When Complying With HIPAA Is Not Enough: Tough New Medical Privacy Laws Are in Effect in Texas
By Jacqueline Klosek, Julia B. Holczer, Achal Oza

While many covered entities and business associates are still adjusting to the changes to the Health Insurance Portability and Accountability Act (“HIPAA”) ushered in by the Health Information Technology for Economic and Clinical Health Act, new privacy requirements that are more stringent than HIPAA recently entered into force in Texas. Last June, Governor Rick Perry signed into law Texas House Bill 300 (HB 300), a measure that amends the state’s medical records privacy laws by strengthening privacy protection for protected health information (“PHI”) and increasing penalties for violations. The amendments, which took effect September 1, 2011, provide for health privacy protections in addition to and more stringent than those protections offered by HIPAA. The Texas Attorney General will be responsible for enforcing the new requirements and may seek injunctive relief and civil penalties up to $1.5 million annually for violations. Because of the broad scope of Texas health privacy laws, these changes are likely to have significant reach, impacting not only HIPAA-covered entities in Texas, but also governmental entities, schools and universities and other entities in Texas that process PHI.

REQUIREMENTS AND LIMITATIONS IMPOSED ON COVERED ENTITIES.

HB 300 will primarily impact “covered entities.” However, while the definition of covered entity under HIPAA is limited to health care providers, physicians, health insurers and health care clearinghouses, existing Texas law defines covered entity more broadly as any entity that engages in “assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information,” or that “comes into possession of” or “obtains or stores” PHI. This means that the new requirements of HB 300 could impact a broad group of entities – beyond those subject to HIPAA.
The key new obligations imposed on covered entities are discussed further below:

A covered entity is required to develop and administer a training program for its employees that covers the details of both the state and federal laws concerning PHI. The training session should specifically be geared towards how these laws relate to (i) the nature of such covered entity’s business and (ii) each employee’s scope of employment. There is no explicit language exempting from this training those employees of a covered entity that do not come into contact with PHI in the scope of their employment. An employee of a covered entity must receive such training within 60 days of such employee’s date of hire, and on a continual basis, no less than once every two years. Each employee who attends a training session must sign in (electronically or in writing) to verify their attendance at such training and the covered entity must maintain records of such attendance.

Subject to limited exceptions, a covered entity may not indirectly or directly sell an individual’s PHI. The new measures will generally restrict covered entities from selling PHI. However, a covered entity is permitted to receive a payment or fees from another covered entity in exchange for access to an individual’s PHI solely for the purposes of treatment, payment, health care operations, the performance of an insurance or health maintenance organization function or as otherwise authorized or required by state or federal law. The payment or fees obtained in exchange for the PHI may not exceed reasonable costs of preparing or transmitting the PHI to such covered entity.

A covered entity is required to (i) provide notice to an individual (for whom such covered entity creates or receives PHI) when such individual’s PHI is subject to electronic disclosure and (ii) obtain prior (written or orally documented) authorization for such electronic disclosure from the individual. The form of notice is up to the covered entity, as long as the individual is likely to see it (e.g., written notice at place of business, posting on Internet website, or both, etc.). The prior authorization requirement is not applicable if the disclosure is made to another covered entity for the same purposes as outlined above relating to the sale of PHI (e.g., treatment, payment, health care operations, etc.). The new law indicates that the Attorney General will adopt a standard authorization form, which will comply with HIPAA standards.

ENHANCED ENFORCEMENT MECHANISMS AND PENALTIES.

The new law places its enforcement authority in the hands of the Texas Attorney General, who may pursue an injunction, monetary penalties and disciplinary actions against covered entities that are in violation. In addition to injunctive relief, the Texas Attorney General may institute an action for civil penalties ranging from $5,000 for each negligent violation that occurs in a given year up to a maximum of $1.5 million annually. The penalties increase when the acts are deemed intentional and for financial gain. If a covered entity is deemed in violation of the new law and is licensed by a state agency, a disciplinary action may include revocation of the covered entity’s license. HB 300 also provides that the state may conduct audits of a covered entity to determine its compliance with the state’s health privacy requirements.

Covered entities and other entities processing the PHI of Texas residents should take note that the new far-reaching obligations have recently entered into force in Texas. Because the law goes beyond the requirements of HIPAA in a number of significant ways, even entities that have very well developed HIPAA compliance programs will likely need to make changes to comply with the Texas law.