In March 2026, a Dallas dermatology practice received a $340,000 penalty notice that shocked their compliance officer. Their HIPAA program was current, their risk assessment was recent, and their security controls were industry-standard. The violation was none of these. They had failed to comply with Texas Medical Privacy Act requirements that went beyond federal HIPAA standards in three specific ways they had never noticed.
Texas medical practices now operate under a complex regulatory web that extends far beyond HIPAA. Understanding the state-specific requirements that apply to your practice is no longer optional. It is essential for avoiding penalties that can reach $1.5 million per violation category under state law alone.
HIPAA provides a federal floor for medical privacy protection. States can and do impose additional requirements that are more stringent than federal standards. Texas has enacted some of the most comprehensive medical privacy legislation in the nation, creating compliance obligations that catch many practices unaware.
The interaction between federal and state law follows a simple rule: whichever standard is more protective applies. This means Texas practices must comply with both HIPAA and all applicable state requirements, even when they conflict. You cannot choose the easier standard. You must satisfy the stricter one.
The Texas Medical Privacy Act of 2011, commonly called HB 300, remains the cornerstone of state privacy regulation. Its 2026 amendments added significant new requirements that every practice must address:
48-Hour Breach Notification: Texas requires notification to affected patients within 48 hours of discovering a breach involving their electronic health information. This contrasts with HIPAA's 60-day requirement. Many Texas practices design their breach response around federal timelines, creating state violations when notification takes more than two days.
Training Certification Requirements: HB 300 mandates that all employees who handle protected health information complete state-approved training and receive documented certification. This is more stringent than HIPAA's general training requirement. Practices must maintain training records for six years and produce them upon request from the Texas Attorney General.
Electronic Health Information Definition: Texas defines electronic health information more broadly than HIPAA, including any information that exists in electronic form and relates to an individual's physical or mental health. This captures data categories that HIPAA excludes, such as wellness program information and certain employee health records.
Criminal Penalty Expansion: The 2026 amendments expanded criminal penalties for unauthorized access to include negligent handling of credentials. A staff member who writes a password on a sticky note can now face criminal liability if that note enables unauthorized access.
Chapter 521 of the Texas Business and Commerce Code governs the protection of sensitive personal information, including medical data. It creates requirements that differ from HIPAA in critical ways:
Encryption Mandate: Texas requires encryption of sensitive personal information on all portable devices and all transmissions over public networks. While HIPAA "addresses" encryption, Texas mandates it without the flexibility of "addressable" implementation specifications. Unencrypted laptops containing patient information automatically violate Texas law regardless of whether a breach occurs.
Destruction Standards: Texas specifies particular methods for destroying records containing sensitive personal information. Practices must use shredding, pulverizing, or burning for paper records and clearing, purging, or destroying electronic media for digital records. Simple deletion does not satisfy the standard.
Third-Party Vendor Liability: Texas imposes direct liability on covered entities for breaches caused by their vendors. Under HIPAA, business associates bear independent responsibility for their own breaches. Under Texas law, the practice remains liable even when the vendor causes the breach. This creates powerful incentives for rigorous vendor management that go beyond federal requirements.
Texas professional licensing boards have enacted privacy regulations that apply specifically to their licensees:
Texas Medical Board Rule 165.3: Physicians must maintain patient records in a manner that ensures confidentiality and security. The rule specifies that electronic records must have access controls, audit trails, and backup systems. Board enforcement actions for privacy failures can result in license suspension or revocation independent of any HIPAA penalty.
Texas Board of Nursing: Nurses face professional discipline for unauthorized disclosure of patient information even when no HIPAA violation occurs. The Board has interpreted its standards to include inadvertent disclosures, such as discussing patients in public areas where they might be overheard.
Texas State Board of Pharmacy: Pharmacy regulations include specific requirements for protecting prescription information. These rules apply to in-house pharmacies within medical practices, creating compliance obligations that general HIPAA programs may not address.
The Texas Identity Theft Enforcement and Protection Act (TITEPA) creates additional breach notification and prevention requirements:
Attorney General Notification: TITEPA requires notification to the Texas Attorney General within 60 days of any breach affecting more than 250 Texas residents. This is separate from HIPAA notification requirements and applies to a broader range of information types.
Harm Threshold: Unlike HIPAA, TITEPA requires notification regardless of whether the breach creates a significant risk of financial harm. Any unauthorized access to covered information triggers notification obligations, even when the accessed data is not obviously exploitable for identity theft.
Civil Penalty Structure: TITEPA violations carry civil penalties up to $100,000 per violation, with each affected individual constituting a separate violation. This creates exposure that far exceeds HIPAA penalties for large breaches.
The March 2026 enforcement action against Waco Multi-Specialty Group illustrates how state laws create liability beyond HIPAA. The practice experienced a ransomware attack affecting 12,000 patient records. Their response was HIPAA-compliant: they conducted a risk assessment, determined that unauthorized access was not proven, and chose not to notify patients under the harmless breach exception.
The Texas Attorney General disagreed. Under Texas law, ransomware attacks that encrypt patient data constitute unauthorized access regardless of whether exfiltration occurred. The practice's decision to forgo notification violated the 48-hour state requirement. Additionally, forensic analysis revealed that the practice had failed to encrypt backup media as required by Chapter 521, a separate violation.
The final penalty assessment included $180,000 for breach notification failures and $95,000 for encryption violations. The practice's HIPAA-compliant response provided no protection against state enforcement.
Effective compliance requires mapping all applicable requirements and designing controls that satisfy the strictest standard in each category:
Notification Timeline Mapping: Create breach response procedures that meet the most stringent applicable timeline. For Texas practices, this means 48-hour notification to patients regardless of HIPAA's 60-day allowance. Design your incident response plan around the state requirement, and federal compliance will follow automatically.
Training Program Integration: Incorporate Texas-specific training requirements into your HIPAA training program. Ensure that completion certificates reference both federal and state compliance. Maintain records for the longest applicable retention period.
Encryption Implementation: Treat all portable devices and network transmissions as requiring mandatory encryption. Do not rely on HIPAA's flexibility. Implement encryption for all patient data regardless of location or transmission method.
Vendor Contract Updates: Include Texas-specific liability provisions in business associate agreements. Require vendors to indemnify the practice for breaches caused by vendor negligence. Implement Texas-mandated oversight procedures that exceed HIPAA's general requirements.
We assess your practice against both HIPAA and the full spectrum of Texas medical privacy laws. Our compliance audit identifies gaps between federal and state requirements and provides concrete remediation steps to satisfy both regulatory frameworks.
Call 469-235-4144 or schedule online. We help Texas medical practices navigate complex state and federal privacy requirements.