Texas HIPAA Training Requirements
Texas HIPAA training requirements, imposed by HB 300, are stricter than those in the HIPAA Privacy Rule. Under Texas HIPAA law, every covered entity must provide training on PHI to employees, both under the Texas Medical Records Privacy Act and under HIPAA.
While the Texas definition of PHI is the same as the federal HIPAA definition, Texas law on PHI diverges from HIPAA in several ways. One of the differences concerns the right of access. Texas law has a shorter deadline for how promptly an organization must respond to a request to access PHI than HIPAA does.
Employees of Texas HIPAA covered entities must complete the Texas HIPAA training requirements no later than the 90th day after their hire. There is no Texas HIPAA certification, just as there is no federal HIPAA certification. If an employee’s duties at a covered entity are affected by a material change in Texas or federal law concerning protected health information, the employee must receive training within a reasonable period, and no later than the first anniversary of the date the material change in law takes effect. A covered entity must require employees who receive training to sign, electronically or in writing, a statement verifying the employee’s completion of training. The covered entity must maintain the signed statement until the sixth anniversary of the date the statement is signed.
HIPAA Violations in Texas
The penalties for non-compliance with Texas HB 300 can be as costly as the HIPAA fines for a violation. The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation. State medical licenses can also be revoked in cases where an entity or individual has demonstrated continued noncompliance.
As with HIPAA, the penalties for non-compliance with Texas HB 300 are broken down into tiers:
- Tier 1: Up to $5,000 per violation, per year, for violations due to negligence
- Tier 2: Up to $25,000 per violation, per year, for a knowing or intentional violation
- Tier 3: Up to $250,000 per violation, per year, for an intentional violation for financial gain
The maximum financial penalty is $1.5 million per year in cases where there has been a pattern of noncompliance.
HIPAA Release Form Texas and TMRPA
While HB 300 didn’t amend Texas release form requirements, it is important to understand the purpose of release forms and the information they should include. Both the TMRPA and HIPAA require covered entities to obtain a release form for use or disclosure of PHI outside of the purpose for treatment, payment, or healthcare operations.
One instance in which a HIPAA release form would be required in Texas is for marketing purposes. Texas HIPAA release form requirements dictate that patients must sign a release form before their PHI can be used in marketing material, such as patient testimonials on a healthcare provider’s website.
A HIPAA release form in Texas must:
- Include the patient’s contact information
- Allow the patient to select who their information can be disclosed to
- Allow patients to select the purposes for which the covered entity may disclose their PHI
- Have the patient’s signature and the authorization date
Having a patient’s consent to use or disclose their PHI is not absolute. Patients may revoke their consent at any time.
Texas Data Breach Notification Law: The Texas Identity Theft Enforcement and Protection Act
The second of the two Texas HIPAA laws is the Texas Identity Theft Enforcement and Protection Act. This law is Texas’ data breach notification law. It applies to people and entities in Texas that own or license computerized data in the form of “sensitive personal information.” The law also applies to any entity or person outside of Texas that manages, maintains, and uses sensitive personal information owned or stored in Texas. Any person who violates the Act may be liable for civil monetary penalties.
Sensitive Personal Information Under the Texas Data Breach Notification Law
“Sensitive Personal Information” consists of an individual’s first name or first initial and last name in combination with any one (or more) of the following items:
- Social Security Number
- Driver license number or government-issued ID number
- Bank account number
- Credit or debit card number
- The security code for credit or debit cards
“Sensitive Personal Informat