HB 300 Is Not the Only Texas Medical Privacy Law Your Staff Need Training On

Texas healthcare workforces need training on HB 300 and the Texas Medical Records Privacy Act, but five additional Texas statutes impose compliance obligations that healthcare employees operating in the state must also understand. A training program that addresses only HB 300 leaves staff without instruction on the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, SB1188 on artificial intelligence and electronic health records, and the Texas Medical Practice Act. Texas state law adds requirements on top of federal HIPAA rather than replacing it, and every Texas healthcare organization must satisfy both the federal HIPAA framework and the full scope of applicable Texas statutes simultaneously. Where a Texas law sets a stricter standard than HIPAA, the Texas standard must be followed. Where HIPAA sets a stricter standard, the federal rule applies. Every provision of both the state and federal frameworks carries a compliance obligation, and a workforce trained on only one layer of that structure cannot apply the complete set of rules their role requires.

Why Multiple Texas Laws Govern Healthcare Privacy

The Texas legislature has addressed medical privacy, data security, identity protection, and artificial intelligence governance through separate statutes that each target a distinct area of risk. HB 300 addressed the gap between the federal HIPAA covered entity definition and the broader range of Texas organizations that handle medical records, and strengthened patient rights beyond the federal baseline. But the legislative concerns that produced HB 300 did not disappear after its passage. Identity theft involving medical records, consumer data privacy, the security of health data held outside traditional healthcare settings, and more recently the use of AI tools in clinical and administrative workflows each produced additional legislative responses. The result is a layered body of Texas law that applies to healthcare organizations not as a single unified code but as a collection of statutes that each carry independent compliance and training requirements. An organization that trains on HB 300 alone has addressed one statute in a framework of six.

The Texas Identity Theft Enforcement and Protection Act

The Texas Identity Theft Enforcement and Protection Act governs the handling of sensitive personal information and imposes security and notification obligations on organizations that experience a breach of that information. Medical records qualify as sensitive personal information under the Act, which means healthcare organizations face notification and security requirements under this statute that operate alongside and independently of the HIPAA Breach Notification Rule. Staff whose roles involve the security of patient data, the management of breach incidents, or the handling of records systems need instruction on both the federal breach framework and the obligations this Texas statute adds. A breach affecting patient records in Texas can trigger notification obligations under both frameworks simultaneously, and the timelines and recipients may differ between them.

The Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act establishes consumer privacy rights and organizational obligations for entities that process personal data of Texas residents. Healthcare organizations that process patient data outside the specific contexts covered by HIPAA and HB 300, including through marketing platforms, consumer-facing digital tools, patient engagement applications, and third-party analytics services, may carry obligations under the Act that their HIPAA and HB 300 training does not address. Staff who manage data processing activities, vendor relationships, or patient-facing digital services need instruction on the Act’s requirements for data handling, consumer rights, and organizational accountability so they understand which privacy framework applies in each operational context they encounter.

The Texas Responsible AI Governance Act and SB1188

The Texas Responsible AI Governance Act and SB1188, which specifically governs the use of artificial intelligence in connection with electronic health records, address the compliance obligations that arise when healthcare organizations use AI-assisted tools in clinical documentation, clinical decision support, administrative automation, and patient communications. As AI tools become more widely deployed across Texas healthcare organizations, the workforce members who use those tools need to understand the governance requirements and conduct restrictions that Texas law imposes on their use. Federal HIPAA does not address AI governance directly, and HB 300 predates the legislative response to AI in healthcare. These two statutes fill that gap under Texas law and create training obligations for staff at any Texas healthcare organization that has adopted AI tools in its operations.

The Texas Medical Practice Act

The Texas Medical Practice Act establishes standards for licensed physicians and clinical practitioners in Texas that carry direct implications for patient privacy, records access, disclosure conduct, and records management. Clinical staff at Texas medical practices, hospitals, and specialty clinics operate under obligations that arise from the Medical Practice Act independently of what HIPAA and HB 300 require. Training programs for clinical staff at Texas healthcare organizations must address those practitioner-specific obligations so that clinical employees understand the full scope of the legal standards that govern their handling of patient records and their conduct in clinical settings.

Training That Addresses the Full Texas Statutory Framework

Annual training is industry best practice for Texas healthcare organizations because the state’s legislative activity continues to add and refine obligations that affect the content employees need to understand from year to year. A training program that addressed all six Texas statutes two years ago may not reflect changes enacted since then, and annual training ensures the workforce receives current instruction across the complete statutory framework. The HIPAA Journal’s HIPAA Training for Employees includes an optional Texas Medical Privacy Laws module that covers HB 300 alongside the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, SB1188, and the Texas Medical Practice Act. That module is integrated with the mandatory federal HIPAA training course so Texas healthcare organizations can deliver instruction on the full scope of both federal and state obligations through a single structured annual program, with completion records documenting coverage across every applicable legal framework.

Author: PJ Murray

PJ Murray founded and is the publisher of The HIPAA Journal. He is committed to advancing the publication’s goal of promoting HIPAA compliance and safeguarding patient privacy by helping organizations and their employees better understand the regulations, as well as the importance of securing patient information and maintaining data security. PJ has experience in software development, has earned an engineering degree, and specialises in the cybersecurity aspects of protecting medical records and training healthcare staff on HIPAA.