Beyond HIPAA: Why Your Out-of-State Clinic Needs to Comply with Texas HB300

Executive Summary

Texas House Bill 300 (HB300), codified primarily in Texas Health & Safety Code Chapter 181, expands medical records privacy obligations beyond federal HIPAA for any “covered entity” that handles protected health information (PHI) of Texas residents. The statute’s definition of “covered entity” is unusually broad and can reach out-of-state clinics that assemble, use, store, or transmit PHI of Texans, even if the clinic has no physical presence in Texas (Texas Health & Safety Code § 181.001(b)). For small practices, HB300’s stricter rules matter: a 15-business-day window to provide certain electronic records, role-based training within 90 days, and per-disclosure authorization/notice requirements for many electronic disclosures (§§ 181.101, 181.102, 181.154). Aligning HIPAA with HB300 prevents dual-enforcement exposure and ensures consistent, patient-centered privacy operations. This article explains why out-of-state clinics must comply and how to implement practical, low-cost controls.

Introduction

Small practices outside Texas often assume HIPAA alone governs their medical-records privacy program. That assumption breaks down when your patient population includes Texas residents, telehealth visits originate from Texas IP addresses, or your clinic stores PHI for Texans. HB300 overlays HIPAA with Texas-specific requirements: faster ePHI access when your EHR can fulfill (§ 181.102), a conspicuous notice and per-disclosure authorization framework for many electronic disclosures (§ 181.154), and workforce training deadlines (§ 181.101). HIPAA remains the national baseline (45 CFR Part 164), but when Texas is stricter, Texas controls for Texans’ PHI. For lean clinics, the operational key is building “Texas-aware” intake, disclosure, and breach workflows that default to the stricter rule without adding heavy overhead.

Understanding Beyond HIPAA for Out-of-State Clinics Under Texas Health & Safety Code Chapter 181 and 45 CFR Part 164

Texas HB300 reframes who must comply and how:

  1. Who is a “covered entity”. Texas defines “covered entity” broadly as “any person” who, for gain or otherwise, engages in assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI; the term expressly includes clinics and entities that maintain an Internet site (Texas Health & Safety Code § 181.001(b)). The definition focuses on the handling of PHI, not the clinic’s physical location. If you hold PHI for Texas residents, the statute can apply.

  2. HIPAA remains required, and is expressly referenced. Texas incorporates HIPAA’s Privacy and Security standards and requires compliance with both HIPAA and Chapter 181 (Texas Health & Safety Code § 181.004; HIPAA at 45 CFR Part 164). For out-of-state clinics, HIPAA + HB300 is the practical formula for Texans’ PHI.

  3. Stricter Texas rules you must implement:

    • Training: Workforce must be trained within 90 days of hire and upon material legal/policy changes, with signed acknowledgments retained (§ 181.101).

    • Right of access for ePHI: When your EHR can fulfill, provide a patient’s requested electronic records within 15 business days (§ 181.102), a faster timeline than HIPAA’s general 30-day standard (45 CFR 164.524).

    • Electronic disclosures: Provide conspicuous notice that PHI may be electronically disclosed and obtain a separate authorization for each electronic disclosure unless an exception applies (e.g., TPO) (§ 181.154; compare 45 CFR 164.506 and 164.508).

    • Enforcement and penalties: Texas civil penalties scale with negligence, intent, and financial gain, with enhanced caps for pattern/practice (§ 181.201).

  4. Breach notifications: dual triggers. HIPAA requires individual notices and reports to HHS (45 CFR 164.404, 164.408). Texas separately requires reporting to the Attorney General when a breach affects ≥250 Texas residents (Texas Business & Commerce Code § 521.053(i)). Out-of-state clinics that store Texans’ PHI must count affected Texans and run a Texas AG 30-day timer alongside HIPAA’s timelines.

Why this legal framework reduces risk: Building your program to the stricter of HIPAA or HB300 avoids missed deadlines, weak documentation, and exposure to both OCR and Texas enforcement. For multi-state clinics, a single “Texas-aware” workflow that activates based on patient residency is efficient and defensible.

OCR’s Authority for Out-of-State Clinics Handling Texans’ PHI

HIPAA is enforced by HHS’s Office for Civil Rights (OCR), which investigates complaints, breach reports, and targeted reviews (45 CFR Part 164, Subpart D for breaches). OCR focuses on your HIPAA-compliance posture: access timeliness, minimum necessary, safeguards, risk analysis, and breach notifications (45 CFR 164.404, 164.408). Texas authorities, including the Attorney General and relevant health-professions boards, enforce Chapter 181. For an out-of-state clinic, a single incident (for example, a delayed ePHI response to a Texas resident or an electronic disclosure without a Texas-required authorization) can trigger parallel evaluations: OCR for HIPAA conformance and Texas for HB300-specific duties such as § 181.154 notices/authorizations and § 181.102 timelines. Designing policy, training, and evidence to satisfy both regulators is therefore essential. 

Step-by-Step Compliance Guide for Small Practices (Out-of-State, Serving Texans)

These steps translate HB300 to low-overhead operations for clinics that never set foot in Texas, but store or transmit Texans’ PHI.

  1. Adopt a “Stricter Rule Governs” Policy Addendum (2 pages).
    How to comply: State that HIPAA is the baseline; for Texas residents’ PHI, Chapter 181 controls where stricter. Enumerate impacts: 90-day training (§ 181.101), 15-business-day ePHI access (§ 181.102), and electronic disclosure notice/authorization (§ 181.154).
    Evidence: Signed addendum; version control; staff acknowledgments retained six years.
    Low-cost: Edit your current HIPAA manual and attach a Texas addendum.

  2. Texas-Aware Intake and Residency Flagging.
    How to comply: Add a checkbox and state-of-residency field in new-patient forms and telehealth portals; trigger a “Texas” badge in the EHR.
    Evidence: Completed intake forms; EHR screenshots showing “Texas” tag on chart.
    Low-cost: One extra field in your intake form and an EHR custom flag.

  3. Post Conspicuous Electronic-Disclosure Notice (Digital and Physical).
    How to comply: Display a notice stating PHI may be electronically disclosed as allowed by law (clinic website, patient portal landing page, and waiting rooms if any) (§ 181.154(a)).
    Evidence: Dated screenshots/photographs; portal audit logs; versioned notice.
    Low-cost: One graphic and a footer link in your CMS/portal.

  4. Per-Disclosure Authorization for Non-TPO Electronic Disclosures.
    How to comply: For non-TPO recipients (e.g., employer, school, patient-chosen app vendor), collect a separate authorization for each electronic disclosure unless another law permits it (§ 181.154(b)–(c)); document oral authorizations in writing.
    Evidence: Completed authorization forms (paper/e-sign), disclosure log entries.
    Low-cost: One e-sign template; a two-column staff “TPO vs. Non-TPO” cheat card.

  5. Meet the 15-Business-Day ePHI Access Window When EHR Can Fulfill.
    How to comply: On receipt of a written request, start a 15-business-day clock for electronic copies when your system can fulfill; provide in the requested electronic format if readily producible (§ 181.102). Coordinate with HIPAA’s form/format rights (45 CFR 164.524).
    Evidence: Access tracker showing receipt date, due date, delivery proof.
    Low-cost: A shared spreadsheet with auto-calculated Texas deadlines.

  6. Role-Based Training Within 90 Days; Keep Sign-offs.
    How to comply: Train new staff within 90 days and after material changes; include Texas-specific topics: electronic-disclosure authorizations, 15-day access, AG breach reporting threshold (§ 181.101; Texas Bus. & Com. Code § 521.053(i)).
    Evidence: Roster, signed attestations, syllabus, update notices.
    Low-cost: 20-minute micro-modules and templated sign-off forms.

  7. Vendor Governance for Cross-Border PHI.
    How to comply: Ensure BAAs and service agreements address encryption, electronic disclosure controls, incident reporting, and Texas-resident handling.
    Evidence: Executed BAAs; annual vendor attestations; incident contact sheet.
    Low-cost: One-page addendum aligning vendors to HB300 duties.

  8. Breach Playbook with Dual Timers (HIPAA + Texas AG).
    How to comply: For an incident, open an investigation log; run HIPAA risk assessment (45 CFR Subpart D); tally affected Texas residents; if ≥250, file with Texas AG no later than 30 days after determination (§ 521.053(i)) while meeting HIPAA’s 60-day individual/HHS timing (45 CFR 164.404, 164.408).
    Evidence: Intake timestamp; risk assessment; state-by-state counts; notices; AG confirmation.
    Low-cost: A spreadsheet with “HIPAA 60-day” and “Texas AG 30-day (≥250 Texans)” columns.

  9. One-Binder Evidence Model.
    How to comply: Maintain policies, training, e-disclosure notices, authorization templates, access logs, vendor list, encryption screenshots, breach packets, and corrective-action logs in a single folder, indexed by year.
    Evidence: The folder and its dated contents.
    Low-cost: Your existing cloud drive.

  10. Monthly Five-Record Self-Audit with 14-Day Remediation.
    How to comply: Sample five recent Texas-resident charts or disclosures; verify residency flag, e-disclosure authorization where needed, 15-day access timeliness, and training currency; close gaps within 14 days.
    Evidence: Audit checklist and corrective-action entries.
    Low-cost: One page, color-coded.
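The deadline arithmetic behind steps 5 and 8 (the 15-business-day Texas ePHI access clock and the dual HIPAA/Texas AG breach timers), written as an added Python example that is not part of the original article. It assumes the HIPAA 60-day and Texas AG 30-day windows are counted in calendar days from the determination date the article refers to, and counts business days as Monday to Friday with no holiday calendar.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional


def add_business_days(start: date, n: int) -> date:
    """Date n business days after start. Assumption: Mon-Fri only, no holiday calendar."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 ... Friday=4
            n -= 1
    return d


def ephi_access_due(received: date, texas_resident: bool, ehr_can_fulfill: bool) -> date:
    """Due date for an electronic-records request.

    Texas Health & Safety Code 181.102: 15 business days when the chart is
    Texas-flagged and the EHR can produce the records electronically.
    Otherwise fall back to HIPAA's general 30-day standard (45 CFR 164.524).
    """
    if texas_resident and ehr_can_fulfill:
        return add_business_days(received, 15)
    return received + timedelta(days=30)


@dataclass
class BreachTimers:
    hipaa_individual_hhs_due: date        # 45 CFR 164.404 / 164.408: 60 days
    texas_ag_due: Optional[date]          # Tex. Bus. & Com. Code 521.053(i); None if under threshold
    texas_count: int


def breach_timers(determined: date, affected_by_state: Dict[str, int]) -> BreachTimers:
    """Run both breach clocks from the determination date.

    The Texas AG filing is only triggered when 250 or more Texas residents are
    affected, so the state-by-state tally drives the second timer.
    """
    tx = affected_by_state.get("TX", 0)
    return BreachTimers(
        hipaa_individual_hhs_due=determined + timedelta(days=60),
        texas_ag_due=determined + timedelta(days=30) if tx >= 250 else None,
        texas_count=tx,
    )


if __name__ == "__main__":
    # Constructed sample: a Texas-flagged request received Monday 2024-03-04.
    print("Texas ePHI due:", ephi_access_due(date(2024, 3, 4), True, True))
    # Constructed sample matching the case-study tally (262 of 412 are Texans).
    print(breach_timers(date(2024, 6, 1), {"TX": 262, "CO": 150}))
```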

Case Study

A Colorado telehealth clinic treats a Texas resident via video for dermatology follow-up. Two issues arise:

  • Access request: The patient emails a request for electronic copies of their visit notes and pathology report. Staff, accustomed to HIPAA’s 30-day window, plan to batch the request with month-end processing. Because the chart is tagged “Texas”, the clinic’s tracker sets a 15-business-day deadline under § 181.102 and fulfills via the portal within nine business days, documenting form/format and delivery.
  • Electronic disclosure: The patient asks the clinic to email images to a school athletic trainer. The Texas quick-card flags this as non-TPO. Staff obtain a separate, per-disclosure authorization (e-sign), warn about email risks, and use secure email. The authorization and delivery proof are logged.

Months later, a vendor incident exposes a subset of images. The clinic’s breach playbook tallies 412 affected individuals nationally, 262 of whom are Texas residents. The clinic sends HIPAA notices to individuals, reports to HHS within 60 days, and files with the Texas Attorney General within 30 days of determination because the threshold (≥250 Texans) is met. Evidence includes timestamps, the state tally, notice templates, and submission receipts. The clinic avoids penalties due to timely action, solid documentation, and prior staff training.

Simplified Self-Audit Checklist for Beyond HIPAA: Out-of-State Clinics Serving Texans

| Task | Responsible Role | Timeline/Frequency | Regulatory Reference |
| --- | --- | --- | --- |
| Adopt “Stricter Rule Governs” addendum and staff acknowledgments. | Compliance Lead/Owner | Annual + upon legal change | 45 CFR Part 164; Tex. Health & Safety Code § 181.004 |
| Add Texas residency flag to intake/telehealth workflows. | Front Desk/IT | Immediate; review quarterly | 45 CFR 164.530(b) program safeguards |
| Post Electronic Disclosure Notice in portal/website. | Practice Manager | Verify quarterly | Tex. Health & Safety Code § 181.154(a) |
| Use per-disclosure authorization for non-TPO electronic disclosures; log each send. | All Staff; Privacy Officer oversight | Per disclosure | Tex. Health & Safety Code § 181.154(b)–(c); 45 CFR 164.508 |
| Fulfill ePHI access in ≤15 business days when EHR can fulfill; document form/format. | Privacy Officer/EHR Lead | Per request | Tex. Health & Safety Code § 181.102; 45 CFR 164.524 |
| Train workforce within 90 days; keep signed attestations six years. | Privacy Officer | New hires + changes | Tex. Health & Safety Code § 181.101 |
| Maintain vendor register, BAAs, encryption attestations, incident contacts. | Administrator | Annual | 45 CFR 164.308(b), 164.314(a) |
| Run breach playbook: HIPAA 60-day notices + Texas AG 30-day filing when ≥250 Texans. | Privacy Officer | Per incident | 45 CFR 164.404, 164.408; Tex. Bus. & Com. Code § 521.053(i) |
| Audit five Texas-resident charts/disclosures; close gaps in 14 days. | Privacy Officer | Monthly | 45 CFR 164.530(i) documentation; Texas Ch. 181 program alignment |

This table prioritizes the few actions that most directly lower enforcement risk for out-of-state clinics handling Texans’ PHI.

Common Pitfalls to Avoid Under Texas Health & Safety Code Chapter 181 / 45 CFR Part 164

Most errors stem from assuming HIPAA alone controls. The following pitfalls are particularly risky for out-of-state clinics.

  • Ignoring residency: Failing to flag Texas residents means you miss HB300 timelines and disclosures. Practical consequence: late access and improper e-disclosures increase penalty exposure under § 181.201 and OCR scrutiny for process gaps.
  • Using HIPAA’s 30-day access window for Texas ePHI: Texas requires 15 business days when your system can produce ePHI (§ 181.102). Practical consequence: avoidable delays and complaints; fixed by automated Texas timers.
  • Sending electronic PHI to non-TPO recipients without per-disclosure authorization: Texas requires a new authorization for each electronic disclosure unless an exception applies (§ 181.154(b)–(c)). Practical consequence: unlawful disclosures and higher penalty tiers.
  • Weak training cadence: Skipping the 90-day new-hire training and change-driven refreshers violates § 181.101. Practical consequence: repeat errors that look like pattern/practice under § 181.201(c).
  • Single-timer breach workflow: Not checking the Texas AG ≥250-resident threshold leads to missed state notices (§ 521.053(i)). Practical consequence: enforcement by the Texas AG even if HIPAA notices were timely.

By correcting these, small clinics sharply reduce dual-enforcement risk while improving patient trust.

Best Practices for Beyond HIPAA Compliance (Lean Clinic Edition)

For small, out-of-state clinics, the goal is to make compliant actions the easiest actions.

  • Texas Toggle: A simple “TX” badge in the EHR activates HB300 workflows (15-day access, e-disclosure authorization requirement, AG threshold counter).
  • Two-Column Decision Card (TPO vs Non-TPO): Put common recipients on each side; if in doubt, obtain a per-disclosure authorization and document oral approvals in writing.
  • Template Library: Keep four live templates: Electronic Disclosure Notice; Texas e-Disclosure Authorization; Oral Authorization Memo; Breach Notification Packet with state tally.
  • Dual-Timer Tracker: A shared sheet that tracks HIPAA and Texas AG timelines with auto-reminders.
  • One-Binder Evidence: Policies, rosters, BAAs, encryption screenshots, access/disclosure logs, breach packet, and corrective-action log, indexed yearly.

These practices concentrate effort where Texas and HIPAA both look first: timeliness, authorization logic, and documentation.

Building a Culture of Compliance Around Beyond HIPAA

Culture makes compliance durable across staff changes and busy seasons.

  • Leadership cadence: Open monthly huddles with one metric (median days to fulfill Texas ePHI request) and one quick corrective-action update.
  • Roles and backups: Post who owns Texas notices/authorizations, the access tracker, and the AG/HHS filing steps, plus backups.
  • No-blame escalation: Reward staff for pausing ambiguous requests (e.g., sending PHI to an employer wellness program).
  • Micro-drills: Each quarter, practice a Texas ePHI access request and a non-TPO electronic disclosure; update the decision card with lessons learned.
  • Onboarding hooks: Make the 90-day training requirement and Texas timers part of basic job expectations, not extra work.

Sustained rhythm keeps the clinic aligned to stricter rules without slowing care.

Concluding Recommendations, Resources, and Next Steps

Summary: If your clinic touches PHI of Texas residents, whether through telehealth, referrals, patient-directed app uploads, or stored records, Texas HB300 likely applies in addition to HIPAA. The safest model is to default to the stricter rule: Texas’s 15-business-day ePHI access when your system can fulfill, per-disclosure electronic-authorization requirements with conspicuous notice, 90-day training, and dual breach timers that include Texas’s AG threshold. With simple templates, a residency flag, and consistent documentation, out-of-state clinics can run a compliant, low-overhead program.

Resources:

  • HHS/OCR rule summaries for HIPAA Privacy, Security, and Breach Notification, which supply authoritative language for policies and staff FAQs.
  • eCFR/Federal Register text of 45 CFR Part 164 for citing exact rule provisions.
  • Texas Legislature Online text of Chapter 181 and HB300 sections for state-specific requirements (training, ePHI access, electronic disclosures).
  • Texas Attorney General breach reporting page to confirm the ≥250-resident threshold and electronic submission process.

Practical tools: Start with shared-drive templates and a spreadsheet-based timer; layer lightweight compliance/task software only if volumes justify it.

A practical step to reinforce compliance is integrating a compliance system into your operations. These tools monitor requirements, perform ongoing risk reviews, and keep your practice prepared for audits, helping you avoid costly mistakes while presenting a proactive stance to oversight bodies.
