(September 11, 2012): They say that "Everything is Bigger in Texas," and its law concerning medical privacy is no exception. The Texas Legislature recently enacted the Texas Medical Privacy Act (TMPA)[1], also known as the Texas HIPAA law. The new law substantially increases the compliance burden on medical and service providers, suppliers, business associates, third party payers and just about everyone who handles, transmits or stores Protected Health Information (PHI) or Electronic Protected Health Information (EPHI) in any way. Enforcing the new law is the task of the Texas Health and Human Services Commission (HHSC). The penalties are substantial. The range of civil fines and penalties reflect similar provisions of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Texas Civil Monetary Penalties (CMPs) include:
- $5,000 for each negligent violation that occurs within 1 year.
- $25,000 for each knowing or intentional violation that occurs within 1 year.
- $250,000 for each knowing or intentional violation by a covered entity where PHI was used for financial gain.
- Up to $1,500,000 if the frequency of violations establishes a pattern or practice.
- I. Who is a “Covered Entity” Under the New Texas Medical Privacy Act?
From a practical point of view, nearly everyone who touches PHI/EPHI is now included. Under Sec. 181.001(b)(2) of the Texas Health & Safety Code, a "Covered Entity" means any person who:
- for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information.
The term includes business associates, health care payors, governments, information or computer management entities, schools, health researchers, health care facilities, clinics, health care providers, or any person who maintains an Internet site potentially conveying PHI;
- comes into possession of protected health information;
- obtains or stores protected health information under this chapter; or
- is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.
II. What Does a Texas Provider Need to Do to Comply With the Texas Medical Practice Act:
The next two months are critical for providers and the following actions must be done immediately before the 60-day grace period expires on October 31, 2012. Action taken now can help limit your potential liability exposure under Texas law.
Employee Training:
- Train all employees on HIPAA and the Texas Medical Privacy Act within the next 60 days - before 10/31/12. Training must be customized according to the employee’s access and handling of protected health information. Retrain employees every six months, if possible, but no later than year.
- Train new hires within their first 30 days of employment. Training must be customized according to the employee’s access and handling of protected health information.
Internal Privacy Policies and Procedures - Patient Access to PHI / EPHI:
- You must provide patients with requested electronic health information (EPHI) records within 15 days, instead of 30 days.
Internal Privacy Policies and Procedures – Encryption and Transmission
- Transmission and receipt of EPHI through cyberspace requires encryption every single time. If you do not have an effective encryption program, consider it an absolute necessity and get one. Train your employees on how to use it and make encryption of any transmission standard office policy with penalties for failure.
- Portable devices such as thumb drives can now be purchased with combination locks for security. Thumb drives are not recommended due to their ease of loss and the potential for leaks and breaches. However, if they must be used, then control their use by allowing only approved devices purchased and numbered by the company and assigning them to the party responsible. Devices should be turned in after use with a log date and signature.
- Consider purchasing cyber-liability insurance for your company or practice.
Business Associate Agreements (BAA)
- The business associate should notify you immediately of any breach of PHI and provide you with contemporaneous written notification of the facts concerning the breach;
- Identify or assign a person to notify any patient affected by the breach;
- Certify that the business associate complies with Texas Health and Safety Code § 181.100 regarding employee training on federal HIPAA and the Texas Medical Privacy Act requirements;
- Provide certification and supporting documentation of the covered entity’s annual employee training and security analysis, (for example: all employees have been screened on government exclusion lists – GSA, EPLS, State, and have had criminal background checks to comply with DEA regulations).
III. Final Remarks:
The Texas Legislature has made a strong effort to get ahead of the electronic distribution curve and protect EPHI. The short time frame is essential for enabling compliance and stopping potential problems before they occur. By complying with the more stringent Texas law, providers should be able to avoid many of the pitfalls under the federal HIPAA law. By the same token, failure to train and abide by both federal and state standards can lead to double liability for breaches, leaks and compromised EPHI. Stay ahead of the curve and make the changes necessary to protect your practice or business now.
Robert Liles counsels providers on HIPAA and TMPA compliance risks, HIPAA breach notification and implementing effective compliance plans. In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1-800-475-1906.
- [1] Texas Medical Privacy Act, Chapter 181 – Medical Records Privacy, eff. Sept. 1, 2012.