Texas House Bill 300 & HIPAA. A MainNerve Whitepaper

Transcription

1 A MainNerve Whitepaper

2 Overview If you do business in Texas and your organization handles, creates, stores, transmits or has access to electronic patient healthcare information, you need to be mindful of Texas HB300. Everything is bigger in Texas! This statement also applies to the size and scope of The Texas House Bill 300 Privacy and Security Rule which goes above and beyond Federal HIPAA regulations to ensure the Privacy and Security of Patient Healthcare Information. Not only must organizations and providers comply with stringent State & Federal regulations concerning privacy and electronic data security, they must also guard against identity theft as well as more complex scenarios of hacking, spoofing, viruses, male ware, and actual theft of critical and sensitive data. The federal Health Insurance Portability and Accountability Act (HIPAA) was put into effect to safeguard the privacy of health information; however, the legislature in Texas was concerned that HIPAA did not go far enough to safeguard electronic protected health information (PHI). This concern resulted in Texas House Bill (HB) 300, which amends several Texas privacy statutes. The Texas HB 300, Texas Laws of 2011, Ch. 1126, was passed in 2011 and went into effect September 1, At the basic level, Texas as with many other states have taken the premise of the Federal HIPAA regulations and further expanded the definition of what is considered Protected Health Information, and who is considered a Covered Entity. Texas has also expanded the applicable fines and penalties both Civil and Criminal for violations of the Security and Privacy Rule under HB300. On September 1, 2012 Texas H.B. 300 took effect and new bureaucratic medical record disclosure rules and penalties now apply to medical practices as well as any person who comes into possession of protected health information. (Texas Health Code Chapter as modified by HB300 We will take a look at the changes Texas has made to overall Security and Privacy and how you can best prepare for these change as to not be caught off guard. Covered Entity Expansion of the definition causing more organizations to be considered a Covered Entity Increased Mandates Covered Entities are required to go beyond HIPAA for training and release of patient information. Stronger Enforcement Penalties State penalties apply in addition to Federal penalties.

3 Covered Entity Revision Assembling, Collecting, Analyzing, Using, Evaluating, Storing or Transmitting. The Texas HB 300 revised definition of a covered entity (CE) is broad and includes not only health care providers but also other entities and individuals who previously were classified as business associates and health care payers. Under this new law, an entity is a covered entity and subject to the state s privacy rules when it: Engages in whole or in part in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. This definition includes an Internet site, a business associate (BA), health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, or clinic of health care provider. Comes into possession of protected health information. Obtains or stores protected health information under this chapter. Is an employee, agent, or contractor of a person described above? This revised definition of a CE impacts any entity that conducts business in Texas and collects, uses, and/or stores PHI. This means that business associates (BAs) of physician practices will also be accountable to the provisions of HIPAA and HB300 unless they have no contact with PHI. The rational for the expansion of the definition of a Covered Entity in HB300 is to account for the many organizations that do not provide actual care, yet rather through an indirect or direct means have access to protected healthcare information. Under Texas HB300, information such as Bob Jones setting an appointment with a Psychiatrist can be seen as protected healthcare information as there is little doubt as to the services Bob will receive when seeing a Psychiatrist. This can also be said for an OBGYN, STD testing facility or Cancer treatment center. In an effort to provide minimal safeguards for patient information, Texas HB300 added many more organizations and individuals to the pool of Covered Entities. HIPAA covered entities include healthcare providers, healthcare clearing houses, health plans, and any of their business associates. Texas on the other hand defines a covered entity in several ways, the most encompassing of which states that a covered entity is any person who comes into possession of protected health information As the exchange of patient healthcare information increases, so does the need for means and measures to protect this information while still providing reasonable access by patients and those who need access.

4 Increased Mandates Texas HB300 Preempts Federal HIPAA Requirements. The greatest challenge most organizations face in dealing with the complex regulations surrounding protected healthcare information is appreciating not only the Federal HIPAA requirements but also appreciating when certain State regulations preempt the Federal requirements. Such is the case with employee training and release of patient healthcare records as outlined in Texas HB300. Additional Training: One of the most significant changes to the Texas Act through the adoption of HB300 is the mandatory, customized, employee training regarding state and federal patient privacy and security laws. Many breaches of PHI may be avoided if employees understand privacy policies and remain highly attentive to PHI as defined by HIPAA. The new law requires that the training include the course of business of the CE, and it must be tailored to the employee s specific responsibilities and types of contact with PHI. The organization is further required to maintain a log with employee signatures verifying their attendance at the training. This training must be completed by the employee of a CE once every two years and not later than 60 days after hire date. This training requirement is an expansion of the HIPAA Privacy Rule that does not currently require customized staff training. Texas covered entities are required to provide a training program to their employees regarding state and federal medical privacy laws as they relate to the entity s particular course of business and each employee s scope of employment HIPAA currently only requires that employees be trained with a reasonable period of time after hire and after any material changes in application policies. Many Texas based organizations spend time and resources on in depth Federal HIPAA training while giving no attention to the State Privacy and Security requirements. Texas based organizations should make sure the training they are providing reflects the Texas HB300 requirements.

5 Release of Patient Information: Texas HB300 also requires Texas Covered Entity s to provide patients with their health records (HRs) in an electronic format no later than 15 business days after receiving a written request. This mandate differs from HIPAA, which allows 30 days to provide patients with their Healthcare Records. A standard format to make the release of Electronic Healthcare Records consistent with federal law has been recommended by the Texas Health and Human Services Commission. In addition, the HB300 law broadens the scope of Notice of Privacy Practices (NPP) or other general notices to inform patients about how their e-phi is used and disclosed. Organizations should update their Notice of Privacy Practices and revise policies on patient access to their Electronic Healthcare Records. The new timeline for release of patient s healthcare information is only half the time currently allowed under Federal HIPAA regulations. As with most instances, the modification to the release of patient healthcare information requirements by Texas HB300 is an effort to provide better care and better access to providers for the public. The quicker patient information can be accessed, the higher the level of care can be provided to the consumer.

6 Stronger Enforcement Penalties: As with most regulations, there is little acceptance without some teeth or motivation for following the requirements, this is the cause for Texas to implement fines and penalties on top of the already stringent Federal HIPAA penalties. The enforcement of Texas House Bill 300 privacy protections is conducted through financial penalties, disciplinary actions, and audits that are intended to deter additional breaches. The court when determining the consequence of a breach may consider several factors: Seriousness of the violation by a CE CE s compliance history Harm done to individual(s) through the breach Efforts made by the CE to correct the violation Civil penalties may be assessed up to: $5,000 per violation if committed negligently $25,000 per violation if committed knowingly or intentionally Texas House Bill 300 allows for a $5,000 civil penalty for each violation committed negligently; $25,000 civil penalty for each violation committed knowingly or intentionally; and $250,000 civil penalty for each violation committed knowingly or intentionally for financial gain. $250,000 per violation if committed intentionally for financial gain $1.5 million if a pattern of practice is found The website of the Office of the Attorney General of Texas contains consumer access to public health information to educate members of the public, including steps to take to file a complaint with applicable state agencies and their contact information. The Attorney General of Texas will file an annual report that includes an overview and statistical analysis of the complaints received.

7 Preparing Your Organization for HB300: Texas HB 300 is more protective of patients, but increases cyber liability risks for CEs. There are several immediate steps a CE can take to help reduce these risks: Immediately ramp up efforts to provide customized employee training on state and federal privacy and security requirements Revise employee privacy training materials and policies Revise policies on patients access to their EHRs Update Notice of Privacy Practices Revise business associates (BA) agreements to include Immediate notification when a breach is discovered Clarification of who notifies affected individuals by mail, who incurs the cost Contract termination if BA fails to comply with privacy laws or take reasonable steps to fix the breach Evidence that BA performs security risk analysis at least annually Evidence that BA provides required privacy training to employees Stronger enforcement penalties Encode PHI stored on mobile devices Encode PHI sent electronically Advancements in health information technology increases ease of access to patient healthcare information not only for those who should have access but also for those who should not. Increased vulnerability of health information requires increased protection. Any person who comes in contact with PHI and does business in Texas must comply with Texas HB300. Detailed documentation and strong procedures can mean the difference between a single, noncompliant event and a pattern of practice. Conclusion Understanding State & Federal HIPAA regulations can be daunting, yet the experienced professionals at MainNerve can assist your organization in better understanding and meeting those requirements. Texas HB300 is just one initiative that many states are taking to provide ease of access and a higher level of patient care. By appreciating whether Texas HB300 applies to your organization you can better prepare for implementation of the requirements for Covered Entity s as well as best train your staff and avoid State and Federal penalties.

8 Top Five Ways to Protect Your Network References House Bill 300, 82d Leg., (Tex. 2011) 4. H.B. 300, supra note 4