
Physician’s Guide to Privacy & Medical Records Laws in Texas

Written by 99MGMT | Jun 11, 2025 1:13:10 PM

Each patient file you create is more than a clinical record; it’s a vault of deeply personal information. And in Texas, guarding that vault means navigating a complex web of both state and federal privacy laws.

Are your current policies airtight? Can your staff confidently respond to a records request, a data breach, or a departing physician’s transition plan? Many practices assume they’re compliant — until they discover a gap during an audit or request.

If that sounds familiar, you’re not alone. Texas laws add additional layers to HIPAA with faster turnaround times, stricter definitions, and tougher penalties. Even a small oversight can lead to costly consequences.

Let’s break down the key medical records laws in Texas, clarify how they differ from federal requirements, and give you clear, practical steps to help ensure your practice stays compliant and confident (and confidential).


Dual Protection: HIPAA Laws in Texas and State Privacy Regulations

The Health Insurance Portability and Accountability Act (HIPAA) is the federal foundation for safeguarding patient data. Enacted in 1996, HIPAA established national standards for protecting patient health information. It governs how healthcare providers, health plans, and healthcare clearinghouses (the "covered entities") must handle protected health information (PHI). Business associates, such as third-party billing services or IT providers that handle PHI on your behalf, must be bound by formal business associate agreements (BAAs) and are directly liable for complying with the Security Rule.

HIPAA consists of several key rules:

  • Privacy Rule: Defines PHI and sets standards for its use and disclosure, particularly for treatment, payment, and healthcare operations (TPO). It also grants patients the right to access, review, and request corrections to their medical records.

  • Security Rule: Requires healthcare organizations to establish safeguards — administrative, physical, and technical — to protect electronic PHI. This includes measures like encryption, access controls, and regular risk assessments.

  • Breach Notification Rule: Requires notification of affected individuals without unreasonable delay, and no later than 60 days after a breach of unsecured PHI is discovered. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services (HHS) within that same 60-day window, and to prominent media outlets in the affected state; smaller breaches are logged and reported to HHS annually.

HIPAA sets the floor, and Texas privacy laws often impose stricter standards that expand your obligations as a provider.

HIPAA preempts state laws that contradict it, but it does not preempt a state law that is more stringent, meaning one that gives patients greater privacy protection or greater rights. In practice both laws apply and the stricter requirement controls: wherever Texas sets a shorter deadline or a tighter rule than HIPAA, your practice must meet the Texas standard.


Need a Quick Way to Check Your Compliance Status?

Download our free Basic HIPAA Compliance Checklist to identify gaps, strengthen your protocols, and ensure your practice is meeting both federal and Texas requirements.


Understanding Medical Records Laws in Texas

Patient privacy protections in Texas are reinforced through the Medical Records Privacy Act (TMRPA) and the Medical Practice Act.

The Texas Medical Records Privacy Act

The Texas Medical Records Privacy Act (TMRPA — Health & Safety Code Chapter 181) expands beyond HIPAA in several ways:

  • Broader scope: TMRPA applies to a wider range of entities than HIPAA, including any business that “assembles, collects, analyzes, uses, evaluates, stores, or transmits” PHI of Texas residents — even businesses not traditionally classified as healthcare providers.

  • Faster record access: Under TMRPA, you must provide patients with access to their electronic medical records within 15 business days of a written request. HIPAA allows up to 30 days, with one 30-day extension.

  • Fee restrictions: Only reasonable, cost-based charges for copying records are allowed. Administrative or retrieval fees are not permitted.

  • Stricter marketing rules: Texas prohibits the sale of PHI and requires the patient's authorization before PHI is used to send marketing communications, beyond what HIPAA alone demands. Only properly de-identified data falls outside these rules, so de-identification must be genuine, not a cosmetic removal of names.

  • Disclosure transparency: Providers are required to inform patients in writing when their protected health information (PHI) may be shared electronically.

  • Mandatory training: Every employee who will handle PHI must complete privacy training within 90 days of their start date and refresher training at least every two years. Texas also requires you to keep a signed attestation of each completed training, so document attendance.


The Texas Medical Practice Act

The Texas Medical Practice Act (Texas Occupations Code, Chapters 159 and 165), together with the Texas Medical Board rules that implement it (22 TAC Chapter 165), governs the practice of medicine in the state and outlines specific responsibilities for physicians regarding records.

  • Physician’s duty to maintain records: Physicians must maintain clear, complete medical records that document the diagnosis, treatment, and care. This includes patient identity, visit dates, test results, prescriptions, and follow-up recommendations.

  • Record retention requirements: This is a common point of confusion. The Texas Medical Practice Act provides clear guidelines:

    • For adult patients: You must retain medical records for a minimum of seven years from the date of last treatment by the physician. “Treatment” can include phone calls, prescription refills, or other patient contact.

    • For minor patients: Retain medical records for at least seven years after the last treatment or until the patient turns 21, whichever is longer.

    • Litigation hold: Physicians must retain records related to unresolved civil, criminal, or administrative proceedings.

  • Release of medical records: Specifies procedures for releasing records to patients, authorized representatives, or third parties. Patients typically must provide written authorization, except in cases involving TPO or public health needs. Practices must pay special attention to sensitive information (e.g., mental health, substance abuse, HIV/AIDS records), which often requires separate, specific consent.


Texas Identity Theft Enforcement and Protection Act (TITEPA)

TITEPA adds another layer of accountability. It applies to all businesses handling sensitive personal information, not just PHI. Key provisions include:

  • Security requirements: Entities are required to establish administrative, physical, and technical safeguards to ensure the protection of sensitive personal data.

  • Breach reporting: Affected Texas residents must be notified without unreasonable delay and no later than 60 days after the breach is determined to have occurred. If the breach affects at least 250 Texas residents, the business must also notify the Texas Attorney General within 30 days of that determination, in addition to any HIPAA-mandated disclosures. Note that this 30-day clock is shorter than HIPAA's 60 days, so plan your incident response timeline around the stricter deadline.


Release of Medical Records Laws in Texas: Departing Physicians

When a physician leaves a practice, Texas Medical Board Rule §163.4 outlines specific responsibilities to ensure continuity of care and proper record transfer.

  • Patient notification: The departing physician is primarily responsible for ensuring patients receive reasonable notification and the opportunity to obtain copies of their records or arrange for their transfer. This applies even if the departing physician is part of a group practice.

  • Methods of notification:

    • Direct communication: A letter or email must be sent to each patient seen by the departing physician in the last two years. First-class mail is recommended, with certified mail for high-risk patients.

    • Public notice: You must post a notice prominently in the practice office and on the practice website at least 30 days before the departure. Publishing the notice in newspapers is an optional alternative.

  • Content: The notice must include the effective date of departure, clear instructions on how to obtain or transfer records, the new practice’s name/location (if applicable), details of the new record custodian, applicable fees for records, and a statement about record destruction after the retention period. The notice can’t solicit or persuade patients to follow the departing physician.

  • Practice responsibilities: The practice must provide the departing physician with a list of patients seen in the last two years. No remaining physician may interfere with the departing physician’s duty to provide these notices.

  • Record custodianship: The physician or practice must arrange a secure storage place for original medical records, consistent with privacy laws and safe from hazards. The physician, or their designated representative, must inform the Texas Medical Board of who will maintain the records and how patients can access them. The appointed custodian is responsible for maintaining the confidentiality of the documents and responding to future patient requests.


Common Compliance Challenges in Texas Health Medical Records Management

Limited administrative resources often make it challenging for smaller healthcare providers to stay fully compliant. Common pitfalls include:

  • Missed record access deadlines: Failing to provide records within Texas's 15-business-day window can result in fines, even if you would still be inside HIPAA's 30-day limit.

  • Outdated business associate agreements: These must be current and comprehensive, clearly outlining data handling responsibilities.

  • Inconsistent training: Irregular or insufficient training can leave employees unaware of privacy protocols and risks.

  • Insufficient data security: Failing to implement encryption, access controls, and secure disposal methods exposes PHI to potential breaches.

  • Improper disposal of records: Practices must destroy paper and digital PHI in a way that prevents unauthorized access.


Penalties for Noncompliance

Violations of release of medical records laws in Texas, HIPAA, or state-specific acts can lead to:

  • HIPAA: Civil penalties are tiered by culpability, with base amounts from $100 to $50,000 per violation and an annual cap of $1.5 million per provision; these figures are adjusted for inflation each year, so the current amounts are higher. Criminal charges apply to knowing or malicious misuse of PHI and can include steep fines and jail time.

  • Texas Medical Records Privacy Act: Civil penalties are tiered as well: up to $5,000 per negligent violation, up to $25,000 per knowing or intentional violation, and up to $250,000 per violation committed for financial gain, with an annual cap of $1.5 million where violations form a pattern. The state may also pursue injunctions and, for licensed providers, refer the matter to the licensing board.

  • Texas Medical Practice Act: May trigger disciplinary action by the Texas Medical Board, including license suspension or revocation.

  • Reputational damage: A breach can erode patient trust, trigger public complaints, and attract heightened scrutiny from regulators.


Best Practices for Managing Texas Health Medical Records

To meet your legal responsibilities and protect your patients, implement these best practices:

  • Establish written policies: Document and regularly update your procedures for managing medical records, from collection to release.

  • Provide targeted training: Onboard new staff with role-specific training and offer refreshers at least annually.

  • Conduct risk assessments: Perform regular audits to identify vulnerabilities in your data privacy and security protocols.

  • Maintain strong BAAs: Ensure vendors with PHI access have a signed, up-to-date agreement.

  • Invest in secure systems: Use EHR software with role-based access controls and audit logging so you can show who viewed or changed a record and when. Encrypt all devices and backups, require multi-factor authentication for remote and administrative access, and keep firewalls, operating systems, and applications patched.

  • Assign a compliance lead: A designated privacy officer helps enforce internal policies and respond to incidents.

  • Monitor regulatory changes: Stay current with updates from the Texas Medical Board, HHS OCR, and industry-specific news.


Building a Foundation of Trust Through Compliance

Texas medical records laws set a high bar — and for good reason. They protect patient privacy, clarify physician responsibilities, and shape the standards of ethical care across the state.

Meeting those standards takes more than basic awareness. It requires documented policies, consistent training, secure technology, and a commitment to staying current with every regulatory update. With the right approach, your practice can avoid costly missteps and reinforce the trust your patients place in you.

Ready to assess your compliance? Connect with 99MGMT for a personalized review of your medical record management strategy.