Even Data Privacy Obligations are Bigger in Texas


Earlier this year, Texas Governor Rick Perry signed into law Texas House Bill (H.B. 300), which imposes more stringent health privacy requirements, data breach notification obligations, and increased fines for violations. The law will become effective September 1, 2012.

The new law adds obligations to Texas Health and Safety Code § 181.001, et al., the state's law on protecting patient health information. Texas' current law applies to "covered entities," defined as any person who "for commercial, financial, or professional gain, monetary fees, or dues [ ], engages [ ] in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information." The term includes any entity who maintains an Internet site that "comes into possession of protected health information" or "obtains or stores protected health information." This definition is much broader than the definition of a "covered entity" provided under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which only applies to health plans, health care clearinghouses, and health care providers "who transmit[ ] any health information in electronic form in connection with a transaction covered by [HIPAA]." 45 C.F.R. § 160.103(ii)(3).

Under H.B. 300 (the new Texas law), all "covered entities," as defined under HIPAA, must comply with HIPAA. In addition, H.B. 300 imposes a number of further requirements on "covered entities," as the term is defined by the existing Texas law. Each covered entity shall provide a training program to its employees on HIPAA and Texas' health law; employees must complete the training within 60 days after their date of employment and complete subsequent training at least once every two years. The law also requires covered entities to provide notice to individuals if their personal health information is subject to electronic disclosure. It imposes civil penalties of up to $5,000 for violations of the chapter committed negligently, and up to $25,000 for violations committed knowingly or intentionally. Further, the law imposes penalties of up to $250,000 for each violation in which the information was used for financial gain. Penalties may be subject to an annual cap of the same amount where certain conditions are met. Repeated violations occurring with a frequency that constitutes a "pattern or practice" may result in civil liability of up to $1.5 million.

Please see full alert below for more information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Reed Smith | Attorney Advertising
