When a major Texas health system paid $1.6 million in state penalties for unauthorized disclosures of protected health information, it wasn't a federal OCR enforcement action that drove the settlement — it was Texas HB300. Healthcare organizations operating in Texas face a compliance landscape that goes significantly beyond what federal HIPAA rules require, and failing to understand the difference puts your organization at serious financial and legal risk.
What Texas HB300 Requires That Federal HIPAA Does Not
Signed into law in 2011, Texas HB300 amended the Texas Health and Safety Code and the Texas Business and Commerce Code to impose stricter privacy protections for health-related information. While federal HIPAA applies to covered entities and their business associates, Texas HB300 casts a much wider net.
Under HB300, any entity that handles, stores, or transmits protected health information — not just traditional covered entities — must comply with Texas privacy standards. This includes employers, schools, and companies that would never meet the federal definition of a covered entity or business associate under 45 CFR Part 160.
The law also introduced requirements that have no direct federal equivalent:
- Mandatory employee training within 90 days of hire for any employee who may access or handle PHI, with refresher training required at least every two years.
- Consumer authorization requirements that exceed the HIPAA Privacy Rule's standards for use and disclosure of PHI, particularly for electronic health records.
- A private right of action allowing individuals to sue for unauthorized disclosure — a remedy that does not exist under federal HIPAA.
- Civil penalties up to $250,000 per violation, enforced by the Texas Attorney General, with no cap on aggregate penalties in cases of patterns or practices of violations.
Texas HB300 Training Requirements Your Workforce Must Meet
The training mandate under Texas HB300 is one of the most operationally demanding components for healthcare organizations. Federal HIPAA's Security Rule under 45 CFR § 164.308(a)(5) requires security awareness training, but it provides significant flexibility in how and when that training is delivered.
Texas HB300 is far more prescriptive. Every employee of a covered entity — and every employee of any organization that collects, handles, or has access to protected health information in Texas — must complete HIPAA-aligned privacy training within the first 90 days of employment. This isn't optional. The Texas Health and Human Services Commission sets the curriculum standards, and organizations must be able to document completion.
If your organization operates in Texas and hasn't built this into your onboarding process, you're already exposed. Investing in a structured HIPAA training and certification program that addresses both federal and Texas-specific requirements is the most direct way to close that gap.
How HB300 Interacts with Federal HIPAA Enforcement
A question I hear frequently from compliance officers: does meeting federal HIPAA requirements satisfy Texas HB300? The short answer is no.
HIPAA's preemption standard under 45 CFR § 160.203 provides that state laws that are "more stringent" than HIPAA are not preempted. Texas HB300 is explicitly more stringent in several areas — its broader definition of covered organizations, its training timelines, and its penalty structure all exceed federal minimums.
This means your organization must comply with both frameworks simultaneously. A compliant HIPAA risk analysis under the Security Rule does not excuse you from the separate obligations imposed by Texas state law. OCR enforcement and Texas Attorney General enforcement operate on parallel tracks, and a single breach can trigger investigations from both.
Penalties Under Texas HB300 That Exceed Federal HIPAA Fines
Federal HIPAA penalties under the Omnibus Rule follow a tiered structure, with maximum penalties of approximately $2.1 million per violation category per year (adjusted for inflation). In practice, Texas HB300 penalties can exceed this for organizations that aren't traditional HIPAA-covered entities.
The Texas Attorney General can pursue civil penalties of $5,000 to $250,000 per violation. In cases involving a pattern or practice of violations, there is no statutory cap. Combined with the private right of action — which allows individual patients to sue for actual damages, including mental anguish — a single unauthorized disclosure event in Texas can generate exposure that dwarfs what OCR would impose federally.
Between 2012 and 2023, the Texas Attorney General's office pursued multiple enforcement actions under HB300, targeting both healthcare providers and non-traditional entities like data brokers that handled health information without adequate safeguards.
Steps to Align Your Compliance Program with Texas HB300
If your organization touches PHI in Texas — even if you don't consider yourself a covered entity under federal law — you need to take specific action:
- Audit your workforce training program. Verify that every employee who accesses PHI completes compliant training within 90 days of hire and receives refresher training every two years. Document everything.
- Review your authorization forms. Texas HB300 requires more specific consumer authorizations than the HIPAA Privacy Rule's minimum standards. Your Notice of Privacy Practices and consent documents must reflect Texas law.
- Apply the minimum necessary standard aggressively. Both federal HIPAA and Texas HB300 require limiting PHI access and disclosure to the minimum necessary for the purpose. Texas enforcement has shown little tolerance for broad, uncontrolled access.
- Update your business associate agreements. Ensure your contracts with business associates explicitly address Texas HB300 obligations, not just federal HIPAA requirements.
- Conduct a state-specific risk analysis. Your federal HIPAA risk analysis should be supplemented with an assessment of Texas-specific regulatory exposure, including the broader categories of entities and data covered by HB300.
Building a compliance program that satisfies both federal and Texas requirements doesn't have to mean duplicating effort. A comprehensive workforce HIPAA compliance platform can centralize training documentation, track completion deadlines, and ensure your team understands both layers of obligation.
Why Texas HB300 Compliance Deserves Dedicated Attention
Healthcare organizations consistently underestimate state-level privacy laws, treating them as minor additions to federal HIPAA. In Texas, that assumption is dangerous. HB300's broader scope, stricter timelines, higher penalties, and private right of action create a compliance environment that demands specific, documented effort beyond what federal rules require.
If you operate in Texas, your compliance program must explicitly address Texas HB300 as a standalone regulatory obligation — not an afterthought buried in your federal HIPAA policies. The organizations that get this right build it into their training, their risk analysis, and their day-to-day privacy operations from the start.