What is Texas HIPAA?
Texas has two laws that serve as the state equivalent of the federal Health Insurance Portability and Accountability Act (HIPAA). The first, the Texas Medical Records Privacy Act (“TMRPA”), is essentially Texas’ version of the HIPAA Privacy Rule. The TMRPA regulates covered entities’ use and disclosure of protected health information, and requires covered entities to train their workforce on privacy requirements. A 2012 amendment to the TMRPA, known as HB 300, imposed stricter training requirements and stricter penalties for entities violating Texans’ medical privacy. The second of the two Texas HIPAA laws is the Texas Identity Theft Enforcement and Protection Act (TITEPA). This Texas HIPAA law is Texas’ equivalent of a data breach notification law. The Texas data breach notification law was amended in 2019. The amended law imposes additional breach reporting requirements. Both of the Texas HIPAA laws are discussed below.
Texas HIPAA: The Texas Medical Records Privacy Act
Texas HB 300, which amended the Texas Medical Records Privacy Act, imposes certain requirements on covered entities that are more stringent than those of HIPAA. HB 300 expanded upon existing Texas HIPAA law in three significant ways:
1. HB 300 revised and expanded the definition of a covered entity. Under the federal HIPAA law, “covered entities” (i.e., entities that must strictly follow HIPAA) are defined as health care providers, health care plans, or medical clearinghouses. Under HB 300, the Texas HIPAA law, a covered entity is any Texas individual, business or organization that:
- Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting PHI;
- Comes into possession of PHI; or
- Obtains or stores PHI.
The Texas HIPAA definition of PHI is the same as the federal HIPAA definition. However, the Texas HIPAA definition of “covered entity” covers employees, agents, contractors, and people or entities described in the above bullet points, so long as they create, receive, obtain, maintain, use, or transmit PHI. This means that under Texas HIPAA law, a business associate is considered to be a type of covered entity, as are healthcare payers, governmental units, information or computer management entities, schools, and health researchers, among other entities.
2. HB 300 training requirements are stricter than those in the HIPAA Privacy Rule. Under Texas HIPAA law, every covered entity must provide training on PHI to employees, both under the Texas Medical Records Privacy Act and under HIPAA. While the Texas definition of PHI is the same as the federal HIPAA definition, Texas law on PHI diverges from HIPAA in several ways. One of the differences concerns the right of access: Texas law imposes a shorter deadline than HIPAA for responding to a request to access PHI.
Employees of Texas HIPAA covered entities must complete the Texas HIPAA law training no later than the 90th day after their hire. There is no Texas HIPAA certification, just as there is no federal HIPAA certification. If the duties of an employee of a covered entity are affected by a material change in Texas or federal law concerning protected health information, the employee must receive training within a reasonable period, but not later than the first anniversary of the date the material change in law takes effect. A covered entity must require employees who receive training to sign, electronically or in writing, a statement verifying the employee’s completion of training. The covered entity must maintain the signed statement until the sixth anniversary of the date the statement is signed.
3. The penalties for noncompliance with Texas HB 300 can be as costly as the HIPAA fines for a violation. The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation. State medical licenses can also be revoked in cases where an entity or individual has demonstrated continued noncompliance. As with HIPAA, the penalties for noncompliance with Texas HB 300 are broken down into tiers:
- Tier 1: Up to $5,000 per violation, per year, for violations due to negligence
- Tier 2: Up to $25,000 per violation, per year, for a knowing or intentional violation
- Tier 3: Up to $250,000 per violation, per year, for an intentional violation for financial gain
The maximum financial penalty is $1.5 million per year in cases where there has been a pattern of noncompliance.
Texas HIPAA: The Texas Identity Theft Enforcement and Protection Act
The second of the two Texas HIPAA laws is the Texas Identity Theft Enforcement and Protection Act. This law is Texas’ data breach notification law. It applies to people and entities in Texas that own or license computerized data in the form of “sensitive personal information.” The law also applies to any entity or person outside of Texas that manages, maintains, and uses sensitive personal information that is owned or stored in Texas. Any person who violates the Act may be liable for civil monetary penalties.
What is “Sensitive Personal Information” Under the Texas Data Breach Notification Law?
“Sensitive Personal Information” consists of an individual’s first name or first initial and last name in combination with any one (or more) of the following items:
- Social Security Number;
- Driver license number or government-issued ID number;
- Bank account number;
- Credit or debit card number; or
- The security codes of those credit or debit cards.
“Sensitive Personal Information” also includes information that identifies a person and relates to:
- The physical or mental health or condition of the individual
- The provision of health care to the individual
- Payment for the provision of health care to the individual
This latter definition of sensitive personal information under the Texas data breach notification law is essentially the same as the definition of PHI under HIPAA – personally identifiable information, combined with information relating to a person’s health status; healthcare they have received, are receiving, or will receive; or healthcare payment.
Under the Texas data breach notification law, businesses must implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect sensitive personal information from unlawful use or disclosure. This component of the Texas data breach notification law is Texas’ equivalent of a HIPAA Security Rule standard.
Under this Texas HIPAA law, an entity must disclose any breach of system security within 60 days of determining that a breach has occurred.
Entities required to provide notification of a data breach affecting at least 250 Texas residents must also notify the Texas Attorney General with specific details about the breach, including how many people were affected and what measures the entity has taken regarding the breach.