Texas healthcare providers follow two rule sets: federal HIPAA and state health privacy laws that are stricter in many ways than federal rules. Texas covered entities and business associates need to know where the laws differ and where they agree.
Texas Quick Take
HIPAA is the base rule. Texas adds more duties. Train staff every two years. Give patients fast access to records. Report larger breaches to the Texas Attorney General within 30 days. Check vendor contracts. Know where data is stored. If AI is used in care, tell patients clearly. Keep proof of each step.
This guide covers HB 300, Senate Bill 1188, Texas breach notice rules, Attorney General enforcement, and practical compliance steps for Texas providers.
Federal HIPAA in Texas: The Baseline
HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule apply to covered entities and business associates in Texas. This is true regardless of size or specialty. These federal rules set the basic standards for how covered entities must handle, secure, and disclose protected health information (PHI).
Texas does not have one health privacy law that copies HIPAA. Instead, Texas adds rules through several focused laws. When Texas law is stricter than HIPAA, the stricter rule controls.
Plain-English Texas Checklist
Start with HIPAA. Add Texas rules on top. Keep training records. Review record requests fast. Track every vendor that handles PHI. Make sure each vendor has a signed BAA. Check where data is stored. Do not store health data overseas unless the patient gives written consent. If AI helps with care, tell the patient. If a breach affects 250 or more Texas residents, prepare the AG notice right away. Keep dates, notices, and proof in one file.
Texas State Health Privacy Laws
Texas Medical Records Privacy Act (HB 300 / Chapter 181)
House Bill 300, codified in Chapter 181 of the Texas Health and Safety Code, is the centerpiece of Texas health privacy law. Passed in 2011 and effective since 2012, it is commonly called the Texas Medical Records Privacy Act (TMRPA). HB 300 is significant for two reasons: it covers a broader range of entities than federal HIPAA, and it imposes stricter rules in several operational areas.
Who HB 300 covers: Federal HIPAA applies only to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. HB 300 applies to any person or entity that assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI—a definition broad enough to capture data analytics firms, app developers, health IT vendors, and third-party administrators that fall outside HIPAA’s scope. If your group touches PHI belonging to a Texas resident, HB 300 likely applies.
SB 1188 (2025): Health Data Security and AI Rules
Senate Bill 1188 was signed in 2025 and takes effect on September 1, 2025. It created Chapter 183 of the Texas Health and Safety Code. It covers three areas that HIPAA does not fully cover:
- Written security programs: Covered groups must keep a written security program for health record data. It is similar to the HIPAA Security Rule, but Texas can enforce it separately.
- Ban on overseas data storage: Identifiable health data may not be stored on servers physically located outside the United States without explicit patient consent. This closes a gap that HIPAA’s business associate framework does not address directly.
- AI notices: When AI is used in clinical decisions or treatment advice, healthcare organizations must tell patients. This is one of the first state health privacy rules of its kind.
Texas Identity Theft Enforcement and Protection Act (TITEPA)
The Texas Identity Theft Enforcement and Protection Act is in Chapter 521 of the Business and Commerce Code. It governs breach notices for sensitive personal information, including health information. SB 768 (2023) changed Chapter 521 to require notifying the Texas Attorney General within 30 days of discovering a breach that affects 250 or more Texas residents. This is stricter than HIPAA’s 60-day notice rule for mid-to-large breaches.
Mental Health Records: Texas Health and Safety Code Chapter 611
Mental health records in Texas receive an additional layer of protection under Chapter 611 of the Texas Health and Safety Code. Sharing mental health treatment information usually requires specific written consent, and Chapter 611 spells out who may consent and what the consent must contain in more detail than HIPAA’s general authorization rules. Behavioral health providers must follow both frameworks at the same time.
How HB 300 Expands HIPAA’s Reach in Texas
Broader Definition of “Covered Entity” Under HB 300
The practical effect of HB 300’s broader definition is that Texas does not rely on HIPAA’s covered-entity/business-associate split. Federal HIPAA reaches business associates directly (since the HITECH Act) and reaches other vendors not at all; HB 300 makes any entity that handles Texas PHI a covered entity in its own right. A health data analytics company may be a business associate under HIPAA and a covered entity under HB 300, and a consumer health app that is neither under HIPAA can still be covered by HB 300. Each must follow Chapter 181 directly, not only through a BAA.
Stricter PHI Access Timelines: 15 Business Days vs. HIPAA’s 30 Days
HIPAA gives covered entities 30 calendar days to respond to a patient’s request for access to their health records, with one 30-day extension if the patient is told the reason in writing. HB 300 is shorter and has no extension: a health care provider that keeps electronic health records must provide the requested records not later than the 15th business day after receiving the patient’s written request (Health and Safety Code §181.102). Texas providers must build workflows that meet the 15-business-day timeline as their standard operating procedure.
Mandatory Training Every Two Years
HIPAA requires workforce training when policies change and “as necessary and appropriate”, a flexible but vague standard. HB 300 is specific (Health and Safety Code §181.101): a new employee must complete training not later than the 60th day after hire, and every employee must be retrained at least once every two years. The training must cover state and federal law on PHI as it relates to the employee’s duties, so generic HIPAA content alone does not satisfy it. Each employee must sign a statement verifying attendance, and the covered entity must keep that statement; missing training records are a standalone compliance deficiency under HB 300.
Consent Rules for Marketing Uses of PHI
HIPAA permits certain marketing communications using PHI only with the patient’s authorization. HB 300 adds its own requirement in §181.152: a covered entity may not use or disclose PHI for marketing without the individual’s consent, documented in writing or electronically, on top of HIPAA’s authorization. Note the boundary: routine appointment reminders and other treatment communications are not marketing under HIPAA, but promotional content sent through the same third-party messaging platform can be. Texas providers that use PHI for marketing should verify that their consent forms meet HB 300’s rules and that the vendors handling that PHI are themselves HB 300 covered entities.
Texas Breach Notice Rules
SB 768 (2023): 30-Day AG Notice for Breaches Affecting 250+ Texans
Effective September 1, 2023, SB 768 amended Business and Commerce Code §521.053 to require notice to the Texas Attorney General as soon as practicable and not later than 30 days after determining that a breach occurred, if at least 250 Texas residents are affected. This runs concurrently with, and is stricter than, HIPAA’s 60-day outer limit. For breaches affecting fewer than 250 Texans, the AG notice is not required, but individual notice to affected residents must still go out without unreasonable delay and, in every case, not later than the 60th day after the breach is determined.
Notice to Patients
Texas requires notice to each affected resident. Notice may be written, or electronic if the person agreed to receive electronic messages. Substitute notice (a conspicuous website post plus notice to major statewide media) is allowed only when the cost of direct notice would exceed $250,000, more than 500,000 people are affected, or the entity lacks sufficient contact information. If more than 10,000 people are notified at one time, §521.053 also requires notice to the consumer reporting agencies without unreasonable delay. The notice content is similar to HIPAA’s, but it must satisfy §521.053 as well.
Coordinating Federal HIPAA and Texas Timelines
For any breach that affects 250 or more Texas residents, the governing deadline is 30 days: the Texas AG notice, not HIPAA’s 60-day limit, sets the pace. Covered entities should record the discovery date (HIPAA’s clock) and the determination date (Texas’s clock) and, if they differ, treat the earlier one as day zero. Send the AG notice by day 30. Send individual notices no later than day 60, which is the outer limit under both the HIPAA Breach Notification Rule and §521.053. If 500 or more individuals are affected, HHS must also be notified within that same 60-day window; smaller breaches go in the annual log to HHS. Breach response plans must state both clocks explicitly.
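The two clocks above are easy to get wrong under incident pressure, so a breach-response runbook benefits from a small deadline calculator. The following is an added example written for this article, not statutory text or any tool named on the page. It encodes the Texas thresholds stated here (250 Texans for AG notice, 60-day individual notice, the >10,000-person consumer-reporting-agency notice) plus the federal HHS and media-notice rules from the HIPAA Breach Notification Rule. Assumptions, also marked in the code: a single date serves as both HIPAA “discovery” and Texas “determination”; residents of other states are ignored for state-law purposes; the `Breach` and `Obligation` types and the sample incident are constructed for illustration.

```python
"""Breach-notice deadline calculator for a Texas covered entity.

Added illustration, not part of any statute or the page's own tooling.
Assumptions (see lead-in): one discovery date drives both the HIPAA
"discovery" clock and the Texas "determination" clock; non-Texas residents
are not modelled for state law; all counts are calendar days.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds and clocks as stated in the article (Texas) and in the HIPAA
# Breach Notification Rule (federal).
HIPAA_OUTER_DAYS = 60            # individual, HHS (500+) and media notice
HIPAA_HHS_IMMEDIATE_MIN = 500    # below this, HHS gets an annual log entry
HIPAA_MEDIA_STATE_MIN = 501      # media notice when >500 residents of one state
TX_INDIVIDUAL_DAYS = 60          # Bus. & Com. Code 521.053 outer limit
TX_AG_MIN = 250                  # SB 768: AG notice trigger
TX_AG_DAYS = 30
TX_CRA_MIN = 10_001              # 521.053: >10,000 persons -> notify CRAs


@dataclass(frozen=True)
class Breach:                    # constructed type for this example
    discovered: date
    total_affected: int
    texas_residents: int


@dataclass(frozen=True)
class Obligation:                # constructed type for this example
    regime: str
    recipient: str
    deadline: Optional[date]     # None = "without unreasonable delay", no fixed day
    basis: str


def breach_obligations(b: Breach) -> list[Obligation]:
    """Return every notice the breach triggers, earliest fixed deadline first."""
    if b.total_affected < 0 or b.texas_residents < 0 or b.texas_residents > b.total_affected:
        raise ValueError("texas_residents must be between 0 and total_affected")
    out: list[Obligation] = []
    hipaa_outer = b.discovered + timedelta(days=HIPAA_OUTER_DAYS)

    # Federal: individuals always; HHS within 60 days at 500+, otherwise in
    # the annual log due 60 days after the end of the calendar year.
    out.append(Obligation("HIPAA", "affected individuals", hipaa_outer,
                          "45 CFR 164.404: no later than 60 days after discovery"))
    if b.total_affected >= HIPAA_HHS_IMMEDIATE_MIN:
        out.append(Obligation("HIPAA", "HHS OCR", hipaa_outer,
                              "45 CFR 164.408: 500+ individuals, same 60-day clock"))
    else:
        year_end = date(b.discovered.year, 12, 31)
        out.append(Obligation("HIPAA", "HHS OCR (annual log)",
                              year_end + timedelta(days=HIPAA_OUTER_DAYS),
                              "45 CFR 164.408: <500, within 60 days of year end"))
    if b.texas_residents >= HIPAA_MEDIA_STATE_MIN:
        out.append(Obligation("HIPAA", "prominent Texas media", hipaa_outer,
                              "45 CFR 164.406: >500 residents of one state"))

    # Texas: only when Texas residents are affected.
    if b.texas_residents > 0:
        out.append(Obligation("Texas", "affected Texas residents",
                              b.discovered + timedelta(days=TX_INDIVIDUAL_DAYS),
                              "Bus. & Com. Code 521.053: not later than day 60"))
    if b.texas_residents >= TX_AG_MIN:
        out.append(Obligation("Texas", "Texas Attorney General",
                              b.discovered + timedelta(days=TX_AG_DAYS),
                              "SB 768 / 521.053: 250+ Texans, not later than day 30"))
    if b.texas_residents >= TX_CRA_MIN:
        out.append(Obligation("Texas", "consumer reporting agencies", None,
                              "521.053: >10,000 persons notified at one time"))

    # Fixed deadlines first (soonest first); open-ended obligations last.
    return sorted(out, key=lambda o: (o.deadline is None, o.deadline or date.max))


def first_deadline(b: Breach) -> date:
    """The date that governs the response plan: the earliest fixed deadline."""
    earliest = breach_obligations(b)[0].deadline
    assert earliest is not None  # HIPAA individual notice always has a date
    return earliest


if __name__ == "__main__":
    # Constructed sample incident: EHR vendor breach found 3 March 2025,
    # 1,200 patients affected, 900 of them Texas residents.
    incident = Breach(date(2025, 3, 3), total_affected=1200, texas_residents=900)
    for o in breach_obligations(incident):
        when = o.deadline.isoformat() if o.deadline else "without unreasonable delay"
        print(f"{when:28} {o.regime:5} -> {o.recipient}: {o.basis}")
```

For the sample incident the first line printed is the AG notice due 2025-04-02, with every other fixed deadline on 2025-05-02; a breach of 100 Texans instead yields no AG line and an HHS annual-log entry due 2026-03-01. The point of sorting by deadline is that the runbook reads top-down in the order the work must actually happen.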
SB 1188 (2025): What Texas Healthcare Providers Must Know
Health Data Security Rules
Chapter 183 of the Texas Health and Safety Code was created by SB 1188. It requires covered organizations to create and keep a written security program. The law does not list every technical control. The program must be risk-based, reviewed often, and able to detect and respond to security incidents. Organizations that already follow the HIPAA Security Rule have a strong base. They still need to document the program under Chapter 183.
Ban on Overseas Data Storage
SB 1188 prohibits storing identifiable health data on servers physically located outside the United States unless the patient provides explicit written consent for overseas storage. This has immediate implications for cloud vendors, EHR platforms, and backup providers that use overseas data centers, and it applies to replicas and disaster-recovery copies as much as to primary storage. Texas healthcare groups should review their vendor agreements and data processing addenda to confirm where every copy of the data resides, and obtain or update patient consent forms for any data that remains overseas.
AI Deployment Restrictions in Healthcare
When AI is used in clinical decisions, SB 1188 requires notice to patients. This includes diagnostic support tools, treatment recommendation tools, and risk scoring tools. The notice must explain that AI is being used. It should also explain how AI supports the clinical process. Groups using AI tools should update privacy notices and patient intake forms before the tools go live.
Texas HIPAA Penalties and Enforcement
HB 300 Penalty Structure (Up to $250,000 Per Violation)
HB 300 establishes a separate state penalty structure for violations of Chapter 181 (§181.201). Civil penalties run up to $5,000 per negligent violation, up to $25,000 per violation committed knowingly or intentionally, and up to $250,000 per violation in which PHI is knowingly or intentionally used for financial gain. Where a court finds that violations occur often enough to constitute a pattern or practice, penalties are capped at $1.5 million per year. These penalties are imposed through actions brought by the Texas Attorney General and are entirely separate from federal HIPAA civil monetary penalties imposed by HHS OCR.
Federal OCR Enforcement in Texas
HHS Office for Civil Rights investigates HIPAA complaints and conducts compliance audits in Texas the same as in any other state. Federal HIPAA civil monetary penalties are tiered by culpability, from a statutory base of $100 to $50,000 per violation, with an annual cap per violation category that is adjusted each year for inflation ($1,993,964 under the 2023 adjustment). Texas providers may face two reviews after a breach: OCR at the federal level and the AG at the state level. Each can lead to separate penalties.
Texas AG Enforcement Authority
The Texas Attorney General has legal power to investigate and enforce violations of HB 300 (Chapter 181), the breach notice rules under Chapter 521, and, effective Sept. 1, 2025, Chapter 183 (SB 1188). The AG’s Consumer Protection Division handles health data privacy enforcement. The AG may seek civil penalties, injunctions, and restitution. Unlike HHS OCR, the Texas AG does not have a formal resolution agreement program, so enforcement actions are more likely to end in litigation or court-enforceable consent orders.
HIPAA Compliance for Texas Healthcare Providers
Texas Hospitals and Health Systems
Large health systems operating across multiple Texas regions must ensure that their programs address HB 300’s training rules at the system level—tracking two-year refresher cycles across all workforce members. Their breach response plans must incorporate the 30-day AG notice trigger, and any AI-assisted clinical tools deployed system-wide must have SB 1188 notices embedded in patient-facing materials.
Texas Dental Practices
Dental practices are HIPAA covered entities and HB 300 covered entities. The 15-business-day patient record access timeline applies to written requests for electronic dental records. Dental practices using third-party billing companies, patient communication platforms, or imaging vendors must ensure those vendors have signed BAAs (HIPAA) and that those vendors independently comply with HB 300 as covered entities in their own right, not merely as business associates.
Texas Community Health Centers and FQHCs
Federally Qualified Health Centers in Texas receive federal funding and are subject to both HIPAA and HB 300. FQHCs serving low-income populations often use multiple EHR systems and state HIE connections—each a potential HB 300 compliance touchpoint. FQHCs should confirm that HIE agreements cover federal and Texas privacy rules. Workforce training should also cover HB 300.
Texas Telehealth Providers
Telehealth platforms operating in Texas must comply with HB 300 regardless of where the platform company is incorporated. If the platform handles PHI of Texas residents, it is a covered entity under HB 300. Overseas data storage restrictions under SB 1188 are particularly relevant to telehealth platforms that use cloud infrastructure with overseas nodes, including video recording buffers, transcripts, and backups. Platform operators should audit their cloud architecture and vendor agreements before the September 1, 2025 effective date.
Texas HIPAA Compliance Checklist
- Confirm your group meets HB 300’s broad covered entity definition (not just HIPAA’s)
- Update patient record access workflows to meet the 15-business-day HB 300 timeline for electronic records
- Use a two-year HB 300 training cycle with hire-date tracking for all workforce members
- Review and update BAAs—confirm all vendors are independently HB 300-compliant
- Update breach response plan to trigger Texas AG notice at 30 days for 250+ person breaches
- Audit cloud and vendor infrastructure for overseas data storage; obtain patient consent or migrate data
- Identify all AI tools used in clinical workflows and prepare SB 1188 patient notices
- Use a documented information security program under Chapter 183 (SB 1188)
- Review marketing use of PHI against HB 300’s stricter consent rules
- Ensure mental health records are handled under both HIPAA and Texas Health and Safety Code Chapter 611
Frequently Asked Questions
Does Texas have its own HIPAA law?
Texas has the Medical Records Privacy Act (HB 300, codified in Chapter 181 of the Texas Health and Safety Code), which is stricter than federal HIPAA in several areas. HB 300 covers a broader range of entities than HIPAA, requires electronic record access within 15 business days of a written request (vs. HIPAA’s 30 calendar days), mandates training every two years, and imposes separate civil penalties of up to $250,000 per violation for knowing or intentional misuse of PHI for financial gain.
What is SB 1188 and what does it require Texas healthcare providers to do?
SB 1188 takes effect on September 1, 2025. It requires a written security program for health data. It also bars overseas storage of identifiable health data unless the patient gives written consent. If AI is used in clinical decisions or treatment advice, patients must be told.
How quickly must Texas providers notify patients and the government of a data breach?
The HIPAA Breach Notification Rule requires individual notice within 60 days of discovery, and Texas Business and Commerce Code §521.053 sets the same 60-day outer limit for notice to affected Texas residents. For breaches affecting 250 or more Texas residents, SB 768 (2023) additionally requires notice to the Texas Attorney General within 30 days of determining the breach. Always apply the most protective timeline: for mid-to-large breaches in Texas, that means 30 days for AG notice and 60 days for individual notice.
Who enforces HB 300 in Texas?
The Texas Attorney General has statutory enforcement authority over HB 300 (Chapter 181), the breach notice law (Chapter 521), and SB 1188 (Chapter 183). The AG can seek civil penalties of up to $25,000 per knowing or intentional violation, rising to $250,000 per violation where PHI is used for financial gain, plus injunctions. Federal HIPAA remains enforced by HHS OCR, creating dual enforcement exposure for Texas providers.
What are the penalties for HIPAA and HB 300 violations in Texas?
Texas healthcare providers face dual penalty exposure. Federal HIPAA civil monetary penalties range up to an inflation-adjusted annual cap per violation category ($1,993,964 under the 2023 adjustment). Texas HB 300 adds state-level penalties of up to $5,000 per negligent violation, $25,000 per knowing or intentional violation, and $250,000 per violation involving financial gain, with an annual cap of $1.5 million for a pattern or practice of noncompliance. Both HHS OCR and the Texas Attorney General have independent enforcement authority.
Does HB 300 apply to business associates and technology vendors?
Yes. Federal HIPAA reaches business associates directly and reaches other vendors not at all; HB 300 makes any entity that assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI a covered entity with its own compliance obligations. Health IT vendors, data analytics firms, and app developers handling Texas resident PHI must therefore comply with HB 300 on their own, whether or not they are business associates under HIPAA, and not only through contractual delegation.
Conclusion
Texas is one of the strictest states for health privacy compliance. Texas adds more than base HIPAA. HB 300 covers more groups. Patients get faster record access. Staff need training every two years. SB 1188 adds security program, overseas storage, and AI notice rules. One Guy Consulting helps Texas healthcare groups meet both federal HIPAA and Texas law. Book a consultation to assess your current posture.
Sources
- Texas HHS: HIPAA and Privacy Laws
- Texas Health and Safety Code Chapter 181 (HB 300)
- HIPAA Journal: HIPAA Laws in Texas
- Compliancy Group: Texas Medical Privacy and Identity Theft Protection Acts
- HHS: HIPAA for Professionals
Related Reading: Florida HIPAA Rules · Illinois HIPAA Rules · HIPAA Breach Notice Rule Compliance