HIPAA is the federal floor for protected health information. Texas HB300 — the state's Medical Records Privacy Act — raises the ceiling. Texas practices, including every physician office, hospital, ASC, dental practice, mental health provider, and DFW-area health system, must comply with both. The areas where HB300 extends HIPAA are specific and enforceable, and most Texas practices we assess have gaps in at least one of them.
This article covers what HB300 is, where it goes further than HIPAA, and what compliance looks like in practice for a DFW-area healthcare organization.
The Baseline: HIPAA Applies
Every HIPAA obligation still applies to Texas entities. The Privacy Rule, Security Rule, Breach Notification Rule, and associated regulations are the federal floor. HB300 does not replace HIPAA. It adds to it.
When HB300 and HIPAA conflict, the stricter requirement applies. In practice, HB300 is typically the stricter of the two on the dimensions below.
Where HB300 Extends HIPAA
1. Broader Definition of "Covered Entity"
HIPAA's definition of covered entity is limited to health plans, healthcare clearinghouses, and healthcare providers who transmit certain health information electronically. HB300's definition is broader. Under Texas law, a "covered entity" is essentially anyone who comes into possession of PHI in the course of their business — including organizations that would not be HIPAA covered entities or business associates.
Examples of entities that HB300 covers but HIPAA may not:
- Schools that maintain medical records
- Employers that receive employee medical information outside the HIPAA workflow
- Researchers who handle PHI
- Attorneys and accountants who receive PHI in the course of representing healthcare clients (debatable case-by-case, but HB300's broad definition is the starting point)
- Any Texas business that obtains PHI, regardless of industry
Practical implication: if your DFW practice works with vendors, consultants, or contractors who handle PHI, they may have HB300 obligations even if they are not HIPAA business associates.
2. Mandatory Training Requirements
HIPAA requires training; HB300 specifies when and how often. Every employee of a covered entity must receive training on state and federal health information laws:
- Within 90 days of hire
- Every two years thereafter
- Within a reasonable time after any material change to applicable laws
Training must be documented, and documentation must include the employee's signed acknowledgment of completion. The Attorney General can request training records during an investigation.
The 90-day window is where many Texas practices fall behind. New hires frequently receive orientation-level HIPAA training but not HB300-specific training within the required window. This is a discrete, auditable failure.
3. Consumer Right to Electronic Copy
HB300 gives patients the right to request an electronic copy of their electronic health records, and covered entities must provide it within 15 business days of a written request. HIPAA's Right of Access requires 30 days (extendable by another 30). Texas cuts this in half.
Practical implication: your release-of-information workflow needs to meet the 15-business-day Texas clock, not the 30-day HIPAA clock.
4. Marketing and Sale of PHI
HIPAA requires authorization for marketing and for the sale of PHI, with specific exceptions. HB300 goes further by explicitly prohibiting the sale of PHI unless the individual has given specific authorization — and even then, the authorization must disclose that the entity will be compensated.
Marketing communications using PHI face similar heightened authorization requirements.
5. Disclosure Accounting
HIPAA requires an accounting of disclosures on request. HB300 adds specific requirements around disclosures to external parties and the retention of disclosure logs.
6. Civil Penalties
HB300 imposes civil penalties up to $250,000 per violation for frequent or repeated violations, and up to $5,000 per negligent violation. These are separate from HIPAA penalties — the Texas Attorney General enforces HB300 in addition to any federal OCR enforcement.
What DFW Practices Often Miss
Common gaps we find during Texas healthcare compliance assessments:
- Training cadence drift: staff trained on hire but not within the 90-day window, or biennial refreshers missed
- Record request timing: release-of-information operating on the 30-day HIPAA clock rather than the 15-business-day Texas clock
- Vendor assessment gaps: Texas vendors treated as HIPAA business associates only, without consideration of HB300 obligations
- Marketing workflow: practice newsletters, patient testimonial programs, and marketing communications that use PHI without HB300-compliant authorization
- Sale of de-identified data: "de-identified" under HIPAA is not automatically compliant under HB300's sale provisions
Reporting Obligations
Breach notification under HB300 aligns with the Texas Identity Theft Enforcement and Protection Act (§521.053). Texas residents affected by a breach must be notified "without unreasonable delay" — a stricter standard than HIPAA's 60-day outer limit.
For breaches affecting 250+ Texas residents, the Texas Attorney General must be notified. The notification must include specific information and must be provided within 30 days of determining a breach occurred. Note that this is separate from the HHS notification obligation.
For a breach response framework, see our healthcare incident response resources.
Enforcement Profile
The Texas Attorney General has been active in HB300 enforcement, often in parallel with OCR HIPAA actions. Texas-based practices with an OCR resolution agreement typically also face Texas AG follow-up. Budgeting compliance effort for both regulators is prudent.
Action Items for a DFW Practice
- Confirm training documentation meets the 90-day-on-hire and biennial refresh requirements
- Review release-of-information workflow against the 15-business-day Texas clock
- Update authorization forms to explicitly cover HB300 marketing and sale provisions
- Map vendor relationships for HB300 coverage, not just HIPAA BA status
- Ensure breach notification playbook addresses both HHS and Texas AG notification
- Document the HB300-specific risk analysis alongside the HIPAA Security Rule risk analysis
The Texas-Wide Picture
HB300 applies to every Texas healthcare organization — DFW, Houston, Austin, and every smaller market. DFW practices often have additional considerations because of volume (major health systems, large physician groups, specialty ASCs) and the concentration of vendors operating in the market. A DFW-area compliance program should look at HB300 as a first-class requirement, not a footnote to HIPAA.
Intersection With Texas Cybersecurity Notification Law
Texas also has a state cybersecurity notification obligation under §521.053 that applies to breaches of sensitive personal information. For healthcare breaches, this generally aligns with HIPAA and HB300, but triggers and content requirements are not identical. Specifically:
- The 250-resident Texas AG notification threshold is separate from HIPAA's 500-individual media notification threshold
- Content requirements differ — Texas notifications must include specific elements about the nature of the breach and resources available to affected individuals
- Texas AG notification must be submitted via the Texas AG's online portal, with specific metadata
Practical implication: your breach notification playbook should have Texas-specific letter templates and AG submission procedures, not just HIPAA-generic templates.
How HB300 Gets Enforced
Texas AG enforcement of HB300 has followed a consistent pattern: an investigation often begins with a referral from HHS (following a HIPAA breach investigation), a complaint from a Texas resident, or a media-reported breach. The typical investigation path involves document production requests covering training records, policies, breach response, risk analyses, and Business Associate Agreements. Settlement agreements include monetary penalties, corrective action plans, and multi-year monitoring periods.
Documentation is the most effective defense. Records of training, risk analyses, and incident response that are current and complete are the difference between a manageable investigation and a costly one.
For a Texas healthcare compliance assessment that specifically addresses HB300 alongside HIPAA, see our healthcare practice page or schedule a consultation with our DFW-based team.
About the Author
Team Techvera
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
