What is Texas H.B. 300?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that defines minimum privacy and security standards. This law applies to healthcare organizations. PHI stands for Protected Health Information. The HIPAA Privacy Rule provides federal protections for PHI held by covered entities.
It also gives patients a number of rights regarding their information.
HIPAA naturally covers healthcare organizations based in Texas, but they also must comply with state laws. Texas has some of the most stringent laws in the United States as far as health. The Texas H.B. 300 (Texas House Bill 300) includes these laws.
Fewer things are as personal, private, or important as medical records. Texas lawmakers were serious about protecting sensitive information when they passed TX H.B. 300 in 2011.
Lawmakers were concerned that the federal HIPAA did not go far enough to safeguard PHI in Texas. TX H.B. 300 went into effect September 1, 2012.
Texas H.B. 300 Strict Regulations
Texas H.B. 300 goes beyond federal HIPAA regulations to keep PHI secure.
This law serves to accomplish the following:
What if NOT Compliant?
If a Texas organization is non-compliant with HIPAA guidelines, it could also be fined for TX H.B. 300 violations.
Texas H.B. 300 Amended Laws
Texas H.B. 300 Introduces Stricter Privacy & Security Protections than HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of PHI and protect the privacy of patients and health plan members.
Texas H.B. 300 takes requirements a step further by introducing stricter requirements for covered entities.
These new laws also includes:
Compliance with Texas H.B. 300
Compliance with Texas H.B. 300 is mandatory for all covered entities that are based in Texas or do business with Texas residents. Covered entities under Texas HB 300 differ from covered entities as defined in HIPAA.
Texas H.B. 300 expanded the HIPAA definition of covered entity (healthcare providers, health plans, and healthcare clearing houses) to include any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits protected health information in any form.
Under the federal HIPAA law, “covered entities” are defined as health care providers, plans, or clearinghouses. Texas H. B. 300 revised and expanded the definition of a covered entity.
A covered entity is any Texas individual, business or organization that:
Texas H.B. 300 Application
Texas HB 300 applies to all healthcare organizations, including:
Covered Entities under TX H.B. 300
Texas H.B. 300 also strengthened federal HIPAA law by adding a requirement for HIPAA training and shortening time limits for responding to patient requests for medical records.
The Texas state law states that covered entities must offer employees mandatory, customized training regarding both federal and state laws related to the privacy and security of PHI.
The covered entity is also required to keep records of signed statements of employees that attended privacy and security training.
HIPAA requires that employees that handle PHI be trained within a reasonable period of time after hired and to be updated on any new information that pertains to HIPAA compliance.
Many Texas covered entities are training their employees with Federal HIPAA privacy and security rules, but are not paying attention to Texas H.B. requirements.
Texas covered entities that are non-compliant with Federal HIPAA regulations as well as Texas H.B. 300 requirements will have to pay federal fines and state fines.
Texas H.B. 300 also requires that Texas covered entities provide patients with their health records (HRs) in an electronic format no later than 15 business days after receiving a written request from the patient.
HIPAA federal law requires that records be provided within 30 days of the request.
Texas H.B. 300 Exemptions
The only entities not required to comply with Texas H.B. 300 are:
Texas H.B. 300 & EHRs
Texas H.B. 300 introduced new standards for handling electronic health records.
A covered entity is prohibited from using PHI for any reason other than the provision of treatment, payment for healthcare, or insurance purposes unless, prior to the disclosure of PHI, the covered entity has obtained written authorization from an individual to disclose their PHI.
HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request and those requests must be honored within 30 days of the request being submitted.
Texas H.B. 300 requires covered entities to provide copies of PHI much more rapidly – Within 15 days of a written request being received.
Texas H.B. 300 Training for PHI
All employees who are required to handle PHI or sensitive personal information (SPI), or are likely to encounter PHI, are required to undergo formal Texas H.B. 300 training within 60 days of commencing employment.
In contrast to HIPAA, which does not stipulate how often additional training must be provided, Texas H.B. 300 requires additional privacy training to be provided at least every two years.
Training sessions need to be tailored to the role and responsibilities of the employee. All training must be documented and employees are required to sign to confirm that they have received the training.
Changes to “Covered Entity”
The definition of ‘covered entity’ under Texas H.B. 300 differs from the definition of a covered entity under HIPAA.
In Texas, a covered entity is considered to be any individual or organization that assembles, collects, analyzes, stores, or transmits the PHI of state residents.
That includes any individual or entity that comes into possession of PHI, which includes agents, employees, contractors, and subcontractors that are required to create, receive, obtain, maintain, use, or transmit PHI.
Under HIPAA, schools and other educational institutions, accountancy firms, lawyers, ISPs, and researchers are not covered entities, but MUST comply with Texas H.B. 300.
Patient Access to EHRs
HIPAA gives patients the right to obtain copies of their PHI held by HIPAA-covered entities, which must be provided no later than 30 days from the date of the request.
Texas H.B. 300 requires access to EHRs to be provided in half the time, with a maximum timeframe for honoring the request of 15 days from the receipt of a written request.
When a covered entity lacks the capability to provide copies of EHRs in electronic format, the following may result:
Enforcement of Compliance with Texas H.B. 300 & HIPAA
The Texas attorney general maintains authorization to impose civil monetary penalties against an individual or entity for non-compliance.
If non-compliance continues, the state attorney general may consider state license revocation.
Texas H.B. 300 Penalties (Non-Compliance)
Hefty fines may result for organizations that violate federal HIPAA guidelines. Texas H.B. 300 increases civil penalties for individuals and/or organizations that wrongfully disclose a patient’s PHI.
Texas civil penalties range from $5000 to $1.5 million for covered entities that wrongfully disclose PHI. Federal HIPAA Privacy and Security fines range from $100 to $1.5 million annually.
A data breach may also be classified as a felony.
Texas H.B. 300 can impose these fines in addition to any federal fines cited by Health and Human Services. Negligence, intent, and evidence of frequency to constitute a pattern are all considered when assessing penalties.
The Texas state Attorney General’s Office enforces Texas H.B. 300.
The Attorney General maintains a website, including:
The penalties for noncompliance with Texas H.B. 300 are severe.
The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation.
Non-compliance on behalf of an entity or individual may result in revocation of a state license.
As with HIPAA, penalties for noncompliance with Texas H.B. 300 visible in tiers:
In other words, the maximum financial penalty is $1.5 million per year in cases where there has been a pattern of non-compliance.
The following determines the amount of financial penalties:
Fast, Effective TX H.B. 300 Training
Maintaining HIPAA compliance and Texas H.B. 300 regulations can be challenging, but Compliance Learning Solutions can help. Compliance Learning Solutions offers three online compliance courses designed by HIPAA experts.
We know busy professionals want easy, fast, and effective compliance training. Therefore, our courses are accessible at any time and users can stop and start at their leisure.
Because…we want our customers to get fast, easy, and effective compliance training we offer a group management system. This system allows managers to easily view and monitor employee progress.