Texas House Bill 300 (HB 300), which took effect on September 1, 2012, expands the existing privacy requirements of the Texas Medical Records Privacy Act to any individual or organization that has access to the Protected Health Information (PHI) or Sensitive Personal Information (SPI) of any Texas resident, irrespective of where the individual, organization, or resident is located.
Then Texas Governor Rick Perry signed HB 300 into law in June 2011 and, in doing so, amended four existing Texas codes:
- Texas Health and Safety Code (Chapters 181 and 182)
- Texas Government Code (Chapter 531)
- Texas Business and Commerce Code (Chapters 521 and 522)
- Texas Insurance Code (Chapter 602)
These amendments give Texas some of the strictest privacy and security regulations covering healthcare information in the United States.
HB 300 Training Requirements
Texas HB 300 and the laws it amended oblige every individual and organization that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits protected health information (hereafter referred to as covered entities) to train their workforce on the requirements of the legislation.
The HB 300 training requirements differ from those of HIPAA:
- Training must be provided no later than 90 days after an employee is hired.
- Refresher training must be provided within one year of a material change in state or federal law concerning PHI that affects the employee's duties.
- Training must be tailored to the covered entity's course of business and to each employee's duties, including the way that employee handles protected health information.
- Training must be documented: each employee signs a statement verifying attendance, and the covered entity retains it as evidence of training in the event of a compliance investigation.
HIPAA-covered entities and business associates are already legally required to provide HIPAA training and security awareness training to their workforce, but this is not the same as Texas HB 300 training. To comply with HB 300 and avoid potential penalties, a training course specifically designed for HB 300 compliance must be provided to all employees who handle PHI.
What are the Chief Differences between HIPAA and Texas HB 300?
HIPAA sets baseline security standards that must be followed to ensure the confidentiality, integrity, and availability of protected health information. HIPAA also introduced new rights for individuals over their healthcare data and stipulated the permitted uses and disclosures of protected health information. HIPAA is a floor, not a ceiling: it does not preempt state laws that are more stringent, so individual US states may pass their own legislation to strengthen privacy protections for their residents where they consider the federal baseline insufficient.
This is what the legislature did in Texas when it passed HB 300. This bill widened the definition of covered entities while also adding extra requirements to enhance safeguards and ensure the privacy of state residents’ data.
Here we detail some of the main areas where the Texas legislation improves protections for state residents and their healthcare data. As mentioned above, there are strict time frames for providing training for all employees who manage, process, or interact with the protected health information (PHI) and sensitive personal information (SPI) of Texas residents.
Expanded definition of a Covered Entity (CE)
Texas HB 300 expanded the HIPAA definition of a covered entity (healthcare provider, health plan, and healthcare clearinghouse) to also include any “BA, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an internet site.” In practice, anyone who comes into possession of the PHI or SPI of a Texas resident is required to comply with Texas HB 300.
Formal Standards for Managing Electronic Health Records
A covered entity must give notice to each individual whose PHI it creates or receives that the PHI may be disclosed electronically, and it must obtain the individual's authorization before each electronic disclosure of that PHI. The only exceptions are disclosures made for treatment, payment, health care operations, or insurance or HMO functions, or disclosures otherwise authorized by law.
Quicker Patient Access to Electronic Healthcare Data
A healthcare provider that uses an electronic health record system must give a patient access to their health records within 15 business days of receiving a written request. Under HIPAA, the time limit is 30 days. The records must be provided in electronic form unless the patient agrees in advance to accept them in another format.
More Accountability for Business Associates (BAs)
All business associates, except those that have no contact with PHI, must adhere to the following rules when working with a covered entity:
- Notify the covered entity of a breach immediately once it is discovered.
- State in every Business Associate Agreement (BAA) which party is responsible for notifying breach-affected individuals by mail.
- Retain records of annual security audits and employee training.
- Encrypt PHI stored on all mobile devices.
Strict Civil & Criminal Sanctions for HB 300 Violations
Civil and criminal sanctions can be imposed for any violation of the requirements of Texas HB 300. The civil penalties are divided into tiers based on the culpability of the covered entity:
- Violations committed negligently: up to $5,000 per violation
- Violations committed knowingly or intentionally: up to $25,000 per violation
- Violations committed intentionally where PHI is used for financial gain: up to $250,000 per violation
- Violations that form part of a pattern or practice of noncompliance: penalties capped at $1.5 million annually
When setting a penalty within these tiers, consideration is given to the covered entity's compliance history, the impact of the violation on Texas residents, the measures taken to address the violation and prevent it from recurring, and the number of individuals affected.
What is Defined as Personally Identifiable Health Information under Texas HB 300?
Under Texas HB 300, personally identifiable health information is information relating to an individual that is not already in the public domain and that could be used, either directly or in combination with other information, to identify that individual. The identifiers are the same as those in HIPAA and include names, telephone numbers, email addresses, dates, IP addresses, Social Security numbers, and health insurance numbers.
Exemptions to Texas HB 300
The following are exempt from Texas HB 300:
- Workers' compensation insurance, and any person or entity engaged in the provision, administration, support, or coordination of benefits under a self-insured workers' compensation plan.
- Non-profit agencies that pay for healthcare services or prescription drugs for indigent persons, where the agency's primary business is neither providing healthcare nor reimbursing for it.
- Any transaction covered by the Family Educational Rights and Privacy Act of 1974 (FERPA).
- Persons or entities that provide or administer benefits paid to victims of crime.
- Employee benefit plans, and any person or entity whose work involves administering those plans.
HB 300 Training Courses from ComplianceJunction
Many covered entities decide to choose a third-party course for their employees rather than developing their own training courses. ComplianceJunction provides a Texas HB 300 training course with scope for customization to suit your exact needs.
If you are designing your own training course or choosing a third-party solution, it is important to ensure that training provided to the workforce is tailored to the role and responsibilities of each employee.
It is crucial that all courses include at least the following subject areas:
- Introduction to Texas HB 300.
- Covered entities and individuals required to comply with HB 300.
- Why the law was introduced and why compliance is mandatory.
- Types of information covered.
- Authorizations for sharing of electronic PHI.
- Medical record and PHI access.
- Patient rights in relation to their electronic medical records.
- Notifications about electronic disclosures of PHI.
- Securing PHI.
- Notification requirements for privacy violations.
- HB 300 penalties and sanctions.
It is important all entities required to comply with Texas HB 300 adhere to all of the aforementioned rules and conduct the proper training for their workforce on an ongoing basis.
ComplianceJunction training is modular: you can select the content most appropriate to your organization's training needs, including HB 300 compliance and security awareness training.
You can view our HB 300 training module by clicking here, or complete the form below to find out more about our HIPAA training courses.