What are Texas HIPAA Laws?
There are two Texas medical records privacy laws. These two laws are known as Texas HIPAA laws. The first of the two Texas HIPAA laws is the Texas Medical Records Privacy Act (TMRPA). In 2012, an amendment known as HB 300 was made to the TMRPA. HB 300 significantly strengthened the law. The second of the two Texas HIPAA laws is the Texas Identity Theft Enforcement and Protection Act (“TITEPA”). TITEPA is Texas’ equivalent of the HIPAA Breach Notification Rule. The two Texas HIPAA laws are discussed below.
What are Texas HIPAA Laws? The TMRPA
The first of the two Texas HIPAA laws is the Texas Medical Records Privacy Act (“TMRPA”). The TMRPA regulates covered entities. Under the TMRPA, a covered entity is, any person who:
- For commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information.
- The term includes a business associate, healthcare payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, healthcare provider, or person who maintains an Internet site.
- Comes into possession of protected health information.
- Obtains or stores protected health information.
Under the TMRPA, covered entities also include employees, agents, or contractors of a person described above, to the extent the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.
Obtain the benefits of federal and Texas HIPAA compliance in one place!
The TMRPA definitions of the terms “creates,” “receives,” “maintains,” “transmits,” and “protected health information” are the same as the HIPAA definitions of these terms.
Under the TMRPA, a covered entity is prohibited from using PHI for any reason other than the provision of treatment, payment for healthcare, or insurance purposes unless, prior to the disclosure of PHI, the covered entity has obtained written authorization from an individual to disclose their PHI. The TMRPA definitions of the terms “treatment,” “payment,” and “written authorization” are the same as the HIPAA definitions of those terms.
What are Texas HIPAA Laws? How Does the TMRPA Compare to HIPAA?
HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request and those requests must be honored within 30 days of the request being submitted. In contrast, the TMRPA requires covered entities to provide copies of PHI much more rapidly – within 15 days of a written request being received.
HIPAA requires Privacy Rule and Security Rule training. Neither rule offers much detail as to what the training must consist of. The TMRPA contains much more specific and stringent training requirements. Under the TMRPA, all employees who are required to handle PHI or sensitive personal information (SPI), or are likely to encounter PHI, are required to undergo formal privacy training. This training must be delivered within 60 days of the beginning of employment. In contrast to HIPAA, which does not stipulate how often additional training must be provided, Texas HB 300 requires additional privacy training to be provided at least every two years. Training sessions need to be tailored to the role and responsibilities of the employee. All training must be documented and employees are required to sign to confirm that they have received the training.
What are Texas HIPAA Laws? The TITEPA
The second of the two Texas HIPAA laws is the Texas Identity Theft Enforcement and Protection Act (TITEPA). The scope of TITEPA is broad. The law applies to individuals and businesses (including medical practices) who own, license, or lease certain consumer information known as “sensitive personal information.” TITEPA requires these entities to keep that information secure from data breaches.
Under TITEPA, there are two types of sensitive personal information.
The first type of sensitive personal information includes an individual’s first name or first initial and last name in combination with either a Social Security number; a driver’s license number or government-issued ID number; or a credit or debit card number.
The second type of sensitive personal information consists of information that identifies an individual and that relates to:
- The physical or mental health or condition of an individual;
- The provision of healthcare to an individual; or
- Payment for the provision of healthcare to an individual.
Under TITEPA, businesses, including Texas and HIPAA covered entities, have a duty to protect sensitive personal information.
Under TITEPA, a business must implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.
In addition, a business (i.e., organization), must destroy or arrange for the destruction of customer records containing sensitive personal information (SPI) within the business’s custody or control that are not to be retained by the business. Sensitive personal records include (and contain) PHI. The destruction is to be accomplished by:
- Shredding;
- Erasing; or
- Otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.
What are Texas HIPAA Laws? TITEPA Breach Notification
Under TITEPA, a “breach of system security” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
Organizations must disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
