Texas Medical Records Privacy Act (Texas HIPAA, Tex. Health & Safety Code Ch. 181)
Often called 'Texas HIPAA,' this state law extends HIPAA-like protections to a broader class of 'covered entities,' adds Texas-specific training requirements, and provides for state enforcement.
Primary source
Tex. Health & Safety Code Ch. 181 — Texas Statutes →https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
Additional sources
The Texas Medical Records Privacy Act (Tex. Health & Safety Code Ch. 181) — commonly "Texas HIPAA" — provides broader patient privacy protections than federal HIPAA in several respects.
Key features:
- Expanded "covered entity": covers any person engaged in assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information — broader than the HIPAA covered-entity-plus-BA framework.
- Training requirement: every covered entity must provide HIPAA/Texas-privacy training to employees within 90 days of employment, with refresher training at least every two years and additional training within a year after a material change in state or federal privacy law affecting customary employee duties.
- Authorization for electronic disclosures: explicit authorization rules for electronic disclosures.
- Marketing restrictions: prohibits use of PHI for marketing without specific authorization.
- Enforcement: Texas Attorney General may bring civil actions with penalties up to $5,000 per negligent violation, $25,000 per knowing or intentional violation, and up to $250,000 for violations involving disclosure for financial gain.
Practice impact: Texas providers must overlay the training cadence, expanded scope, and electronic-disclosure authorization rules on top of HIPAA compliance. Many Texas-domiciled vendors not strictly business associates under HIPAA still qualify as "covered entities" under Texas HIPAA.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationCalifornia Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code 56-56.37)California state law providing broader patient confidentiality protections than HIPAA for medical information held by providers, contractors, and certain employers.
- RegulationFlorida Information Protection Act (FIPA, Fla. Stat. § 501.171)Florida data breach notification and information security law requiring covered entities to maintain reasonable security and to notify affected individuals and the AG of breaches within 30 days.
- RegulationHIPAA Privacy Rule: General Rules for Uses and Disclosures (45 CFR 164.502)The general rules covered entities follow for any use or disclosure of protected health information, including the minimum necessary standard and treatment, payment, and operations exceptions.
- ComplianceTexas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAATexas HB 300 (Health & Safety Chapter 181) vs HIPAA: broader covered entities, mandatory 90-day training, 15-day EHR access, $1.5M/year AG penalty cap.
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- StateAlaska healthcare compliance overlayAlaska has no state-specific medical-information privacy statute beyond HIPAA, and no health-data-only breach rule.
- StateAlabama healthcare compliance overlayAlabama was the last U.
- StateArkansas healthcare compliance overlayArkansas's Personal Information Protection Act adds 'medical information' to the categories triggering breach notification but does not impose health-information-specific privacy rules beyond HIPAA.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.