Texas HB 300 expands individual privacy protections beyond HIPAA by requiring non-excluded covered entities to obtain an authorization for a number of disclosures of electric Protected Health Information that would be permitted by the HIPAA Privacy Rule.
In 2001, Section 181 of the Texas Health and Safety Code was established by the passage of the Texas Medical Records Privacy Act. The Act protects the privacy of individually identifiable health information by imposing privacy standards on any person or organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI relating to a citizen of Texas.
The Act preempts the HIPAA Privacy Rule inasmuch as it extends the scope of protection beyond HIPAA covered entities and business associates; and, because it applies to PHI relating to a citizen of Texas, it does not matter whether the person or entity covered by the Texas Medical Records Privacy Act is located in the state of Texas or not.
Why Was Texas HB 300 Introduced
Texas HB 300 was introduced in 2011 in response to the passage of the HITECH Act in 2009. Due to HITECH incentivizing the adoption of EHRs via the Meaningful Use program, it was felt that Texas residents needed to be made aware their PHI could be disclosed electronically and – because of the wide range of entities covered by the Act – limits needed to be applied on permissible disclosures.
Therefore, Texas HB 300 requires covered entities not excluded by §181.154(e) to provide individuals with a notice explaining their PHI could be disclosed electronically; and, if the purpose of a disclose is not expressly permitted by Section 181 of the Health and Safety Code, covered entities have to obtain a signed authorization from the patient or the patient’s representative.
Other changes to the Health and Safety Code introduced by Texas HB 300 included tighter restrictions on marketing and the sale of PHI than is allowed by HIPAA, a reduction in the length of time covered entities have to respond to a patient access request, the requirement to obtain an authorization before deidentified PHI is reidentified, and tougher penalties for HB 300 violations.
Changes to the Breach Notification Rule
Texas HB 300 also amended the Texas Business and Commerce Code inasmuch as individuals and entities covered by the Health and Safety Code are required to notify individuals and the State Attorney General of any breach of sensitive information – unlike the HIPAA Breach Notification Rule which limits notifications to those relating to unsecured PHI.
According to the definitions section of the Business and Commerce Code, “sensitive information” includes information that may not relate to an individual’s health condition, treatment for the health condition, or payment for the treatment. For example, if a breach consists of just names and driver’s license numbers, this constitutes a notifiable breach under the Texas Breach Notification Rule.
The Rule applies to HIPAA Covered Entities outside of Texas if they have experience a breach of sensitive information relating to a citizen of Texas, and the penalties for failing to comply with this Rule can be expensive – up to $100 per day per notifiable individual capped at $250,000 per breach in addition to any fines imposed for violations of HB 300 and – if applicable – HIPAA.
Conclusion: Is Your Organization Covered by HB 300?
If your organization assembles, collects, analyzes, uses, evaluates, stores, or transmits any sensitive information relating to a citizen of Texas, it is important to comply with the Texas Medical Records Privacy Act as amended by HB 300 and the Texas Breach Notification Rule. If you are unsure about how to comply with these Acts of legislation – or with any aspect of HIPAA compliance – you should seek professional compliance advice.