Don’t Mess With Texas—A Summary of State Laws Concerning Health Information

In May of 2011, Texas passed House Bill 300, which amends the Texas Health and Safety Code and contains privacy requirements that are more stringent than the federal privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  In particular, this new Texas law imposes requirements regarding training, electronic health records access, sales of protected health information, notice and authorization for electronic disclosures, enforcement and disciplinary actions, and audits of covered entities. This law was effective on September 1, 2012. So, as move farther into 2013, companies impacted by this Texas law should confirm their compliance with its requirements.

By way of background, the Texas Health and Safety Code contains an expansive definition of a “covered entity,” which is broader than HIPAA’s definition. Under HIPAA a covered entity is a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction. In addition, the Health Information Technology for Economic and Clinical Health Act resulted in business associates, as defined under HIPAA, having to comply with the many of the HIPAA privacy and security requirements in the same manner as covered entities.

Under Texas law, a covered entity includes any person who for financial gain engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. This term includes business associates, healthcare payers, governmental units, computer management companies, schools, health researchers, healthcare providers, and internet site providers; who come into possession with or obtain or store protected health information; as well as their employees, contractors, or agents. As a result, a broad array of people and companies, beyond those directly covered by HIPAA, are subject to the Texas law, which is summarized below in more detail.


According to the Texas law, each covered entity must train its employees on state and federal laws regarding protected health information no later than the 60th day after the employee is hired. All employees must receive this training at least once every two years. Each employee must sign a statement verifying the employee’s training. The covered entity must maintain these signed statements. Although HIPAA requires covered entities to train their employees on privacy and security, HIPAA does not provide specific timelines for such training.

Consumer Access to Electronic Health Records

The Texas law requires a healthcare provider that uses an electronic health records system to provide, within 15 business days of a written request, a record in electronic form to the individual, to whom the record relates, unless such individual agrees to accept the record in another form.

Sale of Protected Health Information

Under the law, a covered entity may not disclose an individual’s protected health information to anyone in exchange for remuneration. However, there are exceptions. A covered entity may disclose in exchange for remuneration an individual’s protected health information to another covered entity for the purpose of treatment, payment, healthcare operations, performing an insurance or health maintenance organization function, or as otherwise authorized required by state or federal law.

Notice and Authorization Required for Electronic Disclosures of Protected Health Information

If the individual’s protected health information is subject to electronic disclosure, the law requires a covered entity to provide notice of such electronic disclosure to the individual, who is the subject of the disclosure. The notice may be posted via a written notice in the covered entity’s place of business, on the covered entity’s internet website, or in any other place where the individual, whose protected health information is subject to electronic disclosure, will likely see the notice.

In addition, a covered entity may not electronically disclose protected health information without obtaining an authorization from the individual or the individual’s representative. The authorization may be in written, electronic, or oral form; if the covered entity documents it in writing.

There are exceptions to this requirement. The authorization for electronic disclosures is not required if the disclosure is made to another covered entity for the purpose of treatment, payment, healthcare operations, performing an insurance or health maintenance organization function, or as otherwise authorized required by state or federal law. Sound familiar? In the future, the Texas Attorney General will be adopting a standard form of authorization, which must comply with these Texas requirements as well as HIPAA.

Enforcement and Disciplinary Actions

The Texas legislation changed the amount of civil penalties for violations of the original Texas privacy law. For example, civil penalties for each negligent violation increased from $3,000 to $5,000 and up to $25,000 for each knowing or intentional violation. If the violations occur with a frequency as to constitute a pattern or practice, the court will be able to assess a civil penalty of up to $1.5 million annually. Prior to this Texas law, the total penalty could not exceed $250,000.

Currently, a covered entity is also at risk for disciplinary proceedings, probation, or suspension by a licensing agency, as well as revocation of its license for a violation of the Texas law. However, under the new law, a violation also may result in the referral of the covered entity’s case to the attorney general for potential civil penalties.

Audits of Covered Entities

Finally, the new Texas law provides that the Commission of Health and Human Services (the “Commission”), in coordination with the Texas Attorney General, the Texas Health Services Authority, and the Texas Department of Insurance may request the U.S. Secretary of Health and Human Services to conduct audits of various covered entities to determine compliance with HIPAA; and shall monitor and review periodically the results of such audits.

In addition, if the Commission merely has “evidence” that a covered entity committed violations of the Texas law that are egregious and constitute a pattern or practice, the Commission may require the covered entity to submit to the Commission the results of a risk analysis conducted by the covered entity (if such risk analysis was required under the HIPAA Security Standards); or request a licensing agent, as applicable, to conduct an audit of the covered entity’s system to determine compliance with the Texas law.

So, not only is the new Texas law more stringent than HIPAA, it requires Texas agencies to coordinate privacy and security law enforcement efforts with federal agencies.  As a result, organizations subject to HIPAA and/or the new Texas law had a number of new compliance steps to implement by September of 2012 or else face potential enforcement by both state and federal agencies.

— Cheryl Camin Murray is a shareholder in Winstead’s healthcare industry group.

Posted in Expert Opinions, Government/Law.