Does Your HB 300 Training Cover All Texas Medical Privacy Obligations?

HB 300 training alone does not cover all Texas medical privacy obligations. The Texas legislature has enacted several additional laws that impose separate compliance requirements on healthcare organizations, and on their workforces, operating in the state. A training program that addresses only House Bill 300 and the Texas Medical Records Privacy Act leaves employees without instruction on the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, SB1188 on AI and electronic health records, and the Texas Medical Practice Act. Texas state law sits on top of federal law rather than replacing it: HIPAA and every applicable Texas statute apply simultaneously to organizations conducting healthcare operations in the state. Where a Texas law sets a stricter standard than HIPAA on a given point, the Texas standard must be followed; where HIPAA is stricter, HIPAA governs. Every provision of both frameworks must be satisfied, and a training program that addresses only one layer of that combined obligation leaves compliance gaps that neither framework permits.

What HB 300 Training Covers and Where It Stops

HB 300 training addresses the Texas Medical Records Privacy Act as amended by House Bill 300. HB 300 extended patient privacy protections in Texas beyond the HIPAA baseline by broadening the definition of covered entities under state law, strengthening patient rights over medical records, requiring privacy training for employees who access protected health information, and increasing the civil penalties for violations enforced by the Texas Attorney General. That is a substantial compliance scope, and HB 300 training forms the foundation of any Texas-specific medical privacy program. Its limitation is that HB 300 addresses patient privacy in the traditional medical records context. It does not address identity theft protections, consumer data privacy rights, the governance of artificial intelligence tools used in healthcare settings, or the conduct standards that apply to licensed clinical practitioners under Texas law. Each of those areas is covered by a separate Texas statute with its own compliance and training implications.

The Texas Laws Your Training Must Also Address

The Texas Identity Theft Enforcement and Protection Act imposes obligations on organizations that handle sensitive personal information, including medical data. It requires reasonable security procedures for that information and notification of affected individuals after a breach, and those requirements operate alongside the medical privacy protections of HB 300. Employees whose roles involve patient data need to understand both frameworks, because a single security incident involving protected health information can trigger obligations under both laws at once.

The Texas Data Privacy and Security Act establishes consumer privacy rights and organizational obligations that reach into the healthcare context, particularly for organizations that process personal data of Texas residents falling outside what HIPAA already regulates as protected health information. Its requirements on data handling, consumer rights, and organizational accountability interact with HIPAA and HB 300, and they affect how employees manage patient and consumer information across the organization’s systems and workflows.

The Texas Responsible AI Governance Act and SB1188, which specifically regulates the use of artificial intelligence in connection with electronic health records, address the growing deployment of automated and AI-assisted tools in clinical and administrative healthcare settings. As generative AI tools, clinical decision support systems, and automated documentation platforms become more common in Texas healthcare organizations, employees using those tools need instruction on the governance requirements and restrictions that apply under state law, not only under the general HIPAA Security Rule framework.

The Texas Medical Practice Act establishes standards for physicians and clinical practitioners that carry direct implications for patient privacy, records management, and disclosure conduct. Clinical staff operating under the Texas Medical Practice Act carry obligations that go beyond the general workforce training requirements of HIPAA and HB 300, and those obligations must be addressed in training programs that reach clinical employees.

Federal and State Law Apply Together, Not Alternatively

A common compliance error in Texas healthcare organizations is treating HB 300 training as a substitute for HIPAA training or treating HIPAA training as sufficient for Texas compliance. Neither position is correct. Federal HIPAA training addresses the Privacy Rule, Security Rule, and Breach Notification Rule obligations that apply nationwide. HB 300 and the other Texas statutes address obligations that apply additionally within the state. An employee who completes only HIPAA training does not understand the Texas-specific requirements their role carries. An employee who completes only HB 300 training has not received the foundational federal HIPAA instruction the Privacy Rule and Security Rule require. Both programs are required, and both must be kept current as federal and state law develop independently of each other.

Annual Training as Industry Best Practice for Texas Healthcare Organizations

Annual training is industry best practice for Texas healthcare workforces because the state’s legislative activity in healthcare privacy, data security, and AI governance has produced new obligations in recent years that did not exist when many organizations last reviewed their training programs. A Texas healthcare organization whose training covers only HB 300 as it was enacted in 2011 does not reflect the current state of Texas medical privacy law, which now includes data privacy, AI governance, and electronic health record regulations that require specific workforce instruction. Annual training gives organizations the opportunity to refresh workforce knowledge across the full scope of applicable Texas laws alongside the federal HIPAA framework, address any legislative changes from the prior year, and produce dated completion records for each employee. The HIPAA Journal’s HIPAA Training for Employees includes an optional Texas Medical Privacy Laws module that covers HB 300 and all five additional Texas statutes that apply to healthcare workforces, integrated with the mandatory federal HIPAA training so employees satisfy both sets of obligations through a single structured program.

Author: PJ Murray

PJ Murray founded and is the publisher of The HIPAA Journal. He is committed to advancing the publication’s goal of promoting HIPAA compliance and safeguarding patient privacy by helping organizations and their employees better understand the regulations, as well as the importance of securing patient information and maintaining data security. PJ has experience in software development, has earned an engineering degree, and specialises in the cybersecurity aspects of protecting medical records and training healthcare staff on HIPAA.