Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

Texas H.B.300 Imposes a Number of New Medical Privacy Requirements

(June 30, 2014): The federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) work together to safeguard the privacy of patient health information. Concerned that HIPAA and HITECH did not provide enough protection for protected health information (PHI), the Texas Legislature passed H.B.300, amending the Texas Medical Records Privacy Act, effective September 1, 2012. The Texas law is more stringent than HIPAA and HITECH in three main respects: it defines "covered entity" far more broadly, it mandates more frequent employee training, and it increases the penalties for violations.

I.  What is a Covered Entity Under Texas Law — H.B. 300:

Generally, HIPAA treats health plans, health care clearinghouses, and health care providers that transmit health information electronically as "covered entities." HITECH extended many of HIPAA's privacy and security obligations, and direct liability for violating them, to the business associates of those covered entities. Under H.B.300, a covered entity is any individual, business, or organization that:

  1. Engages in the practice of assembling, analyzing, using, collecting, evaluating, storing or transmitting PHI;
  2. Comes into possession of PHI;
  3. Obtains or stores PHI; or
  4. Is an employee, agent, or contractor of a person or entity described in numbers 1-3 above if they create, receive, obtain, maintain, use, or transmit PHI.

Additionally under H.B.300, out-of-state companies that use or disclose PHI in Texas are also considered covered entities. This potentially expands covered entity status to law firms, record storage and disposal companies, accounting firms, auditors, and anyone else who comes into contact with PHI.

II.  More Frequent Employee Training Requirement:

Under HIPAA, employees must be trained on the protection of PHI within a reasonable time after hiring and whenever there is a material change in privacy policies; no fixed retraining interval is imposed. Under the Texas law, each new employee must complete training on both federal and state law related to the protection of PHI within 60 days after the hire date, and the training must be repeated at least once every two years.

III.  Electronic Medical Records Requirement:

H.B.300 requires a covered entity that uses an electronic health records system capable of fulfilling the request to provide patients with electronic copies of their electronic health records within 15 business days of the patient's written request. Under HIPAA, records generally must be provided within 30 days of a request.

H.B.300 also prohibits the sale of PHI and requires notice to patients regarding the electronic disclosure of PHI.

IV.  Increased Penalties Under H.B.300:

Covered entities that wrongfully disclose a patient's PHI face increased civil penalties under H.B.300, in addition to any penalties for violating federal law. The Texas law authorizes civil penalties of up to $5,000 per negligent violation, rising to $25,000 per knowing or intentional violation and $250,000 per violation where the PHI was used for financial gain, with an annual cap of $1.5 million where the violations constitute a pattern or practice. To determine the penalty amount, H.B.300 lists five factors a court may consider: 1) the seriousness of the violation; 2) the entity's compliance history; 3) the risk of harm to the patient; 4) the amount necessary to deter future violations; and 5) efforts made to correct the violation.

In addition to fines, a violation by a Texas-licensed individual or facility is subject to investigation and disciplinary proceedings by the relevant licensing agency. If there is evidence that the violations of H.B.300 constitute a pattern or practice, that agency may revoke the individual's or facility's license.

H.B.300 also increases the criminal penalties for identity theft involving PHI. Previously, a person who accessed, read, scanned, stored, or transferred PHI without the consent of an authorized user committed a Class B misdemeanor. Now the same conduct is a state jail felony.

V.   Final Remarks:

Texas covered entities should take immediate steps to ensure compliance with both federal and state privacy requirements: provide customized employee training on state and federal privacy and security requirements, and review and update policies and procedures to incorporate the Texas statutory requirements.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law. Liles Parker attorneys represent health care providers in HIPAA Omnibus Rule risk assessments, privacy breach matters, State Medical Board inquiries and regulatory compliance reviews. The firm also represents health care providers and suppliers around the country in connection with Medicare audits by ZPICs and other CMS program integrity contractors. For a free consultation, call Robert at: 1 (800) 475-1906.

Texas Medical Privacy Act Takes Effect

(September 11, 2012): They say that "Everything is Bigger in Texas," and its law concerning medical privacy is no exception. The Texas Legislature recently enacted the Texas Medical Privacy Act (TMPA)[1], also known as the Texas HIPAA law. The new law substantially increases the compliance burden on medical and service providers, suppliers, business associates, third-party payers and just about everyone who handles, transmits or stores Protected Health Information (PHI) or Electronic Protected Health Information (EPHI) in any way. Civil penalties under the new law are sought by the Texas Attorney General, with the Texas Health and Human Services Commission (HHSC) and the state licensing agencies also holding oversight and enforcement roles. The penalties are substantial. The range of civil fines and penalties mirrors similar provisions of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Texas Civil Monetary Penalties (CMPs) include:

  • Up to $5,000 for each negligent violation that occurs within one year;
  • Up to $25,000 for each knowing or intentional violation that occurs within one year;
  • Up to $250,000 for each knowing or intentional violation by a covered entity where PHI was used for financial gain; and
  • Up to $1,500,000 per year if the frequency of violations establishes a pattern or practice.

I.  Who is a "Covered Entity" Under the New Texas Medical Privacy Act?

From a practical point of view, nearly everyone who touches PHI/EPHI is now included. Under Sec. 181.001(b)(2) of the Texas Health & Safety Code, a "Covered Entity" means any person who:

  (A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes business associates, health care payors, governments, information or computer management entities, schools, health researchers, health care facilities, clinics, health care providers, or any person who maintains an Internet site potentially conveying PHI;
  (B) comes into possession of protected health information;
  (C) obtains or stores protected health information under this chapter; or
  (D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

II.  What Does a Texas Provider Need to Do to Comply With the Texas Medical Privacy Act:

The next two months are critical for providers. The following actions should be taken immediately, before the 60-day grace period expires on October 31, 2012. Action taken now can help limit your potential liability exposure under Texas law.

  1. Employee Training:

  • Train all employees on HIPAA and the Texas Medical Privacy Act within the next 60 days, before 10/31/12. Training must be tailored to each employee's access to and handling of protected health information. The statute requires retraining at least once every two years; retraining annually, or every six months if practical, is the more conservative course.
  • Train new hires within their first 60 days of employment, as the statute requires; completing training within the first 30 days is a prudent internal target. Training must be tailored to each employee's access to and handling of protected health information.

  2. Internal Privacy Policies and Procedures – Patient Access to PHI / EPHI:

  • You must provide patients with requested electronic health information (EPHI) records within 15 business days of a written request, instead of the 30 days allowed under HIPAA.

  3. Internal Privacy Policies and Procedures – Encryption and Transmission

  • Transmission and receipt of EPHI over the Internet (e-mail included) must be encrypted every single time. If you do not have an effective encryption program, treat one as an absolute necessity and get one. Train your employees to use it, make encryption of every transmission standard office policy, and attach consequences to failures to comply.
  • Portable devices such as thumb drives can now be purchased with hardware encryption and a physical combination lock. Thumb drives are not recommended because they are easily lost and are a common source of leaks and breaches. If they must be used, control their use: allow only approved devices purchased and numbered by the company, assign each one to the party responsible, and require that it be turned in after use, with the date and a signature recorded in a log.
  • Consider purchasing cyber-liability insurance for your company or practice.

  4. Business Associate Agreements (BAA)

  • The business associate should notify you immediately of any breach of PHI and provide you with contemporaneous written notification of the facts concerning the breach;
  • Identify or assign a person responsible for notifying any patient affected by the breach;
  • Certify that the business associate complies with Texas Health and Safety Code § 181.101 regarding employee training on federal HIPAA and Texas Medical Privacy Act requirements;
  • Provide certification and supporting documentation of the business associate's annual employee training and security analysis (for example, that all employees have been screened against government exclusion lists (GSA, EPLS, State) and have had criminal background checks as required by DEA regulations). Remember that under Texas law the business associate is itself a covered entity.

III.  Final Remarks:

The Texas Legislature has made a strong effort to get ahead of the electronic-distribution curve and protect EPHI. The short time frame is intended to force compliance and stop problems before they occur. By complying with the more stringent Texas law, providers should also avoid many of the pitfalls under the federal HIPAA law. By the same token, failure to train and to abide by both federal and state standards can lead to double liability for breaches, leaks and compromised EPHI. Stay ahead of the curve and make the changes necessary to protect your practice or business now.

Robert Liles counsels providers on HIPAA and TMPA compliance risks, HIPAA breach notification and implementing effective compliance plans. In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1-800-475-1906.

[1] Texas Medical Privacy Act, Texas Health & Safety Code Chapter 181 – Medical Records Privacy, eff. Sept. 1, 2012.

What Should I Do If I Discover A Breach of PHI?

(September 6, 2012): What should you do if you discover a breach of PHI (Protected Health Information)? The short answer is: it depends on who you are. With the rise in concern over, and enforcement of, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), patients, families, practitioners, and health care executives need to know how to handle protected health information (PHI). PHI is individually identifiable health information; under HIPAA's safe-harbor de-identification standard, information is identifiable if it contains any one of 18 listed identifiers that can be used to identify an individual and tie that individual to a medical condition or diagnosis. HIPAA is designed to protect patients from the wrongful use or disclosure of PHI, as well as from security breaches affecting PHI. In the past few years, security breaches of PHI have reached epidemic proportions: doctors, nurses, billers, and hospital administrative and executive staff have reported the loss or theft of hundreds of laptops, flash drives, CDs, and other portable electronic devices. As you know, these devices can hold hundreds or even thousands of medical records and other health information containing PHI. So when even a single computer or flash drive is stolen and represents a breach of PHI, the effect is felt by every stakeholder and can result in substantial penalties levied by the Federal government. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) and its private contractors have recently imposed millions of dollars in fines for HIPAA violations. That is why it is so important to know how to handle a breach of PHI.

I.  Patients and Their Families:

If you are a patient, or a family member of a patient, with concerns over the security of your PHI, or if you know of a specific breach of PHI, this is a serious matter. PHI that falls into the wrong hands can and does lead to identity theft and Medicare fraud: those who steal PHI either sell it to identity thieves or use it for their own gain. This can affect a patient's bank accounts, credit rating, or reputation. If you know of a security breach of PHI, you should report the incident to OCR. OCR's website has a section for filing complaints; once OCR receives a complaint, it reviews it and considers opening an investigation into the allegations.

II.  Health Care Providers and Suppliers:

If you are a provider, a breach of PHI is a whole different story. First, you need to determine which "covered entity" is involved in the breach. Nearly all providers and health care practices are covered entities at this point, but it matters whether the covered entity is an individual physician or nurse practitioner or the hospital or clinic. Second, we recommend that you contact your health law counsel to advise you on proper disclosure. A covered entity's reporting obligations depend on the nature of the breach and the number of individuals affected. No matter how few people are affected by a breach of unsecured PHI, the provider must notify each of them. As the numbers grow, the disclosure obligations grow with them. For a breach affecting 500 or more individuals, the provider must notify the Secretary of HHS without unreasonable delay (and no later than 60 days after discovery), must notify prominent media outlets serving the affected state or jurisdiction, and, where it lacks current contact information for ten or more affected individuals, must post a substitute notice on the home page of its website for 90 days; breaches affecting fewer than 500 individuals are logged and reported to HHS annually. As you can imagine, a breach of PHI of this magnitude can do real harm to a provider's reputation. Keep in mind, too, the four-tiered penalty structure under HIPAA: violations that could not reasonably have been prevented incur significantly smaller fines than those that could have been prevented and were ignored.

Of course, you can position yourself and your practice in one of the lower tiers by establishing and maintaining an effective Compliance Plan. An effective Compliance Plan is designed to keep you and your staff honest and on the same page about your compliance obligations, and it serves as a roadmap for how your organization conducts its business. Compliance Plans should cover not just HIPAA (though that is a large part), but also OSHA, Stark, the Anti-Kickback Statute, employee relations, codes of conduct, and billing and coding functions. We recommend that you begin building your Compliance Plan with a gap analysis: identify the standards you must meet, assess your organization's compliance with those standards, and determine and correct any gaps found. While this will not eliminate the risk of a breach of PHI, it reduces that risk and shows the Federal government that you are trying to do the right thing.

Robert Liles counsels providers on HIPAA compliance risks, HIPAA breach notification and implementing effective compliance plans. In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1 (800) 475-1906.

Overseas Outsourced Billing and Coding – Compliance Risks

(August 16, 2012): Thinking of sending your medical coding and billing functions out of the country? You had better think twice. While overseas outsourcing of medical office functions is growing in popularity, the practice presents a unique and growing set of problems for both physician practices and third-party billers. And the news is only getting worse.

I.  HIPAA and HITECH Provisions:

As you know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects patients' privacy rights and requires that "covered entities" properly secure and safeguard protected health information (PHI). HIPAA has long been an administrative headache for many small and medium-sized providers, and the rise of electronic data processing and transmission has only complicated it. In 2009, Congress passed the HITECH Act as part of the American Recovery and Reinvestment Act (ARRA). HITECH governs the use and disclosure of electronic PHI (e-PHI) and the related computer systems, and it significantly amends portions of HIPAA. For instance, HITECH calls for HIPAA audits, which are currently being conducted around the country. It also created an enhanced penalty structure under which the Office for Civil Rights (OCR) can fine entities up to $1.5 million per year for violations of the same provision, covering wrongful use or disclosure of PHI and breaches of PHI. But what do these laws have to do with outsourced billing?

Plain and simple, providers cannot relieve themselves of their obligations under HIPAA or HITECH by sending administrative functions offsite. Quite the opposite: providers are responsible not only for their own practice, but also for the acts of their business associates and those business associates' subcontractors. This is a significant wrinkle in the use of overseas contractors. There are real benefits, including cost and efficiency (for example, sending records at the close of business and getting everything back when business opens the next day), but these incentives are overshadowed by the problems HIPAA presents.

II. Compliance Concerns with Outsourced Billing:

First of all, you have no guarantee that an overseas coding and billing business is HIPAA compliant or even understands the law at all. Is the outside entity taking proactive steps to establish administrative, technical, and physical safeguards for your patients' PHI? Even if it says it is HIPAA compliant, how can you verify that claim? To counter this, many outsourced billing companies, such as those in India or Pakistan, may offer to sign a contract indemnifying you for any HIPAA breaches and the resulting penalties. But if something goes wrong (as it inevitably does), obtaining a judgment against the outside entity is next to impossible, takes a substantial amount of time, and costs a great deal of money. We previously reported that the backlog for having a case heard in India was nearly 20 years. More recent estimates attributed to the National Bar Association of India put that figure closer to "350 to 400 years." That is, if you were to sue an Indian billing company today, you might not go before a judge until AD 2362, a long time for your great-grandchildren to wait. Not to mention that suing an outsourced third-party biller for contribution (the portion of your penalties for which it is reasonably responsible) is extremely difficult and complex.

On top of this, employees of foreign companies have recently extorted American providers over the PHI in their medical records. In one instance, an employee of a billing company in Pakistan had had enough. She did not think she was being paid enough, so she contacted the hospital whose records she was working on and demanded a significant sum of money, threatening otherwise to release the medical records on the Internet and anonymously contact United States authorities. By holding the records and the PHI they contained hostage, the worker managed to extort payment from the hospital. And again, attempting to report her to the local authorities or sue her in court would be a difficult and probably unsuccessful endeavor. When employees of outsourced billing companies have access to this information and bad intentions, they have many providers by the proverbial "short hairs."

III. Conclusion:

This is why we recommend that healthcare providers "buy American." The protections of United States law, and the relative ease with which you can resolve any conflict between your practice and a billing company, more than make up for the additional cost. Consider retaining an experienced, local third-party biller for assistance with medical billing. For information on coders and billers in your area, we recommend contacting the American Medical Billing Association.

Robert W. Liles counsels providers on HIPAA compliance risks, HIPAA breach notification and implementing effective compliance plans. In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1 (800) 475-1906.