Texas House Bill 300 Significantly Expands State’s Patient Privacy Protections for Covered Entities

Texas House Bill 300 Significantly Expands State's Patient Privacy Protections for Covered Entities

Texas patient privacy protections will soon become more substantial. During the 82nd legislative session in 2011, the Texas Legislature adopted House Bill 300 ("HB 300"), which amends the Texas Medical Records Privacy Act ("Texas Act") and takes effect on September 1, 2012.[1] Since HB 300's effective date is nearing, Texas covered entities, including out-of-state companies that use and/or disclose protected health information ("PHI") in Texas, must be aware of, and take steps now to ensure compliance with, the new statutory requirements. In particular, HB 300 significantly expands patient privacy protections for Texas covered entities beyond those federal requirements as outlined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health (or "HITECH") Act[2] by:

  • revising the definition of a "covered entity";
  • increasing mandates on covered entities, including requiring customized employee training;
  • establishing standards for the use of electronic health records ("EHRs");
  • granting enforcement authority to several state agencies; and
  • increasing civil and criminal penalties for the wrongful electronic disclosure of PHI.

HB 300 significantly expands the definition of a Texas "covered entity."[3] Beginning September 1, a "covered entity" will be defined as any person/entity who:

    1. for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information;
    2. comes into possession of protected health information;
    3. obtains or stores protected health information under this chapter; or
    4. is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

This revised definition is broad and includes not only health care providers but those entities and individuals who under the "HIPAA Privacy Rule," a federal regulation that protects the privacy of individually identifiable health information, would be classified as business associates and health care payers. In addition, the Texas Act's "covered entity" definition includes governmental units, information or computer management entities, schools, health researchers, health care facility, clinics, and persons who maintain an Internet site. As a result, this revision impacts any entity that conducts business in Texas and collects, uses, and/or stores PHI.

In addition to expanding the definition of a "covered entity," mandatory customized employee training regarding state and federal patient privacy and security laws is one of the significant changes to the Texas Act through the adoption of HB 300.[4] Training must cover federal and state regulatory requirements as well as include the covered entity's course of business and employees' scope of employment as it relates to PHI use and disclosure.[5] Employees of covered entities must complete training at least once every two years and not later than 60 days after their hire date.[6] This training requirement is an expansion of the HIPAA Privacy Rule, which does not currently require customized staff training. Instead, HIPAA requires that employees be trained "within a reasonable period of time" after hire and after any material changes in applicable policies.[7]

Under the new law, Texas covered entities must provide patients with their EHRs in electronic format within 15 business days after receipt of a written request. The Texas Health and Human Services Commission will soon recommend a standard format for the release of EHRs that is consistent with federal law.[8] Also, following the Office of Civil Rights' recent lead, the website of the Office of the Attorney General of Texas will contain consumer access to public health information to educate members of the public,[9] including the steps to take to file a complaint with applicable state agencies and their contact information. These state agencies will file annual complaint reports to the Attorney General of Texas. Then, the Attorney General will provide an annual report to the Texas Legislature that includes an overview and statistical analysis of the complaints received.

The law also broadens the scope of covered entities' Notice of Privacy Practices or other general notices to inform patients about how their e-PHI is used and disclosed.[10] Note that for some entities, this will mean the need to issue a notice if the PHI is subject to electronic disclosure, e.g., for entities such as business associates that would not be required to issue a Notice of Privacy Practices under the HIPAA Privacy Rule. In addition, HB 300 authorizes civil penalties ranging from $5,000 to $1.5 million for data breaches, depending on the severity of the breach, the covered entity's compliance program, if entity was certified,[11] and its efforts to correct the violation.[12] Besides these increased civil monetary penalties, a data breach may also be classified as a felony.[13]


With the September 1, 2012, effective date quickly approaching, Texas covered entities should take immediate steps to ensure compliance with the new more stringent state requirements. To meet this deadline, covered entities should ramp up their efforts to provide customized employee training on state and federal privacy and security requirements, update their Notice of Privacy Practices, and review and update policies to incorporate the new statutory requirements.

* * *

This Client Alert was authored by Pamela D. Tyner. For additional information about the issues discussed in this Client Alert, please contact the Epstein Becker Green attorney who regularly handles your legal matters.

The Epstein Becker Green Client Alert is published by EBG's Health Care and Life Sciences practice to inform health care organizations of all types about significant new legal developments.

Lynn Shapiro Snyder, Esq.



[1] Texas House Bill 300 amends Chapter 181, Texas Medical Records Privacy Act of the Texas Health and Safety Code.

[2] 45 C.F.R., Parts 160 and 164.

[3] Section 181.001(b), Texas Health and Safety Code.

[4] Section 181.101, Texas Health and Safety Code.

[5] Section 181.101(a), Texas Health and Safety Code.

[6] Section 181.101(b), Texas Health and Safety Code.

[7] 45 C.F.R. Section 164.530 (b)(2). The HIPAA Privacy Rule also requires that covered entities document training that has been provided.

[8] HIPAA allows covered entities 30 days to respond to a request to provide copies of EHRs.

[9] Section 181.104, Texas Health and Safety Code.

[10] Section 181.154, Texas Health and Safety Code.

[11] Section 182.108(d) of the Texas Health and Safety Code authorizes the Texas Health Services Authority to establish a certification process for covered entities based on their past compliance with applicable privacy and security standards. This statute was also added through the adoption of HB 300.

[12] Section 181.201, Texas Health and Safety Code.

[13] Section 522.002(b), Texas Business and Commerce Code.