On April 18, 2026, Governor Abbott signed House Bill 2847, creating the most comprehensive state-level cybersecurity mandate for healthcare organizations in the nation. The legislation, effective September 1, 2026, requires all Texas medical practices with 10 or more providers to implement specific technical controls, undergo annual third-party security assessments, and report certain security events to the Texas Department of State Health Services within 24 hours. A Dallas multi-specialty practice discovered the law's immediate impact when its malpractice insurer notified it that coverage would be contingent on HB 2847 compliance beginning October 1, 2026.
HB 2847 represents a fundamental shift from HIPAA's flexible "addressable" implementation specifications to mandatory technical requirements with specific compliance deadlines and enforcement mechanisms. The law establishes minimum security standards that exceed current HIPAA requirements, creates new reporting obligations, and authorizes the Texas Attorney General to impose civil penalties up to $25,000 per violation per day. For Texas medical practices, compliance is no longer optional, and the consequences of non-compliance extend beyond regulatory penalties to insurance coverage, business associate relationships, and professional licensure.
The Dallas practice's compliance gap analysis revealed that their existing HIPAA security program satisfied only 62% of HB 2847's mandatory requirements. Critical gaps included missing multi-factor authentication on administrative accounts, absence of endpoint detection and response capabilities, and lack of documented vulnerability management procedures. Remediation would require $47,000 in technology investments and 120 hours of administrative time to complete before the September 1 deadline.
Who Must Comply with HB 2847
The legislation applies broadly across the Texas healthcare ecosystem with tiered requirements based on organization size:
Covered entities. HB 2847 applies to all healthcare providers licensed in Texas, including physicians, physician groups, dentists, podiatrists, and optometrists. The law specifically includes medical practices regardless of corporate structure, meaning solo practitioners operating as PLLCs are covered if they meet size thresholds. The 10-provider threshold includes all physicians, nurse practitioners, and physician assistants who provide patient care under the practice's authority.
Tiered requirements. Practices with fewer than 10 providers face modified requirements focused on basic security controls and incident reporting. Practices with 10-49 providers must implement all technical controls and undergo biennial security assessments. Practices with 50 or more providers face the full mandate including annual third-party assessments, dedicated security personnel, and quarterly reporting to DSHS.
Business associates. The law extends certain requirements to business associates handling Texas patient data, including mandatory encryption, incident notification, and compliance attestation. Texas medical practices must obtain and maintain HB 2847 compliance documentation from all vendors with access to patient information.
Out-of-state providers. Healthcare providers licensed in other states who treat Texas patients through telemedicine or multi-state practice arrangements must comply with HB 2847 requirements for their Texas patient data. This provision captures providers who may not realize their Texas patient populations trigger state-specific mandates.
Mandatory Technical Controls
HB 2847 establishes specific technical requirements that go beyond HIPAA's flexible framework:
Multi-factor authentication. All administrative accounts, remote access systems, and systems containing protected health information must implement MFA using phishing-resistant methods. SMS-based and email-based MFA are explicitly prohibited for administrative access. The law requires FIDO2 security keys or equivalent hardware-based authentication for privileged accounts. Practices must document MFA implementation and maintain records of authentication method selection.
Encryption requirements. HB 2847 mandates AES-256 encryption for data at rest and TLS 1.3 for data in transit. The law specifically requires field-level encryption for patient data in databases, not merely disk-level encryption. Email containing patient information must use end-to-end encryption, and backup systems must implement encryption with keys stored separately from backup data.
Endpoint protection. All endpoints accessing patient data must implement next-generation antivirus or endpoint detection and response solutions. The law requires behavioral analysis capabilities, not merely signature-based detection. Practices must maintain 90 days of endpoint telemetry and demonstrate capability to isolate compromised systems within 15 minutes of detection.
Network segmentation. Medical practices must implement network segmentation that isolates critical systems, medical devices, and guest networks. The law requires documented network diagrams showing segmentation boundaries and access control lists. Practices must demonstrate that ransomware or malware on one segment cannot propagate to other segments containing patient data.
Vulnerability management. HB 2847 requires monthly vulnerability scanning with documented remediation timelines. Critical vulnerabilities must be remediated within 7 days, high-severity within 30 days, and medium-severity within 90 days. Practices must maintain vulnerability scan records for 3 years and demonstrate consistent remediation performance.
Assessment and Reporting Obligations
The law creates new operational requirements that affect practice workflows and administrative burden:
Third-party security assessments. Practices with 10 or more providers must undergo security assessments by qualified independent assessors. Assessments must evaluate all HB 2847 technical controls, review documentation, and test security effectiveness. The first assessment must be completed by March 1, 2027, with subsequent assessments annually for large practices and biennially for medium practices.
Incident reporting. HB 2847 requires notification to DSHS within 24 hours of discovering any security incident affecting 500 or more patients, any ransomware deployment, or any unauthorized access to administrative accounts. This 24-hour requirement runs parallel to HIPAA's 60-day patient notification and may require reporting before the full scope of an incident is understood.
Annual attestation. All covered practices must submit annual compliance attestations to DSHS beginning January 1, 2027. Attestations require confirmation that all mandatory controls are implemented, documentation is current, and no reportable incidents occurred during the attestation period. False attestation constitutes a separate violation subject to penalties.
Documentation requirements. The law mandates specific documentation including security policies, risk assessments, incident response plans, business associate agreements, and training records. Documentation must be maintained for 6 years and made available to DSHS upon request within 48 hours.
Enforcement and Penalties
HB 2847 establishes aggressive enforcement mechanisms with significant financial consequences:
Civil monetary penalties. The Texas Attorney General may impose civil penalties of up to $25,000 per violation per day. Violations include failure to implement required controls, failure to report incidents within 24 hours, failure to undergo required assessments, and false attestations. The law explicitly permits penalty stacking, meaning multiple violations can result in substantial aggregate penalties.
Licensure consequences. The Texas Medical Board, Board of Dental Examiners, and other licensing authorities must consider HB 2847 violations in licensure decisions. Repeated or willful violations may result in license suspension, probation, or revocation. The law creates a reporting obligation between DSHS and licensing boards that ensures compliance failures affect professional standing.
Private right of action. HB 2847 creates a limited private right of action allowing patients to sue for violations that result in unauthorized disclosure of their medical information. Successful plaintiffs may recover actual damages, statutory damages up to $10,000 per violation, and attorney fees. This provision incentivizes plaintiff attorneys to monitor compliance and pursue violations.
Insurance implications. The law permits insurers to condition coverage on HB 2847 compliance and requires notification to insurers of any violations. Malpractice insurers, cyber insurers, and general liability carriers are incorporating HB 2847 compliance into underwriting and claims handling. Non-compliant practices face coverage limitations, premium increases, or policy non-renewal.
Compliance Timeline and Preparation
HB 2847's September 1, 2026 effective date creates an urgent preparation timeline:
Immediate: Conduct Compliance Gap Analysis
Evaluate current security controls against HB 2847's mandatory requirements. Identify gaps in MFA implementation, encryption coverage, endpoint protection, network segmentation, and vulnerability management. Document findings and estimate remediation costs and timelines. The Dallas practice's gap analysis required 40 hours of administrative time and identified 14 specific control deficiencies.
May-June 2026: Implement Technical Controls
Deploy missing security technologies including MFA hardware keys, EDR platforms, network segmentation infrastructure, and vulnerability scanning tools. Update encryption implementations to meet field-level requirements. Document all implementations with configuration details and implementation dates. Prioritize controls based on risk and implementation complexity.
July-August 2026: Develop Documentation and Procedures
Create required documentation including updated security policies, risk assessments, incident response plans, and training materials. Establish 24-hour incident reporting procedures with DSHS notification workflows. Train staff on new controls and updated procedures. Test incident response and reporting capabilities through tabletop exercises.
September 1, 2026: Achieve Compliance
Complete implementation of all mandatory controls and documentation. Conduct final compliance verification against HB 2847 requirements. Engage qualified assessor for practices requiring third-party assessment by March 2027. Submit initial attestation documentation to DSHS by January 1, 2027.
Practical Implementation Considerations
HB 2847 compliance requires thoughtful implementation that balances security effectiveness with operational practicality:
Medical device integration. Many medical devices cannot support modern authentication or encryption requirements. Practices must implement compensating controls including network isolation, monitoring, and access restrictions. Document why each device cannot meet requirements and what compensating controls provide equivalent protection.
Remote access complexity. The MFA requirements affect all remote access including physician home access, vendor support connections, and business associate integrations. Implementing hardware-based MFA across diverse user populations requires careful planning and user support. Consider zero-trust architecture that reduces reliance on VPN-based remote access.
Business associate management. HB 2847 requires practices to obtain compliance attestations from all vendors handling Texas patient data. Many business associates are unprepared for these requirements and may resist contractual modifications. Practices must evaluate whether to terminate non-compliant vendor relationships or accept compliance gaps with compensating controls.
Resource allocation. Full HB 2847 compliance requires significant investment in technology, assessment services, and administrative time. Small practices may struggle to allocate resources while maintaining patient care operations. Consider shared security services, managed security providers, or practice group collaborations that distribute compliance costs.
Conclusion
Texas HB 2847 establishes mandatory cybersecurity requirements that fundamentally change the compliance landscape for medical practices. The law's specific technical controls, aggressive enforcement mechanisms, and September 2026 effective date create urgent preparation requirements for Texas healthcare organizations.
The Dallas practice's experience demonstrates that existing HIPAA compliance programs may satisfy only a portion of HB 2847 requirements. The gap between the current state and the mandated controls requires significant investment in technology, documentation, and assessment services. Practices that delay preparation risk non-compliance penalties, insurance complications, and licensure consequences.
Effective compliance requires immediate action to assess current state, implement missing controls, develop required documentation, and establish ongoing compliance operations. The law's 24-hour reporting requirement and annual attestation obligations create permanent operational changes that practices must integrate into their security programs. For Texas medical practices, HB 2847 represents the new baseline for healthcare cybersecurity, and compliance is essential for continued operation.
HB 2847 takes effect September 1, 2026, with penalties up to $25,000 per violation per day. If your Texas medical practice has not begun compliance preparation, you have less than 5 months to implement mandatory controls, develop documentation, and establish reporting procedures before the law becomes enforceable.