PHI Protection for Texas Clinics: Where HB300 Preempts HIPAA for Stricter Rules
Executive Summary
For Texas clinics, compliance is not a question of choosing between HIPAA and Texas HB 300. Federal law establishes a preemption framework under 45 CFR §§ 160.202–160.205 that determines which rule applies in any given situation involving protected health information (PHI). Under this framework, HIPAA generally preempts contrary state laws unless the state law is more stringent with respect to the privacy of individually identifiable health information. When a state law is more stringent, it controls.
Texas HB 300, codified primarily in Texas Health & Safety Code Chapter 181, contains multiple provisions that exceed the HIPAA baseline. These provisions affect training requirements, patient access timelines, marketing restrictions, authorization standards, and enforcement exposure. For small and mid-sized Texas practices, understanding and documenting when HB 300 controls is essential to reducing enforcement risk and maintaining audit readiness.
Introduction
Texas HB 300 is often described as “stricter than HIPAA,” but that shorthand can be misleading without a clear legal method for application. Clinics are not expected to default blindly to state law. Instead, HIPAA itself supplies the governing analysis. The HIPAA Administrative Simplification Rules include a dedicated preemption subpart that explains when state law controls and why.
This article translates that federal preemption framework into an operational model for Texas clinics. It explains how to identify conflicts, apply the “more stringent” test, and document decisions so that privacy practices remain defensible under both federal and Texas law.
Understanding HIPAA Preemption Under 45 CFR §§ 160.202–160.205
The HIPAA preemption rules provide a structured analysis that applies nationwide, including Texas.
General Rule
A HIPAA standard, requirement, or implementation specification that is contrary to a provision of state law preempts that provision (45 CFR § 160.203). "Contrary" is a defined term in § 160.202: a covered entity or business associate would find it impossible to comply with both the state and the federal requirement, or the state law stands as an obstacle to the purposes of HIPAA. A state law that simply adds an obligation without conflicting with HIPAA is not contrary and is not preempted at all; the question of stringency only arises once a genuine conflict exists.
Key Exception
HIPAA does not preempt a contrary state law that relates to the privacy of individually identifiable health information and is more stringent than the HIPAA requirement (45 CFR § 160.203(b)). Section 160.203 also carves out state public health and vital-statistics reporting, state-mandated health plan reporting, and laws for which the HHS Secretary has issued an exception determination, but the more-stringent exception is the one that matters for day-to-day PHI handling in a clinic.
The “More Stringent” Test
Under 45 CFR § 160.202 a state law is more stringent if, compared with the HIPAA provision, it meets one or more of these criteria:
- Prohibits or restricts a use or disclosure that HIPAA would permit (other than disclosures to the individual or to the HHS Secretary for compliance purposes)
- Gives the individual greater rights of access to, or amendment of, their information
- Requires that more information be given to the individual about uses, disclosures, rights, and remedies
- Imposes narrower or more protective requirements for authorization or consent (shorter duration, narrower scope, less coercive circumstances)
- Requires more detailed or longer retention of records or accounting of disclosures
- On any other matter, provides greater privacy protection for the individual
The comparison is made provision by provision, not statute by statute: a single section of Chapter 181 can be more stringent for one activity while HIPAA remains the controlling rule for everything else.
Practical Effect for Texas Clinics
When a Texas requirement meets that test for a specific use or disclosure of PHI, the Texas requirement governs that activity. Once the comparison has been made and recorded, the clinic should treat the more protective rule as its operating standard for that workflow rather than re-deciding it case by case.
Texas HB 300 Within the Preemption Framework
Texas HB 300 amended and expanded Health & Safety Code Chapter 181 to align with HIPAA while also imposing additional obligations. Key areas where HB 300 is commonly more stringent include:
- Mandatory workforce training deadlines, refresh intervals, and attendance records
- Restrictions on marketing uses of PHI and on the sale of PHI
- Patient access to electronic health records on a shorter timeline
- Consent and authorization requirements
- State-level enforcement mechanisms and penalties
HB 300 expressly requires covered entities to comply with HIPAA while also complying with Chapter 181 (§ 181.004), subject to preemption principles. This statutory structure mirrors the federal framework rather than replacing it. One caveat matters when mapping obligations: Chapter 181 defines "covered entity" more broadly than HIPAA (§ 181.001(b)(2)), reaching any person who assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI. A vendor that is only a business associate under HIPAA is a covered entity in its own right under Chapter 181, so the Texas rules apply to it directly and not merely through a contract.
OCR Authority and Texas Enforcement Boundaries
The HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. OCR does not enforce Texas statutes. However, OCR expects HIPAA-regulated entities to comply with non-preempted state laws when those laws are more stringent.
Texas HB 300 is enforced by Texas authorities, including the Office of the Attorney General and applicable state licensing agencies. Separately, the HITECH Act (42 U.S.C. § 1320d-5(d)) lets state attorneys general bring civil actions for HIPAA violations, so the Texas Attorney General can act under both the federal and the state law. As a result, Texas clinics face dual exposure:
- Federal enforcement for HIPAA violations, by OCR or by the Texas Attorney General acting under HITECH
- State enforcement for violations of Chapter 181 where it is not preempted
Understanding preemption helps clinics manage both risks simultaneously.
Step-by-Step Compliance Workflow for Texas Clinics
Step 1: Identify the PHI Use or Disclosure
Record the PHI involved, why Chapter 181 applies to the clinic and to this activity, the recipient, and the purpose of the use or disclosure.
Step 2: Compare HIPAA and Texas Requirements
Determine whether Texas law imposes a stricter rule than HIPAA for that specific scenario.
Step 3: Apply the More Stringent Rule
If Texas law provides greater privacy protection or patient rights, apply the Texas standard for that workflow.
Step 4: Document the Decision
Maintain a short written record explaining why the Texas rule controls under 45 CFR §§ 160.202–160.205.
Table: HIPAA Baseline vs. Texas HB 300 Overlay

| Compliance Area | HIPAA Baseline | Texas HB 300 Impact | Controlling Standard |
|---|---|---|---|
| Workforce Training | Required (45 CFR § 164.530(b)); no fixed deadline or refresh interval | Initial training not later than the 90th day after hire (60 days under HB 300 as enacted, extended by a 2013 amendment) and at least once every two years; signed attendance statements retained for six years (§ 181.101) | Texas HB 300 |
| Marketing Uses of PHI | Authorization required, with exceptions (45 CFR § 164.508(a)(3)) | Written permission required for marketing disclosures with narrower exceptions; sale of PHI prohibited outside listed exceptions (§§ 181.152–181.153) | Texas HB 300 |
| Patient EHR Access | 30 days, with one 30-day extension (45 CFR § 164.524) | Electronic copy within 15 business days when the clinic's EHR system can produce it (§ 181.102) | Texas HB 300 |
| Minimum Necessary | 45 CFR § 164.502(b) | No separate state standard; the HIPAA rule applies through § 181.004 and is therefore also state-enforceable | HIPAA baseline |
| Enforcement | OCR civil money penalties; state attorneys general may also sue under HITECH | Attorney General civil penalties and injunctions, plus licensing-agency discipline (§§ 181.201–181.202) | Dual enforcement |
Checklist: PHI Protection Self-Audit for Texas Clinics
- PHI workflows mapped and updated after every EHR or process change
- Activities subject to Chapter 181 clearly flagged
- Preemption comparisons documented, with the controlling rule named for each workflow
- Workforce training records, including signed attendance statements, retained
- Authorization and disclosure templates reviewed against both HIPAA and Chapter 181
- Vendor and business associate agreements reviewed for Chapter 181 obligations, since those vendors are themselves covered entities under Texas law
- Incident response plan includes a state-law review step alongside the HIPAA breach analysis
Common Pitfalls to Avoid
- Assuming HIPAA always controls without performing a preemption analysis
- Treating HB 300 as optional guidance rather than enforceable law
- Failing to document why a stricter rule was adopted
- Using vendor defaults that conflict with Texas requirements
- Allowing policies to become outdated after EHR or workflow changes
These gaps often surface during investigations and weaken a clinic’s compliance posture.
Building a Sustainable Compliance Culture
Effective PHI protection depends on consistency rather than complexity. Clinics should assign clear ownership, reinforce expectations through brief training, and normalize early escalation of privacy questions. Maintaining simple documentation of preemption decisions demonstrates good-faith compliance and supports defensibility during audits or complaints.
Conclusion
For Texas clinics, HIPAA and HB 300 operate together through the federal preemption framework. HIPAA establishes the baseline, and Texas law controls when it provides greater privacy protection or stronger patient rights. By applying 45 CFR §§ 160.202–160.205 methodically and documenting decisions, clinics can protect PHI, reduce enforcement exposure, and maintain trust with patients and regulators.
A practical reinforcement is to track these obligations in a compliance management system that records each preemption comparison, schedules training and policy reviews, and keeps audit evidence in one place. The aim is that each decision described above is documented once and kept current, rather than reconstructed under pressure during an audit or investigation.