When a Texas-based hospital system was fined by the state attorney general for failing to train its workforce on state-specific privacy requirements, the organization's leadership was stunned. They had robust HIPAA policies in place. They conducted annual risk analyses. But they had overlooked a critical layer: HB 300 Texas, a state law that imposes privacy obligations that go well beyond what federal HIPAA rules require. If your organization operates in Texas, understanding HB 300 is not optional — it is a compliance imperative.

What HB 300 Texas Actually Requires

House Bill 300, signed into law in 2011, amended the Texas Health and Safety Code and the Texas Business and Commerce Code to create one of the most aggressive state-level health privacy frameworks in the country. While HIPAA's Privacy Rule (45 CFR Part 164, Subpart E) establishes a federal baseline for protecting protected health information, HB 300 Texas layers additional requirements on top of that baseline.

Here are the key provisions your organization must address:

  • Mandatory employee training: All employees of covered entities and any person who may access, handle, or use PHI must complete privacy training within 60 days of hire — and at least every two years thereafter. This is more prescriptive than the HIPAA workforce training requirement under 45 CFR §164.530(b), which does not specify a recurring schedule.
  • Stricter authorization requirements: HB 300 requires written authorization before a covered entity can use or disclose PHI for marketing purposes. The authorization must be in a specific format with clearly defined elements, going beyond HIPAA's authorization provisions.
  • Consumer access to electronic health records: Covered entities must provide patients access to their electronic health records within a specified timeframe and format, reinforcing the access rights established under the HIPAA Privacy Rule but with Texas-specific enforcement teeth.
  • Penalties enforced by the Texas Attorney General: Civil penalties range from $5,000 to $250,000 per violation, depending on the nature of the violation. The Texas AG has independent authority to investigate and prosecute, separate from OCR enforcement at the federal level.

How HB 300 Texas Differs from Federal HIPAA Rules

Healthcare organizations consistently struggle with the relationship between state and federal privacy law. Under HIPAA's preemption analysis (45 CFR §160.203), state laws that are "more stringent" than HIPAA are not preempted — they survive and must be followed alongside federal requirements. HB 300 is a textbook example of a more stringent state law.

Consider the training requirement alone. HIPAA requires covered entities to train their workforce on privacy policies and procedures, but it does not mandate a specific training interval. HB 300 requires training every two years, and the training must specifically cover state law — not just federal HIPAA regulations. This means a generic HIPAA training course, standing alone, will not satisfy the Texas requirement.

The minimum necessary standard under HIPAA limits the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose. HB 300 reinforces this concept and extends certain restrictions to entities that may not qualify as covered entities or business associates under federal law, such as certain employers and educational institutions handling health data.

The Training Requirement Most Texas Organizations Underestimate

In my work with covered entities across Texas, the most common compliance gap I encounter is training. Organizations assume their annual HIPAA awareness training checks the HB 300 box. It does not.

Texas law requires that training cover both state and federal privacy requirements. Your workforce — from front desk staff to IT administrators to business associates — must understand how HB 300 modifies or adds to the HIPAA framework. Failing to document this training with specificity is a liability.

This is where investing in comprehensive HIPAA training and certification that accounts for state-specific requirements becomes essential. Training programs that address only the federal Privacy Rule and Security Rule leave your Texas-based organization exposed to state enforcement actions.

Business Associates Are Not Exempt Under HB 300

A common misconception is that HB 300 applies only to healthcare providers. In reality, the law applies to covered entities, business associates, and any other person who creates, receives, maintains, or transmits protected health information in Texas. This mirrors the expanded scope of HIPAA's Omnibus Rule, which extended direct liability to business associates in 2013.

If your organization shares PHI with third-party vendors, billing companies, IT service providers, or cloud hosting platforms, those entities must also comply with HB 300's training and privacy requirements. Your business associate agreements should reflect both federal and Texas-specific obligations.

Enforcement Is Active — and Separate from OCR

OCR enforcement at the federal level captures headlines, but the Texas Attorney General's office has its own investigative authority and has used it. Texas has pursued enforcement actions independent of the HHS Office for Civil Rights, meaning your organization can face state penalties even if OCR has not opened a federal investigation.

Penalties under HB 300 can reach $250,000 per violation for intentional or knowing breaches. When combined with potential HIPAA penalties — which range from $100 to $50,000 per violation under the tiered structure established by the HITECH Act — the financial exposure for a Texas organization that neglects state compliance is significant.

Steps to Align Your Organization with HB 300 and HIPAA

If your covered entity operates in Texas, take these steps immediately:

  • Conduct a gap analysis comparing your current HIPAA compliance program against HB 300 requirements. Pay special attention to training intervals, authorization forms, and breach notification procedures.
  • Update your Notice of Privacy Practices to reflect Texas-specific patient rights and your organization's obligations under state law.
  • Implement a training program that covers both federal HIPAA regulations and HB 300. Ensure all workforce members complete training within 60 days of hire and every two years thereafter. A robust platform like HIPAA Certify's workforce compliance program can help you document and track completion across your entire organization.
  • Review and update business associate agreements to include Texas-specific compliance obligations.
  • Document everything. Texas regulators, like OCR, expect to see evidence of compliance — not just policies on paper, but records of training completion, risk analyses, and corrective actions.

Federal Compliance Alone Is Not Enough in Texas

HB 300 Texas represents a clear message from state legislators: the federal HIPAA framework is a floor, not a ceiling. Organizations that treat HIPAA compliance as their only obligation are operating with a dangerous blind spot.

The intersection of state and federal privacy law is exactly where HIPAA violations and state enforcement actions originate. Your organization's compliance program must address both layers — and your workforce must be trained to understand the difference. Texas gives you no room for ambiguity on this point.