Texas HB 300 vs. HIPAA: Key Differences for Clinics
How Texas HB 300 expands HIPAA's scope, definitions, and training requirements for Texas-covered entities, including clinics, and what compliance obligations go beyond the federal baseline.
Short answer
Texas HB 300, codified in Texas Health and Safety Code Chapter 181, expanded HIPAA's protections for Texas patients when it took effect in 2012. It defines covered entities more broadly than HIPAA, requires documented privacy training on fixed deadlines, carries its own civil penalties, and gives the Texas Attorney General independent enforcement authority. Texas clinics must comply with both frameworks and, where they differ, follow the more protective rule.
Texas House Bill 300, which took effect September 1, 2012, is codified at Texas Health and Safety Code Chapter 181. It was passed explicitly to strengthen the protections HIPAA provides to Texas patients by expanding the law’s reach, mandating training, increasing penalties, and giving the state independent enforcement authority.
A Texas clinic that is already HIPAA-compliant is not automatically HB 300-compliant. The two frameworks overlap but differ in several areas where HB 300 is stricter.
Who HB 300 covers
HIPAA applies to covered entities — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standard transactions.
HB 300 defines a covered entity as any person who, with real or constructive knowledge, engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information; any person who comes into possession of, obtains, or stores protected health information; and any employee, agent, or contractor of such a person. This reaches employers, data analytics companies, research organizations, and other entities that handle Texans' health information even if they are neither HIPAA covered entities nor business associates.
For a medical clinic, the practical effect is that HB 300 covers the clinic's workforce directly and may reach vendor and contractor relationships that fall outside HIPAA's business associate definition.
Training requirements
Texas Health and Safety Code section 181.101 requires every covered entity to train its employees on state and federal law concerning protected health information, tailored to each employee's duties. A new employee must complete the training within 60 days of hire, every employee must repeat it at least once every two years, and each employee must sign a statement (electronically or in writing) verifying attendance, which the covered entity must retain.
HIPAA also requires workforce training: the Privacy Rule (45 CFR 164.530(b)) requires training when a person joins the workforce and when policies change materially, and the Security Rule (45 CFR 164.308(a)(5)) requires an ongoing security awareness and training program. Neither rule prescribes a fixed interval. HB 300's 60-day and two-year deadlines and its signed attendance records are independently enforceable by the Texas AG.
Penalties
Texas Health and Safety Code section 181.201 sets a tiered civil penalty structure for violations of Chapter 181:
- Up to $5,000 for each violation committed negligently.
- Up to $25,000 for each violation committed knowingly or intentionally.
- Up to $250,000 for each violation in which protected health information was knowingly or intentionally used for financial gain.
Each tier applies per violation that occurs in one year, regardless of how long the violation continues. If a court finds the violations frequent enough to constitute a pattern or practice, the total civil penalty is capped at $1.5 million per year. These penalties are separate from, and may be assessed in addition to, the HIPAA civil monetary penalties at 45 CFR 160.404.
The Texas AG may sue for these penalties and for injunctive relief without waiting for OCR to initiate a federal proceeding. Chapter 181 also exposes a covered entity to disciplinary action by its state licensing agency and, for a pattern or practice of violations, to exclusion from state-funded programs such as Medicaid.
Breach notification
HB 300 did not add a breach notification section to Chapter 181. Instead, it amended Texas's breach notification statute, Business and Commerce Code section 521.053, which treats health information as sensitive personal information and which HB 300 extended to any person conducting business in Texas, regardless of whether the affected individuals live in Texas. Notice to affected individuals must be given without unreasonable delay and, under later amendments, no later than 60 days after the person determines that a breach occurred, a timeline that parallels HIPAA's Breach Notification Rule (which runs from discovery).
Section 521.053, as amended in 2019 and 2023, also imposes an obligation that has no federal counterpart: if the breach affects 250 or more Texas residents, the breached entity must notify the Texas AG as soon as practicable and no later than 30 days after determining that the breach occurred, using the AG's electronic reporting form. This is a standalone state obligation; HIPAA's 500-record threshold governs notice to HHS and the media, not to the Texas AG.
What Texas clinics should do beyond their HIPAA program
- Train every employee who handles PHI on Chapter 181 and federal requirements within 60 days of hire and at least once every two years; this can be a module inside the clinic's HIPAA training as long as the state-law content is covered.
- Collect and retain a signed attendance statement from each employee for every training session, and put the two-year renewal date on the compliance calendar.
- Confirm that breach response procedures include Texas AG notification under Business and Commerce Code 521.053 for breaches affecting 250 or more Texas residents, with its own 30-day deadline tracked separately from the HIPAA timeline.
- Review whether any vendors or contractors that handle clinic health information are covered under HB 300 but not under HIPAA's business associate definition, and add contractual privacy and breach-notification obligations accordingly.
Sources
- Texas Health and Safety Code Chapter 181 — Medical Records Privacy · Texas Legislature
- Texas Business and Commerce Code Chapter 521 — Unauthorized Use of Identifying Information · Texas Legislature
- Texas Attorney General — HB 300 Overview · Texas Attorney General
- 45 CFR Parts 160 and 164 · eCFR