Update from Texas: Understanding the New Privacy Law

This post by Brandon Kulwicki is part of our ongoing series of contributed content.

Last year Governor Rick Perry signed into law Texas House Bill 300 (HB300) which marks a major shift in how Texas views health information privacy and security. The law went into effect on September 1, 2012. The new law expands the definition of a covered entity, mandates new patient privacy protocols for covered entities and implements harsher penalties for privacy violations related to electronic health records. House Bill 300 significantly expands patient privacy protections for Texas covered entities beyond those federal requirements as outlined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health (or "HITECH") Act.

1. Who Is a Covered Entity?

The expansion of the definition of a covered entity now includes any entity or person that:

• Engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information ("PHI");
• Comes into the possession of PHI;
• Obtains or stores PHI; or
• Is an employee, agent, or contractor of a person described above insofar as the person or entity creates, receives, obtains, maintains, uses or transmits PHI.

Under the new law a "covered entity" is specifically defined to include a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site. The Texas definition is such a broad expansion to the HIPAA definition of covered entity that entire new industries (i.e. law firms, accounting firms, record storage companies) will now have to place safeguards on the handling and potential handling of PHI.

2. What must a Covered Entity Do?

Under the new Texas law, covered entities must now provide customized employee training regarding the maintenance and protection of PHI. Covered entities are required to tailor the employee training to reflect the nature of the covered entity's operations and each employee's scope of employment as they relate to the maintenance and protection of PHI. New employees must complete the training within 60 days of hire and all employees must complete training at least once every two years. Covered entities are required to maintain training attendance records for all employees. These training requirements are notably more stringent than those imposed by HIPAA. Under HIPAA, training is only required within a reasonable amount of time after hiring and when there are any material changes in privacy policies. Under both HIPAA and H.B. 300, "covered entities" must maintain records of every employee's training attendance.

3. What Rights Do Patients Have to their own Electronic Medical Records?

Under HIPAA a covered entity had 30 days to provide copies of medical records, H.B. 300 shortens that time period to requiring a covered entity to produce electronic medical records to the patient within 15 business days of the patient's written request. Additionally, Texas law now mirrors that of HITECH by limiting the sale of PHI and requiring notice to patients regarding the electronic disclosure of PHI.

Covered entities must provide notice to any patient when their PHI will be subject to electronic disclosure unless the electronic disclosure is made for purposes of treatment, payment or health care operations. Most facility operators will already have a compliant notice in their Notice of Privacy Practices and will, for most disclosures be either exempt from the requirement or well prepared for it.

Similar to monitoring of HIPAA by the Office of Civil Rights, House Bill 300 requires the Texas Attorney General to establish and maintain a website that states and explains patients' privacy rights under Texas and federal law. While this website does not currently exist, it is required to list the state agencies that regulate each covered entity, provide each agency's contact information and each agency's complaint enforcement process. The Texas Attorney General will also, starting in 2013, be required to issue an annual report regarding the number and types of complaints pertaining to patient privacy issues.

4. What Happens if I Ignore House Bill 300?

Covered entities that wrongfully disclose a patient's PHI will face increased civil penalties under House Bill 300, in addition to any penalties for violating federal laws. The new Texas law allows for penalties ranging from $5,000 to $1.5 million per year. To determine the penalty amount, House Bill 300 lists five factors a court may consider:

1. the seriousness of the violation;
2. the entity's compliance history;
3. the risks of harm to the patient;
4. the amount necessary to deter future violations; and
5. efforts made to correct the violation.

If a violation is found to be negligent, it can cost up to $5,000 per violation for each year the violation persists. Knowingly or intentionally violating the disclosure laws can cost up to $25,000 per violation each year it persists. If the violation is known or intentional and produces financial gain, the penalty can reach $250,000 per violation for each year that it persists. If the court finds that the violations are a "frequent pattern of practice," a covered entity can face up to $1.5 million dollars in fines as well as license revocation, civil action from the Texas Attorney General, and the Attorney General can independently request an audit by the U.S. Department of Health and Human Services. These penalties are in addition to the similar penalties that can be assessed by HHS under HITECH.

Bottom line: When the federal penalties are combined with the state penalties, a Texas covered entity could face fines up to $3 million per year for the single violation.

Like HITECH, House Bill 300 (HB300) requires covered entities in Texas that handle PHI to provide notification to individuals in the event of a privacy breach. However, House Bill 300 imposes additional penalties for failure to do so. Failure to notify individuals may result in a $100 penalty per individual each day the notice is not sent, but not to exceed $250,000. It may also be treated as a class B misdemeanor.

HB 300 compliance deadline is 60 days after the effective date of September 1st, 2012.