Texas HB300 (Texas House Bill 300) was signed into law by Governor Rick Perry in June 2011. The bill made significant changes to state laws covering the privacy and security of protected health information (PHI) and applies to individuals and organizations that assemble, collect, analyze, store, or transmit PHI. The Texas HB300 compliance date was September 1, 2012.
Texas HB300 Introduced Stricter Privacy and Security Protections than HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of PHI and protect the privacy of patients and health plan members.
Texas HB300 takes those requirements a step further, introducing stricter requirements for covered entities and, through a broader definition of that term, extending those requirements to individuals and organizations that are not covered by the HIPAA Rules.
The existing laws updated by Texas HB300 were:
- Texas Health and Safety Code, Chapters 181 and 182
- Texas Business and Commerce Code, Chapters 521 and 522
- Texas Government Code, Chapter 531
- Texas Insurance Code, Chapter 602
Changes to the Definition of a Covered Entity
The definition of ‘covered entity’ under Texas HB300 differs from the definition of a covered entity under HIPAA. In Texas, a covered entity is any individual or organization that assembles, collects, analyzes, stores, or transmits the PHI of state residents. That includes any individual or entity that comes into possession of PHI, including agents, employees, contractors, and subcontractors whose work requires them to create, receive, obtain, maintain, use, or transmit PHI.
Schools and other educational institutions, accountancy firms, lawyers, ISPs, and researchers are not considered covered entities under HIPAA, but if they handle the PHI of Texas residents they are required to comply with Texas HB300.
The only exceptions are:
- Employee benefit plans and any entity or person that is acting in connection with such a plan
- Worker’s compensation insurance and any entity or person that is acting in connection with the provision, administration, support, or coordination of benefits under a self-insured workers’ compensation program
- Persons or entities that provide, administer, support, or coordinate benefits associated with compensation for victims of crime
- The processing of certain payment transactions by financial institutions
- Not-for-profit agencies that pay for prescription drugs and healthcare services for indigent persons, but only if the primary business of the agency is not the provision of healthcare/reimbursement for medical services
- Education records covered by the Family Educational Rights and Privacy Act of 1974
Training Requirements for Employees Required to Handle PHI
When an employee joins a company, or their job description changes to require the handling of PHI or sensitive personal information (SPI), that individual must receive privacy training within 60 days of the date of hire or change to their job description. Refresher training is also required at least once every two years. Each training session must be documented, and the covered entity must obtain the employee’s signature (an electronic signature is acceptable) confirming that the training was completed.
The content of the training should be tailored to the individual’s role and reflect the nature of the PHI/SPI access and handling that role requires.
Standards for the Handling of Electronic Health Records (EHRs)
Electronic PHI may be disclosed without the patient’s authorization only to another covered entity for treatment, payment, healthcare operations, or insurance purposes, or where the disclosure is otherwise authorized or required by law. All other electronic disclosures require the patient to be notified in advance and written authorization to be obtained before ePHI is disclosed. The sale of PHI is prohibited.
Patient Access to EHRs
HIPAA gives patients the right to obtain copies of their PHI held by HIPAA-covered entities, which must be provided no later than 30 days from the date of the request. Texas HB300 requires access to EHRs to be provided in roughly half that time: a healthcare provider must honor a written request for a patient’s electronic health record no later than 15 business days after the request is received.
When a covered entity lacks the capability to provide copies of EHRs in electronic format, an alternative format can be used, or paper copies can be provided if the patient agrees in advance.
Enforcement of Compliance with Texas HB300 and HIPAA
The Texas attorney general is authorized to bring enforcement actions and impose civil monetary penalties against any individual or entity for noncompliance with any aspect of the legislation. In addition, a pattern of noncompliance can result in disciplinary action by the relevant state licensing agency, up to and including revocation of the entity’s state license, and in exclusion from state-funded programs.
Civil and Criminal Penalties for Unauthorized Disclosures of ePHI
As with HIPAA, the penalties for noncompliance are tiered and based on the level of knowledge of the violation, the reason the violation occurred, the harm caused as a result of the violation, and the measures taken to correct it.
- Tier 1 applies when a violation occurred due to negligence. The maximum penalty is $5,000 per violation per year.
- Tier 2 applies when the violation was committed knowingly or intentionally. The maximum penalty is $25,000 per violation per year.
- Tier 3 applies when the violation was intentional and PHI was disclosed or used for financial gain. The maximum penalty is $250,000 per violation.
- If a pattern of noncompliance is discovered, total penalties are capped at $1.5 million per year.