The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a critically important piece of federal legislation that introduced minimum security and privacy standards for the healthcare industry. Because HIPAA is a federal law, organisations working in the US healthcare industry are obliged to comply with it or face harsh penalties.
While federal law sets a baseline standard across the nation, states may impose additional requirements that healthcare organisations operating in their jurisdiction must follow. Texas has some of the most stringent laws in the United States where the security and privacy of health data are concerned. These requirements are detailed in Texas HB 300 (Texas House Bill 300).
Texas HB 300 was passed by the 82nd Texas Legislature and signed into law by Republican Governor Rick Perry in June 2011. Organisations were given until September 1, 2012 to comply. Texas HB 300 amended four Texas laws: the Texas Health and Safety Code (Chapters 181 and 182), the Texas Business and Commerce Code (Chapters 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602), and introduced tougher privacy protections for health data than HIPAA provides.
Penalties for HB 300 Violations
Much like HIPAA non-compliance cases, covered entities found to be in violation of HB 300 can face severe penalties.
The Texas Attorney General has been granted the authority to seek civil monetary penalties against entities and individuals that fail to comply with Texas HB 300. If an individual or organisation fails to rectify the issue and continues to violate the legislation, the relevant state licensing agency can also revoke its licence, removing its ability to operate in the state of Texas.
As with HIPAA, the penalties for noncompliance with Texas HB 300 are broken down into tiers:
Tier 1: Up to $5,000 per violation, per year, for violations due to negligence
Tier 2: Up to $25,000 per violation, per year, for a knowing or intentional violation
Tier 3: Up to $250,000 per violation, per year, for an intentional violation for financial gain
The maximum financial penalty is $1.5 million per year in cases where a court finds that the violations have occurred with a frequency that constitutes a pattern or practice of noncompliance.
The size of the financial penalty levied against an organisation is determined by a number of factors and is decided case by case. These factors include: the seriousness of the violation, any history of noncompliance, the measures taken to correct the violation, the organisation's response in the aftermath of the issue, and any harm an individual may have suffered as a result of the violation.
Covered Entities and Texas HB 300
The definition of a Covered Entity (CE) in Texas HB 300 is broader than HIPAA's. Under HIPAA, CEs are healthcare providers, health plans, and healthcare clearinghouses. Texas HB 300 covers any entity or individual that possesses, obtains, assembles, collects, analyses, evaluates, stores, or transmits protected health information (PHI) in any form.
Texas HB 300 therefore applies to all healthcare organisations, including those not covered by HIPAA, as well as lawyers, schools, universities, researchers, accountants, Internet service providers, IT service providers, government agencies, and individuals who maintain a website that collects, stores, or interacts with PHI.
All CEs that are based in Texas or do business with Texas residents are required to comply with Texas HB 300.
Exemptions to Texas HB 300
There are some categories of organisations which are not required to comply with Texas HB 300. These include:
- Not-for-profit agencies that pay for healthcare services or prescription drugs for indigent persons if the primary business of the agency is not the provision of healthcare services or reimbursement for healthcare services.
- Workers’ compensation insurance and any entity or individual who acts in connection with the provision, support, administration, or coordination of benefits under a self-insured workers’ compensation program.
- Employee benefit plans and entities or individuals that act in connection with those plans.
- Entities or individuals that provide, administer, support, or coordinate benefits associated with compensation for victims of crime.
- Financial institutions, to the extent that they are processing certain payment transactions.
- Education records covered by the Family Educational Rights and Privacy Act of 1974 (FERPA).
Any organisation that does not fall into one of the above categories and fails to comply with Texas HB 300 will be subject to the aforementioned penalties.
Texas HB 300 and Electronic Health Records
One of the key aspects of Texas HB 300 was the introduction of new standards for the handling of electronic health records. As electronic health records become more widely used in the healthcare industry, it is critically important that laws are in place to protect the privacy and integrity of that data.
A covered entity may not electronically disclose an individual's PHI for any purpose other than treatment, payment, healthcare operations, or the performance of an insurance or HMO function (or as otherwise authorised by law) unless, prior to the disclosure, it has obtained the individual's written or electronic authorization for that disclosure.
Texas HB 300 has also roughly halved the time a CE has to respond to a request from an individual for access to their PHI.
HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request within 30 days of the request being submitted (one 30-day extension is permitted). Under Texas HB 300, a healthcare provider whose electronic health record system is capable of fulfilling the request must provide the requested record in electronic form within 15 business days.
Texas HB 300 and Employee Training
Texas HB 300 has introduced stricter requirements on how employees of CEs are trained to handle PHI.
Under Texas HB 300, all employees who are required to handle PHI or sensitive personal information (SPI), or are likely to encounter PHI, are required to undergo formal privacy training within 60 days of commencing employment. Texas HB 300 requires additional privacy training to be provided at least every two years. Training sessions need to be tailored to the role and responsibilities of the employee. All training must be documented and employees are required to sign to confirm that they have received the training.
HIPAA requires workforce training within a reasonable period after hire and whenever policies change materially, but it sets no fixed deadline and no refresher interval.
As a result of Texas HB 300, Texas now has some of the strictest health data protection laws in the United States. It remains to be seen whether this sets a precedent for other states to introduce similar bills and take the protection of medical information beyond HIPAA.