Texas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAA
8 min read · Last reviewed May 23, 2026
The Texas Medical Records Privacy Act (Texas Health & Safety Code Chapter 181), known as HB 300, layers a broader covered-entity definition, a mandatory 90-day training cadence, a 15-business-day EHR access deadline, and Texas Attorney General enforcement on top of HIPAA. The single biggest divergence: HB 300's "covered entity" reaches anyone who comes into possession of a Texas resident's PHI, not just HIPAA-regulated providers and plans.
What HB 300 actually requires
HB 300 took effect September 1, 2012 and is codified at Texas Health & Safety Code Chapter 181. It defines "covered entity" at § 181.001 as any person who, for commercial, financial, or professional gain, monetary fees, or dues, "engages, in whole or in part, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information." That sweeps in entities HIPAA does not — IT contractors, attorneys, marketing firms, cloud-storage providers, even some employers handling employee health data.
Core HB 300 obligations:
- Training within 90 days of hire under § 181.101 — every workforce member who handles PHI must complete training specific to the practice's PHI policies and to relevant state and federal law. Retraining at least every two years and within a reasonable time after a material change in policy. The training log must be retained for six years.
- Electronic health record access within 15 business days under § 181.102 — a covered entity that uses an EHR must provide an electronic copy on a patient's written request within 15 business days; HIPAA permits 30.
- Authorization for electronic disclosure under § 181.154 — separate written authorization is required before re-disclosing electronic PHI to a third party, with specific content elements.
- Sale of PHI prohibition under § 181.153 — broader than HIPAA's marketing prohibition; covers any sale of PHI unless an enumerated exception applies.
- Notice when authorization is required under § 181.152 — covered entities must inform patients of the customary disclosures the practice will make.
- Breach notification via Texas Business & Commerce Code § 521.053 — patient notice within 60 days of determination; AG notice required within 30 days of determination for breaches involving 250+ Texas residents.
- Texas Attorney General enforcement with penalties up to $250,000 per violation under § 181.201(b)(3), and an annual cap of $1.5 million for repeated violations of the same nature.
Where Texas is stricter than HIPAA
This is the comparison practices need.
| Topic | HIPAA | HB 300 / Texas | Stricter | |---|---|---|---| | Covered-entity scope | Plans, clearinghouses, treatment providers (45 CFR § 160.103) | Anyone who comes into possession of PHI (Tex. H&S § 181.001) | Texas | | Workforce training cadence | Reasonable to job duties; retrain on material changes (45 CFR § 164.530(b)(2)) | Within 90 days of hire + every 2 years (Tex. H&S § 181.101) | Texas | | Training record retention | Six years from creation (45 CFR § 164.530(j)(2)) | Six years (Tex. H&S § 181.101(c)) | Tie | | EHR patient-access turnaround | 30 days (45 CFR § 164.524(b)(2)) | 15 business days (Tex. H&S § 181.102) | Texas | | Sale of PHI | Authorization required (45 CFR § 164.508(a)(4)) | Sale prohibited absent enumerated exception (Tex. H&S § 181.153) | Texas | | Breach-notice window | 60 days (45 CFR § 164.404) | 60 days for patient notice; 30 days for AG notice at 250+ residents (Tex. B&C § 521.053) | Tie on patient notice; Texas adds and front-loads AG notice | | Civil penalty cap | $2,190,294 / year per identical violation (2026 HHS-adjusted; 45 CFR § 160.404 and 45 CFR Part 102) | $1.5M / year per repeated same-nature violation (Tex. H&S § 181.201) | HIPAA cap higher but Texas runs in parallel | | Enforcement agency | HHS / OCR | Texas AG + DSHS | Texas runs in parallel with HIPAA |
In Texas, the HB 300 training requirement trips up practices that thought their HIPAA training covered it. HIPAA does not specify a 90-day or two-year cadence; HB 300 does. A practice with annual HIPAA training but no documented HB 300-specific training, no 90-day-from-hire timestamp, and no Texas-law content in the curriculum is exposed on a state audit even if its HIPAA program is otherwise solid.
Where HIPAA is stricter than HB 300
HIPAA carries the heavier weight in two areas:
- Security Rule technical safeguards. The HIPAA Security Rule at 45 CFR Part 164 Subpart C prescribes the risk analysis, audit log, encryption-decision, access-control, and contingency-plan structure. HB 300 assumes safeguards exist and adopts the federal posture by reference at § 181.004; it does not add a parallel technical-control regime. Federal Security Rule violations remain the dominant exposure for systemic posture failures.
- Annual penalty cap (in absolute dollars). HIPAA's 2026 HHS-adjusted $2,190,294 annual cap per identical-violation type at 45 CFR § 160.404 (45 CFR Part 102) is higher than HB 300's $1.5M annual cap at § 181.201. For a sustained, willful failure, OCR's CMP exposure is larger than the Texas AG's. Both run in parallel on a single incident.
- Breach risk assessment methodology. HIPAA at 45 CFR § 164.402 defines the four-factor analysis that determines whether an incident is a reportable breach. Texas defers to that methodology and then imposes the additional Texas AG notification at 250+ residents.
Breach notification timeline
Texas uses two stacked statutes:
- Texas Business & Commerce Code § 521.053 — notification to affected Texas residents "as quickly as possible" and not later than 60 days after the date of determination of a breach involving sensitive personal information. Same outer window as HIPAA at 45 CFR § 164.404(b).
- AG notification at 250+ Texas residents — § 521.053(h) requires the practice to notify the Texas Attorney General "as soon as practicable" and not later than 30 days after determination when the breach involves at least 250 Texas residents. The AG publishes a notification roster.
- Out-of-state residents. § 521.053(b) extends Texas notification to non-Texas residents if the resident's home state has no breach-notice statute — uncommon today.
The encryption safe harbor at § 521.002(2) is meaningful: if the personal information was encrypted and the encryption key was not also compromised, notification under § 521.053 may not be triggered. Encryption is the highest-leverage HB 300 control.
Penalties and Texas AG enforcement
The numbers:
- Negligent violation under Tex. H&S § 181.201(b)(1) — up to $5,000 per violation per year.
- Knowing or intentional violation under § 181.201(b)(2) — up to $25,000 per violation per year.
- Knowing or intentional violation for financial gain under § 181.201(b)(3) — up to $250,000 per violation.
- Annual cap under § 181.201(c) — $1.5 million per year for pattern-or-practice violations of the same nature. Texas law does not provide for a doubled or higher annual cap.
- Licensure consequences — Texas Medical Board, Texas Board of Nursing, and DSHS may impose disciplinary action separate from monetary penalties; license revocation under § 181.202 is on the table for systemic failures.
No private right of action under HB 300. A Texas resident cannot sue under Chapter 181 itself. That said, HB 300 violations are frequently pleaded as predicates in negligence and Texas Deceptive Trade Practices Act (DTPA) claims, and the Texas DTPA does carry treble damages and attorney's fees. The litigation exposure is real but indirect.
Parallel HHS/OCR exposure runs at the same time. A single 2,000-patient breach can generate an OCR Resolution Agreement, a Texas AG settlement, and DTPA-pleaded private litigation in the same calendar quarter.
Compliance checklist for Texas practices
A Texas-specific overlay to a HIPAA program:
- HB 300 training within 90 days of hire for every workforce member with PHI access — separately documented from the HIPAA training certificate.
- Two-year HB 300 retraining cadence with calendar reminders per workforce member. Material policy changes trigger interim retraining.
- Six-year retention of every training record under § 181.101(c).
- 15-business-day EHR access protocol — a written request triggers a tracked clock; document the response date and any fee charged.
- Texas-compliant authorization form for electronic re-disclosure under § 181.154, layered with the HIPAA § 164.508 authorization.
- Sale-of-PHI prohibition enforced in vendor contracts and marketing reviews under § 181.153.
- Breach protocol triggering the § 521.053 60-day patient-notice clock and the 30-day AG-notice clock at 250+ residents.
- Encryption posture on every workstation, portable medium, and EHR-bearing device — the § 521.002(2) safe harbor is worth the engineering effort.
- Notice of customary disclosures under § 181.152 distributed alongside the HIPAA Notice of Privacy Practices.
- Out-of-state vendor mapping. Any vendor handling Texas PHI is bound by HB 300 directly. The HIPAA Business Associate Agreement at 45 CFR § 164.504(e) needs a Texas addendum binding the vendor to Chapter 181.
The d3rx compliance binder state-overlay branches on Texas specifically and produces the HB 300 training log structure, 15-day access protocol, sale-of-PHI prohibition addendum, and breach response timeline a Texas practice runs alongside its federal HIPAA backbone. It is an administrative documentation aid; the practice and its counsel remain responsible for executing the controls and responding to AG or OCR inquiries.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Texas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAA. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Does TX HB 300 training count toward HIPAA's annual training requirement?
Partially. HB 300 training under Texas Health & Safety Code § 181.101 covers state-specific privacy rules — it does not by itself satisfy the HIPAA training standard at [45 CFR § 164.530(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530). Practical posture: deliver one training event that covers both HIPAA and HB 300 elements (workforce job duties, applicable state law, sanction policy) and document the dual coverage in the training log. Each workforce member must complete it within 90 days of hire and every two years thereafter under HB 300; HIPAA expects retraining when material changes occur.
Does HB 300 apply if my practice is in Oklahoma but I treat Texas patients?
Yes. HB 300's covered-entity definition at Tex. Health & Safety Code § 181.001 is broader than HIPAA's and reaches any person who 'comes into possession of' protected health information of a Texas resident — including out-of-state providers and vendors. The Texas Attorney General has asserted jurisdiction in enforcement actions against out-of-state actors. Telehealth across state lines into Texas pulls HB 300 in alongside HIPAA.
What is the HB 300 patient-access deadline?
Texas Health & Safety Code § 181.102 requires a covered entity to provide an electronic copy of a patient's EHR within 15 business days of a written request. That is half the time HIPAA permits at [45 CFR § 164.524(b)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524). The fee a practice may charge is capped by Texas Medical Board rule (22 TAC § 165.2).
Are HB 300 fines paid to OCR or to Texas?
Texas. HB 300 is enforced by the Texas Attorney General and the Texas Department of State Health Services. Penalties under Health & Safety § 181.201 are independent of HIPAA's penalty structure at [45 CFR § 160.404](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404). A single breach event can generate parallel HHS/OCR and Texas AG enforcement actions with separate settlement amounts. There is no private right of action under HB 300 itself.
Do I need to encrypt all EHR data under HB 300?
Yes, for electronic patient records. Texas Health & Safety Code § 181.004 incorporates the federal encryption posture but in practice Texas regulators treat the absence of encryption on workstations and portable media as a material gap when investigating a breach. The state breach-notice statute at Tex. Bus. & Com. Code § 521.053 gives an encryption safe harbor — if the breached data was encrypted and the key was not compromised, notification may not be required. Encryption is the single highest-leverage HB 300 control.
What is the Texas breach-notification timeline for a Texas resident's PHI?
Texas Business & Commerce Code § 521.053 requires notification to affected Texas residents 'as quickly as possible' and within **60 days of determination** that a breach occurred, mirroring HIPAA. For breaches affecting 250+ Texas residents, the practice must also notify the Texas Attorney General 'as soon as practicable' and not later than **30 days** after determination — half the patient-notice window. The breach-notice obligations under § 521 run alongside the HIPAA Breach Notification Rule at [45 CFR § 164.404](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404).
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- Texas Health & Safety Code Chapter 181https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm
- 45 CFR § 160.103https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
- 45 CFR § 164.530(b)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
- 45 CFR § 164.524(b)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- 45 CFR § 164.508(a)(4)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508
- 45 CFR Part 164 Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
- 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402
- 45 CFR § 164.404(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
- 45 CFR § 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- ComplianceCalifornia Healthcare Compliance: CMIA + HIPAA — Where They DivergeCalifornia's CMIA (Civ. Code §§ 56–56.37) vs HIPAA: stricter consent, 5-working-day inspection / 15-day copy access, private right of action, up to $25k per knowing-and-willful violation + misdemeanor exposure.
- ComplianceFlorida Healthcare Compliance: FIPA Breach Notification + State SpecificsFlorida Information Protection Act (F.S. § 501.171) vs HIPAA: 30-day breach window, AG notice at 500 residents, $500k penalty cap, F.S. § 456.057 records rules.
- ComplianceNew York SHIELD Act for Medical Practices: The Reasonable Safeguards StandardNY SHIELD Act (Gen. Bus. Law § 899-bb) vs HIPAA for medical practices: reasonable safeguards, expanded breach scope under § 899-aa, 30-day notice outer bound, $250k AG penalty exposure.
- SRAHIPAA Training Requirements for a Small PracticeWhat 45 CFR 164.530(b) and 164.308(a)(5) require for HIPAA workforce training, plus a realistic cadence and documentation approach for a small practice.
- RegulationTexas Medical Records Privacy Act (Texas HIPAA, Tex. Health & Safety Code Ch. 181)Often called 'Texas HIPAA,' this state law extends HIPAA-like protections to a broader class of 'covered entities,' adds Texas-specific training requirements, and provides for state enforcement.
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- StateAlaska healthcare compliance overlayAlaska has no state-specific medical-information privacy statute beyond HIPAA, and no health-data-only breach rule.