On September 1, 2012, a new law will go into effect in Texas that imposes new requirements on organizations that maintain protected heath information (PHI).  The new legislation, HB 300, imposes even tighter standards than required by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

Who Does HB 300 Apply To?

Like HIPAA and HITECH, HB 300 applies to “covered entities.”  But the definition of a covered entity under HB 300 is broader than the definition of a covered entity under HIPAA (expanded by HITECH).  A “covered entity” under HB 300 is any individual, business or organization that:

  • Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI;
  • Comes into possession of PHI;
  • Obtains or stores PHI; or
  • Is an employee, agent, or contractor of a person described in the above three categories, if they create, receive, obtain, maintain, use, or transmit PHI.

In short, HB 300 would theoretically apply to entities such as law firms that maintain medical records in prosecuting/defending lawsuits, schools that maintain or use PHI, and information management entities that transfer and sell PHI.

What Does HB 300 Require?

HB 300 imposes a number of requirements on covered entities, including but not limited to:

Employee Training – Covered entities must train their employees regarding federal and state law related to the protection of PHI.  The training must be specifically tailored for the employee’s responsibilities and the ways in which the covered entity uses PHI.  New employees must be trained within 60 days of their hire dates, training should take place at least once every two years, and upon the completion of a training program, the employee must sign a statement verifying the employee’s attendance at the training program.  The covered entities must maintain these signed employee statements.  In contrast, HIPAA requires training only within a reasonable period of time after an employee is hired or whenever there are material changes to privacy policies.

Patient Record Requests – HB 300 requires covered entities to provide patients with electronic copies of their electronic health records within 15 business days of the patient’s written request.  This requirement differs from HIPAA, which allows covered entities 30 days to respond to such requests.

Disclosure of PHI – HB 300 prohibits the sale of PHI.  Additionally, a covered entity may only disclose PHI to another covered entity for the purpose of treatment, payment, health care operation, performing an insurance or health maintenance organization function, or as otherwise authorized or required by state or federal law.  If disclosure is made, then the covered entity must give notice to patients about the disclosure.

Consumer Information Website – The Texas Attorney General must maintain a website explaining consumer privacy rights regarding PHI under Texas and federal law, a list of the state agencies that regulate covered entities, detailed information about each agency’s complaint enforcement process, and contact information for each agency for reporting a violation of HB 300.

Audits of Covered Entities – Texas’s Health and Human Services Commission may request that the U.S. Secretary of Health and Human Services conduct an audit of a covered entity to determine compliance with HIPAA and the commission must periodically monitor and review the results of those audits.

What Are The Consequences For Violating The Law?

HB 300 imposes significant civil penalties, ranging from $5,000 to $1.5 million, on covered entities that fail to comply with its requirements.  The Texas Attorney General is responsible for pursuing these penalties.  In determining the amount of a penalty imposed, the court will consider the seriousness of the violation, the entity’s compliance history, the risk of harm to the patient, the amount necessary to deter future violations, and efforts made to correct the violation.

To the extent the violation arises from a failure to comply with the disclosure requirements of HB 300, factors that may limit a covered entity’s liability include whether the disclosed information was encrypted, whether the recipient did not use or release the PHI, and whether the covered entity had developed, implemented, and maintained security policies, including training of its employees responsible for the security of PHI.

What’s The Point?

The point is that your business needs to evaluate whether HB 300 applies to you.  Are you a covered entity under this new, broader definition?  Do you have training policies and procedures in place that meet the requirements of HB 300?  Are you ready to respond quickly to requests for PHI?  Even if the law doesn’t apply to you, best practices in your industry might make it wise to become compliant, as concerns about the privacy and security of PHI continue to grow.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.