April 6, 2026

Texas Healthcare Providers: New State Law Now Requires You to Post These 3 Things for Patients

Keith Lefkowitz Hendershot Cowart P.C. + Follow Contact LinkedIn Facebook X Send Embed A new Texas law quietly took effect September 1, 2025 – and if you operate a clinic, medical practice, hospital, or any other healthcare entity that handles patient health information, it directly affects you.

Texas House Bill 4224 amended the Texas Health and Safety Code to require covered entities to prominently post clear patient instructions telling them how to get their records, how to reach your licensing board, and how to file a complaint. The law is straightforward, but compliance gaps – especially around online and in-office posting – remain common.

Here is what the law requires, who it applies to, and what steps you should take now.

What Is Texas HB 4224?

Texas HB 4224 adds Section 181.105 to the Texas Health and Safety Code. It requires covered entities to prominently post – both on their website and at any physical facility – detailed instructions covering three specific topics:

1. How patients can request their healthcare records from your entity
2. How patients can contact the disciplinary or licensing authority for your entity
3. How patients can file a consumer complaint as described under Section 181.103 of the Health and Safety Code The bill passed the Texas House 149-0 and the Texas Senate 31-0 before being signed into law. Its effective date is September 1, 2025.

Who Does HB 4224 Apply To?

The law applies broadly to covered entities – a defined category under Texas Health and Safety Code Chapter 181 that generally covers any person or entity that handles personal health information (PHI).

You are likely a covered entity if your organization does any of the following:

• Assembles, collects, analyzes, uses, stores, or transmits PHI – for commercial, financial, or professional purposes, or even on a nonprofit or pro bono basis
• Comes into possession of PHI in any capacity

• Obtains or stores PHI under the Texas medical records privacy provisions
  This encompasses a wide range of organizations:

• Physicians, physician groups, and solo practices

• Hospitals and health systems

• Clinics and ambulatory surgery centers

• Medical spas, IV clinics, and aesthetic practices

• Mental health providers and behavioral health facilities

• Healthcare staffing agencies

• Any entity – including employees, agents, or contractors – that creates, receives, maintains, uses, or transmits PHI
  Important exception: The law does not apply to entities that exclusively perform claims processing, data processing, data analysis, utilization review, or billing on behalf of another covered entity that directly provides patient care. If your business only performs these backend functions – and does not provide healthcare services directly to consumers – HB 4224 does not apply.

Why Did the Texas Legislature Pass This Law?

Access to medical records is a HIPAA-protected right. Patients, their parents, guardians, and legal representatives have the right to request their healthcare records – and covered entities are required by law to provide them within specific timeframes.

The problem the bill author identified: each covered entity can have its own policy for how to request records. Those processes can be confusing, hard to find, or inconsistent – even among providers within the same practice group. And when a provider fails to follow its own policy or violates the law, patients often have no idea how to file a complaint – or that they even have the right to do so.

HB 4224 addresses this transparency gap by requiring covered entities to make this information clear and accessible – on your website and in your facility.

What You Must Post – and Where

The law requires covered entities to prominently post detailed instructions in two locations:

1. On Your Website

The posting must be prominent – not buried in a footer, embedded in a dense privacy policy, or hidden behind a login. While the law does not prescribe the exact format, the instructions should be easy to find and clearly written for a general patient audience.

2. At Your Physical Facility

Each physical location where you see patients must also display this information. Reception desks, waiting rooms, and patient check-in areas are logical places to post these instructions.

What the Instructions Must Cover

For each of the three required topics, your posted instructions should give patients a clear, step-by-step process – not just a general statement that a right exists. Consider including:

For medical records requests:

• Who to contact (name, title, or department)
• How to submit a request (form, email, phone, in-person)
• What information the patient must provide

• The timeframe for your response
  For licensing authority contact information:

• The name of the applicable licensing or disciplinary authority (e.g., Texas Medical Board, Texas Board of Nursing, Texas State Board of Pharmacy)

• Contact information or the website URL for that authority
  For consumer complaints:

• How to file a complaint under Texas Health and Safety Code Section 181.103

• Where the complaint is directed (Texas Attorney General's consumer information website)

• Any applicable process for filing directly with your entity
  Frequently Asked Questions

Does HB 4224 create new criminal liability for healthcare providers?

No. The bill does not create new criminal offenses or increase penalties for existing ones. However, non-compliance with the posting requirements – or failures to provide records consistent with existing HIPAA and Texas law – can still give rise to complaints to and investigations by the Texas Attorney General's office, your licensing board, or other regulatory bodies.

Does HB 4224 apply to billing companies and healthcare IT vendors?

Entities that exclusively perform claims processing, data processing, data analysis, utilization review, or billing on behalf of a healthcare provider are exempt from the law's posting requirements. However, if your organization does any of these functions and also has direct patient-facing services, the exemption likely does not apply in full.

Does my HIPAA Notice of Privacy Practices satisfy HB 4224?

Not necessarily. While HIPAA's Notice of Privacy Practices addresses patients' rights to access their records, HB 4224 requires detailed, step-by-step instructions – not just a statement of rights. Your HIPAA notice is a starting point, but additional specific instructions about how to submit a records request, contact your licensing board, and file a complaint will likely also be necessary.

What does "prominently" mean under HB 4224?

The law does not define the term, but the intent is clear: the information should be easy for a patient to find and read without searching through dense legal documents. On your website, a dedicated page accessible from your main navigation or homepage is a reasonable approach. In your facility, a posted notice in a visible patient area – such as a waiting room or check-in counter – satisfies the in-person requirement.

My practice group has multiple locations. Does each one need to comply separately?

Yes. The law applies to "any entity facility," which means each physical location must independently display the required information. A shared website policy may satisfy the online posting requirement for all locations, but each facility must have the information posted on-site.

Send Print Report

Related Posts

• Texas Medical Board Proposes Strict New Rules for Ketamine Therapy Clinics: What Physicians Need to Know
• MSO for Med Spas: How Non-Physicians Can Own & Operate in Texas
• Texas Healthcare Employers: Audit and Update Non-Compete Agreements for SB 1318 Compliance BEFORE They Auto-Renew

Latest Posts

• Texas Healthcare Providers: New State Law Now Requires You to Post These 3 Things for Patients
• Inevitable Disclosure Doctrine in Texas – Protecting Trade Secrets When Employees Join Competitors See more »

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

©
Hendershot Cowart P.C.

Written by:

Hendershot Cowart P.C. Contact + Follow Keith Lefkowitz + Follow more less

PUBLISH YOUR CONTENT ON JD SUPRA

• ✔ Increased readership
• ✔ Actionable analytics
• ✔ Ongoing writing guidance Join more than 70,000 authors publishing their insights on JD Supra

Start Publishing »

Published In:

Covered Entities + Follow Disclosure Requirements + Follow Health Care Providers + Follow Health Insurance Portability and Accountability Act (HIPAA) + Follow Healthcare + Follow Healthcare Facilities + Follow HIPAA Privacy Rule + Follow Medical Records + Follow New Legislation + Follow Patient Privacy Rights + Follow PHI + Follow Posting Requirements + Follow Regulatory Requirements + Follow State Legislatures + Follow Texas + Follow Administrative Agency + Follow Health + Follow Privacy + Follow more less

Hendershot Cowart P.C. on:

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra: Sign Up Log in ** By using the service, you signify your acceptance of JD Supra's Privacy Policy.* - hide - hide