Texas HB 300 Training Checklist: Required Topics, Documentation, and Refresher Frequency



Kevin Henry

Risk Management

May 22, 2024


Training Requirements Within 90 Days

You must train each workforce member on Texas HB 300 and related Federal and State HIPAA Laws no later than 90 days after the person is hired. Aim to complete training before the individual first handles Protected Health Information (PHI) whenever possible.

Provide additional training within a reasonable period whenever a team member’s job duties change in ways that affect PHI handling. Extend the same timeline to temporary staff and contractors who will access PHI.

Quick-start checklist

  • Assign role-based HB 300 training upon hire (or engagement) with a clear due date inside 90 days.
  • Block time for new hires to finish training before PHI access goes live.
  • Trigger retraining automatically after any role change impacting PHI.
  • Collect Training Verification Statements immediately after completion.

Training Content Tailored to Duties

HB 300 requires that training be tailored to each person’s duties (its Training Tailoring Requirements). Avoid one-size-fits-all slide decks; map modules to the risks and tasks of each role and to the systems that role uses.

Core topics for all workforce members

  • Definition and examples of Protected Health Information (PHI) and identifiers.
  • Permitted uses and disclosures, minimum necessary, and need-to-know access.
  • Patient rights under Texas law and HIPAA, including faster access timelines in Texas and limits on marketing/sale of PHI.
  • Administrative, physical, and technical safeguards; secure email, texting, and remote work practices.
  • Incident recognition, internal reporting, breach notification steps, and workforce sanctions.

Role-based enhancements

  • Front desk/revenue cycle: identity verification, release-of-information, authorizations, and conversations at check-in.
  • Clinicians: documentation, care coordination, telehealth, and sensitive data (behavioral health, minors).
  • IT/security: access provisioning, auditing, encryption, device/media disposal, and vendor oversight.
  • Business associates: contract-bound responsibilities, subcontractor controls, and breach cooperation.

Training Documentation and Recordkeeping

Your records must show who trained, on what, when, and how. Maintain Training Completion Documentation and signed Training Verification Statements in each person’s file. Use a centralized log to track delivery and due dates.

What to retain

  • Curriculum outline and learning objectives aligned to duties.
  • Date of delivery, duration, and delivery method (e-learning, live, hybrid).
  • Roster of attendees, completion status, and any quiz or competency results.
  • Signed verification statements and acknowledgments of privacy/security policies.
  • Evidence of instructor qualifications or course source, if applicable.

Follow Compliance Record Retention practices by keeping training records and verification statements for at least six years. Archive updates whenever material changes occur and link them to the affected roles.

Refresher Training on Material Changes

Deliver a Material Change Refresher within a reasonable period whenever state or federal privacy rules or your internal PHI-handling policies materially change. Update only the personnel whose duties are affected, but document who received what and why.

When to trigger a refresher

  • New or revised Federal and State HIPAA Laws or Texas-specific privacy requirements.
  • Deployment of new EHR modules, patient portals, messaging tools, or devices.
  • Policy changes to disclosures, marketing, fundraising, or data retention and disposal.
  • Security events revealing a training gap (e.g., phishing, misdirected mailings).

Biannual Training Frequency

Plan recurring training at least once every two years to stay compliant. Many organizations schedule an annual touchpoint plus microlearning to reinforce behaviors without overwhelming staff.

Clarity on terminology

HB 300 requires training at a minimum every two years (biennial). Some people informally say “biannual,” but your written policy should clearly state “at least once every two years” to align with the statute.

Operational tips

  • Use a learning management system to auto-assign biennial courses and send reminders.
  • Rotate role-based scenarios every cycle to keep content relevant and engaging.
  • Bundle HB 300 updates with annual HIPAA and security awareness to reduce downtime.

Penalties for Non-Compliance

Texas HB 300 is enforced by the state, with civil penalties that scale by severity and intent, plus potential injunctive relief and attorney’s fees. Separate federal HIPAA penalties may also apply for the same incident, and contractual remedies can arise with business associates.

Gaps most often cited include failure to train within 90 days, lack of Training Verification Statements, missing refresher training after material changes, training not tailored to each person’s duties, and poor recordkeeping. Robust documentation significantly reduces enforcement risk.

Covered Entities Obligations

Texas defines covered entities broadly. If you create, receive, maintain, use, or transmit PHI in connection with providing or supporting health care or related operations, you likely fall within scope. That includes providers, health plans, clearinghouses, and business associates such as billing services, EHR vendors, and other service providers handling PHI.

Your obligations include delivering role-based training on PHI, collecting and retaining Training Verification Statements, retaining compliance records for at least six years, refreshing training upon material changes, and ensuring contractors with PHI access complete appropriate training.

FAQs

What topics must Texas HB 300 training cover?

Your program should address Federal and State HIPAA Laws, PHI definitions and identifiers, permitted uses/disclosures and minimum necessary, patient rights and access timelines in Texas, safeguards for electronic PHI, incident reporting and breach notification, workforce sanctions, and role-specific procedures (e.g., release-of-information, vendor oversight, and secure communications).

How often is refresher training required under HB 300?

At least once every two years for all applicable staff, plus a Material Change Refresher within a reasonable period whenever laws or internal PHI-handling policies change in ways that affect employee duties.

What documentation is necessary to prove training compliance?

Maintain Training Completion Documentation (curriculum, dates, method, roster, and results) and signed Training Verification Statements for each person, linked to your policies. Keep these records as part of your Compliance Record Retention for at least six years and log any material-change refreshers by role.

Who is required to complete HB 300 training?

All workforce members of covered entities whose duties involve PHI must train within 90 days and on a two-year cycle, including employees, agents, and contractors. Business associates and their subcontractors must also complete appropriate training under their contractual and statutory obligations when they handle PHI.
