HB300 Compliance in Texas

Texas HB300 (Texas House Bill 300) was signed into law by Texas Governor Rick Perry in June 2011. The bill made major changes to state legislation covering the privacy and security of protected health information (PHI) for individuals and organizations that assemble, collect, analyze, store, or transmit PHI. The Texas HB300 compliance date was September 1, 2012.

Texas HB300 Brought in Stricter Privacy and Security Safeguards than HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already obligates covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of HIPAA-covered entities to implement safeguards that ensure the confidentiality, integrity, and availability of PHI and protect the privacy of patients and health plan subscribers.

Texas HB300 takes those requirements further, imposing stricter requirements on covered entities, a term which under the Texas legislation also encompasses individuals and organizations not covered by the HIPAA Rules.

The existing laws amended by Texas HB300 are:

  1. Texas Health Code, Chapters 181 and 182
  2. Texas Business and Commerce Code, Sections 521 and 522
  3. Texas Government Code, Chapter 531
  4. Texas Insurance Code, Chapter 602

Amendments to the Definition of a Covered Entity

The definition of ‘covered entity’ under Texas HB300 differs from the definition of a covered entity under HIPAA. In Texas, a covered entity is defined as any individual or organization that assembles, collects, analyzes, stores, or shares the PHI of state residents. That includes any person or organization that comes into possession of PHI, including agents, employees, contractors, and subcontractors that create, receive, obtain, maintain, use, or share PHI.

Under HIPAA, schools and other educational bodies, accountancy firms, lawyers, ISPs, and researchers are not classified as covered entities, but they are required to comply with Texas HB300.

The only exceptions to this are:

  • Employee benefit plans and any entity or person acting in connection with such a plan
  • Workers’ compensation insurance and any entity or individual acting in connection with the provision, administration, support, or coordination of benefits under a self-insured workers’ compensation program
  • Persons or organizations that provide, administer, support, or coordinate benefits linked to compensation for victims of crime
  • The processing of certain payment transactions by financial institutions
  • Non-profit agencies that pay for prescription drugs and healthcare services for indigent people, but only if the primary business of the agency is not the provision of healthcare or reimbursement for medical treatment
  • Education records included in the Family Educational Rights and Privacy Act of 1974

Training Requirements for Staff Required to Manage PHI

When a staff member joins a company, or their job description changes to include the handling of PHI or sensitive personal information (SPI), that individual must be given privacy training within 60 days of the date of hire or the change to their job description. Ongoing training is also required, with a minimum of two sessions to be completed by relevant staff every two years. Training sessions must be formally recorded, and a signature must be obtained from the employee as evidence that the training was provided.

The content of the training sessions should be tailored to the individual and reflect the nature of the PHI/SPI access and handling duties that they carry out.

Standards for Handling Electronic Health Records (EHRs)

The only permissible disclosures of electronic PHI without authorization are those between covered entities for treatment, payment, or insurance purposes. For all other disclosures, the patient must be notified in advance and written authorization must be obtained before ePHI is shared.

EHR Access for Patients

HIPAA gives patients the right to obtain copies of their PHI held by HIPAA-covered entities, which must be supplied within 30 days of the date of the request. Texas HB300 requires access to EHRs to be provided in half that time: a request must be honored within 15 days of receipt of a written request.

When a covered entity is unable to supply copies of EHRs in electronic format, an alternative format can be used, or paper copies can be provided if the patient agrees beforehand.

Texas HB300 and HIPAA: Enforcement of Compliance

The Texas attorney general is authorized to impose civil monetary penalties on any person or organization for non-compliance with any aspect of the legislation. Furthermore, if continued noncompliance is discovered, the state attorney general can have the entity’s state license revoked.

Unauthorized Disclosures of ePHI: Civil and Criminal Penalties

As with HIPAA, the penalties for noncompliance are tiered, based on the level of knowledge of the violation, the reason the violation took place, the harm caused by the violation, and the measures taken to remedy it.

  • Tier 1 applies when a violation occurred as a result of negligence. The maximum penalty is $5,000 per violation per annum.
  • Tier 2 applies when the violation occurred with the knowledge of the covered entity. The maximum penalty is $25,000 per violation per annum.
  • Tier 3 applies when the violation was intentional and PHI was shared or passed on for financial gain. The maximum penalty is $250,000 per violation.
  • If a pattern of noncompliance is identified, the maximum possible penalty is $1.5 million.