Texas health care providers, health insurers and health clearinghouses face new mandates and increased penalties over the use of electronic health records (EHR) as a result of HB300, which was passed in the 2011 Texas legislative session and signed into law by Governor Rick Perry. The Texas legislation expands privacy rights of patients beyond that contained in federal HIPAA legislation. Under the preemption provision in HIPAA, the stricter Texas law will be applied to covered entities in the state. The new law, which is not effective until September 1, 2012, is designed to better ensure the security and privacy of protected health information (PHI) that is exchanged via electronic means. However, the law will also increase mandates on covered entities (health care providers, health insurers and health clearinghouses), grant new enforcement authority to a variety of state agencies, establish standards for the use of EHR, and increase penalties for the wrongful electronic disclosure of PHI, including creating a new felony for wrongfully accessing or reading of EHR via electronic means.
Covered Entities in Texas Must Conduct On-Going Patient Privacy Training
Under HB300, covered entities must provide on-going training to their employees regarding state and federal law concerning PHI.1 The training must be customized as to the entity’s particular course of business and each employee’s scope of employment. An employee must complete the training no later than the 60th day after the employee is hired, and such training must be repeated at least once every two years. Additionally, all covered entities must maintain records documenting each employee’s attendance at training programs. Such records may be maintained either electronically or in writing.
This training requirement is an expansion of the HIPAA Privacy Rule, which does not require on-going training of existing employees. HIPAA merely requires that employees be trained “within a reasonable period of time” after hiring and any material changes in privacy policies or procedures.2 Although HB300 is not effective until September 1, 2012, covered entities should begin planning now to provide the required training for all of their employees. Such training will have to be customized to reflect each employee’s scope of employment and the particular course of business of each entity.
Increased Patient Rights and Remedies Over Electronic Health Records
The Texas Legislature granted patients additional rights and remedies concerning their EHRs, which place more stringent requirements on covered entities than currently exists under HIPAA. Under HB300, covered entities must provide patients their EHRs in electronic format within 15 business days of receiving a written request.3 The Texas Health and Human Services Commission is to recommend a standard format for the release of EHRs that is consistent with federal law. Additionally, the Texas Attorney General is required to establish a website containing information for patients regarding patients’ medical privacy rights under federal and state law, a list of state agencies that regulate covered entities, detailed information regarding each agency’s complaint enforcement process and contact information for each such agency. The Attorney General must also report annually to the Texas Legislature the number and types of complaints received by state agencies regarding patient complaints over medical privacy.
HB300 also prohibits the sale of PHI, except for treatment, payment, health care operations, performing an insurance function, or as otherwise allowed by federal law. This provision of HB300 is consistent with HIPAA, as amended by the 2009 HITECH Act.4
Covered entities will also have to provide notice to, and obtain authorization from, patients of the electronic disclosure of their PHI, except in instances for treatment, payment or health care operations. The Texas Attorney General will adopt a standard for authorization of such disclosures, consistent with HIPAA and the federal Privacy Rule.
Increased Enforcement Penalties
The Texas Attorney General may institute penalties against covered entities that violate state laws regarding EHRs. Penalties can range from $5,000 to $1.5 million annually for providers that wrongfully disclose a patient’s PHI.5 In determining the amount of penalty, the law provides that a court should consider:
- The seriousness of the violation;
- The covered entity’s compliance history;
- Whether the violation poses a significant risk of financial, reputational, or other harm to the patient;
- The amount necessary to deter future violations; and
- The covered entity’s efforts to correct the violation.
Additionally, the Texas Attorney General may request that the Secretary of the U.S. Department of Health and Human Services audit a covered entity’s compliance with the HIPAA Privacy Rule.6 If the audit shows egregious violations that constitute a pattern or practice, a covered entity may be required to conduct a risk analysis as required under the Privacy Rule,7 and submit the results to the Texas Health and Human Services Commission. The Texas Attorney General will also have to report annually to the Texas Legislature the number of federal audits of covered entities.
Standards for Electronic Sharing of PHI
In earlier legislative sessions, the Texas Health Services Authority (THSA) was created as a public-private collaborative to implement state-level health information technology functions and to serve as a catalyst for the development of a seamless electronic health information infrastructure. HB300 adds to the duties of the THSA by requiring it to develop privacy and security standards for the electronic sharing of PHI.8 The THSA will also establish a process by which a covered entity can be certified for compliance with the standards it develops.
Under HB300, any business (not just a covered entity) that conducts business in Texas that handles PHI must provide notification to Texas residents if their PHI is wrongfully disclosed. This notification requirement is consistent with the requirement in the HITECH Act that subjects vendors of personal health records and their service providers to the same security breach notification requirements as covered entities.9 Any business that fails to make the required notification is subject to state penalties not exceeding $250,000 for a single breach. Moreover, HB300 makes it a state felony if an individual, without the consent of the patient, accesses, reads, scans, stores or transfers PHI via a scanning device or electronic payment card.
Covered Entities Should Begin Compliance Efforts Now
The new requirements placed on covered entities in Texas as a result of HB300 are numerous and extend beyond those requirements contained in HIPAA and the federal Security and Privacy Rules. Even though the new law is not effective until September 1, 2012, covered entities (health care providers, health insurers and health clearinghouses) should begin now their efforts to develop and conduct employee training, change their notices of privacy practices and update policies regarding the security and privacy of patients’ electronic protected health information.