Texas Data Breach Notification Law

Several Texas laws regulate Texans’ health information privacy. The first, the Texas Medical Records Privacy Act (“TMRPA”), is Texas’ version of HIPAA. The TMRPA regulates certain TMRPA-covered entities’ use and disclosure of protected health information, and requires certain covered entities to train their workforce on state and federal PHI requirements. The TMRPA underwent a major overhaul in 2012, when Texas HB 300 was signed into law.
Texas HB 300 amended the TMRPA. HB 300 requirements include the following:
- Certain entities defined as “covered entities” under the TMRPA must respond to patient requests for access to electronic health records within 15 days of the request
- Certain entities defined as “covered entities” under the TMRPA may not sell patient PHI in the absence of a patient authorization
- Certain entities defined as “covered entities” under the TMRPA must provide notices to patients of electronic disclosures of their PHI, and must obtain patient authorization for such disclosures
The other Texas law that addresses health information privacy (as well as consumer privacy generally) is the Texas Identity Theft Enforcement and Protection Act (ITEPA). This Texas data breach notification law went into effect in 2009, was amended by HB 300 in 2012, and was amended by HB 4390 in 2020. The Texas data breach notification law is discussed below.
Who is Subject to the Texas Data Breach Notification Law?
The Texas data breach notification law applies to people and entities in Texas that own or license computerized data in the form of “sensitive personal information.” The law also applies to any entity or person outside of Texas that manages, maintains, or uses sensitive personal information that is owned or stored in Texas. Any person who violates the Act may be liable for civil penalties, which are pursued by the Texas Attorney General.
What is Sensitive Personal Information (SPI)?
SPI includes a Texas resident’s first name or initial and last name in combination with any one or more of the following pieces of information:
- Social Security number
- Driver’s license number or government-issued identification number
- Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Information that identifies an individual and relates to:
  - The physical or mental health or condition of the individual
  - The provision of health care to the individual
  - Payment for the provision of health care to an individual
The definition of sensitive personal information under the Texas data breach notification law is similar to the definition of PHI under HIPAA: personally identifiable information combined with information relating to a person’s health status; healthcare they have received, are receiving, or will receive; or healthcare payment.
What Obligations Does ITEPA Impose?
The Texas data breach notification law, ITEPA, imposes an obligation on persons who conduct business in Texas and who own or license computerized data that includes sensitive personal information.
These persons, under the Texas data breach notification law, must disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose SPI was, or is reasonably believed to have been, acquired by an unauthorized person.
Under ITEPA, a breach is defined as “an unauthorized acquisition of computerized data” that compromises the “security, confidentiality, or integrity” of sensitive personal information.
What Are the Penalties for an ITEPA Violation?
When ITEPA was passed in 2009, a person who violated ITEPA was liable to the State of Texas for a civil penalty of at least $2,000 but no more than $50,000 for each violation. ITEPA provided that the Texas Attorney General could bring a lawsuit to recover this penalty. In 2012, HB 300 strengthened this provision of ITEPA by adding a civil penalty of up to $100 for each individual to whom notification is due, for each consecutive day that the person fails to comply with ITEPA.
What Amendments Did HB 4390 Make to ITEPA?
Before ITEPA was amended by HB 4390 in 2020, persons who conducted business in Texas and owned or licensed computerized data that includes sensitive personal information were required to disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law set no fixed deadline for that disclosure.
HB 4390 added this requirement to the Texas data breach notification law:
The disclosure must be made without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.
HB 4390 and subsequent legislation also added this requirement to the Texas data breach notification law:
A person who is required to disclose or provide notification of a breach of system security must notify the Texas Attorney General of that breach not later than the 60th day after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of Texas. The notification must be submitted electronically using a form accessed through the Attorney General’s website and must include:
- A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach
- The number of residents of this state affected by the breach at the time of notification
- The number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification
- The measures taken by the person regarding the breach
- Any measures the person intends to take regarding the breach after the notification under this subsection
- Information regarding whether law enforcement is engaged in investigating the breach
What Does Compliancy Group’s HB 300 Program Offer?
Compliancy Group’s HB 300 Program can be used by entities subject to the law to monitor their HB 300 compliance. The program contains an HB 300 policy template, a series of program controls (actions to take), and a QuickStart guide that entities covered by the law can use to create and maintain an HB 300 compliance program.