Texas Medical Records Privacy Act

A COALFIRE PERSPECTIVE
Texas Medical Records Privacy Act
Texas House Bill 300 (HB 300)
Rick Dakin, CEO & Co-Founder; Rick Link, Director; Andrew Hicks, Director

Overview

The State of Texas has pushed ahead of California and other states as one of the more progressive states in protecting non-public personal information. Protecting citizen privacy is a big deal in Texas. Specifically, the Texas Legislature adopted House Bill 300 (HB 300), which amends the Texas Medical Records Privacy Act (Texas Act) and became effective on September 1, 2012. While the content of the bill is important, the way it was adopted is equally telling: the bill received unanimous approval in both houses and was quickly signed into law by Texas Governor Rick Perry.

The bill sets a higher standard for enforcing medical record protection and dramatically improves patient/citizen access to their medical records. It also establishes strict guidelines for identifying data breaches and reporting them to patients. This legislation raises the privacy expectations of patients and citizens across the country.

Since HB 300 is now effective, covered entities in Texas (healthcare providers, health insurers, and health clearinghouses), including out-of-state companies that use and/or disclose protected health information (PHI) in Texas, must be aware of, and take steps to ensure compliance with, the new statutory requirements. In particular, HB 300 significantly expands patient privacy protection for covered entities in Texas beyond the federal requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act by:

- Expanding the definition of a "covered entity" to include any entity that comes into possession of, obtains, assembles, collects, analyzes, evaluates, stores or transmits PHI.
- Expanding privacy and data security mandates on covered entities in areas such as:
  - employee training;
  - patient access to electronic health records (EHRs);
  - a website to communicate a patient's privacy rights regarding PHI under federal and state law;
  - a list of the state agencies that regulate covered entities and each agency's complaint enforcement process;
  - notice of unauthorized disclosure to patients.
- Establishing standards for the use of EHRs.
- Granting audit and enforcement authority to applicable state agencies.
- Increasing civil and criminal penalties for the wrongful electronic disclosure of PHI.

This bill summary is intended to provide a high-level orientation to the new legislation and its potential effect on the healthcare industry in Texas. More detailed information concerning the Texas Act can be obtained from the state web site: http://www.legis.state.tx.us/billlookup/history.aspx?legsess=82r&bill=hb300

Exceeding the HIPAA Privacy Rule's requirements, the bill places the following mandates on covered entities with regard to maintaining the confidentiality, integrity, and availability of PHI:

Training: Covered entities must provide customized employee training on the maintenance and protection of electronic PHI, set deadlines for completion, and maintain records of training completion. Training is required at least every two years.

Consumer Access to EHRs: Patients must be provided with electronic copies of their health information (unless the patient agrees to accept it in another form) within 15 business days of the patient's written request for the records. This is stricter than HIPAA's 30-day requirement and introduces technology challenges for covered entities that are already struggling to keep records current and accurate.

Consumer Information Website: The Texas Attorney General will maintain a website that summarizes patients' privacy rights, provides contact details for filing complaints, and sets out compliance enforcement expectations that will affect every covered entity.

Consumer Complaint Processing and Reporting: The Attorney General will submit an annual report describing the number and types of complaints received and the enforcement action taken on each. The information in the report must be de-identified to protect the identity of the individuals involved.

Prohibited Disclosure or Sale of PHI: A covered entity is prohibited from disclosing a patient's PHI to any other person in exchange for direct or indirect remuneration. Covered entities may, however, disclose a patient's PHI to other covered entities for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by federal or state law.

Consumer Notice and Authorization Required for Electronic Disclosure of PHI: Covered entities must give patients notice that their PHI is subject to electronic disclosure, even when the disclosure is needed to provide medical services, and must obtain the patient's authorization for electronic disclosures other than those made for treatment, payment, health care operations, or as otherwise authorized by law.

Fines and Penalties

A civil penalty assessed under this section may not exceed:

(1) $5,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, if committed negligently;
(2) $25,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, if committed knowingly or intentionally;
(3) $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.

Civil penalties and fines may increase to $1.5 million annually if a pattern or practice of violations is established. The "death penalty" is also possible: where weak controls are demonstrated over an extended period, the state, acting through the covered entity's licensing agency, may revoke its license to operate.

As in cases where criminals forfeit assets to law enforcement agencies to fund continued enforcement programs, the state enforcement agencies may retain a portion of the civil penalties for Medical Records Privacy enforcement. The incentive to sustain strict enforcement has been set.

Mitigating factors that can limit penalties and fines include:

- documentation that a formal privacy and security program has been deployed by the covered entity;
- demonstration that corrective action has been taken;
- limited risk to the patient from the unauthorized disclosure. In most states, encryption of personally identifiable information (PII) or ePHI is adequate to demonstrate that the risk to the patient has been mitigated, provided the decryption key was not also exposed in the incident.

Audits and Risk Assessments

HB 300 provides for the state to request audits of covered entities by the U.S. Department of Health and Human Services; however, the bill is silent on when these federal audits will be performed. If the state identifies evidence of a violation, the covered entity may be required to submit a written risk analysis to determine whether the violation qualifies for enforcement action.

As with any compliance requirement, it is to the covered entity's advantage to maintain a current risk assessment that not only demonstrates the level of protection provided to patient data but also clearly shows that any failure to protect patient data was an exception to policy and not a pattern of neglect.

Breach Notification

While data breach notification was already part of the Texas code, this bill specifically requires covered entities to provide notice of breaches that meet specific unauthorized disclosure thresholds. An entity must disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made as quickly as possible, allowing only the time necessary to determine the scope of the breach and restore the reasonable integrity of the system. Failure to notify carries an additional civil penalty of up to $100 per individual for each day that notification is late, capped at $250,000 for all individuals affected by a single breach, plus the costs of notice and any fraud liability.

Five Simple Steps to Compliance

1. Establish a risk management program to support protection of sensitive patient data.
2. Document policies and controls regarding patient access to their EHRs to mitigate risks.
3. Train users to implement the controls and the privacy program.
4. Deploy a breach notification and incident response plan.
5. Conduct periodic assessments of the controls and the risk management program to demonstrate effective oversight (i.e., to avoid claims of a pattern of neglect).

Conclusion and Recommendations

Texas HB 300 is a game changer in many ways because of its added enforcement provisions. However, the path forward to compliance with this new legislation requires every covered entity to dust off a proven playbook that many healthcare organizations have used for a dozen years.

DALLAS | DENVER | LOS ANGELES | NEW YORK | SEATTLE | SAN FRANCISCO | WASHINGTON, D.C.
877.224.8077 | info@coalfire.com | www.coalfire.com