
HIPAA Compliance for Texas Medical Clinics

Texas HB 300 imposes annual HIPAA training requirements and a broader entity scope than federal HIPAA. This guide covers what Texas clinics must do to satisfy both federal HIPAA and the Texas Health & Safety Code Chapter 181.

Short answer

Texas medical clinics must satisfy both federal HIPAA and the Texas Health & Safety Code Chapter 181 (Texas HB 300), which requires annual workforce training on privacy protections, extends covered entity-equivalent obligations to a broader set of entities, and authorizes the Texas AG to impose civil penalties up to $1.5 million per violation category. The overlap between HB 300 and HIPAA means Texas clinics must treat state compliance as an additional layer, not a substitute.

Texas medical clinics operate at the intersection of federal HIPAA requirements and the Texas Medical Records Privacy Act, enacted through House Bill 300 and codified primarily at Texas Health & Safety Code Chapter 181. HB 300 is one of the most comprehensive state health privacy laws in the country, and its requirements in several areas exceed what HIPAA mandates. Texas practice administrators must treat HB 300 compliance as a distinct obligation running alongside HIPAA, not as a state-law paraphrase of federal requirements.

HIPAA Baseline Requirements Every Texas Clinic Must Meet

Before addressing Texas-specific requirements, note that every Texas medical clinic that transmits any health information in electronic form in connection with a covered transaction is a HIPAA-covered entity. The core HIPAA obligations are:

Privacy Rule (45 CFR Part 164, Subpart E). Covered entities must implement policies and procedures governing the use and disclosure of PHI, provide patients with a Notice of Privacy Practices, honor patient rights (access, amendment, accounting of disclosures, restrictions), and train workforce members on privacy policies. The Privacy Rule’s administrative requirement at 45 CFR § 164.530 includes workforce training, sanctions, complaint receipt, and documentation.

Security Rule (45 CFR Part 164, Subpart C). Covered entities must conduct a documented risk analysis (§ 164.308(a)(1)), implement administrative, physical, and technical safeguards, execute business associate agreements with all business associates, and maintain security policies and incident response procedures.

Breach Notification Rule (45 CFR Part 164, Subpart D). Covered entities must notify affected individuals within 60 days of discovering a breach, notify HHS, and for breaches affecting 500 or more individuals in a state, notify prominent media outlets in that state.

For a detailed breakdown of HIPAA’s administrative requirements, see HIPAA administrative safeguards. For audit log requirements under the Security Rule’s technical safeguard provisions, see HIPAA audit log requirements for small clinics.

Texas HB 300: Entity Scope Broader Than HIPAA

HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. Business associates have direct liability under HITECH for Security Rule compliance, but remain business associates — not covered entities — under HIPAA.

Texas Health & Safety Code § 181.001(b)(2) takes a different approach. Under HB 300, “covered entity” includes both HIPAA-covered entities and any person who, for compensation, receives, stores, maintains, uses, or transmits PHI and who is not a HIPAA-covered entity but who performs work related to or on behalf of a HIPAA-covered entity. This brings Texas business associates within the full scope of Chapter 181 as covered entities under Texas law.

In practice, this means:

  • A billing company processing Texas patient claims faces direct Texas-law obligations, not just contractual obligations under a BAA
  • An IT vendor storing PHI for a Texas clinic is a covered entity under Texas law
  • An answering service or after-hours nurse triage service that handles PHI is a covered entity under Texas law

For Texas clinic administrators, this reinforces the importance of tracking vendor BAAs — a vendor’s Texas-law obligations are not limited to what the BAA specifies.

Annual Training Requirement

Health & Safety Code § 181.101 requires every covered entity to provide training to employees regarding the requirements of Chapter 181 and HIPAA. The training must be provided:

  • To each employee at least annually
  • Not later than the 90th day after the date the employee is hired
  • When there are material changes to HIPAA or Chapter 181 affecting the employee’s responsibilities

The “at least annually” requirement is more specific than HIPAA’s standard at 45 CFR § 164.530(b), which requires training “as necessary and appropriate for the members of the workforce to carry out their functions.” A HIPAA-compliant training program that provides comprehensive initial training and then only trains on material policy changes may not satisfy Texas’s annual training mandate if it does not deliver periodic training at least once per year to every PHI-handling employee.

Texas clinics should document:

  • The date of each employee’s annual training
  • The content covered (Chapter 181 requirements + HIPAA)
  • Who delivered the training and in what format
  • A record of completion signed or acknowledged by each employee

Training documentation must be maintained as required by Texas Health & Safety Code § 181.201, and the AG may request production of training records during an investigation.
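The three § 181.101 triggers above (90 days after hire, at least annually, on material change) and the four documentation fields turn into a mechanical check. The following is an added example, not code from this article or from PHIGuard; the employee records are constructed, and only a fully documented, acknowledged session counts as evidence.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

NEW_HIRE_DAYS = 90   # § 181.101: train not later than the 90th day after hire
ANNUAL_DAYS = 365    # § 181.101: train each employee at least annually


@dataclass
class TrainingRecord:
    completed: date
    content: str        # what was covered, e.g. "Chapter 181 + HIPAA"
    trainer: str        # who delivered the training
    fmt: str            # delivery format, e.g. "live" or "e-learning"
    acknowledged: bool  # employee signed or acknowledged completion


@dataclass
class Employee:
    name: str
    hired: date
    records: list = field(default_factory=list)


def documented(rec):
    """A session is evidence only if every documentation field is present."""
    return bool(rec.content and rec.trainer and rec.fmt and rec.acknowledged)


def training_status(emp, today):
    """Return (current, next_due, lapses) for one employee as of `today`.

    `current` is True while the employee is inside the 90-day new-hire window
    or has documented training within the last 365 days. `lapses` lists every
    deadline that was missed historically (late initial training, or more than
    a year between sessions), which is what an AG records request would surface.
    """
    dates = sorted(r.completed for r in emp.records
                   if documented(r) and r.completed >= emp.hired)
    # deadline 0 is the new-hire deadline; each session sets the next annual one
    deadlines = [emp.hired + timedelta(days=NEW_HIRE_DAYS)]
    deadlines += [d + timedelta(days=ANNUAL_DAYS) for d in dates]
    lapses = []
    for i, due in enumerate(deadlines):
        # the i-th deadline is met by the i-th session, or by today if none yet
        met_by = dates[i] if i < len(dates) else today
        if met_by > due:
            lapses.append(due)
    next_due = deadlines[-1]
    return today <= next_due, next_due, lapses
```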

Electronic PHI Disclosure Restrictions

Texas Health & Safety Code § 181.154 imposes additional restrictions on electronic disclosures of PHI. An entity covered by Chapter 181 may not electronically disclose a patient’s PHI unless the patient has consented to electronic disclosure through a method that meets specific requirements, or a specific exception applies.

The Texas Medical Practice Act at Occupations Code § 159.002 provides that a physician may not disclose patient information without written consent from the patient — or as authorized by specific exceptions. For electronic disclosures, the intersection of § 181.154 and § 159.002 means Texas physicians and clinics must have documented consent for electronic PHI disclosures, beyond what HIPAA’s TPO exception alone would require.

Review your electronic communication practices — including EHR access by third parties, electronic referrals, and electronic release-of-records systems — to confirm you have compliant patient authorization before electronic disclosures occur.

Texas AG Enforcement

The Texas AG has authority under Health & Safety Code § 181.201 to investigate violations of Chapter 181 and to seek civil penalties. Penalties range from:

  • A minimum of $5,000 for violations that are negligent, up to $25,000 per violation
  • Up to $250,000 per violation for violations that are intentional or knowing
  • Criminal penalties for intentional violations of Chapter 181 — a third-degree felony for a subsequent offense

The AG may count each day of a continuing violation as a separate violation, and the annual aggregate cap for penalties is $1.5 million per violation category. The Texas AG’s healthcare enforcement focus has included actions against providers for PHI exposure, so Texas clinic administrators should not treat state-level enforcement as a theoretical concern.

State AG Enforcement vs. OCR

Texas clinics may face investigation and penalty from both OCR (under HIPAA) and the Texas AG (under HB 300) for the same underlying incident. OCR and the Texas AG do not divide jurisdiction between them; both can act independently. OCR resolution agreements often include corrective action plans (CAPs) that require multi-year compliance monitoring; Texas AG enforcement may impose additional civil penalties concurrently.

Five Action Items for Texas Clinics

1. Implement and document annual PHI training. Create a training calendar that delivers annual training to every PHI-handling workforce member. Document completion records for each employee. Do not rely on new-hire training alone to satisfy § 181.101.

2. Review business associate agreements for Texas-specific obligations. Confirm that every vendor with access to PHI has an executed BAA that covers Texas HB 300 compliance obligations, not only federal HIPAA. Include a representation that the vendor will comply with Chapter 181 requirements directly applicable to it as a covered entity under Texas law.

3. Audit electronic PHI disclosure practices. Identify every electronic channel through which PHI leaves the clinic — EHR integrations, electronic referral systems, patient portal communications, and electronic record release. Verify that patient authorization has been obtained for electronic disclosures where required by § 181.154.

4. Confirm breach notification procedures meet Texas requirements. While Texas’s Chapter 181 deadline tracks HIPAA’s 60-day ceiling, “as soon as possible” language means earlier notification is expected whenever feasible. Build a 30-day target into your incident response plan as an internal benchmark.

5. Maintain a complete risk analysis. Both HIPAA and HB 300 require security risk analysis. Ensure your documented risk analysis is current — updated after any significant change in your clinic’s systems or operations. Use the HIPAA risk analysis worksheet as a starting framework.

Texas-Specific Context: Mental Health Records

Texas clinics providing mental health services must also comply with the Texas Mental Health Code (Health & Safety Code Title 7) and the Texas Medical Practice Act provisions governing mental health record confidentiality. Texas imposes specific restrictions on disclosure of mental health records that operate alongside HIPAA’s psychotherapy note protections. A clinic providing psychiatric medication management or behavioral health services should conduct a specific review of applicable Texas Health & Safety Code provisions beyond Chapter 181.

For a comprehensive overview of HB 300’s relationship with HIPAA, see Texas HB 300 vs HIPAA.

PHIGuard helps Texas clinics document annual training, maintain policy records, and manage breach notification timelines — all with current plan details published on the pricing page. With Texas AG enforcement active and independent of OCR, documented compliance is an operating requirement, not a best practice. See PHIGuard’s compliance tools or review plan pricing.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions related to this topic

What does Texas HB 300 require beyond HIPAA for workforce training?

HIPAA's Privacy Rule at 45 CFR § 164.530(b) requires covered entities to train workforce members on their privacy policies and procedures as necessary and appropriate for each member to carry out their functions. HB 300 (Health & Safety Code § 181.101) requires covered entities to provide annual training specifically on the requirements of Chapter 181 and HIPAA. 'Annual' is more specific than HIPAA's 'as necessary and appropriate' standard. A Texas clinic must document that every workforce member who handles PHI receives annual training, not merely initial training upon hire.

Does Texas HB 300 apply to vendors who handle PHI?

Yes. Texas Health & Safety Code § 181.001(b)(2) defines a covered entity to include any person who receives, stores, maintains, uses, or transmits PHI for remuneration, and who is not a HIPAA-covered entity but who performs work on behalf of a HIPAA-covered entity. This creates direct HB 300 obligations on vendors — business associates and subcontractors — that receive PHI. Texas treats these parties as covered entities under state law, not just as downstream parties subject only to contractual obligations as under federal HIPAA.

How does Texas AG enforcement of HB 300 interact with OCR's HIPAA enforcement?

The Texas AG has independent authority to enforce Chapter 181 of the Health & Safety Code. AG civil penalties under § 181.201 can reach $1.5 million per violation category per calendar year. OCR's HIPAA civil monetary penalties under 45 CFR § 160.404 are likewise capped by statute at $1,500,000 per violation category per year (inflation-adjusted to approximately $2,134,831 as of 2024 under 45 CFR 102.3). Both agencies can pursue the same underlying incident, so a covered entity may face penalties from both Texas and the federal government for the same breach or compliance failure. Texas clinics must address compliance with both frameworks.

What is the Texas breach notification requirement under Chapter 181?

Health & Safety Code § 181.156 requires covered entities to notify affected individuals of a breach of PHI without unreasonable delay and as soon as possible — no later than 60 days after discovering the breach, consistent with HIPAA's Breach Notification Rule. Texas does not impose a shorter deadline than HIPAA's 60 days, but the 'as soon as possible' language means Texas clinics should aim to notify well before the 60-day ceiling whenever feasible.
