Texas Data Privacy and Security Act: HIPAA Covered Entity Exemption Checklist
Overview of TDPSA Exemptions
The Texas Data Privacy and Security Act establishes consumer rights and governance duties for organizations processing personal data in Texas. Several Texas Data Privacy and Security Act exemptions remove entire categories of entities and data from the law’s scope.
Entity-level exemptions generally include state agencies and political subdivisions, financial institutions subject to GLBA, nonprofit organizations, institutions of higher education, electric utilities/power generators/retail electric providers, and entities governed by HIPAA (covered entities and HIPAA business associates). Small businesses are broadly exempt but must obtain consent before selling sensitive personal data.
Data-level exemptions typically cover protected health information under HIPAA, deidentified data, and information regulated by statutes like FCRA, FERPA, and the Driver’s Privacy Protection Act. Employment-context data is also excluded from consumer coverage.
Definition of HIPAA Covered Entities
HIPAA defines covered entities as health plans, health care clearinghouses, and health care providers who conduct covered transactions under HIPAA electronically (for example, submitting claims or eligibility inquiries). These organizations, and their HIPAA business associates, must safeguard electronic protected health information across administrative, physical, and technical controls.
Business associates are service providers that create, receive, maintain, or transmit PHI on a covered entity’s behalf (such as billing, EHR hosting, or analytics). They are contractually bound by business associate agreements and directly liable for compliance with applicable HIPAA rules.
TDPSA Applicability to HIPAA Covered Entities
Under the TDPSA, covered entities and business associates governed by HIPAA are generally exempt at the entity level. Practically, this means TDPSA obligations do not apply to your organization when you operate in your HIPAA-regulated capacity, including handling PHI and associated operations.
Nuance matters in complex corporate structures. The exemption attaches to the HIPAA-governed entity or business associate. Separate legal entities in your corporate family that are not HIPAA covered entities or business associates can still be subject to the TDPSA. Maintain clear corporate separations and documentation.
Exemption Checklist
- Confirm status as a HIPAA covered entity (health plan, health care clearinghouse, or health care provider conducting covered transactions electronically) or as a HIPAA business associate.
- Map data flows to identify PHI, deidentified data, and non-PHI consumer data your entity processes.
- Verify that processing occurs in the HIPAA-governed entity; assess affiliates separately.
- Document the TDPSA exemption rationale and maintain evidence (e.g., BAAs, privacy notices, process maps).
- Establish a process to reassess status after mergers, restructurings, or new lines of business.
SECURETexas Certification Benefits
SECURETexas certification aligns your privacy and security program to HIPAA and the Texas Medical Records Privacy Act. For HIPAA covered entities, certification provides credible evidence of a strong compliance history, which regulators may treat as a mitigating factor in civil money penalty determinations.
Texas courts and regulators may also consider SECURETexas in assessing penalties under state law. Beyond potential penalty mitigation, certification offers practical benefits: structured risk management, repeatable training and documentation, and a third-party attestation you can share with boards, payors, and partners.
Compliance Requirements for Covered Entities
Even with the TDPSA exemption, you must maintain HIPAA and Texas Medical Records Privacy Act compliance. Prioritize a risk-based program that protects electronic protected health information while managing vendors, workforce access, and incident response.
Operational Checklist for Covered Entities
- Governance: Assign accountable privacy and security leaders; keep policies current and role-based.
- Data inventory: Maintain a living map of PHI, ePHI systems, deidentified datasets, and non-PHI consumer data.
- Security safeguards: Enforce HIPAA Security Rule controls, including access management, encryption in transit/at rest where appropriate, logging, and periodic risk analyses.
- Business associates: Execute and track BAAs; evaluate downstream risk; monitor for subprocessor changes.
- Individual rights: Maintain HIPAA-compliant processes for access, amendments, and accounting of disclosures.
- Breach readiness: Run tabletop exercises; maintain incident response playbooks and notification templates.
- Training and documentation: Deliver workforce training and keep records to meet Texas Medical Records Privacy Act compliance expectations.
- Privacy notices: Align patient-facing notices with HIPAA; if you choose to adopt TDPSA-like disclosures as a best practice, do so consistently across channels.
Interaction Between TDPSA and HIPAA
HIPAA and the Texas Medical Records Privacy Act regulate PHI and often impose stricter standards than general consumer privacy laws. Because the TDPSA provides an entity-level exemption for HIPAA-governed covered entities and business associates, HIPAA and Texas law remain your primary compliance anchors for health data in Texas.
If your organization engages in activities outside HIPAA’s scope (for example, through non-HIPAA affiliates or separate legal entities), those entities may fall under the TDPSA. Maintain clear boundaries, contracts, and disclosures to ensure the right framework applies to each activity.
Enforcement and Penalties
The Texas Attorney General exclusively enforces the TDPSA. The statute provides a 30-day cure period before enforcement and authorizes civil penalties of up to $7,500 per violation, with no private right of action. Although HIPAA-governed covered entities and business associates are exempt from TDPSA, they remain subject to HIPAA and Texas Medical Records Privacy Act enforcement.
Under HIPAA, civil money penalties can be significant, and regulators consider mitigating factors such as a strong compliance history. In Texas, SECURETexas certification and demonstrable program maturity can support penalty mitigation analyses. Key takeaway: document your exemption, sustain HIPAA-grade controls, and be prepared to show your work.
FAQs
What entities are exempt from the Texas Data Privacy and Security Act?
Common exemptions include state agencies and political subdivisions, financial institutions subject to GLBA, entities governed by HIPAA (covered entities and business associates), nonprofit organizations, institutions of higher education, and electric utilities/power generators/retail electric providers. Small businesses are largely exempt but must obtain consent to sell sensitive personal data.
How does HIPAA define a covered entity?
Covered entities are health plans, health care clearinghouses, and health care providers who conduct covered transactions under HIPAA electronically. These entities—and their HIPAA business associates—must protect electronic protected health information and comply with HIPAA privacy, security, and breach notification rules.
Are HIPAA-covered entities subject to TDPSA requirements?
Generally no. The TDPSA provides an entity-level exemption for covered entities and business associates governed by HIPAA. However, separate affiliates or lines of business that are not HIPAA-governed may still be subject to the TDPSA, so corporate structure and documentation are critical.
What is the role of SECURETexas certification for HIPAA-covered entities?
SECURETexas certification demonstrates program maturity aligned to HIPAA and the Texas Medical Records Privacy Act. It can serve as evidence of a strong compliance history, support penalty mitigation considerations by regulators, and strengthen your posture with partners, payors, and boards.