According to the Legislative Budget Board (LBB), HB 3233 is not expected to have a significant fiscal impact on the State of Texas. The analysis concludes that any administrative costs associated with the implementation of the bill—such as monitoring compliance by pharmacy benefit managers (PBMs)—can be absorbed within the existing resources of the Texas Department of Insurance (TDI).

Additionally, the bill is projected to have no significant fiscal implications for units of local government. This is consistent with the scope of the legislation, which regulates PBMs—a sector not generally operated by or under the direct financial influence of local government entities. The implementation mechanisms do not create new enforcement structures or require state subsidies or grant programs.

Overall, HB 3233 presents a fiscally neutral regulatory update. It leverages existing federal designations of state sponsors of terrorism and existing regulatory oversight functions within TDI, allowing for streamlined enforcement without new budgetary outlays. This modest fiscal profile supports the bill’s feasibility from a cost management perspective.

HB 3233 reflects a measured and security-focused approach to the stewardship of sensitive health data by pharmacy benefit managers (PBMs). It prohibits PBMs from storing or processing patient data for Texas residents in countries designated by the U.S. Secretary of State as state sponsors of terrorism. This shift from the originally filed version—which broadly prohibited data storage “outside the United States”—to a targeted list of high-risk nations ensures the bill addresses serious cybersecurity and geopolitical risks without unnecessarily burdening PBMs operating in allied jurisdictions.

The bill analysis underscores the justification for this legislation: the central role PBMs play in handling personal health information and the concentration of market power in the hands of a few large entities controlling 80 percent of the market. The potential for data exposure to foreign actors in adversarial nations represents a credible risk. By restricting data storage to jurisdictions not identified as hostile, the bill enhances protection of Texans’ private health information without overregulating the industry.

From a liberty-principled perspective, HB 3233 advances Individual Liberty by safeguarding medical privacy from malicious state actors, and it embodies Limited Government by relying on existing federal threat designations rather than expanding state regulatory frameworks. It imposes no significant fiscal impact on state or local governments, and the Department of Insurance is expected to absorb any minor administrative responsibilities within current resources.

In light of its narrow, risk-based focus, minimal fiscal impact, and protection of Texas residents’ personal health data from hostile foreign entities, Texas Policy Research recommends that lawmakers vote YES on HB 3233.

• Individual Liberty: This is the principle most directly supported by the bill. H.B. 3233 protects the privacy and security of sensitive patient data by preventing pharmacy benefit managers (PBMs) from storing or processing that data in nations identified as state sponsors of terrorism. The protection of personal health information from foreign adversaries ensures individuals’ right to privacy—an essential liberty guaranteed under both state and federal constitutions. By shielding Texans' data from potentially hostile foreign access, the bill reinforces the state’s duty to safeguard individual rights in the digital domain.
• Personal Responsibility: While the bill does not impose direct obligations on individuals, it reinforces corporate accountability for those entrusted with sensitive data. PBMs—key intermediaries in the healthcare system—are responsible for secure data handling. The law strengthens the expectation that they act responsibly in selecting storage and processing partners that do not pose national security or privacy risks. This promotes a culture of responsibility among large entities that manage personal information.
• Free Enterprise: HB 3233 strikes a balance between market freedom and national security. It does not impose broad or burdensome regulations on business operations within the United States or allied countries. Instead, it narrowly prohibits operations in a few countries specifically designated as state sponsors of terrorism. This avoids significant disruption to the market while ensuring that PBMs do not outsource data processing to regimes with known hostility to American interests. The targeted nature of the restriction allows the free market to function with reasonable guardrails.
• Private Property Rights: The bill does not affect private ownership of data or property but does regulate the location where data can be stored or processed when that data pertains to Texas residents. It does not confiscate or transfer ownership of data or technology infrastructure. Instead, it places a condition on where that data may reside, in alignment with public safety concerns. The impact on property rights is therefore neutral and does not infringe on lawful ownership or use of assets.
• Limited Government: Importantly, the bill adheres to the principle of limited government by not creating new enforcement agencies or broad regulatory authority. It uses existing federal designations to define prohibited countries and relies on the current administrative structure (e.g., Texas Department of Insurance oversight) to ensure compliance. This approach avoids expanding state power unnecessarily while still protecting the public interest. It is a minimalist legislative solution to a high-impact risk.

• SB 1627 (Same As)