Texas House Bill 300, also known as Texas HB300, went into effect on September 1, 2012. This bill significantly expands patient privacy protections for Texas-covered entities beyond those federal requirements known as “HIPAA” and “HITECH.”
How Does Texas HB300 Expand Federal HIPAA Guidelines?
Texas House Bill 300 requirements expanded federal HIPAA requirements by:
- revising the definition of a “covered entity;”
- increasing mandates on covered entities, including requiring customized employee training;
- establishing standards for the use of electronic health records (“EHRs”);
- granting enforcement authority to several state agencies; and
- increasing civil and criminal penalties for the wrongful electronic disclosure of PHI.
Expanded Definition of a Covered Entity
HB300 expanded the definition of covered entities (healthcare providers, health plans, and healthcare clearing houses) to include ANY person who assembles, collects, analyzes, uses, evaluates, stores, or transmits protected health information (PHI) in any form.
A business operating in Texas that is considered a “business associate” under federal HIPAA guidelines is classified in Texas as a “covered entity.” For example, if you are a law firm and you handle PHI, you are now considered a covered entity in Texas and are subject to the Texas HIPAA laws requirements.
The Mandate for Customized Employee Training
Texas HB300 requires customized training. It must cover federal and state regulatory requirements as well as include the covered entity’s course of business. It must also cover employees’ scope of employment as it relates to PHI use and disclosure.
Employees of covered entities must complete training within 90 days after their hire date and ongoing training every year or at least twice every 2 years. Additionally, refresher training needs to be given within a year of material change.
Each employee who attends a training program must sign, electronically or in writing, a statement verifying their attendance at the training program. The business shall maintain the signed training logs in case of audit or compliance investigation for six years.
What Does Texas HB300 Require for Handling Medical Records?
A covered entity is prohibited from using PHI for any reason other than the provision of treatment, payment for healthcare, or insurance purposes unless, prior to the disclosure of PHI, the covered entity has obtained written authorization from an individual to disclose their PHI.
Texas-covered entities must provide patients with their EHRs in electronic format within 15 business days after receipt of a written request.
The scope of notification of a breach has also expanded under HB300. Any business that operates in Texas and handles PHI must provide notification of information breaches to all patients regardless of residency.
Texas HB300 Penalties
Texas H.B. 300 increases civil penalties for individuals and/or organizations that wrongfully disclose a patient’s PHI. Texas civil penalties range from $5000 to $1.5 million for covered entities that wrongfully disclose PHI.
5,000 per violation if the breach was committed negligently.
$25,000 per violation if the breach was committed knowingly or intentionally.
$250,000 per violation if the breach was committed intentionally and PHI is being distributed for financial gain.
$1.5 million if the breach is part of a “pattern of practice”
VanRein Compliance offers a full library of on-demand training to meet your organization’s compliance training needs including HB300. Need custom training? Book a 15-minute call today and let’s chat about your organization’s training needs.