Are Your Privacy Policies Up to Date?

If you haven't updated your practice's privacy policies in a couple of years, now's the time. The Texas Legislature tinkered with state privacy laws in the 2011 and 2013 sessions, and you may need to get up to date.

Here are some highlights of the state laws.


Texas law requires medical practices to train employees, within 90 days of hire, about state and federal law concerning protected health information (PHI), as necessary for them to carry out their duties. If a material change in state or federal law concerning PHI affects an employee's duties, the employee must receive additional training within a year of the change's effective date. Employees must sign, electronically or in writing, a statement verifying their completion of the training, and the practice must keep the signed statement for six years. Under HIPAA, covered entities must train employees on HIPAA policies and procedures within a reasonable amount of time after hiring and when there are any material changes in privacy policies. HIPAA also requires documentation of the training and maintenance of the documentation.

Patients’ Right to See Their EHR

State law says practices must provide patients electronic copies of their electronic health record (EHR) within 15 business days of the patient's written request for the records.  HIPAA requires practices to provide them within 30 days of the patient's written request.   


  • Maximum state civil penalties for violations of the law can range from $5,000 to $1.5 million per year for unlawful disclosure of a patient’s PHI. In determining an appropriate penalty, a court may consider six factors (1) the seriousness of the violation; (2) the practice’s compliance history; (3) the risk of financial, reputational, or other harm to the affected patient(s); (4) whether the practice was certified by the Texas Health Services Authority as in past compliance with its standards; (5) the amount necessary to deter future violations; and (6) the practice’s efforts to correct the violation.  
  • Under HITECH, practices must notify individuals of certain breaches of their PHI. Additionally, state law includes its own distinct notification provisions and penalties regarding certain breaches of computerized data containing sensitive personal information. Failure to notify individuals under state law also may result in penalties that were including an additional $100 state penalty per individual for each day the notice is not sent, not to exceed $250,000. The state breach notification law applies to any business in Texas that owns or licenses computerized data that includes sensitive personal information, not just medical practices and other covered entities. 

 See the Texas Health and Safety Code, Chapter 181, and the Texas Business and Commerce Code, Chapter 521.

Texas privacy law  coupled with HIPAA privacy audits  place more and more responsibility on practices to protect patient information. You can find several helpful one-hour webinars in the TMA Education Center. In addition, the new edition of TMA's  Policies and Procedures: A Guide for Medical Practices, due out in fall 2013, contains up-to-date privacy practices that meet federal and state law.

 Updated Oct. 28, 2013

NOTICE: This information is provided as a commentary on legal issues and is not intended to provide advice on any specific legal matter.  The Texas Medical Association provides this information with the express understanding that 1) no attorney-client relationship exists, 2) neither TMA nor its attorneys are engaged in providing legal advice and 3) that the information is of a general character. This is not a substitute for the advice of an attorney. While every effort is made to ensure that content is complete, accurate and timely, TMA cannot guarantee the accuracy and totality of the information contained in this publication and assumes no legal responsibility for loss or damages resulting from the use of this content. You should not rely on this information when dealing with personal legal matters; rather legal advice from retained legal counsel should be sought. 

 TMA Practice E-Tips main page  


Last Updated On

October 28, 2013