HIPAA Compliance in Texas: Federal HIPAA + Texas Medical Records Privacy Act
Texas healthcare providers must comply with both federal HIPAA rules and the Texas Medical Records Privacy Act (TMRPA), codified in Texas Health and Safety Code §181. The TMRPA mirrors and expands HIPAA in several ways, applying to a broader set of entities including self-insured employer health plans. The Texas Health and Human Services Commission (HHSC) enforces the TMRPA, while OCR enforces federal HIPAA — creating two parallel oversight bodies with authority over Texas healthcare organizations.
HHSC: Enforces the Texas Medical Records Privacy Act; investigates complaints; assesses civil penalties up to $1.5M per violation type per year
State Penalties: TMRPA penalties: $5,000 per negligent violation, $25,000 per knowing violation, $250,000 per intentional violation with data sale intent, up to $1.5M per covered entity per violation type per year.
Federal Penalties: $145–$2,190,294 per violation category per year under HIPAA (2026 adjusted)
How Federal + Texas Law Overlap
HIPAA and the TMRPA largely mirror each other, but TMRPA extends coverage to entities not subject to HIPAA (employer-sponsored health plans). Texas follows HIPAA's breach notification timeline but adds state-specific enforcement through HHSC, which can independently investigate and fine covered entities.
Additional Texas Requirements Beyond Federal Law
- TMRPA applies to employers maintaining self-funded health plans, even if those employers are not HIPAA covered entities
- Texas requires patients receive a copy of their medical records within 15 business days of request
- Breach notification to HHSC is required for breaches affecting Texas residents, in addition to OCR notification
- Texas AG has authority to seek civil penalties for TMRPA violations on behalf of Texas residents
- TMRPA §181.101 penalties: $5,000 per negligent violation, $25,000 per knowing violation, $250,000 per intentional violation with intent to sell data for financial gain
- HB 300 (2012) expanded TMRPA training requirements — covered entities must provide HIPAA/TMRPA training to all employees annually
Key Compliance Requirements for Texas
- Conduct annual HIPAA Security Risk Analysis — HHSC and OCR both require documented evidence
- Provide annual HIPAA/TMRPA combined workforce training (required by TX HB 300)
- Provide patient medical records within 15 business days of written request
- Encrypt all electronic devices containing PHI — state and federal guidance align
- Execute Business Associate Agreements with all vendors handling Texas patient data
- Report breaches to HHSC (state) and OCR (federal) — separate notifications required
Common Violations in Texas
- Unencrypted laptops and portable devices lost or stolen at Texas conferences and hospitals
- Failure to provide patient records within the 15-business-day Texas deadline
- Inadequate business associate agreements with Texas-based billing and IT vendors
- Workforce training gaps — Texas HB 300 explicitly requires annual training for all employees
- Insider snooping without disciplinary policy enforcement
Recent HIPAA Enforcement in Texas
Frequently Asked Questions
What is the Texas Medical Records Privacy Act?
The Texas Medical Records Privacy Act (TMRPA), codified at Texas Health and Safety Code §181, is a state law that mirrors and expands HIPAA. It applies to healthcare providers, health plans, and self-insured employer health plans operating in Texas. It is enforced by the Texas Health and Human Services Commission (HHSC) and the Texas AG.
What are HIPAA fines in Texas?
Federal HIPAA fines range from $145 to $2,190,294 per violation category per year. The Texas TMRPA adds state penalties: $5,000 for negligent violations, $25,000 for knowing violations, and $250,000 for intentional violations involving data sale — up to $1.5M per entity per violation type per year.
How long do I have to provide medical records to patients in Texas?
Texas law requires covered entities to provide patients with copies of their medical records within 15 business days of receiving a written request. This is stricter than HIPAA's 30-day standard. Failure to comply is an independent TMRPA violation subject to HHSC enforcement.
Does Texas require annual HIPAA training?
Yes. Texas House Bill 300 (2012), codified in the TMRPA, explicitly requires covered entities to provide HIPAA and TMRPA training to all employees who have access to protected health information. Training must be conducted at least annually and must cover Texas-specific requirements.
Who enforces HIPAA in Texas?
Two agencies have enforcement authority. OCR (HHS) enforces federal HIPAA and investigates complaints from Texas residents. The Texas Health and Human Services Commission enforces the state TMRPA. Both agencies can independently investigate the same incident, assess separate penalties, and require independent corrective action plans.