New Patient Forms: The HB300 Requirement for a Notice on Electronic Disclosures

Executive Summary

Texas HB300 requires covered entities to give patients conspicuous notice that their protected health information (PHI) may be electronically disclosed, and, outside of treatment, payment, and healthcare operations, generally to obtain a separate authorization for each electronic disclosure. This requirement is codified at Texas Health & Safety Code § 181.154 and interacts directly with HIPAA’s rules for TPO uses at 45 CFR 164.506 and HIPAA authorizations at 45 CFR 164.508. For small practices, the operational impact lands on new-patient intake: your forms, lobby signage, and portal must all consistently present the electronic disclosure notice while your workflow distinguishes disclosures that require per-disclosure authorization. Implementing a simple posting-plus-authorization process reduces complaint risk, clarifies staff decisions, and provides the documentation regulators expect.

Introduction

Many small clinics believe HIPAA alone governs their privacy program. In Texas, HB300 adds state-specific steps that tighten how electronic PHI moves, especially for disclosures outside TPO. The most visible of these is the notice obligation: patients must be told, in clear and conspicuous terms, that their PHI may be disclosed electronically. Because intake is where relationships begin and permissions are established, the new-patient packet and portal are the best places to satisfy the posting requirement and to collect any separate authorizations when a patient asks for electronic disclosures beyond TPO. This article translates § 181.154 and the relevant HIPAA provisions into the exact intake artifacts, scripts, and logs a small practice can run with modest tools.

Understanding the HB300 Electronic Disclosure Notice Requirement Under Texas Health & Safety Code § 181.154; HIPAA TPO and Authorization Cross-References (45 CFR 164.506 and 164.508)

Texas § 181.154 creates two core duties that must be reflected in your intake process:

  1. Provide notice that PHI may be electronically disclosed.
    A covered entity must give general notice that an individual’s PHI is subject to electronic disclosure. The statute permits multiple posting avenues: a written notice in your place of business, a notice on your website/portal, or posting “in any other place” where patients are likely to see it. Intake forms are a natural location to reiterate this notice so that your documentation shows the patient saw it when registering.

  2. Obtain a separate authorization for each electronic disclosure outside TPO.
    Except for statutory exceptions, electronic disclosure to “any person” requires a separate authorization for each disclosure. Texas allows written, electronic, or even oral authorization if the oral instruction is documented in writing by the covered entity. HIPAA provides the familiar dividing line: 45 CFR 164.506 permits certain uses/disclosures for treatment, payment, and healthcare operations without authorization; 45 CFR 164.508 addresses authorizations for uses/disclosures beyond those defaults. The Texas rule adds specificity and a “per-disclosure” discipline for electronic sends to non-TPO recipients.

Why this matters financially and operationally.
Patients frequently request electronic sends to schools, employers, attorneys, coaches, apps, or family members. Without a per-disclosure authorization, a routine accommodation can become a violation. Posting the required notice and embedding a per-disclosure workflow in new-patient forms keeps your decisions consistent and auditable. Understanding this framework reduces risk because your evidence package (notice postings, form copies, and logs) matches what regulators review when evaluating complaints or incidents.

The OCR’s Authority in New-Patient Electronic Disclosures

HHS’s Office for Civil Rights (OCR) enforces HIPAA’s Privacy, Security, and Breach Notification Rules. OCR investigates complaints and breach reports and conducts compliance reviews; it assesses whether your policies, training, and authorizations meet HIPAA standards. In parallel, Texas authorities (e.g., the Attorney General) enforce § 181.154’s posting and authorization elements. In practice, a single misstep, say, emailing a lab summary to a school nurse at a parent’s request without a valid per-disclosure authorization, can raise questions under both HIPAA (impermissible disclosure if not otherwise permitted; 45 CFR 164.508) and HB300 (missing separate authorization for electronic disclosure; missing conspicuous notice). Designing intake so that you default to the stricter control (post the notice and collect the authorization unless the send is TPO) minimizes the chance that either authority finds a deficiency.

Step-by-Step Compliance Guide for Small Practices

The following steps directly align your new-patient process to § 181.154 and the corresponding HIPAA rules. For each step, we include how to comply, what evidence to keep, and a low-cost implementation tip.

  1. Publish your electronic disclosure notice, everywhere patients look.
    How to comply: Draft clear language stating that PHI may be electronically disclosed as permitted by law. Post it at check-in, in the lobby, and on the website/portal; echo the text in the new-patient packet.
    Evidence: Photos of lobby signage with date, portal screenshots, and a copy of the intake packet version.
    Low-cost tip: Use a single page with large font and a plain-English headline; add the notice as a persistent banner in your patient portal.

  2. Add a “TPO vs. non-TPO” question to intake.
    How to comply: Place a checkbox matrix on the forms: “I want my information electronically sent to: [another provider/plan (TPO)] [school/employer/attorney/app/family (non-TPO)].”
    Evidence: Completed forms and the intake checklist that routes non-TPO selections to authorization capture.
    Low-cost tip: Convert your paper form to a simple PDF with checkboxes; autosave scans to a “New Patient” folder.

  3. Embed a per-disclosure authorization request for non-TPO selections.
    How to comply: When a patient selects a non-TPO recipient, prompt for a separate authorization for that disclosure. Use a form that captures recipient identity, specific information, purpose, expiration, and revocation rights.
    Evidence: Signed authorization (e-sign or wet ink), or written documentation of an oral authorization.
    Low-cost tip: Keep a two-page authorization aligned to HIPAA elements and the Texas standard authorization model; store it with the visit date in a “Disclosures” subfolder.

  4. Create an “e-disclosure register”.
    How to comply: Log each non-TPO electronic disclosure: date, recipient, basis (authorization or exception), staff initials, and delivery method.
    Evidence: A spreadsheet or table exported monthly; attach the related authorization.
    Low-cost tip: Use a cloud spreadsheet with data validation (drop-downs for recipient types and delivery modes).

  5. Train staff to screen requests and push to the right workflow.
    How to comply: Within 90 days of hire and on material changes, train on the notice requirement, the TPO vs non-TPO decision, and how to handle requests to “email it to my coach/employer/app.”
    Evidence: Attestations, slide handout, and a one-page desk reference.
    Low-cost tip: Use a 10-minute micro-module and a three-question quiz; keep results with personnel files.

  6. Verify recipient identity for non-TPO electronic sends.
    How to comply: Before sending, confirm the recipient’s email, fax, portal ID, or app connection; document how you verified.
    Evidence: Verification notes (e.g., “called 555-0123; spoke with coach; confirmed address”).
    Low-cost tip: Add a “verification” column to your register; require staff initials.

  7. Document patient preferences for unencrypted transmission.
    How to comply: Default to portal or secure message. If a patient insists on unencrypted email, provide a brief risk warning and record the preference.
    Evidence: Signed or initialed preference acknowledgment.
    Low-cost tip: Add a one-paragraph “unencrypted preference” section to your authorization template.

  8. Refresh notice text when laws or policies materially change.
    How to comply: If you change EHRs, add new electronic pathways, or materially update your privacy policy, re-issue the notice and record the effective date.
    Evidence: Version history; screenshots of updated postings.
    Low-cost tip: Keep the notice as a snippet block so you can update it once and republish to all places.

  9. Audit five new-patient packets per month.
    How to comply: Confirm a posted notice exists, the TPO vs non-TPO screen is completed, and any non-TPO selection has a matching authorization and verification entry.
    Evidence: A one-page audit checklist and a corrective-action log that closes gaps within 14 days.
    Low-cost tip: Rotate the reviewer to build muscle across roles.

  10. Align your policy with “stricter rule governs”.
    How to comply: Add a two-page addendum stating the practice will follow HIPAA and apply Texas requirements where stricter, specifically referencing § 181.154 and the authorization rule for non-TPO electronic disclosures.
    Evidence: Versioned policy with staff acknowledgments.
    Low-cost tip: Print and insert into your existing HIPAA manual; collect signatures during a staff huddle.
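As an added illustration that is not part of the article or any practice's own tooling, the following Python script runs the step 9 audit over a constructed e-disclosure register built from the step 4 fields (plus the verification column from step 6 and the unencrypted-preference flag from step 7). The row layout, the recipient category names, and the field names are assumptions; the 14-day corrective-action window is the one the article states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Recipient categories as the article groups them (assumed labels).
TPO = {"provider", "plan"}
NON_TPO = {"school", "employer", "attorney", "app", "family", "camp"}
CORRECTIVE_ACTION_DAYS = 14  # step 9: close gaps within 14 days


@dataclass
class Entry:
    sent_on: date
    recipient_type: str              # one of TPO or NON_TPO
    basis: str                       # "tpo", "authorization" or "exception"
    authorization_id: Optional[str]  # signed auth, or documented oral auth
    verification: str                # e.g. "called 555-0123; confirmed address"
    delivery: str                    # "portal", "secure_message", "email", "fax"
    unencrypted_ack: bool            # patient's documented preference (step 7)
    staff: str                       # staff initials


def audit_entry(e: Entry) -> List[str]:
    """Return the step 9 findings for one register row (empty list = clean)."""
    findings = []
    if e.recipient_type in NON_TPO:
        if e.basis == "tpo":
            findings.append("non-TPO recipient logged under TPO basis")
        elif e.basis == "authorization" and not e.authorization_id:
            findings.append("non-TPO send without per-disclosure authorization")
        if not e.verification.strip():
            findings.append("no recipient verification note")
    elif e.recipient_type not in TPO:
        findings.append(f"unknown recipient type {e.recipient_type!r}")
    if e.delivery == "email" and not e.unencrypted_ack:
        findings.append("unencrypted email without documented preference")
    if not e.staff:
        findings.append("missing staff initials")
    return findings


def audit_register(entries: List[Entry]) -> dict:
    """Map row index -> findings for every row that is not clean."""
    return {i: f for i, e in enumerate(entries) if (f := audit_entry(e))}


def corrective_action_due(found_on: date) -> date:
    """Deadline for closing a gap found on the audit date."""
    return found_on + timedelta(days=CORRECTIVE_ACTION_DAYS)


# Constructed sample rows; no real patient data.
SAMPLE = [
    Entry(date(2024, 3, 4), "provider", "tpo", None, "", "portal", False, "JL"),
    Entry(date(2024, 3, 5), "camp", "authorization", "AUTH-0007",
          "called camp office; confirmed fax number", "fax", False, "JL"),
    Entry(date(2024, 3, 6), "school", "tpo", None, "", "email", False, "MR"),
]

if __name__ == "__main__":
    for idx, findings in audit_register(SAMPLE).items():
        print(f"row {idx}: {findings}; close by {corrective_action_due(date(2024, 3, 31))}")
```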

Case Study

A three-provider pediatrics clinic revamped its intake process but omitted the HB300 electronic disclosure notice. Parents routinely asked the practice to email vaccination records to schools and camp programs. Staff assumed a general “yes” at registration covered these electronic sends. One parent complained that a camp received more information than intended, prompting a review.

What investigators requested: copies of posted notices, website/portal screenshots, intake packets, authorization forms for the camp emails, and a log of disclosures.

What the clinic could show: HIPAA policies and general authorization templates, but no conspicuous electronic disclosure notice and no separate per-disclosure authorizations for the emails to camps. The patient portal had no banner explaining that PHI may be electronically disclosed.

Corrective actions: Within two weeks, the clinic posted lobby notices, added a portal banner, inserted a TPO vs non-TPO checkbox into new-patient forms, and deployed a per-disclosure authorization template and an e-disclosure register. It retrained staff with a 12-minute module and added a mini-audit.

Outcome: The clinic handled parent complaints, tightened its scope of records sent to camps, and avoided further escalation. The swift, documentable remediation aligned intake with § 181.154 and HIPAA authorization requirements and closed the gaps that triggered the complaint.

Simplified Self-Audit Checklist for the Electronic Disclosure Notice Requirement

A short, focused checklist helps small practices verify compliance while generating evidence that mitigates penalties if a complaint arises.

Task | Responsible Role | Timeline/Frequency | CFR Reference
--- | --- | --- | ---
Post conspicuous electronic disclosure notice in lobby and portal; include in new-patient packet. | Office Manager / Privacy Officer | Verify quarterly | Texas Health & Safety Code § 181.154(a)
Screen new-patient forms for TPO vs non-TPO requests. | Front Desk / Nursing | Each intake | 45 CFR 164.506; § 181.154(b) trigger logic
Capture per-disclosure authorization for each non-TPO electronic send. | Front Desk / Records | Per disclosure | 45 CFR 164.508; § 181.154(b)
Log non-TPO electronic disclosures in the e-disclosure register (date, recipient, basis, verification). | Privacy Officer | Ongoing; review monthly | § 181.154(b) (per-disclosure discipline)
Train within 90 days of hire and on material changes on notice, TPO vs non-TPO, and authorizations. | Privacy Officer / HR | New hires; change-driven | HIPAA administrative safeguards; Texas training program alignment
Verify recipient identity and patient preference for secure vs unencrypted delivery. | All Staff (sending) | Per disclosure | HIPAA Security/Privacy safeguards
Perform five-record monthly intake audits; close any corrective action within 14 days. | Privacy Officer | Monthly | HIPAA documentation and monitoring standards

By running this checklist, you ensure the notice is posted, the intake screen is used, and every non-TPO electronic send is backed by a compliant authorization, substantially reducing complaint risk.

Common Pitfalls to Avoid Under § 181.154 and 45 CFR 164.506/164.508

Even well-run clinics stumble on predictable issues. Address the following to prevent avoidable violations.

  • Assuming a general HIPAA acknowledgment covers non-TPO electronic sends. A broad consent is not the same as the separate, per-disclosure authorization Texas expects for many electronic disclosures outside TPO. Practically, this creates gaps staff may not recognize until a complaint. Addressing it by embedding a per-disclosure step in intake keeps you aligned.
  • Posting the notice only on paper, not in the portal. Patients increasingly interact online. If the portal lacks a banner or notice page, your “conspicuous” posting is incomplete. Duplicating the text in both places ensures patients see it before requesting electronic sends.
  • Emailing to third parties without recipient verification. A mistyped address turns a courtesy into an incident. A one-line verification note prevents most misdirected emails and demonstrates diligence.
  • Bundling too much information into non-TPO sends. If a camp needs only immunizations, do not send the entire chart. Keeping the authorization request specific (information, purpose, expiration) maintains minimum-necessary discipline.
  • Neglecting to renew or version the notice after system changes. New EHRs, apps, or exchange partners are “material changes.” Republish your notice and retrain staff, so the new workflows are reflected in intake.

Avoiding these pitfalls shortens the path from request to compliant delivery and strengthens your audit posture.

Best Practices for Compliance

The best practices below are inexpensive and directly address § 181.154 and HIPAA cross-references.

  • Two-pane decision card at every workstation. Left pane lists routine TPO transmissions (provider-to-provider, plan billing). Right pane lists common non-TPO electronic requests (schools, employers, attorneys, personal apps, extended family) that trigger per-disclosure authorization.
  • Portal banner with evergreen notice language. Keep a permanent banner or footer link with clear notice text and a link to your privacy practices. This satisfies the “conspicuous” standard in the online space.
  • Authorization template pack. Maintain a short form for one-time sends and a slightly longer one for periodic disclosures (for example, monthly school updates). Both should specify scope and expiration.
  • One-folder “e-disclosure register”. Keep a dated spreadsheet and scan or upload authorizations alongside. This creates a complete evidence trail in minutes.
  • Five-record monthly spot check. Review a handful of new-patient packets and recent non-TPO sends; close gaps quickly and file proof of remediation.

These practices keep the compliant action faster than the risky one and generate the artifacts that regulators ask for first.

Building a Culture of Compliance Around the Electronic Disclosure Notice

Sustainable compliance comes from habits. For small teams, culture means clarity about what to do in common scenarios.

  • Leaders set the tone at intake. Start monthly huddles with one metric, “percent of new-patient packets that include the TPO vs non-TPO screen”, and publicly recognize staff who caught a risky send and routed it to authorization.
  • Name owners and backups. Post who owns the notice postings, portal banner, authorization templates, and the e-disclosure register; assign backups for vacations.
  • Normalize the pause. Staff should feel comfortable asking, “Is this TPO, or do we need a per-disclosure authorization?” in front of patients without blame.
  • Quarterly micro-drills. Practice two scenarios: (1) parent asks to email immunizations to a camp; (2) patient asks to forward records to an employer HR portal. Update scripts and templates after each drill.
  • Onboarding hooks. Make the decision card and notice script part of day-one training; collect acknowledgments and file them with HR.

Culture turns the statute from a compliance burden into a reliable routine.

Concluding Recommendations, Advisers, and Next Steps

The cleanest way to comply with HB300’s electronic disclosure notice rule is to make intake your control center. Post a conspicuous notice in the lobby and portal, use forms that separate TPO from non-TPO requests, and capture a per-disclosure authorization whenever a patient wants PHI sent electronically to a non-TPO recipient. Tie each send to a simple register entry with recipient verification. These steps are inexpensive, easy to teach, and produce the evidence that resolves most complaints.

Advisers

  • Use HHS/OCR’s HIPAA summaries to align your authorization content with 45 CFR 164.508 and to reinforce staff understanding of 45 CFR 164.506 TPO rules.
  • Consult the state statute for the exact posting and per-disclosure requirements in § 181.154.
  • Refer to the Texas Attorney General’s standard Authorization to Disclose PHI form as a model for your own template.
  • If budgets are tight, run the program with a shared drive, e-sign for authorizations, and a simple spreadsheet for the e-disclosure register; consider light workflow tools only as volumes grow.

Next steps

  • Today: Post notice text in the lobby and portal; insert the notice and TPO/non-TPO question into the new-patient packet.
  • This week: Deploy the per-disclosure authorization template and the e-disclosure register; train staff with a short module.
  • This month: Run a five-record intake audit; close any gaps within 14 days; schedule the next quarterly micro-drill.
