
What is Texas HB300?

Texas HB300 is a bill passed by the Texas legislature in 2011 that updates Chapter 181 of the Texas Health and Safety Code relating to the privacy of medical records, and it overlays HIPAA wherever its protections are more stringent. The bill has significant implications for many organizations based in Texas – and those outside the State – that assemble, collect, analyze, use, evaluate, store, or transmit the Protected Health Information of Texas residents.

In June 2001, Governor Rick Perry signed the Texas Medical Privacy Act into law. The Act created Chapter 181 of the Texas Health and Safety Code and brought the State’s medical records privacy provisions broadly into line with those of the proposed HIPAA Privacy Rule. However, there were some notable differences between the Texas Medical Privacy Act and the HIPAA Privacy Rule:

  • The definition of Covered Entities in the Texas Medical Privacy Act goes beyond the definition of Covered Entities in HIPAA.
  • The Texas Medical Privacy Act has fewer permissible uses and disclosures of Protected Health Information (PHI) than HIPAA.
  • Different provisions exist for uses and disclosures of psychotherapy notes and for uses and disclosures of PHI for research purposes.
  • The Texas Medical Privacy Act prohibited the use, disclosure, or sale of PHI for marketing purposes without an authorization (this provision was later included in the HIPAA Privacy Rule).
  • The civil penalties for violations of the Texas Medical Privacy Act were (at the time) much higher than the civil penalties for violations of HIPAA.
  • The Texas Medical Privacy Act prohibited the reidentification of PHI without the subject’s authorization. HIPAA has no such prohibition.

HIPAA created a “federal floor” of privacy protection for individually identifiable health information, which preempts State law unless the State law provides more patients’ rights or greater privacy protections. Where the provisions above provide more patients’ rights or greater privacy protections, the Texas Medical Privacy Act applies to entities covered by the Act rather than HIPAA.


Which Entities are Covered by the Texas Medical Privacy Act?

All entities (individuals, businesses, organizations, etc.) that assemble, collect, analyze, use, evaluate, store, or transmit Protected Health Information (PHI) of Texas residents are covered by the Texas Medical Privacy Act regardless of where the entity is located. In theory, an entity located in New York could be covered by the Act if it stores the PHI of a resident of Austin.

In many cases, a Business Associate under HIPAA is a Covered Entity in its own right under the Texas Medical Privacy Act unless the Business Associate creates, collects, maintains, or transmits PHI for or on behalf of a HIPAA Covered Entity. In these circumstances, a Business Associate Agreement must still be in place and the Business Associate must comply with areas of HIPAA not covered by the Texas Medical Privacy Act – e.g., security and awareness training and the minimum necessary standard.

To clarify the situation with regards to healthcare providers, those that qualify as HIPAA Covered Entities are required to comply with the HIPAA Administrative Simplification Provisions (which include the HIPAA Privacy and Security Rules), unless a provision of the Texas Medical Privacy Act overlays HIPAA. Healthcare providers that do not qualify as HIPAA Covered Entities (because – for example – they bill clients directly), must comply with the Texas Medical Privacy Act.

Other examples of entities covered by the Texas Medical Privacy Act can include IT service providers, website owners, accountants, sports teams, and lawyers if they assemble, collect, analyze, use, evaluate, store, or transmit Protected Health Information (PHI) of Texas residents. It is also the case that any individual, business, or organization that collects, uses, stores, or transmits “sensitive personal information” is required to comply with the State’s Breach Notification requirements.

What is Texas HB300?

As mentioned above, Texas HB300 is a bill passed in 2011 to update Chapter 181 of the Health and Safety Code. The Bill was introduced in light of the HITECH Act which incentivized the meaningful use of Electronic Health Records (EHRs). The Texas legislature felt the incentivization of EHR adoption would increase electronic exchanges of PHI and that stronger State laws were necessary to increase the privacy and security protections for PHI. The primary changes to Chapter 181 were:

Limitations on Disclosures of electronic PHI

Texas HB300 limits permissible disclosures of electronic PHI (without a patient’s authorization) to treatment, payment, healthcare operations, and certain insurance or HMO operations. Covered Entities must provide a notice to each individual advising them of the limitations on electronic disclosures in addition to providing a Notice of Privacy Practices if the organization qualifies as a HIPAA Covered Entity.

Increased Requirements for Patient Authorizations

Texas HB300 introduces the requirement for Covered Entities to obtain patient authorizations for each electronic disclosure not permitted or exempted by Chapter 181 of the Health and Safety Code. The Texas Attorney General was instructed to adopt a standard authorization form for all entities. It is not mandatory for Covered Entities to use the HB300 authorization form provided any alternative complies with HIPAA, the Texas Medical Privacy Act, and other applicable laws.

Patient Access to Electronic PHI Stored on EHRs

The HIPAA Privacy Rule already had provisions requiring Covered Entities to provide individuals with copies of their PHI within thirty days of a request. However, for the Texas legislature, this period of time seemed too generous. Texas HB300 includes a clause stipulating that, when a healthcare provider uses an EHR capable of responding to a patient access request, the request should be responded to within fifteen days.

Exceptions When the Sale of PHI is Permitted

The original Medical Records Privacy Act prohibited the use, disclosure, or sale of PHI without an individual’s authorization. Texas HB300 relaxed the general prohibition to allow the sale of PHI without an individual’s authorization when the sale is to another Covered Entity for treatment, payment, health care operations, or insurance/HMO activities. However, the remuneration a Covered Entity can receive for the sale of PHI is limited to the cost of preparing and transmitting the PHI.

Employee HB300 Training Requirement

Texas HB300 introduced mandatory employee HB300 training “regarding the State and Federal laws concerning PHI” within 60 days of commencing employment (*). The training should be tailored to the nature of the Covered Entity’s business and each employee’s scope of employment. In addition, refresher training must be provided whenever there is a material change to a State or Federal law that affects the role of the employee. Employees must attest to the completion of training.

(*) A subsequent amendment in 2013 (SB1609) increased the time limit for the completion of training from 60 days to 90 days and also removed the requirement for refresher training to be provided every two years. Note: HIPAA Covered Entities and Business Associates are still required to provide ongoing security and awareness training under §164.308(5)(i) of the HIPAA Security Rule.

Penalties for Non-Compliance with Texas HB300

When the Texas Medical Privacy Act was passed in 2001, it included penalties for non-compliance with the Act that were higher than HIPAA. Each violation of the Act could attract a financial penalty of $3,000 (up to a maximum penalty of $250,000), Covered Entities could be excluded from State programs such as Medicare, and State licensed Covered Entities could have their license to practice revoked. These penalties were in addition to those imposed by HHS’ Office for Civil Rights.

When the HITECH Act gave HHS’ Office for Civil Rights the authority to pursue higher settlements for violations of HIPAA, the Texas legislature followed suit – not only increasing each individual penalty of a violation of HB300, but also implementing a tiered penalty structure similar to that introduced by the HITECH Act.

  • Tier 1: Up to $5,000 per violation for violations due to negligence
  • Tier 2: Up to $25,000 per violation for a knowing or intentional violation
  • Tier 3: Up to $250,000 per violation for an intentional violation for financial gain

The maximum financial penalty was increased to $1.5 million per year for cases in which there was a pattern of noncompliance. Unlike the penalties for violations of HIPAA which increase each year to account for inflation, the penalties for violating HB300 have not increased since 2011.

However, unlike HIPAA, The Texas Medical Records Privacy Act as amended by HB300 also authorizes disciplinary action by licensing boards, exclusion from state healthcare programs, and the mandatory mitigation of improper disclosures – with Attorney General enforcement via court orders when necessary.

Amendments to Texas’ Breach Notification Requirements

A few years prior to the passage of HB300, Texas had passed the Identity Theft Enforcement and Protection Act requiring all businesses in Texas to notify affected individuals following a breach of “sensitive personal information” (Note: not necessarily health information). Texas HB300 amended the relevant section of the Business and Commerce Code to require entities covered by the Medical Privacy Act to notify residents of Texas of a data breach even if the Covered Entity is located outside Texas.

Covered Entities are required to notify the Texas Attorney General of all data breaches affecting 250 or more Texas residents; and, if a Covered Entity fails to comply with the breach notification requirements within 60 days, they can be fined $100 per individual, per day, up to a maximum of $250,000 per breach. Again, these penalties are additional to any imposed by HHS’ Office for Civil Rights for non-compliance with the HIPAA Breach Notification Rule.

Medical Privacy Act and HB300 Exemptions

The Medical Privacy Act and HB300 exempt certain entities from complying with Chapter 181 of the Health and Safety Code. Similar to HIPAA, employers are exempted in their roles of an employer (i.e., medical information maintained in an employment record is not PHI) except for the provisions of the Code relating to deidentified information and the marketing or sale of medical information.

The Texas Mutual Insurance Company (formerly the Texas Workers’ Compensation Insurance Fund) and workers’ compensation insurance companies are also partially exempted inasmuch as licensees are required to comply with Texas Insurance Code 28B “within the scope of the Medical Privacy Act”. Other entities exempted from compliance with the Medical Privacy Act and HB 300 include:

  • Not-for-profit agencies that pay for healthcare services or prescription drugs for indigent persons if the primary business of the agency is not the provision of healthcare services or reimbursement for healthcare services.
  • The American Red Cross in the context of accessing PHI necessary to perform its duties to provide disaster relief, disaster communications, or emergency leave verification services for military personnel.
  • Covered agencies (under §614.017 of the Health and Safety Code) with respect to the disclosure, receipt, transfer, or exchange of PHI relating to certain individuals in the custody of a covered agency or under its supervision.
  • Financial institutions in their role as payment processors. This includes when PHI or sensitive personal information is disclosed to settle a billing or payment dispute or when disclosed to a consumer reporting agency.
  • Schools and other educational institutions that are subject to the Family Educational Rights and Privacy Act (FERPA) in respect of medical information relating to students. (Note: Non-student medical information is not exempted).
  • Employee benefit plans and entities or individuals that act in connection with those plans (Note: Employee benefit plans exempted from the Texas Medical Privacy Act and HB300 may still be required to comply with HIPAA).
  • Entities or individuals that provide, administer, support, or coordinate benefits associated with compensation for victims of crime (added by Texas HB300).

While these entities may be exempted from complying with the Texas Medical Privacy Act and HB300, it is important to be aware that the exemptions may not apply to other Chapters of the Texas Code. For example, Chapter 159 of the Occupations Code governs communications between physicians and patients and when PHI can be disclosed to third parties without authorization, while Chapter 611 of the Health and Safety Code includes exemptions to the Occupations Code.

Additional Texas Medical Privacy and Security Laws

In addition to HIPAA and HB300, employees also need training on the Texas Identity Theft Enforcement and Protection Act and the Texas Data Privacy and Security Act, so they understand their responsibilities for protecting Texans’ personal data, detecting and responding to incidents, and issuing state-specific breach notifications. If the organization uses AI or automated systems with health information, Texas HB300 training should cover the Responsible AI Governance Act and SB1188, which address the use of AI with electronic health records and set expectations for oversight and risk management. In addition, staff whose duties are affected should receive role-focused training on the Texas Medical Practice Act and relevant parts of the Health and Safety Code and Occupations Code, so their everyday decisions comply with both HIPAA and the layered state requirements that apply in Texas.


Texas HB300 – FAQs

If a public school in Texas creates, maintains, processes, or transmits health data relating to students, is the school a Covered Entity under HIPAA?

If a public school in Texas creates, maintains, processes, or transmits health data relating to students, the school is not a Covered Entity under HIPAA because health data relating to students is considered to be part of a student’s education record under the federal Family Educational Rights and Privacy Act (FERPA). Both HIPAA and Chapter 181 of the Texas Health and Safety Code (the Medical Privacy Act as amended by HB 300) exempt health data covered by FERPA.

Do employees of HIPAA Covered Entities in Texas have to undergo both HIPAA training and HB300 training?

Employees of HIPAA Covered Entities in Texas have to undergo both HIPAA training and HB300 training. Employees of businesses or organizations that qualify as HIPAA Covered Entities or Business Associates also have to participate in an ongoing security and awareness training program as mandated by the Administrative Safeguards of the HIPAA Security Rule.

If a HIPAA Covered Entity in Texas experiences a data breach, could they be liable for two penalties – one for violating HIPAA and one for violating HB300?

If a HIPAA Covered Entity experiences a data breach, they could be liable for two penalties – one for violating HIPAA and one for violating HB300. In addition, if the Covered Entity fails to notify affected individuals and (where appropriate) the Office of the Texas State Attorney and HHS’ Office for Civil Rights in a timely manner, it could face two further penalties for violating the breach notification requirements.

Where is the connection between HB300 and the Texas Medical Privacy Act?

The connection between HB300 and the Texas Medical Privacy Act is that the Texas Medical Privacy Act is the section of the Health and Safety Code updated by HB300. In many areas, the Texas Medical Privacy Act is the equivalent of the HIPAA Privacy Rule with elements of the HIPAA Security Rule added.

Does HB300 only apply in Texas?

HB300 does not only apply in Texas. Out-of-state companies that possess, obtain, assemble, collect, analyze, evaluate, store, or transmit PHI in Texas must comply with the Texas Medical Privacy Act and HB300. Of note, HB300 also updated a section of the Business and Commerce Code relating to breach notifications, which applies to any entity or person inside or outside of Texas that manages, maintains, and uses PHI owned or stored within Texas.

With regards to breach notifications, it is important to be aware the threshold for reporting breaches to the Texas Attorney General (250 individuals) is lower than the threshold for reporting breaches to the Office for Civil Rights under HIPAA (500 individuals), and that breach notifications are required in Texas when any breach of sensitive personal information occurs – the information accessed, acquired, or compromised due to the breach does not have to be health information for a notification to be necessary.

How does HB300 limit permissible uses and disclosures of PHI?

HB300 limits permissible uses and disclosures of PHI by only allowing disclosures for treatment, payment, healthcare operations, or insurance/HMO purposes. Many uses and disclosures permitted by HIPAA under §164.512 of the HIPAA Privacy Rule (“… when an opportunity to agree or object is not required”) are not permitted by HB300.

However, the Texas Medical Privacy Act does allow for disclosures required by law. For example, it is not an impermissible disclosure under HB300 if a healthcare provider reports child abuse or neglect as required by Texas’ Family Code 262.101.

Is there any difference in the HB300 definition of PHI?

There is no difference in the HB300 definition of PHI. The Texas Medical Privacy Act uses a very similar definition of PHI to the HIPAA General Rules with the minor exceptions that the HIPAA definition clarifies that PHI can be oral, electronic, or paper, and that PHI is individually identifiable health information created or transmitted by a Covered Entity.

If a patient believes their PHI has been impermissibly disclosed, who do they complain to?

If a patient believes their PHI has been impermissibly disclosed, who they complain to can depend on the entity responsible for disclosing the information. If the entity is a Covered Entity under HIPAA, the patient can complain to the entity, HHS’ Office for Civil Rights and/or the Texas State Attorney. If the entity is not a Covered Entity under HIPAA, the patient can complain to the entity or the Texas State Attorney.

How is a sports team a Covered Entity under HB300?

A sports team is a Covered Entity under HB300 if it creates, receives, or transmits any individually identifiable health information about a team member. There are no special exemptions for entities that do not usually engage in healthcare or health insurance operations – every individual, business, or organization in Texas that has contact with individually identifiable health information is potentially a Covered Entity under HB300.

Have there been any further updates to Section 181 of the Health and Safety Code since HB300?

There have been several updates to Section 181 of the Health and Safety Code since HB300 – mostly administrative updates or repeals of subsections no longer in force. Most recently, Section 181 of the Health and Safety Code was updated in 2021 (by SB930) in response to the COVID-19 pandemic. This update permitted the disclosure of PHI to report communicable diseases in certain facilities.

Who enforces HB300?

HB300 is enforced by the Texas State Attorney via the Texas Health Services Authority and Texas Health and Human Services Commission in consultation with the Department of State Health Services, the Texas Medical Board, and the Texas Department of Insurance. Each agency has a role to play in upholding the standards of the Medical Privacy Act – similar to how HHS’ Office for Civil Rights and the Centers for Medicare and Medicaid Services share responsibility for upholding the HIPAA Administrative Simplification Regulations.

What is Texas HB300 and why was it introduced?

Texas HB300 is a bill passed by the Texas legislature in 2011 that updates Chapter 181 of the Texas Health and Safety Code. It was introduced to increase the privacy and security protections for Protected Health Information (PHI) in light of the HITECH Act which incentivized the adoption of Electronic Health Records (EHRs), which in turn increased the risk of data breaches due to more PHI being stored and transmitted electronically.

How does the Texas Medical Privacy Act define Covered Entities?

The Texas Medical Privacy Act defines Covered Entities as all entities (individuals, businesses, organizations, etc.) that assemble, collect, analyze, use, evaluate, store, or transmit Protected Health Information (PHI) of Texas residents, regardless of where the entity is located and regardless of where the subject of the PHI was located at the time PHI was collected.

What are the differences between the Texas Medical Privacy Act and the HIPAA Privacy Rule?

The differences between the Texas Medical Privacy Act and the HIPAA Privacy Rule include the broader definition of Covered Entities, fewer permissible uses and disclosures of PHI, different provisions for the use and disclosure of psychotherapy notes, and the prohibition of the reidentification of PHI without the subject’s authorization.

How does Texas HB300 change the requirements for patient authorizations?

Texas HB300 changes the requirements for patient authorizations from those in HIPAA by requiring Covered Entities to obtain a patient authorization for each electronic disclosure of PHI not expressly permitted by, or exempted from, Chapter 181 of the Health and Safety Code. This differs from HIPAA inasmuch as some electronic disclosures of PHI can be made under HIPAA with a patient’s verbal consent or when the disclosure is considered to be in the best interest of the patient.

What are the provisions of Texas HB300 regarding patient access to electronic PHI stored on EHRs?

The provisions of Texas HB300 regarding patient access to electronic PHI stored on EHRs are the same as HIPAA inasmuch as, if PHI is stored in the form or format requested by a patient, Covered Entities must provide the information in the requested form or format. If the PHI is not available in the requested format, it must be provided via hard copy or another format agreed with the patient.

The difference between the two sets of regulations is that Texas HB300 only gives Covered Entities fifteen days to respond to a patient access request, whereas the HIPAA Privacy Rule currently allows Covered Entities thirty days to respond to a patient access request. However, changes to the existing HIPAA timeframe have been proposed that would reduce the time allowed to fifteen days.

How does Texas HB300 permit the sale of PHI without an individual’s authorization?

Texas HB300 permits the sale of PHI without an individual’s authorization when the sale is to another healthcare provider for treatment, payment, health care operations, or to a group plan for insurance and health maintenance operations. However, the remuneration a Covered Entity can receive for the sale of PHI is limited to the cost of preparing and transmitting the PHI.

What training requirements did Texas HB300 introduce?

The training requirements introduced by Texas HB300 were that Covered Entities had to provide training “regarding the State and Federal laws concerning PHI” within 60 days of commencing employment, with refresher training every two years and whenever there was a material change to state and federal laws that affected individuals’ roles.

An amendment to HB300 passed in 2013 extended the time allowed for initial training to be provided from 60 days to 90 days and removed the requirement for refresher training to be provided every two years. However, many compliance experts agree that refresher training should be provided at least annually to prevent poor practices developing into a culture of non-compliance.

What are the penalties for non-compliance with Texas HB300?

The penalties for non-compliance with Texas HB300 have a tiered structure, with penalty limits increasing according to the nature and severity of non-compliant events. The limits range from up to $5,000 per violation for negligence to up to $250,000 per violation for an intentional violation for financial gain. The maximum financial penalty was increased to $1.5 million per year for cases in which there was a pattern of noncompliance.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
