What is Texas HB 300?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that defines minimum privacy and security standards for healthcare organizations. PHI stands for Protected Health Information. The HIPAA Privacy Rule provides federal protections for PHI held by covered entities and gives patients a number of rights with respect to that information.
HIPAA naturally covers healthcare organizations based in Texas, but they must also comply with state laws. Texas has some of the most stringent health data laws in the United States, and they are detailed in Texas HB 300 (Texas House Bill 300).
Few things are as personal, private or important as medical records. Texas lawmakers were serious about protecting sensitive information when they passed TX H.B. 300 in 2011. Lawmakers were concerned that the federal HIPAA did not go far enough to safeguard PHI in Texas. TX H.B. 300 went into effect on September 1, 2012.
Texas H.B. 300 goes above and beyond federal HIPAA regulations to keep PHI secure. This law serves to increase the number of covered entities that are required to be HIPAA compliant, expand compliance guidelines, and enhance enforcement for Texas entities that are non-compliant. As the saying goes, everything is bigger in Texas. If a Texas organization is found to be non-compliant with HIPAA guidelines it could also be fined for TX H.B. 300 violations.
Texas HB 300 amended four laws in Texas: the Texas Health Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602). It introduced tougher privacy protections for healthcare data than federal HIPAA law.
Texas HB300 Introduces Stricter Privacy and Security Protections than HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) already requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of PHI and protect the privacy of patients and health plan members.
Texas HB 300 takes those requirements a step further, introducing even stricter requirements for covered entities, which, under the new law, also include individuals and organizations not covered by the HIPAA Rules. In particular, Texas HB 300:
- Revised and expanded the definition of a covered entity.
- Increased mandates for HIPAA compliance training.
- Expanded the fines and penalties for both civil and criminal violations.
Who is Required to Comply with Texas HB 300?
Compliance with Texas HB 300 is mandatory for all covered entities that are based in Texas or do business with Texas residents. Covered entities under Texas HB 300 differ from covered entities as defined in HIPAA.
Texas HB 300 expanded the HIPAA definition of covered entity (healthcare providers, health plans, and healthcare clearinghouses) to include any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits protected health information in any form.
Under the federal HIPAA law, “covered entities” (i.e. entities that must strictly follow HIPAA) are defined as health care providers, health care plans or medical clearinghouses. Texas H.B. 300 revised and expanded the definition of a covered entity. A covered entity is any Texas individual, business or organization that:
- Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting PHI.
- Comes in possession of PHI.
- Obtains or stores PHI.
- Is an employee, agent or contractor of a person or entity described above, if they create, receive, obtain, maintain, use or transmit PHI.
Texas HB 300 therefore applies to all healthcare organizations, including those that are not covered by HIPAA, and also to lawyers, schools, universities, researchers, accountants, Internet service providers, IT service providers, government agencies, and individuals who maintain a website that collects, stores, or interacts with PHI. Even if an entity operates outside the state of Texas, if it handles patient records or healthcare data for residents of Texas, that entity is required by law to have Texas H.B. 300 training.
Covered Entities under TX H.B. 300
Texas H.B. 300 also strengthened federal HIPAA law by adding a requirement for HIPAA training and shortening time limits for responding to patient requests for medical records.
The Texas law states that covered entities must offer employees mandatory, customized training regarding both federal and state laws related to the privacy and security of PHI. The training must be customized to the employee’s specific responsibilities and must be completed within 90 days of the hire date. The covered entity is also required to keep records of signed statements from employees who attended privacy and security training.
HIPAA requires that employees who handle PHI be trained within a reasonable period of time after being hired and be updated on any new information that pertains to HIPAA compliance. Many Texas covered entities train their employees on the federal HIPAA Privacy and Security Rules but pay no attention to the Texas H.B. 300 requirements.
Texas covered entities that are non-compliant with federal HIPAA regulations as well as Texas H.B. 300 requirements will have to pay both federal fines and state fines.
Texas H.B. 300 also requires that Texas covered entities provide patients with their health records (HRs) in an electronic format no later than 15 business days after receiving a written request from the patient. HIPAA federal law requires that records be provided within 30 days of the request.
Employees who handle PHI in Texas must be trained on the federal HIPAA privacy and security rules as well as TX H.B. 300 requirements. TX H.B. 300 training is to be completed within 90 days of being hired.
Texas HB 300 Exemptions
The only entities not required to comply with Texas HB 300 are:
• Not-for-profit agencies that pay for healthcare services or prescription drugs for indigent persons if the primary business of the agency is not the provision of healthcare services or reimbursement for healthcare services.
• Workers’ compensation insurance and any entity or individual who acts in connection with the provision, support, administration, or coordination of benefits under a self-insured workers’ compensation program.
• Employee benefit plans and entities or individuals that act in connection with those plans.
• Entities or individuals that provide, administer, support, or coordinate benefits associated with compensation for victims of crime.
• Processing of certain payment transactions by financial institutions and education records covered by the Family Educational Rights and Privacy Act of 1974.
Texas HB 300 and Electronic Health Records
Texas HB 300 introduced new standards for handling electronic health records. A covered entity is prohibited from using PHI for any reason other than the provision of treatment, payment for healthcare, or insurance purposes unless, prior to the disclosure of PHI, the covered entity has obtained written authorization from an individual to disclose their PHI.
HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request, and those requests must be honored within 30 days of the request being submitted. Texas HB 300 requires covered entities to provide copies of PHI much more rapidly: within 15 days of a written request being received.
Texas HB 300 Training for Employees Who Handle PHI
All employees who are required to handle PHI or sensitive personal information (SPI), or are likely to encounter PHI, are required to undergo formal Texas HB 300 training within 60 days of commencing employment. In contrast to HIPAA, which does not stipulate how often additional training must be provided, Texas HB 300 requires additional privacy training to be provided at least every two years. Training sessions need to be tailored to the role and responsibilities of the employee. All training must be documented and employees are required to sign to confirm that they have received the training.
Changes to the Definition of a Covered Entity
The definition of ‘covered entity’ under Texas HB300 differs from the definition of a covered entity under HIPAA. In Texas, a covered entity is considered to be any individual or organization that assembles, collects, analyzes, stores, or transmits the PHI of state residents. That includes any individual or entity that comes into possession of PHI, which includes agents, employees, contractors, and subcontractors that are required to create, receive, obtain, maintain, use, or transmit PHI.
Under HIPAA, schools and other educational institutions, accountancy firms, lawyers, ISPs, and researchers are not considered covered entities, but are required to comply with Texas HB300.
Patient Access to EHRs
HIPAA gives patients the right to obtain copies of their PHI held by HIPAA-covered entities, which must be provided no later than 30 days from the date of the request. Texas HB300 requires access to EHRs to be provided in half the time, with a maximum timeframe for honoring the request of 15 days from the receipt of a written request.
When a covered entity lacks the capability to provide copies of EHRs in electronic format, an alternative format can be used, or paper copies can be provided if the patient agrees in advance.
Enforcement of Compliance with Texas HB300 and HIPAA
The Texas attorney general is authorized to impose civil monetary penalties against any individual or entity for non-compliance with any aspect of the legislation. Further, if continued noncompliance is discovered, the state attorney general can have a state license revoked.
What are the Texas HB 300 Penalties for Noncompliance?
Organizations that violate federal HIPAA guidelines could be penalized with hefty fines. Texas H.B. 300 increases civil penalties for individuals and/or organizations that wrongfully disclose a patient’s PHI. To avoid penalties and fines, Texas H.B. 300 compliance is extremely important.
Texas civil penalties range from $5,000 to $1.5 million for covered entities that wrongfully disclose PHI. Federal HIPAA Privacy and Security fines range from $100 to $1.5 million annually. A data breach may also be classified as a felony.
Texas H.B. 300 fines can be imposed in addition to any federal fines cited by Health and Human Services. Negligence, intent, and whether violations occur frequently enough to constitute a pattern are all considered when assessing penalties.
The Texas Attorney General’s Office enforces Texas H.B. 300. The Attorney General is required to maintain a website with information on consumer privacy rights, which state agencies regulate covered entities, each agency’s complaint enforcement process, and each agency’s contact information.
The penalties for noncompliance with Texas HB 300 are severe. The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation. State licenses can also be revoked in cases where an entity or individual has demonstrated continued noncompliance.
As with HIPAA, the penalties for noncompliance with Texas HB 300 are broken down into tiers:
Tier 1: Up to $5,000 per violation, per year, for violations due to negligence
Tier 2: Up to $25,000 per violation, per year, for a knowing or intentional violation
Tier 3: Up to $250,000 per violation, per year, for an intentional violation for financial gain
The maximum financial penalty is $1.5 million per year in cases where there has been a pattern of noncompliance.
The level of the financial penalty is dictated by the severity of the violation, whether there has been a history of noncompliance, the measures taken to correct the violation, and whether harm has been caused as a result of the violation.
Conclusion: Easy, Fast, Effective Training
Maintaining HIPAA compliance as well as Texas H.B. 300 regulations can be challenging and confusing, but Compliance Learning Solutions can help. Compliance Learning Solutions offers three online compliance courses designed by HIPAA experts.
We know busy professionals want easy, fast, effective compliance training, so our courses can be accessed at any time and users can stop and start at their leisure. We also offer 2.0 continuing education hours approved by The Texas Nurses Association with the Advanced HIPAA Course. Certificates of Completion can be printed or emailed after successful completion of the course.
Because we want our customers to get fast, easy and effective compliance training, we offer a group management system that allows managers to easily view and monitor employee progress.