What is Texas HB 300, who is required to comply with the legislation, and what are the penalties for noncompliance? This article answers these and other important questions about Texas HB 300.
What is Texas HB 300?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets minimum privacy and security standards for healthcare organizations. HIPAA naturally covers healthcare organizations based in Texas, but they must also comply with state laws. Texas has some of the most stringent health data laws in the United States, which are detailed in the Texas Health and Safety Code.
In June 2011, Texas HB 300 was passed by the Texas legislature. HB 300 amended four areas of Texas law: the Texas Health and Safety Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602), and introduced tougher privacy protections for health data than HIPAA.
Who is Required to Comply with Texas HB 300?
Compliance with Texas HB 300 is mandatory for all covered entities that are based in Texas or do business with Texas residents. Covered entities under Texas HB 300 differ from covered entities as defined in HIPAA.
Texas HB 300 expanded the HIPAA definition of covered entity (healthcare providers, health plans, and healthcare clearing houses) to include any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits protected health information in any form.
Texas HB 300 therefore applies to all healthcare organizations, including those that are not covered by HIPAA, and also lawyers, schools, universities, researchers, accountants, Internet service providers, IT service providers, government agencies, and individuals who maintain a website that collects, stores, or interacts with protected health information (PHI).
Texas HB 300 Exemptions
The only entities not required to comply with Texas HB 300 are:
- Not-for-profit agencies that pay for healthcare services or prescription drugs for indigent persons if the primary business of the agency is not the provision of healthcare services or reimbursement for healthcare services.
- Workers’ compensation insurance and any entity or individual who acts in connection with the provision, support, administration, or coordination of benefits under a self-insured workers’ compensation program.
- Employee benefit plans and entities or individuals that act in connection with those plans
- Entities or individuals that provide, administer, support, or coordinate benefits associated with compensation for victims of crime.
- Processing of certain payment transactions by financial institutions and education records covered by the Family Educational Rights and Privacy Act of 1974.
Texas HB 300 and Electronic Health Records
Texas HB 300 introduced new standards for handling electronic health records. A covered entity is prohibited from using PHI for any reason other than the provision of treatment, payment for healthcare, or insurance purposes unless, prior to the disclosure of PHI, the covered entity has obtained written authorization from an individual to disclose their PHI.
HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request, and those requests must be honored within 30 days of the request being submitted. Texas HB 300 requires covered entities to provide copies of PHI much more rapidly: within 15 days of a written request being received.
HB 300 Training Requirements
All employees who are required to handle PHI or sensitive personal information (SPI), or are likely to encounter PHI, are required to undergo formal privacy training within 90 days of commencing employment (the original 60-day requirement was amended by SB 1609 in 2013). Thereafter, covered entities are required to provide refresher training within a year of a material change in state or federal law concerning PHI that affects the role of an employee. Training sessions need to be tailored to the role and responsibilities of the employee and the interactions they are likely to have with PHI.
HB 300 training should cover the requirements of the legislation, how it increases protections for health information, the types of information covered, how HB 300 relates to medical record access by employees, how healthcare data must be protected, patient authorizations for electronic disclosures of PHI, the reporting of potential violations, and the penalties for violations.
All training must be documented, and employees are required to sign to confirm that they have received the training. Training logs may need to be provided in the event of an audit or compliance investigation and must be maintained for six years.
What are the Texas HB 300 Penalties for Noncompliance?
The penalties for noncompliance with Texas HB 300 are severe. The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation. State licenses can also be revoked in cases where an entity or individual has demonstrated continued noncompliance.
As with HIPAA, the penalties for noncompliance with Texas HB 300 are broken down into tiers:
- Tier 1: Up to $5,000 per violation, per year, for violations due to negligence
- Tier 2: Up to $25,000 per violation, per year, for a knowing or intentional violation
- Tier 3: Up to $250,000 per violation, per year, for an intentional violation for financial gain
The maximum financial penalty is $1.5 million per year in cases where there has been a pattern of noncompliance.
The level of the financial penalty is dictated by the severity of the violation, whether there has been a history of noncompliance, the measures taken to correct the violation, and whether harm has been caused as a result of the violation.
Texas HB300 – FAQs
If a for-profit school in Texas creates, maintains, processes, or transmits health data relating to students, is the school a covered entity under HIPAA?
No. Only healthcare providers, health plans, and health care clearing houses are covered entities under HIPAA. However, the school will be a covered entity under HB300 and will have to implement measures similar to those required by HIPAA in order to secure data and ensure its integrity.
Do employees of HIPAA covered entities in Texas have to undergo both HIPAA training and HB300 training?
As mentioned above, training needs to be tailored to the role and responsibilities of the employee and the interactions they are likely to have with PHI. While there are circumstances in which separate training may be beneficial, in most cases HIPAA training and HB300 training can be combined into a single module.
If a HIPAA covered entity in Texas experiences a data breach, could they be liable for two penalties – one for violating HIPAA and one for violating HB300?
In theory yes. It depends on the cause of the data breach, the measures put in place by the covered entity to mitigate its likelihood, and the efforts made after the data breach to control its consequences. Fines for violations of HB300 are issued by the Texas Office of the Attorney General.
Where is the connection between HB300 and the Texas Medical Records Privacy Act?
The Texas Medical Records Privacy Act is the section of the Health and Safety Code updated by HB300. In many areas, the Texas Medical Records Privacy Act is the equivalent of the HIPAA Privacy Rule with elements of the HIPAA Security Rule added.
Does HB300 only apply in Texas?
No. Out-of-state companies that possess, obtain, assemble, collect, analyze, evaluate, store, or transmit PHI in Texas must comply with HB300. Furthermore, HB300 also updated a section of the Business and Commerce Code relating to breach notifications, the Texas Identity Theft Enforcement and Protection Act, which applies to any entity or person inside or outside of Texas that manages, maintains, and uses PHI owned or stored within Texas. With regard to breach notifications, it is important to be aware that the threshold for reporting breaches to the Texas Attorney General (250 individuals) is lower than the threshold for reporting breaches to the Office for Civil Rights under HIPAA (500 individuals).