Deadline and new requirements added to Texas breach notification law

November 20, 2019 Cathy Bryant

A new Texas law regarding breaches of patient data will go into effect on January 1, 2020. The law defines a deadline by which Texas businesses must provide notice to affected individuals, requiring notice be provided without unreasonable delay but no later than 60 days after the breach is discovered.

Texas businesses are also required to provide notice to the Texas Attorney General within the same 60 days after the breach is discovered, if the breach involves the sensitive personal information (SPI) of 250 or more Texas residents. (HIPAA requires reporting for 500 or more.)

The addition of this deadline and reporting requirement is the result of new legislation passed in 2019 that amended the Texas Identity Theft Enforcement and Protection Act (TITEPA). (This 60-day window to report a breach is the same as the HIPAA breach notification deadline.)

The notification must include the following:

  1. a detailed description of the nature and circumstances of the breach, or the use of sensitive personal information acquired as a result of the breach;
  2. the number of Texas residents affected by the breach at the time of notification;
  3. any measures taken by the reporting party as a result of the breach;
  4. any measure that the reporting party intends to take regarding the breach after notification; and
  5. whether law enforcement is involved in investigation of the breach.

For physicians

Given these new requirements, you will likely need to change your privacy and security incident reporting action plan. In determining this plan, TMLT strongly recommends that you seek assistance when determining if an incident is reportable. You should also seek assistance when reporting the breach.

Your privacy and security incident reporting plan should include the following.

  • Staff training on how to identify privacy and security incidents and how to notify the practice’s privacy or security officer.
  • Instructions for the privacy or security officer to report the incident to TMLT Claims Department 800-580-8658.
  • Ensuring that you have a current backup process in place and verifying at least once a year that your protected health information can restored from backup.
  • Documentation that you have completed a HIPAA risk assessment, a self-assessment, or an assessment by a third party to identify your practice’s risks and vulnerabilities.
  • A risk management plan to address the risks and vulnerabilities identified in the risk assessment.

To learn more, visit our cyber resource page.

About the Author

Cathy Bryant

Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Manager. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at

Visit Website More Content by Cathy Bryant
Previous Article
What physicians should know about "Letters of Protection"
What physicians should know about "Letters of Protection"

Beware of "Letters of Protection" and "Phantom Damages"

Next Article
Study shows increased cyber security can affect patient outcomes
Study shows increased cyber security can affect patient outcomes

Corrective actions taken to enhance privacy and security may introduce usability issues.

Telemedicine in Texas: Risks, Rewards, and Where We Go Next [CME webinar]

Learn More