HIPAA is the floor. In Texas, the ceiling is $1.5 million per year in penalties your team probably doesn't know about.
Texas House Bill 300 broadens who counts as a covered entity, imposes stricter training deadlines than federal law, and adds penalties up to $1.5 million per year. If you operate in Texas, your team needs this training within 90 days of hire - not just when it's convenient.
Start 14-day free trialIf you operate in Texas, HB 300 (Health & Safety Code Chapter 181) imposes privacy training requirements stricter than federal HIPAA.
Course Details
15 minutes
State
Texas Law
Online, self-paced
What your team will learn
- How HB 300 and HIPAA work together (HIPAA is the floor, Texas law adds on top)
- The expanded Texas covered entity definition (broader than federal)
- Training deadlines: 90 days from hire, and again when the law materially changes
- What role-based training actually means under Texas law
- The three-tier penalty structure and how penalties escalate
- Enforcement, patient rights, and the absence of a private right of action
- Texas-specific consent rules for marketing uses of PHI
Who needs this training?
If you operate in Texas, HB 300 applies to all covered entities under Texas Health & Safety Code Chapter 181. The definition is broader than federal HIPAA. R = Required by regulation. S = Strongly recommended.
| Practice Type | Status | Authority |
|---|---|---|
| Physician Practices & Medical Groups | Required (if TX) | TX H&S Code Ch. 181 |
| Dental Offices | Required (if TX) | TX H&S Code Ch. 181 |
| Urgent Care Centers | Required (if TX) | TX H&S Code Ch. 181 |
| Home Health Agencies | Required (if TX) | TX H&S Code Ch. 181 |
| Behavioral Health & SUD Treatment | Required (if TX) | TX H&S Code Ch. 181 |
| Chiropractic Offices | Required (if TX) | TX H&S Code Ch. 181 |
| Physical Therapy & Rehab Clinics | Required (if TX) | TX H&S Code Ch. 181 |
| Ambulatory Surgery Centers (ASCs) | Required (if TX) | TX H&S Code Ch. 181 |
| Pharmacies | Required (if TX) | TX H&S Code Ch. 181 |
| Mental Health Private Practices | Required (if TX) | TX H&S Code Ch. 181 |
| Community Health Centers (FQHCs) | Required (if TX) | TX H&S Code Ch. 181 |
| Telehealth Providers | Required (if TX) | TX H&S Code Ch. 181 |
Which roles must complete this training?
If you operate in Texas, all employees who handle PHI must be trained within 90 days of hire:
- All staff with PHI access: Training within 90 days of hire is mandatory under Texas law
- Clinical staff (physicians, nurses, MAs, therapists): Role-based training on their specific PHI access patterns
- Administrative and billing staff: Training tailored to their PHI access responsibilities
- New hires: Must complete training before the 90-day deadline, not just at the next convenient opportunity
Texas law also requires retraining when the law materially changes or when an employee's role changes their PHI access.
Common Texas HB 300 training questions
How is Texas HB 300 different from HIPAA?
HB 300 expands who counts as a covered entity beyond HIPAA's definition. It requires training within 90 days of hire (HIPAA has no specific deadline), requires training whenever the law materially changes, adds Texas-specific marketing consent rules, and imposes penalties up to $1.5M per year that are separate from federal HIPAA penalties.
What is the 90-day training requirement?
Texas law requires covered entities to provide privacy training to employees within 90 days of hire. Training must also be provided when the law materially changes or when an employee's role changes in a way that affects their access to PHI. Federal HIPAA does not specify a training deadline.
What are the penalties for HB 300 violations?
Texas uses a three-tier penalty structure. Tier 1: $5,000-$25,000 for violations without financial harm. Tier 2: $25,000-$250,000 for patterns of violations. Tier 3: $250,000-$1.5M per year for knowing or intentional violations. These are in addition to any federal HIPAA penalties.
Does HB 300 give patients a private right of action?
No. Unlike California's CMIA, Texas HB 300 does not provide a private right of action. Enforcement is handled by the Texas Attorney General. However, patients can still bring claims under other state law theories (negligence, breach of fiduciary duty).
If you operate in Texas, get your team trained within the 90-day deadline
15 minutes per person. Certificate on completion. Start your 14-day free trial now.
Start 14-day free trialRegulatory Disclaimer
Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. State-specific content currently covers CA, TX, FL, NY, and IL. Additional states may have requirements not listed here. Last reviewed: April 2026.