
Page 1: Presented by: Coleman Johnson Director of Contracts, Reporting, Security & Policy and Terry Alexander Director of CAH and Rural Hospitals The West Texas


House Bill 300: The Texas Medical Records Privacy Act
The Impact on all of us*

Presented by:
Coleman Johnson, Director of Contracts, Reporting, Security & Policy
and
Terry Alexander, Director of CAH and Rural Hospitals
The West Texas Health Information Technology Regional Extension Center (WTxHITREC)

*Disclaimer: Information for educational purposes only, not legal advice.

Page 2

House Bill 300
Bill Sponsor: Senator Jane Nelson. Senator Nelson represents part of Denton County and Tarrant County.
Primary Bill Author: Representative Lois Kolkhorst
Joint Bill Author: Representative Elliott Naishtat

HB300 was signed by Governor Rick Perry on 6/17/2011 and went into effect 9/1/2012. The bill itself is only 21 pages long!

HB 300 is available online at: www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf

Page 3

House Bill 300 has 2 Nicknames

“Texas HIPAA”

and

“HIPAA on STEROIDS!”

Page 4

Massive Impact in 21 Pages
- Changes Texas Health and Safety Code
- Changes to Texas Business and Commerce Code
- Changes to Texas Insurance Code
- Dramatically Impacts ALL Texans
- Massive Fines for Violations
- Attorney General Website to Report Violations
- Requires Documented Training
- State to Seize Medical Records

Page 5

Specific Sections of Legislation Amended
- Health and Safety Code – Section 181
- Health and Safety Code – Section 182
- Insurance Code – Section 602
- Business and Commerce Code – Section 521
- Business and Commerce Code – Section 522

Page 6

Purpose of Act: PROTECTION

The need for protection is obvious. The Ponemon Institute’s December 2011 study – Second Annual Benchmark Study on Patient Privacy and Data Security – reports that as many as 96 percent of the 72 national healthcare providers surveyed indicated they experienced a data breach in 2010-2011.

Study is available at http://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pdf

Page 7

What is Protected?
Protected Health Information:

For a covered entity that is a governmental unit, HB 300 includes any information that reflects that an individual received health care from a covered entity that is not public information subject to disclosure by Chapter 552 of the Texas Government Code.

For others, the definition of PHI is engrafted from the Health Insurance Portability and Accountability Act “HIPAA”, which is individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.

HB 300 incorporates HIPAA provisions in effect as of Sept. 1, 2011; however, HIPAA has since been modified under the Omnibus Final Rule. The executive commissioner of the Texas HHSC is to determine whether it is in the best interest of the state to adopt any amendments made by the Final Rule.

Page 8

Covered Entities
Covered entity is defined as any person who:
- For commercial, financial or professional gain, monetary fees or dues, or on a cooperative, nonprofit or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information;
- Comes into possession of protected health information;
- Obtains or stores protected health information under the federal statute and regulations; or
- Is an employee, agent or contractor of one of these persons who creates, receives, obtains, maintains, uses or transmits protected health information.

Page 9

In other words, YOU!!

Virtually every Texan will be impacted. If you can spell “PHI”, then you are likely to be affected.

Page 10

Examples (a short list) of Covered Entities Impacted
- Hospitals
- Medical Providers
- EMS/Fire
- Schools
- Employees
- Churches
- Sports Teams
- Camps
- Ambulance
- Labs
- Imaging
- Doctors
- Tech Support
- Administrators
- Transportation
- Individuals
- Law Firms

Page 11

Restricted Activities

Unauthorized Disclosure
Disclosure is defined as any action to “release, transfer, provide access to or otherwise divulge information outside the entity holding the information.” This is a very broad definition.

Sale of Information
Covered entities may not disclose PHI in exchange for direct or indirect remuneration, unless the disclosure is for:
- Treatment;
- Payment;
- Health Care Operations; or
- Performing an insurance or health maintenance organization function.
Remuneration may not exceed the covered entity's reasonable cost for preparing or transmitting the PHI.

Page 12

Consumer Access to Records
If using an electronic health records system: provide the record electronically within 15 business days of a written request, unless the person agrees to accept the record in another form.

Page 13

Consumer Complaints
The attorney general shall maintain a website for consumers that provides information regarding the agencies that regulate covered entities in Texas and detailed information regarding each agency’s complaint enforcement process.

The attorney general will annually submit a report to the Texas legislature that describes the number and types of complaints received by the attorney general and by other state agencies receiving consumer complaints.

Page 14

Notice and Authorization Requirements
CE must Post Notice: A covered entity that creates and receives PHI must provide a general notice to individuals if their personal health information is subject to electronic disclosure. This duty to provide notice can be satisfied by:
- Posting written notice in the place of business;
- Posting notice on a website; or
- Posting notice in a place where individuals whose PHI is subject to electronic disclosure are likely to see the notice.

The notice must be conspicuous and understandable.

Page 15

Notice and Authorization Requirements Continued

Even if notice is posted, a covered entity may not electronically disclose an individual’s PHI to any person without a separate authorization from the individual for each disclosure.

EXCEPTION: This authorization is not required, however, if the disclosure is made to another covered entity (as defined by Health and Safety Code Section 181.001) or to any covered entity as defined by Section 602.001 of the Insurance Code, solely for purposes of treatment, payment or healthcare operations, if performing health maintenance organization functions as defined by the Insurance Code, or if otherwise authorized or required by state or federal law.

Standard authorization form available at www.oag.state.tx.us/AG_Publications/pdfs/hb300_auth_form.pdf

Page 16

Breach Notification – Current Version
The existing statute limited breach notifications to residents of Texas. Now, HB 300 updates the language to make it apply to all individuals whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person.

If the individual is a resident of a state that has its own related breach provision, the covered entity can comply with that state’s law in terms of notification.

Page 17

Breach Notification – SB 1610
If the individual whose PHI is acquired by an unauthorized person is a resident of a state that requires notice of a breach of system security, the notice may be provided under that state’s law or under Texas law.

Notice may be given by written notice at the last known address of the individual.

Page 18

Required Training – Current Version

Covered entities must provide a training program pertaining to protected health information.

All new employees must be trained within 60 days of their hire date and the training must be customized for their role.

Each employee must sign a document attesting to their attendance and said documents must be maintained by the covered entity.

All employees must be trained at least once every 2 years.

Page 19

Required Training – SB 1609 Updates

Each covered entity shall provide training to employees as necessary and appropriate for the employees to carry out the employees’ duties for the covered entity.

An employee must complete training not later than the 90th day after the date the employee is hired.

If duties of an employee are affected by a material change in state or federal law concerning PHI, the employee shall receive training within a reasonable period, but not later than the first anniversary of the date the change in law takes effect.

Employees need to sign a statement verifying completion of training, which shall be maintained until the sixth anniversary of the date it was signed.

Page 20

Enforcement
4 general ways the Medical Records Privacy Act will be enforced:
- Government audit
- Complaint filed with the attorney general that leads to investigation
- State attorney general
- Whistleblower suit

Page 21

Audits
The Texas Health and Human Services Commission “HHSC”, in connection with the state attorney general, the Texas Health Services Authority “THSA”, and the Texas Department of Insurance, may request that the U.S. secretary of health and human services conduct an audit of a covered entity as to the compliance of the covered entity with HIPAA. The Texas HHSC is also charged with periodic monitoring and with reviewing the results of audits.

If the Texas HHSC becomes aware of egregious violations that demonstrate a pattern and practice, it may require a covered entity to submit to the Texas HHSC any federal risk analysis that the covered entity prepares to comply with HIPAA. In addition, if the covered entity is licensed by a state agency, the Texas HHSC may require the agency to conduct an audit to determine compliance.

Page 22

Civil Penalties for Noncompliance
The state attorney general may institute an action for civil penalties for violations of the Medical Records Privacy Act under HB 300 not to exceed:
- $5,000 per violation per year if negligent;
- $25,000 per violation per year if knowing or intentional, regardless of the length of time of the violation within the year; or
- $250,000 for each violation if knowing or intentional and for financial gain.
- $1.5 million annually in the event there is a finding that violations have occurred with a frequency so as to constitute a pattern or practice.

Page 23

Civil Penalties Continued
Factors for determining the appropriate financial penalty include:
- The seriousness of the violation;
- The entity’s compliance history;
- Whether the violation poses a significant risk of financial, reputational or other harm to the individual whose PHI was involved in the violation;
- Whether the covered entity was working with or as a certified entity, that is, certified to be in compliance with privacy and security standards being developed by the THSA as per Section 182.108 of the Health and Safety Code;
- The amount necessary to deter future violations; and
- The covered entity’s efforts to correct the violation.

Page 24

Additional Penalties
In addition to civil penalties, a covered entity that is licensed by a state agency is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency.

Penalties for businesses that do not comply with the breach notification provisions include a civil penalty of not more than $100 for each person, per day, that is not notified, with a cap of $250,000 for a single breach, and possible felony charges.

Page 25

Example

Sarah, an EMS worker, texts a photo of a motorcycle accident with the note, “Saw this today,” to her boyfriend, Paul, at the local Volunteer Fire Department, who has just completed HB300 training.

Paul recognizes the motorcycle, and forwards it to his cousin, Clara, whose roommate, Lorenzo, was injured in the accident, asking, “Heard your roommate has two broken legs! Is Lorenzo out of ICU yet?” The cousin replies, “He is better, but please pass it on to church to keep him in their prayers.”

The cousin, Clara, also posts a request to “Pray for Lorenzo Smith, who was hurt in a motorcycle accident, and is in the hospital,” on Facebook. Clara also puts a note in the “In Our Prayers” box at church with Lorenzo’s name, and that he is recovering from an accident.

The pastor, Father Nixon, announces the prayer request to the congregation of 186 people.

In the back of the room is a lawyer, Matthew, who texts his secretary about Lorenzo’s injuries, and asks her to contact him at the hospital regarding his legal representation.

Page 26

Civil Penalties for Noncompliance
- $5,000 per violation per year if negligent;
- $25,000 per violation per year if knowing or intentional, regardless of the length of time of the violation within the year; or
- $250,000 for each violation if knowing or intentional and for financial gain.
- $1.5 million annually in the event there is a finding that violations have occurred with a frequency so as to constitute a pattern or practice.

Page 27

Number of Violations

Who / Role                                              Violation                                    Count   Penalty each   Subtotal
Sarah, EMS worker (EMS Service)                         No violation unless information is identifiable  -   -              $0
Volunteer Fire Department                               Negligent release                            1       $5,000         $5,000
Paul, at Volunteer Fire Department                      Intentional release                          1       $25,000        $25,000
Clara, cousin/roommate (reply, Facebook posting, prayer box)  Negligent release                      3       $5,000         $15,000
Pastor                                                  Negligent release                            186     $5,000         $930,000
Lawyer                                                  Intentional release for financial gain       1       $250,000       $250,000

Total fines: $1,225,000

Page 28

HB 300 Action Items
- Train Staff
- Update policies and procedures
- Post Notice
- Update Disclosure Authorization Form
- Update BAA

Page 29

Q & A

Contact Information: WTxHITREC Main Number: (806) 743-7960

Director of Critical Access and Rural Hospitals: Terry Alexander: (214) 236-5327

Director of Regional Coordinators: Bruce Edmunds (915) 727-4727

Director of Contracts: Cole Johnson (806) 743-7960

Regional Coordinators (Trusted Advisors):
Becky Jones: (806) 743-7960 Ext: 360
Cappi Phillips: (806) 778-3243
Sharon Rose: (806) 928-6403
Leta Cross-Gray: (325) 721-2500

All e-mail addresses are: <first name>.<last name>@ttuhsc.edu