The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

What is the Texas Medical Records Privacy Act?

The Texas Medical Records Privacy Act is a law passed by the Texas legislature in 2001 that created Chapter 181 of the Texas Health and Safety Code. Subsequent amendments to the Act have strengthened its privacy protections and increased the penalties for non-compliance. Importantly, the Act can apply to organizations located outside the state of Texas.

The Texas Medical Records Privacy Act came about because the state considered that the provisions of the HIPAA Privacy Rule first proposed in 1999 did not go far enough to protect the privacy of individually identifiable health information. The legislature subsequently developed standards that apply to medical records belonging to Texas residents.

The adopted standards use the HIPAA Privacy Rule as a base and use many of the same definitions – the major difference being that Chapter 181 of the Texas Health and Safety Code applies to any person or organization (covered entity) that assembles, collects, analyzes, uses, evaluates, stores, or transmits Protected Health Information (PHI).

Therefore, unlike HIPAA – which only applies to health plans, health care clearinghouses, qualifying healthcare providers, and qualifying business associates – the Texas Medical Records Privacy Act applies to sports teams, IT service providers, website owners, lawyers, accountants, etc. who come into possession of, obtain, or store PHI.

As mentioned in the introduction, the Texas Medical Records Privacy Act does not stop at the state’s borders. If a covered entity located outside of Texas assembles, collects, analyzes, uses, evaluates, stores, or transmits the PHI of a Texas resident, it is subject to the Texas Medical Records Privacy Act and the Texas Breach Notification Rule.

The Texas Medical Records Privacy Act vs HIPAA

The HIPAA Privacy Rule created a federal floor of privacy protections but can be preempted by state laws when the state laws provide greater privacy protections or more patients’ rights. For almost ten years, the Texas Medical Records Privacy Act preempted HIPAA in just a few areas (for example, patient authorizations were required before deidentified PHI could be reidentified). Then came HB 300.

In May 2011, Texas HB 300 updated Chapter 181 of the Texas Health and Safety Code and introduced a number of measures aimed at better protecting PHI following the passage of the HITECH Act. The concern at the time was that the incentivization of EHRs would increase the risk of electronic PHI being accessed impermissibly. Consequently, the key updates implemented via HB 300 included:

  • The requirement for covered entities not excluded by §181.154(e) to provide a notice explaining that an individual’s PHI could be disclosed electronically.
  • The requirement for covered entities not excluded by §181.154(e) to obtain an authorization for a number of disclosures that would be permitted by the Privacy Rule.
  • A total ban on the sale of PHI for any reason other than treatment, payment, healthcare operations, or maintenance operations permitted by the Insurance Code.
  • A reduction in the length of time covered entities had to respond to patient access requests when PHI is stored on Electronic Health Records (reduced to 15 days).
  • A significant increase in the civil monetary penalties that could be imposed by the Attorney General for violations of the Texas Medical Records Privacy Act.

The civil monetary penalties for violations of the Texas Medical Records Privacy Act (of up to $250,000 per violation) are in addition to any fines issued by HHS’ Office for Civil Rights for HIPAA violations or issued by the Attorney General for breaches of the Texas Breach Notification Rule. It is important to note that under the Texas Breach Notification Rule, breaches of all types of sensitive information (as defined in Texas §521.022) qualify as notifiable data breaches.

Subsequent Amendments to the Act

There have been a few amendments to the Act since the passage of HB 300. In April 2013, the Texas legislature relaxed the HB 300 training requirements so that initial training had to be provided within 90 days (rather than 60 days) and so that training did not have to be repeated every two years (unless there was a material change to the Code).

Thereafter, other than terminology amendments to account for changes to the Family Code and the Code of Criminal Procedure – and when the Texas Health Service Board was established – the only further amendment was introduced to create an exclusion for certain uses and disclosures of PHI during the COVID-19 pandemic. This exclusion is still in force.

Despite the small number of amendments over the past decade, there is still some confusion about which Rules apply to HIPAA covered entities with regard to the additional protections afforded to residents of Texas. If your organization requires help with complying with the Texas Medical Records Privacy Act – or with any aspect of HIPAA compliance – it is recommended you seek professional compliance advice.

Staff Training for Texas Medical Records Privacy Act and Related Laws

Employees who interact with patient information should receive training on the Texas Medical Records Privacy Act as amended by HB 300, including how its stricter provisions on patient privacy, consent, and workforce education apply in practice. This is in addition to HIPAA training. They also need training on the Texas Identity Theft Enforcement and Protection Act and the Texas Data Privacy and Security Act, so they know the state-specific expectations for preventing identity theft, securing personal data, and providing Texas-compliant breach notifications. Where AI tools or automated decision making are used with health information, training should explain the requirements of the Texas Responsible AI Governance Act and SB1188, which address the safe and compliant use of AI in connection with electronic health records. Finally, staff whose roles are affected should be introduced to the relevant parts of the Texas Medical Practice Act and the applicable sections of the Health and Safety Code and Occupations Code, so their day-to-day work aligns with both HIPAA and the additional Texas standards that apply to their job.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal.