SECURETexas Certification – Is It Right for Your Organization?

SECURETexas was created per Texas House Bill 300 in 2011 to help covered entities in Texas demonstrate that they have met privacy and security standards to reduce regulatory penalties, mitigate risk, and increase business partner and consumer confidence in the protection of protected health information (PHI).

About SECURETexas

The SECURETexas Health Information Privacy and Security Certification was designed to help manage the risk that electronic health records pose to privacy and security due to the increasing use of technologies. The Texas Legislature developed this program through the Texas Health Services Authority (THSA) and included compliance with both federal and state laws, including Health Insurance Portability and Accountability Act (HIPAA).

For organizations that fail to meet state laws, such as the Texas Medical Records Privacy Act, Texas covered entities can face the following potential civil penalties:

  • $5,000 for each violation that occurs in one year, committed negligently
  • $25,000 for each violation that occurs in one year, committed knowingly or intentionally
  • $250,000 for each violation in which the covered entity knowingly or deliberately used PHI for financial gain
  • Up to $1,500,000 if the court finds that the violations have occurred with a frequency to constitute a pattern or practice

Organizations seeking SECURETexas will need to pay to achieve certification, which is separate from the cost of conducting the assessment through a vendor. The price is scaled based on the covered entity’s number of employees:

Number of Employees Price
1 – 25 employees $250
26 – 101 employees $500
101 – 500 employees $1,000
501 – 1000 employees $2,500
More than 1000 employees $5,000


Previously, SECURETexas certification could exclusively be achieved through HITRUST. However, as of 2017, organizations can conduct the SECURETexas Health Information Privacy and Security Certification through a preferred vendor, or by utilizing a recognized framework that meets some or all of the assessment requirements, such as the HITRUST CSF and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Who Needs SECURETexas?

SECURETexas applies to covered entities based in Texas. A “covered entity” is an organization that uses, stores, and/or exchanges PHI, as defined by Texas Medical Records Privacy Act.

Benefits of SECURETexas Certification

While SECURETexas Health Information Privacy and Security Certification is voluntary, it can help organizations in several ways, such as:

  1. Minimizing potential fines and/or penalties
  2. Increasing the confidence of consumers and business partners in your data security and privacy controls
  3. Providing organizations with third-party evidence of a covered entity’s compliance with privacy and security rules
  4. Potentially streamlining audits and/or reviews by the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) or other states

How A-LIGN Helps Achieve SECURETexas Certification

As a SECURETexas Preferred Vendor and HITRUST assessor firm, A-LIGN can validate the implementation of the required controls. A-LIGN has deep experience in conducting HITRUST assessments and working with healthcare organizations in meeting their SOC, HIPAA, HITRUST, and penetration testing requirements.

Additionally, A-LIGN has experience in assessing against NIST frameworks, such as NIST 800-53 and NIST 800-171, and can help organizations utilize the NIST Cybersecurity Framework in order to meet the assessment requirement for SECURETexas Certification.

For more information on SECURETexas certification and how A-LIGN can help, reach out to [email protected] or call 888-702-5446 to get started today.