Small Practice Compliance Check: The Texas Medical Records Privacy Act Checklist

Executive Summary

The Texas Medical Records Privacy Act (TMRPA), codified in Texas Health & Safety Code Chapter 181, establishes privacy and security obligations for Texas covered entities that are often more stringent than HIPAA. HIPAA at 45 CFR Part 164 remains the federal baseline, but HIPAA does not preempt more stringent state law, so Texas law controls wherever it provides greater protection or a shorter timeline.

For small practices, the most operationally significant Texas requirements include:

  • A notice-plus-authorization model for many electronic PHI disclosures outside treatment, payment, and health care operations

  • 15-business-day deadline for providing electronic health records when the EHR can fulfill the request

  • Role-based workforce training within 90 days of hire, with documentation retained

  • A penalty framework tied to negligence, intent, and patterns of conduct

This checklist article converts Chapter 181 into concrete steps, artifacts, and audit routines sized for small clinics.

Introduction

Small practices rarely maintain dedicated compliance departments, yet they face the same statutory obligations as larger systems. Texas expanded its medical privacy law through the HB 300 amendments (2011) to accelerate patient access to ePHI, tighten rules around electronic disclosures, mandate workforce training timelines, and establish graduated penalty tiers.

HIPAA continues to govern permissible uses and disclosures, safeguards, breach notification, and individual rights. However, when Texas law is stricter, Texas controls. This guide blends the two regimes into a single, auditable checklist designed to reduce enforcement risk and simplify day-to-day decisions.

Understanding Small Practice Compliance Under Chapter 181 and 45 CFR Part 164

Chapter 181 applies to Texas covered entities handling PHI of Texas residents and supplements HIPAA. Key intersections include:

Uses and disclosures

HIPAA permits uses and disclosures for treatment, payment, and health care operations (TPO) without authorization. Texas overlays a notice-plus-authorization model on electronic disclosures: the patient must receive notice that PHI may be disclosed electronically, and each electronic disclosure needs a separate authorization unless it falls within TPO or another statutory exception.

Right of access

HIPAA requires action within 30 calendar days of the request, with one 30-day extension if the patient is notified in writing within the original period. Texas requires access to electronic health records within 15 business days of a written request when the EHR can fulfill it, and generally in electronic form unless the patient agrees otherwise. Because the Texas clock counts business days and has no extension, it is the earlier deadline in practice.

Training

HIPAA requires workforce training “as necessary and appropriate.” Texas requires completion within 90 days of hire or role change, retraining after material legal or policy changes, and retention of documentation.

Breach notification

HIPAA governs individual, media, and HHS notifications. Texas separately requires notice to the Texas Attorney General (under Texas Business & Commerce Code § 521.053) when a breach involves 250 or more Texas residents, so the incident playbook must run both sets of thresholds and clocks at once.

Penalties

Texas penalties escalate based on negligence, knowledge, intent, and patterns, making documentation and corrective action critical.

Operational rule: Treat HIPAA as the minimum standard and layer Texas’s stricter requirements into workflows and templates.

OCR Authority in the Small Practice Compliance Context

The HHS Office for Civil Rights (OCR) enforces HIPAA nationally. The Texas Attorney General, together with state licensing agencies, enforces Chapter 181. A single incident may therefore trigger parallel reviews. Designing processes to meet the stricter standard by default, and maintaining dated, organized evidence, positions a practice to respond effectively to both.

Step-by-Step Compliance Guide for Small Practices

Each step includes how to comply, evidence to retain, and a low-cost approach.

1. Publish a “Texas-controls-when-stricter” policy

Comply: Add a short addendum stating HIPAA is the baseline and Texas law controls where stricter.
Evidence: Signed policy, version history, staff acknowledgments.
Low-cost: Update the existing HIPAA manual annually.

2. Post an Electronic Disclosure Notice

Comply: Post a conspicuous notice, where patients will see it, that PHI may be disclosed electronically: lobby, check-in area, and website.
Evidence: Dated photos/screenshots; website change log.
Low-cost: One laminated sign and a footer link.

3. Screen every electronic disclosure for TPO vs authorization

Comply: Determine whether the disclosure qualifies as TPO or another permitted exception; if not, obtain a separate authorization before sending, and record the recipient and the basis for the decision.
Evidence: Disclosure decision log; authorizations; recipient verification notes.
Low-cost: Laminated two-column decision card.

4. Meet the 15-business-day ePHI access deadline

Comply: Stamp the date of receipt, calculate the due date in business days (weekends and office holidays excluded), and fulfill electronically when the EHR can do so.
Evidence: Access request form; due-date tracker; delivery proof.
Low-cost: Shared spreadsheet with automated deadline alerts.
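As an added example (not part of the original checklist), the following Python script implements the due-date tracker described in step 4: it counts 15 business days for the Texas § 181.102 deadline, 30 calendar days (plus the one permitted extension) for the HIPAA § 164.524 deadline, and reports which one controls. The function names, the office-holiday set and the sample dates are assumptions for illustration, and so is the fallback to the HIPAA timeline when the EHR cannot fulfill the request electronically.

```python
from datetime import date, timedelta

# Tex. Health & Safety Code § 181.102: 15 business days for ePHI the EHR can produce.
TEXAS_BUSINESS_DAYS = 15
# 45 CFR § 164.524(b): 30 calendar days, with one 30-day extension on written notice.
HIPAA_CALENDAR_DAYS = 30
HIPAA_EXTENSION_DAYS = 30


def add_business_days(start, n, holidays=frozenset()):
    """Return the date that is n business days after start.

    Saturdays, Sundays and the practice's listed holidays (an assumed,
    practice-maintained set) are skipped; the receipt date itself is day 0.
    """
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def access_deadlines(received, ehr_can_fulfill=True, hipaa_extended=False, holidays=frozenset()):
    """Compute both regimes' due dates for one access request and pick the controlling one.

    received        - date the written request was stamped as received
    ehr_can_fulfill - whether the EHR can produce the record electronically
    hipaa_extended  - whether the one permitted HIPAA extension was invoked in writing
    """
    extension = HIPAA_EXTENSION_DAYS if hipaa_extended else 0
    hipaa_due = received + timedelta(days=HIPAA_CALENDAR_DAYS + extension)
    # Assumption: when the EHR cannot fulfill electronically, only the HIPAA clock applies.
    texas_due = add_business_days(received, TEXAS_BUSINESS_DAYS, holidays) if ehr_can_fulfill else None
    # The earlier deadline controls; Texas has no extension, so it normally wins.
    if texas_due is not None and texas_due <= hipaa_due:
        controlling, law = texas_due, "Tex. Health & Safety Code § 181.102"
    else:
        controlling, law = hipaa_due, "45 CFR § 164.524"
    return {"hipaa_due": hipaa_due, "texas_due": texas_due, "due": controlling, "controlling_law": law}


def days_left(deadlines, today):
    """Days remaining until the controlling deadline; negative means the request is overdue."""
    return (deadlines["due"] - today).days


if __name__ == "__main__":
    # Constructed sample: request received Friday 2024-03-01; 2024-03-04 is an office holiday.
    office_holidays = frozenset({date(2024, 3, 4)})
    d = access_deadlines(date(2024, 3, 1), holidays=office_holidays)
    print(d["due"], d["controlling_law"], days_left(d, date(2024, 3, 15)))
```

In the sample, the Texas deadline lands on 2024-03-25 while the HIPAA deadline is 2024-03-31, so the tracker flags the Texas date; a spreadsheet column that applies the same business-day count gives the same result.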

5. Complete training within 90 days and on change

Comply: Deliver role-based training and repeat when material law or policy changes occur.
Evidence: Curricula, rosters, signed completion statements.
Low-cost: Short micro-sessions during staff huddles.

6. Encrypt and secure by default

Comply: Use encryption and secure portals; document patient preference if unencrypted delivery is requested.
Evidence: Encryption screenshots; delivery logs; preference notes.
Low-cost: Built-in OS encryption and EHR portal tools.

7. Govern vendors handling PHI

Comply: Maintain a vendor register and agreements requiring confidentiality, security, and incident notification; the HIPAA business associate agreement already required for vendors that handle PHI can carry these terms.
Evidence: Executed agreements; annual confirmations.
Low-cost: One-page annual vendor questionnaire.

8. Operate a breach playbook with dual timers

Comply: Track HIPAA and Texas notification thresholds and deadlines concurrently, including the Texas Attorney General notice that applies at 250 or more affected Texas residents.
Evidence: Incident log; risk assessment; notification proofs; corrective actions.
Low-cost: Spreadsheet with automated counters.

9. Run a light monthly self-audit

Comply: Review five recent disclosures or access requests and close gaps within 14 days.
Evidence: Audit checklist; corrective action log.
Low-cost: Color-coded worksheet.

10. Maintain a one-binder evidence model

Comply: Keep policies, training, vendor records, logs, and incident files indexed by year.
Evidence: The binder or shared drive itself.
Low-cost: Locked folders with standardized naming.

Table: Simplified Self-Audit Checklist

Task | Responsible Role | Frequency | Authority
Texas overlay policy published | Privacy Officer | Annual / on change | Chapter 181
Electronic disclosure notice posted | Office Manager | Quarterly | Chapter 181
TPO vs authorization screened | Workforce | Every disclosure | 45 CFR § 164.506; Ch. 181
ePHI access within 15 business days | Privacy Officer | Each request | § 181.102
Training completed and retained | Privacy Officer | New hire / change | § 181.101
Vendor confirmations | Administrator | Annual | Ch. 181
Breach playbook executed | Privacy Officer | Per incident | HIPAA + Ch. 181

Common Pitfalls to Avoid

  • Assuming all third-party disclosures are authorization-free

  • Defaulting to HIPAA’s 30-calendar-day access timeline when Texas requires 15 business days

  • Failing to post or document the electronic disclosure notice

  • Letting vendor defaults over-share PHI

  • Weak documentation of oral authorizations or patient preferences

Best Practices for Small Practices

  • Two-column TPO decision cards at workstations

  • Automated deadline trackers

  • A small template library (notice, authorization, denial, breach checklist)

  • Five-record monthly audits

  • One centralized evidence binder

Building a Culture of Compliance

Leadership emphasis, clear ownership, no-blame escalation, and brief “privacy moments” at staff meetings help embed these requirements into routine operations. Consistency, not complexity, is what regulators look for.

Conclusion

The Texas Medical Records Privacy Act adds concrete, enforceable requirements on top of HIPAA’s national baseline. Small practices that post the required notices, screen electronic disclosures carefully, meet the 15-business-day ePHI access timeline, train staff within 90 days, govern vendors, and document decisions can operate efficiently while minimizing enforcement risk.
