The 15-Day Rule: How Small Clinics Must Speed Up Patient Access to Electronic PHI Under HB300
Executive Summary
Texas Health & Safety Code § 181.102, enacted through HB 300, imposes a 15-business-day deadline for providing patients access to their electronic protected health information (ePHI) when a provider uses an electronic health record (EHR) system capable of fulfilling the request. This timeline is significantly shorter than HIPAA’s general 30-day right-of-access period under 45 CFR § 164.524, which allows one additional 30-day extension in limited circumstances.
For small clinics serving Texas residents, the stricter Texas deadline controls when applicable. Missing the 15-business-day window can result in complaints, investigations, and state-level enforcement actions. This article explains the rule, clarifies how it interacts with HIPAA, and provides a lean, defensible workflow that small practices can implement without expensive technology.
Introduction
Patient access to medical records has shifted from a slow, back-office task to a time-sensitive compliance obligation. Texas HB 300 reflects this reality by accelerating access to electronic records when systems are capable of producing them. For small clinics with limited staffing, the 15-business-day requirement can appear challenging. In practice, compliance depends less on technology and more on intake discipline, identity verification, standardized exports, and deadline tracking.
This guide translates § 181.102 into an operational process that meets Texas timing requirements while remaining consistent with HIPAA’s rules on form, format, fees, and denials.
Understanding the 15-Day Rule Under Texas Health & Safety Code § 181.102
Section 181.102 establishes a specific obligation tied to electronic records:
-
If a health care provider uses an EHR system capable of fulfilling the request, the provider must provide access to the individual’s electronic health record no later than the 15th business day after receiving a written request.
-
The record must be provided in electronic form, unless the individual agrees to another format.
-
The statute does not require disclosure of information that HIPAA permits a provider to deny or except under 45 CFR § 164.524.
Practical implications
-
The 15-business-day clock starts upon receipt of a written request from the patient or an authorized personal representative.
-
If the EHR can generate the requested information, the Texas deadline applies.
-
HIPAA’s substantive rules still govern form and format, reasonable cost-based fees, and grounds for denial, but they do not extend the Texas timeline except when issuing a timely, compliant HIPAA denial.
For Texas clinics, the safest operational approach is to default to the 15-business-day standard for ePHI and layer HIPAA’s substantive access rules on top.
Enforcement Authority and Oversight Context
The HHS Office for Civil Rights (OCR) enforces HIPAA’s right-of-access provisions, including timeliness, form and format, and fees. OCR does not enforce Texas statutes. Texas authorities, including the Office of the Attorney General and licensing boards, enforce § 181.102.
As a result, a delayed access request can trigger dual exposure:
-
Federal scrutiny under HIPAA for access failures
-
State enforcement for missing the 15-business-day deadline
A workflow that consistently meets the Texas timeline while honoring HIPAA requirements reduces risk on both fronts.
Step-by-Step Compliance Guide for Small Practices
Each step identifies how to comply, evidence to retain, and a low-cost implementation option.
Step 1: Standardize intake and start the clock
Comply: Accept written requests (paper, portal, or email), stamp the received date, and log a due date at T+15 business days.
Evidence: Access request form; tracker entry with due date.
Low-cost: One-page intake form plus a shared spreadsheet that auto-calculates due dates and flags Day 10 and Day 14.
Step 2: Verify identity with scripts
Comply: Use standardized verification for in-person, phone, email, and personal-representative requests.
Evidence: Verification checklist and copies of authority documents.
Low-cost: Laminated verification quick-cards.
Step 3: Triage EHR capability within two business days
Comply: Confirm whether the EHR can fulfill the request and identify any items outside the system.
Evidence: Triage note indicating EHR capability.
Low-cost: “EHR capable: Yes/No” column in the tracker.
Step 4: Apply HIPAA form and format rules
Comply: Provide ePHI in the requested electronic format if readily producible; document third-party directives.
Evidence: Fulfillment record noting format and recipient.
Low-cost: Predefined export options (portal download, secure email, encrypted media).
Step 5: Calculate fees correctly
Comply: Apply HIPAA’s reasonable cost-based fee limits; consider no-fee electronic delivery when feasible.
Evidence: Fee worksheet or zero-fee notation.
Low-cost: Simple spreadsheet template.
Step 6: Use partial grants and compliant denials
Comply: Provide non-excepted records within 15 business days and issue HIPAA-compliant denials for the rest when applicable.
Evidence: Denial letter and redaction notes.
Low-cost: Editable denial templates.
Step 7: Deliver securely and confirm receipt
Comply: Use portal or secure email; document patient preference if unencrypted email is chosen.
Evidence: Delivery log and confirmation.
Low-cost: Portal audit trail or delivery checklist.
Step 8: Close out and retain records
Comply: File all request materials and track cycle time.
Evidence: Completed access packet and KPI summary.
Low-cost: Annual “Right-of-Access” folder and rolling dashboard.
Table: Texas 15-Day Rule vs. HIPAA Right of Access
|
Requirement |
HIPAA (45 CFR § 164.524) |
Texas HB 300 (§ 181.102) |
Controlling Standard for Texas ePHI |
|---|---|---|---|
|
Response time |
30 days (+ one extension) |
15 business days |
Texas |
|
Electronic format |
Required if readily producible |
Required unless patient agrees otherwise |
Texas + HIPAA |
|
Fees |
Reasonable, cost-based |
Not expanded |
HIPAA |
|
Denials/exceptions |
Specific grounds |
HIPAA grounds preserved |
HIPAA |
Simplified Self-Audit Checklist
-
Written request date logged and due date calculated
-
Identity and authority verified
-
EHR capability confirmed within two business days
-
ePHI delivered electronically or alternative agreed
-
Fees calculated per HIPAA or waived
-
Partial grants and denials documented correctly
-
Delivery confirmed and packet retained
Common Pitfalls to Avoid
-
Defaulting to HIPAA’s 30-day timeline when the EHR can fulfill the request
-
Waiting for a “perfect” full chart instead of producing readily available ePHI
-
Inadequate identity verification for remote requests
-
Charging impermissible fees
-
Issuing blanket denials instead of partial grants
Best Practices for Sustainable Compliance
-
Set an internal 10-business-day target to create buffer
-
Pre-configure common EHR export kits
-
Cross-train a backup staff member
-
Track median fulfillment time quarterly
-
Convert near-misses into brief training updates
Conclusion
Texas Health & Safety Code § 181.102 accelerates patient access to electronic health records by imposing a 15-business-day deadline when EHR systems are capable of fulfillment. Small clinics that stamp requests on receipt, verify identity promptly, confirm EHR capability, and standardize electronic delivery can meet this requirement consistently. By defaulting to the stricter Texas timeline while applying HIPAA’s substantive access rules, clinics protect patients, reduce enforcement risk, and maintain a clean audit trail.
Consider leveraging a compliance automation tool to streamline your efforts. Such platforms help you document and manage obligations, conduct regular risk assessments, and remain audit-ready, reducing liabilities while signaling accountability to regulators and patients alike.