What is Texas HB 300, who needs to follow the legislation, and what are the fees and penalties for failing to comply? This post talks about these and other vital questions regarding Texas HB 300.
What is Texas HB 300?
The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation that requires healthcare providers, health plans, and healthcare clearinghouses to comply with minimum privacy and security standards. HIPAA preempts state privacy and security standards unless a state introduces more stringent standards.
In Texas, legislators felt more stringent standards were necessary than are required by HIPAA, and – in 2011 – the Texas legislature updated the existing Medical Records Privacy Act (Chapters 181 and 182 of the Texas Health and Safety Code) with the passage of Texas HB 300. Subsequent amendments have since introduced further requirements.
Who Needs to Follow the Texas Medical Records Privacy Act?
The original Medical Records Privacy Act in 2001 extended the HIPAA definition of a covered entity (healthcare companies, health plans, and health care clearinghouses) to include any entity or person that owns, acquires, sets up, collects, assesses, evaluates, stores, or sends the protected health information (PHI) of Texas residents.
By extending the scope of who qualifies as a covered entity, the Medical Records Privacy Act expanded individual privacy protections beyond HIPAA to all organizations that meet the criteria for being a covered entity. This also means that organizations that would otherwise qualify as business associates under HIPAA are covered entities under the Texas law.
Exemptions to the Texas Medical Records Privacy Act
The following entities do not need to follow the Texas Medical Records Privacy Act:
- Non-profit organizations that pay for healthcare services or prescription medications for indigent people, where the primary business of the organization is not providing healthcare services or reimbursement for healthcare services.
- Workers’ compensation insurance, and any entity or person acting in connection with the supply, support, administration, or coordination of benefits under a self-insured workers’ compensation plan.
- Employee benefit plans and entities or persons that work in connection with those plans.
- Entities or persons that offer, administer, support, or assemble benefits involved with payments to victims of crime.
- Processing of particular payment transactions by financial institutions, and education records covered by the Family Educational Rights and Privacy Act of 1974.
Texas HB 300 and Electronic Health Records
Texas HB 300 introduced new requirements for disclosing electronic health records. A covered entity is not allowed to use or disclose PHI except for the provision of treatment, healthcare payment, healthcare operations, or HMO/insurance applications, unless the covered entity has obtained written authorization from the individual to share their PHI before the disclosure takes place.
The authorization requirements of Texas HB 300 expand individual privacy protections beyond HIPAA in that disclosures of electronic PHI that HIPAA permits without authorization under §164.512 of the HIPAA Privacy Rule require the patient’s authorization unless the disclosure is required by law. For example, reporting child abuse is mandatory in Texas.
HIPAA requires covered entities to give patients and plan members copies of their PHI on request, and the copies must be provided within 30 days of receiving the request. Texas HB 300 requires covered entities to deliver PHI copies faster – within 15 days of receiving a written request.
Texas HB 300 Training for All Workers with Access to PHI
All workers who have access to sensitive personal information (SPI) or PHI, or who are likely to encounter PHI, must complete formal privacy training within 90 days of being employed. Unlike HIPAA, which doesn’t state when further training should be given, Texas HB 300 requires further privacy training within a year of any material change in state or federal law concerning PHI that affects a worker’s role.
Training sessions must be customized to the role and duties of the worker, and all training must be documented. Workers must sign the documentation to confirm that they received the training, and the training records must be retained for six years so they are available to public agencies in the event of a compliance audit or breach investigation.
What are the Penalties for Texas HB 300 Noncompliance?
There are severe penalties for Texas HB 300 noncompliance. Entities and individuals that fail to comply with the legislation may be issued civil monetary penalties by the Texas Attorney General. State licenses may also be suspended when an entity or a person has demonstrated continued noncompliance.
Much like HIPAA, the fines for not complying with Texas HB 300 are divided into four tiers:
- Tier 1: For violations as a result of negligence, up to $5,000 per violation per year
- Tier 2: For a knowing or intentional violation, up to $25,000 per violation per year
- Tier 3: For an intentional violation for monetary gain, up to $250,000 per violation per year
- Tier 4: The highest possible financial penalty is $1.5 million annually when there is a pattern of noncompliance.
The level of the financial penalty is determined by the seriousness of the violation, whether or not there is a record of noncompliance, the actions taken to resolve the violation, and whether or not harm resulted from the violation.