Even Data Privacy Obligations are Bigger in Texas


Earlier this year, Texas Governor Rick Perry signed into law Texas House Bill 300 (H.B. 300), which imposes more stringent health-privacy requirements, expands data breach notification obligations, and increases the fines for violations. The law takes effect September 1, 2012.

The new law adds obligations to Texas Health and Safety Code § 181.001, et seq., the state's statute on protecting patient health information. The existing Texas law applies to "covered entities," defined as any person who "for commercial, financial, or professional gain, monetary fees, or dues [ ], engages [ ] in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information." The term includes any entity that maintains an Internet site that "comes into possession of protected health information" or "obtains or stores protected health information." This definition is much broader than the definition of a "covered entity" under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which reaches only health plans, health care clearinghouses, and health care providers "who transmit[ ] any health information in electronic form in connection with a transaction covered by [HIPAA]." 45 C.F.R. § 160.103. In practical terms, a business that is not a HIPAA covered entity (for example, a website operator or a vendor that merely stores health information) may still be a covered entity under the Texas law.

Under H.B. 300 (the new Texas law), all "covered entities" - as defined under HIPAA - must comply with HIPAA. In addition, H.B. 300 imposes a number of further requirements on "covered entities" as that term is defined by the existing Texas law. Each covered entity must provide its employees a training program on HIPAA and the Texas health privacy law; employees must complete the training within 60 days after their date of employment and must receive refresher training at least once every two years. The law also requires covered entities to give individuals notice when their protected health information is subject to electronic disclosure. It imposes civil penalties of up to $5,000 per violation for violations of the chapter committed negligently, and up to $25,000 per violation for violations committed knowingly or intentionally. Where the information was used for financial gain, the penalty rises to up to $250,000 per violation. Penalties may be subject to an annual cap of the same amount where certain conditions are met. A covered entity whose violations occur with a frequency that constitutes a "pattern or practice" may be civilly liable for up to $1.5 million.


Published In: Administrative Agency Updates, Health Updates, Labor & Employment Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Reed Smith | Attorney Advertising
