(June 30, 2014): The federal Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) work in conjunction to safeguard the privacy of patient health information. Concerned that HIPAA and HITECH did not provide enough safeguards for protected health information (PHI), the Texas legislature passed the Texas Medical Records Privacy Act, H.B.300, which went into effect on September 1, 2012. This law contains more stringent regulation than HIPAA and HITECH because it has a more expansive definition of what constitutes a “covered entity.” It also mandates more frequent employee training and increased penalties for violations.
I. What is a Covered Entity Under Texas Law -- H.B. 300:
Generally, HIPAA considers health care plans and health care providers to be “covered entities.” HITECH expanded the definition of a covered entity to include business associates of a health care provider. Under H.B.300, a covered entity is any individual, business, or organization that:
- Engages in the practice of assembling, analyzing, using, collecting, evaluating, storing or transmitting PHI;
- Comes into possession of PHI;
- Obtains or stores PHI; or
- Is an employee, agent, or contractor of a person or entity described in numbers 1-3 above if they create, receive, obtain, maintain, use, or transmit PHI.
Additionally under H.B.300, out-of-state companies that use or disclose PHI in Texas are also considered covered entities. This potentially expands covered entity status to law firms, record storage and disposal companies, accounting firms, auditors, and anyone else who comes into contact with PHI.
II. More Frequent Employee Training Requirement:
Under HIPAA, employee training regarding protection of PHI is only required within a reasonable amount of time after hiring and when there are any material changes in privacy policies. Under the Texas law, each new employee must complete training regarding both federal and state law related to the protection of PHI within 60 days after his hire date, and the training must be repeated at least once every two years.
III. Electronic Medical Records Requirement:
H.B.300 requires that covered entities provide patients with electronic copies of their electronic health records within 15 business days of the patient’s written request. Under HIPAA, records must be provided within 30 days of a request.
H.B.300 also prohibits the sale of PHI and requires notice to patients regarding the electronic disclosure of PHI.
IV. Increased Penalties Under H.B.300:
Covered entities that wrongfully disclose a patient’s PHI will face increased civil penalties under H.B.300, in addition to any penalties for violating federal laws. The Texas law allows for penalties ranging from $5,000 to $1.5 million per year. To determine the penalty amount, H.B.300 lists five factors a court may consider: 1) the seriousness of the violation; 2) the entity’s compliance history; 3) the risks of harm to the patient; 4) the amount necessary to deter future violations; and 5) efforts made to correct the violation.
In addition to fines, a licensed Texas individual’s or facility’s violation is subject to investigation and disciplinary proceedings. If there is evidence that the violations of H.B.300 constitute a pattern or practice, the licensing agency the individual or facility operates under may revoke the individual’s or facility’s license.
H.B.300 also increases criminal penalties for identity theft involving PHI. Previously, a person who accessed, read, scanned, stored, or transferred PHI without the consent of an authorized user was subject to a Class B misdemeanor. Now a person committing this same act to access PHI will be subject to a state jail felony.
V. Final Remarks:
Texas covered entities should take immediate steps to ensure compliance with both federal and state privacy requirements. They can do so by providing customized employee training on state and federal privacy and security requirements and reviewing and updating policies to incorporate the Texas statutory requirements.
