What Are Texas HIPAA Laws?

A 2012 amendment to the TMRPA, known as HB 300, imposed stricter training requirements and penalties for entities violating Texans’ medical privacy. The second of the two Texas HIPAA laws is the Texas Identity Theft Enforcement and Protection Act (TITEPA). This Texas HIPAA law is Texas’ equivalent of a data breach notification law. The Texas data breach notification law was amended in 2019, imposing additional breach reporting requirements. Both of the Texas HIPAA laws are discussed below.

Texas HIPAA: The Texas Medical Records Privacy Act

Texas HB 300, which amended the Texas Medical Records Privacy Act, imposes specific requirements on covered entities that are more stringent than those of HIPAA. HB 300 expanded upon existing Texas HIPAA law in three significant ways.

Definition of a Covered Entity Under Texas HB 300

Texas HB 300 revised and expanded the definition of a covered entity. Under the federal HIPAA law, “covered entities” (i.e., entities that must strictly follow HIPAA) are defined as health care providers, health care plans, or medical clearinghouses. 

Under HB 300, the Texas HIPAA law, a covered entity is any Texas individual, business, or organization that:

• Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI;
• Comes into possession of PHI; or
• Obtains or stores PHI.

Under Texas HIPAA law, the definition of PHI is the same as the federal HIPAA definition. However, the Texas HIPAA definition of “covered entity” covers employees, agents, contractors, and people or entities described in the above bullet points, so long as they create, receive, obtain, maintain, use, or transmit PHI. 

This means that under Texas HIPAA law, a business associate is considered to be a type of covered entity, as are healthcare payers, governmental units, information or computer management entities, schools, and health researchers, among other entities.

Texas HIPAA Training Requirements

Texas HIPAA training requirements, imposed by HB 300, are stricter than those in the HIPAA Privacy Rule. Under Texas HIPAA law, every covered entity must provide training on PHI to employees, both under the Texas Medical Records Privacy Act and under HIPAA. 

While the Texas definition of PHI is the same as the federal HIPAA definition, Texas law on PHI diverges from HIPAA in several ways. One of the differences concerns the right of access. Texas law has a shorter deadline for how promptly an organization must respond to a request to access PHI than HIPAA does.

Employees of Texas HIPAA covered entities must complete the Texas HIPAA training requirements no later than the 90th day after their hire. There is no Texas HIPAA certification, just as there is no federal HIPAA certification. Suppose an employee’s duties of a covered entity are affected by a material change in Texas or federal law concerning protected health information. In that case, the employee must receive training within a reasonable period, but no later than the first anniversary of the date the material change in law takes effect. A covered entity must require employees who receive training to sign, electronically or in writing, a statement verifying the employee’s completion of training. The covered entity must maintain the signed statement until the sixth anniversary of the date the statement is signed.

HIPAA Violations in Texas

The penalties for non-compliance with Texas HB 300 can be as costly as the HIPAA fines for a violation. The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation. State medical licenses can also be revoked in cases where an entity or individual has demonstrated continued noncompliance. 

As with HIPAA, the penalties for non-compliance with Texas HB 300 are broken down into tiers:

• Tier 1: Up to $5,000 per violation, per year, for violations due to negligence
• Tier 2: Up to $25,000 per violation, per year, for a knowing or intentional violation
• Tier 3: Up to $250,000 per violation, per year, for an intentional violation for financial gain

The maximum financial penalty is $1.5 million per year in cases where there has been a pattern of noncompliance.

HIPAA Release Form Texas and TMRPA

While HB 300 didn’t amend Texas release form requirements, it is important to understand the purpose of release forms and the information they should include. Both the TMRPA and HIPAA require covered entities to obtain a release form for use or disclosure of PHI outside of the purpose for treatment, payment, or healthcare operations. 

One instance in which a HIPAA release form would be required in Texas is for marketing purposes. HIPAA release form Texas requirements dictate that patients must sign a release form before their PHI can be used for marketing material, such as patient testimonials on a healthcare provider’s website.

A HIPAA release form in Texas must:

• Include the patient’s contact information
• Allow the patient to select who their information can be disclosed to
• Allow patients to select the purposes for which the covered entity may disclose their PHI for
• Have the patient’s signature and the authorization date

Having a patient’s consent to use or disclose their PHI is not absolute. Patients may revoke their consent at any time.

Please click here for more information and to access a Texas standard HIPAA release form.

Texas Data Breach Notification Law: The Texas Identity Theft Enforcement and Protection Act

The second of the two Texas HIPAA laws is the Texas Identity Theft Enforcement and Protection Act. This law is Texas’ data breach notification law. It applies to people and entities in Texas that own or license computerized data in the form of “sensitive personal information.” The law also applies to any entity or person outside of Texas that manages, maintains, and uses sensitive personal information owned or stored in Texas. Any person who violates the Act may be liable for civil monetary penalties.

Sensitive Personal Information Under the Texas Data Breach Notification Law

“Sensitive Personal Information” consists of an individual’s first name or first initial and last name in combination with any one (or more) of the following items:

• Social Security Number
• Driver license number or government-issued ID number
• Bank account number
• Credit or debit card number
• The security credit or debit cards

“Sensitive Personal Information” also includes information that identifies a person and relates to:

• The physical or mental health or condition of the individual
• The provision of health care to the individual
• Payment for the provision of health care to the individual

This latter definition of sensitive personal information under the Texas data breach notification law is essentially the same as the definition of PHI under HIPAA – personally identifiable information, combined with information relating to a person’s health status; healthcare they have received, are receiving, or will receive; or healthcare payment.

Under the Texas data breach notification law, businesses must implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect sensitive personal information from unlawful use or disclosure. This Texas data breach notification law component is Texas’ equivalent of a HIPAA Security Rule standard.

Under this Texas HIPAA law, an entity must disclose any breach of system security within 60 days of determining a breach has occurred. 

Entities required to provide notification of a data breach of at least 250 Texas residents must also notify the Texas Attorney General with specific details about the breach, including how many people were affected and what measures the entity has taken regarding the breach.