Texas HB300: What You Need to Know

Texas House Bill 300, known commonly as HB300, was passed by the 82nd Texas Legislature and went into effect on September 1, 2012. The law significantly amends several Texas laws to increase the protections and security associated with the storage and handling of protected health information (PHI). The law also incorporates changes to the definitions of a Texas Covered Entity (CE) separate from the criteria laid down by HIPAA regulation. The main components of HB300 are listed below, followed by detailed explanations:

  • The expanded definition of a CE that operates or does business in Texas
  • Broader regulation regarding CEs, including customized employee training
  • Formal standards for the handling of electronic health records (EHRs)
  • Faster Patient Access to EHRs
  • Greater accountability for Business Associates (BAs)
  • Stricter civil and criminal penalties for unregulated electronic disclosure of PHI
  • Selected state agencies’ authority to enforce these regulations

Expanded Definition of a CE

Under HB300, the definition of a CE is now far more extensive. A CE now refers to any “BA, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an internet site.” The law expands the definition of a Texas CE to include:

  • Any person who assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI
  • Any person who comes into possession of PHI
  • Any person who obtains or stores PHI
  • Any employee, agent, or contractor of any person who meets the above criteria and handles PHI in any way

Customized Employee Training Requirements

All new employees who, in any way, handle or encounter PHI or sensitive personal information (SPI) are required to undergo privacy training within 60 days of hiring, with additional training sessions completed at least once every two years. Under HB300, these training sessions need to be customized to an employee’s individual role in an organization and must take into account the specific ways in which they are expected to handle PHI or SPI. Sessions must be documented and verified with employee signatures upon their attendance.

Standards for Handling EHRs

If a CE creates or receives a patient’s PHI, it must notify that patient if the PHI is going to be electronically disclosed. Before the PHI can be transmitted, the patient must give legal authorization, unless the PHI is being transmitted to another CE for treatment, payment, or insurance purposes.

Faster Patient Access to EHRs

Physicians who use EHRs must provide patients access to their records in electronic form within 15 business days of receiving a written request. This is in contrast to the 30-day rule that HIPAA allows. The records can be provided in a different format if a practice is unable to produce an electronic copy, or if the patient has agreed to another format in advance.

Greater Accountability for BAs

Along with the broader definition of a CE, HB300 also incorporates stricter accountability for all businesses that handle PHI in any way. Unless a BA has absolutely no contact with PHI, it must incorporate the following requirements into its communications and interactions with a CE:

  • BAs must immediately notify their corresponding CE when a breach is discovered
  • Business Associate Agreements (BAAs) must specify if the BA or CE will notify breach-affected individuals by mail, in addition to who will incur the cost
  • The contract must be terminated if a BA fails to properly address a breach or is non-compliant with HB300 regulation
  • BAs must provide evidence that they perform annual security risk analyses
  • BAs must provide evidence that their employees have received the proper privacy training
  • BAs must encrypt PHI on mobile devices, during electronic or online exchanges of PHI, and in other high-risk circumstances

Stricter Enforcement Penalties

HB300 is primarily enforced through financial penalties and disciplinary actions if an audit detects a compliance breach. The consequences of a breach are determined by the severity of the violation, the practice’s history of compliance, the harm done as a result of the breach, and the remediation measures taken to correct the violations. Civil fines are broken down as follows:

  • $5,000 per violation if the breach was committed negligently
  • $25,000 per violation if the breach was committed knowingly or intentionally
  • $250,000 per violation if the breach was committed intentionally and PHI is being distributed for financial gain
  • $1.5 million if the breach is a part of a “pattern of practice”
