TX House Bill 300: Everything Is Bigger in Texas
Organizations in Texas that create, store, handle, transmit or have access to protected health information (PHI) need to be informed of TX House Bill 300.
Few things are as personal, private or important as medical records. Texas lawmakers were serious about protecting sensitive information when they passed TX H.B. 300 in 2011. Lawmakers were concerned that the federal HIPAA did not go far enough to safeguard PHI in Texas. TX H.B. 300 went into effect on September 1, 2012.
The Health Insurance Portability and Accountability Act (HIPAA) was created to safeguard PHI. Covered entities and business associates that handle PHI are required by law to follow federal HIPAA regulations. If privacy and security rules are violated then the covered entity and/or business associate may be penalized. Depending on the violation, fines could be quite substantial.
Texas H.B. 300 goes above and beyond federal HIPAA regulations to keep PHI secure. This law serves to increase the number of covered entities that are required to be HIPAA compliant, expand compliance guidelines, and enhance enforcement for Texas entities that are non-compliant. As the saying goes, everything is bigger in Texas. If a Texas organization is found to be non-compliant with HIPAA guidelines it could also be fined for TX H.B. 300 violations.
Texas H.B. 300 made the following changes to federal HIPAA Privacy and Security rules:
- Revised and expanded the definition of a covered entity.
- Increased mandates for HIPAA compliance training.
- Expanded the fines and penalties for both civil and criminal violations.
Under the federal HIPAA law, “covered entities” (i.e. entities that must strictly follow HIPAA) are defined as health care providers, health care plans or medical clearinghouses. Texas H.B. 300 revised and expanded the definition of a covered entity. A covered entity is any Texas individual, business or organization that:
- Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting PHI.
- Comes in possession of PHI.
- Obtains or stores PHI.
- Is an employee, agent or contractor of a person or entity described above, if they create, receive, obtain, maintain, use or transmit PHI.
Texas lawmakers expanded the definition of a covered entity to account for the many Texas organizations and individuals that do not provide actual care to a patient, but through direct or indirect contact have means to access PHI.
Texas H.B. 300 also strengthened federal HIPAA law by adding a requirement for HIPAA training and shortening time limits for responding to patient requests for medical records.
The Texas state law states that covered entities must offer employees mandatory, customized training regarding both federal and state laws related to the privacy and security of PHI. The training must be customized to the employee’s specific responsibilities. The training must be completed within 90 days of hire date. The covered entity is also required to keep records of signed statements of employees that attended privacy and security training.
HIPAA requires that employees that handle PHI be trained within a reasonable period of time after being hired and be updated on any new information that pertains to HIPAA compliance. Many Texas covered entities are training their employees on Federal HIPAA privacy and security rules, but are not paying attention to Texas H.B. 300 requirements.
Texas covered entities that are non-compliant with Federal HIPAA regulations as well as Texas H.B. 300 requirements will have to pay federal fines and state fines.
Texas H.B. 300 also requires that Texas covered entities provide patients with their health records (HRs) in an electronic format no later than 15 business days after receiving a written request from the patient. HIPAA federal law requires that records be provided within 30 days of the request.
Employees that handle PHI in Texas must be trained on Federal HIPAA privacy and security rules as well as TX H.B. 300 requirements.
TX H.B. 300 training is to be completed within 90 days of being hired.
Organizations that violate federal HIPAA guidelines could be penalized with hefty fines. Texas H.B. 300 increases civil penalties for individuals and/or organizations that wrongfully disclose a patient’s PHI. To avoid penalties and fines, Texas H.B. 300 compliance is extremely important.
Texas civil penalties range from $5000 to $1.5 million for covered entities that wrongfully disclose PHI. Federal HIPAA Privacy and Security fines range from $100 to $1.5 million annually. A data breach may also be classified as a felony.
Texas H.B. 300 can impose these fines in addition to any federal fines cited by Health and Human Services. Negligence, intent, and evidence of frequency to constitute a pattern are all considered when assessing penalties.
The Texas state Attorney General’s Office enforces Texas H.B. 300. The Attorney General is required to maintain a website with information on consumer privacy rights, which state agencies regulate covered entities, information regarding each agency’s complaint enforcement process and their contact information.
The Office for Civil Rights could fine the Texas Department of Aging and Disability Services (DADS) up to $12 million for a HIPAA violation.
Conclusion: Easy, Fast, Effective Training
Maintaining HIPAA compliance as well as Texas H.B. 300 regulations can be challenging and confusing, but HIPAA Training Solutions can help. HIPAA Training Solutions offers three online compliance courses designed by HIPAA experts.
We know busy professionals want easy, fast, effective compliance training, so our courses can be accessed at any time and users can stop and start at their leisure. We also offer 2.0 continuing education hours approved by The Texas Nurses Association with the Advanced HIPAA Course. Certificates of Completion can be printed or emailed after successful completion of the course.
Because we want our customers to get fast, easy and effective compliance training we offer a data tracking system that allows managers to easily view and monitor employee progress.
This CNE activity has been jointly provided by Terri Goodman & Associates collaboratively with HIPAA Training Solutions. Terri Goodman & Associates is an approved provider of continuing nursing education by the Texas Nurses Association - Approver, an accredited approver by the American Nurses Credentialing Center’s Commission on Accreditation.