What is Texas HB 300?
What is Texas HB 300, who must comply with it, and what are the fines and penalties for failing to comply? This post answers these and other key questions about Texas HB 300.
What is Texas HB 300?
The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation that sets minimum privacy and security standards for healthcare organizations. HIPAA covers healthcare organizations located in Texas, but they must also comply with state regulations. Texas has some of the strictest regulations in the United States regarding health information, and these are set out in Texas HB 300 (Texas House Bill 300).
The Texas legislature passed Texas HB 300 in June 2011. Texas Governor Rick Perry signed it into law with an effective date of September 1, 2012.
Texas HB 300 amended four Texas laws: the Texas Health Code (Chapters 181 and 182), the Texas Government Code (Chapter 531), the Texas Business and Commerce Code (Sections 521 and 522), and the Texas Insurance Code (Chapter 602), and created stronger health data privacy protections than HIPAA.
Who Needs to Follow Texas HB 300?
Compliance with Texas HB 300 is mandatory for all covered entities that are located in Texas or that conduct business with Texas residents. Entities covered by Texas HB 300 differ from HIPAA-covered entities, as defined in the bill's terms.
Texas HB 300 extended the HIPAA definition of a covered entity (healthcare providers, healthcare clearinghouses, and health plans) to include any entity or person that owns, acquires, assembles, collects, analyzes, evaluates, stores, or transmits protected health information (PHI) in any form.
Texas HB 300 therefore applies to all healthcare organizations, including those that are not HIPAA-covered, as well as lawyers, schools, universities, accountants, researchers, IT service providers, Internet service providers, government agencies, and anyone who operates a website that records, stores, or accesses PHI.
Exemptions to Texas HB 300
The following entities are exempt from Texas HB 300:
- Non-profit organizations that pay for healthcare services or prescription medications for indigent people, when the organization's primary business is not providing healthcare services or reimbursement for healthcare services.
- Workers' compensation insurance, and any entity or person that acts in connection with the provision, support, administration, or coordination of benefits under a self-insured workers' compensation plan.
- Employee benefit plans, and entities or persons that act in connection with those plans.
- Entities or persons that provide, administer, support, or assemble benefits related to compensation for victims of crime.
- Processing of certain payment transactions by financial institutions, and education records covered by the Family Educational Rights and Privacy Act of 1974.
Texas HB 300 and Electronic Health Records
Texas HB 300 introduced new requirements for handling electronic health records. A covered entity may not use PHI for purposes other than treatment, payment for healthcare, or insurance purposes unless it has obtained written consent from the individual before disclosing their PHI.
HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request. Copies must be provided within 30 days of receiving the request. Texas HB 300 requires covered entities to provide copies of PHI faster: within 15 days of receiving a written request.
Texas HB 300 Training for All Workers With Access to PHI
All workers who handle sensitive personal information (SPI) or PHI, or who are likely to encounter PHI, must complete formal privacy training within 60 days of being hired. Unlike HIPAA, which does not specify when refresher training must be provided, Texas HB 300 requires additional privacy training at least every two years. Training must be tailored to the role and duties of the worker. All training must be documented, and workers must sign to confirm that they have received it.
What are the Penalties for Texas HB 300 Noncompliance?
There are severe penalties for Texas HB 300 noncompliance. Entities and individuals that fail to comply with the legislation may be issued civil monetary penalties by the Texas attorney general. State licenses may also be suspended when an entity or person has demonstrated continued noncompliance.
Much like HIPAA, the fines for not complying with Texas HB 300 are divided into three tiers:
- Tier 1: For violations as a result of negligence, up to $5,000 per violation per year
- Tier 2: For a knowing or intentional violation, up to $25,000 per violation per year
- Tier 3: For an intentional violation for monetary gain, up to $250,000 per violation per year
The maximum financial penalty is $1.5 million annually when there is a pattern of noncompliance.
The size of the financial penalty is determined by the seriousness of the violation, whether there is a history of noncompliance, the actions taken to resolve the violation, and whether harm resulted from the violation.