New Law Protects Health Information
Legislative Affairs Feature – December 2011
Tex Med. 2011;107(12);39-42.
By Ken Ortolon
Austin orthopedic surgeon and Texas Medical Association President C. Bruce Malone, MD, says protecting the privacy of patients' personal health information is critical to good medical care.
"As a physician, I cannot provide the best treatment to my patients unless they share with me all of their medical history," Dr. Malone said in March during testimony before a House committee looking at medical records privacy. "That can include 'sensitive health information' such as HIV, sexually transmitted diseases, mental health, drug and alcohol abuse, and domestic violence. My patients share that information with me expecting that I will respect their privacy to the utmost."
But the advent of electronic medical records (EMRs) and the Obama administration's push to get physicians to adopt EMRs widely is increasing concern among patient privacy advocates about the security of personal health information. Many feel privacy protections included in the federal Health Insurance Portability and Accountability Act (HIPAA) are not adequate to prevent misuse of private medical records.
Now a new law – backed by TMA and passed by the Texas Legislature in 2011 – soon will put some new teeth into medical record privacy enforcement in Texas. House Bill 300, by state Rep. Lois Kolkhorst (R-Brenham), prohibits selling protected health information and imposes fines of up to $1.5 million on entities that violate patient privacy rights.
TMA supported the bill after working closely with Representative Kolkhorst to ensure it would not penalize physicians or other health care professionals for inadvertent errors in the legitimate sharing of patient information for treatment, payment, or operational purposes.
Dr. Malone says TMA is a strong proponent of protecting patient privacy, and HB 300 should go a long way toward preventing flagrant commercial misuse of individual patient health information.
"We supported this bill because protecting patient privacy is critically important," Dr. Malone said. "And we didn't want people to be able to commercially abuse confidential health information."
Some health information privacy experts say HB 300 has essentially set the bar for other states' responses to medical record privacy concerns.
Removing Commercial Value
Nora Belcher, executive director of the Texas e-Health Alliance (TEHA), says HB 300 proponents wanted to "remove any commercial value" from personal health information. The bill certainly appears to meet that goal.
HB 300 prohibits anyone responsible for maintaining or transmitting protected health information or who may come into possession of it from selling it. That includes physicians, other health care professionals, hospitals, clinics, health plans, information or computer management entities, and virtually anyone else who has access to confidential patient records.
It does not prohibit disclosing protected health information for treatment, payment, or for performing insurance or HMO functions. It does, however, limit how much a person or entity can charge for providing such information to the reasonable cost of preparing or transmitting the data.
The bill also:
- Requires physicians and others to train their employees every two years on state and federal laws protecting private health information (HIPAA has a similar requirement);
- Permits the Texas Health and Human Services Commission, in consultation with the Texas Department of State Health Services, the Texas Medical Board (TMB), and the Texas Department of Insurance, to create a standard electronic format for releasing electronic medical records; and
- Requires the attorney general to maintain a website with information on consumer privacy rights.
At TMA's urging, Representative Kolkhorst amended the bill to make sure that state health licensing agencies, such as TMB, maintain the primary responsibility for policing the inappropriate release of health information by their licensees. The bill does, however, authorize those agencies to refer egregious cases to the attorney general for prosecution.
HB 300 also significantly increases maximum fines for violation of patient privacy rights. Previous law capped those fines at $3,000 per violation. Under the new law, fines rise to $5,000 per violation in instances where violations are committed negligently, $25,000 per violation for knowingly or intentionally releasing data, and $250,000 if the personal health information is used for financial gain.
If a court finds a pattern or practice of violations, the penalty goes up to as much as $1.5 million. The law directs the courts to base penalties on:
- The seriousness of the violation.
- The violator's compliance history.
- Whether the patient was harmed.
- Whether the violator participated in a Texas Health Services Authority (THSA) certification process. (THSA is the agency responsible for setting state standards for privacy and security of electronic health data by health information exchanges and was charged in HB 300 with setting up a process whereby entities that deal with personal health information can achieve certification for compliance with those standards.)
- How much of a fine might be needed to deter future violations.
- The violator's efforts to correct the offense.
Where's the Privacy?
Representative Kolkhorst, who chairs the House Committee on Public Health, says the federal government's push to get physicians and other health care professionals to adopt EMRs is a big driver of concerns about security of patients' private health information. That concern prompted House Speaker Joe Strauss (R-San Antonio) to direct her committee to study the issue during the interim before the 2011 legislative session.
During hearings on the issue, the committee heard considerable testimony that HIPAA privacy regulations had been largely ineffective.
According to data published in April 2007 in Health Law Alert, more than 26,000 complaints were filed nationally for violations of HIPAA privacy provisions between 2003 and 2007. But only 350 of those complaints were referred to the U.S. Department of Justice for criminal enforcement, and only four of those were actually prosecuted.
Ms. Belcher, whose group is a policy and advocacy organization representing health information technology stakeholders, says several consumer groups are concerned health plans, vendors, providers, or others are selling personal information. While there actually is little evidence of that, TMA officials say there are several reasons why some entities might seek to acquire personal health information.
Employers could use such data to screen potential employees with medical histories that might result in higher health care costs for their company, says Troy Alexander, associate director of TMA's Legislative Affairs Department. Credit card companies and life insurance companies also might use personal health data to determine a person's credit risk or eligibility for insurance.
Ms. Belcher adds that it is legal to sell deidentified records for research or other purposes. The problem, she adds, is that technology could enable an unscrupulous person to reidentify somebody's personal data.
"If you buy enough databases, you can mine the data and reprofile patients," she said.
While that is illegal in Texas, Ms. Belchers says, the bill sponsor and proponents wanted to "aggressively make sure that doesn't happen."
TMB officials say the board disciplined a couple of physicians for selling medical records over the past five years, but such violations are not a big problem. However, TMA officials say the threat of for-profit companies engaging in the commerce of patient information is a much more concrete threat.
TMB Executive Director Mari Robinson, JD, says the board handles fewer than 20 privacy violation complaints each year. Some recent actions involved physicians dictating notes into a patient's record during an airline flight within earshot of other passengers, failing to properly dispose of records, and inadvertently including a patient's records in those of another patient released to another physician.
Representative Kolkhorst sees great potential for EMR systems to help improve care and cut waste in health care, but says patients must know their information is secure.
The "spirit" of HB 300 is "to say to our patients that your most precious data is secure and that it's not going to be used for profiting," she said. "With that security, I believe the public will trust us and there will not be an outcry to do away with electronic health records."
Protecting Simple Errors
While TMA supported HB 300, it had some initial concerns. One version gave the attorney general primary authority to enforce privacy violations by physicians and other licensed health care professionals. TMA believed, and Representative Kolkhorst agreed, that authority should remain with TMB and other health professional licensing agencies.
TMB's Ms. Robinson does not expect significant changes in how the board handles privacy violations as a result of HB 300.
The original bill also would have imposed the stiff penalties for simple errors in physician offices, such as an employee entering the wrong patient identifiers when transmitting multiple records for billing. The bill was amended to exclude fines in such situations.
Representative Kolkhorst praised TMA and other interested groups for working closely with her during the interim and through the legislative session to produce a "consensus" bill. "When we first filed, it wasn't perfect but through the process we were able to work out some of the kinks."
The measure will not take effect until Sept. 1, 2012. Representative Kolkhorst says she delayed implementation because she wanted to give physicians, health plans, and others who could face penalties plenty of time to gear up to comply with the new law.
Dr. Malone does not believe the law will be onerous on physicians. While staff training in handling of personal health information is required, physician offices should already be doing that.
And, with the exclusion of hefty fines for inadvertent errors, he does not expect physicians to face the stiff penalties.
"These fines are not going to happen from inadvertent violations," he said. "These fines are going to occur because of flagrant, commercial uses of private health information, and we think the language is specific enough it is not going to be something that a doctor is going to do without knowing it."
Ken Ortolon can be reached by telephone at (800) 880-1300, ext. 1392, or (512) 370-1392; by fax at (512) 370-1629; or by email.
December 2011 Texas Medicine Contents
Texas Medicine Main Page