Texas Privacy Act: Overview and Compliance Guide

Many countries, states, and jurisdictions have recently passed — or are planning to pass — legislation to protect the privacy and data rights of consumers. The state of Texas is…
David Harrington
5 min read
Last updated June 27, 2023

Many countries, states, and jurisdictions have recently passed — or are planning to pass — legislation to protect the privacy and data rights of consumers. The state of Texas is no exception, having recently introduced the Texas Medical Records Privacy Act (TMRPA). This Texas privacy act is similar to the Health Insurance Portability and Accountability Act (HIPAA) in that it sets forth guidelines for safeguarding private medical records and information.

Discover your weak points and strengthen your resilience: Run a Free Ransomware Readiness Test

In this article, we’ll explore the basics of what the TMRPA is and its key components. You’ll also learn about how this law affects your business, whether you’re a hospital, private physician, or medical insurance provider. Finally, we’ll take you through some best practices on how to protect your patient’s and customer’s medical data in a way that makes you compliant with the Texas Privacy Act.

What is the Texas Privacy Act?

The TMRPA, or Texas Privacy Act, focuses on maintaining the privacy of Protected Health Information (PHI) for patients and customers. According to U.S. law, PHI consists of any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity. A Covered Entity simply being the legal definition of hospitals, care, or insurance providers that are subject to regulations like HIPAA and TMRPA.

However, the TMRPA differs from other regulations like HIPAA and the California Consumer Privacy Act (CCPA) in several key respects. First, the Texas Privacy Act could potentially regulate business entities that aren’t subject to HIPAA, such as health care clearinghouses and business partners of providers. Any organization that collects, stores, or transmits healthcare data — regardless of HIPAA coverage — is subject to the Texas Privacy Act.

Key Components of the Texas Privacy Act

There are several key aspects of the TMRPA to be aware of and that differ substantially from other regulations protecting PHI. Most of these components mirror the key requirements under HIPAA but apply to any organization that serves Texas individuals that handles PHI — not just covered entities as defined under HIPAA.

The Right to Know PHI

Any organization that handles the PHI of Texas consumers must provide written notice of the use and disclosure of PHI if a written request is made. And while the Texas Privacy Act doesn’t contain a specific breach notification requirement, companies are still mandated to notify users as such under Texas’ own breach notification statute

The Right to Obtain a Copy

Anyone that handles PHI in Texas needs to have a form whereby customers can obtain copies of their records. Organizations are permitted to charge a reasonable fee for the copying and mailing or records, but not a retrieval fee. And if you have an electronic health records system, you’ll likely be required to provide copies within 15 days of the request.

The Right to Amendment

Every Texas consumer has the right to request that their PHI be amended or corrected if they believe there’s an error. While you’re not legally required to agree with them and make the correction — consumers can be mistaken — you do have to notify them in writing and explain why their request was denied. You then must submit a statement of disagreement and add it to the patient’s record.

The Right to Limit Use

Finally, Texas consumers have the right to request that you limit the use of their PHI. This includes things like disclosing PHI for marketing purposes or sales calls without express written authorization. And if you do use PHI for physical or email marketing, you’re required to provide notice on that piece of mail explaining the person’s right to be removed and providing a toll-free number they can call and immediately request removal.

Emphasis on Training

The Texas Privacy Act and HIPAA both specify that training is conducted, but HIPAA doesn’t offer much detail as to how it should be conducted. The TMRPA, however, contains more exact training requirements to be in compliance. All employees who handle PHI — or are even likely to encounter it — must undergo formal privacy training within 60 days of beginning employment.

How Does This Affect Your Business?

While the Texas Privacy Act might not significantly affect covered entities that are already HIPAA compliant, if you handle PHI and haven’t been prepared to comply with the above key requirements, you’ll need to begin installing the proper policies and procedures. And for entities that are already HIPAA compliant, an additional emphasis on employee training and education will be required.

From a business standpoint, complying with the Texas Privacy Act will cost additional time, manpower, and resources — at least initially. You’ll need to ensure that all administrative processes are in place to respond properly to things like Right to Know and Right to Amend requests. For companies that weren’t previously subject to HIPAA — but now are as a business partner or PHI handler — it’s wise to work with a compliance partner at the beginning to ensure all your bases are covered.

How to Ensure You’re Meeting Compliance Standards

First and foremost, you’ll need to audit and inventory all of your PHI collection, handling, storage, and transmission activities that are either within Texas borders or that involve Texas consumers to determine the scope of compliance activities. Since the Texas Privacy Act covers an extended ecosystem, this may be the first time your business is subject to any such regulatory requirements.

Next, you’ll need to work with an experienced compliance partner to develop an all-encompassing roadmap. One of the first key issues is making sure you have the technology, staffing, and expertise to handle things like rights requests. It’s critical to make sure that you have adequate internal compliance resources and know-how before you start implementing Texas Privacy Act processes within your organization, and having a compliance partner will help you do so efficiently and cost-effectively.

Finally, you’ll need to develop and implement your training and education program that’s in alignment with the Texas Privacy Act. Not only do employees have to be trained within the first 60 days of hire, but the law also mandates that a refresher training be conducted every two years. Again, working with a compliance partner will help you formulate an appropriate curriculum, ensure that your trainers stay up to date on any changes, and schedule refresher sessions within the mandated time frame.  

Additional Compliance Guides & Information

Complying with the Texas Privacy Act encompasses many core principles required with regard to other regulatory frameworks. Here are some helpful guides to better inform you along the path to Texas Privacy Act compliance:

Azure Compliance for HIPAA & CCPA

Guide to U.S. Data Protection Compliance

Microsoft 365 and HIPAA Compliance

Complete HIPAA Compliance Checklist

Ransomware Guide for Healthcare

Texas Privacy Act FAQs

How Does the Texas Privacy Act Impact Business Owners?

Under this new law, HIPAA-style standards apply to anyone coming in close contact with PHI — not just hospitals, insurance, and healthcare providers. Any organization that handles sensitive medical records in Texas or for Texas consumers is required to comply.

Does the Texas Privacy Act Require Data Breach Reporting?

Directly, no. However, other Texas statutes mandate prompt breach reporting, so organizations should be prepared in the event a breach does occur. While the main difference between the TMRPA and HIPAA is training, you’re not off the hook when it comes to breach reporting.

How Often Does the Texas Privacy Act Mandate Training?

Every employee must receive PHI handling training within the first 60 days of initial hire. It’s also wise to conduct a company-wide training if you’re just now realizing the Texas Privacy Act applies to your business. After that, training must be conducted at least every two years.

How Much Does Texas Privacy Act Certification Cost?

Typically between $2,500 and $5,000. To become compliant, you’ll likely need a HITRUST certified assessor to come onsite to review your PHI handling processes and training program. Certification also expires after one year, meaning you’ll be subject to this cost annually.

Closing Thoughts

The Texas Medical Records Privacy Act is an attempt to keep pace with both the medical privacy concerns of Texas citizens and other similar frameworks across the globe. It ensures that consumers are guaranteed certain rights that also exist under HIPAA, such as the right to know their medical records and submit requests for changes. It also expands the purview of covered entities, making anyone who handles PHI — medical provider or not — subject to requirements. 

And by implementing more specific data handling education and training mandates, the Texas Privacy Act takes big steps to ensure that PHI is never improperly handled, accessed, or transmitted. As an organization, the best steps you can take towards Texas Privacy Act compliance are having the right data protection technology in place and working with an experienced compliance partner to make implementing the right practices quick and cost-efficient.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

nys-shield-act:-updates-to-pii,-data-security,-and-breach-notification- 
NYS SHIELD Act: Updates to PII, Data Security, and Breach Notification  
After the devastating Equifax incident, the New York State legislature introduced the Stop Hacks and Improve Electronic Data Security or SHIELD Act in order to update the  existing  breach rules....
shield-act-will-update-new-york-state’s-breach-notification-law
SHIELD Act Will Update New York State’s Breach Notification Law
Those of you who have waded through our posts on US state breach notification laws know that there are few very states with rules that reflect our current tech realities....
new-pii-discovered:-license-plate-pictures
New PII Discovered: License Plate Pictures
After finishing up some research on personally identifiable information I thought, mistakenly, that I was familiar with the most exotic forms of PII uncovered in recent years, including zip code-birth...
what-is-the-colorado-privacy-law?
What is the Colorado Privacy Law?
On September 1, 2018, the Colorado Protections for Consumer Data Privacy law, HB 18-1128, goes into effect. A bi-partisan group introduced HB 18-1128 in January, and after the usual negotiations,...