Texas House Bill 300 Overview
On September 1, 2012, the Texas Legislature passed House Bill 300 (H.B. 300) in an effort to enhance the safeguards for Protected Health Information (PHI). This law serves to increase the number of entities that are required to be HIPAA compliant, expands upon the guidelines that they must follow, and increases the penalties if they are found to not be in compliance.
Under the federal HIPAA law, “covered entities” (i.e. entities that must strictly follow HIPAA) are defined as health care providers, health care plans or medical clearinghouses. Under Texas H.B. 300, the state government has extended the definition of “covered entities” to include any individual, business or organization that does one of the following:
- Engages in the practice of assembling, collecting, analyzing, storing or transmitting PHI
- Comes into the possession of PHI
- Obtains or stores PHI
- Is an employee, agent, or contractor of a person described in number 1-3 above (if the employee, agent or contractor creates, receives, obtains, maintains, uses or transmits PHI).
This revision effectively expands the requirement to be HIPAA compliant to any entity that comes into any type of contact with PHI.
H.B. 300 also strengthens the federal HIPAA law by adding a requirement for employee training, shortening time limits for responding to patient requests for medical records and by increasing penalties for non-compliant entities.
The new Texas Law states that “covered entities” must supply their employees with training regarding both federal and state law related to the privacy of the PHI. This training must be tailored to the entities’ line of business and to the specific role of the employee receiving the training. This training must be done within 60 days of the employee’s hire date and has to be repeated at least every two years. Additionally, the “covered entities” must keep record of employee attendance during the trainings.
Patient Rights Regarding Electronic Medical Records
When electronic health records are requested by a patient, the “covered entity” must deliver them to the patient within 15 business days of the patient’s written request. The federal HIPAA law requires that they be provided within 30 days of the request. In addition, H.B. 300 strengthens the proscription for selling medical information for share or profit.
On top of the federal penalties given for violating a patient’s PHI, H.B. 300 increases civil penalties for those who wrongfully disclose a patient’s PHI. To avoid these penalties, H.B. 300 compliance is extremely important. Texas law outlines penalties ranging from $5,000 to $1.5 million per year. The varying penalty amounts can be determined by the courts regarding the following five factors:
- violation severity;
- entity’s compliance history;
- level of risk to harm patient;
- the amount necessary to deter “covered entities” from future violations, and;
- efforts made to fix this violation.
The information provided in this article was derived from the Texas Health and Safety Code, Chapter 181.001(b)(2).