Texas' HB 300
One great benefit about being HIPAA compliant is that there is quite a bit of overlapping when it comes to being compliant with multiple other rules. One example of this comprehensiveness is the Texas House Bill 300 and the subsequent Omnibus Rule that has since expanded HIPAA regulation even beyond HB300. Essentially, this means that anyone who is compliant with HIPAA is more than compliant with Texas HB300.
This is certainly a good thing. But what is the HB300 bill and what do organizations need to do to stay compliant with it? Let’s take a look.
What is the Texas HB300 Bill?
The 82nd Texas Legislature enacted House Bill 300, sometimes known as HB300, and it took effect on September 1st, 2012. The bill made major changes to various Texas statutes in order to improve the safeguards and security of protected health information (PHI) when it is stored and handled. Separate from the standards established by HIPAA regulation, the statute includes revisions to Texas’ definition of a Covered Entity (CE).
A focus on customized staff training requirements for covered organizations is at the heart of HB300. All new workers who handle or come into contact with PHI or sensitive personal information must complete privacy training within 60 days of hire, with further training sessions needed every two years. According to HB300, these training sessions must be tailored to each employee's unique function within the business and the precise methods in which they are required to handle PHI or SPI. Upon attendance, sessions must be documented and validated using employee signatures.
New Requirements Under HB300
The definition of a covered entity was broadened significantly under HB300. The statute broadens the definition of a Texas CE to include anyone who collects, analyzes, utilizes, assesses, keeps, or transmits protected health information. Any BA, health care payer, governmental unit, data management entity, health researcher, medical facility, health clinic, care provider, or individual professional who maintains an internet site is now considered a covered entity.
Another thing that HB300 affects is EHRs or electronic health records. Whether a CE develops or receives a patient's PHI, the patient must be notified if their PHI will be exposed electronically. Unless the PHI is being communicated to another CE for treatment, payment, or insurance purposes, the patient must express their legal consent before it can be transmitted. Physicians who utilize EHRs must offer patients with electronic access to their information within 15 days of receiving a written request. This is in contrast to the HIPAA-approved 30-day regulation. If a practitioner is unable to create an electronic copy or if the patient has consented in advance, the data can be delivered in a different format.
Cost of Non-Compliance with HB300
Noncompliance with Texas House Bill 300 carries severe consequences. The Texas Attorney General has the authority to impose civil monetary fines on companies and persons that do not follow the law. In circumstances when a company or individual has exhibited ongoing violations, state licenses can be canceled. The penalties for a violation of Texas HB 300 are divided into levels, similar to HIPAA. The punishment for carelessness is $5,000 per violation per year. The punishment for willful infractions is $25,000 per violation per year. The punishment for deliberate offenses committed for financial gain is $250,000 per violation per year.
HB300 and HIPAA
When HB300 was first passed in 2012, it set a higher standard for applicable Texas companies than HIPAA had at that time. Most of this is due to the bill’s expansion of the Covered Entity role beyond the more narrow definition that HIPAA laid out.
However, less than a year after HB300 went into effect and strengthened the requirements for keeping PHI secure within Texas, HIPAA went through a massive update with the passage of the Omnibus Rule. This new rule took a similar approach as HB300 in that it widened the scope of people and businesses that now had to comply with HIPAA. These laws came into effect around the same time, with around the same intention. But since HIPAA is a national law, it in many ways has overshadowed HB300 since there is much overlap. Next, let’s look at how to comply with HB300.
Staying Compliant With HB300
Luckily, compliance with HB300 isn’t very difficult. If you’re already compliant with HIPAA, you’re most likely compliant with HB300 already.
HB300 includes tougher responsibilities for all firms that handle PHI in any capacity, in addition to a larger definition of a covered company. Unless a BA has no contact with PHI, a few requirements must be incorporated into their communications and interactions with a CE. When a breach is identified, BAs must promptly notify their relevant CE, and if a BA fails to appropriately remedy the breach or is in violation of the HB300 law, the contract must be terminated. BAs must also show that they do yearly security risk evaluations and that their workers have undergone sufficient privacy training.
All persons and organizations that hold, procure, assemble, collect, analyze, assess, keep, or transmit protected health information must teach their employees about the obligations of Texas HB 300 and the existing statutes it modified.
Is HIPAA Compliance Enough to Comply with HB300?
Luckily, if you have achieved and continue to maintain compliance through Accountable’s platform, then you have already gone above and beyond the HB300 requirements. Be sure to continue completing your yearly risk assessments, signing BAAs with anyone that you share PHI with, and training your employees yearly. If you keep up with all of these tasks, then HB300 should not be a concern for you at all!