
Mandatory Medical Privacy Regulations in Texas You Must Enforce Across Your Organization

In addition to HIPAA and the Texas Medical Records Privacy Act/HB300, several other laws apply to the privacy and security of medical records in Texas. Laws such as the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, SB1188 and the Texas Medical Practice Act create a layered system of protections that often go beyond HIPAA’s minimum requirements.

Evolution of Medical Privacy Laws in Texas

Before HIPAA, medical confidentiality in Texas was governed mainly by the Texas Health and Safety Code, which already limited how health information could be used and disclosed, and gave patients rights to see their records. HIPAA then introduced federal privacy and security rules, but only for a narrower group of “covered entities.” To close that gap, Texas passed the Texas Medical Records Privacy Act in 2001, extending HIPAA-style protections to more organizations that handle Texans’ health information. HB300, passed in 2011, strengthened that Act by tightening rules for electronic disclosures, shortening deadlines for responding to patient access requests, and expanding breach notification requirements. HB300 is important, but it operates alongside a broader set of Texas privacy and security laws.

The Texas Identity Theft Enforcement and Protection Act (TITEPA)

The Texas Identity Theft Enforcement and Protection Act (TITEPA) is not limited to healthcare, but it heavily affects healthcare organizations because it applies to any business that handles personal identifying information about Texas residents. Its definition of “sensitive personal information” is broader than HIPAA’s definition of PHI, so some data that is not PHI still has to be protected as if it were. Organizations must secure this information, dispose of it safely, and notify individuals (and sometimes the Attorney General) if computerized sensitive personal information is acquired by an unauthorized person. Because these requirements sit next to HIPAA’s breach rules, many healthcare organizations in Texas treat all patient-related information like PHI and apply HIPAA-level safeguards across the board.

The Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) is aimed at consumer data generally, but it also touches healthcare. Covered entities and business associates are exempt for PHI but not for other personally identifying data they collect, such as marketing lists, website tracking data, appointment booking details, or some HR data. For this non-PHI data, organizations must limit collection to what is necessary, obtain informed consent for certain uses (such as targeted marketing), and honor rights to access, correct, or request deletion where those rights apply. Deletion rights do not override medical record retention requirements, so PHI and medical records still must be kept according to Texas rules.

The Texas Responsible AI Governance Act

The Texas Responsible AI Governance Act and SB1188 add AI- and EHR-specific obligations. The AI Governance Act applies broadly to developers and users of AI, including healthcare organizations that use AI in clinical or administrative workflows. Patients must be told when AI is used in diagnosis or clinical decision support (outside emergencies), and patient authorization is required if PHI is sent to AI systems for purposes beyond treatment, payment, healthcare operations, or required-by-law disclosures.

SB1188

SB1188 goes further by requiring AI-generated diagnostic outputs to be reviewed under standards set by the Texas Medical Board and documented in the medical record, and by imposing specific security and functionality requirements on EHRs. It restricts storing certain data types in EHRs, such as credit scores or voter-registration status, and sets rules around parental access to minors’ electronic records – with exceptions for sensitive services such as reproductive, substance use, or mental health care.

The Texas Medical Practice Act

The Texas Medical Practice Act and related code provisions add professional and confidentiality duties for licensed healthcare professionals on top of all this. In many cases, state law requires written consent for disclosures that go beyond treatment, payment, healthcare operations, or disclosures explicitly required by law, and adds extra protections for especially sensitive categories such as mental health, substance use, HIV testing, and genetic information. These provisions are updated regularly and can override or refine how other laws apply in specific scenarios.

Training Employees for Overlapping Texas Medical Privacy Laws

Because all of these Texas laws overlap, organizations that handle medical information about Texas residents generally follow a “most protective law wins” approach. HIPAA and the Texas Medical Records Privacy Act/HB300 are the central pieces of Texas medical privacy law, but real-world practice is also shaped by TITEPA, the TDPSA, the Responsible AI Governance Act, SB1188, and the Medical Practice Act.

Texas health privacy obligations extend beyond HB300 and HIPAA. Employees who handle patient information should receive training that covers the full Texas landscape: HIPAA and the Texas Medical Records Privacy Act/HB300, the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Responsible AI Governance Act, SB1188, and the Texas Medical Practice Act. Comprehensive training helps staff recognize when Texas rules are stricter than HIPAA, apply the most protective standard, and follow clear procedures for consent, access, disclosures, incident reporting, and AI or EHR use.

Organizations should incorporate these state requirements into onboarding and annual refresher training, including their business associate staff training, and instruct employees to speak with the Privacy or Compliance Officer whenever a situation is unclear. This approach ensures HIPAA-Covered Entities and HIPAA Business Associates comply with Texas state regulations as well as federal HIPAA requirements.

Author: PJ Murray is the founder and publisher of The HIPAA Journal. He is dedicated to The HIPAA Journal’s mission of promoting a culture of HIPAA compliance and patient privacy by helping organizations and their staff understand both the regulations and the importance of protecting patient privacy and data security. Before working on The HIPAA Journal, PJ worked in software development; he holds an engineering degree and has a particular interest in the cybersecurity aspects of protecting the privacy of medical records.