What are Texas HIPAA Laws? How Does the TMRPA Compare to HIPAA?
HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request, and those requests must be honored within 30 days of the request being submitted. In contrast, the TMRPA requires covered entities to provide copies of PHI much more rapidly – within 15 days of a written request being received.
HIPAA requires Privacy Rule and Security Rule training. Neither rule offers much detail as to what the training must consist of. The TMRPA contains much more specific and stringent training requirements. Under the TMRPA, all employees who are required to handle PHI or sensitive personal information (SPI), or are likely to encounter PHI, are required to undergo formal privacy training. This training must be delivered within 60 days of the beginning of employment. In contrast to HIPAA, which does not stipulate how often additional training must be provided, Texas HB 300 requires additional privacy training to be provided at least every two years. Training sessions need to be tailored to the role and responsibilities of the employee. All training must be documented and employees are required to sign to confirm that they have received the training.
What are Texas HIPAA Laws? The TITEPA
The second of the two Texas HIPAA laws is the Texas Identity Theft Enforcement and Protection Act (TITEPA). The scope of TITEPA is broad. The law applies to individuals and businesses (including medical practices) that own, license, or lease certain consumer information known as “sensitive personal information.” TITEPA requires these entities to keep that information secure from data breaches.
Under TITEPA, there are two types of sensitive personal information.
The first type of sensitive personal information includes an individual’s first name or first initial and last name in combination with either a Social Security number; a driver’s license number or government-issued ID number; or a credit or debit card number.
The second type of sensitive personal information consists of information that identifies an individual and that relates to:
- The physical or mental health or condition of an individual;
- The provision of healthcare to an individual; or
- Payment for the provision of healthcare to an individual.
Under TITEPA, businesses, including HIPAA covered entities operating in Texas, have a duty to protect sensitive personal information.
Under TITEPA, a business must implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.
In addition, a business (i.e., organization) must destroy or arrange for the destruction of customer records containing sensitive personal information (SPI) within the business’s custody or control that are not to be retained by the business. Because SPI includes health information, records containing PHI fall within this requirement. The destruction is to be accomplished by:
- Erasing; or
- Otherwise modifying the sensitive personal information in the records to make the information unreadable or indecipherable through any means.
What are Texas HIPAA Laws? TITEPA Breach Notification
Under TITEPA, a “breach of system security” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted