Texas PHI Breach Notification Checklist: Timelines, Who to Notify, Documentation

Kevin Henry

Data Breaches

April 30, 2024

Texas Data Breach Notification Requirements

Texas law and HIPAA work together. If a breach involves Protected Health Information (PHI) or “sensitive personal information” of a Texas resident, you must notify affected individuals as quickly as possible under the Unreasonable Delay Standard and, in all cases, no later than 60 days after discovery or determination of a breach. Texas Health and Safety Code Chapter 181 requires HIPAA-covered entities and business associates to follow HIPAA’s breach rules, and Texas Business & Commerce Code adds state-specific recipients and content for certain notices.

At-a-glance timelines

  • Individuals: without unreasonable delay and no later than 60 days after discovery/determination.
  • Texas Attorney General: if the breach affects 250 or more Texas residents, notify as soon as practicable and no later than 30 days after you determine a breach occurred.
  • U.S. Department of Health & Human Services (HHS) OCR: for 500+ individuals, notify within 60 days; for fewer than 500, submit a Breach Notification Electronic Submission within 60 days after the end of the calendar year in which the breach was discovered.
  • Media notice: if 500+ residents of the same state or jurisdiction are affected, notify a prominent media outlet in that area within 60 days.
  • Consumer Reporting Agency Notification: if 10,000 or more individuals are affected nationwide, notify the nationwide consumer reporting agencies without unreasonable delay.
  • Third-party data owners: if you maintain but do not own the data, notify the data owner immediately after discovery.

What triggers a notice

  • Texas: unauthorized acquisition of unencrypted “sensitive personal information.”
  • HIPAA: any impermissible use or disclosure of unsecured PHI unless a documented risk assessment shows a low probability that the PHI was compromised.

Sensitive Personal Information Definition

Texas defines “sensitive personal information” to include several data categories that can trigger notice obligations. For healthcare organizations, the most relevant are below.

Data elements that trigger notice

  • First name or initial and last name in combination with any of the following:
    • Social Security number.
    • Driver’s license or other government identification number.
    • Financial account, credit card, or debit card number with any required access code, password, or security code.
  • Biometric identifiers (for example, fingerprint, voiceprint, retina or iris image).
  • Sensitive Personal Health Information that identifies an individual and relates to the individual’s physical or mental health condition, provision of health care, or payment for health care, when created by or derived from a health care provider, health plan, employer, or health care clearinghouse.

Standalone demographic data (for example, name alone or address alone) does not trigger the Texas notice requirement unless combined with another triggering element or unless PHI is compromised under HIPAA.

Notification Methods

Use methods that are timely, reliable, and prove delivery. Your method may be dictated by HIPAA, Texas law, or both.

How to notify individuals

  • Written notice by first-class mail to the last known address; or
  • Electronic notice if the individual has agreed to receive electronic communications, consistent with HIPAA and federal e-sign rules.
  • Substitute notice if you lack sufficient contact information, the affected population is very large, or costs would be excessive. Substitute notice typically includes a combination of email (when available), conspicuous posting on your website, and notice to major statewide media.

What the individual notice must include

  • A clear description of what happened (including the date of the incident and discovery, if known).
  • The types of information involved (for example, names, SSNs, medical record numbers, diagnosis, treatment information).
  • Steps individuals should take to protect themselves.
  • What you are doing to investigate, mitigate harm, and prevent recurrence.
  • How to contact you for more information (toll-free number, email, or postal address).

How to notify regulators and others

  • Texas Attorney General: file the state notice with required content (entity identity and contact, general incident description, number of affected Texas residents, total affected nationwide, data types, and remediation status).
  • HHS OCR: submit the Breach Notification Electronic Submission through the OCR breach portal on the timeline that corresponds to the number of affected individuals.
  • Media: for 500+ individuals in a state or jurisdiction, provide press notice to a prominent outlet.
  • Consumer reporting agencies: send notification to the nationwide agencies if the breach affects 10,000+ individuals.

Penalties for Non-Compliance

Civil Penalties for PHI Breaches can be significant. Under Texas Health and Safety Code Chapter 181, the attorney general may seek civil penalties per violation, with higher penalties for knowing or intentional violations and for any disclosure or use of PHI for financial gain. Courts may also order injunctive relief and recovery of costs and attorneys’ fees.

These state penalties are in addition to federal HIPAA enforcement, which can impose tiered penalties for lack of compliance, willful neglect, or failure to correct—often far exceeding state fines when violations are widespread or repeated.

Exemptions from Notification

  • Data Encryption Exemption: no notice is required if the compromised data was encrypted and the encryption key was not acquired or compromised.
  • Good-faith acquisition: acquisition by an employee or agent for a legitimate purpose is not a breach if the data is not used or subject to further unauthorized disclosure.
  • Law enforcement delay: notification may be delayed at the written request of law enforcement if notice would impede an investigation.
  • HIPAA low-probability finding: after a documented risk assessment, if you determine a low probability of compromise, HIPAA notice may not be required (state notice rules may still apply if sensitive personal information was acquired).
  • Other regulated entities: if another federal law or regulator requires a breach notice process that you follow (for example, financial institutions under GLBA), that may satisfy Texas’s general data-breach framework for those specific data sets.

Documentation Best Practices

Strong records prove compliance and support defensibility. Maintain a complete breach file for each event—even when you conclude notice is not required.

What to capture

  • Incident timeline, investigation steps, and containment actions.
  • HIPAA risk assessment worksheets and your conclusion (including rationale for low-probability or notification decisions).
  • Copies of all individual notices, call-center scripts, FAQs, and any media statements.
  • Regulatory submissions: confirmation pages or receipts for the Texas Attorney General filing and the HHS OCR Breach Notification Electronic Submission.
  • Consumer Reporting Agency Notification letters (if applicable) and mailing or transmission proofs.
  • Vendor and business associate communications, contracts, and indemnity notices.
  • Post-incident remediation plans, policy updates, and workforce training attestations.

Retention

  • Retain breach-related documentation and relevant privacy/security policies for at least six years to align with HIPAA recordkeeping expectations.

Compliance Timeline Management

Use a structured playbook so you can meet both HIPAA and Texas deadlines and satisfy the Unreasonable Delay Standard.

Operational timeline

  • Day 0–1: detect, contain, and preserve evidence; loop in privacy, security, legal, and leadership.
  • Day 1–10: complete preliminary fact-finding; begin HIPAA risk assessment; assess whether “sensitive personal information” or PHI is implicated; engage forensics if needed.
  • Day 1–20: decide whether notice is required; draft notices; prepare regulator submissions and media plan.
  • By Day 30: if 250+ Texas residents are affected, submit the Texas Attorney General notice.
  • By Day 60: send individual notices; for 500+ individuals, submit HHS OCR notice and, if 500+ in a state or jurisdiction, issue media notice.
  • As soon as practicable: if 10,000+ individuals are affected, notify the nationwide consumer reporting agencies.
  • By 60 days after the end of the calendar year: file the year-end HHS OCR report for breaches affecting fewer than 500 individuals.
  • Post-notice: implement remediation, complete root-cause analysis, retrain workforce, and update risk management plans.

Summary

This Texas PHI Breach Notification Checklist centers on acting quickly, documenting thoroughly, and notifying the right parties on time. Follow HIPAA’s content and 60‑day deadline for individuals, add Texas Attorney General notice for larger Texas incidents, notify HHS OCR and media when thresholds are met, and preserve evidence of every step you take.

FAQs

What are the notification timelines for Texas PHI breaches?

You must notify affected individuals without unreasonable delay and no later than 60 days after discovery or determination of a breach. If 250+ Texas residents are affected, notify the Texas Attorney General as soon as practicable and within 30 days of determining a breach occurred. For HIPAA, notify HHS OCR within 60 days for breaches involving 500+ individuals; for fewer than 500, file by 60 days after the end of the calendar year. Media notice is required for 500+ in a state or jurisdiction, and consumer reporting agencies should be notified without unreasonable delay if 10,000+ individuals are affected.

Who must be notified in a Texas PHI breach?

Notify impacted individuals; the Texas Attorney General if 250 or more Texas residents are affected; HHS OCR (always, with timing based on the number of affected individuals); and, for 500+ in a state or jurisdiction, a prominent media outlet. If 10,000+ individuals are affected, notify the nationwide consumer reporting agencies. If you are a vendor or business associate that maintains data for a covered entity, notify the data owner promptly.

What personal information triggers breach notification in Texas?

Texas uses the “sensitive personal information” standard, which includes a name plus SSN, driver’s license or government ID number, or financial account data with any required access code; unique biometric identifiers; and Sensitive Personal Health Information created by or derived from a health care provider, health plan, employer, or health care clearinghouse. PHI under HIPAA also triggers notice unless a risk assessment shows a low probability of compromise.

What penalties apply for failure to comply with Texas breach notification laws?

Under Texas Health and Safety Code Chapter 181, the attorney general can seek civil penalties per violation, with higher amounts for knowing or intentional violations and for disclosures made for financial gain, plus injunctive relief and recovery of costs. These state penalties are in addition to potential federal HIPAA penalties for noncompliance.
