Skip to main content

New Texas Electronic Health Record Law Exceeds HIPAA Requirements

Written by Dianne Bourque

Texas covered entities (health care providers, health insurers and clearinghouses) and other entities that use and disclose PHI of Texas residents using electronic health records (EHRs) face new risks and stringent requirements under HB300, a new Texas privacy law. 

The new law, which is effective September 1, 2012, is more stringent than HIPAA, and imposes a variety of new requirements on Texas covered entities and others.  Highlights include the following:

  • Covered entities must provide patients with electronic access to their EHRs within 15 business days of a written request
  • Initial HIPAA training must be provided to an entity’s entire workforce and repeated at least once very two years.
  • Covered entities will have to provide notice to, and obtain authorization from, patients of electronic disclosures of their PHI, except for treatment, payment or health care operations uses. 
  • The Texas Attorney General may request the Department of Health and Human Services to audit a covered entity for HIPAA compliance
  • Any business – not just a covered entity -  that conducts business in Texas involving PHI must provide notification to Texas residents in the event of breach
  • Any business failing to make required breach notifications risks penalties up to $250,000 for a single breach
  • Any individual who accesses, reads, scans, stores or transfers PHI electronically and without authorization may be charged with a felony under Texas law.

More information about the new law is here.


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.