Electronic PHI Disclosure: Understanding HB300's Authorization Requirements for Small Practices

Executive Summary

Texas HB300 adds a Texas-specific rule for electronic disclosure of protected health information: unless an exception applies, a covered entity must obtain a separate authorization for each electronic disclosure and must provide patients a posted notice that their PHI is subject to electronic disclosure. HIPAA’s baseline still governs when authorizations are required (45 CFR 164.508) and when TPO activities may proceed without one (45 CFR 164.506). For small clinics, the combination means you should default to Texas’s stricter “per-disclosure authorization” model for electronic sharing outside treatment, payment, and health care operations, while maintaining clear posted notices and tight documentation. Doing so reduces regulatory risk, prevents inadvertent over-sharing, and creates defensible evidence if questions arise.

Introduction

Electronic workflows multiply both the speed and the risk of PHI disclosures. Patient portals, Direct messaging, secure email, third-party apps, and cloud exporters make it easy to send data to outside parties within minutes. Texas HB300 recognizes this by requiring (1) a conspicuous notice that PHI may be electronically disclosed, and (2) a separate authorization for each electronic disclosure unless the disclosure fits a defined exception or is otherwise allowed by state or federal law. Layered on HIPAA’s national framework, which requires authorizations for marketing, most non-TPO purposes, and certain research but permits TPO disclosures without one, small practices need a practical playbook for deciding when to get an authorization and how to prove it. This article provides that playbook.

Understanding Electronic PHI Disclosure Under Texas Health & Safety Code § 181.154 and 45 CFR 164.508

Texas § 181.154 establishes two core obligations for HB300-covered entities:

  1. Notice of electronic disclosure. Clinics must provide notice that PHI is subject to electronic disclosure. General notice may be posted at the clinic, on the website, or where patients will see it. This is in addition to, not a replacement for, HIPAA’s Notice of Privacy Practices.

  2. Authorization per electronic disclosure, with exceptions. Except as provided by statute, a covered entity may not electronically disclose an individual’s PHI without a separate authorization for each disclosure. Authorizations may be written or electronic, or oral, if documented in writing by the covered entity. Key exceptions include disclosures to another covered entity (as defined by Chapter 181 for the Texas Insurance Code) for treatment, payment, or health care operations (TPO); and disclosures otherwise authorized or required by state or federal law.

HIPAA alignment: HIPAA at 45 CFR 164.506 allows disclosures for TPO without patient authorization, while 45 CFR 164.508 requires authorizations for most non-TPO disclosures (for example, many marketing uses, certain research absent IRB/Waiver criteria, and other purposes not otherwise permitted). Texas’s § 181.154 overlays an electronic-disclosure authorization expectation unless an exception applies, so, in practice, you harmonize by asking: (a) Is it TPO? (b) Is it otherwise required/authorized by law? (c) If neither, obtain an HB300-compliant authorization per disclosure, and ensure the content also meets HIPAA’s authorization content requirements.

Bottom line: Understanding where § 181.154 tightens electronic disclosures helps small practices avoid unlawful sends, reduce penalties, and standardize patient expectations.

The OCR’s Authority in Electronic PHI Disclosure

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces HIPAA’s Privacy Rule, including the authorization content and validity requirements (45 CFR 164.508) and the permitted TPO pathway (45 CFR 164.506). OCR investigations are triggered by complaints, breach reports, and targeted reviews. Texas HB300 is enforced by Texas authorities, but any electronic disclosure misstep can expose the clinic to both federal OCR scrutiny and Texas enforcement. Building a workflow that (1) screens for TPO vs. non-TPO, (2) uses Texas authorization for non-TPO electronic disclosures, and (3) preserves written documentation positions your practice to satisfy either regulator.

Step-by-Step Compliance Guide for Small Practices

The steps below translate § 181.154 and 45 CFR 164.508/164.506 into a lean, auditable clinic process. For each step, we list how to comply, what evidence to keep, and a low-cost option.

  1. Post the electronic-disclosure notice in all patient-facing channels.
     How to comply: Add a short “Electronic Disclosure Notice” in your lobby, at check-in, and on your website. Keep language simple and visible.
     Evidence: Dated photos/screenshots of postings; revision log; inclusion in intake packet.
     Low-cost: A one-page laminated sign and a website footer link.

  2. Adopt a one-page authorization form aligned to HIPAA content rules.
     How to comply: Build a form that meets HIPAA’s authorization content (description of information, recipient, purpose, expiration, right to revoke, potential for redisclosure, signature/date) and that you can reuse per disclosure. Allow e-signature and document oral authorizations in writing.
     Evidence: Master template; completed forms; e-signature logs; oral-auth documentation.
     Low-cost: Fillable PDF with e-signature enabled; binder for paper backups.

  3. Route every electronic disclosure through a TPO screen.
     How to comply: Before sending any ePHI, staff answer two questions: Is this TPO? If yes, proceed under 45 CFR 164.506 and document the basis. If no, or if you’re unsure, obtain a § 181.154 authorization and verify the recipient.
     Evidence: Disclosure decision log (TPO vs eAuthorization); copies of authorizations; recipient verification notes.
     Low-cost: A two-column checklist laminated at each workstation.

  4. Standardize secure electronic channels and capture patient preferences.
     How to comply: Use portal, Direct messaging, or secure email by default. If a patient insists on unencrypted email, warn of risks and document their preference.
     Evidence: Delivery logs; preference notes; screenshots of secure channel settings.
     Low-cost: Built-in portal exports and a secure email option (no add-ons required).

  5. Handle third-party apps and designated recipients carefully.
     How to comply: When a patient directs you to transmit ePHI to a third-party app/recipient, confirm identity, obtain the destination details in writing, and determine whether the request is a HIPAA right-of-access flow or a non-TPO disclosure requiring eAuthorization.
     Evidence: Patient directive; determination notes; authorization or access documentation; proof of transmission.
     Low-cost: A one-page “designated recipient” form pre-mapped to your EHR export.

  6. Train staff with role-specific scenarios and retain signed attestations for 6 years.
     How to comply: Train new hires within your onboarding window on the TPO screen, when to trigger eAuthorization, documenting oral authorizations, and secure delivery.
     Evidence: Curriculum, rosters, signed attestations, periodic refresh materials.
     Low-cost: 20-minute micro-lessons during staff huddles, with one scenario per role.

  7. Audit five disclosures per month; close gaps with corrective actions.
     How to comply: Sample five recent electronic disclosures; verify TPO vs eAuthorization, notice postings, and secure delivery evidence. Correct errors within two weeks.
     Evidence: Audit checklist, findings log, corrective-action tracker with owners/dates.
     Low-cost: Spreadsheet with color-coded status.

  8. Coordinate vendors (business associates) on your eAuthorization posture.
     How to comply: Ensure vendors that initiate or facilitate ePHI disclosures understand your Texas per-disclosure expectation and will capture/store authorizations or TPO determinations as applicable.
     Evidence: Updated BAAs/SOWs; vendor confirmations; sample logs; incident contacts.
     Low-cost: Annual one-page vendor questionnaire and addendum.
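The disclosure decision log that steps 2, 3, 4 and 7 describe can be kept as a small script rather than a spreadsheet. The following is an added example written for this article, not code from the article or from any EHR or compliance vendor. It applies the TPO screen to each request, checks a non-TPO authorization for the HIPAA content elements listed in step 2, flags reuse of one authorization across sends, flags unencrypted channels with no documented patient preference, and samples five entries for the monthly audit. The recipient categories, field names and the five sample requests are constructed for illustration; a clinic would map them to its own forms and its own legal advice.

```python
"""Disclosure decision log implementing the article's TPO screen.

Added example, not the article's or any vendor's code. Recipient categories,
element names and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import random

# Constructed lists following the article's two-column decision card.
TPO_RECIPIENTS = {"treating_provider", "health_plan", "clearinghouse", "qi_program"}
NON_TPO_RECIPIENTS = {"employer", "school", "app_vendor", "life_insurance_broker"}
SECURE_CHANNELS = {"portal", "direct", "secure_email"}
# Authorization content elements listed in step 2 (45 CFR 164.508).
AUTH_ELEMENTS = ("description", "recipient", "purpose", "expiration",
                 "right_to_revoke", "redisclosure_warning", "signature", "signed_on")


@dataclass
class Authorization:
    auth_id: str
    elements: dict          # element name -> recorded value
    oral: bool = False
    oral_memo: str = ""     # written memo is required when the authorization was oral

    def defects(self, today: date) -> list:
        """Reasons this authorization would not stand on its own."""
        out = [f"missing {e}" for e in AUTH_ELEMENTS if not self.elements.get(e)]
        exp = self.elements.get("expiration")
        if isinstance(exp, date) and exp < today:
            out.append("expired")
        if self.oral and not self.oral_memo:
            out.append("oral authorization without written memo")
        return out


@dataclass
class Request:
    request_id: str
    recipient_type: str
    channel: str
    required_by_law: bool = False
    authorization: Optional[Authorization] = None
    unencrypted_pref_documented: bool = False


@dataclass
class DecisionLog:
    used_auth_ids: set = field(default_factory=set)
    entries: list = field(default_factory=list)

    def screen(self, req: Request, today: date) -> dict:
        """Apply the TPO screen and record the decision with its basis."""
        findings = []
        if req.recipient_type in TPO_RECIPIENTS:
            basis = "TPO (45 CFR 164.506)"
        elif req.required_by_law:
            basis = "required/authorized by law"
        else:
            # Non-TPO or unknown recipient: a separate eAuthorization per send.
            basis = "eAuthorization (Tex. 181.154 / 45 CFR 164.508)"
            auth = req.authorization
            if auth is None:
                findings.append("no authorization for non-TPO electronic disclosure")
            else:
                findings += auth.defects(today)
                if auth.auth_id in self.used_auth_ids:
                    findings.append("authorization reused across disclosures")
                self.used_auth_ids.add(auth.auth_id)
            if req.recipient_type not in NON_TPO_RECIPIENTS:
                findings.append("recipient type not on decision card; escalate")
        if req.channel not in SECURE_CHANNELS and not req.unencrypted_pref_documented:
            findings.append("unencrypted channel without documented patient preference")
        entry = {"request_id": req.request_id, "basis": basis,
                 "ok": not findings, "findings": findings}
        self.entries.append(entry)
        return entry

    def audit_sample(self, n: int = 5, seed: int = 0) -> list:
        """Monthly spot check: sample n entries and return those with findings."""
        picks = random.Random(seed).sample(self.entries, min(n, len(self.entries)))
        return [e for e in picks if not e["ok"]]


def sample_run(today: date = date(2024, 3, 1)) -> DecisionLog:
    """Constructed sample loosely mirroring the article's case study."""
    good = dict(description="stress test and visit notes", recipient="broker (constructed)",
                purpose="life insurance application", expiration=date(2024, 6, 1),
                right_to_revoke=True, redisclosure_warning=True,
                signature="e-sign", signed_on=today)
    log = DecisionLog()
    log.screen(Request("R1", "treating_provider", "direct"), today)   # referral: TPO
    auth = Authorization("A1", good)
    log.screen(Request("R2", "life_insurance_broker", "secure_email", authorization=auth), today)
    log.screen(Request("R3", "employer", "email"), today)              # no auth, plain email
    log.screen(Request("R4", "life_insurance_broker", "secure_email", authorization=auth), today)
    log.screen(Request("R5", "school", "portal", authorization=Authorization("A2", good, oral=True)), today)
    return log
```

In the sample run, R1 passes as TPO, R2 passes with a complete authorization, R3 is flagged twice (no authorization and an unencrypted channel with no documented preference), R4 is flagged because it reuses authorization A1, and R5 is flagged because the oral authorization has no written memo. The audit then returns exactly those three entries.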

Case Study

A small Texas cardiology clinic receives an email from a patient asking the clinic to “send my stress-test and visit notes to a life-insurance broker via regular email today.” Staff initially plan to comply, believing the request is a HIPAA access directive. The privacy officer intervenes and applies the TPO screen: because the recipient is a commercial broker unrelated to treatment, payment, or operations, the clinic treats this as a non-TPO electronic disclosure requiring a separate eAuthorization under § 181.154. The officer obtains a signed authorization specifying the records and the broker’s address, warns the patient about email risks, and documents the patient’s preference to proceed. The clinic then transmits via secure email with a one-time passcode and confirms receipt.

Two months later, an audit finds a different staff member printed labs for a patient’s employer wellness program and then emailed a PDF to the employer’s coordinator without authorization. Because the clinic had instituted the TPO screen, the error is detected quickly, retraining occurs, and the clinic updates its laminated decision card with explicit examples (employer, school, app vendors = not TPO). The clinic’s quick corrective action, complete documentation, and posted electronic-disclosure notices reduce enforcement exposure.

Simplified Self-Audit Checklist for Electronic PHI Disclosure

| Task | Responsible Role | Timeline/Frequency | CFR Reference |
|------|------------------|--------------------|---------------|
| Post “Electronic Disclosure Notice” in lobby/website/intake packet. | Office Manager | Quarterly verification | Tex. Health & Safety Code § 181.154(a) |
| Screen every disclosure for TPO vs non-TPO; log decision. | Privacy Officer/All Workforce | Each disclosure | 45 CFR 164.506; Tex. § 181.154(b),(c) |
| Obtain per-disclosure eAuthorization for non-TPO electronic disclosures. | Privacy Officer/Clinician | Each applicable disclosure | 45 CFR 164.508; Tex. § 181.154(b) |
| Allow oral authorization only if documented in writing by clinic. | Privacy Officer | As needed | Tex. § 181.154(b) |
| Use secure channels by default; record any patient preference for unencrypted email. | IT Lead/Staff | Ongoing | 45 CFR 164.506; HIPAA Privacy guidance |
| Maintain templates for designated recipients/third-party apps and verify identity. | Front Desk Lead | Ongoing | 45 CFR 164.508; Tex. § 181.154 |
| Audit five recent disclosures and close corrective actions. | Privacy Officer | Monthly | Tex. § 181.154(d) context; HIPAA program oversight |
| Update BAAs and vendor workflows to capture TPO/eAuthorization posture. | Administrator | Annual | 45 CFR 164.504(e); Tex. § 181.154(d) |

Running this checklist each month keeps decisions consistent, documentation uniform, and evidence audit-ready.

Common Pitfalls to Avoid Under Texas § 181.154 / 45 CFR 164.508

Electronic disclosures move fast, so common mistakes tend to share two traits: skipping the TPO screen and weak documentation. The pitfalls below link to the law and show the practical consequence.

  • Assuming any patient request to send PHI to a third party is “right-of-access” and therefore authorization-free leads to unlawful electronic disclosures when the recipient is not part of TPO. The fix is a short decision tree and a per-disclosure eAuthorization when it’s non-TPO. Consequence: state/federal scrutiny and potential penalties.

  • Treating one blanket authorization as permission for recurring disclosures contradicts HB300’s “separate authorization for each electronic disclosure” expectation. Use discrete authorizations per send. Consequence: invalid authorization and compliance risk.

  • Failing to post the electronic-disclosure notice deprives patients of the transparency § 181.154(a) requires. Post in the lobby and website, and keep dated proof. Consequence: notice violations and weaker mitigation posture.

  • Documenting oral authorizations poorly (no written memo of whom, what, when) undermines your ability to prove valid consent later. Use a short template to memorialize any oral authorization immediately. Consequence: inability to defend the disclosure.

  • Letting vendors initiate disclosures without matching your authorization logic creates gaps you own. Update BAAs and collect annual confirmations that vendors honor your TPO/eAuthorization model. Consequence: downstream violations attributed to the clinic.

Closing these gaps reduces incident frequency and strengthens your defense if one occurs.

Best Practices for Electronic PHI Disclosure Compliance

Small practices need habits that are fast, cheap, and auditable. These practices directly align to § 181.154 and 45 CFR 164.508/164.506:

  • TPO First, Then eAuthorization. Make the TPO screen a reflex: if it is not clearly TPO or otherwise required/authorized by law, get an eAuthorization tailored to the specific disclosure.

  • Two-Column Decision Card. Laminate a card listing examples of TPO (referrals, payer claims, clearinghouses, quality improvement) vs common non-TPO requests (employers, schools, app vendors, attorneys for non-care matters).

  • Template Library. Maintain three ready-to-use tools: Electronic Disclosure Notice, eAuthorization form (e-sign capable), and an oral authorization memo.

  • Secure-by-Default Delivery. Default to portal or secure email; if unencrypted email is requested, warn the patient and document the preference.

  • Five-Record Monthly Audit. Rapid spot checks keep the program on track and turn weak habits into immediate improvements.

These best practices keep decisions consistent across staff and create a paper trail that satisfies auditors and investigators.

Building a Culture of Compliance Around Electronic PHI Disclosure

Culture ensures the process works on busy days and during staff turnover. Practical moves include:

  • Leadership cue. Start the monthly huddle with a two-minute “disclosure moment”: one lesson learned, one metric (e.g., % of non-TPO disclosures with signed eAuthorization), and a quick thank-you to someone who caught a risk.

  • Visible ownership. Post who owns eAuthorization templates and who is the on-call privacy contact for unusual requests, plus backups.

  • No-blame escalation. Encourage staff to pause and escalate when a request is ambiguous; reward early questions rather than speed without clarity.

  • Micro-drills. Practice “Send to employer,” “Send to school,” and “Send to app” scenarios. Each drill ends with one tiny improvement (e.g., updated example list on the laminated card).

  • Sustainability. Build the TPO screen and eAuthorization step into onboarding, annual refreshers, and performance discussions.

A steady cadence makes the legally correct path the easiest path.

Concluding Recommendations, Advice, and Next Steps

Texas § 181.154 requires a posted electronic-disclosure notice and a separate authorization for each non-TPO electronic disclosure, with specific exceptions. HIPAA’s 45 CFR 164.506/164.508 provides the national baseline for TPO vs authorization. For small practices, the winning formula is simple: post the notice, run every disclosure through a TPO screen, obtain per-disclosure authorizations for non-TPO cases, use secure delivery by default, and retain clean documentation (including oral-auth memos). With a one-page decision card, e-sign templates, and a five-record monthly audit, clinics can reduce risk dramatically while moving quickly for patients.

Advice:

  • Use OCR’s HIPAA Privacy Rule summaries and authorization guidance as your baseline, then overlay Texas § 181.154 in local SOPs and templates.
  • If budgets are tight, keep everything in a shared drive: a template folder (notice, eAuthorization, oral memo), a disclosure decision log, and a monthly five-record audit sheet.
  • For scale, consider light compliance/task software that tracks template versions, e-signature events, and audit reminders; many low-cost platforms can be configured in a day.

Next steps

  • Today: Post or refresh your Electronic Disclosure Notice and print the two-column TPO vs non-TPO card.

  • This week: Enable an e-signature workflow for your eAuthorization template, and add the oral authorization memo to your forms library.

  • This month: Run a 30-minute tabletop using “send to employer” and “send to app” scenarios; close at least two corrective actions from the findings.
