
HB300 Training

Although HB300 training is similar to HIPAA training inasmuch as employees of Covered Entities are required to undergo privacy and security training, the extended definition of a Covered Entity under the Medical Records Privacy Act means that more organizations are subject to the Texas legislation – even if they are not physically located in Texas.

In 2011, the Texas legislature passed House Bill 300 (HB 300) to revise several Texas statutes – among them the Medical Records Privacy Act. Although the Medical Records Privacy Act already required Covered Entities to provide training “appropriate for the employees to carry out the employees’ duties”, HB 300 extended the definition of a Covered Entity.

From September 2012, any organization, employee, agent, or contractor who creates, receives, obtains, maintains, uses, or transmits Protected Health Information (PHI) is considered to be a Covered Entity. For the purpose of clarity, the text of the Health and Safety Code specifies some organizations that would not be considered Covered Entities under HIPAA:

“The term includes a business associate, […], governmental unit, information or computer management entity, school, health researcher, […], or person who maintains an Internet site.”

Exemptions to the Medical Records Privacy Act

There are some exceptions and partial exemptions to the definition: payment processors, workers’ compensation schemes, and the American Red Cross are exempted from the Medical Records Privacy Act, and educational records covered by FERPA are exempted from the Medical Records Privacy Act, but treatment records are not.

Also not exempted from the Medical Records Privacy Act are organizations, employees, agents, or contractors located outside of Texas that create, receive, obtain, maintain, use, or transmit the PHI of a Texas resident if the PHI is collected or stored in Texas – regardless of whether the Texas resident was in Texas at the time the PHI was collected.

Consequently, it is conceivable that many organizations outside of Texas could be subject to Texas’ Medical Records Privacy Act and required to provide HB300 training to employees. For existing HIPAA Covered Entities and Business Associates, HB300 training is similar to HIPAA training. However, for organizations not covered by HIPAA, the following will be of benefit.

Sample HB300 Training Curriculum

Because the Medical Records Privacy Act stipulates that HB300 training has to be “appropriate for the employees to carry out the employees’ duties”, and because there are so many types of organization classified as Covered Entities, there is no one-size-fits-all HB300 training curriculum. However, the following elements should be included in a training course as a minimum:

  • Introduction to Texas HB 300.
  • Why the law was introduced and why compliance is essential.
  • Types of information covered.
  • Entities and individuals required to comply.
  • Medical record and PHI access.
  • Patient rights over electronic medical records.
  • Notices about electronic disclosures of PHI.
  • Authorizations from patients about electronic PHI disclosures.
  • Breach notification requirements of HB 4390.
  • How to protect PHI.
  • Enforcement of compliance and penalties for violations.

With regards to the frequency of HB300 training, the Medical Records Privacy Act states initial training must be provided to new employees within ninety days of the employee being hired by the Covered Entity, and refresher training has to be provided within a year of a material change in state or federal law concerning PHI that affects the role of the employee.

Differences between HIPAA and HB300

While there are many similarities between HIPAA and HB300, there are also some significant differences. Since 2011, the Medical Records Privacy Act has implemented stricter controls on the allowable uses and disclosures of PHI, and PHI itself can include any personal information “for which there is reasonable basis to believe the information can be used to identify the individual”.

Patients also have enhanced rights under HB300. Similar to HIPAA, patients can request access to medical records and request errors are corrected. However, under HB300 Covered Entities have only fifteen business days to respond to a request. If unjustified delays occur, patients can lodge a complaint with the Texas Attorney General or other public agency overseeing HB300 compliance.

One further difference between HIPAA and HB300 relates to notifying the Texas Attorney General of a data breach. Under HIPAA, Covered Entities are required to report data breaches affecting more than 500 individuals to the Office for Civil Rights. However, under HB300, the Texas Attorney General also has to be notified of data breaches affecting more than 250 individuals.

HB300 Training FAQs

Do HIPAA Covered Entities in Texas have to provide both HIPAA and HB300 training?

Any HIPAA Covered Entity that collects or stores the PHI of Texas residents has to comply with HB300 and provide HB300 training. However, due to the similarities between HIPAA and HB300, HIPAA Covered Entities can train employees on both laws at the same time by replacing clauses of the Privacy and Security requirements with clauses of the Medical Records Privacy Act where more stringent requirements apply.

Why does HB300 take precedence over HIPAA even though the Final Omnibus Rule is more recent?

HIPAA provides a “federal floor of privacy protections for individuals’ individually identifiable health information” and preempts state laws unless state laws are “more stringent” and increase either the responsibilities of Covered Entities or the rights of patients. HB300 does both inasmuch as it extends the definition of Covered Entities, increases the rights of patients, and demands that more information is released about data breaches.

What additional information has to be released by Covered Entities about data breaches?

In June 2021, Governor Abbott signed HB 3746 into law, amending the Texas Breach Notification Rule (Section 521.053 of the Business & Commerce Code) by requiring Covered Entities to release additional information about data breaches, such as the circumstances of the breach, whether it is known if PHI has been subsequently used or disclosed without authority, and what measures the Covered Entity intends to take to address the cause of the breach.

If school treatment records are not exempted from the Medical Records Privacy Act, do teachers have to undergo HB300 training?

The language of the Act implies that employees should be provided with training as it relates to the scope of their employment. If teachers do not have access to school treatment records or any other non-exempt PHI, they should only need to have an understanding of the privacy clauses of the Medical Records Privacy Act to mitigate the risk of an unauthorized verbal disclosure. All other HB300 training would not fulfil the criteria of being “appropriate”.

Where can I find further information about my obligations under the Medical Records Privacy Act?

All organizations that collect or store the PHI of Texas residents should review the text of the Medical Records Privacy Act, and the Texas Health Services Authority has also released guidance on model security policies. Alternatively speak with a company specializing in regulatory compliance. Not only will the company be able to answer questions relating to your specific circumstances, but it should also be able to help you with HB300 training.