Everything is bigger in Texas… even their version of HIPAA regarding medical records privacy.
The Texas Legislature adopted House Bill 300, known as HB 300, effective September 2012, which amended the Texas Medical Records Privacy Act. HB 300 significantly expanded patient privacy protections compared with its federal counterpart, the Health Insurance Portability and Accountability Act of 1996, known as HIPAA.
This article briefly explores the more restrictive requirements to provide insight into the updates needed by covered entities located in Texas, as well as by entities that conduct business there.
First, please note that HB 300 greatly expanded the definition of “covered entities.” According to the Department of Health and Human Services, a covered entity under HIPAA’s regulation is:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
However, according to HB 300, a covered entity means any person who:
(A) For commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;
(B) Comes into possession of protected health information;
(C) Obtains or stores protected health information; or
(D) Is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.
As you can see from the definition, Texas’ health and safety rule affects just about anyone who comes into contact with protected health information. Therefore, it is imperative that you update your training and the corresponding policies and documentation.
Training is specifically addressed in Texas’ Medical Records Privacy rule. Texans never graduate from HIPAA and HB 300 training. As such, new employees, regardless of their background, must complete training within 90 days of hire. Previously, under the 2012 version, the deadline was 60 days, so be sure to update your policies with the current information.
Training content must address both state and federal regulations and be appropriate for the employees’ duties within the covered entity. For example, if you are a dental practice, the training should be relevant to a dental office. This is common sense. For training to be meaningful and relevant, it must reflect the day-to-day activities of the entity. As such, reconsider out-of-the-box training options and whether such training meets your needs under the statute’s definition.
Thereafter, training must take place within a reasonable period after a material change in state or federal law concerning protected health information takes effect that affects an employee’s duties, and no later than one year after the material change’s effective date. Note that many covered entities are still following the previous rule of training every two years.
Training documentation, whether in electronic or written format, must specifically include a statement verifying the employee’s completion of training. Maintain such attendance records for six years.
Texas law requires entities to provide patients with electronic copies of their records within fifteen days of a patient’s written request, rather than the thirty days allowed under HIPAA.
Covered entities must post notice, both at the place of business and on the Internet if they maintain a website, that patients’ protected health information is subject to electronic disclosure.
Penalties are bigger in Texas, too. In addition to injunctive relief, the Texas Attorney General may institute an action for civil penalties: for negligence, $5,000 per violation for each year the violation persists. Knowingly or intentionally violating the law costs $25,000 per violation for each year the violation persists. An intentional violation such as the unlawful selling of protected health information costs $250,000 per violation. Therefore, violations can cost up to millions of dollars… in addition to fines issued by the Department of Health and Human Services under the HITECH Act.
The Texas Attorney General may also revoke the covered entity’s license and exclude it from state programs.
The Texas Attorney General submits an annual report on the number and types of complaints received and the enforcement actions taken. Please visit: https://www.texasattorneygeneral.gov/consumer/hipaa.shtml.
A breach is the unauthorized acquisition, access, use, or disclosure of unsecured protected health information that compromises the security or privacy of the protected health information (including electronic health information). Covered entities and business associates are required to give breach notification for unsecured (that is, unencrypted) protected health information. If a breach occurs, notification must take place according to the timeline outlined by HIPAA.
Don’t forget about HIPAA’s security risk analysis and the corresponding risk management plan. This process gives covered entities the opportunity to assess the threats and vulnerabilities to the security of the protected health information they create, maintain, amend, and transmit, and to make the changes necessary to comply with the law.
In summary, Texans who qualify as “covered entities” must revise employee training programs to implement HB 300 as well as policies on patients’ access to their electronic health information. Update the Notice of Privacy Practices and Business Associate Agreements to reflect the enhanced provisions of Texas law.
Provide notice to patients and obtain their permission for their information to be electronically disclosed. Encrypt protected health information, particularly on mobile and portable devices. Encrypt emails that contain protected health information. Remember, breach notification is required for unsecured protected health information.
NOTE: Reading this article does not constitute legal advice or an attorney-client relationship. This article is for informational purposes only.