What is Texas HB 300?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that defines minimum privacy and security standards for Protected Health Information (PHI). It applies to healthcare organizations that qualify as covered entities, and to their business associates. The HIPAA Privacy Rule provides federal protections for PHI held by covered entities and gives patients a number of rights regarding their information.
HIPAA naturally covers healthcare organizations based in Texas, but those organizations must also comply with state law. Texas has some of the most stringent health information privacy laws in the United States, and Texas HB 300 (Texas House Bill 300) is the law that established them.
Few things are as personal, private, or important as medical records. Texas lawmakers were serious about protecting that information when they passed TX HB 300 in 2011, because they were concerned that federal HIPAA did not go far enough to safeguard the PHI of Texas residents. TX H.B. 300 took effect on September 1, 2012.
Texas H.B. 300 goes above and beyond federal HIPAA regulations to keep PHI secure. This law serves to accomplish the following:
- Increase the number of covered entities required to be HIPAA compliant
- Expand compliance guidelines
- Enhance enforcement for non-compliant Texas entities
As the saying goes, ‘Everything is bigger in Texas.’
If a Texas organization is non-compliant with HIPAA guidelines, it could also be fined for TX H.B. 300 violations.
Texas HB 300 amended four Texas codes:
- Texas Health and Safety Code (Chapters 181 and 182)
- Texas Business and Commerce Code (Chapters 521 and 522)
- Texas Government Code (Chapter 531)
- Texas Insurance Code (Chapter 602)
In doing so, it introduced tougher privacy protections for healthcare data than federal HIPAA provides.
Texas HB 300 Introduces Stricter Privacy and Security Protections than HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of PHI and protect the privacy of patients and health plan members.
Texas HB 300 takes those requirements a step further by introducing stricter requirements for covered entities. The new law also:
- Reaches individuals and organizations that are not covered by the HIPAA Rules
- Revises and expands the definition of a covered entity
- Adds mandatory, role-specific privacy and security training
- Expands the fines and penalties for both civil and criminal violations
Who MUST Comply with Texas HB 300?
Compliance with Texas HB 300 is mandatory for all covered entities that are based in Texas or do business with Texas residents. Covered entities under Texas HB 300 differ from covered entities as defined in HIPAA.
Under federal HIPAA, "covered entities" are health care providers, health plans, and healthcare clearinghouses. Texas H.B. 300 revised and expanded that definition to include any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits PHI in any form. Under Texas law, a covered entity is any individual, business, or organization that:
- Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI;
- Comes into possession of PHI;
- Obtains or stores PHI; or
- Is an employee, agent, or contractor of a person or entity described above, if they create, receive, obtain, maintain, use, or transmit PHI.
Texas HB 300 therefore reaches well beyond traditional healthcare providers, and applies to organizations such as:
- Healthcare organizations that are not covered by HIPAA
- Lawyers, Schools, Universities, and Researchers
- Accountants, Internet Service Providers
- IT Service Providers
- Government Agencies
- Individuals who maintain a website that collects, stores, or interacts with PHI
Even an entity located outside Texas that handles patient records or healthcare data for Texas residents must comply with Texas H.B. 300, including its training requirement.
Obligations of Covered Entities under TX HB 300
Texas HB 300 also strengthened federal HIPAA law by adding a requirement for HIPAA training and shortening time limits for responding to patient requests for medical records.
Texas law requires covered entities to provide employees with mandatory training on both the federal and state laws governing the privacy and security of PHI, tailored to each employee's specific responsibilities. New employees must complete the training within 90 days of their hire date, and the covered entity must keep a signed statement from each employee verifying that they attended the privacy and security training.
HIPAA requires that employees who handle PHI be trained within a reasonable period after hire and be updated whenever changes affect HIPAA compliance. Many Texas covered entities train their employees on the federal HIPAA Privacy and Security Rules but overlook the additional Texas H.B. 300 requirements.
A Texas covered entity that is non-compliant with both federal HIPAA regulations and Texas HB 300 is exposed to federal fines and state fines.
Texas HB 300 also requires Texas covered entities that maintain electronic health records (EHRs) to provide patients with an electronic copy of their records no later than 15 business days after receiving a written request. Federal HIPAA allows 30 days from the date of the request.
Employees who handle PHI in Texas must be trained on the federal HIPAA Privacy and Security Rules as well as the TX H.B. 300 requirements, and must complete the TX H.B. 300 training within 90 days of being hired.
Texas HB 300 Exemptions
The only entities not required to comply with Texas HB 300 are:
- Not-for-profit agencies that pay for healthcare services or prescription drugs for indigent persons if the primary business of the agency is not the provision of healthcare services or reimbursement for healthcare services.
- Workers’ compensation insurance and any entity or individual who acts in connection with the provision, support, administration, or coordination of benefits under a self-insured workers’ compensation program.
- Employee benefit plans and entities or individuals that act in connection with those plans.
- Entities or individuals that provide, administer, support, or coordinate benefits associated with compensation for victims of crime.
- Certain payment transactions processed by financial institutions, and education records covered by the Family Educational Rights and Privacy Act of 1974 (FERPA).
Texas HB 300 and Electronic Health Records
Texas HB 300 introduced new standards for handling electronic health records. A covered entity may not electronically disclose an individual's PHI for any purpose other than treatment, payment, health care operations, or insurance purposes (or as otherwise authorized by law) unless, before the disclosure, it has obtained a separate written authorization from the individual.
HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request, and those requests must be honored within 30 days of the request being submitted. Texas HB 300 requires copies of electronic records to be provided much more rapidly: within 15 business days of a written request being received.
Texas HB 300 Training for Employees Who Handle PHI
All employees who are required to handle PHI or sensitive personal information (SPI), or are likely to encounter PHI, must undergo formal Texas HB 300 training within 90 days of commencing employment (HB 300 as originally enacted allowed 60 days; a 2013 amendment extended the deadline to 90 days). In contrast to HIPAA, which does not stipulate how often refresher training must be provided, Texas HB 300 requires privacy training to be repeated at least every two years. Training must be tailored to the role and responsibilities of the employee, all training must be documented, and employees must sign a statement confirming that they received it.
Changes to the Definition of a Covered Entity
The definition of ‘covered entity’ under Texas HB 300 differs from the definition of a covered entity under HIPAA. In Texas, a covered entity is considered to be any individual or organization that assembles, collects, analyzes, stores, or transmits the PHI of state residents. That includes any individual or entity that comes into possession of PHI, which includes agents, employees, contractors, and subcontractors that are required to create, receive, obtain, maintain, use, or transmit PHI.
Under HIPAA, schools and other educational institutions, accountancy firms, lawyers, ISPs, and researchers are not covered entities, but if they handle the PHI of Texas residents they MUST comply with Texas HB300.
Patient Access to EHRs
HIPAA gives patients the right to obtain copies of their PHI held by HIPAA-covered entities, which must be provided no later than 30 days from the date of the request. Texas HB300 requires access to EHRs to be provided in roughly half that time, with a maximum of 15 business days from receipt of a written request.
When a covered entity lacks the capability to provide copies of EHRs in electronic format, the request may instead be satisfied by:
- Providing the record in an alternative format
- Providing paper copies, with the patient's advance consent
Enforcement of Compliance with Texas HB 300 and HIPAA
The Texas attorney general is authorized to seek civil monetary penalties against an individual or entity for non-compliance. Where violations are egregious and form a pattern or practice, the state agency that licenses the violator may also revoke its license.
What are the Texas HB 300 Penalties for Noncompliance?
Hefty fines may result for organizations that violate federal HIPAA guidelines. Texas H.B. 300 increases civil penalties for individuals and/or organizations that wrongfully disclose a patient’s PHI. To avoid penalties and fines, Texas HB 300 compliance is extremely important.
Texas civil penalties for wrongful disclosure of PHI range from $5,000 per violation up to $1.5 million per year. Federal HIPAA Privacy and Security Rule fines range from $100 per violation up to an annual cap of $1.5 million for identical violations. A data breach may also carry criminal (felony) liability.
Texas HB 300 can impose these fines in addition to any federal fines cited by Health and Human Services. Negligence, intent, and evidence of frequency to constitute a pattern are all considered when assessing penalties.
The Texas state Attorney General’s Office enforces Texas H.B. 300. The Attorney General maintains a website, including:
- Information on consumer privacy rights
- Which state agencies regulate covered entities
- Information regarding each agency’s complaint enforcement process and their contact information
The penalties for noncompliance with Texas HB 300 are severe. The Texas attorney general can seek civil monetary penalties from entities and individuals that fail to comply with the legislation, and a licensed entity or individual whose violations are egregious and form a pattern or practice may have its state license revoked.
As with HIPAA, the penalties for noncompliance with Texas HB 300 are tiered:
- Tier 1: Up to $5,000 for each violation occurring in one year, for violations due to negligence
- Tier 2: Up to $25,000 for each violation occurring in one year, for a knowing or intentional violation
- Tier 3: Up to $250,000 for each violation occurring in one year, for an intentional violation for financial gain
The maximum financial penalty is $1.5 million per year in cases where there has been a pattern of noncompliance.
The amount of the financial penalty depends on:
- The severity of the violation
- Whether there is a history of noncompliance
- The measures taken to correct the violation
- If harm results due to a violation
Conclusion: Easy, Fast, Effective TX HB 300 Training
Maintaining compliance with both HIPAA and Texas HB 300 can be challenging, but Compliance Learning Solutions can help. Compliance Learning Solutions offers three online compliance courses designed by HIPAA experts.
We know busy professionals want easy, fast, and effective compliance training, so our courses are accessible at any time and users can stop and start at their convenience. The Advanced HIPAA Course also carries 2.0 continuing education hours approved by the Texas Nurses Association. Certificates of Completion can be printed or emailed after successful completion of a course.
To keep compliance training fast and easy for teams, we also offer a group management system that lets managers view and monitor employee progress.