Texas PHI Breach Reporting: 60‑Day Notices, 30‑Day AG Filing Rules

Kevin Henry

Data Breaches

April 30, 2024

Texas Data Breach Notification Law

Scope: when Texas law applies to PHI

Texas’ PHI breach notification statute sits within the state’s data breach framework and treats many categories of health information as “sensitive personal information.” If a breach compromises that information, you must satisfy Texas breach reporting compliance requirements in addition to any HIPAA duties. The state rules apply to any person or business that conducts business in Texas and owns or licenses the affected data—even if your headquarters are elsewhere.

What qualifies as a reportable breach

A reportable breach is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information. Good‑faith access by an employee is not a breach unless the information is misused. If you maintain data on behalf of another entity, you must notify the data owner immediately after discovery so they can fulfill consumer notification requirements.

Core timing rules

Texas sets two key clocks you must manage: (1) notify affected individuals without unreasonable delay and no later than 60 days from the date you determine the breach occurred; and (2) if at least 250 Texas residents are affected, file with the Attorney General within 30 days of that determination. Both clocks allow a temporary delay if law enforcement determines notice would impede an investigation.

Permitted notice methods

You may notify individuals by mail or valid electronic notice. Substitution notice—email, website posting, and statewide media—is allowed only if notice costs exceed $250,000, the number of affected individuals exceeds 500,000, or you lack sufficient contact information.

Reporting Method Requirements

Filing the Data Breach Report form with the Attorney General

When the 250‑resident threshold is met, you must submit the Texas Data Breach Report form electronically. The Attorney General reporting deadline is “as soon as practicable” and no later than 30 days after you determine the breach occurred. Paper, email, or informal submissions don’t satisfy the statute—use the official data breach report form.

What the AG filing must include

  • A detailed description of the breach’s nature and circumstances.
  • The number of Texas residents affected at the time of filing.
  • The number of affected residents already provided notice by mail or other direct method.
  • Measures you have taken in response and measures you plan to take next.
  • Whether law enforcement is investigating.

Submit updates as facts evolve; do not hold the initial filing past the 30‑day Attorney General reporting deadline while you finalize counts.

How to notify individuals

Direct notices should be clear, conspicuous, and actionable. Describe what happened, the types of data involved, what you are doing, and concrete steps recipients can take. Offer support (e.g., credit monitoring) where appropriate, and provide a dedicated contact channel. Ensure the content aligns with both Texas consumer notification requirements and any HIPAA content expectations.

Coordinating with HIPAA for PHI breaches

For covered entities and business associates, HIPAA requires individual notice without unreasonable delay and within 60 days, media notice if 500 or more individuals in a single state or jurisdiction are affected, and HHS reporting (within 60 days for 500+ individuals; annually for fewer than 500). Align your HIPAA and Texas timelines by starting both clocks on the date you determine a reportable breach occurred, and prepare notices that meet both regimes.

Individual Notification Timelines

When the 60‑day clock starts

The 60‑day period begins on the date you determine a breach of system security occurred—not when remediation completes. You may take time that is necessary to determine scope and restore system integrity, but you should not delay consumer notice for convenience or messaging.

Permissible delays

You may delay notices at the written or documented request of law enforcement if it would impede a criminal investigation. Track the start and end of any hold, and be ready to send notices immediately once the hold lifts.

Notice content and delivery

Use mail or E‑Sign compliant electronic delivery. Make the notice plain‑language, include the breach date or estimated date range, the types of PHI or sensitive personal information involved, what you’ve done to secure systems, and practical protective steps for the individual. Provide a toll‑free number or email for questions.

Notification to Consumer Reporting Agencies

10,000+ threshold and timing

If you must notify more than 10,000 individuals at one time, you must also notify all nationwide consumer reporting agencies of the timing, distribution, and content of the individual notices. Provide this CRA notice without unreasonable delay. This CRA requirement is separate from the Texas AG filing and the individual 60‑day rule.

Public Disclosure Procedures

Attorney General public posting

Texas conducts public breach disclosure by posting a listing of received data breach reports on the Attorney General’s website. The listing excludes sensitive details and security information and is updated within 30 days after the AG receives a new report; an entry is removed after one year if the same entity reports no additional breaches during that period.

Practical considerations

Because AG postings are public, prepare accurate, consistent disclosures across your individual notices, AG filing, and any HIPAA media statements. Coordinate legal, privacy, security, and communications teams so the information you provide is defensible and aligned.

Enforcement and Penalties

Civil penalties and injunctive relief

  • General penalties: civil penalties of $2,000 to $50,000 per violation for breaches of Chapter 521, enforceable by the Texas Attorney General.
  • Late consumer notice penalties: up to $100 per affected individual for each day you fail to take reasonable action to comply with the 60‑day consumer notice rule, capped at $250,000 per breach.
  • Additional remedies: the Attorney General may seek injunctive and equitable relief and recover reasonable attorneys’ fees, court costs, and investigative costs.

Compliance takeaways

  • Start breach assessment and documentation immediately; log the determination date that triggers the 60‑day and 30‑day clocks.
  • Prepare the AG data breach report form in parallel with individual notices to meet both deadlines.
  • Evaluate the 10,000‑person threshold early to plan consumer reporting agency notifications.
  • Align Texas disclosures with HIPAA requirements for PHI to avoid inconsistent public statements.

Bottom line: Texas PHI breach reporting demands disciplined timelines—60‑day notices to individuals and a 30‑day AG filing—plus careful content and method compliance. Treat the clocks as independent, submit the data breach report form electronically, and document every step to reduce exposure to civil penalties for Texas data breaches.

FAQs

What are the reporting deadlines for Texas PHI breach notification?

You must notify affected individuals without unreasonable delay and no later than 60 days after determining a breach occurred. If at least 250 Texas residents are affected, you must also report the breach to the Texas Attorney General as soon as practicable and within 30 days of that determination.

How must businesses submit breach reports to the Texas Attorney General?

Submit the required information electronically using the official Data Breach Report form. The filing must include a breach description, the number of Texans affected, how many have already received direct notice, steps taken and planned, and whether law enforcement is involved.

When must affected individuals be notified of a PHI breach in Texas?

Send individual notices as soon as you reasonably can and within 60 days of determining that a reportable breach occurred. Notices may be mailed or sent electronically if compliant, and substitution notice is permitted only when costs are extreme, affected individuals exceed 500,000, or you lack sufficient contact information.

What penalties apply for failure to comply with Texas breach notification rules?

Violations can trigger civil penalties of $2,000 to $50,000 per violation, plus additional penalties of up to $100 per affected individual for each day you fail to take reasonable action to meet the 60‑day individual notice requirement, capped at $250,000 per breach. The Attorney General may also seek injunctions and recover fees and costs.
