HIPAA Training in Texas Explained: HB 300 Scope, Who Needs It, Examples


Kevin Henry

HIPAA

May 22, 2024

7 minutes read
Scope of Texas HB 300

Texas HB 300 amends the Texas Medical Records Privacy Act to layer state protections on top of HIPAA. It applies to any Texas “covered entity” that creates, receives, maintains, uses, or transmits Protected Health Information (PHI)—a definition that reaches far beyond traditional healthcare providers. You must follow both State and Federal PHI Laws and apply the stricter rule when they differ.

What HB 300 adds beyond HIPAA

  • Broader covered entity definition that includes business associates and many non‑healthcare organizations handling PHI in Texas.
  • Faster patient access to electronic records (15 business days) and specific rules for electronic disclosure and authorization of PHI.
  • Customized, role‑based training requirements and explicit Training Recordkeeping duties for Compliance Verification.

Key terms you will use

  • Protected Health Information: individually identifiable health information in any form that relates to a person’s health, care, or payment for care.
  • State and Federal PHI Laws: HIPAA’s Privacy and Security Rules plus Texas Health & Safety Code Chapter 181 (HB 300).

Training Requirements and Frequency

HB 300 requires you to provide HIPAA Training in Texas that is necessary and appropriate for each employee’s job duties and the organization’s course of business. Training must explain how your workforce uses, discloses, safeguards, and requests PHI under both state and federal rules.

Timing and refreshers

  • New hires: complete training no later than the 90th day after the hire date.
  • Material legal changes: provide updated training within a reasonable period, and in all cases no later than one year after the change takes effect.

There is no standing requirement in HB 300 to retrain on a fixed biennial cycle. The 2011 version of the law did require training at least once every two years, but the Texas Legislature removed that fixed cycle in 2013 (SB 1609), leaving new hires and material legal changes as the only statutory triggers. Many organizations still deliver annual refreshers to reinforce expectations and document ongoing compliance.

Role‑specific content

  • Align scenarios, do’s and don’ts, and minimum necessary standards with each role’s day‑to‑day PHI handling.
  • Cover your own policies for access, disclosure authorization, breach reporting, and secure technologies employees must use.

Documentation of Training

HB 300 requires Training Recordkeeping sufficient for Compliance Verification. Each trained employee must sign—electronically or on paper—a statement verifying completion. You must retain that signed verification for six years from the signature date.

What to keep on file

  • Signed completion statements (retain six years).
  • Training date(s), delivery format, and roster to prove who attended.
  • Agenda or syllabus and materials used, showing coverage of State and Federal PHI Laws and role‑based topics.
  • Any knowledge checks or attestations, plus remedial steps for employees who need follow‑up.

Penalties for Non-Compliance

Texas can enforce HB 300 through injunctions, civil penalties, licensing actions, and program exclusions. Penalties escalate with culpability and the pattern or practice of violations.

Negligent Violation Penalties

  • Up to $5,000 per violation in a single year, regardless of how long the violation continues during that year.

Knowing Violation Penalties

  • Up to $25,000 per violation in a single year when the violation is committed knowingly or intentionally.

Intentional Violation Penalties

  • Up to $250,000 per violation if PHI is knowingly or intentionally used for financial gain.

Additional enforcement levers

  • Courts may assess up to $1.5 million annually for violations constituting a pattern or practice.
  • Licensing boards can impose probation, suspension, or revocation; entities may be excluded from state‑funded health programs for patterns of non‑compliance.

Examples of Covered Entities

Under HB 300’s broad definition, “covered entities” include many organizations beyond clinics and hospitals. If you obtain, store, transmit, analyze, or otherwise handle PHI in Texas, you likely fall in scope—even if you are based out of state.

  • Healthcare providers and facilities: physician and dental practices, behavioral health clinics, ambulatory surgery centers, pharmacies.
  • Health plans and intermediaries: payers, TPAs, billing services, clearinghouses, revenue cycle vendors.
  • Business associates and service providers: IT managed service providers, EHR and telehealth platforms, cloud and backup providers, call centers, shredding and records storage vendors.
  • Professional firms handling PHI: law firms, accountants, consultants working with claims, litigation, or audit files containing PHI.
  • Website operators and HIEs: organizations that collect PHI through online intake or exchange systems.
  • Schools in limited cases: school health clinics or activities involving PHI outside FERPA‑covered education records.

Compliance Best Practices

Build a living compliance program that operationalizes HB 300 and HIPAA. Your goal is to prevent incidents and to demonstrate Compliance Verification when asked.

Program foundations

  • Map PHI flows, identify lawful uses/disclosures, and apply the minimum necessary standard.
  • Adopt clear, written policies covering access, authorization for electronic disclosure, retention, and breach response timelines.
  • Complete periodic risk analyses and remediate gaps in access controls, encryption, and audit logging.

Training and oversight

  • Deliver onboarding within 90 days; schedule targeted refreshers whenever laws or internal policies materially change.
  • Maintain Training Recordkeeping for at least six years; audit completion rates and document remedial training.
  • Hold vendors to contractual safeguards; verify their training and security practices when they handle your PHI.

Patient rights and transparency

  • Be prepared to provide electronic records within 15 business days of a valid request.
  • Post required notices about electronic disclosure of PHI and use the state‑approved authorization when needed.

Employee Role-Based Training

HB 300 expects training tailored to your business model and job functions. Focus on realistic scenarios employees face when handling PHI.

Examples by role

  • Front desk and schedulers: identity verification, call‑in disclosures, sign‑in sheet etiquette, minimum necessary when speaking in public areas.
  • Clinical staff: treatment disclosures, secure messaging, photographing or recording patients, incident reporting and mitigation steps.
  • Billing and RCM: payer‑to‑provider disclosures, denials/appeals with attachments, data minimization, and secure file exchange.
  • IT and security: access provisioning, encryption at rest/in transit, patching, multi‑factor authentication, log review, vendor access oversight.
  • Marketing and outreach: marketing vs. treatment communications, prohibition on sale of PHI for remuneration without a permissible exception.
  • Leaders and supervisors: oversight responsibilities, sanctions for violations, documentation standards, and breach decision trees.

Conclusion

HIPAA Training in Texas under HB 300 centers on a broad scope, role‑based content, timely onboarding within 90 days, and meticulous Training Recordkeeping to prove compliance. By aligning your policies, workforce practices, and vendor controls with State and Federal PHI Laws, you reduce risk and stay prepared for audits, investigations, and patient requests.

FAQs

Who must complete HIPAA training under Texas HB 300?

All employees of Texas “covered entities” who handle or may access PHI must complete training. Because HB 300’s covered entity definition is broad, this includes not only providers and health plans but also business associates and many service organizations that create, receive, maintain, use, or transmit PHI in Texas.

What is the frequency requirement for HIPAA training in Texas?

Employees must complete initial training no later than the 90th day after hire. When there is a material change in State or Federal PHI Laws that affects an employee’s duties, the employee must receive updated training within a reasonable period and, in all cases, within one year of the change. There is no fixed biennial requirement in HB 300.

What records must be kept to prove compliance with HB 300?

You must collect a signed verification (electronic or paper) from each trainee and retain it for six years from the signature date. Keep supporting artifacts—dates, rosters, agendas/materials, and any knowledge checks—to strengthen Compliance Verification and respond to audits.

What are the penalties for failing to comply with Texas HB 300?

Texas may seek injunctions and civil penalties that scale by culpability: up to $5,000 per negligent violation per year, up to $25,000 per knowing or intentional violation per year, and up to $250,000 per violation if PHI is knowingly or intentionally used for financial gain. Patterns or practices can reach $1.5 million annually, and licensing actions or exclusion from state programs can apply for egregious cases.
