On September 1, 2012 Texas law H.B. 300 takes effect and new bureaucratic medical record disclosure rules and penalties will apply to medical practices as well as “any person … who comes into possession of protected health information.” (Texas Health Code Chapter 181.001 as modified by HB 300)
Proponents of the law claim it protects patient privacy. However, like HIPAA, the law provides for disclosure of patient records to certain third parties (for example insurance companies) without the patient’s authorization. (Texas Health Code Chapter 181.154 as modified by HB 300)
The law also gives additional authority to a public-private non-profit corporation (THSA) to develop statewide “standards for the electronic sharing of protected health information” and “a process by which a covered entity may apply for certification by the corporation of a covered entity’s past compliance.” (Texas Health Code Chapter 182 as modified by HB 300)
This law is yet another example of the counterproductive red-tape and bureaucratic interference that continue to push private-practice independent physicians out of practice.
AAPS is working to roll back the mistakes in H.B. 300 but below are key points physicians will need to know and comply with when it becomes law on Sept 1.
(Please note, even if you are not a covered-entity under the federal HIPAA law, these provisions of H.B. 300 apply to you per the definition of “covered entity” in Texas Health Code Chapter 181.001)
- Each covered entity shall provide a training program to employees (within the first 60 days of employment) regarding state and federal law concerning protected health information as it relates to the covered entity’s particular course of business; and each employee’s scope of employment. Employees must review this program at least once every two years. Click here to view a sample training program. A covered entity shall require employees receiving training to sign a statement verifying the employee’s attendance at the training program. The covered entity shall maintain the signed statement. (Texas Health Code Chapter 181.101 as modified by HB 300)
- If a health care provider is using an electronic health records system that is capable of fulfilling the request, the health care provider, not later than the 15th business day after the date the health care provider receives a written request from a person for the person’s electronic health record, shall provide the requested record to the person in electronic form unless the person agrees to accept the record in another form. (Texas Health Code Chapter 181.102 as modified by HB 300)
- The sale of protected health information is prohibited, except “as otherwise authorized or required by state or federal law.” (Texas Health Code Chapter 181.153 as modified by HB 300)
- If there is an unauthorized electronic disclosure of a patient’s PHI, then the patient should be notified. (Business and Commerce Code Chapter 521.053 as modified by HB 300)
- A covered entity shall provide notice to an individual for whom the covered entity creates or receives protected health information if the individual’s protected health information is subject to electronic disclosure. (Texas Health Code Chapter 181.154 as modified by HB 300)
- A covered entity may not electronically disclose an individual’s protected health information to any person without a separate authorization from the individual or the individual’s legally authorized representative for each disclosure. Authorization is not required if the disclosure is made for the purpose of treatment, payment, health care operations; or performing an insurance or health maintenance organization function or as otherwise authorized or required by state or federal law. (Texas Health Code Chapter 181.154 as modified by HB 300)
- Violations of the above and other sections of HB 300 can be penalized with fines up to $1.5 million dollars. (Texas Health Code Chapter 181.201 and Business and Commerce Code Chapter 521.151 as modified by HB 300) Certain violations are a “state jail felony” offense. (Business and Commerce Code Chapter 522.002 as modified by HB 300)
- In addition to fines, a violation by an individual or facility that is licensed by a Texas agency (e.g. Texas Medical Board) is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. If there is evidence that the violations of this chapter constitute a pattern or practice, the agency may revoke the individual’s or facility’s license. (Texas Health Code Chapter 181.202 as modified by HB 300)