
Texas NPP Requirements: HB300 + HIPAA

By NPP Generator Research Team  ·  Published Apr 25, 2026  ·  Last reviewed Apr 28, 2026  ·  7 min read

Quick answer: Texas covered entities follow HIPAA's NPP rules under 45 CFR § 164.520 plus the stricter Texas Medical Records Privacy Act (HB300). HB300 expands the federal definition of "covered entity," requires biennial HIPAA training, imposes 60-day breach notification, and makes electronic disclosures of PHI subject to specific consent requirements that should be reflected in the NPP.

Texas's Medical Records Privacy Act — usually called HB300 — went into effect in 2012 and was meaningfully strengthened in 2021. Any Texas-licensed practice subject to HIPAA also has to comply with HB300, which is generally more protective. The interaction shows up in a few specific places in your Notice of Privacy Practices.

Family resources. For broader cross-state context, see ComplyCreate's HIPAA vs state privacy laws guide.

How HB300 expands the HIPAA covered-entity definition

HIPAA's covered-entity definition is narrow: providers who electronically transmit PHI in the course of standard transactions, health plans, and clearinghouses. HB300's covered-entity definition is broader. It captures any person, organization, or business that obtains, assembles, collects, analyzes, evaluates, stores, or transmits PHI for any purpose other than the patient's own health care needs. That sweeps in many organizations that aren't HIPAA covered entities but handle PHI — for instance, employers running self-funded health plans, certain wellness vendors, and some HR-adjacent services.

If your Texas practice is HIPAA-covered, you're definitely HB300-covered. If you're a Texas business that touches PHI but isn't HIPAA-covered, you may still be HB300-covered and need NPP-style disclosures.

What HB300 requires that HIPAA does not

Three obligations sit on top of standard HIPAA NPP content for Texas covered entities:

Texas-specific NPP language to include

Texas covered entities should add or reinforce these clauses in the NPP:

Sensitive-record categories with extra Texas protection

Texas applies extra protection to several record categories. The NPP should disclose these as authorization-required uses (or note that disclosure follows the stricter rule):

Distribution and posting in Texas

HIPAA's distribution rules apply uniformly: provide the NPP at the first patient encounter, post it on the practice's public website, and post it visibly at every clinical location. HB300 doesn't add distribution requirements, but a few practical notes apply to Texas practices:

How this fits with the HHS February 2026 revised model

The HHS February 2026 final rule revised the NPP model and clarified several content requirements. Practices issuing or updating an NPP after February 16, 2026 should align to the new model. Key changes that affect every NPP regardless of specialty include: the addition of mandatory language describing the practice's safeguards against unauthorized AI-driven uses of PHI; updated breach-notification language reflecting Cures Act information-blocking interactions; refined Right of Access language describing electronic-format options; and updated language around marketing communications.

For practices that updated to the HHS Feb 2026 model upon publication, no further regulatory NPP work is required until the next material change. Practices still on pre-February-2026 templates should update before their next material-change cycle to avoid drift.

Common implementation pitfalls

Across audits and routine compliance reviews, several specific implementation pitfalls recur:

Audit-readiness considerations

When OCR or a state regulator audits, the NPP review typically asks for:

Quick reference checklist

When producing or updating an NPP, work through this checklist:

How NPP Generator helps

Producing a HIPAA-compliant Notice of Privacy Practices from scratch — even with the HHS February 2026 model as a starting point — typically takes a few hours of attention to entity-specific details: practice name, locations, Privacy Officer, vendor relationships, state-specific overlays, sensitive-record categories, communication preferences, and effective-date management.

NPP Generator's tool walks through a guided intake, captures the practice-specific information, and produces a formatted PDF and editable Word document aligned to the HHS February 2026 model in about five minutes. The tool also handles state-specific overlay language for the major state-law regimes and produces a current-effective-date document ready for distribution. For practices that need state-specific overlay (Texas HB300, Illinois MHDDC, California CMIA/CCPA, etc.), the tool's state-handler ensures the right elevated-protection language appears in your final document.

About state-law and federal preemption

HIPAA establishes a federal floor for health-information privacy. State laws are not preempted where they are more protective of patient privacy than HIPAA — that's the basic preemption rule under 45 CFR § 160.203. The interaction can be subtle: a state law may be stricter on a specific topic (HIV records, mental-health records, genetic information) without being globally stricter than HIPAA. The NPP must reflect the stricter rule wherever it applies. Practices serving patients in multiple states often issue a single NPP that incorporates the strictest applicable rules across those states; multi-state organizations sometimes use state-specific NPP versions for clarity. For organizations subject to specific federal regimes beyond HIPAA — 42 CFR Part 2 for SUD, FERPA for educational records, Title X for federally-funded family-planning services — the NPP should describe how those regimes interact with HIPAA's framework.

Further reading

For more on the topics covered here:



Frequently Asked Questions

Does HB300 require a separate Texas NPP?
No, you don't need a separate document. A single NPP that meets HIPAA's 45 CFR § 164.520 requirements and adds the Texas-specific language (training program, electronic-marketing authorization, AG complaint route, sensitive-record categories) satisfies both.
Who enforces HB300 against my practice?
The Texas Attorney General's office enforces HB300 directly. Civil penalties run up to $1.5 million per year for violations involving the PHI of more than 5,000 patients. The AG can bring actions in addition to OCR's federal HIPAA enforcement.
Does HB300 apply to out-of-state telehealth providers seeing Texas patients?
Yes. If you're providing healthcare services to Texas residents — even from another state via telehealth — HB300 applies to the PHI of those Texas residents. Your NPP should address Texas-specific requirements for those patients.
What's the HB300 training requirement specifically?
HB300 § 181.101 requires that each Texas covered entity provide HIPAA training tailored to the employee's job within 90 days of hire and at least every two years. The training must be documented (signed acknowledgment from each employee). HHS-OCR doesn't require biennial training; HB300 does.
Do I need to update my Texas NPP for the HHS February 2026 revised model?
Yes. The HHS February 2026 final rule modifies NPP content requirements for all HIPAA-covered entities, including those in Texas. Update the NPP to align with the new model and re-distribute when material changes are made.