Texas HB 300: Why Texas Dental Practices Face Stricter Rules Than HIPAA
Texas House Bill 300 — the Texas Medical Records Privacy Act — extends beyond federal HIPAA in ways that directly affect every dental practice in the state. With stricter deadlines, mandatory opt-in for marketing, a private patient right of action, and fines up to $1.5 million per year, Texas operates under the most demanding healthcare privacy framework in the US.
- $1.5M: Max annual fine (TX AG)
- 15 days: Patient records deadline
- 90 days: New hire training deadline
- 28,000+: Dentists in Texas
2026 Compliance Note: Texas HB 300 fines are imposed separately from federal HIPAA penalties. A single violation can trigger both Texas AG enforcement ($1.5M cap) and OCR federal action ($1.9M cap) simultaneously — and any Texas patient can also sue your practice directly in state court.
ADA-Endorsed Solution
Get HB 300-Ready with Compliancy Group
Compliancy Group's platform covers both HIPAA and Texas HB 300 requirements — including state-specific training modules, BAA management, and audit-ready documentation.
See How It Works for Texas Practices →
Texas HB 300 vs. Federal HIPAA
Where Texas law is stricter, the Texas standard controls — even if your practice is federally HIPAA compliant.
| Rule | Federal HIPAA | Texas HB 300 |
|---|---|---|
| Patient records request deadline | 30 days | 15 days |
| New employee training deadline | No federal mandate | Within 90 days of hire |
| Annual staff training | Required | Required (Texas-specific content) |
| Marketing use of PHI | Opt-out allowed | Opt-in required |
| Patient right to sue | No private right of action | Direct lawsuit in TX court |
| Who must comply | Covered entities + BAs | Any entity touching PHI in TX |
| Max annual fine (state) | $1.9M (federal) | $1.5M + federal on top |
How HB 300 Affects Texas Dental Practices Specifically
X-Ray and Imaging Transfers
When sending dental X-rays or CBCT scans to a specialist or referral network in Texas, the receiving provider is also subject to HB 300. Your BAA with them must reflect Texas law — not just HIPAA. Missing this is one of the most common violations in multi-provider dental networks.
Required Office Notice
Texas law requires dental practices to post a notice informing patients of their rights under HB 300 — separate from the standard HIPAA NPP. This notice must be displayed prominently in the waiting area and provided in writing at the first visit.
Social Media and Before/After Photos
Using patient before/after photos in marketing requires affirmative opt-in under HB 300 — not just a general consent form. A patient who consented to treatment photos but not marketing use can sue your practice directly in Texas court. Separate, written marketing consent forms are required.
Billing and Third-Party Vendors
HB 300 covers billing companies, clearinghouses, and software vendors who touch PHI of Texas patients — even if those vendors are outside Texas. Your contracts with all vendors must include HB 300 obligations or you face direct liability for their actions.
HB 300 Compliance Checklist for Dental Practices
Six steps Texas dental practices should complete immediately.
Update your Notice of Privacy Practices (NPP)
Your NPP must explicitly reference Texas HB 300 and patient rights under state law — not just HIPAA. Post it visibly in your office and give it to every new patient.
Document HB 300 training for all staff
Standard HIPAA training does not satisfy HB 300. New hires must complete Texas-specific privacy training within 90 days. Keep signed training records — the AG can request them.
Review all Business Associate Agreements (BAAs)
Your BAAs must cover Texas law obligations in addition to HIPAA. Imaging labs, billing vendors, and referral networks handling PHI of Texas patients all need updated agreements.
Audit your patient records request process
You have 15 days — not 30 — to fulfill patient records requests in Texas. Review your workflow and ensure front desk staff know the state deadline.
Review your marketing consent process
Texas requires affirmative opt-in before using patient PHI for marketing purposes. Opt-out language (common in HIPAA-only policies) does not satisfy HB 300.
Run a Security Risk Analysis
An SRA documents your compliance posture and is the first thing the Texas AG requests in an investigation. If you haven't done one in the last 12 months, this is your highest-priority action.
2026 Dental HIPAA SOP Kit — Includes Texas HB 300 Templates
47 ready-to-use templates including HB 300-compliant NPP language, BAA templates, staff training sign-off sheets, and a marketing consent form. One-time $149 — instant delivery.
Get the SOP Kit — $149 →
Frequently Asked Questions — Texas HB 300
Does Texas HB 300 apply to all dental practices in Texas?
Yes. Texas HB 300 applies to any entity that handles protected health information (PHI) of Texas residents — including dental practices, billing vendors, imaging labs, and referral networks. This is broader than federal HIPAA, which only covers 'covered entities' and their business associates.
How is Texas HB 300 different from HIPAA for dental practices?
HB 300 is stricter in three key ways: (1) practices have 15 days (not 30) to provide patients with their records; (2) new employees must be trained within 90 days of hire; (3) patients can sue your practice directly in Texas court without filing an OCR complaint first.
What are the fines for violating Texas HB 300?
The Texas Attorney General can impose fines of $5,000 per negligent violation and up to $25,000 per knowing violation. Total penalties can reach $1.5 million per year for each category of violation — these are separate from and in addition to any federal HIPAA fines.
Does my dental practice need separate HB 300 training for staff?
Yes. HB 300 requires training that specifically covers Texas patient privacy rights — standard HIPAA training does not satisfy this requirement. New employees must complete HB 300 training within 90 days of hire, and all staff must be retrained annually.
Can Texas dental patients sue my practice under HB 300?
Yes. Unlike federal HIPAA (which has no private right of action), Texas HB 300 gives patients the right to sue dental practices directly in Texas state court for unauthorized disclosure of their PHI. This creates civil liability exposure that does not exist under federal law alone.