Texas Expands the Privacy Rights of Patients Beyond HIPAA and HITECH

The State Sets Mandatory Deadlines for Training, and Requires Breach Notification for all Healthcare Providers Doing Business in Texas.

Texas, already known  for its strict privacy laws, recently enacted legislation which surprisingly expands privacy rights beyond those proscribed in HIPAA and HITECH.  This new law, HB300, will become effective on September 1, 2012.  It  will increase the scope of training required  by covered entities, require that providers give patients an electronic copy of their EHR, increase penalties for disclosure of PHI, and require any entity doing business in Texas to notify patients in the case of a breach. 

First, the new Texas law mandates that covered entities  provide training regarding the protection of PHI within 60 days of hire, and that they   train  current employees at least once every two years.  While HIPAA requires that CEs provide training, it does not mandate specific time periods, and does not require recurrent training for current employees. 

Additionally, a health care provider must provide an electronic copy of a patient’s Electronic Health Record.  To effectuate this provision, the state will create a commission to develop a standard electronic format for the release of such records.  On a related note, the Texas Attorney General is to create a website containing information about privacy rights under federal and state law.  Additionally the AG must provide reports to the Texas legislature regarding patient privacy complaints. 

Importantly, HB300 creates state-imposed civil penalties for privacy violations.  The act imposes a $5,000 fine for negligent violations, $25,000 fine for knowing and intentional violations, and  $250,000 fine for intentionally using PHI for financial gain.  If a court finds that violations occur frequently so as to constitute a pattern or practice, it may impose a civil penalty of up to $1.5 million annually.  In determining a fine, the court will consider any number of factors including the seriousness of the violation, compliance history, and efforts to correct the violation.  Finally, the AG may request  an audit to determine compliance, and may require that the provider perform a risk analysis.

Critically, any organization conducting business in Texas that handles PHI must notify Texas residents of a breach of PHI.  Failure to make such a notification can subject the entity to a daily fine of up to $100 for each individual to whom notification should be made with a maximum of $250,000 for each breach.

Texas HB300 places new requirements on entities that do business in Texas beyond those required by HITECH.  While similar in some respects to HITECH, the Texas statute requires that providers create and document recurrent training programs for employees.  Accordingly, any provider doing business in Texas is well advised to review its policies to make sure they comply with the new law.