What are the HIPAA Laws in Texas?
The HIPAA laws in Texas are the same as they are anywhere else in the country because HIPAA sets a federal floor of privacy standards for healthcare information – not a federal ceiling. HIPAA does not prevent states from enacting legislation with stronger privacy protections; and, under HIPAA’s preemption framework, state laws that are more protective of individual privacy apply rather than the equivalent provision of HIPAA.
Most states have enacted legislation with provisions that apply rather than the equivalent provision of HIPAA. Often these relate to activities that are permitted by HIPAA but not required – for example, when a state mandates reporting non-accidental injuries. In other cases, state laws may require faster responses to patient access requests or relate to a particular area of healthcare – for example, HIV/AIDS test results.
What is Different about the HIPAA Laws in Texas
What is different about the HIPAA laws in Texas – and the state laws that overlay them – is that while most states limit the applicability of their healthcare privacy laws to organizations doing business in the state, Texas extends the reach of some privacy and breach notification legislation to organizations operating outside the state.
Not only do these extensions apply to organizations operating outside the state but, if such an organization collects “qualifying information” from a Texas resident who is also outside the state at the time, Texas laws still apply. (Note: the definition of Protected Health Information in Texas is broader than the definition of PHI under HIPAA.)
The Broader Applicability of HIPAA Laws in Texas
Furthermore, some HIPAA laws in Texas apply to any person, organization, agent, contractor, or employee who comes into possession of, obtains, or stores Protected Health Information and who:
“For commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information”.
The definition of a Covered Entity in Texas not only includes organizations that qualify as Covered Entities and Business Associates under HIPAA but also many types of organizations whose primary business is not regulated by HIPAA. Examples include:
- State government social services departments
- Vendors of fitness apps that collect user information
- Personal injury law firms that maintain health information
- University athletics programs – including those out of state
- Life insurance companies that underwrite a Texas resident
- Telehealth platforms used to provide virtual consultations
- Vendors of DNA testing kits that collect and analyze saliva samples
With regard to public schools, student health data is exempt from the Texas Medical Records Privacy Act because it is protected by the federal Family Educational Rights and Privacy Act (FERPA). However, electronic breaches of other personal identifying information maintained by public schools must still be reported to the Texas Attorney General in accordance with the Identity Theft Enforcement and Protection Act.
Workforce Training Requirements for Qualifying Covered Entities
Organizations that qualify as Covered Entities under any applicable Texas legislation have more specific training requirements than Covered Entities under HIPAA. Qualifying organizations must provide training on privacy and security policies within 90 days of a new staff member joining the workforce, with further training required whenever there is a “material change” to a policy or procedure that affects their role.
In addition, the HIPAA Security Rule requirement to provide an ongoing security awareness and training program still applies. This means that all members of the workforce must undergo regular security awareness training regardless of their access to or use of Protected Health Information. The provision of training and the content of the training must be documented and the documentation retained for a minimum of six years.
Additional Workforce Training is Necessary when Applicable
Thereafter, depending on the nature of services provided by the Covered Entity and the roles of workforce members, it may be necessary to provide training on the Texas Medical Records Privacy Act (as amended by HB300), the Texas Identity Theft Enforcement and Protection Act, and the Texas Data Privacy and Security Act, so workforce members know the state-specific expectations for preventing identity theft, securing personal data, and providing Texas-compliant breach notifications.
Where AI tools or automated decision making are used with health information, training should explain the requirements of the Texas Responsible AI Governance Act and SB1188, which address the safe and compliant use of AI in connection with electronic health records. Finally, staff whose roles are affected should be introduced to the relevant parts of the Texas Medical Practice Act and the applicable sections of the Health and Safety Code and Occupations Code, so their day-to-day work aligns with both HIPAA and the additional Texas standards that apply to their job.
