
HIPAA Security Rule Compliance for Texas Healthcare

Texas healthcare attacks are up 30% in Q4 2025. The HIPAA Security Rule (45 CFR Part 164 Subpart C) mandates 18 safeguards across Administrative, Physical, and Technical categories — with OCR enforcement at full strength. Map all 18 safeguards to your security posture, understand what auditors look for, and know exactly which CoreReconOS tier covers each control.

CoreReconOS Threat Intelligence  |  June 6, 2026  |  HIPAA Security Rule

Why Texas Healthcare Is in the HIPAA Audit Crosshairs

Attack Surge: Texas healthcare attacks up 30% in Q4 2025. Change Healthcare / Ascension fallout drove unprecedented OCR scrutiny. BCBSTX subsidiary breach exposed 1.1M patient records.
Breach Cost: $10.93M average healthcare breach cost (IBM 2024 Cost of a Data Breach Report). Texas is a top-3 state for healthcare data breach costs.
Dwell Time: 207-day median dwell time before detection — attackers spend months inside networks before being spotted.
Texas Rank: Texas ranks among the top 3 states nationally for healthcare data breach costs per incident.
Free HIPAA Posture Assessment — $2,500 Value
Know where you stand before an OCR auditor does.
18-safeguard gap assessment mapped to HIPAA Security Rule. 6-year audit log requirements. Breach notification procedures. Delivered in 5 business days — no cost, no obligation.
Used by Texas healthcare organizations preparing for OCR enforcement

18 HIPAA Security Rule Safeguards

The HIPAA Security Rule (45 CFR Part 164 Subpart C) establishes 18 safeguards across three categories. NIST SP 800-66r2 provides implementation guidance. HIPAA requires audit log retention for a minimum of 6 years.

Administrative — Safeguard 1: Security Management Process
What auditors look for: Written risk analysis, documented risk management plan, sanction policy for workforce members, system activity review logs
Common gaps: Risk analysis not updated annually, sanction policy absent or not distributed, no systematic information system activity review
Sentinel: Risk assessment engine, risk management tracking, automated sanction policy delivery, monthly activity review reports
Fortress: All Sentinel features plus quarterly risk re-evaluation, documented corrective action plans, continuous monitoring
Command: All Fortress features plus enterprise risk management, board-level reporting, 6-year audit log retention for HIPAA compliance
Administrative — Safeguard 2: Assigned Security Responsibility
What auditors look for: Designated security official in writing, contact info in policies, clear chain of responsibility
Common gaps: No named HIPAA security officer, responsibility assigned but not communicated, coverage gaps during absences
Sentinel: Named security officer designation, role documentation, coverage mapping for absences
Fortress: All Sentinel features plus backup officer documentation, responsibility communicated org-wide, board-level visibility
Command: All Fortress features plus DPO-as-a-service option, governance committee setup, annual responsibility review
Administrative — Safeguard 3: Workforce Security
What auditors look for: Authorization procedures before granting access, supervision protocols, background checks for high-access roles
Common gaps: No formal authorization workflow, background checks not completed before access granted, supervision gaps for contractors
Sentinel: Role-based authorization workflows, access request tracking, background check tracking dashboard
Fortress: All Sentinel features plus automated provisioning/deprovisioning, supervision audit logs, contractor access reviews
Command: All Fortress features plus identity governance integration, automated access certification campaigns, zero-trust architecture
Administrative — Safeguard 4: Information Access Management
What auditors look for: Access authorization based on role, access agreements signed by workforce, policies for accessing ePHI
Common gaps: No role-based access matrix, access agreements missing or stale, overly broad access grants
Sentinel: Role-based access matrix, access agreement management, ePHI access logging, quarterly access reviews
Fortress: All Sentinel features plus automated access certification, segregation of duties controls, policy enforcement engine
Command: All Fortress features plus advanced access governance, analytics-driven least-privilege enforcement, automated compliance reporting
Administrative — Safeguard 5: Security Awareness and Training
What auditors look for: Annual security awareness training for all workforce, periodic reminders, malicious software training, login monitoring, password management
Common gaps: Training completed but not documented, no phishing reminders, password policy not enforced, missing contractor training
Sentinel: Annual training program with documentation, monthly phishing reminders, password policy enforcement, training completion tracking
Fortress: All Sentinel features plus simulated phishing campaigns, role-specific training modules, breach scenario walkthroughs
Command: All Fortress features plus gamified awareness platform, real-time threat briefings, executive tabletop exercises, compliance reporting
Administrative — Safeguard 6: Security Incident Procedures
What auditors look for: Documented incident response plan, 24/7 response capability, incident logging, breach notification procedures
Common gaps: No formal IR plan, response capability untested, breach notification procedures not documented, no OCR reporting prep
Sentinel: IR plan documentation, incident classification framework, 24/7 alert monitoring, breach notification checklist
Fortress: All Sentinel features plus SOC-as-a-service, incident response playbook automation, OCR reporting template library
Command: All Fortress features plus dedicated incident response team, ransomware-specific playbooks, HHS OCR notification support, post-incident reporting
Administrative — Safeguard 7: Contingency Plan
What auditors look for: Data backup procedures, disaster recovery plan, emergency mode operations plan, annual contingency plan testing
Common gaps: Backups not tested, no documented disaster recovery plan, emergency mode plan missing, no annual testing
Sentinel: Automated backup scheduling, offsite backup storage, disaster recovery checklist, annual DR test documentation
Fortress: All Sentinel features plus cloud backup replication, DR runbook automation, failover testing, alternate site procedures
Command: All Fortress features plus hot-site DR capability, annual DR exercise with documentation, executive continuity planning, BAA-covered cloud storage
Physical — Safeguard 8: Facility Access Controls
What auditors look for: Contingency operations procedures, facility security plan, visitor access logs, maintenance records
Common gaps: No visitor log policy, no documented facility security plan, access controls not tested, maintenance records missing
Sentinel: Badge access control system, visitor log policy, facility security assessment, access log retention (6-year HIPAA requirement)
Fortress: All Sentinel features plus biometric access controls, CCTV integration, perimeter security hardening, maintenance scheduling
Command: All Fortress features plus 24/7 physical security monitoring, SOC-affiliated guard services, integrated alarm systems, compliance reporting
Physical — Safeguard 9: Workstation Use
What auditors look for: Written policy defining acceptable workstation use, location restrictions, proper workstation handling procedures
Common gaps: No written workstation use policy, location restrictions not communicated, policy not distributed to workforce
Sentinel: Workstation use policy template, policy distribution tracking, acceptable use agreement management
Fortress: All Sentinel features plus policy enforcement engine, endpoint lockdown capabilities, location-based access controls
Command: All Fortress features plus advanced endpoint management, application allowlisting, comprehensive compliance reporting
Physical — Safeguard 10: Workstation Security
What auditors look for: Physical safeguards for workstations, automatic logoff, screen lock policies, device placement standards
Common gaps: No automatic logoff configured, workstations in open areas, screen lock policies not enforced, no device placement standards
Sentinel: Automatic logoff configuration, screen lock enforcement, workstation physical security assessment, device placement guidelines
Fortress: All Sentinel features plus full-disk encryption enforcement, USB port controls, workstation hardening scripts, remote wipe capability
Command: All Fortress features plus EDR integration, enterprise workstation management, advanced physical security controls, compliance verification
Physical — Safeguard 11: Device and Media Controls
What auditors look for: Media disposal procedures, media re-use policy, accountability logs, data backup and storage procedures
Common gaps: No certified media destruction, accountability logs missing, data not purged before device re-use, backup tapes unencrypted
Sentinel: Certified media destruction vendor coordination, accountability logging, backup encryption (AES-256), media re-use policy
Fortress: All Sentinel features plus electronic media sanitization, backup media management, accountability reporting, BAA-covered storage
Command: All Fortress features plus cloud-based media lifecycle management, automated backup verification, secure data destruction certification
Technical — Safeguard 12: Access Control
What auditors look for: Unique user identification, emergency access procedure, automatic logoff, encryption/decryption of ePHI
Common gaps: Shared logins, no emergency access procedure documented, automatic logoff not configured, unencrypted ePHI at rest
Sentinel: Unique ID enforcement per user, MFA deployment, automatic logoff configuration, AES-256 encryption for ePHI at rest
Fortress: All Sentinel features plus single sign-on integration, emergency access procedure automation, contextual access controls, TLS 1.2+ for ePHI in transit
Command: All Fortress features plus zero-trust network access, behavioral analytics, advanced threat detection, continuous compliance monitoring
Technical — Safeguard 13: Audit Controls
What auditors look for: Hardware and software audit trails, log retention for a minimum of 6 years, regular log review process, audit log protection
Common gaps: Insufficient log retention (< 6 years violates HIPAA), logs not reviewed regularly, audit trails not protected from tampering
Sentinel: Automated audit log collection, 6-year retention (HIPAA-required), syslog/CEF/JSON format support, monthly compliance reports
Fortress: All Sentinel features plus SIEM correlation engine, real-time alerting, log integrity protection (hash chaining), advanced threat detection
Command: All Fortress features plus dedicated SIEM correlation rules for HIPAA, behavioral analytics, executive compliance dashboards, audit trail export
Technical — Safeguard 14: Integrity
What auditors look for: Mechanism for authenticating ePHI, digital signature support, protection against unauthorized modification
Common gaps: No integrity checking on ePHI, digital signatures not implemented, no protection against unauthorized modification
Sentinel: File integrity monitoring for ePHI repositories, change detection alerts, hash verification, audit of modifications
Fortress: All Sentinel features plus digital signature capabilities, automated integrity verification, content integrity reports
Command: All Fortress features plus blockchain-backed audit trail option, advanced integrity monitoring, compliance-grade timestamping
Technical — Safeguard 15: Transmission Security
What auditors look for: Encryption for ePHI in transit (TLS 1.2+), integrity controls on transmissions, transmission logging
Common gaps: ePHI transmitted over unencrypted channels, no TLS enforcement, integrity controls not implemented, transmission logs missing
Sentinel: TLS 1.2+ enforcement for all ePHI transmissions, SSL/TLS inspection, integrity hash verification, transmission logging
Fortress: All Sentinel features plus private API endpoints for ePHI, certificate management, advanced transmission monitoring
Command: All Fortress features plus mTLS implementation, hardware security module (HSM) option, advanced transmission analytics
Other — Safeguard 16: Risk Analysis (§ 164.308(a)(1))
What auditors look for: Comprehensive risk analysis of all ePHI systems, documented methodology, regular updates, risk prioritization
Common gaps: Risk analysis not conducted organization-wide, analysis not updated after changes, risks not prioritized, analysis not documented
Sentinel: Risk analysis framework, ePHI inventory, risk scoring methodology, annual risk reassessment with documentation
Fortress: All Sentinel features plus automated risk scanning, continuous risk monitoring, risk treatment planning, executive risk register
Command: All Fortress features plus enterprise risk management platform, real-time risk intelligence, board-level risk reporting
Other — Safeguard 17: Risk Management (§ 164.308(a)(5))
What auditors look for: Documented risk management strategy, implementation of security measures, monitoring of risks over time
Common gaps: No formal risk management strategy, security measures not implemented based on risk analysis, no ongoing monitoring
Sentinel: Risk management plan documentation, security measure implementation tracking, quarterly risk reassessment, remediation tracking
Fortress: All Sentinel features plus automated security control deployment, continuous risk monitoring, KPI-based risk tracking
Command: All Fortress features plus enterprise security governance, real-time risk dashboard, integrated compliance management
Other — Safeguard 18: Evaluation (§ 164.312(a)(2)(i))
What auditors look for: Regular evaluations of security safeguards, documented evaluation process, remediation of findings
Common gaps: No regular evaluations conducted, evaluation results not documented, findings not remediated, no evaluation schedule
Sentinel: Annual evaluation program, compliance self-assessment toolkit, evaluation documentation, findings tracking dashboard
Fortress: All Sentinel features plus quarterly compliance evaluations, third-party assessment coordination, remediation project management
Command: All Fortress features plus continuous compliance monitoring, OCR-audit-ready evidence packages, board-level evaluation reporting

OCR Is Active. Ransomware = Breach.

Settlement Trends: Anthem $16M. Premera $30M. HHS Office for Civil Rights has collected hundreds of millions in HIPAA enforcement actions. Small providers are not exempt from OCR audit programs.
Ransomware = Breach: HHS guidance: ransomware incidents are presumed to be reportable breaches unless documented proof demonstrates no ePHI was accessed. The 60-day notification clock starts at discovery.
60-Day Notification Clock: Unified 60-day rule (2024 update): covered entities must notify affected individuals within 60 days of discovery. OCR must be notified for breaches affecting 500+ individuals.
OCR Audit Program: HIPAA audits are active. Covered entities and business associates of all sizes are in scope. CoreReconOS Command clients receive OCR-audit-ready evidence packages.
Free $2,500 HIPAA Posture Assessment
Get your free security posture assessment.
18-safeguard gap analysis mapped to HIPAA Security Rule. Log retention review. Breach notification procedures. Delivered in 5 days — no cost, no strings.