For a practical next step, review our private infrastructure services, browse the medical practice FAQ, and explore the full WhyNotDoc security blog.
On January 1, 2026, Texas House Bill 300 expansion provisions took effect, creating the most stringent patient privacy requirements in the United States. While HIPAA sets the federal baseline, Texas medical practices now face state-level obligations that exceed federal standards in critical areas. Non-compliance carries penalties of $5,000 per violation, with a maximum of $1.5 million per year for identical violations.
A San Antonio family practice discovered the practical impact in February 2026. Their HIPAA-compliant breach notification procedure failed to meet the new Texas timeline requirements. A three-day delay in patient notification resulted in a $45,000 state penalty, on top of the breach response costs they were already absorbing.
Texas HB 300, originally passed in 2011, received significant amendments in the 2025 legislative session. The expansion provisions specifically address gaps that Texas legislators identified in federal HIPAA enforcement and coverage. The result is a dual compliance environment where practices must satisfy both federal and state requirements simultaneously.
The Texas Attorney General's office, which enforces HB 300, has significantly increased audit activity. In Q1 2026, the office announced 23 investigations, compared to 8 in all of 2024. Medical practices represent 67% of these investigations, reflecting the AG's focus on healthcare data protection.
The expanded HB 300 introduces requirements that fundamentally change how Texas medical practices handle patient information. Understanding these requirements is essential for compliance.
1. Enhanced Breach Notification Timeline
HB 300 now requires patient notification within 48 hours of discovering a breach involving more than 250 Texas residents. This is a dramatic compression from HIPAA's 60-day maximum. The notification must include specific elements: the date of discovery, the types of information involved, steps taken to mitigate harm, and contact information for the practice's designated privacy officer.
A Dallas cardiology group experienced the enforcement reality in January 2026. Their electronic health record system suffered a vendor-related data exposure affecting 1,200 patients. The practice followed their HIPAA-compliant procedure, beginning notification preparation immediately. However, they did not complete individual notifications until day five. The Texas Attorney General's office initiated an investigation and assessed a $125,000 penalty for timeline non-compliance.
The practical implication: practices must have pre-positioned notification infrastructure capable of immediate activation. Waiting to develop notification content, secure legal review, or establish contact methods after discovering a breach virtually guarantees non-compliance.
2. Mandatory Electronic Health Record Access Logs
HB 300 now requires Texas medical practices to maintain detailed access logs for all electronic health records, including the specific user, timestamp, records accessed, and purpose of access. These logs must be retained for seven years and must be producible within 72 hours of a patient request or regulatory inquiry.
This requirement creates particular challenges for practices using cloud-based EHR systems. Many cloud vendors provide aggregated access reports rather than granular individual access logs. Practices relying on these vendors face a compliance gap: they are legally responsible for producing records their vendors do not maintain.
A Houston multi-specialty practice discovered this gap during a March 2026 Texas Medical Board inquiry. Their cloud EHR vendor could only provide monthly summary reports of access patterns. The practice could not produce the specific, timestamped access records the inquiry requested. The resulting compliance finding required immediate implementation of supplemental logging systems at a cost of $87,000.
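The logging gap described above is, at bottom, a data-model problem: a monthly summary cannot be turned back into per-access records after the fact, so the practice has to capture user, timestamp, record and purpose at the moment of access and keep those entries in a form it can search and hand over on request. The following is an added example of such a supplemental log, written here to illustrate the requirement; it is not code from WhyNotDoc or from any EHR vendor. The field names, the JSON Lines layout and the SHA-256 hash chaining (which lets the practice show a produced extract has not been altered since it was written) are assumptions chosen for illustration, and the users and record ids are constructed.

```python
"""Per-access EHR audit log: who, when, which record, why.

Added example for the access-log requirement described above; it is not code
from WhyNotDoc or from any EHR vendor. Field names, the JSON Lines layout and
the SHA-256 hash chaining are assumptions chosen for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

REQUIRED_FIELDS = ("user", "timestamp", "record_id", "purpose")
GENESIS_HASH = "0" * 64   # chain anchor for the first entry


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so re-hashing is deterministic.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_access(log: List[dict], user: str, record_id: str, purpose: str,
                  timestamp: Optional[str] = None) -> dict:
    """Append one access event; each entry's hash covers the previous hash."""
    if not purpose.strip():
        raise ValueError("purpose of access is required for every entry")
    body = {
        "user": user,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "record_id": record_id,
        "purpose": purpose,
    }
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = dict(body, hash=_entry_hash(prev_hash, body))
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> bool:
    """True if every entry has the required fields and the chain is intact."""
    prev_hash = GENESIS_HASH
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if set(body) != set(REQUIRED_FIELDS):
            return False
        if _entry_hash(prev_hash, body) != entry.get("hash"):
            return False
        prev_hash = entry["hash"]
    return True


def produce_for_record(log: List[dict], record_id: str,
                       start: str, end: str) -> List[dict]:
    """Time-ordered accesses to one record within [start, end] (ISO 8601 with offset)."""
    start_dt = datetime.fromisoformat(start)
    end_dt = datetime.fromisoformat(end)
    hits = [e for e in log
            if e["record_id"] == record_id
            and start_dt <= datetime.fromisoformat(e["timestamp"]) <= end_dt]
    return sorted(hits, key=lambda e: e["timestamp"])


def to_jsonl(log: List[dict]) -> str:
    """Serialise as JSON Lines, one entry per line, for append-only storage."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in log)


def from_jsonl(text: str) -> List[dict]:
    """Parse a JSON Lines file back into a list of entries."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample entries (fictional users and record ids).
SAMPLE_LOG: List[dict] = []
append_access(SAMPLE_LOG, "dr.ramirez", "PT-10442", "treatment",
              "2026-03-01T09:15:00+00:00")
append_access(SAMPLE_LOG, "billing.clerk2", "PT-10442", "payment",
              "2026-03-02T13:40:00+00:00")
append_access(SAMPLE_LOG, "dr.ramirez", "PT-20871", "treatment",
              "2026-03-02T14:05:00+00:00")

if __name__ == "__main__":
    print("chain intact:", verify_chain(SAMPLE_LOG))
    for e in produce_for_record(SAMPLE_LOG, "PT-10442",
                                "2026-03-01T00:00:00+00:00",
                                "2026-03-31T23:59:59+00:00"):
        print(e["timestamp"], e["user"], e["purpose"])
```

The purpose field is mandatory at write time because it cannot be reconstructed later; an entry with no purpose is refused rather than logged blank. In a real deployment the JSON Lines file would live on storage the application can append to but not rewrite, and the retention clock for the file would be set to the seven-year period the page describes.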
3. Expanded Definition of Covered Entities
HB 300's expanded definition now explicitly includes business associates and subcontractors with access to Texas patient data. This extends liability beyond the practice to any entity that processes, stores, or transmits patient information on the practice's behalf.
The practical impact is significant. A practice's cloud EHR vendor, billing service, transcription provider, and even IT support company are now directly subject to HB 300 requirements. When these entities violate patient privacy, both they and the medical practice face penalties.
More critically, the expanded definition creates new due diligence obligations. Practices must now verify HB 300 compliance for all business relationships involving patient data. Standard HIPAA business associate agreements are insufficient because they do not address Texas-specific requirements.
4. Patient Consent for Marketing Communications
HB 300 now requires explicit, separate consent for any use of patient information in marketing communications. This includes not just third-party marketing but the practice's own promotional activities. Implied consent through treatment relationships or standard intake forms is no longer sufficient.
The marketing consent requirement must include specific elements: the types of marketing communications the patient will receive, the methods of communication (email, text, phone), the right to revoke consent at any time, and a clear statement that treatment will not be affected by consent decisions.
A Fort Worth dermatology practice faced enforcement action in February 2026 for sending promotional emails about cosmetic services to patients who had completed standard intake forms. The forms included general consent for "communications about practice services" but lacked the specific marketing consent HB 300 now requires. The practice paid a $15,000 penalty and was required to implement a new consent management system.
5. Data Minimization and Retention Limits
HB 300 now explicitly requires data minimization: practices may only collect and retain patient information necessary for treatment, payment, and healthcare operations. Information collected for one purpose cannot be retained indefinitely or repurposed without new consent.
Additionally, HB 300 establishes maximum retention periods for different categories of patient information. Adult medical records must be retained for seven years after the last treatment date. Pediatric records must be retained for seven years after the patient reaches age 18. Information not meeting these retention requirements must be securely destroyed.
This requirement conflicts with the data retention practices of many cloud EHR vendors, which maintain records indefinitely unless specifically instructed to delete them. Practices using these vendors must implement active deletion protocols to comply with HB 300 retention limits.
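An active deletion protocol needs a precise answer to "which records may be destroyed as of today?", and the pediatric rule makes that more than a single date subtraction. The following is an added example of that calculation, written here to illustrate the retention limits described above; it is not code from WhyNotDoc or from any EHR vendor. It assumes a record is "pediatric" when the patient was under 18 on the last treatment date, that a record becomes eligible for destruction only once its retention end date has passed, and that a practice-side legal hold (not mentioned on the page) blocks destruction; the record ids and dates are constructed.

```python
"""Retention-limit calculator for patient records.

Added example for the retention limits described above; not code from
WhyNotDoc or any EHR vendor. Assumptions: a record is "pediatric" when the
patient was under 18 on the last treatment date, a record becomes eligible
for destruction only once its retention end date has passed, and a
practice-side legal hold (not on the page) blocks destruction.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Union

ADULT_YEARS_AFTER_LAST_TREATMENT = 7   # page: seven years after last treatment
AGE_OF_MAJORITY = 18
PEDIATRIC_YEARS_AFTER_MAJORITY = 7     # page: seven years after reaching 18


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class PatientRecord:
    record_id: str
    date_of_birth: date
    last_treatment: date
    legal_hold: bool = False   # assumption: overrides any destruction decision


def is_pediatric(rec: PatientRecord) -> bool:
    """Patient had not yet reached 18 on the last treatment date (assumption)."""
    return rec.last_treatment < add_years(rec.date_of_birth, AGE_OF_MAJORITY)


def retention_end(rec: PatientRecord) -> date:
    """Last day the record must be kept under the page's retention rules."""
    adult_end = add_years(rec.last_treatment, ADULT_YEARS_AFTER_LAST_TREATMENT)
    if not is_pediatric(rec):
        return adult_end
    majority = add_years(rec.date_of_birth, AGE_OF_MAJORITY)
    pediatric_end = add_years(majority, PEDIATRIC_YEARS_AFTER_MAJORITY)
    # Keep whichever window ends later so a minor's record is never cut short.
    return max(adult_end, pediatric_end)


def due_for_destruction(records: List[PatientRecord],
                        as_of: Union[date, str]) -> List[str]:
    """Record ids whose retention window has passed and that carry no hold."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    return [r.record_id for r in records
            if not r.legal_hold and retention_end(r) < as_of]


# Constructed sample records (fictional ids and dates).
SAMPLE_RECORDS = [
    PatientRecord("PT-A", date(1980, 5, 10), date(2018, 3, 14)),   # adult, window ended 2025-03-14
    PatientRecord("PT-B", date(1975, 1, 1), date(2020, 6, 30)),    # adult, window ends 2027-06-30
    PatientRecord("PT-C", date(2005, 9, 20), date(2019, 11, 2)),   # minor at last visit: keep to 2030-09-20
    PatientRecord("PT-D", date(1960, 1, 5), date(2015, 8, 1), legal_hold=True),
    PatientRecord("PT-E", date(1970, 1, 1), date(2016, 2, 29)),    # leap-day last visit: ends 2023-02-28
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        kind = "pediatric" if is_pediatric(r) else "adult"
        print(r.record_id, kind, "retain until", retention_end(r))
    print("due as of 2027-01-01:", due_for_destruction(SAMPLE_RECORDS, "2027-01-01"))
```

Record PT-C shows why the pediatric branch matters: counted from the last visit, an adult-style window would expire in November 2026, but the seven-years-after-18 rule carries the record to September 2030. Running this against an export of the EHR's patient index gives the list to feed into the vendor's deletion request process, with the legal-hold flag acting as the last check before anything is destroyed.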
6. Security Incident Response Documentation
HB 300 now requires detailed documentation of all security incidents, regardless of whether they result in breaches. This documentation must include: the date and time of discovery, the nature of the incident, systems and data potentially affected, response actions taken, and post-incident review findings.
These records must be maintained for five years and are subject to Texas Attorney General inspection. The practical implication is that practices must document security incidents they would previously have handled informally: suspicious login attempts, phishing emails reported by staff, antivirus alerts, and system anomalies that turn out to be false positives.
A Midland practice learned the documentation requirement's importance during a March 2026 inquiry. An employee had reported a suspicious email six months earlier. The practice had deleted the email and told the employee to be more careful. No documentation existed. The Attorney General's office cited this as evidence of inadequate security incident management, contributing to a broader compliance finding.
7. Designated Privacy Officer Requirements
HB 300 now requires every medical practice to designate a specific individual as Privacy Officer with documented authority and responsibility for compliance. The Privacy Officer must complete annual training specific to Texas privacy requirements and must be accessible to patients with privacy concerns.
The Privacy Officer's contact information must be included in all breach notifications, posted in physical office locations, and available on the practice website. This individual has legal responsibility for ensuring the practice's privacy compliance program functions effectively.
Texas medical practices now operate in a dual regulatory environment. Understanding where HB 300 and HIPAA overlap, and where they diverge, is essential for compliant operations.
Overlap Areas: Both HB 300 and HIPAA require risk assessments, workforce training, business associate agreements, access controls, and breach response capabilities. Practices can generally satisfy both requirements with unified programs, though Texas-specific elements must be added.
Conflict Areas: Several requirements create compliance tension:
When requirements conflict, HB 300 takes precedence for Texas residents. Practices must comply with the more stringent Texas standard, even when federal requirements would permit less stringent measures.
Implementing HB 300 compliance requires systematic attention to each requirement area.
Immediate Actions (0-30 days):
Short-Term Implementation (30-90 days):
Ongoing Compliance:
HB 300's granular logging and data control requirements create particular challenges for cloud-dependent practices. When patient data resides on third-party infrastructure, achieving the detailed control HB 300 requires becomes difficult or impossible.
Private infrastructure enables direct implementation of HB 300's technical requirements. Practices control their logging systems, can implement custom access tracking, establish precise retention policies, and maintain direct documentation of all security incidents. The compliance advantage is not theoretical. It is the difference between being able to produce required records and being at the mercy of vendor capabilities.
The Texas Attorney General's enforcement actions in Q1 2026 have consistently cited cloud dependency as a complicating factor in compliance findings. Practices that cannot produce required records because their vendors do not maintain them face penalties regardless of their good-faith efforts.
We assess Texas medical practices against HB 300 requirements, identifying compliance gaps and implementing necessary controls. Our compliance assessments include documentation review, technical control verification, and actionable remediation plans.
Call 469-252-7016 or schedule online. We help Texas medical practices meet the most stringent privacy requirements in the nation.