Awareness article
Texas AG HIPAA Enforcement: What Clinics Need to Know
How the Texas Attorney General enforces Texas HB 300 and the Texas Health & Safety Code Ch. 181 alongside OCR — including HB 300 annual training requirements, Texas AG data breach enforcement, and how Texas AG actions differ from OCR investigations.
Short answer
Texas clinics face HIPAA enforcement by OCR and HB 300 enforcement by the Texas AG under Texas Health & Safety Code Ch. 181. HB 300 requires annual privacy training for all staff handling PHI and imposes penalties of up to $1.5 million per year for violations. Texas AG investigations focus on training compliance, breach notification, and privacy policy documentation.
Texas passed HB 300 in 2011, creating one of the most specific state-level health privacy enforcement frameworks in the country. Your clinic faces two separate enforcement systems: OCR for federal HIPAA compliance and the Texas AG for Health & Safety Code Chapter 181 compliance. Both can pursue the same underlying incident simultaneously — and each can result in penalties independent of the other.
For a full analysis of HB 300 versus HIPAA, see Texas HB 300 vs HIPAA. This article focuses specifically on how the Texas AG enforces HB 300 and what documentation Texas clinics need to defend against state enforcement.
Texas Health & Safety Code Chapter 181 and HB 300
Texas Health & Safety Code Chapter 181 governs the privacy of protected health information in Texas. HB 300, enacted in 2011, significantly expanded Chapter 181 by:
- Extending coverage beyond HIPAA covered entities to include any entity that creates, receives, obtains, maintains, uses, or transmits PHI in the course of business in Texas, regardless of whether they are a HIPAA covered entity;
- Requiring annual privacy training for employees who have access to PHI;
- Setting civil penalties for violations enforceable by the Texas AG;
- Requiring covered entities to maintain a current privacy policy.
The entity scope is broader than HIPAA: non-covered entities — such as businesses that receive PHI from covered entities for business purposes outside a formal BAA, school district employee health benefit programs, or certain employer-sponsored programs — may be subject to Chapter 181 even if they are not HIPAA covered entities.
HB 300 Annual Training Requirement
What § 181.101 requires
Texas Health & Safety Code § 181.101 requires covered entities to provide training on the requirements of Chapter 181 to each employee of the covered entity who is likely to have access to protected health information. The training must be provided not less than once per year.
How HB 300 training differs from HIPAA training
HIPAA’s Security Rule at 45 CFR § 164.308(a)(5) requires covered entities to implement a security awareness and training program for all members of the workforce. HIPAA’s Privacy Rule at 45 CFR § 164.530(b) requires training of all members of the workforce on the covered entity’s privacy policies and procedures.
Neither HIPAA provision specifies annual training explicitly. HIPAA requires training “as necessary and appropriate for each member of the workforce” and “when material changes” are made to policies. A covered entity that provides training once at hire and refreshes only when something changes may technically satisfy HIPAA.
HB 300 is explicit: annual training is mandatory for every employee with access to PHI. There is no “as necessary” qualification. Every year, every covered employee must receive training. This creates a concrete, calendar-based compliance obligation.
What the training must cover
The training must cover the requirements of Chapter 181 — Texas’s health privacy law, which incorporates and expands HIPAA. Topics a compliant annual training should include:
- The types of PHI covered by Chapter 181;
- Permitted uses and disclosures under Texas law (which is generally more restrictive than HIPAA’s default rules);
- Patient rights under Chapter 181;
- Breach notification requirements;
- Consequences of violations, including potential civil penalties.
Training content should be documented in detail. If the AG investigates, you must be able to show not just that training occurred, but what it covered.
Documenting annual training
This is the single most important compliance record for HB 300 purposes. For each training session, document:
- The date training was provided;
- The names of all employees who received training;
- The content covered (a training syllabus or module description);
- The trainer or training system used;
- Employee acknowledgment of completion (signature, electronic confirmation, or test score).
A clinic that cannot produce annual training records for all employees with PHI access has no defense against an HB 300 training enforcement action.
Texas AG Enforcement of Chapter 181
The Consumer Protection Division
The Texas AG’s Consumer Protection Division enforces Chapter 181. The Division has broad investigative authority, including the ability to issue civil investigative demands (subpoenas) for documents and information.
Civil penalty structure
Under Texas Health & Safety Code § 181.202, a covered entity that violates Chapter 181 is liable for a civil penalty. The penalty framework:
- Violations that occur more than 30 days after notice of noncompliance: up to $10,000 per violation per day;
- Intentional violations: up to $25,000 per violation per day;
- Cumulative cap: $1.5 million per calendar year for violations of a single Chapter 181 requirement.
These penalties are separate from and cumulative with OCR’s HIPAA civil monetary penalty tiers, which can also reach $1.9 million per violation category per year (adjusted for inflation). A single data incident at a Texas clinic can trigger both federal HIPAA penalties and Texas AG civil penalty litigation.
How Texas AG investigations are initiated
Texas AG investigations of Chapter 181 are typically complaint-driven or incident-driven:
Consumer complaints. Patients who believe their PHI was misused or improperly disclosed can file complaints through the Texas AG’s consumer complaint portal. The AG reviews health privacy complaints and may open an investigation.
Breach notifications. Breach notifications submitted under Texas Business & Commerce Code § 521.053 that reveal patterns of inadequate security or privacy practices may prompt AG interest in whether Chapter 181 compliance contributed to the breach.
Referrals from other agencies. The Texas Medical Board, the Texas Department of State Health Services, and other state agencies may refer matters to the AG when their own investigations reveal potential Chapter 181 violations.
Media reports. Significant healthcare data incidents reported in Texas media may prompt AG inquiries.
How Texas AG investigations differ from OCR
Legal standard. OCR investigates compliance with specific HIPAA requirements. The AG investigates compliance with Chapter 181, including the annual training requirement — an obligation OCR does not enforce because HIPAA contains no explicit annual training requirement.
Enforcement mechanism. OCR resolves investigations through corrective action plans and resolution agreements, with civil monetary penalties imposed administratively. The Texas AG can file a civil suit in state district court seeking civil penalties — the outcome is a court judgment, not an administrative resolution agreement.
Focus on training. HB 300’s annual training requirement is the most distinctive aspect of Chapter 181 enforcement. OCR investigations rarely focus on whether training happened annually — OCR looks at whether training was adequate and documented. The Texas AG specifically examines whether every employee with PHI access received training within the past year.
No private right of action. Unlike California’s CMIA, Chapter 181 does not create a private right of action for patients. Only the Texas AG can bring a civil penalty action. This makes AG enforcement the primary litigation risk — not patient lawsuits.
Texas Data Breach Notification: § 521.053
Texas Business & Commerce Code § 521.053 requires any person who conducts business in Texas and owns or licenses computerized data containing sensitive personal information to notify affected Texas residents of a breach as quickly as possible and within 60 days of discovering the breach.
Alignment with HIPAA
Texas’s 60-day deadline aligns with HIPAA’s 60-day ceiling. The two laws have different triggering conditions and notice content requirements, but the timeline is consistent. Texas clinics should calibrate breach response to meet both standards simultaneously.
AG notification for large breaches
Texas Business & Commerce Code § 521.053(j) requires entities that send notices to more than 250 Texas residents to also notify the Texas AG. This AG notification must occur at the time the individual notices are sent. This is an additional obligation alongside HIPAA’s requirement to notify HHS for breaches affecting 500 or more individuals in a state.
Content requirements
Texas requires breach notifications to include:
- A description of the breach;
- The type of sensitive information exposed;
- Contact information;
- Steps the individual can take to protect themselves.
This aligns with HIPAA’s notice content requirements at 45 CFR § 164.404(c). See HIPAA breach notification templates for a template framework that can be adapted to meet both sets of requirements.
Documentation for Defending Against Chapter 181 Enforcement
Texas clinics need the following documentation to defend against AG enforcement:
Annual training records. Complete records for every annual training cycle, documenting every employee who received training and what the training covered. This is non-negotiable — without it, there is no defense against a training violation claim.
Written privacy policy. Chapter 181 requires covered entities to maintain a current, written privacy policy. It must be available to employees and patients.
Risk analysis and risk management documentation. Evidence that the clinic assessed security and privacy risks and implemented measures to address them. See HIPAA risk analysis worksheet as a starting framework.
Breach response records. Documentation of how each security incident was assessed, what the breach determination was, and what notifications were provided. Include timelines demonstrating compliance with the 60-day deadline.
Vendor management. Business Associate Agreements and evidence that vendors were assessed for compliance. Chapter 181 extends to business associates — confirm your BAA program is current. See how small clinics track vendor BAAs.
Privacy policy acknowledgments. Employee sign-offs confirming receipt and review of the clinic’s privacy policy — annually, consistent with the training requirement.
Responding to a Texas AG Inquiry
If the Texas AG contacts your clinic regarding a Chapter 181 matter:
- Engage Texas healthcare compliance counsel immediately. Responses to the AG’s civil investigative demands are legally compelled.
- Preserve all potentially relevant records.
- Review the demand carefully and respond through counsel.
- Demonstrate remediation. The AG’s enforcement posture considers whether the organization has corrected the problem.
See HIPAA administrative safeguards for the federal baseline that also supports Texas Chapter 181 compliance.
PHIGuard supports Texas clinics with annual training tracking, compliance documentation, vendor BAA management, and incident response — with a BAA included at every plan level and no per-user fees. Visit phiguard.app/hipaa or review pricing.
Sources
- Texas Health & Safety Code Chapter 181 (HB 300) · Texas Legislature
- Texas Business & Commerce Code § 521.053 — Breach Notification · Texas Legislature
- Texas AG Consumer Protection Division · Texas AG
- 45 CFR Parts 160 and 164 — HIPAA Privacy and Security Rules · eCFR