Texas Medical Privacy Law
The Texas Medical Privacy Law, regulated by the Texas Attorney General, puts stringent regulations on entities handling ePHI – Electronic Protected Health Information.
It expands the scope of “covered entities” beyond HIPAA and also covers the HITECH Act (Meaningful Use), the HIPAA Security and Privacy Rules, a Comprehensive Risk Assessment, and a BCDR Plan.
Depending on the level of intent (stealing vs. accidental disclosure), penalties can be anywhere from $5,000 to $1.5M for every year of PHI or ePHI disclosure.
Penalties for non-compliance are the most costly. A HIPAA breach in the state of Texas could cost your organization up to $2,000 per record, per incident.
Additional punitive actions can include revocation of licensing. HB 300 Texas penalties/fines are above and beyond any fines levied by the federal government under HIPAA or HITECH.
Spohn’s Training Group can customize a Security Education Training and Awareness (SETA) program to meet your organization's unique requirements for compliance with TX HB 300.
Under Texas HB 300, covered entities include:
- Those engaged in the practice of assembling, collecting, analyzing, storing or transmitting ePHI or PHI
- Those that come into the possession of ePHI or PHI
- Those that obtain or store ePHI or PHI, or are employees, agents, or contractors of a person described above, if they maintain, use, transmit, receive, obtain, or create PHI or ePHI, in accordance with Texas Health and Safety Code, §181.001(b)(2).
- All organizations covered under Texas HB 300 must provide ongoing training to their employees regarding state and federal laws concerning PHI and ePHI. This goes beyond HIPAA section 164.308(a)(5), which states covered entities must “implement a security awareness and training program for all members of its workforce (including management).”
- Training must be catered to your particular type of business and tailored to the specific job role of the individual employee.
- The training must be completed no later than the 60th day after the employee’s start date; current employees have 60 days from enactment of the law – October 30th 2012.
- This training must be ongoing and repeated at least once every two years.
- Documentation of the training must be maintained for all individuals attending online or classroom training programs. Records may be either electronic or in writing.