Earlier this year, Texas Governor Rick Perry signed into law Texas House Bill 300 (H.B. 300), which imposes more stringent health privacy requirements, data breach notification obligations, and increased fines for violations. The law will become effective September 1, 2012.
The new law adds obligations to Texas Health and Safety Code § 181.001, et al., the state's law on protecting patient health information. Texas' current law applies to "covered entities," defined as any person who "for commercial, financial, or professional gain, monetary fees, or dues [ ], engages [ ] in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information." The term includes any entity that maintains an Internet site and "comes into possession of protected health information" or "obtains or stores protected health information." This definition is much broader than the definition of a "covered entity" provided under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which applies only to health plans, health care clearinghouses, and health care providers "who transmit[ ] any health information in electronic form in connection with a transaction covered by [HIPAA]." 45 C.F.R. § 160.103(ii)(3).
Under H.B. 300 (the new Texas law), all "covered entities" - as defined under HIPAA - must comply with HIPAA. In addition, H.B. 300 imposes a number of further requirements on "covered entities," as the term is defined by the existing Texas law. Each covered entity shall provide a training program to its employees on HIPAA and Texas' health law. Employees must complete the training within 60 days after their date of employment and complete subsequent training at least once every two years. The law also requires covered entities to provide notice to individuals if their personal health information is subject to electronic disclosure. It imposes civil penalties of up to $5,000 for violations of the chapter committed negligently, and up to $25,000 for violations committed knowingly or intentionally. Further, the law imposes penalties of up to $250,000 for each violation in which the information was used for financial gain. Penalties may be subject to an annual cap of the same amount where certain conditions are met. Repeated violations occurring with a frequency that constitutes a "pattern or practice" may result in civil liability of up to $1.5 million.
Please see full alert below for more information.