Texas Data Privacy and Security Act Compliance: Does the HIPAA Covered Entity Exemption Apply?


Kevin Henry

Data Privacy

January 23, 2025

6 minutes read

TDPSA Overview and Scope

The Texas Data Privacy and Security Act (TDPSA) establishes baseline rules for how organizations collect, use, and disclose personal data about Texas residents. If you act as a Texas Data Controller—determining the purposes and means of processing—you must provide clear notices, honor consumer rights, and put appropriate contracts and safeguards in place.

TDPSA consumer rights include the ability to confirm whether a controller is processing personal data, to access, correct, and delete it, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Controllers must also obtain consent before processing sensitive data and conduct data protection assessments for higher-risk processing such as targeted advertising, the sale of personal data, that type of profiling, and any processing of sensitive data.

The statute’s scope is broad, but it contains important entity- and data-specific carve-outs. Chief among them for healthcare is the Covered Entity Exemption that interacts with the HIPAA Privacy Rule and related security and breach-notification requirements.

HIPAA Covered Entities Defined

Under the HIPAA Privacy Rule, “covered entities” are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. “Business associates” are vendors or partners that create, receive, maintain, or transmit protected health information (PHI) for or on behalf of a covered entity.

HIPAA governs uses and disclosures of PHI, establishes patient rights, and mandates administrative, physical, and technical safeguards. If you operate as a covered entity, your core clinical, billing, and plan administration workflows are regulated by HIPAA—even when additional state privacy rules like the TDPSA exist.

Exemptions Under TDPSA

TDPSA contains two key categories of carve-outs that affect healthcare:

  • Entity-based exclusions: the Covered Entity Exemption generally removes TDPSA obligations for organizations operating as HIPAA covered entities or business associates when they are performing HIPAA-governed activities.
  • Data-based exclusions: PHI processed in compliance with HIPAA, information de-identified under the HIPAA standard, publicly available information, and certain categories of data processed in the public interest are out of scope. Public health surveillance and reporting programs handled by or on behalf of public health authorities under applicable law generally fall within this public health data exclusion.

These carve-outs are not blanket passes for everything an organization does. Personal data processed outside HIPAA-regulated functions may still trigger TDPSA duties.

Impact of HIPAA on TDPSA Compliance

If you are a HIPAA covered entity, HIPAA remains the primary regime for PHI. The TDPSA generally defers to HIPAA for that activity, reducing duplicative obligations. However, when you process non-PHI—such as website analytics, marketing leads, event RSVPs, or consumer app data unrelated to treatment, payment, or health care operations—you may act as a Texas Data Controller under the TDPSA and must comply with its requirements.

To operationalize this boundary, segment processing activities into HIPAA-governed and non-HIPAA contexts, inventory data flows, and assign the correct rule set to each. Build your notices, consent flows, vendor contracts, and consumer rights handling to match the applicable regime for each dataset and purpose.


Handling Protected Health Information

PHI processed in accordance with HIPAA is typically outside TDPSA’s scope. Maintain HIPAA-compliant policies, access controls, and minimum necessary use standards, and ensure disclosures align with the HIPAA Privacy Rule. Where feasible, de-identify data; properly de-identified data under HIPAA is generally treated as outside TDPSA’s definition of personal data.

Marketing materials sometimes use the phrase “Protectable Health Information”; the legally operative term is “protected health information (PHI)” as defined by HIPAA. Health-related details collected in a consumer context that HIPAA does not cover (for example, a wellness or fitness app offered direct-to-consumer) are personal data under the TDPSA, and because they reveal a health condition they are likely to qualify as sensitive data, which requires consent before processing.

Application to Business Associates

Business associates benefit from the same general carve-out when acting in their HIPAA capacity. That said, TDPSA compliance still matters to a business associate for activities outside the scope of a Business Associate Agreement (BAA), for example using non-PHI marketing lists, collecting product telemetry for a non-HIPAA tool, or servicing non-healthcare clients. In those scenarios, treat your organization as a Texas Data Controller (or processor, if you act on a controller's instructions) and meet the corresponding TDPSA requirements.

Map each engagement to its governing contract (BAA vs. data processing agreement), segregate environments for PHI and non-PHI, and ensure your privacy notices and opt-out mechanisms cover non-HIPAA personal data. Train teams to recognize when they are acting under HIPAA versus TDPSA to avoid scope creep.

Implications for Texas Entities

For hospitals, plans, clinics, and health tech vendors, the practical takeaway is to run dual, coordinated programs: keep HIPAA-first controls for PHI, and stand up a TDPSA program for consumer and other non-PHI data. This approach limits risk while avoiding over- or under-application of either framework.

  • Build and maintain a data inventory distinguishing PHI, de-identified data, and non-PHI personal data.
  • Use layered notices that explain HIPAA practices for PHI and TDPSA rights and opt-outs for consumer data.
  • Gate sensitive non-PHI processing behind consent and honor opt-out signals for targeted ads or sales of personal data.
  • Align BAAs and processor contracts to the right rule set and limit cross-use between PHI and non-PHI environments.

Conclusion

Yes—the HIPAA Covered Entity Exemption generally applies under the TDPSA, removing duplicative obligations for HIPAA-governed processing. But it is not universal. The moment you handle non-PHI personal data, you should assume TDPSA applies and implement the appropriate notices, rights handling, and controls.

FAQs

What entities are exempt from the TDPSA?

The TDPSA excludes certain organizations and activities from its scope, including HIPAA covered entities and business associates when acting in their HIPAA roles, as well as other categories specified by the statute (for example, state agencies and political subdivisions, nonprofit organizations, institutions of higher education, and financial institutions subject to the Gramm-Leach-Bliley Act). Always evaluate the specific entity and activity to confirm that an exemption applies.

How does HIPAA affect TDPSA obligations?

HIPAA typically governs PHI, and the TDPSA defers to that regime via a Covered Entity Exemption and related Data Processing Exemptions. When you process non-PHI personal data—like consumer marketing or analytics—you must meet TDPSA duties such as notices, consent for sensitive data, and opt-outs.

Are business associates covered under the exemption?

Yes, business associates benefit from the exemption while performing HIPAA-governed services under a BAA. For activities outside that scope (e.g., non-HIPAA products, internal marketing), they should treat the data as subject to the TDPSA and comply accordingly.

What types of data does the TDPSA exclude?

TDPSA excludes PHI processed in compliance with HIPAA, de-identified data, publicly available information, and certain categories processed for public interest purposes (often described as a Public Health Data Exclusion when handled by or for public health authorities). Data collected outside HIPAA contexts, including consumer health app data, is generally in scope.
