Beginner’s Guide to Texas HB 300: What It Is, Who It Covers, and How to Stay Compliant


Kevin Henry

HIPAA

March 29, 2025

6 minutes read

Texas HB 300 strengthens privacy protections for Protected Health Information (PHI) beyond federal HIPAA. If you handle PHI for Texas patients—whether you are a provider, a vendor, or a support service—this guide shows you who is covered, what training is required, the rights patients hold, and how to maintain compliant records.

Use this overview to confirm whether you are a covered entity, build role-based training, respond to Patient Access Rights on time, and document your program so you can demonstrate compliance if regulators come knocking.

Definition of Covered Entities

Under Texas HB 300, “Covered Entities” include far more than traditional hospitals and clinics. Any person or organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI about a Texas resident may be covered. That can include health plans, billing services, IT vendors, cloud providers, attorneys, accountants, and other business associates that touch PHI.

If you operate in Texas or serve Texas residents and your work brings you into contact with PHI—even indirectly—you should assume HB 300 applies. This broad scope is designed to close gaps where PHI flows through contractors, apps, and support services outside the four walls of a medical practice.

  • Examples: medical practices, dental offices, pharmacies, telehealth platforms, claims processors, EHR vendors, shredding and storage companies, and consulting firms handling PHI.
  • Key takeaway: Coverage follows the PHI, not the job title. If PHI passes through your systems or staff, treat yourself as a covered entity.

Training Requirements for PHI Handling

HB 300 mandates role-based privacy training so employees, volunteers, and contractors know how to handle PHI relevant to their duties. You must train new workforce members within 90 days of hire and provide refreshers at least once every two years. When laws or your policies change in a way that affects job duties, provide additional, timely training.

Maintain Training Documentation for each person trained. Keep signed acknowledgments and training logs that list dates, topics, and role-based curricula. Retain these records for at least six years. Tailor modules by function—front desk, billing, clinical, IT, marketing—so each person learns the safeguards they actually use.

  • Cover access controls, minimum necessary use, secure communication, disposal and media sanitization, breach recognition and reporting, and verification of identity.
  • Include vendor oversight expectations for staff who work with business associates and external systems.

Patient Rights under Texas HB 300

Texas HB 300 reinforces Patient Access Rights and adds Texas-specific timelines and restrictions. Patients have the right to receive a notice of privacy practices, access and obtain copies of their PHI, request amendments, and seek restrictions on certain uses and disclosures. They also have the right to an accounting of disclosures and to be notified of qualifying breaches.

You must implement processes that make these rights real: standardized request forms, identity verification, clear fees consistent with state limits, and a reliable fulfillment workflow. Train staff to recognize marketing and fundraising restrictions and to route any unconventional disclosure requests for privacy review.

Penalties for Non-Compliance

Texas can impose Civil Penalties in addition to federal HIPAA fines. Penalties escalate with the actor’s intent and the number of violations. Negligent violations can be fined up to thousands of dollars per violation per year; knowing or intentional violations carry higher amounts; and violations involving the sale or misuse of PHI can reach significantly higher tiers, including six-figure penalties.

Beyond money, the Texas Attorney General may seek Injunctive Relief—court orders to stop unlawful practices, implement safeguards, or submit to oversight. Serious misconduct can also trigger criminal exposure under other state laws, as well as contractual liability with business partners. A strong compliance program reduces these risks and demonstrates good-faith efforts if investigated.

Restrictions on Sale of PHI

HB 300 sharply restricts the sale of PHI. You may not disclose PHI for remuneration without a patient’s valid, written authorization, except for narrow exceptions such as treatment, payment, health care operations, public health reporting, or as otherwise required or permitted by law.

Marketing uses of PHI require special caution. Ensure any communications involving third-party payment or promotion are reviewed for authorization requirements. When possible, use de-identified data. Keep records of authorizations and any remunerated disclosures to show compliance.

Access to Electronic Health Records

If you maintain Electronic Health Records, you must provide access to PHI within 15 business days of a patient’s request—faster than the federal HIPAA baseline. Provide the records in the form and format requested if readily producible; if not, supply a readily usable alternative electronic format.

Adopt a standardized intake and fulfillment workflow: confirm identity, log the request, route to the record custodian, export securely, and transmit through an encrypted channel or secure portal. You may charge a reasonable, cost-based fee permitted under Texas rules. Document each step for audit readiness.

Maintaining Compliance Documentation

Documentation is your evidence. Maintain written privacy policies, procedures, and role-based training plans; Training Documentation with signed acknowledgments; business associate inventories and agreements; risk analyses and remediation plans; incident and breach logs; patient request logs and response timelines; and your current notice of privacy practices.

Keep records for at least six years and review them annually. Perform periodic audits to confirm minimum necessary access, verify user permissions, test deletion and disposal procedures, and spot-check disclosures for proper authorization. Update policies when laws or your operations change, and capture the effective date and approval history.

Bottom line: Texas HB 300 expects you to know who you are (a covered entity if you touch PHI), train your workforce, honor Patient Access Rights on time, restrict marketing and sales of PHI, and keep thorough records that prove it. Doing these consistently protects patients and shields your organization from penalties and injunctions.

FAQs

What entities are considered covered under Texas HB 300?

Any organization or individual that assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI about a Texas resident can be a covered entity. That includes providers, health plans, clearinghouses, and a wide range of business associates such as billing vendors, IT and cloud providers, consultants, and professional services that handle PHI.

What are the training requirements mandated by HB 300?

You must deliver role-based training within 90 days of hire, refresh it at least every two years, and provide additional training when laws or policies materially change. Keep signed acknowledgments and training logs for at least six years to demonstrate compliance.

How can patients access their medical records under HB 300?

Patients have the right to timely access. If you use Electronic Health Records, you must fulfill requests within 15 business days and provide records in the requested electronic form and format when readily producible—or in a readily usable alternative if not.

What penalties can be imposed for non-compliance with Texas HB 300?

Texas can impose civil penalties that scale with intent—from negligent to knowing or intentional violations—with higher penalties when PHI is sold or misused. The Attorney General may also seek injunctive relief to halt violations and require corrective actions, and separate federal HIPAA penalties may apply.
