In May 2011, the Texas Legislature updated the Texas Health and Safety Code with new legislation called “HB 300.” “HB” stands for “House Bill.” HB 300 was the 300th House Bill introduced during the legislative session for 2011. Subsequently, the bill was signed into law by Governor Rick Perry and went into effect in September of 2012.
This article covers what entities are regulated by Texas HB 300. The article begins with a discussion of the law that was amended by HB 300. That law is known as the Texas Medical Records Privacy Act, or TMRPA.
What is the Texas Medical Records Privacy Act (TMRPA)?
In June of 2001, Texas Governor Rick Perry signed the Texas Medical Records Privacy Act into law. The Act was designed to bring Texas into compliance with Federal standards on patient privacy.
The TMRPA brought entities that were not regulated by HIPAA into its regulatory scope by creating and regulating a class of entities called “covered entities.” The TMRPA defines covered entities as people or businesses who:
- Obtain, come into possession of, assemble, collect, use, analyze, evaluate, store, or transmit PHI
- Are employees, agents, or contractors of these people or businesses, to the extent that the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information
The definition of PHI under HB 300 is the same as the definition of PHI under HIPAA.
The TMRPA gives specific examples of who may be a TMRPA “covered entity.” Examples of “TMRPA-covered entities” may include:
- HIPAA business associates
- Healthcare payers
- Governmental units
- Information or computer management entities
- Schools
- Health researchers
- Health care facilities
- Clinics
- Healthcare providers
- Individuals who maintain an Internet site
What Does the TMRPA Protect?
The TMRPA protects the PHI of Texas residents. The TMRPA authorizes the Texas Attorney General to sue TMRPA-covered entities in Texas state court for violations of the law. Lawsuits may be brought for injunctive relief (a court order requiring an entity to stop violating the law).
When the TMRPA Was Passed, What Did it Prohibit?
The TMRPA, when passed in 2001, prohibited the marketing of patient PHI and the use of patient PHI in marketing communications, without patient consent or authorization. The TMRPA also prohibited re-identifying individuals who were the subject of PHI, without obtaining required authorization or consent.
Does the TMRPA Regulate Non-Texas Entities?
Covered entities located and doing business in Texas may be subject to one or more TMRPA provisions. Can an entity that is not located in Texas, but that does business with Texas residents, be a “covered entity” subject to one or more provisions of the TMRPA?
Maybe. People or entities not located in Texas who do business with Texas residents by processing, storing, analyzing, evaluating, transmitting, assembling, collecting, or using their PHI may be subject to part or all of the TMRPA. Whether a person or entity located outside of Texas who does business with a Texas resident is subject to the TMRPA is a legal question for which legal advice should be sought.
What is Texas HB 300?
Texas HB 300 amended the TMRPA in several key respects by introducing the following requirements:
- Certain entities defined as “covered entities” under the TMRPA must train their employees on PHI
- Certain entities defined as “covered entities” under the TMRPA must respond to patient requests for access to electronic health records within 15 days of the request
- Certain entities defined as “covered entities” under the TMRPA may not sell patient PHI in the absence of a patient authorization
- Certain entities defined as “covered entities” under the TMRPA must provide notices to patients of electronic disclosures of their PHI, and must obtain patient authorization for such disclosures
In addition, HB 300 empowers the Texas Attorney General to seek monetary relief (in addition to the existing injunctive relief) against entities that violate HB 300.
There are other potential penalties for an HB 300 or TMRPA violation. If there is evidence that a covered entity subject to the TMRPA has committed violations of the TMRPA that are egregious and constitute a pattern or practice, Texas may:
- Revoke the covered entity’s license
- Refer the covered entity’s case to the attorney general for the institution of an action for monetary relief
A TMRPA violation may also result in a covered entity’s being excluded from participating in any state-funded health care program, if a court finds the covered entity engaged in a pattern or practice of violating the TMRPA.
Why Was HB 300 Passed?
The HB 300 amendment to the TMRPA was passed in response to the 2009 federal HITECH Act. The HITECH Act encouraged healthcare providers to adopt electronic health records.
A goal of HB 300 was to strengthen the privacy protections afforded to protected health information and electronic health information, beyond what the federal Health Insurance Portability and Accountability Act (HIPAA) required.
The Texas House, in a Committee Report prepared during the 2011 Regular Session regarding HB 300, describes why it introduced HB 300:
“Provisions of recent federal legislation establish incentives designed to increase the adoption of electronic health record systems among certain health care providers. The expanded use of such systems is likely to lead to the expansion of the electronic exchange of protected health information, which may require stronger state laws to better ensure the protection of that information. H.B. 300 seeks to increase privacy and security protections for protected health information (PHI).”
What Are Other Provisions of HB 300?
HB 300 also revised the Texas Business and Commerce Code (TBCC). The Texas Business and Commerce Code contains a law known as the Identity Theft Enforcement and Protection Act (ITEPA). ITEPA was passed in 2009 to protect Texas residents from identity theft and from breaches of their sensitive personal information (SPI).