How HIPAA’s Covered Entity Exemption Works Under the Texas Data Privacy and Security Act
Overview of the Texas Data Privacy and Security Act
The Texas Data Privacy and Security Act (TDPSA) establishes baseline duties for businesses that process Texans’ personal data. It took effect on July 1, 2024, and centers on transparency, purpose limitation, data minimization, reasonable security, consumer rights, and consent for sensitive data. For many health-sector organizations, the most consequential provision is how HIPAA’s covered entity exemption functions.
The law’s scope is broad: it applies to entities doing business in Texas or offering products or services to Texas residents, with a limited small-business carve‑out. It also contains a State Agency Exemption, meaning state agencies fall outside the statute. Understanding these lines is essential for sound data privacy compliance and for avoiding duplicative or conflicting obligations.
Scope of HIPAA Covered Entities
HIPAA “Covered Entities” include health plans, health care clearinghouses, and most health care providers that transmit health information in electronic form. “Business Associates” are vendors or service providers that create, receive, maintain, or transmit Protected Health Information (PHI) on a covered entity’s behalf. PHI is individually identifiable health information related to an individual’s health status, provision of care, or payment for care.
Because HIPAA was designed to govern PHI across treatment, payment, and operations, many day‑to‑day clinical and revenue cycle workflows already operate under prescriptive privacy, security, and breach rules. The TDPSA recognizes that framework and carves out activities covered by HIPAA and HITECH, preventing double regulation where HIPAA already applies.
Specific Exemptions for HIPAA Covered Entities
The TDPSA exempts Covered Entities and Business Associates to the extent they are regulated by HIPAA for the processing at issue. In practice, activities involving PHI under HIPAA’s rules are outside TDPSA’s controller obligations, including consumer access and deletion under state law, opt‑out signals for targeted advertising, and data protection assessments for those HIPAA‑governed operations.
However, organizations should test each use case. Data that is not PHI—such as website analytics, advertising identifiers, or mobile app telemetry for general marketing—may fall outside HIPAA. If an activity is not governed by HIPAA, the TDPSA can apply unless another exemption does. Mapping where HIPAA ends and TDPSA begins is the key to avoiding gaps.
Types of Data Exempt Under the TDPSA
- Protected Health Information processed by Covered Entities and Business Associates under HIPAA and HITECH.
- De‑identified data meeting HIPAA’s de‑identification standard.
- Clinical Trial Data processed in accordance with recognized research protocols and oversight.
- Research records and identifiable private information used for human‑subjects research under applicable ethics and institutional review requirements.
- Data processed by a Texas state agency (State Agency Exemption).
- Publicly available information and other categories excluded by statute, in line with common state privacy law carve‑outs.
These exemptions are narrow and activity‑based. If the same organization processes personal data outside these categories (for example, consumer marketing profiles unrelated to PHI), those datasets may still be subject to the TDPSA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Implications for Compliance
Create a data inventory that distinguishes PHI from non‑PHI across systems. Label systems and data elements so you can route requests correctly and apply the right rule set—HIPAA rights for PHI and TDPSA rights for consumer personal data where applicable. This PHI/non‑PHI demarcation is the single most important operational control.
Update privacy notices to explain which data sets are governed by HIPAA versus state privacy law. Build a triage workflow for consumer requests so PHI follows HIPAA access rules, while non‑PHI consumer data receives TDPSA responses (confirm, access, correction, deletion, and portability as applicable).
Review vendor contracts. When a vendor is a Business Associate, HIPAA terms control PHI. For marketing, analytics, or other non‑PHI services, use TDPSA‑aligned data processing addenda and ensure opt‑out mechanisms for targeted advertising or sale are honored where required.
Obtain opt‑in consent before processing sensitive personal data that is not PHI. Train teams to avoid commingling PHI with consumer marketing data, and perform data protection assessments (DPIAs) for high‑risk non‑PHI activities when the TDPSA requires them.
Relationship Between TDPSA and HIPAA
HIPAA and the TDPSA are complementary: HIPAA focuses on the confidentiality, integrity, and availability of PHI in care and payment contexts, while the TDPSA governs broader consumer personal data. Both demand transparency and appropriate security, but their rights frameworks differ. For example, HIPAA’s Right of Access is narrower in scope but more prescriptive for PHI, whereas the TDPSA creates consumer rights for non‑PHI personal data.
De‑identification illustrates the interaction. If data is de‑identified under HIPAA’s standard, it is generally outside HIPAA and also typically exempt under the TDPSA’s de‑identification carve‑out. Conversely, identifiable consumer data collected on a hospital’s public website for advertising may be in scope for TDPSA controls even though the same entity is a HIPAA Covered Entity for clinical operations.
Enforcement and Penalties Under TDPSA
The Texas Attorney General enforces the TDPSA. There is no private right of action. The statute provides a cure period for certain violations and authorizes civil penalties of up to $7,500 per violation, along with injunctive relief. Documenting your HIPAA versus TDPSA scoping decisions, consent records, and request‑handling procedures will be crucial evidence of good‑faith compliance.
Conclusion
In short, how HIPAA’s covered entity exemption works under the TDPSA comes down to activity scope: PHI processed under HIPAA sits outside the TDPSA, while non‑PHI consumer data may be covered. Clear data mapping, precise notices, disciplined vendor management, and tailored request workflows let Covered Entities and Business Associates honor both regimes without conflict.
FAQs
What entities are exempt from the TDPSA due to HIPAA?
Covered Entities and Business Associates are exempt for processing that is governed by HIPAA and HITECH. When they handle PHI within HIPAA’s rules, the TDPSA’s controller obligations do not apply to that activity.
How does the exemption affect data handling requirements?
HIPAA continues to control PHI, including privacy notices, access rights, and security safeguards. The TDPSA may still apply to non‑PHI consumer data (for example, marketing or analytics data), so you should route requests and controls by dataset—HIPAA rules for PHI, TDPSA requirements for in‑scope non‑PHI.
Are business associates subject to the TDPSA?
Business Associates are generally exempt when they process PHI under HIPAA. If a Business Associate handles non‑PHI consumer data or provides services outside HIPAA’s scope, the TDPSA can apply to those activities unless another exemption covers the data.