What Does HB 300 Training for Employees Cover?

HB 300 training for healthcare employees in Texas covers the Texas Medical Records Privacy Act as amended by House Bill 300. HB 300 expanded HIPAA’s patient privacy protections by broadening the definition of covered entities under Texas law, strengthening patient rights over medical records, increasing civil penalties for violations, and imposing mandatory privacy training obligations on any person or organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits protected health information in connection with a business conducted in Texas. Texas law operates as an overlay on top of federal law, meaning that HIPAA and the Texas Medical Records Privacy Act both apply simultaneously to healthcare organizations and individuals operating in the state. Where the two frameworks address the same issue differently, the stricter standard governs, but this does not mean the less strict provision can be ignored. All requirements of both the federal and state frameworks must be satisfied, and a workforce trained only on federal HIPAA rules, without instruction on the additional obligations Texas law imposes, does not meet the full compliance standard the state requires.

How Texas Law Expands the Definition of a Covered Entity

One of the most operationally significant differences between HIPAA and the Texas Medical Records Privacy Act is the definition of who the law covers. Federal HIPAA applies to covered entities, which are healthcare providers that transmit health information electronically in covered transactions, health plans, and healthcare clearinghouses, and to business associates that handle protected health information on their behalf. The Texas Medical Records Privacy Act as amended by HB 300 defines a covered entity more broadly to include any person or organization that for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis engages in whole or in part in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. That broader definition means organizations that would not qualify as covered entities under federal HIPAA, including certain data analytics companies, healthcare vendors, and independent contractors handling medical records in Texas, may fall within the state’s regulatory scope. HB 300 training must address this distinction so employees understand whether their organization carries obligations that extend beyond the federal framework.

Patient Rights and Disclosure Standards Under Texas Law

HB 300 strengthened patient rights beyond the federal HIPAA baseline in several areas. Training must address how Texas law affects the organization’s obligations when patients request access to their records, request restrictions on disclosures, or seek an accounting of how their information has been shared. Texas law also imposes stricter standards on certain categories of sensitive health information. Employees whose roles involve disclosure decisions, records access requests, or patient communications must understand where the Texas standard exceeds the federal one and apply the more protective Texas rule in those situations. Training that covers only HIPAA’s disclosure framework without addressing the Texas overlay creates a compliance gap precisely in the scenarios where the stricter standard applies.

The Texas Training Mandate Under HB 300

HB 300 imposes a specific and independent training requirement on covered entities operating in Texas. The Texas Medical Records Privacy Act requires covered entities to provide privacy training to employees who have access to protected health information, and that training must address the requirements of Texas law in addition to federal HIPAA standards. The Texas Attorney General has enforcement authority over HB 300 violations and can assess civil penalties independently of any action taken by the federal Office for Civil Rights. A Texas healthcare organization that provides HIPAA training without including a Texas-specific component addressing HB 300 obligations does not satisfy the state’s training mandate, even if the federal training requirement is fully met. The two obligations coexist and must each be addressed.

Other Texas Laws Covered Alongside HB 300

The Texas medical privacy compliance landscape extends beyond HB 300 itself. Training for Texas healthcare employees must also address the Texas Identity Theft Enforcement and Protection Act, which imposes obligations related to the protection of sensitive personal information including medical data. The Texas Data Privacy and Security Act establishes consumer privacy rights and organizational obligations that intersect with healthcare data handling. The Texas Responsible AI Governance Act and SB1188, which regulates AI use in connection with electronic health records, address the growing role of automated tools in clinical and administrative workflows and impose governance requirements that apply in healthcare settings. The Texas Medical Practice Act establishes standards for physicians and clinical practitioners that carry privacy and records management implications. Employees operating in Texas need instruction on how each of these laws interacts with their role and with the federal HIPAA framework they already operate under.

Annual Training as Industry Best Practice for Texas Healthcare Staff

Annual HB 300 training is industry best practice for Texas healthcare organizations because the state’s regulatory environment changes alongside the federal one. Texas has legislated new requirements in areas including AI governance and data privacy that did not exist when HB 300 was originally passed, and that pattern of legislative development is likely to continue. A workforce trained on the Texas medical privacy framework as it existed two or three years ago may not be current on obligations that have since been added or amended. Annual training gives the organization a structured opportunity to refresh workforce knowledge, address any legislative or regulatory changes from the prior year, and produce a dated completion record for each employee that supports both the state training mandate under HB 300 and the federal documentation retention requirements. The HIPAA Journal’s HIPAA Training for Employees includes an optional Texas Medical Privacy Laws module that covers HB 300 and the additional Texas state laws that apply to healthcare workforces, and that can be added to the mandatory HIPAA training course for organizations that need employees to satisfy both federal and Texas state compliance training obligations in a single program.

Author: PJ Murray

PJ Murray founded and is the publisher of The HIPAA Journal. He is committed to advancing the publication’s goal of promoting HIPAA compliance and safeguarding patient privacy by helping organizations and their employees better understand the regulations, as well as the importance of securing patient information and maintaining data security. PJ has experience in software development, has earned an engineering degree, and specialises in the cybersecurity aspects of protecting medical records and training healthcare staff on HIPAA.