HIPAA: New Texas Privacy and Security Laws (HB 300) Take Effect Sept. 1, Resulting in Important Changes to Staff Training on PHI.


Back Arrow

Back To The Calendar


Topic HIPAA: New Texas Privacy and Security Laws (HB 300) Take Effect Sept. 1, Resulting in Important Changes to Staff Training on PHI.
Background The Texas Legislature passed House Bill 300 (HB 300) during its 82nd regular session to amend the Texas Medical Privacy Act (TMPA) and other state privacy/security laws. HB 300 offers more stringent protections for protected health information (PHI) than its federal counterparts, HIPAA and the HITECH Act. Among other things, HB 300 mandates employee training on state and federal laws regarding PHI that is tailored to each employee’s scope of employment. It also puts in place new requirements for notices to patients regarding electronic disclosure of PHI.
Regulating Body Texas Health and Human Services Commission, the Texas attorney general, and the Texas Medical Board (for physicians)
Compliance Date 9/1/2012
Consequences Covered entities that wrongfully disclose a patient’s PHI face increased civil penalties under HB 300, ranging from $5,000 to $1.5 million per year. To determine the penalty amount, a court may consider six factors: 1) the seriousness of the violation, 2) the entity’s compliance history, 3) the risks of harm to the patient, 4) whether the practice was certified by the Texas Health Services Authority as in past compliance with its standards, 5) the amount necessary to deter future violations, and 6) efforts made to correct the violation. Additionally, Texas law includes its own distinct provisions and penalties regarding breaches of computerized data containing "sensitive" personal information. Failure to notify individuals under state law (on or after Sept. 1, 2012) may result in penalties that were heightened under HB 300, including an additional $100 state penalty per individual for each day the notice is not sent, not to exceed $250,000. State penalties are levied in addition to any penalties for violating federal laws.
Next Steps 1. Update policies and procedures to incorporate changes resulting from HB 300. This includes providing the newly required notice to an individual for whom the covered entity creates or receives PHI if the PHI is subject to electronic disclosure. 2. Develop and implement new employee training on state and federal laws concerning PHI for privacy/security compliance. New employees must receive training as it relates to the entity’s particular course of business and the employee’s scope of employment within 60 days of hire. 3. Review your training schedule for existing employees. HB 300 also requires ongoing training on state and federal PHI at least once every two years. Employees are required to sign, electronically or in writing, a statement verifying his or her attendance at the training program. The covered entity is required to maintain the signed statement.
Find out how TMA can help!