HB 300 training must cover the expanded covered entity definition under Texas law, the strengthened patient rights that Texas law provides beyond the federal HIPAA baseline, the mandatory privacy training requirement specific to Texas, and the civil penalty structure enforced by the Texas Attorney General. None of these appear in federal HIPAA training, because they are established by Texas state law rather than by the federal regulations that HIPAA training addresses. Texas medical privacy law sits on top of federal HIPAA, so both legal frameworks apply at the same time to healthcare organizations operating in Texas. Where Texas law sets a stricter standard than HIPAA on any point, the Texas standard governs; where HIPAA sets the stricter standard, the federal standard applies. All provisions of both the state and federal frameworks must be satisfied in full, and a workforce that has received only federal HIPAA training does not understand the additional obligations Texas law imposes on their organization and on their individual conduct.
The Expanded Texas Covered Entity Definition
Federal HIPAA defines a covered entity as a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in covered transactions. That definition excludes many organizations that handle medical records in Texas without qualifying as covered entities under federal law. The Texas Medical Records Privacy Act as amended by HB 300 defines a covered entity to include any person or organization that for commercial, financial, or professional purposes engages in assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. That broader definition reaches vendors, contractors, data processors, and other organizations operating in Texas that would have no HIPAA training obligation under the federal framework. Employees of organizations that fall within the Texas definition but outside the federal definition need HB 300 training to understand that they carry state compliance obligations their employer’s existing HIPAA program does not address.
Strengthened Patient Rights Under Texas Law
HIPAA establishes a federal baseline of patient rights over protected health information. Texas law extends those rights in several areas, imposing stricter standards on certain disclosure categories and giving patients greater protections in specific contexts than the federal framework requires. An employee trained only on federal HIPAA patient rights understands the federal baseline but may not know when a Texas patient’s rights exceed that baseline and require a more protective response. HB 300 training must address where Texas law diverges from federal HIPAA on patient rights so that employees make the correct determination when a disclosure decision arises and apply the stricter Texas standard rather than the permissive federal one.
The Texas Attorney General Enforcement Structure
Federal HIPAA is enforced by the Office for Civil Rights (OCR) at HHS. HB 300 is enforced by the Texas Attorney General under a separate civil penalty structure that operates independently of any federal action. Employees and compliance officers who understand only the federal enforcement mechanism do not know that the Texas Attorney General can open an independent investigation, assess civil penalties under the Texas tiered structure, and require corrective action without any involvement from OCR. HB 300 training must explain the state enforcement authority so that organizations and employees understand the full regulatory exposure they carry when operating in Texas, which is materially different from the exposure they would carry in a state that does not supplement HIPAA with its own enforcement regime.
The Additional Texas Laws Beyond HB 300
HB 300 training addresses the Texas Medical Records Privacy Act, but Texas healthcare workforces must also receive instruction on several additional state statutes that carry independent compliance and training obligations. Federal HIPAA training does not address any of these laws, and HB 300 training does not address them either. The additional Texas statutes that must be covered in a complete Texas healthcare training program are:
- The Texas Identity Theft Enforcement and Protection Act, which governs the protection of sensitive personal information including medical data and imposes security and breach notification obligations that run alongside HIPAA and HB 300.
- The Texas Data Privacy and Security Act, which establishes consumer privacy rights and organizational data handling obligations that interact with how healthcare organizations manage patient and consumer information.
- The Texas Responsible AI Governance Act, which imposes governance requirements on organizations using artificial intelligence tools in healthcare settings.
- SB1188, which specifically regulates the use of artificial intelligence in connection with electronic health records and imposes conduct requirements on healthcare organizations using AI-assisted clinical or administrative tools.
- The Texas Medical Practice Act, which establishes privacy and records management standards for licensed clinical practitioners that carry training implications for clinical staff at any Texas healthcare organization.
A training program that covers only federal HIPAA and HB 300 leaves employees without instruction on all five of these statutes, each of which creates obligations that apply to their role under Texas law.
Structuring Training to Cover the Full Texas Requirement
A compliant training program for Texas healthcare employees must address federal HIPAA as the foundational layer of compliance, HB 300 and the Texas Medical Records Privacy Act as the primary state supplement, and the five additional Texas statutes as separate but equally binding obligations. The most practical approach integrates all of those components into a single structured program so that completion produces a training record demonstrating instruction across the full scope of applicable law. Annual training is industry best practice because both the federal HIPAA framework and the Texas state framework change over time, and the content employees need to understand must reflect the current state of both. The HIPAA Journal’s HIPAA Training for Employees includes an optional Texas Medical Privacy Laws module covering HB 300 and all five additional Texas statutes alongside the mandatory federal HIPAA curriculum, allowing Texas healthcare organizations to satisfy the full scope of their state and federal training obligations through a single annual program.