What is Texas HB 300?

What is Texas HB 300, who must comply with it, and what are the penalties for failing to do so? This post answers these and other key questions about Texas HB 300.

What is Texas HB 300?

The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation that requires healthcare providers, health plans, and health care clearinghouses to meet minimum privacy and security standards. HIPAA preempts state privacy and security laws unless a state enacts standards that are more stringent than HIPAA's.

Texas legislators decided that standards more stringent than HIPAA's were necessary, and in 2011 the Texas legislature updated the existing Texas Medical Records Privacy Act (Chapters 181 and 182 of the Texas Health and Safety Code) by passing Texas HB 300. Subsequent amendments have since introduced further requirements.

Who Needs to Follow Texas HB 300?

Texas HB 300 extended the HIPAA definition of a covered entity (healthcare providers, health plans, and health care clearinghouses) to include any person or entity that assembles, collects, analyzes, uses, evaluates, stores, or transmits the protected health information (PHI) of Texas residents, or that otherwise comes into possession of it.

Texas HB 300 consequently applies to healthcare organizations that were never HIPAA covered entities, and to any other organization that meets the Texas definition of a covered entity: for example, lawyers, accountants, schools, sports clubs, government agencies, and individuals who own or operate a website that records, stores, or accesses PHI.

Exemptions to Texas HB 300

The following entities and activities are exempt from Texas HB 300:

  • Non-profit agencies that pay for healthcare services or prescription drugs for indigent persons, if the agency's primary business is neither providing healthcare services nor reimbursing for them.
  • Workers' compensation insurance, and any person or entity that acts in connection with the provision, support, administration, or coordination of benefits under a self-insured workers' compensation plan.
  • Employee benefit plans, and the persons or entities that act in connection with those plans.
  • Persons or entities that provide, administer, support, or coordinate benefits relating to compensation for victims of crime.
  • The processing of certain payment transactions by financial institutions, and education records covered by the Family Educational Rights and Privacy Act of 1974 (FERPA).

Texas HB 300 and Electronic Health Records

Texas HB 300 introduced new requirements for electronic health records. A covered entity may not electronically disclose a person's PHI for purposes other than treatment, payment, health care operations, or insurance functions unless it has first obtained the person's written authorization for the disclosure.

HIPAA requires covered entities to give patients and plan members copies of their PHI on request, within 30 days of receiving the request. Texas HB 300 requires a faster turnaround: a healthcare provider that uses an electronic health record system must provide an electronic copy of the PHI within 15 business days of receiving a written request.

Texas HB 300 Training for All Workers with Access to PHI

All employees who have access to PHI or sensitive personal information (SPI), or who are likely to encounter PHI in the course of their duties, must complete formal privacy training within 90 days of being hired. HIPAA requires retraining after a material change in the rules but sets no deadline; Texas HB 300 does: an employee must receive additional training within one year of the effective date of any material change in state or federal PHI law that affects the employee's duties.

Training must be tailored to the employee's role and duties, and it must be documented. Each employee must sign a statement verifying that they completed the training, and training records must be retained for six years so that they are available to state agencies in the event of a compliance audit or breach investigation.

What are the Penalties for Texas HB 300 Noncompliance?

The penalties for Texas HB 300 noncompliance are severe. The Texas Attorney General may seek civil monetary penalties against entities and individuals that fail to comply, and a state licensing agency may suspend or revoke the license of an entity or person that shows a pattern of continued noncompliance.

Much like HIPAA, the civil penalties for noncompliance with Texas HB 300 are divided into four tiers:

  1. Tier 1: Up to $5,000 per violation per year for a violation committed negligently.
  2. Tier 2: Up to $25,000 per violation per year for a violation committed knowingly or intentionally.
  3. Tier 3: Up to $250,000 per violation per year for a violation committed intentionally for financial gain.
  4. Tier 4: Up to $1.5 million annually when the violations occur frequently enough to constitute a pattern or practice.

The size of the penalty is determined by the seriousness of the violation, the entity's compliance history, the efforts made to correct the violation, and whether the violation caused or risked harm.

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology and cyber security. Mark has contributed to leading publications and spoken at international forums, focusing on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.