What is Texas HIPAA: Texas HIPAA Laws

Texas HIPAA Laws

Texas has two laws that serve as the state equivalent of the federal Health Insurance Portability and Accountability Act (HIPAA). The first, the Texas Medical Records Privacy Act (“TMRPA”), is essentially Texas’ version of the HIPAA Privacy Rule. The TMRPA regulates covered entities’ use and disclosure of protected health information and requires them to train their workforce on privacy requirements.

A 2012 amendment to the TMRPA, known as HB 300, imposed stricter training requirements and penalties for entities violating Texans’ medical privacy. The second of the two Texas HIPAA laws is the Texas Identity Theft Enforcement and Protection Act (TITEPA). This Texas HIPAA law is Texas’ equivalent of a data breach notification law. The Texas data breach notification law was amended in 2019, imposing additional breach reporting requirements. Both of the Texas HIPAA laws are discussed below.

Texas HIPAA: The Texas Medical Records Privacy Act

Texas HB 300, which amended the Texas Medical Records Privacy Act, imposes specific requirements on covered entities that are more stringent than those of HIPAA. HB 300 expanded upon existing Texas HIPAA law in three significant ways.

Definition of a Covered Entity Under Texas HB 300

Texas HB 300 revised and expanded the definition of a covered entity. Under the federal HIPAA law, “covered entities” (i.e., entities that must strictly follow HIPAA) are defined as health care providers, health care plans, or medical clearinghouses. 

Under HB 300, the Texas HIPAA law, a covered entity is any Texas individual, business, or organization that:

  • Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI;
  • Comes into possession of PHI; or
  • Obtains or stores PHI.

Under Texas HIPAA law, the definition of PHI is the same as the federal HIPAA definition. However, the Texas HIPAA definition of “covered entity” covers employees, agents, contractors, and people or entities described in the above bullet points, so long as they create, receive, obtain, maintain, use, or transmit PHI. 

This means that under Texas HIPAA law, a business associate is considered to be a type of covered entity, as are healthcare payers, governmental units, information or computer management entities, schools, and health researchers, among other entities.


Texas HIPAA Training Requirements

Texas HIPAA training requirements, imposed by HB 300, are stricter than those in the HIPAA Privacy Rule. Under Texas HIPAA law, every covered entity must provide training on PHI to employees, both under the Texas Medical Records Privacy Act and under HIPAA. 

While the Texas definition of PHI is the same as the federal HIPAA definition, Texas law on PHI diverges from HIPAA in several ways. One of the differences concerns the right of access. Texas law has a shorter deadline for how promptly an organization must respond to a request to access PHI than HIPAA does.

Employees of Texas HIPAA covered entities must complete the Texas HIPAA training requirements no later than the 90th day after their hire. There is no Texas HIPAA certification, just as there is no federal HIPAA certification. If an employee’s duties at a covered entity are affected by a material change in Texas or federal law concerning protected health information, the employee must receive training within a reasonable period, but no later than the first anniversary of the date the material change in law takes effect. A covered entity must require employees who receive training to sign, electronically or in writing, a statement verifying the employee’s completion of training. The covered entity must maintain the signed statement until the sixth anniversary of the date the statement is signed.

HIPAA Violations in Texas

The penalties for non-compliance with Texas HB 300 can be as costly as the HIPAA fines for a violation. The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation. State medical licenses can also be revoked in cases where an entity or individual has demonstrated continued noncompliance. 

As with HIPAA, the penalties for non-compliance with Texas HB 300 are broken down into