
Texas Healthcare Compliance Requirements

State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Texas.

60-day breach deadline | 7-year retention | Texas PMP

Texas healthcare compliance is shaped by HB 300 (the Texas Medical Records Privacy Act, Texas Health & Safety Code Chapter 181) and the Identity Theft Enforcement and Protection Act (Texas Business & Commerce Code §521.053), which together require breach notification within 60 days after determination of a breach and Attorney General notification when 250 or more Texas residents are affected, the lowest AG-notification threshold among the six largest US states. Civil penalties under the Deceptive Trade Practices Act run $2,000 to $50,000 per violation. Medical records retention is governed by 22 TAC §165.1(b), requiring seven years from last treatment, with a pediatric overlay extending to age of majority plus seven years. The Texas Medical Board separately enforces prescribing standards through the Texas PMP (PMP AWARxE), and the Texas Department of Family and Protective Services (DFPS) requires mandated child-abuse reports within 48 hours. For a Houston, Dallas-Fort Worth, Austin, or San Antonio practice, the regulatory stack (HB 300, the Identity Theft Act, the Texas Medical Board, and DFPS) makes for one of the most heavily multi-agency compliance environments in the country.

Breach Notification Rules

Notification deadline

60 calendar days

Notification must be made as quickly as possible but no later than 60 days after determination of breach. AG must be notified if 250+ Texas residents affected.

AG notification threshold

250+ affected individuals

Notify: AG

Harm analysis required

Yes — breach presumed unless risk assessment shows low probability of compromise

Penalty range

$2,000-$50,000 per violation under Deceptive Trade Practices Act

Comparable to federal HIPAA

Enforcement Posture

The Texas Attorney General has historically pursued breach-notification enforcement under the Identity Theft Enforcement and Protection Act when affected-resident counts exceeded the 250-person AG-notification threshold or when notification timing slipped past 60 days. Enforcement priorities have clustered around large multi-state breaches, ransomware events with delayed disclosure, and HB 300 violations involving improper PHI re-disclosure. The Texas Medical Board separately pursues PDMP noncompliance and prescribing-pattern issues through licensing discipline — with PMP AWARxE check enforcement most concentrated on Schedule II prescriptions where Texas requires the check at every dispensing event. DFPS prosecutes failure-to-report child-abuse cases as Class A misdemeanors, escalating to state jail felony when the failure is intentional concealment. Texas's enforcement posture is active and multi-agency: the AG, Medical Board, and DFPS operate on different referral paths, and a single breach can spawn parallel cases.

Medical Records Retention

Record type | Retention period | Measured from
General medical | 7 years | Last treatment
Pediatric | 7 years | Patient turns 18
Mental health | 7 years | Last treatment
Radiology | 7 years | Record creation

Controlled-Substance Prescription Monitoring (Texas PMP)

Texas PMP (PMP AWARxE), administered by the Texas State Board of Pharmacy at texas.pmpaware.net, requires a check on every Schedule II prescription, with delegation permitted to registered clinical staff. The exemptions are practically meaningful for primary-care workflow: hospice patients (a notable exemption that covers entire palliative episodes), active cancer treatment, ≤3-day ER supplies, inpatient hospital or nursing-facility administration, and medication-assisted treatment for opioid use disorder. The hospice exemption is broad: it covers any controlled substance prescribed in the hospice episode, making PMP AWARxE one of the more workflow-friendly PDMPs for hospice and palliative-care specialists.

Check required

Schedule II

Check frequency

Every prescription

Delegation allowed

Yes — licensed staff may query under prescriber oversight

Penalty range

Licensing board discipline; Class B misdemeanor for willful noncompliance; fines up to $2,000

Exemptions

Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or nursing facility, medication-assisted treatment for opioid use disorder

How Texas Rules Hit by Specialty

Pediatrics

Texas's pediatric retention rule under 22 TAC §165.1(b) extends seven years past age of majority — meaning a chart for a patient last seen at age 5 must be retained until age 25. Houston and Dallas pediatric practices should set destruction policies to hold pediatric charts until age 25, not seven years from last visit. Texas Medical Board surveys routinely check pediatric retention, and HB 300 enforcement attaches to improper early-destruction.

Pain management

Texas PMP (PMP AWARxE) check is required on every Schedule II prescription, with carve-outs for hospice, cancer, ≤3-day ER supply, inpatient/nursing-facility, and medication-assisted treatment. Pain-management clinics in Houston, Dallas, and Austin face concentrated Texas Medical Board scrutiny — Class B misdemeanor exposure attaches to willful noncompliance on top of licensing discipline.

Behavioral health

Texas Health & Safety Code Chapter 611 layers enhanced confidentiality on mental-health records beyond the 22 TAC §165.1 seven-year retention rule, and HB 300 imposes additional re-disclosure restrictions on PHI sold or licensed to third parties. A behavioral-health breach affecting 250+ Texas residents triggers AG notification under the Identity Theft Act in addition to standard HIPAA breach response.

Dental practices

Texas dentists prescribing Schedule II analgesics are full participants in the Texas PMP (PMP AWARxE) and are mandated child-abuse reporters under TX Family Code 261.101. Universal mandatory reporting in Texas means every adult is a reporter, with a 48-hour timeline and Class A misdemeanor penalties, escalating to state jail felony for intentional concealment.

Mandatory Reporting Obligations

Mandated reporters

All persons including physicians, nurses, dentists, psychologists, and all healthcare professionals (universal mandatory reporting)

Report to

Department of Family and Protective Services (DFPS) or local law enforcement

Timeline

Within 48 hours

Penalty for failure

Class A misdemeanor; state jail felony if the person intended to conceal the abuse

Immunity provision

Good faith reporters immune from civil and criminal liability under TX Family Code 261.106

Mandated reporters

All persons including healthcare professionals who believe an elderly or disabled person is being abused

Report to

Department of Family and Protective Services (DFPS), Adult Protective Services

Timeline

Immediately / as soon as possible

Penalty for failure

Class A misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability under TX Human Resources Code 48.054

Mandated reporters

Healthcare providers treating injuries from suspected domestic violence or criminal acts

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

Physicians, laboratories, and healthcare facility administrators

Report to

Texas Department of State Health Services or local health authority

Timeline

Within 24 hours

Penalty for failure

Class B misdemeanor, up to $180 fine per day

Immunity provision

Good faith reporters immune from civil liability

Mandated reporters

All healthcare providers treating gunshot wounds or wounds from criminal violence

Report to

Local law enforcement

Timeline

Immediately / as soon as possible

Penalty for failure

Class A misdemeanor

Immunity provision

Good faith reporters immune from civil and criminal liability

Texas Compliance FAQs

Texas requires notification as quickly as possible but no later than 60 days after determination of a breach, under HB 300 and the Identity Theft Enforcement and Protection Act (Texas Business & Commerce Code §521.053). If 250 or more Texas residents are affected, the Texas Attorney General's office must also be notified — the lowest AG-notification threshold among the six largest US states. Civil penalties under the Deceptive Trade Practices Act range from $2,000 to $50,000 per violation.

Yes. PMP AWARxE permits delegation to registered clinical staff including medical assistants, registered nurses, and licensed practical nurses, provided each delegate is enrolled under the supervising prescriber at texas.pmpaware.net. The prescriber remains accountable for the Schedule II check at every dispensing event. Carve-outs cover hospice patients (broadly), active cancer treatment, ≤3-day ER supplies, inpatient/nursing-facility administration, and MAT. Willful noncompliance is a Class B misdemeanor.

Failing to file a mandated gunshot-wound report in Texas is a Class A misdemeanor — up to one year in jail and a $4,000 fine. All healthcare providers treating gunshot wounds or wounds from criminal violence must report to local law enforcement. Good-faith reporters are immune from civil and criminal liability. Texas's reporting trigger is the treatment encounter itself, with no minimum-severity threshold — any treated gunshot wound triggers the report.

Texas requires pediatric record retention until age of majority (18) plus seven years — meaning a chart for a patient last seen at age 5 must be retained until age 25. The rule is set by 22 TAC §165.1(b), and adult retention is also seven years from last treatment. Houston- and Dallas-area pediatric practices should align destruction policies to age 25, not seven years from last visit. Texas Medical Board surveys routinely check pediatric retention.

The Texas Attorney General's office must be notified when a breach affects 250 or more Texas residents, the lowest AG-notification threshold among the six largest US states. The same 60-day window applies to affected individuals and to the AG filing. Breaches below the 250-resident threshold require individual notification but no AG filing. The Texas AG has been active under the Identity Theft Enforcement and Protection Act, with civil penalties ranging from $2,000 to $50,000 per violation.

Stay audit-ready in Texas

GuardWell tracks Texas-specific breach deadlines, retention periods, Texas PMP PDMP queries, and mandatory reporting obligations automatically.
