Residents of the state of Texas recently received additional protections when Governor Rick Perry signed into law a measure protecting patients' data in electronic health records (EHRs) and increasing the penalties for violations of healthcare privacy law. The new law takes effect September 1, 2012.
Since the breach notification requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH) took effect in September 2009, healthcare providers and other covered entities have reported thousands of privacy breaches to the Office for Civil Rights (OCR), as HITECH requires. HITECH defines what constitutes a breach of electronic protected health information (PHI) and specifies what a covered entity must do in response, including investigation, notification and reporting. Once a breach is identified, HITECH requires the covered entity to investigate, perform a risk of harm analysis, determine to whom and how notification should be made, and report to OCR either at the time of the breach (for breaches affecting 500 or more individuals) or in an annual log (for smaller breaches). HITECH also gave state attorneys general authority to enforce HIPAA, and the federal government has recently trained them on its specifics, increasing enforcement activity at the state level. In parallel, many states have written the HIPAA and HITECH standards into state law or enacted stricter privacy and breach notification laws of their own. The Texas legislation follows this trend: a state-level privacy law that generally tracks HITECH, protecting consumers' electronic PHI and requiring breach notification after unauthorized access.
The Texas Law
The Texas law expands the privacy rights contained in HIPAA, mandates stricter training requirements for covered entities, enacts harsher penalties for the wrongful disclosure of PHI and creates additional state-level machinery to address and enforce healthcare privacy law in Texas. Under the new statute, covered entities such as hospitals, physicians, health plans, healthcare clearinghouses and their business associates are required to comply with the federal HIPAA privacy standards. Because HIPAA preempts only state laws that are contrary to it and less protective, this stricter Texas law survives preemption and will apply to all covered entities in the state. Tracking HIPAA, the new law provides that an individual's PHI may not be disclosed without the patient's authorization, except for purposes of treatment, payment, healthcare operations and insurance, and as otherwise authorized by state or federal law. Covered entities must post notice of their privacy policies on their website or in another prominent place where patients will see it. The law also requires a covered entity to run an ongoing training program for its workforce covering state and federal law on PHI as it relates to each employee's scope of employment, and the training must be customized to each employee's role and duties at the covered entity. Each employee must receive training at least once every two years, and each new employee must complete privacy training within 60 days of hire. The covered entity must maintain signed documentation of each employee's attendance.
The legislation increases the penalties for the wrongful disclosure of PHI, adding monetary penalties, criminal penalties and the potential loss of professional and institutional licenses. Civil penalties rise to up to $5,000 per negligent violation, $25,000 per knowing or intentional violation, and $250,000 per violation that is knowing or intentional and made for financial gain. The law provides a safe harbor that caps total penalties at $250,000 if the disclosure was made to another covered entity, the PHI was encrypted, the recipient did not use or further release the PHI, and the disclosing covered entity had developed and implemented security policies, including employee training. The cap is more valuable than it may first appear, because where violations form a pattern or practice the maximum annual penalty rises to $1.5 million. Further, a healthcare provider's professional or institutional license may be revoked for repeated violations, and the covered entity may be excluded from state-funded healthcare programs such as Medicaid and the Children's Health Insurance Program. The following factors are considered when assessing penalties: (1) the seriousness of the violation, (2) the covered entity's compliance history, (3) whether there was a significant risk of harm to the individuals, (4) whether the covered entity holds state certification, (5) the amount necessary to deter further violations, and (6) the entity's efforts to correct the problem. The law also raises the penalty for failing to properly notify affected individuals of unauthorized access to their personal information to $100 per affected individual for each consecutive day of non-notification, not to exceed $250,000, and makes the electronic theft of PHI a felony.
Additional Texas Infrastructure
The Texas law puts in place a regulatory framework under which the Texas Health and Human Services Commission, the Texas Health Care Authority, the Texas Department of Insurance and the Texas Attorney General's office have audit authority to ensure privacy compliance. The Attorney General is charged with setting up a complaint system and a privacy information website, as several other states have already done. The Texas Health Care Authority is charged with developing standards for the electronic sharing of PHI, consistent with HIPAA/HITECH, to govern the secure maintenance and disclosure of records. The legislation also establishes a process by which covered entities can be certified by the state as compliant with HIPAA and with the new state privacy and security standards.
Differences With Federal Law
Much of the Texas law tracks the HIPAA/HITECH requirements verbatim. In some instances, however, it goes further and is stricter than HIPAA/HITECH in both scope and enforcement. Read together with existing Texas breach notification law, the Texas scheme omits the HIPAA/HITECH risk of harm analysis from the breach determination: notification is required "as quickly as possible" when electronic data is breached, regardless of the potential for harm. The breach notification requirements under Texas law also apply to any business in Texas that wrongfully discloses PHI, not just to HIPAA covered entities and business associates. Further, the employee training requirements expand on HIPAA, which does not require ongoing training but only training within a reasonable time after hire and whenever a material change in privacy policies and procedures is made. The Texas requirement that training be tailored to the employee's role in the organization is likewise more burdensome than the HIPAA requirement.
Overall, the new Texas healthcare privacy law adopts the standards enacted under HIPAA/HITECH and expands them in key areas. It mandates stricter training requirements for covered entities, enacts harsher penalties for the wrongful disclosure of PHI and creates additional state infrastructure to address and enforce healthcare privacy law in Texas. Covered entities in Texas, and those doing business with Texas residents, face stricter privacy and data breach requirements, with state and federal regulatory agencies working in concert.