The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act are federal laws governing patient privacy. HIPAA defines the entities bound by its privacy standards as “covered entities”: health plans, healthcare clearinghouses, and healthcare providers that conduct certain financial and administrative transactions electronically. HITECH extended some of the HIPAA rules, requirements and penalty provisions to the business associates of covered entities.
Texas has gone a step further. The Texas Legislature adopted House Bill 300 (“HB 300”), which amended the Texas Medical Records Privacy Act in the Texas Health and Safety Code and took effect on September 1, 2012. HB 300 revised and expanded the definition of a covered entity in Texas. The Texas Health and Safety Code now defines a covered entity as any individual, business or organization that:
· Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information (“PHI”);
· Comes into possession of PHI;
· Obtains or stores PHI; or
· Is an employee, agent or contractor of a person or entity described above, if that employee, agent or contractor creates, receives, obtains, maintains, uses or transmits PHI. Tex
Under HITECH (enacted in 2009), law firms representing covered entities were already required, as business associates, to safeguard PHI and were subject to fines and penalties similar to those facing their healthcare clients. HB 300 goes further and defines any law firm handling medical records, health insurance records or healthcare billing records as a covered entity in its own right. This means that plaintiff firms, previously outside most HIPAA obligations, are now covered entities under Texas law. Also swept in are record retrieval companies, court reporting firms, legal copy companies, schools, accounting firms and many other businesses. Under HB 300 all of them must follow the new requirements and may be subject to the new fines and penalties.
HB 300 Requirements and Penalties for Covered Entities Include:
Employee Training: Covered entities must now provide ongoing training on both the federal and state privacy laws, tailored to each employee’s duties, within 60 days of hire and again at least once every two years. Tex. Health and Safety Code, §181.101(b)
Electronic Health Records (“EHRs”): A covered entity that uses an electronic health records system must provide a patient’s record in electronic form within 15 business days of receiving the patient’s written request. Tex. Health and Safety Code, §181.102(b)
Fines and Penalties: Civil penalties range from $5,000 to $1.5 million for covered entities that wrongfully disclose PHI. These state penalties may be imposed in addition to any federal penalties assessed by the U.S. Department of Health and Human Services. In setting the amount, the following are considered: whether the disclosure was negligent or knowing and intentional, and whether the violations were frequent enough to constitute a pattern or practice. Tex. Health and Safety Code, §181.201(b)
Law firms, litigation support companies and any other business that uses or stores PHI must adopt appropriate safeguards to comply with HB 300. Policies and procedures covering the proper storage and destruction of paper and electronic PHI, data encryption, user IDs and passwords for electronic devices, facility access and physical security, and employee training must be implemented without delay.
U.S. Legal Support employs a full-time HIPAA Privacy Officer with over 20 years’ experience in compliance and privacy, and provides CLEs on HIPAA as well as HIPAA and HITECH consulting.
For information on a HIPAA CLE for your firm or training on HIPAA and HB 300, contact:
Heather L. Hughes, J.D.
HIPAA Privacy Officer
U.S. Legal Support