Texas HB 300 Requirements
Covered Entities (CE)
Texas House Bill 300 (HB 300) expands the definition of "covered entities" beyond the federal HIPAA scope to include any individual or organization that:

- Engages in the practice of assembling, collecting, analyzing, storing or transmitting PHI;
- Comes into the possession of PHI;
- Obtains or stores PHI; or
- Is an employee, agent, or contractor of a person described in one of the three categories above, to the extent that the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits PHI.
This includes entities such as schools, researchers, internet service providers, and even legal and accounting firms.
Who is exempt? The following are exempt from complying with Texas HB 300:
- Workers' compensation insurance and related entities involved in administering or supporting self-insured workers' compensation benefits.
- Employee benefit plans and associated entities or individuals acting within the scope of the plan.
- Education records covered by the Family Educational Rights and Privacy Act (FERPA).
- Certain information related to offenders with mental impairments.
- Nonprofit agencies that fund health care or prescriptions for indigent individuals, provided their primary business is not health care provision or reimbursement.
- Financial institutions processing specific payment transactions.
- Entities involved in administering or supporting compensation for crime victims.
Employee Training Requirements
All employees who handle PHI must complete training on the state and federal laws governing PHI within 90 days of hire. The training must be tailored to the employee's role and responsibilities, and employees must be retrained whenever a material change in state or federal law affecting PHI takes effect. Each employee who completes the training must sign a verification statement, electronically or in writing, and the entity must retain that statement for six years from the date it was signed.
Patient Rights and Access to Electronic Health Records (EHRs)
Under HB 300, a patient who submits a written request for their electronic health record must receive it within 15 business days. This is shorter than the federal HIPAA deadline of 30 days.
Authorization for Electronic Disclosure
CEs must obtain a patient's authorization before electronically disclosing PHI, except for disclosures made for treatment, payment, health care operations, or certain insurance functions. The authorization may be written, electronic, or oral; an oral authorization must be documented in writing by the CE.
Breach Notification Requirements
Breach notification for Texas residents is governed by the Texas Identity Theft Enforcement and Protection Act (Business and Commerce Code Chapter 521), which HB 300 amended and which Texas HB 3746 later updated. In the event of a data breach involving PHI, affected individuals and, when the breach involves at least 250 Texas residents, the Texas Attorney General must be notified without unreasonable delay and no later than 60 days after the breach is discovered. The notice to the Attorney General must include the following breach details:
- A detailed description of the breach, including its nature and circumstances.
- The number of Texas residents affected at the time of notification.
- The number of affected residents notified by mail or other direct communication.
- Actions taken in response to the breach.
- Planned measures to address the breach after notification.
- Whether law enforcement is investigating the breach.
Penalties for Non-Compliance
The attorney general may seek civil penalties against a covered entity of up to:
- $5,000 for each negligent violation in a year.
- $25,000 for each knowing or intentional violation in a year.
- $250,000 for each violation in which the entity knowingly or intentionally used protected health information (PHI) for financial gain.
For violations of the electronic-disclosure rule, total civil penalties cannot exceed $250,000 per year if the court finds that the disclosure was made only to another covered entity and only for treatment, payment, or health care operations, and that all of the following hold:
- The PHI was encrypted or transmitted using encryption designed to prevent its use by an unauthorized person.
- The recipient did not use or release the PHI.
- At the time of the disclosure, the entity had developed, implemented, and maintained security policies, including training of the employees responsible for PHI security.
If the court finds that violations occurred with a frequency that constitutes a pattern or practice, the penalty may reach $1.5 million per year.
When deciding the penalty amount, the court will consider:
- The seriousness of the violation.
- The entity's compliance history.
- The risk of financial, reputational, or other harm to affected individuals.
- Whether the entity was certified under the Texas Health and Safety Code, Section 182.108 at the time of the violation.
- The need to deter future violations.
- The entity’s efforts to correct the violation.
The attorney general can only pursue civil penalties against a licensed entity if referred by its licensing agency.