Last month, a pain management clinic in Killeen confirmed that an attacker had been inside their network for two months before anyone noticed. In that time, the intruder had access to patient names, Social Security numbers, dates of birth, diagnoses, medication records, insurance information, and financial account data. The clinic, Integrated Pain Associates, announced the incident on April 30, 2026. They are still working through individual patient notifications.
For healthcare practices across Central Texas, this is not a distant story. It is a preview of what happens when the day-to-day demands of running a clinic crowd out the compliance work that federal and state law now require.
If you are running a small practice, whether a family medicine office in Temple, a physical therapy group in Georgetown, or a specialty clinic in Taylor, the question is not whether a breach could happen to you. The question is whether you could prove, on demand, that you did everything HIPAA and Texas law required before it did.
What Happened in Killeen
Integrated Pain Associates is a pain and spine specialty clinic serving patients in the Killeen area. Their forensic review confirmed that unauthorized access to their network began around February 24, 2026. The breach was not discovered until weeks later. The attacker had access to a wide range of protected health information, PHI in the language of HIPAA, covering potentially thousands of patients.
The types of data exposed are among the most sensitive a healthcare provider can hold. Social Security numbers combined with diagnosis information and financial account data create exactly the conditions identity thieves and fraud networks are looking for. The clinic is now offering credit monitoring services to affected individuals and managing a patient notification process that, under HIPAA, has a hard deadline.
This kind of dwell time, an attacker moving freely through a network for weeks or months, is common in healthcare breaches. It happens because small practices typically do not have the monitoring tools or IT staff to detect unusual activity in real time. By the time a breach is identified, the damage is already done.
What HIPAA Requires of Your Practice Right Now
The HIPAA Security Rule has always required healthcare organizations to protect electronic PHI. What is changing in 2026 is the specificity of those requirements, and the degree to which HHS and the Office for Civil Rights are enforcing them.
HHS published sweeping proposed updates to the HIPAA Security Rule in December 2024, the most significant changes since the original rule was enacted. Healthcare practices need to understand what is expected, because auditors and cyber insurance carriers are already asking for evidence of compliance.
The requirements that practices need to address now include mandatory encryption of PHI both at rest and in transit, which means the data cannot travel across your network or sit on a server in readable form. Multi-factor authentication is required for every system that accesses PHI. Vulnerability scans must be performed at least every six months. A documented incident response plan must exist before a breach occurs, not after. And the 72-hour clock for reporting a breach affecting 500 or more patients to the Office for Civil Rights is not a suggestion.
The 72-hour clock is where most small practices stumble. In a real incident, 72 hours passes very quickly when you are simultaneously trying to contain the breach, understand what was taken, notify patients, and brief legal counsel. Without a documented response plan and a clear chain of communication, that deadline is almost impossible to meet.
Texas Goes Further: What HB 300 Adds on Top
If you are a healthcare provider in Texas, HIPAA is the floor, not the ceiling. Texas House Bill 300, also known as the Texas Medical Records Privacy Act, imposes requirements that go beyond federal law in several important ways.
The most significant difference for breach situations is the Texas Attorney General notification requirement. If a breach affects 250 or more Texas residents, your practice must notify the Texas AG electronically within 30 days of determining the breach occurred. This is a separate obligation from the HIPAA breach notification rule, and it applies at a lower threshold: HIPAA requires HHS notification when 500 or more individuals are affected.
Missing that 30-day AG window carries real consequences. The Texas AG can impose fines of $100 per breached record per day for late notification, up to a maximum of $250,000.
That is before the civil penalties for the underlying violation. For an intentional HB 300 violation, which includes failure to implement required safeguards when you knew the requirement existed, penalties can reach $250,000 per violation. A pattern of noncompliance can reach $1.5 million in a single year.
These numbers are not reserved for large hospital systems. Over 55 percent of HIPAA enforcement actions target small practices and individual providers. The Office for Civil Rights does not scale its enforcement expectations to the size of your operation.
Why Small Practices Are the Most Exposed
A solo practitioner or a small specialty group faces the same compliance burden as a large health system, with a fraction of the internal resources to meet it.
Most small practices in Central Texas do not have a full-time IT director. The person responsible for technology is often also managing scheduling, billing, and vendor relationships. The HIPAA risk assessment, a required document that must be current, comprehensive, and auditor-ready, frequently gets deferred until a renewal or an audit forces the issue.
The other common gap is access control. PHI should only be accessible to the people who need it for their specific role. In practice, shared credentials, former employee accounts that were never deactivated, and over-provisioned access to billing and records systems are common in small practices. An attacker who gets one set of credentials should not be able to reach everything. In many small practice environments, they can.
This is not a criticism. It is the operational reality of running a small healthcare business without dedicated IT support.
How CTTS Helps Central Texas Practices Stay Compliant
At CTTS, we provide managed IT services Texas healthcare practices can rely on to meet HIPAA requirements without building an internal compliance team from scratch. We have worked with practices across the region, from small specialty clinics to multi-location groups, and the compliance gaps we find are consistent.
Here is how we approach it.
A Current HIPAA Risk Assessment Your Auditor Can Actually Read
The HIPAA Security Rule requires a risk assessment, but it does not specify a format. What auditors, cyber insurers, and OCR investigators actually need is a document that identifies your specific assets, maps the threats to those assets, evaluates existing controls, and documents a remediation plan for the gaps.
We build that document with you and keep it current. When your carrier asks for it at renewal or an investigator requests it after an incident, it is ready.
Tightening Access to PHI
Not every person in your practice needs access to every patient record. We audit who has access to what, remove accounts that are no longer active, and implement role-based access controls so that a front desk employee and a billing specialist are not looking at the same data as your clinical staff.
This step alone eliminates a significant category of risk. If an attacker compromises a low-privilege account, they should not be able to reach your entire patient database.
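The access problems described above (former employee accounts left enabled, shared credentials, and accounts provisioned beyond what their role needs) are the kind of thing a periodic access review catches. The script below is an added example written for this post, not CTTS's own tooling: it runs a role-based access review over a constructed account export. The role names, system names, 90-day dormancy threshold, and the sample accounts are all assumptions for illustration; a real review would read the same fields from the EHR, billing system, and directory service.

```python
"""Role-based access review over a PHI system account export.

Added example for illustration, not CTTS tooling. All role names, system
names, thresholds, and sample accounts below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assumed least-privilege policy: the PHI-bearing systems each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "front_desk": {"scheduling"},
    "billing": {"scheduling", "billing"},
    "clinical": {"scheduling", "ehr_clinical"},
    "practice_admin": {"scheduling", "billing", "ehr_clinical"},
}
INACTIVE_DAYS = 90  # assumed threshold for flagging dormant accounts


@dataclass
class Account:
    username: str
    owner: str          # person the account belongs to, or "shared" if it is not one person
    role: str
    systems: set        # PHI systems the account can currently reach
    employed: bool      # still on staff according to HR records
    last_login: date
    mfa_enabled: bool


def review_accounts(accounts, today):
    """Return (username, finding) pairs an auditor should act on."""
    findings = []
    for a in accounts:
        # Former employees: the account must be disabled, not just forgotten.
        if not a.employed:
            findings.append((a.username, "former employee account still enabled"))
        # Shared credentials break the audit trail HIPAA expects for PHI access.
        if a.owner == "shared":
            findings.append((a.username, "shared credential; actions cannot be attributed to a person"))
        # Over-provisioning: anything beyond the role's entitlement is excess access.
        excess = a.systems - ROLE_ENTITLEMENTS.get(a.role, set())
        if excess:
            findings.append((a.username, f"over-provisioned for role {a.role}: {sorted(excess)}"))
        # Dormant accounts are a favorite foothold because nobody notices their activity.
        if (today - a.last_login).days > INACTIVE_DAYS:
            findings.append((a.username, f"no login in more than {INACTIVE_DAYS} days"))
        # MFA is required on every system that accesses PHI.
        if a.systems and not a.mfa_enabled:
            findings.append((a.username, "accesses PHI without multi-factor authentication"))
    return findings


# Constructed sample export for a four-account practice.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Jane Doe", "front_desk", {"scheduling"}, True, date(2026, 5, 12), True),
    Account("frontdesk2", "shared", "front_desk", {"scheduling", "billing"}, True, date(2026, 5, 14), False),
    Account("rsmith", "Robert Smith", "billing", {"scheduling", "billing", "ehr_clinical"}, False, date(2026, 1, 15), True),
    Account("dr_lee", "Dr. Lee", "clinical", {"scheduling", "ehr_clinical"}, True, date(2026, 5, 14), True),
]
REVIEW_DATE = date(2026, 5, 15)  # fixed so the sample run is reproducible


def run_sample_review():
    return review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for username, finding in run_sample_review():
        print(f"{username}: {finding}")
```

In the sample run, the two properly provisioned accounts produce no findings, while the shared front-desk login and the departed billing employee's account produce six findings between them. Each finding maps to a concrete remediation: disable, reassign to a named owner, trim entitlements, or enroll in MFA.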
A Documented Incident Response Plan Built for the 72-Hour Clock
Most practices do not have an incident response plan. When a breach happens, they are making decisions under pressure with no playbook. We build that plan before the event: who gets called, in what order, what gets preserved, what gets reported, and to whom.
The plan also accounts for the 30-day Texas AG notification window. Knowing that obligation exists and having it built into your response process is the difference between a manageable incident and a compliance failure on top of a security failure.
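Because the federal and Texas obligations have different thresholds and different clocks, the response plan needs to compute both from the same set of breach facts. The following is an added example, not part of this post or CTTS's process, that encodes the deadlines and penalty figures exactly as this post describes them (72 hours to OCR at 500 or more affected individuals; 30 days to the Texas AG at 250 or more Texas residents; $100 per record per day for late AG notice, capped at $250,000). The breach dates and record counts in the sample are constructed.

```python
"""Regulator notification deadlines and late-notice exposure for a breach.

Added example; thresholds, windows, and penalty figures are taken from the
post's description and all sample dates and counts are constructed.
"""
from datetime import datetime, timedelta

HIPAA_OCR_THRESHOLD = 500          # individuals affected
HIPAA_OCR_WINDOW = timedelta(hours=72)
TEXAS_AG_THRESHOLD = 250           # Texas residents affected
TEXAS_AG_WINDOW = timedelta(days=30)
TEXAS_AG_LATE_FINE_PER_RECORD_PER_DAY = 100
TEXAS_AG_LATE_FINE_CAP = 250_000


def notification_obligations(determined_at, affected_total, affected_texas):
    """Map each regulator that must be notified to its deadline.

    Both obligations are evaluated independently: a breach can trigger the
    Texas AG notice without reaching the HIPAA OCR threshold, or trigger both.
    """
    obligations = {}
    if affected_total >= HIPAA_OCR_THRESHOLD:
        obligations["HHS Office for Civil Rights"] = determined_at + HIPAA_OCR_WINDOW
    if affected_texas >= TEXAS_AG_THRESHOLD:
        obligations["Texas Attorney General"] = determined_at + TEXAS_AG_WINDOW
    return obligations


def overdue_notifications(obligations, now):
    """Names of regulators whose deadline has already passed at `now`."""
    return sorted(name for name, deadline in obligations.items() if now > deadline)


def texas_ag_late_exposure(deadline, notified_at, texas_records):
    """Fine exposure for a late Texas AG notice, per the post's figures."""
    days_late = max(0, (notified_at - deadline).days)
    return min(TEXAS_AG_LATE_FINE_PER_RECORD_PER_DAY * texas_records * days_late,
               TEXAS_AG_LATE_FINE_CAP)


# Constructed scenario: breach determined the morning of April 30, 2026.
DETERMINED_AT = datetime(2026, 4, 30, 9, 0)


def sample_small_breach():
    # 300 affected, all Texas residents: below HIPAA's 500, above Texas's 250.
    return notification_obligations(DETERMINED_AT, 300, 300)


def sample_large_breach():
    # 600 affected, all Texas residents: both regulators, both clocks running.
    return notification_obligations(DETERMINED_AT, 600, 600)


if __name__ == "__main__":
    for label, obligations in (("small", sample_small_breach()), ("large", sample_large_breach())):
        print(f"{label} breach:")
        for regulator, deadline in obligations.items():
            print(f"  notify {regulator} by {deadline:%Y-%m-%d %H:%M}")
```

The small scenario is the one that catches practices off guard: 300 records is under the HIPAA OCR threshold, so a team that only knows the federal rule would conclude no regulator notice is due, while the Texas AG clock is already running.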
Take the Next Step
The Killeen practice is still working through individual patient notifications. That process is expensive, time-consuming, and damaging to the trust that small practices depend on.
If you are a healthcare provider in Central Texas and you are not certain your HIPAA risk assessment is current, your PHI access controls are tight, and your incident response plan is documented, now is the right time to find out.
Schedule a free assessment with CTTS today!
Frequently Asked Questions
Does HIPAA apply to small medical practices and clinics?
Yes. HIPAA applies to any healthcare provider that transmits health information electronically, which includes virtually every practice that submits insurance claims. There is no size exemption. A solo practitioner faces the same core compliance obligations as a large hospital system under the HIPAA Security Rule. What differs is scale, not the requirement. OCR enforcement data consistently shows that small practices and individual providers account for more than half of all enforcement actions, in part because smaller organizations often have fewer resources dedicated to compliance documentation.
What is the difference between HIPAA and Texas HB 300 for my practice?
HIPAA is the federal floor: it sets minimum requirements for protecting patient health information across the country. Texas House Bill 300 goes further in several areas. It applies to a broader category of entities, imposes additional training and notice obligations, and requires notification to the Texas Attorney General within 30 days when a breach affects 250 or more Texas residents. HIPAA's comparable notification threshold is 500 individuals. If a breach occurs, your practice may be liable for violations of both laws simultaneously. The penalties are separate and can stack.
How do I know if my practice's HIPAA risk assessment is current?
A HIPAA risk assessment is considered current if it accurately reflects your current environment: your systems, your staff, your vendors, and your data flows. If you have added new software, changed EHR systems, hired or lost staff with PHI access, or onboarded new business associates since your last assessment, it needs to be updated. A useful benchmark: if you cannot describe the specific threats to each type of PHI your practice holds, or if you do not have a written remediation plan for the gaps identified in your last assessment, the document is not audit-ready. CTTS can review what you have and tell you where the gaps are in a single session.
Contact CTTS today for IT support and managed services in Austin, TX. Let us handle your IT so you can focus on growing your business. Visit CTTSonline.com or call us at (512) 388-5559 to get started!
