Introduced on September 1, 2012, Texas House Bill 300 seeks to enhance patient privacy for HIPAA-covered entities in Texas, to a greater extent than the federal rules contained in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The then Texas Governor, Rick Perry, signed it into law and, in doing so, amended four existing Texas laws:
- Texas Health Code (Chapters 181 and 182)
- Texas Government Code (Chapter 531)
- Texas Business and Commerce Code (Sections 521 and 522)
- Texas Insurance Code (Chapter 602)
Since these amendments were introduced, Texas has had what are regarded as the strictest regulations governing the management of healthcare information in the United States. This set of rules includes the requirement for a minimum level of training to be provided in order to achieve compliance and avoid penalties for breaches of the legislation.
HB 300 Training Requirements
HB 300 training has legal requirements that differ from those set down in HIPAA, including:
- Training must be provided no later than 60 days after an individual joins a company/organization.
- Refresher training should be provided once annually and must, as a legal minimum, be conducted every two years.
- Training must be designed with the exact duties of an individual, and the way that they manage protected health information, in mind.
- Training must be documented, as evidence of it must be provided in any future compliance investigation into a data breach.
While there is a legal requirement for anyone working at a HIPAA-covered entity or Business Associate to undergo HIPAA training and security awareness training, this is not the same as Texas HB 300 training. In order to be compliant with HB 300, and avoid any potential penalties, a training course specifically designed for HB 300 compliance must be provided to all employees.
What are the Chief Differences between HIPAA and Texas HB 300?
While HIPAA has always sought to ensure a basic level of rights for US citizens in relation to the confidentiality, integrity, and availability of protected health information (PHI), and to give them adequate authority over the management of their healthcare data, individual US states may pass their own legislative Acts if those Acts introduce a higher level of security in these areas.
This is what the legislature did in Texas when it passed HB 300. This Bill widened the range of groups included in the definition of covered entities while also adding extra privacy and security requirements to enhance the security of state residents’ personal privacy.
Here we detail some of the major areas where the Texas legislation adds greater security. As mentioned above, there are maximum time frames in place to complete the training of all staff who will be managing or processing the PHI/SPI of Texas residents.
Expanded definition of a Covered Entity (CE)
The legislation states that the definition of a CE includes any “BA, healthcare payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an internet site.”
This effectively means anyone who comes into possession of, or stores, PHI in any way, along with all staff members, agents, or contractors who meet the criteria in the above definition.
Formal Standards for Managing Electronic Health Records (EHRs)
If a patient’s PHI is going to be electronically shared, or if a CE is being sent PHI, then the subject must be made aware of this prior to it happening. In order for this process to be completed the subject/patient must provide their legal authorization. The only exceptions to this are if the PHI is being shared to a different CE for treatment, payment, or insurance reasons.
Quicker Patient Access to EHRs
Fifteen business days is the limit for providing patients with access to their EHR following the receipt of a written request. Under HIPAA the time limit for this to be completed is 30 days. It is acceptable, legally, for the EHR to be made available to the patient in any format once the patient agrees to this in advance.
More Accountability for Business Associates (BAs)
All BAs, with the exception of those that have zero contact with PHI, should closely adhere to the following rules for working with a CE:
- Immediate notification of a breach once it is discovered.
- State in all Business Associate Agreements (BAAs) who is responsible for alerting breach-impacted individuals by mail.
- Record all evidence of yearly security audits and compliant employee training.
- Configure encryption of PHI on all mobile technology that PHI is used on.
Unauthorized Sharing of PHI means Stricter Civil & Criminal Sanctions
The sanctions for allowing a breach of Texas HB 300 to occur are calculated according to the extent of the breach, the compliance record of the CE, the impact of the breach, and the measures taken to address the breach.
The penalty tier is as follows:
- If the breach was committed negligently = $5,000 per violation
- If the breach was committed knowingly or intentionally = $25,000 per violation
- If the breach was committed intentionally and PHI is being distributed for financial gain = $250,000 per violation
- If the breach is a part of a “pattern of practice” = $1.5 million
What is defined as Personally Identifiable Information (PII) under Texas HB 300?
Under Texas HB 300, personally identifiable information is considered to be all information relating to an individual that is not already in the public domain. This information could be used to ascertain an individual’s identity, either directly or in combination with other information. The identifiers are the same as those in HIPAA and include names, telephone numbers, email addresses, dates, IP addresses, Social Security numbers, and health insurance numbers.
What is a Covered Entity (CE) under Texas HB 300?
Texas HB 300 defines a CE as any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits protected health information in any form. This is in addition to the HIPAA definition of a CE which includes healthcare providers, health plans, and healthcare clearinghouses.
In effect, Texas HB 300 polices all healthcare groups, including those that are not covered by HIPAA. Additionally, it governs the actions of law firms, educational institutions, research bodies, accountancy practices, ISPs, IT service providers, government bodies, and anyone who manages a website that participates in the gathering, storing, or communication of PHI.
Exemptions to Texas HB 300
The entities which do not need to follow Texas HB 300 are:
- Workers’ compensation insurance and any entity or person who is involved with the provision, support, management, or coordination of benefits as listed in a self-insured employees’ compensation plan.
- Non-profit groups investing in healthcare services or prescription medications for indigent people when the main objective of the group is not administering healthcare or funding healthcare.
- Any transaction stipulated by the 1974 Family Educational Rights and Privacy Act.
- Groups and individuals that provide, or are involved with, benefits relating to payments for those impacted by crime.
- Employee benefit plans and entities or individuals whose work is involved in those plans.
HB 300 Training Courses from ComplianceJunction
ComplianceJunction allows you to design your own specific HB 300 training course, although many covered entities decide to choose a third-party course for their employees. It is important that you ensure the training course you provide is made with careful attention to the duties that the employee receiving it is completing.
It is crucial that all courses include at least the following subject areas:
- Introduction to Texas HB 300.
- HB 300 compliance for CEs and individuals
- Why the law was introduced and why compliance is crucial
- Range of information included
- Patients giving permission for sharing of electronic PHI
- Medical record and PHI access
- Patient rights in relation to electronic medical records
- Notifications of electronic disclosures of PHI
- Securing PHI
- Notification requirements for a HB 300 violation
- HB 300 breach penalties
It is crucial that all entities impacted by Texas HB 300 adhere to all of the aforementioned rules and conduct the proper training for their workforce on an ongoing basis.
ComplianceJunction training is modular, and you can select the content most appropriate to your organization’s training needs, such as HB 300 compliance and healthcare cybersecurity. Further details of our HB 300 training module and our HIPAA training courses are available on request.