HR Compliance for Small Medical Practices in Texas (HIPAA, OSHA, Employee Documents, and What Owners Miss)
Disclaimer: The information on this website (including all examples, explanations, and content) is for general informational purposes only and should not be considered legal, tax, or HR advice. Employment law and healthcare compliance are complex and fact-specific. Always consult with a qualified employment attorney and healthcare compliance specialist about your specific situation.
Medical Practice HR Has Two Compliance Layers
A regular small business has one set of HR compliance items (federal labor law, state labor law, payroll documentation). A medical practice has all of that plus a second compliance layer that includes HIPAA, OSHA bloodborne pathogen requirements, and credentialing documentation for clinical staff.
Most small medical practices handle the second layer poorly. The compliance gap is rarely caught by anything other than a complaint, an audit, or a workplace injury that triggers a review. By the time it shows up, the cost of bringing the practice into compliance is much larger than it would have been to set it up correctly from the beginning.
This post walks through the practical HR compliance items for a small medical practice in Texas. It is not a comprehensive legal guide. For specific situations, work with an employment attorney and (for the healthcare compliance side) a HIPAA and OSHA compliance specialist.
The related operational topics live in our payroll for a small medical practice in Texas guide.
Foundational Employment Documents
These are required for every employee, regardless of practice type.
Form I-9
Federal law requires every employee to complete Form I-9 within three days of hire. The employer reviews supporting documents (passport, driver's license plus Social Security card, etc.) and retains the I-9 for the longer of three years from the hire date or one year from termination.
Common mistakes:
- I-9 not completed before the first paycheck
- Improper document review (accepting documents that do not meet the requirements)
- Failing to retain I-9s for terminated employees for the required period
Form W-4
The federal income tax withholding form. Required before the first paycheck. The employee can update it any time, and the employer must use the updated version going forward.
State New Hire Reporting
Texas requires new hire reporting through the Texas new hire program. See the TWC New Hire Reporting page. Reports are due within 20 days of hire (or earlier under some circumstances).
Personnel File
Each employee should have a personnel file containing:
- I-9 (kept separately from the rest of the personnel file)
- W-4
- Offer letter or employment agreement
- Job description
- Performance evaluations and disciplinary documentation
- Training records
- License and credentialing documentation (for clinical staff)
- Separation documentation when applicable
Medical records of the employee (if any) should be kept separately from the personnel file under HIPAA. Medical accommodation requests and related correspondence also stay separate.
Required Workplace Postings
Federal and Texas law require specific workplace postings. The list changes from time to time. The current required postings include:
- Federal minimum wage poster
- Federal Equal Employment Opportunity poster
- Federal Family and Medical Leave Act (FMLA) poster (if FMLA applies — typically 50+ employees, but smaller practices may have it as a courtesy)
- Federal Employee Polygraph Protection Act poster
- Texas Workforce Commission posters (unemployment insurance, workers' compensation if elected, payday law)
- OSHA poster (general industry safety and health)
Posters need to be displayed where employees can see them (typically a break room or back office bulletin board). They should be the current versions; old posters do not satisfy the requirement.
The DOL workplace posters page and the TWC labor law posters page are the official sources.
HIPAA Compliance
Medical practices are covered entities under HIPAA. This produces HR-specific obligations beyond standard small business compliance.
Workforce Training
Every workforce member who handles protected health information (PHI) must receive HIPAA training. This includes:
- Initial training within a reasonable time of hire
- Periodic refresher training (recommendation: annual)
- Documentation of training completion in the employee file
Practice management staff, billing staff, and clinical staff all need HIPAA training. The depth varies by role, but the requirement applies broadly.
Business Associate Agreements
Vendors that handle PHI on the practice's behalf (billing companies, EHR vendors, shredding services, cloud storage providers, sometimes IT support) need business associate agreements (BAAs). The BAA is a HIPAA-specific contract that establishes the vendor's obligations.
Privacy Officer Designation
Covered entities are required to designate a privacy officer. For most small practices, this is a named individual (often the practice manager or the owner) rather than a full-time role.
Breach Notification
If a HIPAA breach occurs (unauthorized PHI access, lost laptop with PHI, mistakenly emailed records, etc.), specific notification requirements apply. The breach analysis and notification process are time-sensitive. Get HIPAA compliance guidance from a qualified source rather than improvising.
OSHA Bloodborne Pathogen Standard
The OSHA Bloodborne Pathogen Standard applies to most medical practices because of the potential exposure to blood and bodily fluids.
Required Elements
- Written Exposure Control Plan
- Annual training for all employees with potential exposure
- Hepatitis B vaccination offered (at no cost to the employee) to employees with potential exposure
- Engineering controls (sharps containers, safer needle devices where required)
- Personal protective equipment provided
- Post-exposure follow-up for any exposure incidents
- Documentation of training and vaccinations
The OSHA bloodborne pathogens standard page has the official requirements.
Common Gaps
- No written Exposure Control Plan or one that was written years ago and not updated
- Annual training not documented
- No record of Hepatitis B vaccination offer to each at-risk employee
- Sharps injury log not maintained
Clinical Staff Credentialing Documentation
Every clinical staff member needs current credentialing documentation in the personnel file:
- Current license for licensed staff (RN, LVN, NP, PA, MD/DO, MA where certified)
- Specialty certifications where the role requires them
- DEA registration for prescribing providers
- BLS/CPR certifications
- HIPAA training completion
- OSHA bloodborne pathogen training completion
The credentialing documentation often gets neglected. License renewals lapse without anyone tracking them. Annual training is given but not documented. Certifications expire and nobody notices until a complaint or inspection.
A simple credentialing tracker (spreadsheet or HR software) that lists each employee, each credential, and the expiration date prevents most of these problems.
Wage and Hour Compliance
Federal wage and hour rules apply to medical practices the same as any other employer.
Minimum Wage
Federal minimum wage applies. Texas does not have a higher state minimum, so federal is the floor. Check current rates on the DOL minimum wage page.
Overtime
Non-exempt employees (most medical assistants, nurses, billing staff, front office) are entitled to overtime for hours worked over 40 in a workweek. The exemption tests under the DOL Fact Sheet #17A are strict. Salary alone does not exempt anyone. The duties test has to be met.
Common mistakes:
- Salaried front office staff classified as exempt without meeting the duties test
- Off-the-clock work (charting after hours, prep time before the schedule, lunch breaks not actually taken) not paid as work time
- Overtime calculation errors when commission or bonus is paid
Meal and Rest Breaks
Federal law does not require meal or rest breaks, but if they are offered, specific rules apply. Texas does not have specific state meal and rest break rules for most employees, but breaks that are interrupted (the medical assistant who eats while charting) are work time.
Anti-Discrimination and Harassment
Federal anti-discrimination laws apply to medical practices. Title VII (race, color, religion, sex, national origin), ADEA (age), ADA (disability), and other protected classes establish the framework.
Written Policy
The practice should have a written anti-harassment and anti-discrimination policy that:
- Defines prohibited conduct
- Establishes a complaint process
- Identifies who to report to (with an alternative if the primary contact is the alleged harasser)
- Confirms no retaliation for good-faith complaints
Training
Texas does not require harassment prevention training for private employers, but training is a strong risk-reduction measure. Practices with five or more employees benefit from annual training.
Complaint Handling
When complaints arise, the practice needs to:
- Take the complaint seriously
- Investigate promptly
- Document the investigation
- Take appropriate corrective action if warranted
- Avoid retaliation
Mishandled harassment complaints are one of the most common sources of employment lawsuits.
Common Medical Practice HR Mistakes
No Employee Handbook
The single most common gap. A handbook is not legally required, but it is the foundation document for most HR processes.
HIPAA Training Done Once and Never Repeated
HIPAA training is not a one-time event. Periodic refreshers and documentation matter.
No Documentation of OSHA Bloodborne Pathogen Training
The training is happening. The documentation is missing.
Lapsed Clinical Licenses
License renewals are missed because no one is tracking expirations.
Misclassified Front Office Staff
Salaried front office and billing staff classified as exempt without meeting the duties test.
No Anti-Harassment Policy or Training
Or a policy that exists but has not been communicated to staff.
Personnel Files in Disarray
Documents missing, training records absent, performance issues undocumented.
Frequently Asked Questions
Do I need a written employee handbook?
Not legally required, but strongly recommended. The handbook is the foundation for most HR processes and provides legal protection.
How long do I have to keep employment records?
Federal record retention requirements vary. The DOL recordkeeping requirements page covers the basics. I-9s are retained for the longer of three years from hire or one year from termination. Payroll records are typically retained for three years (some require longer). Personnel files are typically retained for at least four years after termination.
What is the difference between HIPAA training and OSHA bloodborne pathogen training?
HIPAA training covers patient privacy and PHI handling. OSHA bloodborne pathogen training covers physical safety from blood and bodily fluid exposure. They are different regulations and require separate training. Some training providers cover both in a combined program.
Do I need a written Exposure Control Plan?
Yes, if the OSHA Bloodborne Pathogen Standard applies to your practice. Almost all medical practices are covered.
Should I outsource HR?
For practices with five or more employees, outsourcing usually makes sense. Smaller practices can sometimes handle HR in-house if the owner has the time and the right knowledge. Our companion post on when to hire an outsourced HR service (written for dental practices but applicable to medical practices) covers the decision in more detail.
What about FMLA?
FMLA generally applies to employers with 50 or more employees, so most small medical practices are not covered. Practices approaching that threshold should review the FMLA rules at the DOL FMLA page.
Texas does not require workers' compensation. Should I get it anyway?
Most medical practices carry workers' comp despite the optional status in Texas. Needle sticks, lifting injuries, slip and falls, and other workplace injuries are real risks in clinical practice. Talk to your insurance agent.
Getting Medical Practice HR Compliance Right
HR compliance for a medical practice is a longer list than it looks at first glance. The foundational items (I-9, W-4, new hire reporting, personnel files, postings) are universal. The clinical layer (HIPAA, OSHA bloodborne pathogens, credentialing) is specific to medical practice and is where most small practices have gaps.
The practices that handle this well have a written handbook, a credentialing tracker, documented training programs, current postings, and consistent personnel file practices. They do not do HR perfectly, but they do enough to avoid most common problems and to defend against the ones that arise.
If you also want the related operational topics, our payroll for a small medical practice in Texas guide covers the staff classification and payroll mechanics, and our bookkeeping for a small medical practice in Texas guide covers the financial side.
We work with medical practice owners across Quinlan, Hunt County, Rockwall, Kaufman, and the greater Dallas area on payroll, HR support, bookkeeping, and the broader operational support that goes with running a practice.
Worried about HR compliance gaps in your practice? Contact us here to talk about getting the foundation set up correctly.
