Texas PHI Breach Notification Rules: HIPAA and HB 300 Requirements Explained
HIPAA Breach Notification Requirements
Who must comply
Under HIPAA, covered entities—and their business associates—must notify affected individuals after certain security incidents. The duty applies when there is a breach of unsecured protected health information, meaning PHI that has not been rendered unusable, unreadable, or indecipherable (for example, via strong encryption or destruction).
When notice is required
A breach is presumed reportable unless a documented risk assessment shows a low probability that the PHI was compromised; the burden of proof rests on the covered entity or business associate. The assessment weighs at least four factors: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. Keep the written assessment with the incident record.
Breach notification timelines
- Individuals: without unreasonable delay and no later than 60 calendar days after discovery.
- HHS Secretary: for 500 or more individuals, within 60 days of discovery; for fewer than 500, no later than 60 days after the end of the calendar year in which the breach was discovered.
- Media: if the incident involves 500 or more residents of a single state or jurisdiction, notify prominent media outlets within 60 days.
How to notify and what to include
Send written notice by first‑class mail (or email if the individual agreed). If contact information is outdated for fewer than 10 people, use an alternative like phone. If it is outdated for 10 or more, provide substitute notice on your website or via major media and maintain a toll‑free call center for at least 90 days.
Each notice should: describe what happened (including breach and discovery dates), specify the types of information involved, outline steps individuals can take to protect themselves, explain what you are doing to investigate and mitigate harm, and provide a contact method for questions.
Business associate duties
A business associate that discovers a breach must notify the covered entity without unreasonable delay (no later than 60 days) and share the identities of affected individuals and all relevant facts so the covered entity can meet its obligations.
Texas HB 300 Notification Obligations
How HB 300 interacts with breach notice
Texas HB 300 (the Texas Medical Records Privacy Act) expands who is a “covered entity” under state law to include a broad range of organizations that assemble, collect, analyze, store, or transmit PHI, reaching many organizations outside HIPAA’s scope. When a breach affects Texas residents, both the HIPAA and the Texas breach notification timelines apply; where they differ, the stricter requirement controls in practice.
Texas breach notice to individuals
For a breach of system security involving sensitive personal information (which includes data related to an individual’s health, care, or payment for care), Texas requires notice “as quickly as possible,” but not later than the 60th day after you determine a breach occurred. Notification may be delayed if law enforcement advises that notice would impede an investigation. If a single event requires notifying more than 10,000 persons at once, you must also notify the nationwide consumer reporting agencies of the timing, distribution, and content of notices.
Penalties for HIPAA and HB 300 Violations
HIPAA enforcement
HIPAA uses a four‑tier civil penalty structure based on culpability (from lack of knowledge to uncorrected willful neglect). Dollar amounts are adjusted annually for inflation, and OCR considers mitigating and aggravating factors such as the nature and extent of the violation, harm risk, organization size, and corrective actions.
Texas civil penalties
- HB 300 (Health & Safety Code): up to $5,000 per negligent violation per year; up to $25,000 per knowing or intentional violation per year; and up to $250,000 for violations where PHI is used for financial gain. If violations constitute a pattern or practice, courts may impose up to $1.5 million in civil penalties annually, plus injunctive relief.
- Business & Commerce Code (breach notice): separate civil penalties apply for violating the breach law, including $2,000–$50,000 per violation and additional penalties for delayed notification (assessed per affected individual per day), capped per breach.
Criminal exposure in Texas
Beyond civil penalties, certain computer‑crime conduct that often accompanies PHI incidents can be charged under the Penal Code as a Class B misdemeanor and, in specified circumstances, escalates to a state jail felony (for example, breach of computer security or misuse of certain scanning/re‑encoding devices). These offenses are distinct from HB 300 but may arise from the same facts.
Electronic Disclosure Regulations
Notice and patient authorization
HB 300 requires you to post a notice telling patients that their PHI may be subject to electronic disclosure. Except for disclosures for treatment, payment, health care operations, or as otherwise authorized or required by law, you must obtain a separate patient authorization for each electronic disclosure. The authorization may be written or electronic, and oral authorization is permitted only if you document it in writing. The Texas Attorney General provides a standard form that aligns with HIPAA.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Access to Electronic Medical Records
15‑business‑day turnaround for EHR
If you use an electronic health record system that can fulfill the request, you must provide a patient’s electronic medical record within 15 business days of receiving a written request, unless a HIPAA right‑of‑access exception applies. Provide the record in electronic form unless the patient agrees to another format, and charge only permissible, cost‑based fees.
Employee Training Mandates
Who, what, and when
Covered entities must train employees on state and federal PHI requirements as appropriate to their job duties. New hires must complete training no later than the 90th day after hire. If a material change in the law affects an employee’s duties, provide updated training within a reasonable period, and no later than the first anniversary of the change. Keep each employee’s signed training verification (electronic or paper) for six years.
Breach Notification to Texas Attorney General
30‑day AG reporting threshold and content
If a breach involves at least 250 Texas residents, you must electronically notify the Texas Attorney General as soon as practicable and no later than the 30th day after determining the breach occurred. The report must include: a description of the breach and the circumstances, the number of Texans affected and notified, measures taken in response, planned future measures, and whether law enforcement is investigating. The Attorney General publicly posts breach notices (excluding sensitive details) for approximately one year.
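The timelines in the HIPAA section, the Texas individual-notice section, and the Attorney General section above come from two statutes with different clocks (HIPAA runs from discovery, Texas from the date you determine a breach occurred) and different headcount triggers. The following is an added example, not code from the original article or from Accountable, that encodes those rules as a deadline planner an incident responder can run once the breach has been scoped. The `BreachFacts` fields and helper names are this example's own choices; the dates and counts in the sample are constructed. It treats the HIPAA low-probability outcome as gating only the HIPAA duties, because the Texas trigger (unauthorized acquisition of computerized sensitive personal information) is assessed separately, and it assumes the Texas 10,000-person consumer-reporting-agency trigger is measured on the notices sent under the Texas statute, approximated here by the Texas resident count.

```python
"""Notification-deadline planner for a PHI breach that touches Texas residents.

Added example: encodes the HIPAA Breach Notification Rule and Texas
Business & Commerce Code 521.053 timelines described in the article.
It is a planning aid for an incident-response playbook, not legal advice.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class BreachFacts:
    """Facts known once the investigation has scoped the breach."""
    discovered: date       # HIPAA clock: first day the breach was known (or should have been)
    determined: date       # Texas clock: day you determined a breach of system security occurred
    individuals: int       # individuals whose unsecured PHI was affected, all states
    texas_residents: int   # of those, Texas residents
    max_in_one_state: int  # largest number of residents in any single state or jurisdiction
    bad_contact_info: int  # individuals with insufficient or out-of-date contact information
    low_probability_of_compromise: bool = False  # documented HIPAA four-factor assessment outcome

    @classmethod
    def from_iso(cls, discovered: str, determined: str, *args, **kwargs) -> "BreachFacts":
        return cls(date.fromisoformat(discovered), date.fromisoformat(determined), *args, **kwargs)


def _iso(d: Optional[date]) -> Optional[str]:
    return d.isoformat() if d else None


def hhs_deadline(discovered: date, individuals: int) -> date:
    """HHS notice: 500+ individuals -> within 60 days of discovery;
    fewer than 500 -> no later than 60 days after the end of the calendar year of discovery."""
    if individuals >= 500:
        return discovered + timedelta(days=60)
    year_end = date(discovered.year, 12, 31)
    return year_end + timedelta(days=60)   # lands on Mar 1, or Feb 29 in a leap year


def substitute_notice(bad_contact_info: int) -> Optional[str]:
    """HIPAA substitute-notice rule keyed on how many addresses are unusable."""
    if bad_contact_info == 0:
        return None
    if bad_contact_info < 10:
        return "alternative written notice, telephone, or other means"
    return "website posting or major media for 90 days, plus a toll-free number active 90 days"


def notification_plan(f: BreachFacts) -> dict:
    """Return each notification duty with its ISO deadline (or None / False if not triggered)."""
    plan = {"hipaa_reportable": not f.low_probability_of_compromise}
    if plan["hipaa_reportable"]:
        sixty = f.discovered + timedelta(days=60)
        plan["individuals_hipaa"] = _iso(sixty)
        plan["hhs"] = _iso(hhs_deadline(f.discovered, f.individuals))
        plan["media"] = _iso(sixty) if f.max_in_one_state >= 500 else None
        plan["substitute_notice"] = substitute_notice(f.bad_contact_info)
    if f.texas_residents > 0:
        # Texas duties run from the determination date, independent of the HIPAA assessment.
        plan["individuals_texas"] = _iso(f.determined + timedelta(days=60))
        plan["texas_ag"] = _iso(f.determined + timedelta(days=30)) if f.texas_residents >= 250 else None
        # Assumption: the 10,000-person CRA trigger counts notices sent under the Texas statute,
        # approximated here by the number of Texas residents.
        plan["consumer_reporting_agencies"] = f.texas_residents > 10_000
        # Where both regimes apply, the earlier individual-notice date controls (ISO strings sort by date).
        candidates = [d for d in (plan.get("individuals_hipaa"), plan["individuals_texas"]) if d]
        plan["individuals_effective"] = min(candidates)
    return plan


if __name__ == "__main__":
    # Constructed sample: 620 patients, 300 of them Texans, 12 undeliverable addresses.
    sample = BreachFacts.from_iso("2024-03-10", "2024-03-12", 620, 300, 300, 12)
    for duty, when in notification_plan(sample).items():
        print(f"{duty:30} {when}")
```

Running the sample shows the practical effect of the two clocks: individual notice to Texans is due on the HIPAA date (2024-05-09) because it falls two days before the Texas 60th day, the Attorney General report is due much earlier (2024-04-11), and no media notice is triggered because no single state reaches 500 residents. Swap in a sub-500 breach discovered late in the year to see the HHS deadline roll to 60 days after December 31.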
Conclusion
To stay compliant, document your risk assessments, track breach notification timelines across HIPAA and Texas law, obtain and record patient authorization for electronic disclosures where required, provide timely EHR access, and keep robust training and breach logs. Aligning your program to both frameworks reduces legal exposure and speeds credible breach response.
FAQs
What are the notification timelines under HIPAA and Texas HB 300?
Under HIPAA, notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify the media when 500+ residents of a state or jurisdiction are affected; and notify HHS within 60 days for 500+ individuals, or by 60 days after year‑end for fewer than 500. Texas requires individual notice “as quickly as possible,” but no later than the 60th day after you determine a breach occurred. If 250+ Texas residents are affected, you must also notify the Texas Attorney General within 30 days.
How are penalties assessed for PHI breach violations in Texas?
HB 300 allows civil penalties up to $5,000 per negligent violation per year, $25,000 per knowing or intentional violation per year, and $250,000 when PHI is used for financial gain, with up to $1.5 million annually for a pattern or practice. Separately, the state’s breach‑notification law authorizes additional civil penalties (including per‑day fines for delayed notice) and injunctive relief. Criminal charges under other Texas statutes may also apply depending on the conduct.
When must the Texas Attorney General be notified of a breach?
When the breach involves at least 250 Texas residents, you must report to the Attorney General electronically as soon as practicable and not later than 30 days after you determine the breach occurred. Include the incident description, number of residents affected and notified, the measures taken, planned next steps, and whether law enforcement is involved.
What training is required for employees handling PHI?
Provide role‑based training on federal and Texas PHI requirements. New employees must be trained within 90 days of hire, and employees whose duties are affected by a material legal change must receive updated training within a reasonable period and no later than one year after the change. Maintain each employee’s signed verification of training for six years.