Texas physician practices and other health care facilities soon will be required to give more timely and public notice of any breaches of computerized data, including electronic health records (EHRs) and billing information.
During the 2023 regular legislative session, state lawmakers passed Senate Bill 768 by Sen. Tan Parker (R-Flower Mound), which takes effect Sept. 1. The law requires anyone doing business in Texas to notify the state attorney general of computer security breaches involving the sensitive, personal information of at least 250 individuals as soon as possible, and not later than 30 days after discovery, down from 60 days.
Physician practices and other businesses must notify the attorney general’s office of any such breach using its online form. Once notified, the attorney general will add the breach to a publicly accessible listing. Failure to comply could result in a fine of up to $50,000 for each violation, among other consequences. Senator Parker cited an increase in cybercrimes, including identity theft, as a motivation for the law, according to his statement of intent.
Shannon Vogel, associate vice president of health information technology for the Texas Medical Association, notes SB 768 differs from federal rules regarding computer security breaches.
Under HIPAA, physicians and other covered entities must alert affected individuals of any breaches within 60 days of discovery. In cases where a breach has affected 500 individuals or more, they also must alert area media outlets and the U.S. Department of Health and Human Services within the same period. HIPAA violators may incur civil and criminal penalties.
Ms. Vogel encourages Texas physician practices to be mindful of and comply with requirements at both the state and federal levels.
A health care data breach costs $11 million on average, according to IBM Security’s 2023 Cost of a Data Breach Report. The top three factors amplifying this cost are security system complexity, security skills shortages, and noncompliance with regulations.
For more information, check out TMA’s HIPAA Resource Center.