A COALFIRE PERSPECTIVE

Texas Medical Records Privacy Act
Texas House Bill 300 (HB 300)

Rick Dakin, CEO & Co-Founder
Rick Link, Director
Andrew Hicks, Director
Overview

The State of Texas has pushed ahead of California and other states as one of the more progressive states in protecting non-public personal information. Protecting citizen privacy is a big deal in Texas. Specifically, the Texas Legislature adopted House Bill 300 (HB 300), which amends the Texas Medical Records Privacy Act (Texas Act) and became effective on September 1, 2012.

While the content of the bill is important, the key issue is the way it was adopted. The bill received unanimous approval in both houses and was quickly signed into law by Texas Governor Rick Perry. The bill sets a higher standard for enforcing medical record protection and dramatically improves patient/citizen access to their medical records. It also establishes strict guidelines for identifying and reporting data breach information to patients. This legislation raises the privacy expectations of patients and citizens across the country.

Since HB 300 is now effective, covered entities in Texas (healthcare providers, health insurers, and health clearinghouses), including out-of-state companies that use and/or disclose protected health information (PHI) in Texas, must be aware of, and take steps to ensure compliance with, the new statutory requirements. In particular, HB 300 significantly expands patient privacy protection for covered entities in Texas beyond the federal requirements outlined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act by:

- Expanding the definition of a "covered entity" to include entities that come into possession of, obtain, assemble, collect, analyze, evaluate, store or transmit PHI.
- Expanding privacy and data security mandates on covered entities in areas such as:
  - Employee training
  - Patient access to electronic health records (EHRs)
  - A website to communicate a patient's privacy rights regarding PHI under federal and state law
  - A list of state agencies that regulate covered entities and each agency's complaint enforcement process
  - Notice of unauthorized disclosure to patients
- Establishing standards for the use of EHRs.
- Granting audit and enforcement authority to applicable state agencies.
- Increasing civil and criminal penalties for the wrongful electronic disclosure of PHI.
This bill summary is intended to provide a high-level orientation to the new legislation and its potential effect on the healthcare industry in Texas. More detailed information concerning the Texas Act can be obtained from the state web site: http://www.legis.state.tx.us/billlookup/history.aspx?legsess=82r&bill=hb300

Exceeding HIPAA Privacy Rule requirements, the bill places the following mandates on covered entities in regard to maintaining the confidentiality, availability, and integrity of PHI:

Training: Covered entities must provide customized employee training for the maintenance and protection of electronic PHI, set deadlines for completion, and maintain records of completion of training. Training will be required every two years.

Consumer Access to EHRs: Patients must be provided with electronic copies (unless the patient is willing to accept them in another form) of their health information within 15 days of the patient's written request for the records. This is stricter than HIPAA's requirement of 30 days and introduces technology challenges for covered entities as they struggle to keep records current and accurate.

Consumer Information Website: The Texas Attorney General will maintain a website that summarizes privacy rights, provides contact details for filing disputes, and sets compliance enforcement expectations that will affect every covered entity.

Consumer Complaint Processing and Reporting: The Attorney General will annually submit a report describing the number and types of complaints received, and the enforcement action taken for each complaint. The information in the report must be sanitized or de-identified to protect the identity of victims.

Prohibited Disclosure or Sale of PHI: A covered entity is prohibited from disclosing a patient's PHI to any other person in exchange for direct or indirect payment; however, covered entities may disclose a patient's PHI to other covered entities for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by federal or state law.

Consumer Notice and Authorization Required for Electronic Disclosure of PHI: Covered entities are required to provide patients with notice that their PHI is subject to electronic disclosure, even if the disclosure is needed to provide medical services.
Fines and Penalties

A civil penalty assessed under this section may not exceed:

(1) $5,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed negligently;
(2) $25,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed knowingly or intentionally;
(3) $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.

Civil penalties and fines may increase to $1.5 million if a pattern of neglect is established. The Death Penalty is possible if a pattern of weak controls is demonstrated for an extended period. In those cases, the Attorney General may revoke a covered entity's license to operate.

As in cases where criminals forfeit assets to law enforcement agencies for continued enforcement programs, the state enforcement agencies may retain a portion of the civil penalties for Medical Records Privacy enforcement. The incentive to sustain strict enforcement has been set.

Defenses to limit penalties and fines include:

- Documentation that a formal privacy and security program has been deployed by the covered entity
- Demonstration that corrective action has been taken
- Limitation of risk to the patient due to unauthorized disclosure

In most states, encryption of Personally Identifiable Information (PII) or ePHI is adequate to demonstrate that risk to the patient has been mitigated.

Audits and Risk Assessments

HB 300 asserts that the state will direct federal audits to be conducted by the Department of Health and Human Services; however, the bill is silent on when these federal audits will be performed. If the state identifies evidence of a violation, the covered entity may be required to submit a written risk analysis to determine if the violation qualifies for enforcement action.
As with any compliance requirement, it is to the advantage of the covered entity to maintain a current risk assessment that not only demonstrates the level of protection provided to patient data, but also clearly proves that any failure to protect patient data would have been an exception to policy and not a pattern of neglect.

Breach Notification

While data breach notification is already a part of Texas code, this bill specifically requires covered entities to provide notice of breaches that meet specific unauthorized disclosure thresholds. An entity must disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized individual. The disclosure must be made as quickly as possible, or as necessary to determine the scope of the breach and restore the reasonable integrity of the system. The breach notification section allows for an additional penalty of $100 per day and up to $250,000 per record, plus notice costs and fraud liability, as part of the breach notification provisions.

Five Simple Steps to Compliance

1. Establish a risk management program to support protection of sensitive patient data.
2. Document policies and controls regarding patient access to their EHRs to mitigate risks.
3. Train users to implement the controls and privacy program.
4. Deploy a breach notification and incident response plan.
5. Conduct a periodic assessment of the controls and risk management program to demonstrate effective oversight (i.e. avoid claims of a pattern of neglect).

Conclusion and Recommendations

Texas HB 300 is a game changer in many ways due to the added enforcement provisions. However, the path forward to maintain compliance with this new legislation requires every covered entity to dust off a proven playbook that has been used by many healthcare organizations for a dozen years.
DALLAS | DENVER | LOS ANGELES | NEW YORK | SEATTLE | SAN FRANCISCO | WASHINGTON, D.C.
877.224.8077 | info@coalfire.com | www.coalfire.com