Who Does Texas HB 300 Apply To

In May of 2011, the Texas Legislature attempted to update Chapter 181 of the Texas Health and Safety Code, with new legislation called “HB 300.” “HB” stands for “House Bill.” “300” is not a movie reference, a reference to a number of days, or an amount of money.

Under Texas law, to introduce a bill in the Texas House of Representatives, a state representative must file copies of the bill with the House Clerk, who sequentially numbers each term’s bills in the order in which the clerk receives the bills. HB 300 was the 300th House Bill introduced during the legislative session for 2011. Subsequently, the bill was signed into law by Governor Rick Perry, and went into effect in September of 2012. This article discusses the topic of HB 300 covered entities.

Why Was HB 300 Passed?

“2012” is not a movie reference, either. The bill was signed into law at that time as a response to the 2009 federal HITECH Act. The HITECH Act encouraged healthcare providers to adopt electronic health records.

The main goal of the bill was to strengthen the privacy protections afforded to protected health information and electronic health information, beyond what the federal Health Insurance Portability and Accountability Act (HIPAA) required.

The Texas House, in a Committee Report prepared during the 2011 Regular Section regarding HB 300, describes why it introduced HB 300:

“Provisions of recent federal legislation establish incentives designed to increase the adoption of electronic health record systems among certain health care providers. The expanded use of such systems is likely to lead to the expansion of the electronic exchange of protected health information, which may require stronger state laws to better ensure the protection of that information. H.B. 300 seeks to increase privacy and security protections for protected health information.”

What is Different About HB 300?

HB 300 brought entities that were not regulated by HIPAA, into its regulatory scope.

HB 300 tells us who is regulated by the law, fairly early on in the text, which defines “covered entity” – the group to be regulated.

HB 300 covered entities are people or businesses who:

  • Obtain, come into possession of, assemble, collect, use, analyze, evaluate, store, or transmit PHI.
  • Are employees, agents, or contractors of these people or businesses, to the extent that the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

The definition of PHI under HB 300 is the same as the definition of PHI under HIPAA.

HB 300 gives specific examples of covered entities. Examples of HB 300 covered entities include

  1. HIPAA business associates
  2. Healthcare payers
  3. Governmental units
  4. Information or computer management entities
  5. Schools
  6. Health researchers
  7. Health care facilities
  8. Clinics
  9. Healthcare Providers
  10. Individuals who maintain an Internet site

What Entities Does HB 300 Cover, Beyond Who HIPAA Covers?

Texas HB 300 expanded the definition of “covered entity” from the HIPAA definition. Healthcare providers and healthcare plans are HB 300 covered entities. As noted above, HIPAA business associates are also HB 300 covered entities. Entities that may NOT be covered by HIPAA are also covered by HB 300. HB 300 covered entities include, as noted above, computer management entities, schools, health researchers, and people who maintain an Internet site, provided these entities obtain, come into possession of, assemble, collect, use, analyze, evaluate, store, or transmit PHI.

What Are Some Specific HB 300 Covered Entities?

HB 300 covered entities may include (among other entities) IT service providers, website owners, accountants, sports teams, and lawyers, if they obtain, come into possession of, assemble, collect, use, analyze, evaluate, store, or transmit PHI.

Many HB 300 covered entities are not covered entities under HIPAA. Under HIPAA, a website owner, say, that merely creates, maintains, receives, and/or transmits PHI is not a covered entity (it’s not a healthcare plan, provider, or healthcare clearinghouse, nor, by virtue of merely being a website, is it a business associate). Under HB 300, though, a website owner IS a covered entity, if the owner obtains, comes into possession of, assembles, collects, uses, analyzes, evaluates, stores, or transmits PHI.

Does HB 300 Regulate Only Texas-Based Covered Entities?

No. Texas-based covered entities (entities incorporated or headquartered in Texas) are subject to HB 300. But what about covered entities who are not incorporated or headquartered in Texas? Are they, too, regulated by HB 300? Are they HB 300 covered entities?

Texas, like every other state, has what is called a “long-arm” statute. The “long-arm” language is a nod to the phrase “the long arm of the law.” A long-arm statute, basically, is a law that allows for a state court to obtain jurisdiction over an out-of-state defendant, on the basis of that person’s violation of a state law – provided the defendant has what’s called a “sufficient connection” with the state.

This long slab of legalese means: If I am a resident of one state (say New York), and I engage in activity that constitutes a violation of another state’s law (say, Texas’ HB 300), I can be sued in a Texas court. This is so, provided I have a “sufficient connection” with Texas. “Sufficient connection” means that I have “sufficient contact” with Texas. “Sufficient contact” arises from the business that I do with Texas (either its government, its residents, or both).

Say again? If I conduct business with Texas residents (by processing, storing, analyzing, evaluating, transmitting, assembling, collecting, or using their PHI), I have “sufficient contact” with Texas, and therefore “sufficient connection.” So, If I violate the terms of HB 300, I can expect that Texas can use its “long arm” jurisdiction, which means that I can be expected to appear in Texas court to defend myself in a legal action brought by the state’s Attorney General. HB 300 is enforced by the Texas Attorney General, who is authorized to file a lawsuit against entities or individuals who violate it.

What Does HB 300 Protect?

We now know who is regulated by HB 300. But who and what does HB 300 protect? The PHI of Texas residents. State courts in Texas exist to enforce the rights of Texas residents. HB 300 allows the Texas Attorney General to sue Texas-based and non-Texas-based HB 300 covered entities in Texas state court for violations of the law. Why? To uphold and vindicate the rights of Texas residents – a quintessential state Attorney General responsibility.