What Are the Texas Medical Privacy and Identity Theft Protection Acts?

Texas Medical Privacy and Identity Theft Protection Acts

Texas has two laws that provide HIPAA-like protections for Texas residents’ health information. The first of these “Texas HIPAA laws” is the Texas Medical Records Privacy Act (TMRPA); the second is the Identity Theft Enforcement and Protection Act (ITEPA). The TMRPA provides privacy protections for the PHI of Texas residents, while ITEPA requires entities to notify Texas residents and the Texas Attorney General of breaches of Texas residents’ sensitive personal information. Both laws are discussed below.

The Texas Medical Records Privacy Act (TMRPA)

The first of the two Texas HIPAA laws is the Texas Medical Records Privacy Act (“TMRPA”). The TMRPA regulates what the law calls “covered entities.”

Under the TMRPA, covered entities (which include HIPAA business associates, health researchers, and healthcare providers, among other entities) are those people and entities that do business in Texas, or that do business with Texas residents, and either:

  1. Have a Texas resident’s protected health information (PHI); or
  2. Are the employees, agents, or contractors of someone (an entity or person) with that PHI.

The TMRPA, when passed in 2001, prohibited the marketing of patient PHI and the use of PHI in marketing, without patient consent or authorization. The TMRPA was amended in 2011, by Texas House Bill 300, also known as HB 300.

HB 300 regulates TMRPA-covered entities. It amended the TMRPA in several key areas, introducing the following requirements for certain entities defined as “covered entities” under the TMRPA:

  1. They must train their employees on PHI
  2. They must respond to patient requests for access to electronic health records within 15 days of the request
  3. They may not sell PHI, in the absence of certain exceptions
  4. They must provide notices to patients of electronic disclosures of their PHI, and must obtain patient authorization for such disclosures

In addition, HB 300 empowers the Texas Attorney General to seek monetary relief against entities that violate the TMRPA.

How Does the TMRPA Compare to HIPAA?

HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request, and those requests must be honored within 30 days of the request being submitted. In contrast, the TMRPA requires covered entities to provide copies of requested EHR records within 15 days of a written request being received.

HIPAA requires Privacy Rule and Security Rule training. The TMRPA, as amended by HB 300, also has a training component: it requires that certain covered entities regulated by the law train employees on state and federal law concerning PHI. Such training must be provided as necessary and appropriate for the employee to carry out the employee’s duties for the covered entity. All training must be documented, and employees are required to sign a statement verifying training completion.

The Identity Theft Enforcement and Protection Act (ITEPA)

The second of the two Texas HIPAA laws is the Identity Theft Enforcement and Protection Act (ITEPA). ITEPA was passed in 2009 to protect individuals from identity theft and to provide for mandatory notification of breaches of individuals’ sensitive personal information (SPI).

What is Sensitive Personal Information?

SPI includes an individual’s first name or initial and last name in combination with any one or more of the following pieces of information:

  • Social Security number
  • Driver’s license number or government-issued ID number
  • Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Information that identifies an individual and that relates to:
    • The physical or mental health or condition of an individual
    • The provision of healthcare to an individual
    • Payment for the provision of healthcare to an individual

What Obligations Does ITEPA Impose?

ITEPA imposes an obligation on persons who conduct business in Texas and who own or license computerized data that includes sensitive personal information. These persons must disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose SPI was, or is reasonably believed to have been, acquired by an unauthorized person.

Under ITEPA, a person who is required to disclose or provide notification of a breach of system security must also notify the Texas Attorney General of that breach as soon as practicable, and not later than the 30th day after the date on which the person determines that the breach occurred, if the breach involves at least 250 Texas residents. Notification to the Texas Attorney General must be submitted electronically using a form accessed through the Attorney General’s website and must include:

  • A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach
  • The number of Texas residents affected by the breach at the time of notification
  • The number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification
  • The measures taken by the person regarding the breach
  • Any measures the person intends to take regarding the breach after the notification
  • Information regarding whether law enforcement is engaged in investigating the breach

What Are the Penalties for an ITEPA Violation?

When ITEPA was passed in 2009, the penalty for an ITEPA violation was liability to the State of Texas for a civil penalty of at least $2,000 but no more than $50,000 for each violation, and ITEPA provided that the Texas Attorney General could bring a lawsuit to recover this money. In 2012, HB 300 strengthened this provision of ITEPA by providing for a civil penalty of up to $100 for each individual to whom notification is due, for each consecutive day that the person fails to comply with ITEPA.

What Does Compliancy Group’s HB 300 Program Offer?

Compliancy Group’s HB 300 Program can be used by entities subject to the law to monitor their HB 300 compliance. The program contains an HB 300 policy template, a series of program controls (actions to take), and a QuickStart guide that entities covered by the law can use to create and maintain an HB 300 compliance program.