The healthcare industry is no stranger to privacy regulation: HIPAA and HITECH were both designed to protect patients' protected health information (PHI). Beginning September 1, 2012, with the enactment of Texas House Bill 300 (HB300), those who access or use PHI are subject to tighter regulations and steeper penalties for security breaches.
HB300 was introduced because of concerns that HIPAA and HITECH did not provide enough safeguards for PHI. The bill passed both houses of the Legislature unanimously and was signed by Governor Rick Perry in June 2011. One of the most significant changes it brings is an expanded definition of “covered entities.” The bill casts a wider net over who is held liable for safeguarding PHI, so many businesses and individuals previously exempt from HIPAA must now comply under the state law.
The broader definition of a covered entity under HB300 includes any individual, business, or organization that uses, collects, analyzes, stores, or transmits PHI. Evaluate your level of contact with PHI to determine whether you or your business is a “covered entity.”
Highlights of changes
The changes that affect “covered entities” under HB300 include mandatory employee training regarding PHI, stronger patient rights of access to their electronic medical records (EMR), and expanded requirements for notification of a breach of PHI. Non-compliance with these standards carries stricter penalties.
Mandatory Employee Training Program
HB300 requires that all employees of a covered entity receive training on both federal and state privacy requirements no later than 60 days after their hire date, and that the training be repeated every two years. The training must be tailored to the company's “particular course of business” and to each employee's scope of employment as it relates to PHI. Employers must retain a signed statement verifying each employee's completion of the training.
Patient Rights to Electronic Medical Records
Another change that may affect business operations involves a patient's right to access their own EMR. Under HIPAA, healthcare providers had up to 30 days to provide a patient with an electronic copy of their records; HB300 requires that the records be provided within 15 business days of a written request.
Breach Notification and Potential Penalties
The scope of breach notification has also expanded under HB300. Any business that operates in Texas and handles PHI must notify all affected individuals of a breach regardless of their state of residency; previously, notification was required only for Texas residents. In practice this means you may also need to understand the breach notification requirements of other states to ensure the proper measures are taken.
HB300 also sets out how individuals must be notified in the event of a breach, and how they must be informed that their PHI is subject to electronic disclosure. In addition, the law requires a separate authorization for each electronic disclosure of an individual's PHI, other than disclosures for treatment, payment, health care operations, or as otherwise permitted by law.
Covered entities face increased penalties for failing to make appropriate breach notifications, and several factors determine the severity of the penalty. Wrongfully disclosing a patient's PHI carries state penalties in addition to federal ones, ranging from $5,000 to $1.5 million per year.
Next steps for your practice
This is only a snapshot of the changes introduced by HB300. Study the bill in greater detail to understand its requirements and ensure that the proper measures are taken to meet them. Begin by determining whether your practice is a “covered entity” under HB300, then build a plan to put the necessary changes into practice. This exercise can also help identify weaknesses in your current business practices that increase your exposure to security breaches. If you do not have an incident response plan for a breach of PHI, it is important to construct one.
Several companies have begun offering customized programs, including online resources, to train employees on PHI regulations. Do your research, and consult a legal professional if you have questions or need guidance in interpreting the new law and assessing how best to protect your practice.