A new Texas law quietly took effect September 1, 2025 – and if you operate a clinic, medical practice, hospital, or any other healthcare entity that handles patient health information, it directly affects you.
Texas House Bill 4224 amended the Texas Health and Safety Code to require covered entities to prominently post clear instructions telling patients how to get their records, how to reach the entity's licensing board, and how to file a complaint. The law is straightforward, but compliance gaps – especially around online and in-office posting – remain common.
Here is what the law requires, who it applies to, and what steps you should take now.
What Is Texas HB 4224?
Texas HB 4224 adds Section 181.105 to the Texas Health and Safety Code. It requires covered entities to prominently post – both on their website and at any physical facility – detailed instructions covering three specific topics:
- How patients can request their healthcare records from your entity
- How patients can contact the disciplinary or licensing authority for your entity
- How patients can file a consumer complaint as described under Section 181.103 of the Health and Safety Code
The bill passed the Texas House 149-0 and the Texas Senate 31-0 before being signed into law. Its effective date is September 1, 2025.
Who Does HB 4224 Apply To?
The law applies broadly to covered entities – a defined category under Texas Health and Safety Code Chapter 181 that generally covers any person or entity that handles personal health information (PHI).
You are likely a covered entity if your organization does any of the following:
- Assembles, collects, analyzes, uses, stores, or transmits PHI – for commercial, financial, or professional purposes, or even on a nonprofit or pro bono basis
- Comes into possession of PHI in any capacity
- Obtains or stores PHI under the Texas medical records privacy provisions
This encompasses a wide range of organizations:
- Physicians, physician groups, and solo practices
- Hospitals and health systems
- Clinics and ambulatory surgery centers
- Medical spas, IV clinics, and aesthetic practices
- Mental health providers and behavioral health facilities
- Healthcare staffing agencies
- Any entity – including employees, agents, or contractors – that creates, receives, maintains, uses, or transmits PHI
Important exception: The law does not apply to entities that exclusively perform claims processing, data processing, data analysis, utilization review, or billing on behalf of another covered entity that directly provides patient care. If your business only performs these backend functions – and does not provide healthcare services directly to consumers – HB 4224 does not apply.
Why Did the Texas Legislature Pass This Law?
Access to medical records is a HIPAA-protected right. Patients, their parents, guardians, and legal representatives have the right to request their healthcare records – and covered entities are required by law to provide them within specific timeframes.
The problem the bill author identified: each covered entity can have its own policy for how to request records. Those processes can be confusing, hard to find, or inconsistent – even among providers within the same practice group. And when a provider fails to follow its own policy or violates the law, patients often have no idea how to file a complaint – or that they even have the right to do so.
HB 4224 addresses this transparency gap by requiring covered entities to make this information clear and accessible – on your website and in your facility.
What You Must Post – and Where
The law requires covered entities to prominently post detailed instructions in two locations:
1. On Your Website
The posting must be prominent – not buried in a footer, embedded in a dense privacy policy, or hidden behind a login. While the law does not prescribe the exact format, the instructions should be easy to find and clearly written for a general patient audience.
2. At Your Physical Facility
Each physical location where you see patients must also display this information. Reception desks, waiting rooms, and patient check-in areas are logical places to post these instructions.
What the Instructions Must Cover
For each of the three required topics, your posted instructions should give patients a clear, step-by-step process – not just a general statement that a right exists. Consider including:
For medical records requests:
- Who to contact (name, title, or department)
- How to submit a request (form, email, phone, in-person)
- What information the patient must provide
- The timeframe for your response
For licensing authority contact information:
- The name of the applicable licensing or disciplinary authority (e.g., Texas Medical Board, Texas Board of Nursing, Texas State Board of Pharmacy)
- Contact information or the website URL for that authority
For consumer complaints:
- How to file a complaint under Texas Health and Safety Code Section 181.103
- Where the complaint is directed (Texas Attorney General's consumer information website)
- Any applicable process for filing directly with your entity
Frequently Asked Questions
Does HB 4224 create new criminal liability for healthcare providers?
No. The bill does not create new criminal offenses or increase penalties for existing ones. However, non-compliance with the posting requirements – or failures to provide records consistent with existing HIPAA and Texas law – can still give rise to complaints to and investigations by the Texas Attorney General's office, your licensing board, or other regulatory bodies.
Does HB 4224 apply to billing companies and healthcare IT vendors?
Entities that exclusively perform claims processing, data processing, data analysis, utilization review, or billing on behalf of a healthcare provider are exempt from the law's posting requirements. However, if your organization performs any of these functions and also has direct patient-facing services, the exemption likely does not apply in full.
Does my HIPAA Notice of Privacy Practices satisfy HB 4224?
Not necessarily. While HIPAA's Notice of Privacy Practices addresses patients' rights to access their records, HB 4224 requires detailed, step-by-step instructions – not just a statement of rights. Your HIPAA notice is a starting point, but additional specific instructions about how to submit a records request, contact your licensing board, and file a complaint will likely also be necessary.
What does "prominently" mean under HB 4224?
The law does not define the term, but the intent is clear: the information should be easy for a patient to find and read without searching through dense legal documents. On your website, a dedicated page accessible from your main navigation or homepage is a reasonable approach. In your facility, a posted notice in a visible patient area – such as a waiting room or check-in counter – satisfies the in-person requirement.
My practice group has multiple locations. Does each one need to comply separately?
Yes. The law applies to "any entity facility," which means each physical location must independently display the required information. A shared website policy may satisfy the online posting requirement for all locations, but each facility must have the information posted on-site.
Protect Your Practice – Get Compliant Now
HB 4224 is one of several Texas healthcare regulatory changes that took effect in 2025.
If you have questions about whether your practice is compliant with HB 4224 or need guidance on reviewing your records request policies, website disclosures, or patient-facing compliance materials, the healthcare attorneys at Hendershot Cowart P.C. can help.
We counsel physicians, medical practices, clinics, healthcare businesses, and healthcare entrepreneurs on regulatory compliance matters across Texas. We focus on practical, actionable guidance that fits your practice – not generic legal advice.
Schedule your healthcare compliance consultation today. Call (713) 783-3110 or contact us online.