Medical couriers operating in Texas carry a dual compliance burden that goes beyond the federal HIPAA framework. This is because the Texas Health and Safety Code Chapter 181 relating to the privacy of medical records – sometimes referred to as HB 300 – designates any individual or organization that handles Protected Health Information in Texas as a Covered Entity, regardless of whether that organization qualifies as a covered entity or Business Associate under federal HIPAA definitions.
This means that a medical courier operating in Texas is simultaneously a HIPAA Business Associate under federal law and a Covered Entity under Texas state law, and must satisfy the compliance obligations imposed by both frameworks. HB 300 extends the definition of a covered entity beyond the federal scope, applying Texas privacy protections to any person or organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits Protected Health Information in connection with a business, including medical courier services that transport PHI between healthcare facilities across the state.
The penalties for violations of HB 300 are assessed independently of federal HIPAA penalties, meaning that a Texas medical courier that fails to meet state requirements faces regulatory exposure on two fronts simultaneously. Annual HIPAA training is the accepted industry best practice, and in Texas that training must address both the federal HIPAA framework and the additional obligations imposed by HB 300 on any individual or organization handling PHI within the state.
What HB 300 Requires Beyond Federal HIPAA
HB 300 imposes training requirements that go further than the federal HIPAA mandate. Under HB 300, covered entities, which in Texas includes medical couriers, must provide privacy training to employees who have access to PHI, and that training must specifically address the requirements of Texas law in addition to federal HIPAA standards. The Texas Attorney General has enforcement authority over HB 300 violations and can impose civil penalties independently of any action taken by HHS’ Office for Civil Rights at the federal level. A medical courier in Texas that provides HIPAA training without a Texas-specific module addressing HB 300 requirements does not satisfy the full scope of the state training obligation.
The HIPAA Journal’s HIPAA Certification for Medical Couriers is an online course satisfying HIPAA training requirements regarding HIPAA rules and regulations medical courers, and includes an optional Texas-specific module addressing HB 300 requirements at no additional cost. This makes it suitable for medical courier organizations and individual couriers who must satisfy both federal and Texas state compliance obligations.
Certification Benefits for Texas Medical Couriers
For an individual medical courier working in Texas, holding certification that covers both federal HIPAA requirements and HB 300 obligations provides documented evidence of compliance with the full scope of applicable law, which covered entity clients in Texas require from their Business Associate partners as a condition of the vendor relationship. Certification protects the individual courier in the event of a state or federal investigation by establishing a record that training on the applicable standards was completed before any incident occurred. Organizations that maintain current certified training records across their Texas courier workforce are better positioned commercially and regulatorily than those whose training documentation does not reflect the state-specific requirements that apply to their operations.
