PHI Sale Exceptions: What HB300 Allows for Treatment, Payment, and Operations

Executive Summary

Texas HB300 draws a sharp line against selling protected health information (PHI). However, it also recognizes practical, patient-serving exceptions when PHI disclosure enables treatment, payment, and health care operations (TPO). Under Texas Health & Safety Code § 181.153, a covered entity may not disclose PHI in exchange for remuneration, with narrow exceptions including disclosures to another covered entity for treatment, payment, or health care operations and for certain insurance or HMO functions; § 181.154 addresses notice and authorization for electronic disclosures, with similar TPO exceptions. In parallel, HIPAA’s 45 CFR § 164.502(a)(5)(ii) prohibits the sale of PHI without specific authorization, while 45 CFR § 164.506 permits TPO disclosures without authorization and § 164.508(a)(4) sets special authorization requirements for any permitted “sale” of PHI. For small clinics, understanding how HB300 and HIPAA interlock in TPO scenarios is essential to speed care, get paid, and avoid unlawful “sales” that can trigger enforcement. Properly classifying disclosures, documenting cost-based fees, and maintaining tight vendor contracts keep Texas practices compliant and out of penalty territory.

Introduction

Small Texas clinics must move patient data every day: sending referrals, submitting claims, working denials, and reconciling quality metrics. HB300, the Texas Medical Records Privacy Act, adds state-level guardrails on top of HIPAA, particularly by banning the sale of PHI for remuneration and by requiring notice/authorization for electronic disclosures unless an exception applies. The good news is that both legal frameworks converge on a familiar anchor: TPO. If a disclosure falls within treatment, payment, or health care operations, you typically do not need a patient authorization, and the transaction will generally not be treated as a prohibited sale, provided no remuneration beyond reasonable, cost-based fees changes hands and all other conditions are met. This guide translates those rules into step-by-step controls your front desk, medical records clerks, and billing vendors can actually use.

Understanding PHI Sale Exceptions for TPO Under Texas HB300 and HIPAA

Texas HB300’s § 181.153 states that a covered entity may not disclose PHI “in exchange for direct or indirect remuneration”, except when disclosing to another covered entity for treatment, payment, or health care operations (TPO) or for certain Insurance Code § 602.053 insurer/HMO functions; otherwise, disclosure must be “authorized or required by law”. It further limits any remuneration for certain insurance/HMO-related disclosures to the reasonable costs of preparing or transmitting PHI. Texas § 181.154 separately requires notice and authorization for electronic disclosures, but exempts TPO, insurer/HMO functions, and disclosures otherwise required or authorized by law. These two sections work together: § 181.153 polices remuneration and “sale”, while § 181.154 governs electronic disclosure consent, both carving out TPO.

HIPAA aligns with that structure. 45 CFR § 164.502(a)(5)(ii) prohibits the sale of PHI, defining it as a disclosure where the covered entity receives remuneration in exchange for the PHI. Crucially, the regulation lists exclusions, including disclosures for treatment and payment pursuant to § 164.506(a) and certain health care operations, provided only a reasonable, cost-based fee to prepare or transmit PHI is received. In short, TPO disclosures without profit and consistent with HIPAA are not a “sale”. If a transaction involves remuneration for the data itself, HIPAA requires an authorization under § 164.508(a)(4), and Texas § 181.153 would independently prohibit the transaction unless a statutory exception applies. Together, these rules reduce risk by ensuring PHI flows for patient care and payment while blocking data monetization.

Why mastering this legal framework reduces risk and penalties: Small clinics frequently interact with billing services, clearinghouses, referral partners, and payers. Mislabeling a paid data feed as “operations” when it really compensates the clinic primarily for the data can trigger the HIPAA sale-of-PHI prohibition and violate HB300’s remuneration ban. Building a TPO-first decision pathway and rejecting any payments that exceed cost-based fees sharply lowers enforcement exposure.

The OCR’s Authority in the PHI-Sale/TPO Space

The Office for Civil Rights (OCR) at HHS enforces HIPAA’s Privacy Rule, including the sale-of-PHI prohibition and TPO provisions (45 CFR § 164.502, § 164.506, § 164.508). OCR opens investigations based on complaints, breach reports, and compliance reviews. If your clinic improperly accepts remuneration for disclosing PHI outside the enumerated HIPAA exceptions, OCR can investigate, require corrective action, and impose civil monetary penalties. Separately, Texas HB300 is enforced by Texas authorities (including the Attorney General). Therefore, a single misstep can invite dual oversight: OCR for federal HIPAA violations and the Texas AG for HB300 violations. Complaints from patients, business associate incidents, or payer audits can all trigger reviews.

Triggers to expect:

  • Patient complaints alleging PHI disclosure to third parties with “kickbacks” or marketing.

  • Breach notifications that reveal a pattern of remunerated data sharing.

  • OCR compliance reviews, whether random or following large breaches or vendor enforcement actions.

  • Texas AG inquiries on HB300 compliance where remuneration or electronic disclosure notice/authorization is in question.

Understanding that OCR handles the federal side while Texas handles the state side helps small practices design controls that satisfy both standards at once.

Step-by-Step Compliance Guide for Small Practices

Because TPO exceptions carry the workload for day-to-day patient care, controls must be simple, repeatable, and documented.

  1. Classify the Disclosure (T, P, or O).
    How to comply: On every outbound disclosure outside routine claim flows, tag it as Treatment, Payment, or Operations (or “Not TPO”). If Not TPO, pause and route to privacy officer.
    Required evidence: A brief note in the EHR or disclosure log indicating the purpose and recipient’s covered-entity status.
    Low-cost implementation: Add quick-pick T/P/O buttons to your disclosure request form; use a shared spreadsheet if your EHR lacks fields.

  2. Verify Recipient Status and Need-to-Know.
    How to comply: Confirm whether the recipient is a covered entity or business associate and that the disclosure is the minimum necessary for the stated purpose (operations/payment; minimum necessary does not apply to treatment).
    Required evidence: Recipient’s NPI or contract/BAA on file; documentation of data elements disclosed.
    Low-cost implementation: Maintain a one-page roster of frequent recipients, indicating their status and permitted datasets.

  3. Screen for Remuneration (Cost vs. Profit).
    How to comply: Determine whether any payment is tied to the data itself. If remuneration exceeds a reasonable, cost-based fee for preparing/transmitting PHI, treat it as a sale and require HIPAA authorization (and consider whether Texas § 181.153 prohibits it).
    Required evidence: A simple internal cost worksheet showing labor/time, system fees, media/secure transfer costs.
    Low-cost implementation: Use a spreadsheet template with default cost rates (e.g., staff minutes × hourly rate plus secure transfer fees).

  4. Apply the Texas Electronic Disclosure Rule.
    How to comply: For electronic disclosures, ensure notice was provided and authorization is on file unless the disclosure is for TPO, insurer/HMO functions recognized in statute, or otherwise authorized/required by law.
    Required evidence: The patient’s acknowledgement of electronic disclosure notice (e.g., in new-patient forms) and, when required, a signed authorization.
    Low-cost implementation: Embed the electronic disclosure notice in intake packets and your portal welcome email; capture e-signatures.

  5. Use Strong Business Associate Agreements (BAAs).
    How to comply: Execute BAAs with any vendor handling PHI. The BAA should forbid remunerated disclosures that constitute a sale, limit fees to cost-based amounts for PHI preparation/transmission, and require sub-BAAs as needed.
    Required evidence: Executed BAA; vendor SOC 2 or equivalent; due-diligence checklist.
    Low-cost implementation: Start with HHS sample clauses; maintain a one-page BAA compliance checklist per vendor.

  6. Log Disclosures and Denials.
    How to comply: Maintain a disclosure log for non-routine disclosures, recording purpose (T/P/O), data elements, recipient, cost recovery, and authorization status.
    Required evidence: Periodic log review and exception report by the privacy officer.
    Low-cost implementation: A protected spreadsheet with monthly sign-off.

  7. Train on Red Flags.
    How to comply: Educate staff that any offer to pay the clinic for data is a red flag; route to privacy officer immediately.
    Required evidence: Training rosters within 90 days of hire and at least every 2 years; refreshers after material changes.
    Low-cost implementation: 30-minute micro-learning module with 3 scenario quizzes.

  8. Respond to Requests Outside TPO.
    How to comply: For marketing, research with remuneration, or third-party data feeds, require a HIPAA-valid authorization that clearly states remuneration, or decline the request.
    Required evidence: Authorization forms meeting § 164.508 content; legal review for unusual transactions.
    Low-cost implementation: Keep a pre-vetted authorization template; train staff to say “We need a signed authorization.”

  9. Perform Quarterly Mini-Audits.
    How to comply: Sample 10 disclosures per quarter; verify TPO tagging, recipient status, cost worksheet, and notice/authorization where applicable.
    Required evidence: Audit checklist and corrective-action items.
    Low-cost implementation: Assign to office manager with privacy officer oversight.
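The decision pathway in steps 1 through 4 can be encoded as a small screening helper so the same test is applied to every non-routine disclosure. This is an added example, not code from the article; the rules are the article's, while the `Disclosure` fields, outcome labels, and the sample cost breakdown are constructed for illustration.

```python
"""Remuneration/TPO screen for non-routine PHI disclosures (added example).
Step 3 runs first: any payment above the cost-based fee is a red flag
regardless of how the disclosure is labelled."""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    TPO_OK = "TPO disclosure to a covered entity/BA; no authorization needed"
    TREAT_AS_SALE = ("Remuneration exceeds cost basis: treat as a sale; require "
                     "a 164.508(a)(4) authorization and check Tex. 181.153")
    NEEDS_TX_NOTICE_OR_AUTH = ("Electronic non-TPO disclosure: Texas 181.154 "
                               "notice/authorization not on file")
    ROUTE_TO_PRIVACY_OFFICER = "Not TPO: pause and route to privacy officer"


TPO_PURPOSES = {"T", "P", "O"}


def cost_based_fee(staff_minutes: float, hourly_rate: float, transfer_fee: float) -> float:
    """Step 3 worksheet: staff minutes x hourly rate plus secure transfer cost."""
    return round(staff_minutes / 60 * hourly_rate + transfer_fee, 2)


@dataclass
class Disclosure:
    purpose: str                  # "T", "P", "O", or "NOT_TPO" (step 1 tag)
    recipient_is_ce_or_ba: bool   # step 2: covered entity or business associate
    electronic: bool              # step 4 applies to electronic disclosures
    tx_notice_on_file: bool       # Texas electronic disclosure notice acknowledged
    authorization_on_file: bool   # signed authorization, when required
    fee_offered: float            # dollars the recipient proposes to pay
    cost_basis: float             # output of cost_based_fee()


def screen(d: Disclosure) -> Outcome:
    """Apply the article's TPO-first pathway and return the required action."""
    if d.fee_offered > d.cost_basis:
        return Outcome.TREAT_AS_SALE
    if d.purpose in TPO_PURPOSES and d.recipient_is_ce_or_ba:
        return Outcome.TPO_OK
    if d.electronic and not (d.tx_notice_on_file and d.authorization_on_file):
        return Outcome.NEEDS_TX_NOTICE_OR_AUTH
    return Outcome.ROUTE_TO_PRIVACY_OFFICER


# Constructed breakdown matching the case study's $45/month estimate.
CASE_STUDY_COST = cost_based_fee(staff_minutes=60, hourly_rate=30.0, transfer_fee=15.0)
CASE_STUDY_OFFER = Disclosure("O", True, True, True, False, 300.0, CASE_STUDY_COST)
```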

Case Study

A three-provider Texas clinic considered a “data-sharing stipend” from a revenue cycle analytics firm that wanted monthly exports of payer-adjudicated claims with diagnosis codes and demographic fields. The vendor offered $300/month “for effort”. The clinic believed this was operations, but the stipend exceeded the clinic’s cost-based fee (estimated at $45/month for staff time and secure transfer). The privacy officer compared the arrangement to HIPAA’s sale-of-PHI rule and Texas HB300 § 181.153. Because the payment was tied to the data feed itself and exceeded reasonable costs, the disclosure would likely be treated as a sale under HIPAA absent a § 164.508(a)(4) authorization explicitly stating remuneration. HB300 would separately prohibit such remunerated disclosures except for narrow exceptions. The clinic declined the stipend, negotiated a no-remuneration clause, and limited the export to minimum necessary fields for documented operations (denial management).

Outcomes:

  • Legal: Avoided a likely HIPAA sale-of-PHI authorization requirement and state-law prohibition.

  • Financial: No penalty risk; vendor accepted a cost-based fee of $45/month for file preparation.

  • Reputational: Transparency preserved trust; patients were not asked to sign unusual authorizations that might raise questions.

Simplified Self-Audit Checklist for PHI Sale Exceptions (HB300/HIPAA)

Task | Responsible Role | Timeline/Frequency | CFR Reference
Tag each non-routine disclosure as T, P, or O and verify recipient status (covered entity/BA). | Front desk / HIM / Privacy Officer | At time of disclosure | 45 CFR § 164.506; 45 CFR § 164.502(a)(5)(ii)
Run remuneration screen and complete cost-based fee worksheet before any paid data transfer. | Privacy Officer / Billing Lead | Prior to first disclosure and annually thereafter | 45 CFR § 164.502(a)(5)(ii); 45 CFR § 164.508(a)(4)
Confirm Texas electronic disclosure notice on file; obtain authorization when required. | Front desk / HIM | At intake; re-verify on request | Tex. Health & Safety Code § 181.154
Maintain and review disclosure log including purpose, elements, and cost basis. | HIM / Privacy Officer | Monthly review | 45 CFR § 164.528 (accounting); 45 CFR § 164.502(a)(5)(ii)
Ensure BAAs prohibit sales and limit fees to cost-based PHI prep/transmission. | Administrator / Privacy Officer | At contracting; annual review | 45 CFR § 164.502(e); § 164.504(e)
Provide staff training on sale-of-PHI red flags and TPO exceptions. | Privacy Officer | Within 90 days of hire; biennially; on material change | 45 CFR § 164.530(b); Federal Register guidance (2013 Omnibus Rule)
Perform quarterly mini-audits of 10 disclosures with corrective actions. | Privacy Officer | Quarterly | 45 CFR § 164.530(c); Tex. § 181.153

Common Pitfalls to Avoid Under the Cited Rules

Before listing pitfalls, remember that most daily disclosures are legitimate TPO and not sales. Pitfalls arise when money for data is involved or when operations are stretched beyond their legal scope.

  • Treating vendor “stipends” as harmless. Payments that exceed cost-based preparation/transmission fees can convert an operations disclosure into a sale under 45 CFR § 164.502(a)(5)(ii), risking HIPAA violations and conflicting with Tex. § 181.153. The practical consequence is potential enforcement and required authorizations that are burdensome and reputationally risky.

  • Calling marketing “operations”. If the purpose is to encourage product/service purchase unrelated to the patient’s care, it is marketing and typically requires authorization (45 CFR § 164.508). Mislabeling invites OCR findings and patient complaints.

  • Skipping Texas electronic disclosure notices. Failing to give the notice required by § 181.154 (and obtaining authorization when applicable) exposes the clinic to state enforcement and undermines patient trust.

  • Over-disclosing data elements. TPO does not license sending full records indiscriminately. Over-disclosure can violate minimum necessary for operations/payment and increase breach exposure.

  • Weak BAAs. Vendors that resell, repurpose, or mine PHI without explicit limits can drag a clinic into noncompliance. HIPAA § 164.502(e) and § 164.504(e) require BAAs with strong controls; Texas law adds risk when remuneration is involved.

Wrapping up: A simple red-flag + cost-basis protocol prevents most pitfalls and keeps TPO disclosures squarely within the HB300/HIPAA safe lane.

Best Practices for PHI-Sale Exception Compliance

These practices help small clinics do the right thing quickly:

  • Adopt a TPO Decision Card. A laminated card at each workstation with three questions: “Is it Treatment, Payment, or Operations? Is the recipient a covered entity/BA? Is any money tied to the data?” Staff can resolve 90 percent of scenarios at the point of need (45 CFR § 164.506; § 164.502(a)(5)(ii)).

  • Standardize Cost-Based Fees. Set a clinic-wide schedule for labor minutes, export time, and secure transmission costs to ensure any permitted fees remain cost-based (HIPAA sale exclusion; Tex. § 181.153(b) for insurer/HMO functions).

  • Hard-stop for Remuneration. Configure a privacy officer “hard-stop” when any vendor proposes payment linked to a data feed; require legal review and, if applicable, patient authorization under § 164.508(a)(4).

  • Strengthen BAAs with Data Use Controls. BAAs should include no resale/no secondary use, sub-BAA flow-downs, breach notice timelines, and audit rights (§ 164.502(e), § 164.504(e)).

  • Keep Authorization Templates Ready. For disclosures outside TPO (marketing, research with remuneration), maintain a compliant authorization template explicitly stating remuneration (§ 164.508).

  • Log and Trend. Monthly disclosure log reviews surface patterns, such as a vendor requesting more fields than needed. Early detection avoids scope creep.

When implemented together, these practices reduce ambiguity, channel disclosures into TPO lanes, and make any non-TPO request immediately visible.

Building a Culture of Compliance Around PHI Sale Exceptions

Culture turns rules into reflexes. Start by giving every staff member a clear playbook and pairing it with oversight that is encouraging, not punitive.

  • Staff training with scenarios. Use three short scenarios quarterly (referral, payer audit, vendor “stipend”) so people practice the TPO/cost-basis test.

  • Leadership modeling. Physicians and administrators should refuse non-TPO data requests and explain why to staff, reinforcing that protecting PHI is part of patient care.

  • Feedback loop. Create an email alias or form (“Privacy Check”) where staff can ask, “Is this a sale?” The privacy officer responds within one business day.

  • Metric: zero unauthorized remunerated disclosures. Track this as a standing quality metric with board/owner oversight.

  • Post-incident learning. If a disclosure is questioned, hold a 15-minute huddle to review the TPO decision and cost analysis, then update the playbook.

A supportive culture prevents mistakes and shows regulators that compliance is intentional and continuous.

Concluding Recommendations, Advisers, and Next Steps

For small Texas clinics, HB300 and HIPAA align on a core point: don’t sell PHI. TPO disclosures are permissible without authorization, but any payment tied to the data itself is a red flag. Keep remuneration to reasonable, cost-based preparation/transmission fees, deliver Texas-required electronic disclosure notices, and use robust BAAs to close downstream risks.

Advisers:

  • HHS/OCR HIPAA Guidance (free): Use the eCFR text for § 164.502, § 164.506, and § 164.508 as your ground truth and incorporate into staff training.

  • Federal Register (free): The 2013 Omnibus Rule preamble explains the sale-of-PHI concept in plain language; excerpt key paragraphs for your policy binder.

  • Templates & Logs (low-cost/in-house): Build your disclosure log and cost worksheet in a spreadsheet; adopt low-cost secure transfer (encrypted email with TLS, secure portals).

  • Vendor Risk Management (budget-friendly): Ask vendors for existing SOC 2 summaries or HIPAA attestations rather than commissioning new audits.

These advisers and tools give small practices everything needed to stand up an HB300/HIPAA-aligned process without expensive software.