Covered entities must also notify an individual if a breach of that individual’s sensitive personal information, including that individual’s protected health information, has occurred, that is, if that information was acquired or is reasonably believed to have been acquired by an unauthorized person.

Although HB300 does not specifically define “sensitive personal information”, it incorporates the definition set forth in the Texas Business and Commerce Code and thus includes:

  • an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
    • Social Security number;
    • Driver’s license number or government-issued identification number; or
    • Account number or credit or debit card number in combination with any required security code,
      access code, or password that would permit access to an individual’s financial account; or
  • information that identifies an individual and relates to:
    • the physical or mental health or condition of the individual;
    • the provision of health care to the individual; or
    • payment for the provision of health care to the individual.

This means that documents that you handle on a daily basis, such as initial client information sheets, tax returns, and bank statements, may fall under the umbrella of sensitive information that must be safeguarded pursuant to HB300.