HB300 Compliance in Texas
Texas HB300 (Texas House Bill 300) was signed into law by state governor Rick Perry in June 2011. The Bill made major changes to state legislation covering the privacy and security of protected health information (PHI) for covered entities that assemble, gather, analyze, store, or transmit PHI. The Texas HB300 compliance date was September 1, 2012.
Texas HB300 Brought in Stricter Privacy and Security Safeguards than HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already obligates covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of HIPAA-covered entities to adopt safeguards to ensure the confidentiality, integrity, and availability of PHI and protect the privacy of patients and health plan subscribers.
Texas HB300 takes those requirements further, bringing in even stricter requirements for covered entities, a term that under the new legislation also incorporates people and organizations not covered by HIPAA Rules.
The current laws amended by Texas HB300 were:
- Texas Health Code, Chapters 181 and 182
- Texas Business and Commerce Code, Sections 521 and 522
- Texas Government Code, Chapter 531
- Texas Insurance Code, Chapter 602
Amendments to the Definition of a Covered Entity
The definition of ‘covered entity’ under Texas HB300 is different from the definition of a covered entity under HIPAA. In Texas, a covered entity is defined as any individual or organization that assembles, gathers, analyzes, stores, or shares the PHI of state residents. That includes any person or group that comes into possession of PHI, which includes agents, employees, contractors, and subcontractors that are required to develop, receive, obtain, maintain, use, or share PHI.
Under HIPAA legislation, schools and other educational bodies, accountancy firms, lawyers, ISPs, and researchers are not classified as covered entities, but are required to comply with Texas HB300.
The only exceptions to this are:
- Staff benefit plans and any entity or person that is acting in connection with such a plan
- Employee compensation insurance and any entity or individual that is acting in connection with the provision, administration, support, or coordination of benefits under a self-insured workers’ compensation program
- Persons or groups that supply, administer, support, or coordinate benefits linked with compensation for victims of crime
- The processing of certain payment transactions by financial bodies
- Non-profit agencies that pay for prescription drugs and healthcare services for indigent people, but only if the primary business of the agency is not the provision of healthcare/reimbursement for medical treatments, etc.
- Education records included in the Family Educational Rights and Privacy Act of 1974
Training Requirements for Staff
When a staff member joins a company, or their job description changes to include the handling of PHI or sensitive personal information (SPI), that individual must be given privacy training within 90 days of the date of hire or change to their job description. Ongoing training is also necessary whenever a material change in state or federal law concerning PHI affects the role of staff. The training sessions must be officially recorded, and a signature must be obtained from the employee to prove the training session has been provided.
The content of the training sessions should be tailored to the individual and reflect the nature of the PHI/SPI access and handling duties that they carry out.
Standards for Handling Electronic Health Records (EHRs)
The only permissible disclosures of electronic PHI (ePHI) are between covered entities for treatment, payment, or insurance purposes. All other disclosures require written authorization from the subject of the disclosure in advance of ePHI being shared.
Medical Record Access for Patients
HIPAA gives patients the right to request copies of PHI held by HIPAA-covered entities, which must be supplied within 30 days from the date of the request. Texas HB300 requires access to medical records to be provided in half that time, with a maximum time frame of 15 days for honoring the request.
When a covered entity lacks the capability to supply copies of a patient's medical records in electronic format, an alternative format can be used, or paper copies can be provided if the patient agrees beforehand.
Texas HB300 and HIPAA: Enforcement of Compliance
The Texas Attorney General has the authority to impose civil monetary penalties on any person or body for non-compliance with any aspect of the legislation. Furthermore, if continued noncompliance is discovered, the state attorney general can have a state license revoked.
Unauthorized Disclosures of ePHI: Civil and Criminal Penalties
As is the case with HIPAA, the penalties for noncompliance are tiered and based on the level of knowledge of the breach, the reason why the breach took place, the damage caused by the violation, and the measures taken to remedy the violation.
- Tier 1 applies when a violation happened as a result of negligence. The highest penalty is $5,000 per violation per annum.
- Tier 2 applies when the violation happened with the knowledge of the covered entity. The highest penalty is $25,000 per violation per annum.
- Tier 3 applies when the violation was intentional and PHI was shared or passed on for financial gain. The highest penalty is $250,000 per violation.
- Tier 4 applies if a pattern of noncompliance is identified. The highest possible penalty under tier 4 is $1.5 million per violation.