Texas Breach Notification Law for Healthcare: What HIPAA and HB 300 Require
HIPAA Breach Notification Requirements
HIPAA’s Breach Notification Rule requires covered entities and business associates to notify after any breach of unsecured protected health information (PHI). A breach is presumed reportable unless you document a low probability of compromise using HIPAA’s four‑factor risk assessment (nature/extent of PHI, who received it, whether it was actually viewed/acquired, and mitigation). Encryption that renders PHI unusable to unauthorized persons provides a safe harbor, but only if the encryption meets HHS guidance and the decryption key was not compromised along with the data; in practice, document which systems were encrypted, how, and where the keys lived before relying on it. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Timelines and thresholds
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Business associates must notify the covered entity on the same “without unreasonable delay”/≤60‑day timeline. The 60‑day clock starts the day the breach is known or, with reasonable diligence, should have been known; if the business associate is acting as your agent, its discovery is imputed to you, so the clock starts when it discovers the breach, not when it tells you. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404?utm_source=openai))
- Notify HHS/OCR: for breaches involving 500 or more individuals, within 60 days of discovery; for fewer than 500, within 60 days after the end of the calendar year in which the breach was discovered (the annual log can be submitted breach by breach or in one batch). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html?utm_source=openai))
- Notify the media when a breach affects 500 or more residents of a state or jurisdiction, within 60 days of discovery. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Required content of HIPAA notices
Individual notices must include a description of what happened (including dates), the types of PHI involved, steps individuals should take, what you’re doing to investigate and mitigate harm, and your contact methods. Media notices must contain the same elements. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Substitute notice and website posting
If you lack current contact information for fewer than 10 people, use alternative means such as phone or email. If 10 or more are unreachable, provide substitute notice via a prominent homepage posting for 90 days or by major print/broadcast media in areas where affected individuals likely reside, and include a toll‑free number active for 90 days. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404?utm_source=openai))
Documentation and burden of proof
Maintain breach risk assessments, notices, and related decisions for at least six years; you bear the burden of demonstrating compliance with the Breach Notification Rule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Texas HB 300 Notification Obligations
Texas HB 300 (Texas Health & Safety Code Chapter 181, the Texas Medical Records Privacy Act) expands obligations beyond HIPAA by broadly defining “covered entity,” imposing workforce training and faster access to electronic health records, and layering state breach reporting requirements via Texas’s Identity Theft Enforcement and Protection Act (Business & Commerce Code Chapter 521). When HIPAA and Texas rules both apply, you should follow the stricter requirement or the shortest applicable deadline. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_title_2_subtitle_i_chapter_181?utm_source=openai))
Workforce training under HB 300
- Train employees on state and federal PHI laws within 90 days of hire and when material legal changes affect their duties; obtain signed acknowledgments and retain training records for six years. ([thsa.org](https://thsa.org/wp-content/uploads/2021/05/THSA_Model_Privacy_Policies_Procedures_10-13.pdf))
Faster access to electronic health records
- If you use an EHR capable of fulfilling requests, you must provide an individual’s electronic health record within 15 business days of a written request (unless the individual agrees to another format or an exception applies). ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/DocViewer.aspx?DocKey=HS%2FHS.181&ExactPhrase=False&HighlightType=1&Phrases=Texas%7CBody%7CPro%7C2&QueryText=Texas+Body+Pro+2&utm_source=openai))
Texas breach reporting overlay
- Notify affected individuals “as quickly as possible” and no later than the 60th day after determining a breach occurred, consistent with law enforcement needs and remediation. ([law.justia.com](https://law.justia.com/codes/texas/business-and-commerce-code/title-11/subtitle-b/chapter-521/subchapter-b/section-521-053/?utm_source=openai))
- Notify the Texas Attorney General electronically if the breach involves at least 250 Texas residents, as soon as practicable and no later than 30 days after determining the breach occurred (effective September 1, 2023). The AG report must include specified details such as the nature/circumstances of the breach, number of Texas residents affected and notified, measures taken, and whether law enforcement is investigating. ([texasattorneygeneral.gov](https://www.texasattorneygeneral.gov/consumer-protection/data-breach-reporting?utm_source=openai))
Notification to Affected Individuals
What to send and how to send it (HIPAA)
Send written notice by first‑class mail (or by email if the individual has agreed to electronic notice). Include what happened and when, the types of PHI involved, steps individuals should take, what you are doing to mitigate harm and prevent recurrence, and contact information. Use substitute notice if you lack addresses, as outlined under HIPAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Texas‑specific timing and substitute notice
Under Texas’s state data security law, provide notice to Texans without unreasonable delay and within 60 days of determining a breach occurred. Substitute notice (email, conspicuous website posting, and statewide media) is permitted only if notification costs would exceed $250,000, the number of affected persons exceeds 500,000, or you lack sufficient contact information. ([law.justia.com](https://law.justia.com/codes/texas/business-and-commerce-code/title-11/subtitle-b/chapter-521/subchapter-b/section-521-053/?utm_source=openai))
Media Notification Protocols
HIPAA media notice
If a breach involves 500 or more residents of a state or jurisdiction, provide notice to prominent media outlets serving that area without unreasonable delay and within 60 days, with the same content as individual notices. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Texas substitute media and related notices
- Texas permits statewide media publication only as part of substitute notice when statutory thresholds are met (cost, scale, or contact‑info limitations). ([texasattorneygeneral.gov](https://www.texasattorneygeneral.gov/es/node/259096?utm_source=openai))
- If you must notify more than 10,000 people at one time, also notify the nationwide consumer reporting agencies of the timing, distribution, and content of your consumer notices. ([dwt.com](https://www.dwt.com/gcp/states/texas?utm_source=openai))
Documentation and Reporting Procedures
- Activate your incident response plan immediately: contain, investigate, and preserve forensic evidence; document decisions and your HIPAA risk assessment. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
- Issue HIPAA individual notices within 60 days of discovery; for 500+ individuals, post the breach to the HHS portal within 60 days of discovery; for fewer than 500, report to HHS within 60 days after the end of the calendar year in which the breach was discovered. Keep copies of all notices. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html?utm_source=openai))
- Make Texas notifications: individuals within 60 days; Texas Attorney General via the online portal within 30 days if ≥250 Texans are affected (effective September 1, 2023). ([texasattorneygeneral.gov](https://www.texasattorneygeneral.gov/consumer-protection/data-breach-reporting?utm_source=openai))
- Notify consumer reporting agencies if more than 10,000 people are notified at one time. ([dwt.com](https://www.dwt.com/gcp/states/texas?utm_source=openai))
- Retain HIPAA and HB 300 documentation (risk assessments, policies, notices, training acknowledgments) for at least six years. ([thsa.org](https://thsa.org/wp-content/uploads/2021/05/THSA_Model_Privacy_Policies_Procedures_10-13.pdf))
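The steps above run on two different clocks (HIPAA counts from discovery, Texas from the day you determine a breach occurred) and four different headcount triggers (500 for HHS, 500 per state for media, 250 Texans for the Attorney General, 10,000 for consumer reporting agencies), which is exactly the kind of thing an incident response plan should compute rather than leave to memory. The following is an added example, not code from the original page or from any vendor; it turns the deadlines and thresholds stated in this article into a small deadline matrix. The `BreachFacts` dataclass, the `unsecured` flag (which models only the HIPAA encryption safe harbor described above, not Texas’s own definitions), and the sample breaches are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class BreachFacts:
    """Facts an IR lead records at triage (hypothetical structure for this example)."""
    discovered: date            # HIPAA clock: first day the breach was known or should reasonably have been known
    determined: date            # Texas clock: the day you determined a breach occurred (Bus. & Com. Code 521.053)
    individuals: int            # total individuals whose PHI was involved
    residents_by_state: dict    # e.g. {"TX": 3000, "OK": 600}; the "TX" count drives the AG trigger
    notified_at_once: int       # persons notified in one batch (Texas 10,000 consumer reporting agency trigger)
    unsecured: bool = True      # False only if PHI was encrypted per HHS guidance and the key was not compromised


def notification_deadlines(f: BreachFacts) -> dict:
    """Return the latest permissible date for each notice, or None when its trigger is not met."""
    out = {}
    if f.unsecured:
        # HIPAA: individuals within 60 days of discovery
        out["hipaa_individuals"] = f.discovered + timedelta(days=60)
        # HHS/OCR: 500+ within 60 days of discovery; otherwise 60 days after the end of the year of discovery
        if f.individuals >= 500:
            out["hhs"] = f.discovered + timedelta(days=60)
        else:
            out["hhs"] = date(f.discovered.year, 12, 31) + timedelta(days=60)
        # Media notice is per state/jurisdiction: any state with 500+ affected residents
        out["hipaa_media_states"] = sorted(s for s, n in f.residents_by_state.items() if n >= 500)
        out["hipaa_media"] = f.discovered + timedelta(days=60) if out["hipaa_media_states"] else None
    else:
        # Properly encrypted PHI is not "unsecured", so no HIPAA notification duty arises
        out.update(hipaa_individuals=None, hhs=None, hipaa_media_states=[], hipaa_media=None)

    tx = f.residents_by_state.get("TX", 0)
    # Texas: individuals within 60 days of determination; AG within 30 days if 250+ Texans
    out["texas_individuals"] = f.determined + timedelta(days=60) if tx > 0 else None
    out["texas_ag"] = f.determined + timedelta(days=30) if tx >= 250 else None
    # Texas: consumer reporting agencies if more than 10,000 persons are notified at one time
    out["texas_cras"] = f.notified_at_once > 10000

    # Texans get whichever individual-notice deadline arrives first (follow the shorter deadline)
    candidates = [d for d in (out["hipaa_individuals"], out["texas_individuals"]) if d]
    out["earliest_individual_notice"] = min(candidates) if candidates else None
    return out


if __name__ == "__main__":
    # Constructed sample: a multi-state breach discovered 1 Mar 2024, confirmed 4 Mar 2024
    sample = BreachFacts(
        discovered=date(2024, 3, 1),
        determined=date(2024, 3, 4),
        individuals=12000,
        residents_by_state={"TX": 3000, "OK": 600, "LA": 120},
        notified_at_once=12000,
    )
    for obligation, deadline in notification_deadlines(sample).items():
        print(f"{obligation:28} {deadline}")
```

Feed it the facts from your incident ticket and paste the output into the breach log; the "earliest_individual_notice" line is the date your notice operations team actually has to hit. Note that the year-end HHS deadline is computed from the year of discovery, so a small breach discovered on 30 December still lands in that year’s annual submission.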
Enforcement and Penalties
HIPAA violations may lead to civil monetary penalties that scale by culpability (from lack of knowledge up to willful neglect), with annual caps per violation type and potential corrective action plans and monitoring. Penalty amounts are adjusted annually and can be significant for breach‑related noncompliance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Texas imposes separate sanctions. Under the Identity Theft Enforcement and Protection Act, violations can trigger civil penalties of $2,000–$50,000 per violation, plus an additional penalty of up to $100 per affected individual per day for delays in required consumer notice (capped at $250,000 per single breach). The Attorney General may also seek injunctive relief. ([oag.state.tx.us](https://www.oag.state.tx.us/consumer-protection/file-consumer-complaint/consumer-privacy-rights/identity-theft-enforcement-and-protection-act?utm_source=openai))
HB 300 adds health‑specific penalties under Texas Health & Safety Code §181.201 that escalate based on intent and patterns of conduct, including increased caps up to $1.5 million annually for egregious “pattern or practice” violations. Sanctions may also include disciplinary action against state‑licensed entities. ([iapp.org](https://iapp.org/news/a/2012-06-01-i-think-they-mean-it-the-new-medical-records-privacy-law-in-tex?utm_source=openai))
Additional State Breach Notification Rules
If your breach involves residents of multiple states, you must satisfy each applicable state’s breach reporting requirements; Texas law expressly allows you to notify out‑of‑state residents under their state’s law. Map the strictest timing and content rules and follow the most protective standard across all populations. ([mintz.com](https://www.mintz.com/mintz-matrix/texas?utm_source=openai))
Special note on non‑HIPAA health apps
Vendors of personal health records and certain health apps that are not HIPAA‑regulated may be subject to the FTC’s Health Breach Notification Rule, which has its own timelines and media notice triggers. Coordinate any FTC obligations with HIPAA/Texas notices to avoid conflicts or delays. ([ftc.gov](https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0?utm_source=openai))
Conclusion
For healthcare organizations serving Texans, compliance means layering HIPAA’s breach notification rule with Texas HB 300 and the state’s data security statute: complete the HIPAA risk assessment, notify individuals within 60 days, report large breaches to HHS and the media, file the Texas Attorney General notification within 30 days if 250+ Texans are affected, and document everything. Building these steps into your incident response plan ensures you meet every federal and state breach reporting requirement. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
FAQs
What are the notification timelines under Texas HB 300?
Texas breach notices follow Business & Commerce Code §521.053: notify affected individuals without unreasonable delay and no later than 60 days after determining a breach occurred; if 250 or more Texans are affected, notify the Texas Attorney General electronically within 30 days of determination (effective September 1, 2023). ([law.justia.com](https://law.justia.com/codes/texas/business-and-commerce-code/title-11/subtitle-b/chapter-521/subchapter-b/section-521-053/?utm_source=openai))
How does HIPAA define a reportable breach?
A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. It is presumed reportable unless a documented four‑factor risk assessment shows a low probability that PHI was compromised; properly encrypted or destroyed PHI is not “unsecured” and is outside the notification duty. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Who must be notified in a healthcare data breach?
Typically: (1) affected individuals (HIPAA and Texas), (2) HHS/OCR (timing depends on the number of individuals), (3) prominent media if 500+ residents of a state/jurisdiction are affected (HIPAA), (4) the Texas Attorney General within 30 days if 250+ Texans are affected, and (5) nationwide consumer reporting agencies if you notify more than 10,000 people at one time. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html?utm_source=openai))
What penalties apply for non-compliance with Texas breach laws?
Violations can trigger $2,000–$50,000 per‑violation civil penalties under the state data security law, plus up to $100 per affected individual per day for delayed consumer notice (capped at $250,000 per single breach). Separately, HB 300 authorizes health‑specific penalties that escalate with intent and may reach an annual cap of $1.5 million for egregious, patterned violations. ([oag.state.tx.us](https://www.oag.state.tx.us/consumer-protection/file-consumer-complaint/consumer-privacy-rights/identity-theft-enforcement-and-protection-act?utm_source=openai))