Texas Data Privacy Law for Healthcare: TDPSA, HB 300, and HIPAA Explained


Kevin Henry

Data Privacy

November 11, 2025


Overview of Texas Data Privacy Laws

Texas healthcare organizations operate under a layered framework. HIPAA sets the federal baseline for Protected Health Information, HB 300 strengthens protections within the Texas Health and Safety Code, and the Texas Data Privacy and Security Act (TDPSA) governs broader consumer personal data outside HIPAA. Understanding where each law applies is essential for effective Data Privacy Compliance.

In practice, you often manage two data universes. PHI generated in care delivery is primarily regulated by HIPAA and HB 300. Personal data collected through websites, apps, cookies, and marketing—such as device IDs or precise geolocation—can fall under TDPSA’s Consumer Data Protection rules when it is not PHI.

  • HIPAA: Applies to covered entities and business associates handling PHI.
  • HB 300: Texas-specific duties that broaden who is regulated and tighten timelines for Texas patients.
  • TDPSA: State privacy law for Texans’ personal data outside HIPAA, emphasizing Personal Data Rights and transparency.

Key Provisions of TDPSA

Scope and Applicability

TDPSA applies to controllers and processors that conduct business in Texas or target Texas residents and process personal data. While PHI processed in compliance with HIPAA is generally outside TDPSA’s scope, non-PHI consumer data collected by healthcare entities—think web analytics, patient portal tracking cookies, or wellness app data—can be in scope.

Personal Data Rights

Texas residents gain actionable rights over their personal data. You must provide clear methods to: access and obtain a copy (portability), correct inaccuracies, delete personal data, and appeal denied requests. Texans may also opt out of targeted advertising, the sale of personal data, and certain profiling that has legal or similarly significant effects.

Controller Duties

Controllers must practice purpose limitation and data minimization and implement reasonable Healthcare Data Security measures. You need a concise privacy notice describing the categories of personal data you collect, the purposes of processing, how consumers exercise their rights, and your appeal process. Contracts with processors must include documented processing instructions and confidentiality and security obligations.

Sensitive personal data—such as precise geolocation, biometric identifiers, genetic data, and health-related information—generally requires opt-in consent before processing. If you handle children’s data, obtain appropriate authorization and apply heightened safeguards consistent with Consumer Data Protection principles.

Risk Assessments and Response Timelines

High-risk processing (for example, targeted ads using sensitive attributes or large-scale profiling) should be supported by data protection assessments. You must respond to verified consumer requests within statutorily defined windows and maintain records that demonstrate your program’s effectiveness.

Health Data Protections under HB 300

Broader Coverage Under Texas Law

HB 300, codified in the Texas Health and Safety Code, regulates any individual or organization that creates, receives, maintains, or transmits PHI in Texas—even if it is not a HIPAA “covered entity.” This broader definition means vendors, professional services firms, and others handling PHI are within scope.

Patient Rights and Faster Timelines

HB 300 strengthens patient access by requiring you to provide medical records more quickly than HIPAA’s baseline. Texans are entitled to timely access to their PHI, and your procedures must reflect the shorter state timeline and clear fee rules.

Electronic Disclosures and Marketing Limits

Texas requires specific notice regarding the electronic disclosure of PHI and appropriate authorization when a disclosure is not for treatment, payment, or health care operations. HB 300 also tightens restrictions on using PHI for marketing or sale without valid authorization.

Training, Policies, and Documentation

You must train workforce members on federal and Texas health privacy requirements within 60 days of hire and at least every two years, with role-based content. Maintain documentation of completion, content, and retraining after material policy changes.

Breach and Complaint Handling

For a breach involving PHI or sensitive personal information, provide Data Breach Notification to affected individuals and, when thresholds are met, to state authorities within the required timeframes. Keep incident logs, cooperate with investigations, and remediate promptly.


HIPAA Requirements and Scope

Who Is Covered and What Is PHI

HIPAA applies to health plans, health care clearinghouses, and providers who transmit certain transactions electronically, as well as their business associates. PHI is individually identifiable health information related to a person’s past, present, or future health, care, or payment.

Privacy Rule Essentials

Key duties include the minimum necessary standard, permitted uses and disclosures for treatment, payment, and health care operations (TPO), a Notice of Privacy Practices, and processes for access, amendments, and accounting of disclosures. You need sanctions for violations and a complaint intake process.

Security Rule Safeguards

  • Administrative: risk analysis, risk management, workforce training, and contingency planning.
  • Physical: facility access controls, device/media protections, and secure disposal.
  • Technical: access controls, authentication, encryption, and audit controls.

Breach Notification Rule

When unsecured PHI is compromised, assess the probability that it has been compromised and notify affected individuals and, when applicable, regulators without unreasonable delay and within the prescribed deadlines. Coordinate notices with any Texas requirements that also apply.

Compliance Obligations for Healthcare Entities

Build a Unified, Risk-Based Program

  • Map data: distinguish PHI from non-PHI personal data to apply HIPAA/HB 300 versus TDPSA correctly.
  • Update notices: align your HIPAA NPP and your TDPSA privacy notice to explain rights and processing purposes clearly.
  • Consent and opt-outs: capture authorizations for PHI where required and provide TDPSA opt-out controls for targeted ads, sales, and profiling.
  • Rights operations: stand up intake, verification, routing, and fulfillment for access, correction, deletion, and portability.
  • Vendor governance: execute Business Associate Agreements for PHI and processor contracts for TDPSA, with security and audit clauses.
  • Security program: implement administrative, physical, and technical safeguards proportionate to risk; test them regularly.
  • Assessments: conduct periodic risk analyses and data protection assessments for high-risk processing.
  • Incident readiness: maintain an incident response plan that meets HIPAA, HB 300, and Texas breach rules.
  • Training and awareness: deliver HB 300–compliant training and track completion and effectiveness.
  • Recordkeeping: document decisions, assessments, and responses to establish accountability.

Enforcement and Penalties

TDPSA Enforcement

The Texas Attorney General enforces TDPSA. Expect investigative inquiries, cure opportunities in some cases, injunctive relief, and civil penalties calculated per violation. There is no private right of action under TDPSA.

HB 300 Remedies

HB 300 authorizes civil penalties that scale with the nature, extent, and duration of a violation, with enhanced exposure for intentional misuse or financial gain. Professional licensing boards may also impose corrective actions or discipline related to privacy lapses.

HIPAA Consequences

OCR enforces HIPAA through audits, corrective action plans, and tiered civil monetary penalties that increase with culpability and persistence. State attorneys general may bring actions under federal law, creating parallel exposure for significant incidents.

Practical Risk Management

Most enforcement risk stems from repeatable failures: weak access controls, delayed breach notices, and ignoring consumer or patient requests. Proactive governance, timely remediation, and well-documented safeguards substantially reduce penalty risk.

Employee Training and Data Security Practices

Deliver HB 300–Compliant Training

  • Onboard within 60 days; retrain at least every two years and after material changes.
  • Tailor modules by role (front desk, nursing, billing, IT) and include HIPAA, HB 300, and TDPSA touchpoints.
  • Track attendance, comprehension, and acknowledgments; keep materials and rosters for audits.

Strengthen Healthcare Data Security

  • Access controls and MFA for all systems housing PHI or personal data.
  • Encryption in transit and at rest; device management for laptops and mobiles.
  • Network segmentation, patching cadence, and vulnerability management.
  • Audit logs with regular review; rapid deprovisioning on role change or departure.

Incident Response and Breach Readiness

  • Playbooks covering investigation, containment, notification, and regulatory reporting.
  • Tabletop exercises simulating ransomware, misdirected email, and lost device scenarios.
  • Communication templates for patients, regulators, and business partners.

Conclusion

For Texas healthcare, HIPAA governs PHI, HB 300 sharpens state-specific duties, and TDPSA extends Personal Data Rights to non-PHI consumer data. A unified, risk-based program—anchored in clear notices, strong security, timely rights fulfillment, and robust training—keeps you compliant and strengthens patient trust.

FAQs

What entities are exempt from TDPSA?

TDPSA includes several exemptions. PHI processed in compliance with HIPAA is generally outside its scope. Certain data sets (such as research under specific frameworks, de-identified data, and student records under other laws) are excluded, and some entities—like state government bodies—are exempt. Small businesses have modified duties but must obtain consent before selling sensitive data.

How does HB 300 enhance HIPAA protections?

HB 300 broadens who is regulated in Texas, accelerates patient access timelines, requires Texas-specific, role-based training, and adds rules for electronic disclosure and marketing uses of PHI. It complements HIPAA by tightening safeguards and accountability within the Texas Health and Safety Code.

What are the penalties for violating Texas health data laws?

Violations can trigger investigative actions, corrective mandates, and civil monetary penalties calculated per violation, with higher exposure for intentional or reckless conduct. Penalties may come from the Texas Attorney General under TDPSA or HB 300, licensing boards for professional discipline, and federal OCR for HIPAA noncompliance.

How does Texas law affect patient data rights?

Under HB 300 and HIPAA, patients can access and obtain copies of their PHI on faster Texas timelines and expect limits on electronic disclosures and marketing without authorization. TDPSA adds consumer rights—access, correction, deletion, portability, and opt-outs—for personal data that is not PHI, expanding control over how their information is used.
