AI, Data Privacy & Compliance for Texas Businesses (HIPAA, PCI, SOC 2, CMMC, TDPSA)

If you run a clinic, a billing office, a payments shop, or a defense subcontractor, the first AI question is rarely "what can it do?" — it is "can I use it without breaking my compliance obligations?" This page maps the frameworks a Texas small business actually faces and shows exactly which infrastructure controls — data residency, encryption, access control, audit logs — support each one. It is written to be honest about the boundary: private AI infrastructure supports your compliance program; it does not certify you, and nothing here is legal advice.

Read this first — what we do and don't do

TIS builds and secures private AI infrastructure that supports your compliance obligations. We are not a law firm, auditor, or compliance certifier and do not provide legal advice — consult your own counsel or compliance advisor.

In practice that means we provide the controls — on-premise data, encryption, access control, and audit logging — that feed your compliance evidence. Your QSA, CPA, C3PAO, or counsel handles certification and legal sign-off. We never claim to hold a certification we do not hold, and we never tell you a build makes you "compliant." It makes you better positioned, with controls you can point an auditor to.

Why cloud AI is a compliance headache

Compliance is mostly about control: who can read the data, where it physically lives, how long it is kept, and whether you can prove all of that. A cloud AI API quietly undermines every one of those. Your inputs leave the building, many vendors retain them per their terms — sometimes to train future models — and the data sits in regions and backups you cannot point to or audit.

Private, on-premise AI removes the vendor from the path. The model and the records it reads stay on hardware you own, so data residency, retention, and access become things you set and can demonstrate. That is the foundation every framework below builds on. The deeper privacy case lives on our business data privacy page; the infrastructure itself is our private AI infrastructure work.

TDPSA — the Texas Data Privacy and Security Act

The TDPSA is Texas's consumer data-privacy law, effective July 1, 2024, with the third-party opt-out provision (§541.055(e)) effective January 1, 2025. It is enforced exclusively by the Texas Attorney General, with a 30-day cure period and civil penalties of up to $7,500 per violation.

Here is the part most coverage gets wrong for small businesses: the TDPSA largely exempts small businesses as defined by the U.S. Small Business Administration. The one notable carve-out is that even an exempt small business still needs consent to sell sensitive personal data. So if you are a Texas SMB, do not assume the TDPSA loads broad obligations onto you — in most cases it does not. Confirm your own status with counsel rather than taking a blanket reading.

What private AI does here is keep the question small: when sensitive data never leaves your building and is never handed to a vendor that might sell or repurpose it, the riskiest TDPSA scenario simply does not arise.

HIPAA Security Rule — protecting ePHI on-prem

If you handle electronic protected health information (ePHI), the HIPAA Security Rule expects safeguards around access control, encryption, and audit logging — and audit records are commonly retained for six years. Keeping ePHI on a server in your own building, rather than pasting it into a public AI tool, is the single biggest move toward supporting that posture: the data stays where your access controls and logs apply.

About AES-256, TLS 1.3, MFA and immutable logs — read carefully

You will see claims online that HIPAA "requires" AES-256, TLS 1.3, MFA, and immutable audit logging. That is not accurate today. Those specific items come from a proposed update to the HIPAA Security Rule — an NPRM published January 6, 2025 — that would mandate them and remove the current "required vs. addressable" distinction. That rule is proposed, not final.

We treat those measures two ways, honestly. First, AES-256 at rest and TLS 1.3 in transit are security best practice we apply by default regardless of any rulemaking. Second, the proposed rule is something to watch, not a current requirement — so we will never present these as today's HIPAA mandates. How encryption actually gets applied on a build is covered on our encryption for private AI page; access roles and MFA on AI access control.

PCI-DSS 4.0 — keeping AI clear of card data

If you touch payment card data, PCI-DSS 4.0 applies. How you attest depends on merchant level: smaller merchants generally use a self-assessment questionnaire (SAQ), while larger merchants require a formal audit performed by a Qualified Security Assessor (QSA). Either way, the assessment is something you or a QSA do — not something TIS performs.

The infrastructure side is where we help. The cleanest pattern is to keep the AI server segmented away from the cardholder data environment entirely — a separate VLAN, no card data sent to the model, TLS 1.3 on the wire, and MFA on endpoints. That way the AI box supports your controls without expanding your cardholder-data scope.

SOC 2 — feeding the evidence, not signing the report

SOC 2 is a flexible framework built on the Trust Services Criteria, and the report must be signed by a licensed CPA. A Type II report evaluates how your controls actually operated over a window of roughly six to twelve months. You cannot be "SOC 2 certified" by a hardware vendor — the CPA performs the examination.

What private AI contributes is evidence. Access control with defined roles, encryption at rest and in transit, and immutable, who-accessed-what audit logs are exactly the kind of operating controls a SOC 2 examination looks for. We build those in so there is something concrete to hand your CPA — see AI access control for the role design that backs it.
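As an added illustration of the tamper-evident, who-accessed-what logging described above (example code written for this page, not TIS's own build or any product API), the following Python keeps inference access events in a hash chain: each record commits to the previous record's hash, so an edit or deletion made after the fact shows up when the chain is verified. The event fields and sample entries are constructed for the example.

```python
import hashlib
import json

# Constructed sample events (not real logs): who accessed which inference
# endpoint, under what role, touching which data class, and the outcome.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T14:02:11Z", "user": "jdoe", "role": "clinician",
     "endpoint": "/v1/chat", "data_class": "ePHI", "outcome": "allowed"},
    {"ts": "2025-03-01T14:05:40Z", "user": "billing01", "role": "billing",
     "endpoint": "/v1/chat", "data_class": "ePHI", "outcome": "denied"},
    {"ts": "2025-03-01T14:09:03Z", "user": "admin", "role": "admin",
     "endpoint": "/v1/models", "data_class": "none", "outcome": "allowed"},
]

GENESIS = "0" * 64  # the hash the very first record links to

def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes the same way.
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append_event(chain, event):
    """Append one access event, linking it to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"event": event, "prev": prev, "hash": _digest(prev, event)}
    chain.append(record)
    return record

def build_chain(events):
    chain = []
    for event in events:
        append_event(chain, event)
    return chain

def verify_chain(chain):
    """Return (ok, first_bad_index); an edited, reordered or deleted record
    breaks the link at or after its position. Index is -1 when all pass."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    return True, -1

def access_report(chain):
    """Who-accessed-what view an auditor can read, straight from the chain."""
    return [(r["event"]["user"], r["event"]["endpoint"], r["event"]["outcome"])
            for r in chain]
```

In a real build the newest hash would also be copied somewhere the log host cannot rewrite, so that a wholesale rebuild of the chain is detectable as well.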

CMMC 2.0 / NIST SP 800-171 — for DoD subcontractors

If you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as a DoD subcontractor, CMMC is the program that applies. Per the Federal Register, the CMMC final rule was published September 10, 2025, and the program rollout began November 10, 2025; the phase introducing Level 2 third-party certification is reported to begin November 10, 2026. Re-verify these dates against the Federal Register before relying on them, since rulemaking timelines move.

The two levels differ a lot. Level 1 covers FCI with 15 requirements (FAR 52.204-21) and an annual self-assessment. Level 2 covers CUI with 110 requirements (NIST SP 800-171 Rev 2), assessed either by self-assessment annually or by a C3PAO every three years. An on-prem AI build with NIST 800-171-aligned controls — access control, immutable logging, encrypted storage, no outbound egress — supports that effort, but the assessment is done by your C3PAO or your own self-assessment, not by TIS.

Control-to-framework map

Each row is an infrastructure control TIS can build; each column is a framework it helps support. "Supports" means the control feeds your evidence or reduces your exposure — it never means TIS certifies you against that framework.

Infrastructure control                     | HIPAA     | PCI-DSS 4.0 | SOC 2    | CMMC / 800-171 | TDPSA
Data residency (on your hardware in Texas) | Supports  | Supports    | Supports | Supports       | Supports
AES-256 encryption at rest                 | Supports* | Supports    | Supports | Supports       | Supports
TLS 1.3 encryption in transit              | Supports* | Supports    | Supports | Supports       |
RBAC (role-based access control)           | Supports  | Supports    | Supports | Supports       |
MFA on inference endpoints                 | Supports* | Supports    | Supports | Supports       |
Immutable / tamper-evident audit logs      | Supports* | Supports    | Supports | Supports       |
Retention you set (6-yr where needed)      | Supports  | Supports    | Supports | Supports       | Supports
No outbound egress / segmentation          | Supports  | Supports    | Supports | Supports       |

* For HIPAA, AES-256, TLS 1.3, MFA, and immutable logging are best-practice controls we apply by default; they also appear in a proposed 2025 update to the HIPAA Security Rule (NPRM, January 6, 2025) that is not yet final. "Supports" means the control feeds your compliance program — TIS does not certify, audit, or provide legal advice. TDPSA largely exempts SBA-defined small businesses except for selling sensitive data without consent.

How TIS builds to support these frameworks

The practical path is the same regardless of which acronym applies to you: keep the regulated data on hardware you own, encrypt it at rest and in transit, lock down who can reach the model, and log access in a way you can hand to an auditor. We hand-build the server, configure those controls, and install it on-site — then your compliance professionals do the certification.

The best starting point is a scoped review of what you actually face. Our colleagues run an AI readiness audit that maps your obligations to a concrete build before anyone spends a dollar. From there, the specifics live on encryption for private AI, AI access control, and AI backup & disaster recovery.

Supporting regulated businesses across the Houston metro

Clinics, billing and accounting offices, payments shops, and defense subcontractors across Houston, Sugar Land, Katy, and the Fort Bend area can keep regulated data on a server in their own building — with the encryption, access control, and audit logs their compliance program expects. See our Texas service areas.

Compliance questions

Does private AI make my business HIPAA, PCI, SOC 2 or CMMC compliant?

No. Private AI infrastructure supports your compliance program by keeping regulated data on-premise with encryption, access control, and audit logs. Certification stays with your auditor, assessor, QSA, CPA, C3PAO, or counsel — TIS builds the infrastructure, it does not certify your organization.

Does the Texas Data Privacy and Security Act (TDPSA) apply to my small business?

In most cases the TDPSA largely exempts small businesses as defined by the SBA, with one notable carve-out: you still need consent to sell sensitive personal data. So do not assume the TDPSA imposes broad obligations on a Texas SMB — it generally does not. Confirm your status with your own counsel.

Are AES-256 and MFA required by HIPAA today?

Not as explicit, named mandates in the current HIPAA Security Rule. A proposed update (an NPRM published January 6, 2025) would require AES-256 at rest, TLS 1.3 in transit, MFA, and immutable audit logging — but that rule is proposed, not final. We use AES-256 and TLS 1.3 as security best practice regardless, and treat the proposed rule separately.

We are a DoD subcontractor: does private AI help with CMMC?

It can support your effort. On-prem AI with NIST SP 800-171-aligned controls — access control, encryption, immutable logging, no outbound egress — supports a CMMC posture for FCI and CUI. But a C3PAO assessment (Level 2) or your self-assessment (Level 1) handles the certification, not TIS.

Why is cloud AI a compliance headache?

With a vendor API in the path, your inputs leave your control: many vendors retain inputs per their terms, sometimes to train models, and the data sits in regions and backups you cannot point to. Private, on-premise AI removes the vendor from the path, so regulated data stays on a box you own.

Do you provide legal or audit advice?

No. TIS builds and secures private AI infrastructure that supports your compliance obligations. We are not a law firm, auditor, or compliance certifier, and we do not provide legal advice. Consult your own counsel or compliance advisor for legal and audit sign-off.

Use AI without breaking your compliance obligations

Tell us your industry and the data you handle — we'll scope a private AI build with the encryption, access control, and audit logs your compliance program needs, installed on-site across Houston and Fort Bend County. We support your program; your professionals certify.
