HIPAA Business Associate Agreements in Texas — Medical Records Privacy Act and BAA Implications

By BAA Generator Research Team  ·  Published Apr 27, 2026  ·  Last reviewed Apr 27, 2026  ·  6 min read

Quick answer: HIPAA establishes a federal floor for Business Associate Agreements. Texas state law adds requirements above that floor. A BAA executed for a covered entity or business associate operating in Texas should explicitly address the state-specific obligations below — not just the HIPAA baseline. Texas regulators and the state AG can investigate and enforce state law independently of HHS OCR.

Texas laws affecting BAA terms

Texas Medical Records Privacy Act

Tex. Health & Safety Code § 181

Defines "covered entity" more broadly than HIPAA, including some entities not covered federally. Business associates of Texas covered entities must be bound to Texas-specific rules.

Texas Identity Theft Enforcement and Protection Act

Tex. Bus. & Com. Code § 521

Sets specific safeguard requirements and breach-notification rules for sensitive personal information.

What Texas BAAs should add to the HHS model

Operational notes

If your covered entity is based in Texas, every BAA you sign with a vendor handling PHI of your patients should bind that vendor to Texas's state-law obligations in addition to HIPAA. The HHS model BAA satisfies federal requirements but doesn't include state-specific language by default.

If your business associate operates in multiple states, you generally bind the BA to the strictest applicable state's requirements rather than each state separately. Practices in Texas typically reference Texas's rules in the BAA's "compliance with applicable law" clause.

For broader 2024–2026 HIPAA Privacy Rule context, see HIPAA BAA requirements. For state law and HIPAA interaction generally, see ComplyCreate's HIPAA vs state privacy laws guide.


Your practice also needs an NPP

A BAA covers vendor relationships. The Notice of Privacy Practices is the patient-facing document required under § 164.520. Texas state law also affects NPP content.
