Texas recently enacted House Bill 300 (the Law). Its primary purpose is to add significant privacy requirements to the Texas Medical Records Privacy statute, but lurking among those provisions are amendments to Texas’s breach notification law which, if triggered, purport to require notice in all 50 states. Importantly, Texas is one of only a handful of states whose breach notification law covers health information, raising the question: is there now an effective 50-state breach notification requirement covering health data?

The Law applies Texas’s breach notification requirements to organizations “conducting business” in the state of Texas. The Law does not define what “conducting business” in Texas means, but a business that maintains a physical presence in Texas or has regular commercial dealings with Texas residents likely will be covered by the Law.

If a covered business suffers a breach, the Law requires that breach notification be given to affected residents of Texas and affected residents of “another state that does not require [breach notification].” If the other state’s law also requires breach notification, then the Texas requirements are deemed satisfied when notice is provided to the other state’s residents in keeping with the other state’s law. If the other state’s law does not require notification, but Texas law applies (i.e., the business operates in the state, etc.) and would require notice, then breach notification will have to be provided to residents of the other state following Texas requirements for notification. The result is that breaches affecting residents of other states will have to be analyzed under both the law of the state where an affected person resides and Texas law to determine if breach notification is required.

So if there are affected persons in Texas and other states, how do you compare laws to decide whether Texas requires breach notification in other states, even if those states would not require it? Factors to consider in that analysis may include:

The Law becomes effective on September 1, 2012, and carries financial penalties for violations. A covered business may be subject to penalties for violations if the business “fails to take reasonable action to comply.” Such failures are penalized at a rate of $100 per affected person, per day that the failure persists, up to a maximum of $250,000 per breach. At this rate, the maximum penalty would be reached relatively easily – a breach affecting just 250 people, accompanied by a failure to take reasonable action for 10 days, adds up to a $250,000 penalty.

The practical outcome is that any entity conducting business in Texas will have to analyze Texas breach notification requirements in essentially every potential breach affecting U.S. residents to determine whether Texas law dictates that notification is due, even in cases where information about Texas residents was not implicated in the incident.

Elizabeth Johnson, an attorney no longer with Poyner Spruill, was the original author of this article.
