What is Texas HB 300, who is required to comply with the legislation, and what are the penalties for noncompliance? This post answers these and other important questions about Texas HB 300.
What is Texas HB 300?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets minimum privacy and security standards for healthcare organizations. HIPAA naturally covers healthcare organizations based in Texas, but those organizations must also comply with state laws. Texas has some of the most stringent health data laws in the United States; they are detailed in Texas HB 300 (Texas House Bill 300).
Texas HB 300 was passed by the Texas legislature in June 2011 and was signed into law by Texas Governor Rick Perry. The compliance date for Texas HB 300 was September 1, 2012.
Texas HB 300 amended four laws in Texas: The Texas Health Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602) and introduced tougher privacy protections for health data than HIPAA.
Who is Required to Comply with Texas HB 300?
Compliance with Texas HB 300 is mandatory for all covered entities that are based in Texas or do business with Texas residents. Covered entities under Texas HB 300 differ from covered entities as defined in HIPAA.
Texas HB 300 expanded the HIPAA definition of a covered entity (healthcare providers, health plans, and healthcare clearinghouses) to include any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits protected health information in any form.
Texas HB 300 therefore applies to all healthcare organizations, including those that are not covered by HIPAA, and also lawyers, schools, universities, researchers, accountants, Internet service providers, IT service providers, government agencies, and individuals who maintain a website that collects, stores, or interacts with PHI.
Texas HB 300 Exemptions
The only entities not required to comply with Texas HB 300 are:
- Not-for-profit agencies that pay for healthcare services or prescription drugs for indigent persons if the primary business of the agency is not the provision of healthcare services or reimbursement for healthcare services.
- Workers’ compensation insurance and any entity or individual who acts in connection with the provision, support, administration, or coordination of benefits under a self-insured workers’ compensation program.
- Employee benefit plans and entities or individuals that act in connection with those plans.
- Entities or individuals that provide, administer, support, or coordinate benefits associated with compensation for victims of crime.
- Processing of certain payment transactions by financial institutions and education records covered by the Family Educational Rights and Privacy Act of 1974.
Texas HB 300 and Electronic Health Records
Texas HB 300 introduced new standards for handling electronic health records. A covered entity is prohibited from using PHI for any reason other than the provision of treatment, payment for healthcare, or insurance purposes unless, prior to the disclosure of PHI, the covered entity has obtained written authorization from an individual to disclose their PHI.
HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request, and those requests must be honored within 30 days of the request being submitted. Texas HB 300 requires covered entities to provide copies of PHI much more rapidly: within 15 days of a written request being received.
Texas HB 300 Training for Employees Who Handle PHI
All employees who are required to handle PHI or sensitive personal information (SPI), or who are likely to encounter PHI, are required to undergo formal privacy training within 60 days of commencing employment. In contrast to HIPAA, which does not stipulate how often additional training must be provided, Texas HB 300 requires additional privacy training to be provided at least every two years. Training sessions need to be tailored to the role and responsibilities of the employee. All training must be documented, and employees are required to sign to confirm that they have received the training.
What are the Texas HB 300 Penalties for Noncompliance?
The penalties for noncompliance with Texas HB 300 are severe. The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation. State licenses can also be revoked in cases where an entity or individual has demonstrated continued noncompliance.
As with HIPAA, the penalties for noncompliance with Texas HB 300 are broken down into tiers:
- Tier 1: Up to $5,000 per violation, per year, for violations due to negligence.
- Tier 2: Up to $25,000 per violation, per year, for a knowing or intentional violation.
- Tier 3: Up to $250,000 per violation, per year, for an intentional violation for financial gain.
The maximum financial penalty is $1.5 million per year in cases where there has been a pattern of noncompliance.
The level of the financial penalty is dictated by the severity of the violation, whether there has been a history of noncompliance, the measures taken to correct the violation, and whether harm has been caused as a result of the violation.