
General Overview

The Texas Legislature passed House Bill 300 (HB 300) during its 82nd regular session, amending the Texas Medical Practice Act and other state privacy laws to provide greater protection for individuals’ sensitive personal information and to impose more stringent compliance requirements than HIPAA, HITECH and other federal privacy laws. In particular, HB 300:

  • Incorporates and expands application of the HIPAA Privacy and Security Rules and HITECH provisions.
  • Broadens the scope of the rules to include entities that would not otherwise be considered “covered entities” or “business associates” under federal law.
  • Imposes breach notification requirements on a larger class of entities and for information that would not be considered “protected health information” (PHI) under existing federal law.
  • Requires all “covered entities” to provide all employees with training regarding both federal and state privacy requirements.
  • Provides for consumer access to electronic health care records (EHR) in a shorter time period than that required by HIPAA.
  • Permits the Executive Commissioner of the Texas Health and Human Services Commission to recommend a standard electronic format for release of EHR.
  • Mandates new notice and authorization requirements for electronic disclosure of PHI.
  • Increases civil penalties and makes licensees subject to investigation and discipline by state licensing agencies.
  • Creates new areas of state agency regulation, audit and enforcement.

As this law is already in effect, it is important to (1) update your privacy and security policies and procedures, (2) provide training to all employees that meets both state and federal requirements and is specific to each employee’s scope of employment, and (3) make sure that you have an updated Notice of Privacy Practices, a Notice of Electronic Disclosure, an Authorization for Electronic Disclosure form and other compliance documentation in place. To ensure that you are in compliance, you should contact your attorney and persons knowledgeable in the area of federal and state privacy law.



Training Required
Covered Entities must provide training to every employee regarding federal and state privacy and security laws concerning the use and disclosure of Sensitive Personal Information (“SPI”), including Protected Health Information (“PHI”). The training must be specific to the Covered Entity’s course of business and the employee’s scope of employment. Covered Entities must provide training within sixty (60) days of an employee’s hire date, and all employees must receive training every two (2) years. Covered Entity employees are required to sign a statement verifying attendance at the training, and the Covered Entity must maintain a record of the signed statements within its privacy law compliance documentation.
