Texas HB 300: What It Is
Texas Health and Safety Code Chapter 181 — commonly known as HB 300 — was enacted in 2011 and significantly expanded healthcare privacy requirements for Texas-based entities. It applies to a broader set of organizations than federal HIPAA and imposes additional training, consent, breach notification, and penalty provisions. For Texas medical practices, HB 300 compliance is not optional — and it is separate from HIPAA.
Key Texas HB 300 Requirements
- Training within 90 days of hire — All employees with PHI access must complete Texas-specific privacy training within 90 days of employment (federal HIPAA does not specify this timeline)
- Biennial training refresh — Training must be repeated at least every two years for all covered employees
- Broader entity coverage — HB 300 covers entities that may not be HIPAA covered entities: any person who assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI for commercial purposes may be subject to Texas law
- Electronic disclosure restrictions — Written authorization is required before electronically disclosing PHI in most circumstances
- EHR audit controls — Covered entities with EHR systems must implement electronic audit controls tracking PHI access
Texas HB 300 Penalties
- Negligent violation: $5,000 per violation
- Knowing or intentional violation: $25,000 per violation
- Violation with intent to sell PHI: $250,000 per violation
These penalties are enforced by the Texas Attorney General and are in addition to any federal HIPAA penalties imposed by OCR. Texas can pursue civil actions independently of federal enforcement.
Texas Breach Notification Requirements
In addition to the federal HIPAA 60-day breach notification window, Texas law requires notification to affected individuals "as quickly as possible." For breaches affecting 250 or more Texas residents, notification to the Texas Attorney General is required. AuditVault includes a dual breach notification workflow covering both HHS and Texas AG requirements.
Texas Medicaid: HHSC Exclusion Screening
Practices participating in Texas Medicaid must screen against the Texas Health and Human Services Commission (HHSC) exclusion list — separate from the federal OIG LEIE. An individual excluded from Texas Medicaid is not necessarily on the federal list. Both must be checked monthly, with documentation. AuditVault screens both lists in a single monthly workflow.
Texas Medical Records Privacy Act (TMRPA)
The Texas Medical Records Privacy Act provides additional patient rights protections that overlay HIPAA's privacy requirements. AuditVault's policy library and patient rights tracking cover TMRPA requirements as part of the Texas compliance module.
Built in Dallas. Built for Texas.
Birkert Technology is a Dallas-based company. AuditVault is designed from the ground up for the Texas market — full HB 300 compliance controls are built in, not bolted on. We understand the Texas regulatory environment because we operate in it.