Texas HB 300 (Texas Medical Privacy Act) Explained: Requirements, Training, and Penalties
Overview of HB 300 Provisions
Texas HB 300, the Texas Medical Records Privacy Act, expands privacy protections for Protected Health Information (PHI) and applies to a broad range of covered entities—including many organizations that may not be HIPAA-covered. In Texas, a “covered entity” can include health care providers, clinics, schools, researchers, governmental units, information management vendors, and Business Associates that create, receive, maintain, or transmit PHI. If you handle patient data about a Texas resident, there’s a strong chance HB 300 applies to you. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.001))
- Training compliance: Train employees on state and federal PHI laws by the 90th day of hire; retrain when material legal changes affect job duties; keep signed training verifications. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.101))
- Electronic Health Records (EHR) access: If your EHR system can fulfill it, provide a patient’s EHR within 15 business days of a written request, in electronic form unless the patient agrees otherwise. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.102))
- Patient data disclosure: Post a conspicuous notice that PHI may be disclosed electronically, and obtain a separate authorization for each electronic disclosure outside of treatment, payment, and health care operations (TPO) or other legal exceptions. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.154))
- Marketing and sale restrictions: Obtain clear permission for marketing uses of PHI and do not sell PHI except under narrow exceptions. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.152))
- State regulatory penalties: Civil penalties scale up to $250,000 per violation for financial-gain misuse and up to $1.5 million annually for a pattern or practice, with potential licensing discipline and exclusion from state programs. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.201))
Training Obligations for Covered Entities
You must deliver role-relevant training on state and federal PHI rules to each employee by the 90th day after hire. Training must be tailored to what an employee does with PHI, not just a generic slide deck. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.101))
Refreshers are event-driven: when a “material change” in law affects an employee’s duties, provide updated training within a reasonable period, and no later than the first anniversary of the legal change. Texas no longer imposes a fixed “every two years” cycle; the trigger is a material legal change impacting job functions. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.101))
To document training compliance, have each trained employee sign (physically or electronically) a statement verifying completion, and retain those verifications for six years. Keep your training outlines, role-based curricula, and completion records aligned to specific job duties to show that the content was “necessary and appropriate” for each role. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.101))
PHI Disclosure Requirements
HB 300 sets rules for patient data disclosure that go beyond HIPAA. You must provide a general notice that PHI may be disclosed electronically—post it in your office, on your website, or where patients will see it. Outside of TPO or other legal authorizations, you must obtain a separate authorization for each electronic disclosure; the authorization can be written or electronic, and even oral if you document it in writing. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.154))
Texas also restricts marketing uses of PHI: you need clear and unambiguous permission to use or disclose PHI for marketing, and mailed marketing must include specific sender and opt-out details. You must honor removal requests within 45 days. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.152))
Finally, selling PHI is prohibited except for narrow exceptions (for example, specific TPO or insurance functions). Even where an exception applies, remuneration cannot exceed your reasonable costs of preparing or transmitting the information. Business Associates handling PHI are within Texas’s definition of covered entity and should structure disclosures accordingly. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.153))
Penalties for Non-Compliance
The Texas Attorney General can seek injunctions and civil penalties. Penalties can reach up to $5,000 per negligent violation per year, $25,000 per knowing or intentional violation per year, and $250,000 per violation when PHI is knowingly or intentionally used for financial gain. If violations constitute a pattern or practice, courts may assess up to $1.5 million per year. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.201))
For certain electronic-disclosure violations, if PHI was encrypted, not misused, and you had documented security policies and employee training, courts may cap annual penalties at $250,000 for those violations. Regulators also consider mitigation factors such as seriousness, past history, and remediation efforts. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.201))
In addition to civil penalties, Texas licensing agencies can investigate, suspend, or revoke licenses and may refer egregious cases to the Attorney General. Covered entities can also be excluded from state-funded health care programs for a pattern or practice of violations. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.202))
Recordkeeping and Documentation
Keep your training house in order: obtain signed training verification statements and retain them for six years. Maintain training curricula, attendance logs, and role maps that show each employee’s content was “necessary and appropriate” to their duties. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.101))
Operationalize patient data disclosure controls. Retain your posted electronic-disclosure notice (with effective date), store patient authorizations for non-TPO electronic disclosures, and keep a clear workflow that distinguishes disclosures that require per-disclosure authorization from those that do not. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.154))
Create a time-stamped intake-and-fulfillment log for EHR requests so you can consistently meet the 15-business-day deadline. Document security controls—especially encryption—and workforce training on those controls; such documentation can help limit penalties in certain electronic-disclosure scenarios and demonstrates a mature compliance posture. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.102))
Patient Rights and Notifications
Patients have a state-law right to faster access to their Electronic Health Records: if your system can produce the data, you must deliver the EHR in electronic form within 15 business days of receiving a written request, unless the patient agrees to another format. Standard HIPAA exceptions to access still apply. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.102))
Patients must be notified—via a posted notice—that their PHI may be disclosed electronically, and outside of TPO or other legal bases, their separate authorization is required for each electronic disclosure. You also need clear permission for marketing uses of PHI, and Texas flatly prohibits selling PHI except for narrow exceptions in the law. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.154))
Patients can submit complaints to the appropriate Texas licensing agency or to the Texas Attorney General if they believe their PHI privacy rights were violated under state law. ([texasattorneygeneral.gov](https://www.texasattorneygeneral.gov/consumer-protection/health-care/patient-privacy?utm_source=openai))
Comparisons with HIPAA
- Who is regulated: HIPAA covers health plans, providers, and clearinghouses (plus Business Associates by contract). Texas defines “covered entity” far more broadly, explicitly sweeping in organizations and vendors that assemble, collect, use, store, or transmit PHI—even outside traditional health care. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.001))
- Access timelines: HIPAA allows up to 30 days (with one 30-day extension) to act on access requests; Texas requires EHR delivery within 15 business days when the system can fulfill the request. When both apply, you must meet the stricter Texas timeline. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.524?utm_source=openai))
- Electronic disclosure rules: Texas requires a posted notice and per-disclosure authorization for electronic disclosures outside TPO, a requirement HIPAA does not mirror. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.154))
- Marketing and sale of PHI: Texas codifies stringent marketing permission rules and independently prohibits selling PHI except under narrow exceptions, complementing and in some respects exceeding HIPAA’s guardrails. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.152))
- State regulatory penalties: Texas adds a separate state enforcement layer with civil penalties, licensure actions, and potential exclusion from state programs—on top of federal HIPAA enforcement. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.201))
Bottom line: HB 300 supplements HIPAA with faster EHR access, broader organizational scope, stricter electronic-disclosure rules, and its own state regulatory penalties. If you touch Texas PHI, build your compliance program to meet the stricter state standard where it applies. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.102))
FAQs
What are the training requirements under HB 300?
You must train employees on state and federal PHI rules “as necessary and appropriate” to their duties, ensure completion by the 90th day of hire, and provide updated training when material legal changes affect their duties (within a reasonable period and no later than one year after the change). Have each trainee sign a completion statement and keep those records for six years. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.101))
How soon must patients receive electronic health records after a request?
If your EHR system can fulfill the request, you must provide the patient’s EHR in electronic form no later than the 15th business day after receiving a written request. This Texas timeline is stricter than HIPAA’s general 30-day window. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.102))
What penalties apply for intentional violations of HB 300?
Knowing or intentional violations can trigger up to $25,000 per violation per year, up to $250,000 per violation if PHI is knowingly or intentionally used for financial gain, and up to $1.5 million annually for a pattern or practice. Courts also weigh factors such as seriousness and remediation, and the Attorney General can seek injunctions. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.201))
Does HB 300 prohibit selling patient health information?
Yes. Texas prohibits disclosing an individual’s PHI in exchange for remuneration, with narrow exceptions (e.g., limited TPO and certain insurance functions). Even when an exception applies, any remuneration is capped at reasonable costs to prepare or transmit PHI. ([texas.public.law](https://texas.public.law/statutes/tex._health_and_safety_code_section_181.153))