Texas Data Privacy and Security Act: HIPAA Covered Entity Exemption Explained
Overview of the Texas Data Privacy and Security Act
The Texas Data Privacy and Security Act (TDPSA) establishes consumer privacy rights and duties for organizations that process personal data about Texas residents. It defines roles such as “controller” and “processor,” sets transparency and data minimization requirements, and provides opt-out rights for targeted advertising, sales of personal data, and certain profiling.
TDPSA also contains extensive entity- and data-level carveouts. Among the most important for the health sector is the exemption for HIPAA Covered Entities and their Business Associates. Understanding the scope and limits of that exemption helps you decide when TDPSA applies and when HIPAA or other federal regimes govern instead.
Definition of HIPAA Covered Entities
Under HIPAA, Covered Entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions. These organizations create or handle Protected Health Information (PHI) in the course of treatment, payment, and health care operations.
Business Associates are vendors or subcontractors that create, receive, maintain, or transmit PHI on behalf of a Covered Entity. A Business Associate Agreement (BAA) binds these parties to HIPAA’s privacy and security requirements when they work with PHI.
Exemptions for Covered Entities under TDPSA
TDPSA exempts HIPAA Covered Entities and Business Associates when they process data in their HIPAA-regulated capacities. In practice, this means the law does not impose duplicate obligations on PHI or on activities that are already governed by HIPAA and its implementing rules.
- The exemption is role- and context-dependent: it applies when you are acting as a Covered Entity or Business Associate with respect to the data at issue.
- Activities that fall outside HIPAA (for example, consumer marketing data unrelated to patient care) may still be within TDPSA’s scope.
- The exemption complements, but does not weaken, HIPAA; security and breach obligations under HIPAA remain fully in force.
Types of Data Exempt from TDPSA
Several data categories are outside TDPSA’s scope in the health context. The most common include:
- Protected Health Information processed by a HIPAA Covered Entity or Business Associate in connection with treatment, payment, or health care operations.
- De-identified data consistent with HIPAA de-identification standards, as well as aggregate information that cannot reasonably identify a person.
- Substance use disorder patient records protected by 42 U.S.C. § 290dd–2 and the associated confidentiality rules.
- Patient safety work product created or maintained under the Patient Safety and Quality Improvement Act.
- Information processed by financial institutions or their affiliates to the extent it is regulated by the Gramm-Leach-Bliley Act.
- Peer review materials and related evaluations implicated by the Health Care Quality Improvement Act, where applicable.
- Identifiable Private Information used solely for human subjects research under the Common Rule or comparable FDA frameworks, when processed in accordance with those regimes.
Relationship Between TDPSA and HIPAA
TDPSA and HIPAA operate in parallel. HIPAA governs PHI handled by Covered Entities and Business Associates, while TDPSA focuses on consumer privacy for personal data outside HIPAA’s lane. Where HIPAA applies, its requirements control; where HIPAA does not apply, TDPSA may fill the gap.
When the HIPAA exemption typically applies
- Patient registration, clinical documentation, billing, and claims processing involving PHI.
- Vendor services performed under a BAA, such as hosted EHRs, secure messaging, or analytics on PHI for operations.
- Compliance, auditing, and risk management activities tied to HIPAA obligations.
When TDPSA can still apply
- Website and mobile app analytics, cookies, retargeting, or lead generation unrelated to a patient relationship.
- Consumer-facing wellness programs, retail sales, or wearables data outside a HIPAA-covered workflow.
- Events, philanthropy, or community outreach lists not managed as PHI.
The practical takeaway: determine which law applies by examining your role and the data’s purpose, not just whether an organization happens to be a health care entity.
Implications for Healthcare Providers
For providers, the HIPAA Covered Entity exemption reduces duplicative obligations for PHI, but it does not eliminate privacy compliance for all activities. You should separate HIPAA-governed systems and processes from broader consumer or marketing operations that may implicate TDPSA.
- Expect TDPSA duties for non-PHI touchpoints such as public websites, scheduling widgets not tied to a patient account, or third-party advertising tools.
- Maintain clear boundaries between PHI workflows and consumer data to avoid commingling that complicates compliance and responses to rights requests.
- Coordinate with marketing, IT, and compliance so that tagging, pixels, and SDKs do not inadvertently capture PHI or create profiling risks.
Compliance Considerations for Exempt Entities
Even if you qualify for the HIPAA exemption for PHI, build a targeted TDPSA program for non-HIPAA data. Focus on data mapping, vendor diligence, and transparent notices tailored to consumer contexts.
Practical steps
- Map data by system and purpose, labeling each flow as HIPAA (PHI), Part 2, PSQIA, GLBA, research, or TDPSA-governed consumer data.
- Use BAAs for PHI-processing vendors and separate data processing agreements for non-PHI vendors; avoid sending PHI to advertising or analytics tools.
- Implement opt-out mechanisms for targeted advertising and data sales where applicable; treat health-related inferences as sensitive.
- Adopt minimization, retention limits, and role-based access for consumer data; apply strong security controls regardless of regime.
- Update privacy notices to explain how you handle PHI versus consumer data, including disclosures about profiling and sensitive data.
- Prepare to triage consumer rights requests by routing PHI to HIPAA processes and non-PHI to TDPSA processes.
In short, the Texas Data Privacy and Security Act leaves HIPAA obligations intact while carving out HIPAA-regulated activities. Your job is to document the basis for exemption, isolate PHI systems, and apply TDPSA to the remaining consumer data so nothing falls through the cracks.
FAQs
What entities are exempt from the Texas Data Privacy and Security Act?
Among others, HIPAA Covered Entities and their Business Associates are exempt when acting in their HIPAA-regulated roles. Additional exemptions apply to certain data or organizations governed by federal regimes like the Gramm-Leach-Bliley Act, as well as to specific public and nonprofit entities under the statute’s terms.
How does HIPAA exemption affect TDPSA compliance?
The exemption removes TDPSA obligations for PHI and activities subject to HIPAA, but it does not cover consumer data outside HIPAA. You still need TDPSA controls for non-PHI contexts such as marketing sites, apps, and outreach lists.
What types of data are excluded under the TDPSA?
Key exclusions include Protected Health Information, de-identified data, substance use disorder records protected by 42 U.S.C. § 290dd–2, patient safety work product under the Patient Safety and Quality Improvement Act, financial data regulated by the Gramm-Leach-Bliley Act, certain peer review materials under the Health Care Quality Improvement Act, and Identifiable Private Information used only for research.
Are business associates subject to the TDPSA?
When a vendor is acting as a Business Associate under a BAA and handling PHI, the HIPAA-related exemption applies. If the same vendor processes non-PHI consumer data outside HIPAA (for example, advertising services), that activity can fall under TDPSA.