Texas Medical Records Privacy Act: Ultimate Guide
Post Summary
TMRPA applies to any individual or organization that handles Protected Health Information for commercial, financial, or professional purposes — a scope significantly broader than HIPAA's covered entities. While HIPAA covers health plans, healthcare clearinghouses, qualifying healthcare providers, and qualifying business associates, TMRPA additionally covers IT providers, law firms, accounting firms, website owners, research institutions, sports teams, schools, and employers. Any employee, agent, or contractor of a covered entity who works with PHI is also covered. Critically, TMRPA applies regardless of geographic location — a New York IT firm managing cloud storage for a Texas resident's PHI must comply with TMRPA. Organizations outside Texas must review whether they process or store PHI of Texas residents, as this triggers full TMRPA compliance obligations.
TMRPA enforces several requirements stricter than HIPAA's federal standards. Electronic health record access requests must be fulfilled within 15 business days of a written request — compared to HIPAA's 30-day standard. Employee privacy training must be completed within 90 days of hire — compared to HIPAA's more flexible reasonable period standard, with refresher training required every two years or following material policy changes. Breach reporting to the Texas Attorney General is required when 250 or more Texas residents are affected — a lower threshold than HIPAA's 500-individual federal reporting requirement. Breaches affecting any number must trigger individual notification within 60 days of discovery. All compliance records must be retained for six years and training documentation for five years.
TMRPA places firm restrictions on PHI use that go beyond federal standards. Re-identifying de-identified health information is strictly prohibited — even if an organization has the technical means to reverse the process, doing so violates the Act. Selling PHI is generally forbidden except in specific cases including treatment, payment, healthcare operations, or maintenance as outlined in the Insurance Code. Using PHI for profit outside these exceptions is not permitted. For marketing, organizations must obtain express written authorization from patients before using their PHI for any marketing purpose, and any marketing materials sent via mail or email must include a functional toll-free opt-out number that recipients can use immediately.
Patients have the right to receive electronic health records within 15 business days of a written request. They may request corrections to inaccurate PHI — if an organization denies the request, it must provide written explanation, and patients may submit a statement of disagreement that the organization must permanently attach to their record. Patients may request an accounting of disclosures showing how their PHI has been used or shared. Retrieval fees are strictly prohibited, though organizations may charge reasonable copying and mailing fees. Texas residents have a unique right to request that PHI not be disclosed to health plans when they pay entirely out-of-pocket. For electronic disclosures, organizations must obtain explicit patient consent and post clearly visible plain-language notices of electronic disclosure practices — not buried in lengthy policies.
Negligent violations carry penalties up to $5,000 per instance within a year. Knowing or intentional violations carry up to $25,000 per violation annually. Intentional misuse of PHI for financial gain carries up to $250,000 per violation. Organizations with a pattern or practice of violations face annual penalties up to $1.5 million. Breach notification failures carry fines of $100 per affected individual up to $250,000 total. State licensing agencies may impose probation, suspension, or license revocation, and violators may be excluded from state-funded programs. Vendors and third-party service providers face the same civil penalties as healthcare providers — TMRPA's expanded covered entity definition makes IT providers, law firms, and research organizations directly liable rather than treating them as business associates.
Censinet RiskOps™ helps organizations manage TMRPA compliance by automating risk assessments and securely storing compliance documentation for six years as required. The platform provides real-time visibility enabling administrators to detect unauthorized PHI access or changes quickly, consolidates vendor risk assessments and compliance records to verify that all third-party vendors meet TMRPA standards, and supports the regular audits and gap analyses required to identify compliance gaps before they escalate into violations. For organizations managing multiple vendors with Texas-specific obligations — including the 15-day EHR access requirement and 90-day training deadlines — Censinet RiskOps™ centralizes tracking across the full vendor portfolio, replacing the manual monitoring that creates documentation gaps and missed deadlines.
The Texas Medical Records Privacy Act (TMRPA) is a state law that enforces strict rules for managing Protected Health Information (PHI). Unlike HIPAA, which focuses on specific healthcare entities, TMRPA applies to any individual or business handling PHI for commercial, financial, or professional purposes - including IT providers, law firms, and even sports teams. Organizations outside Texas must also comply if they deal with PHI from Texas residents.
Key highlights of TMRPA:
- Coverage extends to any individual or organization that handles PHI for commercial, financial, or professional purposes, wherever it is located.
- Electronic health records must be provided within 15 business days of a written request.
- Privacy training is required within 90 days of hire, with refresher training every two years or after material policy changes.
- Breaches affecting 250 or more Texas residents must be reported to the Texas Attorney General, and affected individuals must be notified within 60 days of discovery.
- Re-identifying de-identified data and selling PHI outside narrow exceptions are prohibited; marketing uses require express written authorization and a toll-free opt-out.
- Civil penalties range from $5,000 to $250,000 per violation, with an annual cap of $1.5 million for a pattern or practice of violations.
Compliance involves timely staff training, clear electronic disclosure notices, regular audits, and robust third-party vendor risk management. Non-compliance can result in hefty fines and reputational damage. Whether you're a healthcare provider, IT vendor, or any entity handling PHI, understanding TMRPA is critical to avoid penalties and protect patient privacy.
Who Must Comply with TMRPA

TMRPA vs HIPAA: Key Differences in Healthcare Privacy Requirements
This section breaks down who falls under the Texas Medical Records Privacy Act (TMRPA) and highlights how its scope differs from HIPAA.
Organizations and Individuals Covered by TMRPA
TMRPA casts a wide net, covering more entities than most healthcare privacy laws. It applies to anyone or any organization that handles Protected Health Information (PHI) for commercial, financial, or professional purposes [1].
Traditional healthcare entities like hospitals, doctors, nurses, health plans, insurance companies, and clearinghouses are included [3]. But TMRPA goes further, encompassing non-traditional entities such as:
- IT service providers and cloud storage vendors
- law firms and accounting firms
- website owners
- research institutions
- sports teams
- schools and employers
These groups are required to comply if they come into contact with PHI.
"Unlike HIPAA – which only applies to health plans, health care clearinghouses, qualifying healthcare providers, and qualifying business associates – the Texas Medical Records Privacy Act applies to sports teams, IT service providers, website owners, lawyers, accountants, etc. who come into possession of, obtain, or store PHI."
– Steve Alder, Editor-in-Chief, The HIPAA Journal
The Act also extends to "any employee, agent, or contractor" of a covered entity who works with PHI [6]. This means many groups that HIPAA classifies as Business Associates are treated as full-fledged covered entities under TMRPA [5].
How TMRPA Coverage Differs from HIPAA
TMRPA's broader scope requires a different approach compared to HIPAA. Here are the key differences:
| Feature | HIPAA | TMRPA |
|---|---|---|
| Covered entities | Healthcare providers, plans, clearinghouses | Any entity handling PHI for gain, including lawyers, IT firms, etc. |
| Geographic scope | National (U.S.) | Any entity handling PHI of Texas residents, regardless of location |
| Training deadline | Within a reasonable period | Within 90 days of employment |
| Access requests | 30 days to respond | 15 business days for electronic health records |
| Breach reporting | 500+ individuals for federal reporting | 250+ Texas residents for state AG reporting |
Businesses outside Texas should review their databases to see if they process or store PHI of Texas residents. If they do, they must comply with TMRPA. This includes setting up training programs, keeping training documentation for at least five years and compliance records for six, and meeting strict deadlines like the 15-business-day limit for electronic health record requests [3].
TMRPA Requirements and Rules
TMRPA sets strict guidelines to protect PHI and establish clear operational rules for organizations. By understanding and adhering to these regulations, organizations can avoid violations and safeguard patient privacy.
Restrictions on PHI Use
TMRPA places firm limits on how organizations can use PHI, going beyond federal standards in some areas. For example, re-identifying de-identified health information is strictly prohibited. Even if an organization has the technical means to reverse the de-identification process, doing so is not allowed under the Act.
Another major restriction involves the sale of PHI. Selling PHI is generally forbidden, except in specific cases like treatment, payment, healthcare operations, or maintenance as outlined in the Insurance Code. Using PHI for profit outside these exceptions is not permitted.
Marketing practices face additional scrutiny under TMRPA. Organizations must obtain express written authorization from patients before using their PHI for marketing purposes. Furthermore, any marketing materials sent via mail or email must include a toll-free number for recipients to opt out immediately. This opt-out option must be easy to use and functional. These marketing rules set a higher bar than federal standards, ensuring patients have more control over how their information is used.
Electronic Disclosure and Patient Consent
When it comes to electronic PHI disclosures, TMRPA requires covered entities to obtain explicit patient consent. Additionally, organizations must post a clear and visible notice explaining their electronic disclosure practices, with exceptions outlined in Section 181.154(e). This applies to various forms of digital communication, such as emails, cloud storage transfers, and third-party data sharing.
These notices must not be hidden in lengthy policies. Instead, they should be easy to find and written in plain language so patients can quickly understand how their information is handled in digital environments. Organizations should regularly update their privacy notices to reflect these electronic disclosure requirements.
Texas residents also have a unique right under TMRPA: they can request that PHI not be disclosed to health plans if they pay for a service entirely out-of-pocket. This provision gives patients more control over their information, particularly when they choose to self-pay for healthcare services. These rules on electronic disclosures tie into broader patient rights discussed below.
Patient Rights Under TMRPA
TMRPA grants patients enforceable rights designed to ensure transparency and control over their PHI. For example, organizations using EHR systems must comply with a 15-business-day deadline for providing electronic health records after receiving a written request. This timeline is non-negotiable.
Patients also have the right to request corrections to inaccurate PHI in their records. If an organization denies such a request, it must provide a written explanation. Patients can then submit a statement of disagreement, which the organization must attach to their permanent record. This process allows patients to challenge inaccuracies, even if the organization does not agree with their claims.
Another critical right is the accounting of disclosures, which allows patients to request a detailed report showing how their PHI has been used or shared over a specific period. To meet this requirement, organizations must maintain thorough logs of all PHI disclosures. While they may charge reasonable fees for copying and mailing records, retrieval fees are strictly prohibited under TMRPA. This ensures patients can access their information without facing unnecessary financial barriers.
Penalties for TMRPA Violations
Violating the TMRPA can lead to severe financial repercussions. The Texas Attorney General is empowered to seek both injunctive relief and civil penalties against any covered entity that violates the Act’s requirements [7].
Civil Penalties and Fines
The penalties for TMRPA violations are tiered by the severity and intent behind the infraction: up to $5,000 per violation for negligent violations, up to $25,000 per violation for knowing or intentional violations, and up to $250,000 per violation where PHI is knowingly or intentionally used for financial gain. The statute sets the top tier as follows:
"A civil penalty assessed under this section may not exceed... $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain." - TX Health & Safety Code § 181.201
For organizations with a pattern of violations, courts can impose annual penalties up to $1.5 million [7][9]. When determining the penalty amount, courts consider factors like the seriousness of the violation, the entity’s compliance history, the potential harm to patients, and steps taken to address the issue [7].
Specific provisions apply to electronic disclosures under Section 181.154. If a violation occurs between covered entities for authorized purposes and the organization has encryption protocols, prevents further data release, or demonstrates strong security training, penalties may be capped at $250,000 annually [7].
State licensing agencies can also take action, such as probation, suspension, or revocation of a professional license [8]. Violators may be excluded from state-funded programs [2]. In cases involving breach notification failures, fines of $100 per individual (up to $250,000 total) may apply if proper notifications are not sent [2].
| Violation type | Penalty amount (per violation/year) | Annual cap |
|---|---|---|
| Negligent | $5,000 | N/A |
| Knowing or intentional | $25,000 | N/A |
| Intentional for financial gain | $250,000 | N/A |
| Pattern or practice | N/A | $1.5 million |
| Electronic disclosure (with mitigating factors) | N/A | $250,000 |
Beyond financial penalties, TMRPA also holds third-party vendors accountable for violations.
Vendor and Third-Party Liability
Vendors and third-party service providers are equally liable under TMRPA. The Act’s expanded definition of "covered entity" includes vendors such as IT providers, legal firms, and research organizations, making them directly responsible for compliance [9][11]. They face the same civil penalties as healthcare providers, emphasizing the shared responsibility for protecting PHI.
TMRPA requires vendors to notify affected individuals of a breach within 60 days of discovery [3]. If the breach affects 250 or more Texas residents, the Texas Attorney General must also be informed [10][11]. Vendors must maintain Business Associate Agreements (BAAs) that outline PHI handling protocols [11]. They are also required to provide privacy training to employees within 90 days of their start date, with refresher training every two years [2][4][3].
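The thresholds and deadlines above are easy to miscount under incident pressure, particularly when a breached export contains duplicate rows or residents of several states. The helper below is an added example written for this page, not statutory text and not a Censinet feature: it deduplicates affected individuals, counts Texas residents, reports which notifications the thresholds stated on this page trigger, and computes the 60-day individual notice date and the 15-business-day electronic record deadline. The business-day rule skips weekends only; holiday handling and the exact statutory counting conventions are assumptions to confirm against the Act itself.

```python
"""Breach-notification triage and EHR access-deadline helper.

Added example for this page. It encodes the thresholds the page states
(250+ Texas residents -> Texas Attorney General; 500+ individuals -> immediate
HHS report, fewer -> annual HHS log for HIPAA covered entities; 60 days for
individual notice; 15 business days for electronic record requests). It is not
legal advice: the business-day rule skips weekends only, and holiday handling
is an assumption left open.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

TMRPA_AG_THRESHOLD = 250             # Texas residents affected
HIPAA_HHS_IMMEDIATE_THRESHOLD = 500  # individuals affected
INDIVIDUAL_NOTICE_DAYS = 60          # calendar days from discovery
EHR_ACCESS_BUSINESS_DAYS = 15        # business days from written request


@dataclass(frozen=True)
class Affected:
    person_id: str   # stable identifier so duplicate rows collapse to one person
    state: str       # two-letter state of residence


def breach_obligations(affected, discovered_on_iso):
    """Deduplicate by person, count residents per state and derive what must be filed."""
    unique = {a.person_id: a for a in affected}.values()
    by_state = Counter(a.state for a in unique)
    total = len(unique)
    tx = by_state.get("TX", 0)
    discovered = date.fromisoformat(discovered_on_iso)
    return {
        "individuals": total,
        "texas_residents": tx,
        "texas_ag_report": tx >= TMRPA_AG_THRESHOLD,
        "hhs_immediate_report": total >= HIPAA_HHS_IMMEDIATE_THRESHOLD,
        "hhs_annual_log": 0 < total < HIPAA_HHS_IMMEDIATE_THRESHOLD,
        "individual_notice_by": (discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)).isoformat(),
    }


def add_business_days(start, n):
    """Date n business days after start, counting Monday to Friday only (assumed calendar)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def ehr_access_deadline(request_received_iso):
    """Last day to fulfil an electronic record request received on the given date."""
    start = date.fromisoformat(request_received_iso)
    return add_business_days(start, EHR_ACCESS_BUSINESS_DAYS).isoformat()


def sample_breach():
    """Constructed export: 300 distinct people, 260 of them Texas residents,
    plus 25 duplicate rows such as a second extract would produce."""
    people = [Affected(f"P{i:04d}", "TX" if i < 260 else "OK") for i in range(300)]
    return people + people[:25]


if __name__ == "__main__":
    print(breach_obligations(sample_breach(), "2025-03-03"))
    print("EHR request received 2025-03-03, due", ehr_access_deadline("2025-03-03"))
```

With the constructed sample, 300 unique individuals and 260 Texas residents are counted despite the 325 input rows, so the Texas Attorney General report is triggered while the federal 500-person immediate report is not. Keying on a stable person identifier rather than raw rows is the detail that matters most in real incidents.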
Healthcare organizations should audit their vendor networks to ensure compliance. This includes verifying that employees have completed required training and that BAAs meet Texas-specific rules, such as the 15-day record access requirement [11]. Tools like Censinet RiskOps™ can assist in managing third-party compliance through effective third-party risk assessments and collaborative workflows.
How to Comply with TMRPA
Meeting TMRPA requirements involves thorough measures across your entire organization and vendor network. Non-compliance can lead to severe penalties, so understanding and implementing these strategies is critical. The TMRPA applies to any entity or individual handling PHI for professional, financial, or commercial purposes, including law firms, IT providers, and researchers [3][1]. Here's a breakdown of the key steps to stay compliant.
Staff Training and Documentation
Employees must undergo TMRPA-specific training within 90 days of their start date [1][3]. This is a stricter timeline compared to HIPAA's "reasonable and appropriate" standard. The training should cover state-specific rules, such as:
- the 15-business-day deadline for electronic health record requests
- express written authorization and toll-free opt-out requirements for marketing uses of PHI
- the prohibition on re-identifying de-identified information and on selling PHI outside the permitted exceptions
- patient consent and notice requirements for electronic disclosures
- breach notification duties, including the 250-resident Texas Attorney General threshold and the 60-day individual notice deadline
Refresher training is essential every two years or whenever there's a significant policy change [4][3]. As Steve Alder, Editor-in-Chief of The HIPAA Journal, explains:
"The provision of refresher training when there is a material change to policies and procedures is necessary to ensure all members of the workforce affected by the change are made aware of it."
If your organization uses automated decision-making tools, the training should also address new requirements like the Texas Responsible AI Governance Act [1].
It’s equally important to maintain thorough records. Keep training documentation for five years and compliance records for six [3][1]. Encourage employees to report potential privacy violations through anonymous channels. This not only helps detect breaches early but also promotes a compliance-focused workplace culture [1].
Technology plays a crucial role in supporting these efforts.
Using Technology for Compliance Management
Managing TMRPA compliance can be daunting, but technology simplifies the process. Automated tools for data discovery and classification can scan emails, cloud storage, and servers to locate and inventory PHI [4][2]. Role-based access systems ensure only authorized personnel can access sensitive information [12][14].
Platforms like Censinet RiskOps™ help healthcare organizations centralize compliance management. This tool automates risk assessments and securely stores documentation for six years [12]. It also provides real-time visibility, enabling administrators to detect unauthorized changes or breaches quickly [2]. For those dealing with multiple vendors, Censinet RiskOps™ consolidates risk assessments and compliance records, ensuring all third-party vendors meet TMRPA standards. Effective vendor oversight is crucial, given the strict penalties for violations.
Regular Audits and Risk Monitoring
Continuous monitoring is vital to identify compliance gaps before they escalate into violations. Regular internal audits ensure that PHI collection, handling, and storage practices align with TMRPA rules [4]. For example, verify that third-party cloud providers store Texas patient records within the United States [12][13].
Data security platforms can assist with ongoing monitoring by tracking PHI access and generating compliance reports [2]. These tools should also alert administrators to suspicious activity or unauthorized changes in real time.
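As an added illustration of what such monitoring does in practice (example code written for this page, not a Censinet or TMRPA artifact): the script below parses constructed PHI access-log lines, produces an accounting of disclosures for one patient over a date range as described under patient rights above, and raises alerts for three patterns a reviewer would want surfaced: a role using PHI for a purpose it is not permitted, a marketing disclosure with no written authorization on record, and one account reaching many distinct patients in a short window. The log format, the role-to-purpose policy, the `auth_ref` column and the bulk-access threshold are all assumptions.

```python
"""PHI access-log review: an accounting of disclosures for one patient and
alerts for access patterns that warrant review.

Added example for this page. The log format, the role-to-purpose policy,
the auth_ref column and the bulk-access threshold are assumptions; nothing
here is taken from the statute or from any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Assumed pipe-separated format:
# timestamp|user|role|patient_id|action|purpose|recipient|auth_ref
SAMPLE_LOG = """\
2025-03-03T09:12:00|dr.ortiz|physician|MRN1001|view|treatment|-|-
2025-03-03T09:15:00|dr.ortiz|physician|MRN1001|disclose|treatment|Mercy Cardiology|-
2025-03-03T14:02:00|billing.kim|billing|MRN1001|disclose|payment|BlueCross TX|-
2025-03-05T10:00:00|mkt.lee|marketing|MRN1001|disclose|marketing|VendorCo|-
2025-03-06T11:30:00|mkt.lee|marketing|MRN1002|disclose|marketing|VendorCo|AUTH-2025-017
2025-03-07T03:10:00|it.admin|it|MRN1001|export|treatment|-|-
"""
# Twelve exports by one service account within two minutes, constructed to trip the bulk rule.
SAMPLE_LOG += "".join(
    f"2025-03-08T02:{40 + i // 6:02d}:{(i * 10) % 60:02d}|svc.backup|it|MRN2{i:03d}|export|maintenance|-|-\n"
    for i in range(12)
)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    action: str      # view | disclose | export
    purpose: str     # treatment | payment | operations | maintenance | marketing
    recipient: str   # who received the PHI on a disclosure, "-" otherwise
    auth_ref: str    # reference to a written patient authorization, "-" if none


# Assumed access policy: the purposes for which each role may touch PHI.
ROLE_PURPOSES = {
    "physician": {"treatment"},
    "billing": {"payment", "operations"},
    "it": {"maintenance"},
    "marketing": {"marketing"},
}
BULK_PATIENTS = 10                   # distinct patients touched by one user ...
BULK_WINDOW = timedelta(minutes=10)  # ... inside this window raises an alert


def parse_log(text):
    """Parse the assumed log format into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, pid, action, purpose, recipient, auth_ref = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, pid,
                                  action, purpose, recipient, auth_ref))
    return sorted(events, key=lambda e: e.ts)


def accounting_of_disclosures(events, patient_id, start_iso, end_iso):
    """Disclosure entries for one patient within [start, end], oldest first."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [e for e in events
            if e.patient_id == patient_id and e.action == "disclose" and start <= e.ts <= end]


def find_alerts(events):
    alerts = []
    for e in events:
        # Rule 1: the role is not allowed to use PHI for the logged purpose.
        if e.purpose not in ROLE_PURPOSES.get(e.role, set()):
            alerts.append(f"ROLE_PURPOSE_MISMATCH {e.user} ({e.role}) accessed "
                          f"{e.patient_id} for {e.purpose}")
        # Rule 2: marketing use with no written authorization on record.
        if e.purpose == "marketing" and e.auth_ref == "-":
            alerts.append(f"MARKETING_NO_AUTHORIZATION {e.user} disclosed "
                          f"{e.patient_id} to {e.recipient}")
    # Rule 3: one account reaching many distinct patients in a short window.
    by_user = defaultdict(list)
    for e in events:               # events are already time-ordered
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        lo = 0
        for hi, e in enumerate(evs):
            while e.ts - evs[lo].ts > BULK_WINDOW:
                lo += 1
            distinct = {x.patient_id for x in evs[lo:hi + 1]}
            if len(distinct) >= BULK_PATIENTS:
                alerts.append(f"BULK_ACCESS {user} touched {len(distinct)} patients "
                              f"within {BULK_WINDOW}")
                break              # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in accounting_of_disclosures(evs, "MRN1001", "2025-03-01", "2025-03-31"):
        print(row.ts, row.user, row.purpose, "->", row.recipient)
    for a in find_alerts(evs):
        print("ALERT", a)
```

On the constructed sample the accounting for MRN1001 lists three disclosures (treatment, payment, marketing) and the review raises three alerts: the IT account exporting a record under a treatment purpose, the marketing disclosure with no authorization reference, and the backup account sweeping ten patients in under two minutes. A production version would read the real audit feed and persist the accounting rows, but the separation of the accounting query from the alert rules is the shape worth keeping.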
Keep a close eye on business associates, as covered entities can be held accountable for vendor violations if there’s a known pattern of non-compliance [1]. Implement clear disciplinary policies for employees who fail to follow privacy protocols, and always verify the identity of individuals requesting access to medical records to prevent fraud [1]. Regular gap analyses are another proactive step to prevent violations.
Conclusion
The Texas Medical Records Privacy Act (TMRPA) casts a wide net, applying to any organization that handles Protected Health Information (PHI) for commercial, financial, or professional purposes. This includes a broad range of entities like IT vendors, law firms, accountants, and even sports teams [1][2][3]. If your organization deals with patient data from Texas, compliance with TMRPA's stringent rules isn't optional - it's mandatory.
Failure to comply can lead to steep penalties: fines reach $250,000 per violation for knowing or intentional misuse of PHI for financial gain, and up to $1.5 million annually for a pattern or practice of violations [1][2]. Given these potential consequences, relying on manual processes for compliance is risky and inefficient. Tools like Censinet RiskOps™ simplify the process by automating critical tasks such as data discovery, record tracking, and real-time vendor monitoring. Its features, including automated risk assessments and six-year documentation storage, help organizations stay prepared for audits while easing the administrative workload.
Regular audits and continuous monitoring are key to spotting vulnerabilities before they turn into costly violations. By leveraging the right technology and adopting proactive risk management strategies, organizations can meet TMRPA's demanding standards, protect patient privacy, and avoid financial penalties. With the right approach, compliance becomes more manageable and patient data remains secure.
FAQs
Does the Texas Medical Records Privacy Act apply to my business if I’m not in Texas?
Yes, if you handle PHI of Texas residents. TMRPA's reach turns on the data, not on where your business sits: any individual or organization that comes into possession of, obtains, or stores PHI of Texas residents for commercial, financial, or professional purposes must comply, regardless of where it is incorporated or operates. A New York IT firm hosting cloud storage for a Texas patient's records is covered just as a Texas hospital is. Out-of-state businesses should inventory their systems for Texas resident PHI; finding any triggers the full set of TMRPA obligations.
What counts as PHI under TMRPA for non-healthcare companies?
Under the Texas Medical Records Privacy Act (TMRPA), Protected Health Information (PHI) is individually identifiable health information: details such as diagnoses, treatments, and medical histories tied to a specific person. What matters is not whether your company is in the healthcare sector but whether it comes into possession of, obtains, or stores such information for commercial, financial, or professional purposes. An IT provider hosting a clinic's records, a law firm holding medical files for litigation, or an employer keeping employee medical information is handling PHI and is covered. Ordinary personal data with no health content, such as a customer's name and address alone, is not PHI.
What should we do first to become TMRPA compliant?
To align with the Texas Medical Records Privacy Act (TMRPA), the first step is figuring out if your organization qualifies as a covered entity under the law. This applies to businesses or entities that manage Protected Health Information (PHI) for Texas residents.
Once confirmed, take a close look at your existing policies. Update them to ensure compliance with key requirements, such as securing consent for disclosures, providing patients access to their medical records, and setting up robust data protection measures along with breach response protocols.
Related Blog Posts
- HIPAA PHI Retention Rules: Key Requirements
- How to Secure Cross-Border PHI Data Transfers
- 5 Key HITECH Act Breach Reporting Requirements
- FIPA vs. HIPAA: Differences for Healthcare Data Compliance
Key Points:
Why does TMRPA's broader scope than HIPAA create compliance obligations for organizations that do not consider themselves healthcare entities?
- Any PHI handling for commercial, financial, or professional purposes triggers TMRPA — TMRPA's covered entity definition is not limited to healthcare providers, health plans, and clearinghouses — it applies to any individual or organization that comes into possession of, obtains, or stores PHI for commercial, financial, or professional purposes. This definition deliberately captures non-healthcare entities that HIPAA does not reach.
- IT providers, law firms, sports teams, and schools as explicitly covered entities — The entities TMRPA explicitly covers beyond HIPAA's framework — IT service providers, legal and accounting firms, website owners, research institutions, sports teams, schools, and employers — are not edge cases. They are organizations whose normal business functions can involve PHI without their operators recognizing a healthcare privacy obligation under federal law.
- Out-of-state organizations subject to TMRPA if they handle Texas resident PHI — Geographic location provides no shelter from TMRPA. A New York IT firm managing cloud storage containing a Texas resident's PHI, or a California law firm accessing medical records in Texas litigation, must comply with TMRPA regardless of where they are incorporated or operate. Organizations should audit their data environments to identify Texas resident PHI wherever it resides.
- Vendors treated as full covered entities rather than business associates — Many organizations that HIPAA treats as business associates — carrying derivative compliance obligations through BAA contractual provisions — are treated as full-fledged covered entities under TMRPA, carrying direct statutory compliance obligations and direct penalty exposure. This distinction means that vendor TMRPA compliance cannot be delegated through contractual language the way HIPAA business associate compliance can be structured.
- Covered entity accountability extending to vendor violations — Healthcare organizations can be held accountable for vendor violations when there is a known pattern of non-compliance by their vendors. This accountability structure creates an affirmative obligation to monitor vendor TMRPA compliance rather than relying on contractual attestations that vendors are meeting their own independent obligations.
- Texas Responsible AI Governance Act adding training scope for automated tools — TMRPA employee training must address new requirements including the Texas Responsible AI Governance Act for organizations using automated decision-making tools. Organizations deploying AI-assisted clinical, administrative, or compliance tools that interact with PHI must incorporate AI governance requirements into their TMRPA training programs.
How do TMRPA's specific compliance requirements for training, record access, breach reporting, and documentation differ from HIPAA's standards?
- 90-day training deadline stricter than HIPAA's flexible standard — HIPAA requires employee privacy training within a reasonable period — a standard that organizations interpret with significant flexibility. TMRPA replaces this flexibility with a mandatory 90-day deadline from the date of employment, applicable to every employee whose role involves PHI access. Refresher training is required every two years and following material policy changes — not merely when convenient.
- 15-business-day EHR access deadline half of HIPAA's standard — HIPAA allows 30 days to respond to patient access requests with a 30-day extension available. TMRPA cuts this to 15 business days for electronic health records with no extension provision — requiring organizations to maintain EHR access workflows capable of fulfilling requests in half the time that HIPAA compliance training may have established as standard.
- 250-resident breach reporting threshold lower than HIPAA's 500-person federal trigger — HIPAA requires reporting to HHS for breaches affecting 500 or more individuals, with a lower threshold triggering annual log submission. TMRPA requires reporting to the Texas Attorney General for breaches affecting 250 or more Texas residents — a threshold that captures incidents HIPAA's immediate reporting requirement does not, requiring Texas-specific breach response tracking that HIPAA compliance programs may not already maintain.
- 60-day individual breach notification applying regardless of affected count — TMRPA requires notifying affected individuals within 60 days of breach discovery regardless of how many people are affected — there is no small-breach exception equivalent to HIPAA's sub-500 annual reporting option. Every breach affecting any Texas resident triggers the 60-day individual notification obligation.
- Six-year compliance record retention and five-year training documentation — TMRPA requires compliance records retained for six years and training documentation retained for five years — record-keeping obligations that align with HIPAA's six-year documentation standard but add the training-specific five-year requirement as a separate obligation organizations must track distinctly.
- Data localization requirement for Texas patient records — Texas law requires third-party cloud providers to store Texas patient records within the United States — a data residency obligation that organizations must verify their cloud providers satisfy and that introduces a vendor due diligence requirement specific to geographic data storage, not present in federal HIPAA requirements.
What PHI use restrictions and patient rights does TMRPA establish and how do they exceed HIPAA protections?
- Absolute prohibition on re-identifying de-identified health information — TMRPA's prohibition on re-identification is absolute — if an organization has the technical capability to reverse the de-identification process, exercising that capability violates the Act regardless of the purpose. This prohibition goes beyond HIPAA's de-identification standards, which focus on the methods used to de-identify rather than prohibiting re-identification as a standalone act.
- PHI sale prohibition with narrow enumerated exceptions — The general prohibition on selling PHI under TMRPA permits sales only for treatment, payment, healthcare operations, or maintenance as specified in the Insurance Code. Any use of PHI for financial gain outside these enumerated exceptions violates TMRPA — a prohibition that applies regardless of whether patients have provided general consent to information sharing.
- Express written authorization and functional toll-free opt-out for marketing — TMRPA's marketing restrictions require express written authorization before using PHI for any marketing purpose, and require that every marketing communication sent by mail or email include a functional toll-free opt-out number. The opt-out mechanism must be immediately usable — not a link to a future preference update process. This standard exceeds HIPAA's marketing authorization requirements in both the consent specificity and the communication-level opt-out obligation.
- Explicit patient consent and visible plain-language notices for electronic disclosures — Electronic disclosure of PHI requires a separate authorization from the patient for each disclosure, except for disclosures for treatment, payment, health care operations, an insurance function, or as otherwise authorized or required by law. Covered entities must also post a prominent, plain-language notice of their electronic disclosure practices, one that is easy to find and not buried inside a general privacy policy. The notice obligation applies to email, cloud storage transfers, and third-party data sharing alike, a transparency requirement that HIPAA's Notice of Privacy Practices does not fully parallel.
- Right to restrict disclosure to health plans for out-of-pocket services — Texas residents may request that PHI not be disclosed to a health plan when they pay entirely out-of-pocket for a healthcare service. This gives patients control over insurance-related PHI disclosure in self-pay scenarios. HIPAA requires covered entities to honor the same restriction under 45 CFR 164.522(a)(1)(vi), so this right reinforces the federal protection rather than exceeding it; the practical difference is that TMRPA's broader covered entity definition extends it to organizations HIPAA does not reach.
- Prohibition on retrieval fees ensuring accessible record requests — Patient record requests may not be charged a retrieval fee, though reasonable copying and mailing charges remain permitted. This removes a financial barrier that has historically deterred patients from exercising their access rights, and it aligns with HIPAA's cost-based fee rule, which likewise excludes search and retrieval costs from what a covered entity may charge.
What is TMRPA's penalty structure and how does vendor and third-party liability operate under the Act?
- Four-tier penalty structure from negligent to intentional financial gain — TMRPA's penalty structure escalates from $5,000 per negligent violation through $25,000 per knowing or intentional violation to $250,000 per violation involving intentional PHI misuse for financial gain. The progression reflects the degree of culpability — negligent failures carry lower penalties than deliberate misuse, but the $250,000 ceiling applies only when PHI is deliberately exploited for financial benefit.
- $1.5 million annual cap for patterns or practices of violation — Organizations whose violations form a pattern or practice — systematic noncompliance rather than isolated incidents — face annual penalties up to $1.5 million. Courts consider the seriousness of violations, compliance history, potential patient harm, and remediation steps taken when determining penalty amounts within the statutory range.
- Breach notification failure carrying $100-per-individual fines up to $250,000 — Failing to provide required breach notifications carries a civil penalty of up to $100 per affected individual for each consecutive day the failure continues, capped at $250,000 for all individuals affected by a single breach. Because the penalty scales with both the number of individuals and the number of days of delay, larger breaches and slower notification generate proportionally larger exposure.
- Professional license consequences extending beyond financial penalties — State licensing agencies may impose probation, suspension, or revocation of professional licenses for TMRPA violations — consequences that can end individual practitioners' careers regardless of whether civil penalties have been paid. Violators may also be excluded from state-funded programs, creating a revenue impact that can exceed the direct civil penalty amounts.
- Electronic disclosure mitigating factors capping penalties at $250,000 annually — For violations specifically involving electronic disclosures between covered entities for authorized purposes, penalties may be capped at $250,000 annually if the organization can demonstrate encryption protocols were in place, further data release was prevented, or strong security training was maintained. These mitigating factors provide some penalty relief for organizations that had adequate security infrastructure even when electronic disclosure violations occurred.
- Vendor direct liability eliminating the HIPAA business associate buffer — Because TMRPA's covered entity definition reaches anyone who handles PHI for commercial, financial, or professional purposes, IT providers, law firms, and research organizations are directly liable whether or not they would qualify as HIPAA business associates, and regardless of how a BAA allocates responsibilities between the parties. HIPAA does impose direct liability on business associates under HITECH, but only on entities that meet the business associate definition; TMRPA removes that threshold. Each vendor faces direct Texas Attorney General enforcement for its own TMRPA compliance failures, independent of the healthcare organization it serves.
How should organizations build a TMRPA compliance program covering training, PHI management, audits, and vendor oversight?
- TMRPA-specific training content distinct from HIPAA training — TMRPA training must cover state-specific requirements that HIPAA training does not address: the electronic disclosure notice requirement, the prohibition on re-identifying de-identified data, the 15-business-day EHR response window, the out-of-pocket payment disclosure restriction right, and — for organizations using automated decision tools — the Texas Responsible AI Governance Act requirements. Using HIPAA training as a proxy for TMRPA compliance creates specific gaps in the state-law obligations that directly generate penalty exposure.
- Anonymous reporting channels for early breach detection — Anonymous channels for employees to report suspected privacy violations surface incidents before they escalate. TMRPA's 60-day individual notification deadline runs from discovery, so rapid identification is operationally critical; organizations that rely only on formal incident discovery processes tend to learn of breaches later in the window than those that also accept anonymous reports.
- Automated PHI discovery and classification across emails, cloud storage, and servers — Automated data discovery tools that scan email, cloud storage, and server environments to locate and inventory PHI provide the visibility TMRPA's requirements demand. Without an inventory, an organization cannot verify that its use restrictions, retention requirements, and disclosure controls actually cover every location where PHI resides. A useful discovery tool distinguishes records that combine a direct identifier with health information (PHI) from identifiers alone (PII) and from de-identified health data, since each class carries different obligations, and it must avoid turning the inventory itself into another unprotected copy of the PHI it catalogs.
- Role-based access ensuring minimum necessary PHI access — Role-based access systems that restrict PHI to authorized personnel enforce the minimum necessary standard and produce the access audit trail that compliance monitoring requires. Periodic access certification reviews, in which role assignments are checked against current job functions and stale entitlements are removed, should be treated as a standing part of the compliance program rather than an occasional check.
- Cloud provider data localization verification — Texas patient records must be stored within the United States by third-party cloud providers. Organizations must verify this data residency requirement through vendor due diligence — confirming storage locations, contractual data residency commitments, and the mechanisms by which violations would be detected and reported — rather than assuming that major cloud providers satisfy the requirement without verification.
- Gap analysis and regular internal audits maintaining continuous compliance — Regular internal audits verifying that PHI collection, handling, storage, and disclosure practices align with TMRPA requirements, combined with gap analyses identifying compliance deficiencies before they generate penalties, are the operational foundation of sustainable TMRPA compliance. Continuous monitoring supplementing annual audits detects changes in PHI handling practices that introduce compliance gaps between formal review cycles.
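The PHI discovery and classification step described above, worked through as an added example; this is illustrative code written for this page, not code from the original article or from Censinet. The identifier formats (an SSN pattern, an assumed "MRN" tag followed by a 6-10 digit number, a DOB tag, an email address), the clinical cue words, and the sample documents are all assumptions chosen for illustration. The classification rule is the one a practitioner would want: a document is labelled PHI only when a direct identifier and health information appear together, identifiers alone are PII, health information alone is treated as de-identified and flagged so that nobody attempts to re-link it, and the inventory stores only masked values so it does not itself become a new copy of the PHI.

```python
"""PHI discovery and classification over a constructed sample corpus.

Added example; not code from the original article or from Censinet.
Identifier formats, clinical cue words and the sample documents are
assumptions chosen for illustration, not a production ruleset.
"""
import re
from dataclasses import dataclass, field

# Direct-identifier patterns. The SSN pattern follows the post-2011
# randomization rules (no 000/666/9xx area, no 00 group, no 0000 serial).
# The MRN layout (an "MRN" tag followed by 6-10 digits) is an assumption;
# real MRN formats vary by organization.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*(\d{6,10})\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Health-context cues (assumed word list). A document is PHI only when a
# direct identifier and health information appear together.
HEALTH_CUES = re.compile(
    r"\b(diagnos\w*|prescri\w*|medication\w*|treat\w*|symptom\w*|"
    r"lab results?|hba1c|icd-?10)\b",
    re.IGNORECASE,
)


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory never holds
    a full identifier; the inventory is evidence, not another PHI store."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Finding:
    path: str
    label: str                                      # phi | pii | health-only | none
    identifiers: dict = field(default_factory=dict) # identifier type -> masked samples
    health_cues: int = 0


def classify(path: str, text: str) -> Finding:
    """Classify one document by which identifier and health signals it contains."""
    found = {}
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[kind] = sorted({mask(h) for h in hits})
    cues = len(HEALTH_CUES.findall(text))
    if found and cues:
        label = "phi"
    elif found:
        label = "pii"
    elif cues:
        label = "health-only"  # de-identified: catalog it, do not attempt to re-link
    else:
        label = "none"
    return Finding(path, label, found, cues)


def scan_corpus(corpus: dict) -> list:
    """Scan a mapping of location -> text and return one Finding per document."""
    return [classify(path, text) for path, text in corpus.items()]


def summarize(findings: list) -> dict:
    """Count documents per label; this is the top line of the PHI inventory."""
    counts = {}
    for f in findings:
        counts[f.label] = counts.get(f.label, 0) + 1
    return counts


# Constructed sample documents (fictional people, values and locations).
SAMPLE_CORPUS = {
    "s3://clinic-docs/visit-2024-03-01.txt": (
        "Patient Jane Roe, MRN: 00123456, DOB: 04/12/1981. Diagnosis: "
        "type 2 diabetes. Prescribed metformin 500 mg twice daily."
    ),
    "mail/hr/payroll-march.eml": (
        "Payroll update for employee 4471, SSN 123-45-6789, "
        "direct deposit to account ending 2210."
    ),
    "research/cohort-summary.txt": (
        "A cohort of 1,240 patients with type 2 diabetes showed HbA1c "
        "reduction after 12 weeks of treatment."
    ),
    "shared/ops/backup-plan.md": (
        "Migrate nightly backups to the new bucket next Tuesday."
    ),
}

if __name__ == "__main__":
    results = scan_corpus(SAMPLE_CORPUS)
    for f in results:
        print(f"{f.label:12} {f.path}  identifiers={f.identifiers} cues={f.health_cues}")
    print(summarize(results))
```

Running the script labels the clinic note as PHI (MRN and DOB alongside a diagnosis), the payroll message as PII only (an SSN with no health context), the cohort summary as health-only (clinical content with no identifier, which the re-identification prohibition says to leave unlinked), and the backup note as none. In a real deployment the corpus would be fed from mailbox exports, object-storage listings and file shares, name detection would need a proper NER pass rather than regexes, and the masked inventory rows would themselves be stored under access control because they reveal where PHI lives.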
How does Censinet RiskOps™ address the automation, documentation, and vendor oversight requirements of TMRPA compliance?
- Six-year compliance documentation storage meeting TMRPA retention requirements — Censinet RiskOps™ automates secure storage of compliance documentation for six years — satisfying TMRPA's compliance record retention standard and the separate five-year training documentation retention requirement within a single platform rather than maintaining separate storage systems for each documentation category.
- Real-time visibility enabling rapid PHI access and breach detection — The platform provides real-time visibility into PHI access activities, enabling administrators to detect unauthorized access or changes quickly — the operational detection capability that supports meeting TMRPA's 60-day breach notification deadline from rapid discovery rather than delayed identification.
- Vendor compliance consolidation tracking Texas-specific obligations — For organizations managing multiple vendors with TMRPA obligations — including the 15-business-day EHR access requirement, 90-day training deadlines, and BAA terms meeting Texas-specific requirements — Censinet RiskOps™ consolidates vendor risk assessments and compliance tracking across the full portfolio, providing the centralized oversight that manual vendor monitoring cannot sustain at scale.
- Automated risk assessments identifying compliance gaps before violations occur — Automated risk assessment workflows identify gaps in PHI handling practices, vendor compliance, access controls, and documentation before they escalate into TMRPA violations and Attorney General enforcement. Finding and remediating a gap through automated assessment costs far less than the civil penalty exposure that an undetected violation creates.
- Supporting the third-party vendor audits that covered entity accountability requires — Because TMRPA holds covered entities accountable for vendor violations when there is a known pattern of noncompliance, executing a contract is not by itself enough to satisfy the obligation. Censinet RiskOps™ supports the ongoing third-party vendor audits and compliance verification that active oversight requires, converting a passive contractual model into an actively monitored risk management program.
- Effective third-party risk assessment workflows for TMRPA vendor management — Censinet RiskOps™ enables healthcare organizations to conduct effective third-party risk assessments through collaborative workflows that engage vendors in compliance verification, track remediation of identified gaps, and maintain the documentation trail that demonstrates active vendor oversight — the accountability evidence that both TMRPA enforcement investigations and organizational due diligence require.
