | No |
| OCR fines and corrective action plans | No |
| Breach notification and remediation costs | No |
| Reputation and patient churn | No |
So SB 2610 is a meaningful shield on one specific, and often the largest and scariest, line item. Punitive damages are the ones juries use to make an example of a defendant, and they can dwarf the actual harm. Blocking them is real value. But if a salesperson tells you SB 2610 makes you “breach-proof” or covers your fines, walk away. It does neither. It rewards good security. It does not substitute for it, and it does not pay your OCR penalty.
What Texas healthcare providers must do now
Strip away the legal language and the to-do list is short and concrete. Every item here does double duty. It satisfies HIPAA and it builds your SB 2610 defense at the same time.
- Run a current, documented HIPAA security risk analysis, and actually remediate what it finds. An analysis with open findings and no action is the single most common enforcement trigger.
- Turn on the controls the 2025 proposal will likely make mandatory. Encryption at rest and in transit, and MFA on everything that touches patient data. Do it now, not when the final rule lands.
- Match your written program to your employee tier under SB 2610, and keep the records that prove it was live before any incident.
- Set a review cadence. Frameworks change, your systems change, and SB 2610 expects you to keep pace within about a year of any framework update.
- Keep the evidence organized. Risk analyses, training logs, policies, and dates. In an affirmative defense, the business that kept clean records wins and the one relying on memory does not.
- Do not forget the Texas-specific layer. HB 300 training and the broader state definition of covered entity still apply on top of HIPAA.
If your practice is in the Metroplex, the same standards apply and the same partners can help. Our healthcare IT services in Dallas follow this exact playbook, and the HIPAA-compliant IT foundation is the same statewide.
Do you actually need a managed IT partner for this?

Straight answer. Not always. A very small practice with a simple setup, a competent office manager, and the discipline to run and document a real risk analysis every year can carry a lot of this internally. If that is you, good. The tools exist and the standards are public.
You start needing a partner when the documentation burden and the technical depth outgrow the time you have. Multiple locations. An EMR and local servers that have to be recovered fast. Staff turnover that keeps resetting your training records. The reality that “we should test our restores” stays on a list nobody gets to. That gap between intending to be compliant and being able to prove it in court is exactly where a managed provider earns its fee, by owning the risk analysis, the controls, the evidence, and the maintenance so it is real on the day it matters instead of the week you meant to get to it.
This is the work Uprite has done for Texas businesses since 1999. We are a Houston-based managed IT and cybersecurity provider, and for healthcare clients we build the security program so that HIPAA compliance and the SB 2610 shield come out of the same documented effort, not two separate scrambles. If you want a clear read on where you stand, our cybersecurity solutions start with an assessment that maps your actual risk and gaps before anyone recommends spending a dollar.
Conclusion
Three things to carry out of this. First, SB 2610 does not replace HIPAA, it rewards you for doing HIPAA well, so the work is one program not two. Second, the shield is powerful but narrow. It blocks punitive damages and nothing else, so it is a reason to secure your data, never an excuse to relax. Third, all of it runs on proof. A documented risk analysis, maintained controls, and clean records are what satisfy the federal rule and what win the state defense.
Pick the weakest link in that chain and fix it this quarter. If you are not sure your last risk analysis was real, or whether it would hold up in front of a regulator or a jury, that is where to start. We are glad to take a look and give you an honest read before a breach makes the question urgent.
What Texas Providers Ask About HIPAA and SB 2610
Does Texas SB 2610 mean I no longer have to worry about HIPAA?
No. HIPAA is still fully in force and still enforced by federal regulators. SB 2610 does not touch your HIPAA duties. It only adds a state-level shield against punitive damages, and it uses your HIPAA compliance as the way to qualify for that shield.
If I am HIPAA compliant, am I automatically protected by SB 2610?
Not automatically. HIPAA is an accepted framework under SB 2610, but the protection depends on documented, maintained compliance at the moment of the breach. A missed risk analysis or a known gap you never fixed can disqualify you, even after years under HIPAA.
What exactly does the SB 2610 safe harbor protect me from?
Only exemplary damages, also called punitive damages, in a Texas breach lawsuit. It does not cover actual damages to patients, class actions, OCR fines, breach notification costs, or reputational harm. It is one shield on a much larger pile of exposure.
Does SB 2610 apply to my practice if I have more than 250 employees?
No. The safe harbor is written for Texas business entities with fewer than 250 employees. Larger organizations are out of scope for SB 2610, though every HIPAA obligation still applies to them in full.
What is the single most common reason healthcare providers fail an audit?
The security risk analysis. In 2025, roughly three out of four OCR enforcement actions involved a risk analysis failure. It is the foundation of the HIPAA Security Rule, and it is also the document SB 2610 would ask you to produce in court.
Do I need to do anything about the proposed 2025 HIPAA changes yet?
They are not final law as of mid-2026, so nothing is strictly required yet. But the proposal points clearly at mandatory encryption, MFA, and network segmentation. Adopting those now improves your security today and gets you ahead of the rule if it passes.










