Texas Medical Privacy Law

The Texas Medical Privacy Law, regulated by the Texas Attorney General, puts stringent regulations on entities handling ePHI – Electronic Protected Health Information.

It expands the scope of “covered entities” beyond HIPAA, and it builds on the HITECH Act (Meaningful Use), the HIPAA Security and Privacy Rules, a comprehensive risk assessment, and a BCDR plan.


Depending on the level of intent (theft vs. accidental disclosure), penalties can range from $5,000 to $1.5M for every year of PHI or ePHI disclosure.

Penalties for non-compliance are the most costly. A HIPAA breach in the state of Texas could cost your organization up to $2,000 per record, per incident.

Additional punitive actions can include revocation of licensing. HB 300 Texas penalties/fines are above and beyond any fines levied by the federal government under HIPAA or HITECH.

Spohn’s Training Group can customize a Security Education Training and Awareness (SETA) program to meet your organization's unique requirements for compliance with TX HB 300.


Covered Entities

Under Texas HB 300, covered entities include:

  • Those engaged in the practice of assembling, collecting, analyzing, storing or transmitting ePHI or PHI
  • Those that come into the possession of ePHI or PHI
  • Those that obtain or store ePHI or PHI, or that are an employee, agent, or contractor of a person described above, if they maintain, use, transmit, receive, obtain, or create PHI or ePHI (in accordance with Texas Health and Safety Code, §181.001(b)(2)).

Training Requirements

  • All organizations covered under Texas HB 300 must provide ongoing training to their employees regarding state and federal laws concerning PHI and ePHI. This goes beyond HIPAA section 164.308(a)(5), which states that covered entities must “implement a security awareness and training program for all members of its workforce (including management).”
  • Training must be catered to your particular type of business and tailored to the specific job role of the individual employee.
  • The training must be completed no later than the 60th day after the employee’s start date; current employees have 60 days from enactment of the law (October 30, 2012).
  • This training must be ongoing and repeated at least once every two years.
  • Documentation of the training must be maintained for all individuals attending online or classroom training programs. Records may be either electronic or in writing.