What Is the Purpose of Texas House Bill 300 (HB 300)? Strengthening Patient Data Privacy in Texas



Kevin Henry

Data Privacy

July 01, 2025

8-minute read

HB 300 Overview

Texas House Bill 300 (HB 300) strengthens patient data privacy in Texas by expanding who is regulated, tightening timelines, and elevating accountability for how you handle Protected Health Information. Its core purpose is to ensure Texans’ medical details are collected, used, stored, and disclosed with rigorous safeguards that complement—and in key areas exceed—HIPAA.

HB 300 applies broadly to organizations that touch patient information in Texas, not just traditional healthcare providers. It requires clear Patient Consent Requirements for certain electronic disclosures, faster patient access to records, Workforce Training Compliance tailored to job roles, defined Data Breach Notification steps, and documented Security Controls scaled to your risk profile.

  • Broader scope: a wider “Covered Entity” definition than HIPAA.
  • Faster access: shorter deadlines to provide records to patients.
  • Stronger consent: authorization rules for electronic disclosures beyond treatment, payment, and operations.
  • Workforce readiness: role-based training and documentation.
  • Incident response: structured Data Breach Notification obligations.
  • Accountability: heightened Regulatory Enforcement and penalties for non-compliance.

Covered Entities Definition

Under HB 300, a Covered Entity includes any person, business, or organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits Protected Health Information in Texas for commercial, financial, or professional purposes. This broader definition reaches beyond HIPAA’s traditional categories.

Examples include healthcare providers, health plans, clearinghouses, billing and practice management firms, law firms handling medical records in litigation, researchers, schools and athletic programs maintaining student health files, cloud and IT vendors, call centers, and analytics companies that process PHI. Out-of-state organizations can be Covered Entities if they handle PHI about Texas residents or do business in Texas.

Vendors and contractors that access PHI must follow HB 300’s privacy and security rules through contracts, training, and technical safeguards aligned with Security Controls and minimum-necessary standards.

Employee Training Requirements

HB 300 mandates Workforce Training Compliance tailored to each role’s access and duties. New workforce members must be trained promptly after hire and whenever material legal, policy, or technology changes affect how they handle PHI. Refresher training should occur regularly to maintain awareness and competence.

Your training program should be relevant, practical, and documented. Maintain records of curricula, dates, attendees, and acknowledgments to demonstrate compliance during audits or investigations.

  • Role-based content covering Texas HB 300, HIPAA, minimum necessary use, and Patient Consent Requirements.
  • Secure handling of PHI across paper, electronic, and verbal channels.
  • Incident recognition, reporting, and Data Breach Notification basics.
  • Do-and-don’t scenarios for common workflows (scheduling, billing, telehealth, remote work).
  • Proof of completion and periodic retraining cadence.

Patient Access to Records

HB 300 speeds up patient access. Upon a valid request and identity verification, you must provide access to a patient’s records within 15 business days. This is stricter than HIPAA’s default 30-day window, so your procedures and staffing should be calibrated to meet Texas timelines consistently.

Provide records in the form and format requested when readily producible, including electronic copies from an EHR. You may charge reasonable, cost-based fees as permitted by law, but fees cannot be used to delay access. Track requests and responses to prove you met the deadline and delivered the scope requested.
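The 15-business-day clock is easy to state and easy to miss in practice, so a request log should compute the deadline and flag anything at risk. The following Python is an added example written for this article, not code from the original post or from any vendor's product. It assumes the clock starts on the day the request is received and identity is verified, that only weekends are non-business days unless the caller supplies a holiday set (observed holidays vary, so they are an input, not hard-coded), and all request records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# HB 300 deadline for providing a patient access to records (business days).
BUSINESS_DAYS_TO_RESPOND = 15


def add_business_days(start: date, days: int, holidays: frozenset = frozenset()) -> date:
    """Return the date `days` business days after `start`.

    Weekends are skipped always; `holidays` is an assumed caller-supplied set of
    observed non-business dates (constructed for this example, not a statutory list).
    """
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


@dataclass
class RecordsRequest:
    request_id: str
    received: date                      # day the valid request was received and identity verified
    fulfilled: Optional[date] = None    # day records were delivered, or None while open


def access_deadline(req: RecordsRequest, holidays: frozenset = frozenset()) -> date:
    """Last business day on which the request can still be fulfilled on time."""
    return add_business_days(req.received, BUSINESS_DAYS_TO_RESPOND, holidays)


def request_status(req: RecordsRequest, today: date, holidays: frozenset = frozenset()) -> str:
    """Classify a request as met, late, overdue or open relative to its deadline."""
    deadline = access_deadline(req, holidays)
    if req.fulfilled is not None:
        return "met" if req.fulfilled <= deadline else "late"
    return "overdue" if today > deadline else "open"


def review_requests(requests: Iterable[RecordsRequest], today: date,
                    holidays: frozenset = frozenset()) -> dict:
    """Group request ids by status so a compliance lead can see what needs action today."""
    report = {"met": [], "late": [], "overdue": [], "open": []}
    for req in requests:
        report[request_status(req, today, holidays)].append(req.request_id)
    return report


# Constructed sample data: July 1, 2025 is a Tuesday; July 4 is an observed holiday.
OBSERVED_HOLIDAYS = frozenset({date(2025, 7, 4)})
SAMPLE_REQUESTS = [
    RecordsRequest("REQ-1", date(2025, 7, 1), fulfilled=date(2025, 7, 10)),  # on time
    RecordsRequest("REQ-2", date(2025, 7, 1), fulfilled=date(2025, 7, 30)),  # delivered late
    RecordsRequest("REQ-3", date(2025, 7, 1)),                               # still open, past deadline
    RecordsRequest("REQ-4", date(2025, 7, 21)),                              # still open, within window
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.request_id, "deadline:", access_deadline(req, OBSERVED_HOLIDAYS))
    print(review_requests(SAMPLE_REQUESTS, today=date(2025, 7, 28), holidays=OBSERVED_HOLIDAYS))
```

Tracking the fulfilled date alongside the deadline gives the audit evidence the article calls for: a "met" or "late" verdict per request rather than a bare count of requests handled.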


Patient Consent Requirements

Texas HB 300 adds specific Patient Consent Requirements for certain electronic disclosures of PHI. Outside of treatment, payment, healthcare operations, or other disclosures permitted or required by law, you generally must obtain a patient’s authorization before electronically disclosing PHI. Use clear, standardized forms and capture method, scope, purpose, expiration, and revocation rights.

Document authorizations, honor revocations promptly, and apply heightened protections to sensitive categories (for example, behavioral health or HIV-related information) where other Texas statutes may require additional steps. Keep a disclosure log to demonstrate appropriateness and necessity.

Data Breach Notification Procedures

HB 300 expects a disciplined incident response process that coordinates with Texas breach-notification laws and HIPAA. When you discover a potential breach, move quickly to contain, investigate, and document your findings, then notify required parties within the legally prescribed timelines.

  • Immediate actions: contain the incident, preserve evidence, and launch a role-based response with privacy, security, legal, and leadership.
  • Risk assessment: determine what PHI was involved, who saw or obtained it, whether data was actually acquired or viewed, and the likelihood of misuse.
  • Notifications: provide written notice to affected individuals without unreasonable delay and no later than applicable deadlines (commonly 60 days after discovery under Texas law and HIPAA).
  • Regulatory reporting: if a breach affects a significant number of Texas residents (such as 250 or more), notify the Texas Attorney General within the same statutory timeframe; large-scale events may also require notifying consumer reporting agencies as required by law.
  • Content of notices: describe what happened, what information was involved, what you’re doing in response, steps individuals can take, and how to reach you for assistance.
  • Documentation: keep investigation records, timelines, notices, and remedial actions to demonstrate compliance.

Security Measures and Compliance

HB 300 expects Security Controls that are reasonable and appropriate to your size, complexity, and risk profile. Your safeguards should be layered—administrative, technical, and physical—and proven through documentation, monitoring, and continuous improvement.

Administrative controls

  • Governance: assign privacy and security leadership with clear authority and accountability.
  • Risk management: conduct periodic risk analyses; remediate gaps with prioritized action plans.
  • Policies and procedures: define acceptable use, access, retention, disposal, remote work, and vendor oversight.
  • Vendor management: contracts that bind third parties to HB 300 and HIPAA requirements; due diligence and ongoing monitoring.
  • Workforce Training Compliance: onboarding, role-based refreshers, attestations, and sanctions for violations.

Technical controls

  • Identity and access management: least privilege, strong authentication, timely provisioning and deprovisioning.
  • Data protection: encryption in transit and at rest, secure key management, and data loss prevention.
  • System hardening and patching: vulnerability management, endpoint protection, and secure configuration baselines.
  • Monitoring and audit: centralized logging, alerting, and periodic access reviews to catch inappropriate PHI access.
  • Resilience: backups, tested recovery procedures, and segmentation to limit blast radius.
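The "monitoring and audit" bullet above is where most PHI snooping is actually caught: an access review compares who opened a record against who had a documented reason to. The Python below is an added example written for this article, not code from the original post or from any product. The log line format, the user-to-patient assignment table, the list of high-risk actions and the sample log lines are all constructed for the example; a real EHR audit trail will need its own parser, and the assignment table would come from scheduling or work-queue data.

```python
import re
from collections import defaultdict

# Assumed audit-log line format for this example (constructed, not a real product's format):
#   <ISO-8601 timestamp> user=<id> role=<role> patient=<id> action=<verb>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

# Actions that move PHI out of the system, so an unexplained one is rated higher.
HIGH_RISK_ACTIONS = {"export", "print"}

# Constructed sample: patients each user has a documented reason to access
# (treatment relationship, billing work queue). In practice this comes from scheduling data.
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "billing_b": {"P1001", "P1003"},
    "nurse_c": {"P3001"},
}

# Constructed sample audit log; one deliberately malformed line tests parser robustness.
SAMPLE_LOG = """\
2025-07-01T09:12:44Z user=nurse_a role=nurse patient=P1001 action=view
2025-07-01T09:15:02Z user=nurse_a role=nurse patient=P1002 action=view
2025-07-01T09:20:10Z user=nurse_a role=nurse patient=P2045 action=view
2025-07-01T10:01:33Z user=billing_b role=billing patient=P1001 action=export
2025-07-01T10:05:00Z user=billing_b role=billing patient=P1003 action=view
2025-07-01T10:07:18Z user=billing_b role=billing patient=P1004 action=export
2025-07-01T11:30:00Z user=nurse_c role=nurse patient=P3001 action=view
2025-07-01T11:31:05Z user=nurse_c role=nurse patient=P3002 action=view
2025-07-01T11:31:40Z user=nurse_c role=nurse patient=P3003 action=view
2025-07-01T11:32:12Z user=nurse_c role=nurse patient=P3004 action=view
2025-07-01T11:32:50Z user=nurse_c role=nurse patient=P3005 action=view
this line is not in the expected format
"""


def parse_log(text):
    """Return (events, skipped): malformed lines are kept for review, never silently dropped."""
    events, skipped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        (events if m else skipped).append(m.groupdict() if m else line)
    return events, skipped


def review_access(log_text, assignments, distinct_patient_threshold=5):
    """Flag PHI access with no documented relationship and users touching unusually many charts."""
    events, skipped = parse_log(log_text)
    findings = []
    patients_per_user = defaultdict(set)
    for ev in events:
        patients_per_user[ev["user"]].add(ev["patient"])
        if ev["patient"] not in assignments.get(ev["user"], set()):
            findings.append({
                "rule": "no_documented_relationship",
                "severity": "high" if ev["action"] in HIGH_RISK_ACTIONS else "medium",
                "user": ev["user"], "patient": ev["patient"],
                "action": ev["action"], "ts": ev["ts"],
            })
    # Volume rule: many distinct charts in one review window is a classic snooping signal.
    for user, patients in patients_per_user.items():
        if len(patients) >= distinct_patient_threshold:
            findings.append({
                "rule": "high_volume_distinct_patients",
                "severity": "medium",
                "user": user, "patient_count": len(patients),
            })
    return {"events": len(events), "skipped": len(skipped), "findings": findings}


if __name__ == "__main__":
    result = review_access(SAMPLE_LOG, ASSIGNMENTS)
    print(f"parsed {result['events']} events, skipped {result['skipped']} malformed line(s)")
    for finding in result["findings"]:
        print(finding)
```

Each finding carries the user, patient, action and timestamp, which is exactly what an investigation or a sanctions decision needs; the malformed-line count matters too, because a parser that drops lines quietly turns a monitoring gap into an undetected one.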

Physical controls

  • Facility security: badge access, visitor logging, and camera coverage where appropriate.
  • Media and device controls: secure storage, encryption on portable devices, and certified destruction of drives and paper.
  • Workstation security: screen locks, privacy filters, and clean-desk practices.

Regulatory enforcement and accountability

HB 300 is enforced by the Texas Attorney General and, where applicable, by professional licensing boards. Civil penalties can apply per violation and escalate based on factors such as the number of individuals affected, the nature and duration of the violation, and whether the conduct was negligent, knowing, or for financial gain. Remedies can also include injunctions, corrective-action mandates, and recovery of costs and attorneys’ fees.

Conclusion

Texas HB 300’s purpose is to elevate patient data privacy by widening who is covered, accelerating patient access, requiring targeted consent for electronic disclosures, formalizing Workforce Training Compliance, defining Data Breach Notification steps, and demanding right-sized Security Controls. By operationalizing these requirements, you protect patients, reduce legal exposure, and build durable trust.

FAQs

What entities are covered under Texas HB 300?

Any organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits Protected Health Information in Texas for commercial, financial, or professional reasons can be a Covered Entity. This includes traditional healthcare players (providers, plans, clearinghouses) and a wide range of others such as billing services, law firms, schools, researchers, cloud and IT vendors, and call centers—regardless of where they are located if they handle PHI about Texas residents.

How soon must patient records be provided under HB 300?

You must provide access within 15 business days of receiving a proper request and verifying identity. This Texas requirement is faster than HIPAA’s general 30-day timeline, so you should design intake, fulfillment, and quality checks to reliably meet the 15-business-day deadline.

What are the penalties for non-compliance with HB 300?

Penalties are assessed per violation and scale with factors such as negligence versus intentional conduct, the number of individuals affected, the duration and impact of the violation, and whether PHI was misused for financial gain. Consequences can include significant civil fines (rising to six figures for egregious cases), injunctive relief, corrective-action requirements, and attorneys’ fees. Licensing boards may impose additional sanctions, and federal HIPAA penalties can also apply.

How does HB 300 enhance patient privacy beyond HIPAA?

HB 300 goes beyond HIPAA by broadening who qualifies as a Covered Entity in Texas, imposing a faster 15-business-day deadline for patient access to records, requiring role-specific workforce training with documentation, mandating authorization for certain electronic disclosures beyond treatment, payment, and operations, and reinforcing Security Controls and breach-response expectations under state law, backed by active Regulatory Enforcement.
