Texas HB 300 Explained with Real-World Scenarios: What You Need to Know for Compliance
Training Requirements for PHI Handlers
Under Texas HB 300, you must provide role-based training on state and federal privacy rules governing Protected Health Information (PHI). New workforce members must complete this training no later than the 90th day after hire, and you must retrain when material legal changes affect job duties. You also need to keep signed verification of completion for six years to demonstrate employee training compliance. ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm?utm_source=openai))
Training should map to each job’s scope—front-desk staff, clinicians, billing, and IT face different risks. Cover permissible uses and disclosures, minimum necessary standards, electronic disclosure rules, breach response basics, and how to escalate suspected incidents. Periodic refreshers tied to policy updates help maintain a strong compliance culture and reduce civil penalties exposure if issues arise. ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm?utm_source=openai))
Patient Access to Electronic Health Records
Texas accelerates Electronic Health Record access. If your system can fulfill the request, you must provide a patient’s EHR in electronic form within 15 business days of receiving a written request, unless the patient agrees to another format. HIPAA exceptions to access still apply (for example, certain psychotherapy notes). This Texas timeline is faster than HIPAA’s general 30-day window and is a core Electronic Health Record Access obligation. ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm?utm_source=openai))
Hospitals and some settings may have additional Texas rules for record delivery. Build a standard intake process that timestamps requests, confirms identity, and tracks fulfillment to meet the 15-business-day deadline consistently. ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm?utm_source=openai))
Breach Notification Procedures
When unsecured PHI is impermissibly accessed, acquired, used, or disclosed and there is more than a low probability of compromise, HIPAA’s Breach Notification Rule requires you to notify affected individuals without unreasonable delay and no later than 60 calendar days from discovery. For breaches affecting 500+ individuals in a state or jurisdiction, you must also notify prominent media, and you must notify HHS (immediately for 500+; annually for fewer than 500). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404?utm_source=openai))
Texas adds separate Texas Attorney General reporting for broader sensitive personal information incidents: if a breach involves 250 or more Texas residents, you must report electronically to the AG as soon as practicable and no later than 30 days after determining a breach occurred, and notify affected consumers. Align your breach playbook to capture counts of Texas residents and trigger Texas Attorney General reporting alongside HIPAA steps. ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/docs/bc/htm/bc.521.htm?utm_source=openai))
Penalties and Enforcement
Texas authorizes the Attorney General to seek injunctive relief and civil penalties for violations. Penalties can reach up to $5,000 per negligent violation per year, $25,000 per knowing or intentional violation per year, and $250,000 if PHI is knowingly or intentionally used for financial gain. Courts may also consider factors such as the seriousness of the violation and your remediation efforts. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.201?utm_source=openai))
If violations form a pattern or practice, annual penalties can scale up substantially—up to $1.5 million. In egregious cases, licensing agencies may impose disciplinary action, including probation, suspension, or even license revocation, and may refer matters to the Attorney General. These enforcement levers underscore why timely training, documented policies, and sound safeguards are critical. ([capitol.texas.gov](https://capitol.texas.gov/tlodocs/82R/billtext/html/HB00300E.htm?utm_source=openai))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Best Practices
Establish a written privacy and security program that maps Texas HB 300 requirements to clear procedures: access control, minimum necessary standards, role-based training, vendor oversight, and tested incident response. Encrypt portable devices, enforce strong authentication, and log PHI access to deter snooping and speed investigations.
Operationalize right-of-access with an intake-to-fulfillment workflow that tracks the 15-business-day EHR deadline and documents any exceptions. Keep a breach decision tree that aligns HIPAA’s 60-day breach notification timelines with Texas Attorney General reporting at 30 days for qualifying incidents. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
As of September 1, 2025, Texas law requires covered entities to prominently post instructions online and onsite for requesting health records and filing complaints. Update your website and lobby signage to meet this new transparency requirement and reduce barriers for patients. ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm?utm_source=openai))
Real-World Compliance Scenarios
1) Misdirected email with a lab result
Your staff sends a lab result to the wrong patient. Immediately contain the incident, retrieve or securely delete the message if possible, document the event, and perform a HIPAA risk assessment to decide if breach notification is required. If notification is needed, send individual notices within 60 days and record all steps taken. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404?utm_source=openai))
2) Lost unencrypted laptop
An employee’s unencrypted laptop with PHI is stolen from a car. Because the PHI is unsecured, you will likely have to notify individuals within 60 days and evaluate whether media notice or HHS notice applies. If 250+ Texas residents’ personal information is involved, prepare the Texas Attorney General report within 30 days of determination. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
3) Business associate ransomware incident
Your billing vendor suffers a ransomware attack affecting 800 Texas patients. The business associate must notify you without unreasonable delay. Coordinate investigation, send individual notices within 60 days, file HHS notice for 500+, and submit the electronic Texas Attorney General report within 30 days since 250+ Texans are affected. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html?utm_source=openai))
4) Patient requests an e-copy of records
A patient asks for an electronic copy through your portal. Confirm identity, clarify scope, and deliver the EHR in electronic form within 15 business days if your system can fulfill the request. Track request and response dates to prove compliance. ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm?utm_source=openai))
5) Employee snooping
An employee views a family member’s chart without a work-related reason. Suspend access, investigate, and apply sanctions. Determine whether the impermissible access constitutes a breach; if so, follow HIPAA’s notification timelines. Retrain staff and reinforce role-based access controls. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
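The breach decision tree recommended under Compliance Best Practices, applied to scenarios 2 and 3 above, as an added example that is not part of the original article or of Accountable's product: it encodes the page's thresholds and clocks, returns the notices an incident triggers with their due dates, and computes the 15-business-day EHR deadline. Assumptions: no holiday calendar is applied, the Texas determination date defaults to the HIPAA discovery date when not supplied, and media and HHS notice for 500+ breaches are placed on the same 60-day clock as individual notice.

```python
from datetime import date, timedelta

# Thresholds and clocks as stated on the page (45 CFR 164.404; Tex. HS 181; Tex. BC 521)
HIPAA_INDIVIDUAL_DAYS = 60    # calendar days from discovery
HIPAA_LARGE_BREACH = 500      # media notice + prompt HHS notice at 500+ individuals
TEXAS_AG_THRESHOLD = 250      # Texas residents that trigger the AG report
TEXAS_AG_DAYS = 30            # calendar days from determining a breach occurred
EHR_BUSINESS_DAYS = 15        # Texas electronic-records access deadline


def _as_date(d) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_business_days(start, n: int) -> date:
    """Advance n weekdays (Mon-Fri) past start.
    Assumption: no holiday calendar; add your closures before using this live."""
    d = _as_date(start)
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def ehr_request_deadline(received) -> date:
    """Due date for a written electronic-copy request the system can fulfil."""
    return add_business_days(received, EHR_BUSINESS_DAYS)


def breach_obligations(discovered, affected: int, texas_residents: int,
                       low_probability_of_compromise: bool = False,
                       determined=None) -> dict:
    """Map an incident to the notices it triggers and each notice's due date.
    An empty result means the risk assessment found no breach: document that."""
    if low_probability_of_compromise:
        return {}
    discovered = _as_date(discovered)
    determined = _as_date(determined) if determined else discovered  # assumption
    individual_due = discovered + timedelta(days=HIPAA_INDIVIDUAL_DAYS)
    notices = {"individuals": individual_due}
    if affected >= HIPAA_LARGE_BREACH:
        notices["media"] = individual_due   # same 60-day clock (assumption)
        notices["hhs"] = individual_due
    else:
        # Under 500: log it and submit to HHS within 60 days after year end
        notices["hhs_annual_log"] = date(discovered.year, 12, 31) + timedelta(days=60)
    if texas_residents >= TEXAS_AG_THRESHOLD:
        notices["texas_ag"] = determined + timedelta(days=TEXAS_AG_DAYS)
    return notices
```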
Impact on Texas Healthcare Entities
Texas HB 300’s scope is broader than HIPAA’s. “Covered entity” includes not only traditional providers and health plans but also business associates, schools, researchers, and others that assemble, collect, or transmit PHI—even on a nonprofit or pro bono basis. This breadth means more organizations must implement privacy programs that satisfy both state and federal rules. ([law.justia.com](https://law.justia.com/codes/texas/health-and-safety-code/title-2/subtitle-i/chapter-181/subchapter-a/section-181-001/?utm_source=openai))
For healthcare entities, the biggest operational impacts are faster Electronic Health Record Access (15 business days), focused employee training compliance, stricter controls on electronic disclosures, and the need to coordinate HIPAA breach duties with Texas Attorney General reporting. The penalty structure—and potential license revocation for egregious patterns—makes disciplined governance nonnegotiable. ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm?utm_source=openai))
Conclusion
Build a program that trains people early, responds to requests quickly, tests incident response, and documents everything. By aligning your policies to Texas HB 300’s timelines and enforcement standards, you reduce risk, protect patients, and keep your organization on firm regulatory footing.
FAQs
What are the mandatory training requirements under Texas HB 300?
Employees must receive training on applicable state and federal PHI rules no later than the 90th day after hire, and again when material legal changes affect their duties. Keep signed training attestations for six years. ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm?utm_source=openai))
How quickly must patients receive their health records?
For electronic health records, Texas requires delivery within 15 business days if your EHR system can fulfill the request and the patient made a written request; HIPAA exceptions to access still apply. ([statutes.capitol.texas.gov](https://statutes.capitol.texas.gov/Docs/HS/htm/HS.181.htm?utm_source=openai))
What actions trigger breach notifications?
A breach of unsecured PHI that poses more than a low probability of compromise triggers HIPAA notification to affected individuals within 60 days (and, where applicable, media and HHS). If an incident involves 250+ Texas residents’ personal information, you must also report electronically to the Texas Attorney General within 30 days of determining a breach occurred. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404?utm_source=openai))
What penalties apply for noncompliance?
Texas civil penalties can reach up to $5,000 per negligent violation per year, $25,000 per knowing/intentional violation per year, and $250,000 if PHI is used for financial gain; a pattern or practice can reach $1.5 million annually. Licensing boards may also impose discipline, up to and including license revocation. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.201?utm_source=openai))