How to Comply with Texas PHI Breach Notification Requirements: A Practical Guide
Assess the Breach Impact
Stabilize, contain, and preserve evidence
Start by isolating affected systems, revoking suspect access, and preserving logs, emails, and device images. Quick containment limits further unauthorized access to PHI and keeps your investigation clean for legal, insurance, and regulatory review.
Determine whether the incident is a reportable breach
Evaluate whether PHI was actually compromised, not merely exposed. Apply the HIPAA four-factor risk assessment and Texas Health and Safety Code standards: examine the data types involved, the unauthorized person who accessed or received the PHI, whether the data was viewed or exfiltrated, and how effectively you mitigated the risk. Document your reasoning in writing.
Map systems, people, and data
Identify the systems touched, the timeframe, and each individual whose PHI may be impacted. Distinguish Texas residents from others, because Texas PHI Breach Notification Requirements apply alongside HIPAA and may trigger state-specific steps.
Decide if encryption changes the analysis
If PHI was encrypted to strong, industry-recognized standards and keys were not compromised, your risk may be lower. Record the exact controls in place at the time of the event to support your healthcare data security compliance posture.
Notify Affected Individuals
Craft clear, actionable notices
Your notice should plainly explain what happened, what information was involved, what you are doing in response, and what recipients can do next. Include contact options (toll‑free number or email) and offer protective measures where appropriate (e.g., credit monitoring if financial identifiers were involved).
Choose compliant delivery methods
Send written notices directly, typically by first‑class mail or by email if the individual has agreed to electronic notice. If some addresses are out of date or unknown, use substitute notice consistent with HIPAA while keeping the audience and potential harm in mind.
Honor the deadline
Provide notice without unreasonable delay and no later than 60 calendar days after discovery. Build in proofreading, leadership sign‑off, translation needs, and mail-house lead time so you meet the data breach reporting deadline comfortably.
Report to Texas Attorney General
Know when this step is required
File a Texas Attorney General data breach report if the breach affects 250 or more Texas residents. This state report is in addition to individual notifications and any HIPAA reporting to federal regulators.
Prepare the required content
Have the following ready: a description of the nature and circumstances of the breach being reported to the Texas Attorney General, the number of affected Texas residents, the types of data involved, the date range of the incident, the date notices were sent, the method of distribution, the states impacted, remediation steps taken, and a sample of the individual notice.
File on time and keep proof
Submit to the Attorney General without unreasonable delay and no later than 60 days after discovery when the 250‑resident threshold is met. Save submission confirmations and screenshots for your records.
Report to Department of Information Resources
Confirm applicability
This step applies to Texas state agencies, public institutions of higher education, certain local governments, and contractors handling state‑owned or controlled systems or data. Private healthcare entities that are not state agencies typically do not file with DIR.
Submit a Department of Information Resources Incident Report
If applicable, file a Department of Information Resources Incident Report promptly after detection, following your organization’s obligations under Texas rules (such as 1 TAC Chapter 202) and DIR guidance. Coordinate with your security operations, privacy, and legal teams to ensure accuracy and timely escalation of major incidents.
Synchronize messaging
Align DIR reporting with individual and Attorney General notices so facts, dates, counts, and mitigation steps match across filings. Keep a single source of truth for all incident data to avoid inconsistencies.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Maintain Breach Records
Create a defensible documentation package
Maintain the investigation plan, forensic findings, risk assessment, decision memos on reportability, drafts of notices, final mail lists, call center scripts, and copies of all filings (including any Texas Attorney General and Department of Information Resources Incident Report submissions). Version and date each artifact.
Follow retention expectations
Retain breach documentation and related policies for at least six years, consistent with HIPAA retention requirements and Texas Health and Safety Code recordkeeping expectations. Ensure records are secure, searchable, and accessible for audits or inquiries.
Understand Legal Timelines
Key deadlines to calendar
- Individual notices: without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI.
- Texas Attorney General: if 250+ Texas residents are affected, file within the same outer 60‑day window.
- HIPAA regulator and media: for breaches affecting 500+ individuals in a state or jurisdiction, notify the federal regulator and prominent media within 60 days; for fewer than 500, report to the regulator no later than 60 days after the end of the calendar year.
- Law enforcement delay: if an official written request states that notice would impede an investigation, delay notifications until the restriction is lifted or the specified period ends.
Timing best practices
Start the clock on the day you confirm a breach and aim to finish well before day 60. Build a timeline that includes executive review and printing/mailing lead times, and rehearse your approval path in advance.
Implement Preventative Measures
Strengthen access and data protections
Limit PHI access to least privilege, require multifactor authentication, encrypt data at rest and in transit, and segment high‑risk systems. Regularly test backups and practice ransomware tabletop exercises so you can restore quickly and avoid prolonged unauthorized access to PHI.
Harden processes and people
Update incident response runbooks, ensure 24/7 escalation paths, and conduct role‑based privacy training consistent with the Texas Health and Safety Code (HB 300) and HIPAA. Track completion, enforce refresher cycles, and verify that vendors meet your PHI Breach Notification Requirements in contracts.
Monitor continuously and remediate fast
Deploy endpoint detection, log aggregation, and alert triage for rapid containment. Use post‑incident reviews to fix root causes, close audit findings, and align with healthcare data security compliance goals.
By assessing impact quickly, notifying the right audiences on time, coordinating Texas Attorney General and DIR reporting when applicable, and preserving a robust record, you can meet Texas PHI Breach Notification Requirements and strengthen your overall security posture.
FAQs
What information must be included in a Texas PHI breach notification?
Include a clear description of what happened, the dates involved, the types of PHI implicated, steps the individual can take to protect themselves, what your organization is doing to investigate and mitigate the incident, and how to contact you (toll‑free number, email, or mailing address). Keep the language straightforward and actionable.
When should breaches be reported to the Texas Attorney General?
Report to the Texas Attorney General when a breach affects 250 or more Texas residents. File without unreasonable delay and no later than 60 days after discovery, and keep proof of submission with your incident file.
How do state agency breach reporting requirements differ?
Texas state agencies, public universities, and certain local governments may have to submit a Department of Information Resources Incident Report in addition to HIPAA and individual notices. The DIR timeline and content are set by Texas rules and DIR guidance, so verify your entity’s specific obligations and escalate major incidents immediately.
What are the penalties for non-compliance with Texas PHI breach rules?
Penalties can include significant civil fines under the Texas Health and Safety Code and federal HIPAA, as well as enforcement actions, settlement agreements, and reputational harm. Failing to meet deadlines, omitting required content, or keeping inadequate records are common drivers of penalties—plan ahead to avoid them.