by Peg D. Hall and Matt Nickel
Few things are as personal, private or important as one’s medical records. It is not surprising that there is extensive federal and state legislation protecting patient privacy. Nearly everyone is familiar with the federal Health Insurance Portability and Accountability Act (HIPAA). The federal Health Information Technology for Economic and Clinical Health Act (HITECH) is not as well known, yet works in conjunction with HIPAA to safeguard the privacy of health information.
Concerned that HIPAA and HITECH did not provide enough safeguards for protected health information (PHI), the Texas legislature passed H.B. 300 in 2011. This law, containing even more stringent regulation than the federal scheme, will go into effect on September 1, 2012. Because H.B. 300 has potential effects on any entity that comes into contact with PHI (including law firms), it is important that both attorneys and clients understand and prepare for its impact.
H.B. 300 requires that “covered entities” meet several new requirements regarding the privacy and security of PHI. The existing federal and Texas laws have different definitions of what constitutes a “covered entity.” Generally, HIPAA considers health care plans and health care providers to be “covered entities.” The Texas definition is more expansive, defining a “covered entity” as any individual, business or organization that:
1. engages in the practice of assembling, collecting, analyzing, storing or transmitting PHI;
2. comes into the possession of PHI;
3. obtains or stores PHI; or
4. is an employee, agent, or contractor of a person described in numbers 1-3 above (if they create, receive, obtain, maintain, use or transmit PHI). Tex. Health and Safety Code, §181.001(b)(2).
Thus, many businesses and individuals currently exempt from HIPAA may soon be subject to the requirements of H.B. 300. In Texas, it is likely that law firms, record storage and disposal companies, accounting firms, auditors, and others may be considered “covered entities.” Accordingly, every business and organization should analyze its contacts with PHI and understand its potential to be a “covered entity” under Texas law.
New Requirements and Potential Penalties
Individuals and entities determined to be “covered entities” under H.B. 300 will face several new requirements, including: new training for employees regarding PHI; additional patient rights related to electronic medical records; and the potential for increased penalties for noncompliance.
1. Employee Training
Under the new Texas law, “covered entities” must provide ongoing, customized training for their employees regarding both federal and state law related to the protection of PHI. The training should be tailored for the employee’s responsibilities and the entity’s contacts with PHI. Each new employee must complete the training within 60 days after his or her hire date, and the training must be repeated at least once every two years. Notably, under HIPAA, training is only required within a reasonable amount of time after hiring and when there are any material changes in privacy policies. Under both HIPAA and H.B. 300, “covered entities” must maintain records of every employee’s training attendance.
2. Patient Rights Regarding Electronic Medical Records
Beginning in September 2012, “covered entities” must provide patients with electronic copies of their electronic health records within 15 business days of the patient’s written request (under HIPAA, records must be provided within 30 days of a request). Additionally, the new Texas law requires the Texas Attorney General to establish a website that explains patients’ privacy rights under Texas and federal law. Also contained in H.B. 300 are provisions that prohibit the sale of PHI and require notice to patients regarding the electronic disclosure of PHI.
3. Increased Penalties
“Covered entities” that wrongfully disclose a patient’s PHI will face increased civil penalties under H.B. 300, in addition to any penalties for violating federal laws. The new Texas law allows for penalties ranging from $5,000 to $1.5 million per year. To determine the penalty amount, H.B. 300 lists five factors a court may consider: 1) the seriousness of the violation; 2) the entity’s compliance history; 3) the risks of harm to the patient; 4) the amount necessary to deter future violations; and 5) efforts made to correct the violation.
Preparing for H.B. 300
This article only provides a glimpse into a few of the requirements of the new Texas law. Any individual, business or organization that may be considered a “covered entity” should thoroughly analyze H.B. 300 to understand and prepare for the new requirements. These efforts should include updating any policies and procedures related to PHI and conducting employee training in advance of September 1, 2012.
Peg Donahue Hall is a partner in SNR Denton’s litigation group in Dallas. She can be reached at firstname.lastname@example.org. Matt Nickel is a senior managing associate in SNR Denton’s Dallas office and can be reached at email@example.com.