Texas Data Breach Notification Law

Two Texas laws regulate Texans’ health information privacy. The first, the Texas Medical Records Privacy Act (“TMRPA”), is Texas’ version of HIPAA. The TMRPA regulates covered entities’ use and disclosure of protected health information and requires covered entities to train their workforce on the requirements of both the TMRPA and HIPAA. The TMRPA underwent a major overhaul in 2012, when Texas HB 300 was signed into law. HB 300 amended the TMRPA to impose stricter training requirements and stricter penalties on entities that violate the law’s provisions.

The other Texas law that addresses health information privacy (as well as consumer privacy generally) is the Texas Identity Theft Enforcement and Protection Act. This Texas data breach notification law was likewise amended, by HB 4390, and the amended law went into effect on January 1, 2020. The Texas data breach notification law is discussed below.

Who is Subject to the Texas Data Breach Notification Law?

The Texas data breach notification law applies to people and entities in Texas that own or license computerized data containing “sensitive personal information.” The law also applies to any entity or person outside of Texas that manages, maintains, or uses sensitive personal information that is owned or stored in Texas. Any person who violates the Act may be liable for civil penalties issued by the Texas Attorney General.

What is “Sensitive Personal Information” Under the Texas Data Breach Notification Law?

“Sensitive Personal Information” is defined as an individual’s first name or first initial and last name in combination with any one (or more) of the following items:

  • Social Security Number
  • Driver license number or government-issued ID number
  • Bank account number
  • Credit or debit card number
  • The security codes of those credit or debit cards

“Sensitive Personal Information” also includes information that identifies an individual and relates to:

  • The physical or mental health or condition of the individual
  • The provision of health care to the individual
  • Payment for the provision of health care to the individual

The definition of sensitive personal information under the Texas data breach notification law is essentially the same as the definition of PHI under HIPAA – personally identifiable information, combined with information relating to a person’s health status; healthcare they have received, are receiving, or will receive; or healthcare payment.

Under the Texas data breach notification law, businesses must implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect sensitive personal information from unlawful use or disclosure.

What is a Data Breach Under the Texas Data Breach Notification Law?

A data breach is defined by the Texas data breach notification law as “an unauthorized acquisition of computerized data” that compromises the “security, confidentiality, or integrity” of sensitive personal information.

Under the Texas data breach notification law, an entity must disclose any breach of system security after discovering or receiving notification of the breach. Disclosure must be made to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made without unreasonable delay and, in any event, no later than 60 days after determining that a breach occurred.

There is an additional requirement for entities that must provide notification of a data breach affecting at least 250 Texas residents. These entities must also notify the Texas Attorney General of the breach no later than 60 days after determining that a breach has occurred. The notification must contain the following information:

  • A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach
  • The number of Texas residents affected by the breach at the time of notification
  • The measures taken by the entity regarding the breach
  • Any measures the entity intends to take regarding the breach after notification
  • Information regarding whether law enforcement is investigating the breach

If an entity is required to notify, at one time, more than 10,000 individuals of a breach, the entity must also notify all consumer reporting agencies of the timing, distribution, and content of the notices. The notification to consumer reporting agencies must be made “without unreasonable delay.”
