By now, most providers are well aware that national privacy and security obligations exist on at least two levels. Federal statutes and regulations get the most publicity and dominate most providers’ compliance programs, but state obligations often exist in addition to the more familiar federal structure of HIPAA and HITECH. Providers who do business in multiple jurisdictions must remain vigilant for changes in these state laws, which often require compliance responses unique to the state at issue, particularly in terms of timing, content and basis for notices to individuals that their personal information has been disclosed improperly. In 2012, new statutes in Texas and California will require precisely this sort of state-specific updating to existing compliance programs and procedures. The changes made in Texas are described below. An analysis of California’s new law is available in "California (and Texas) Increase Privacy Requirements."
Texas’s new statute (H.B. No. 300) imposes requirements on “covered entities” as that term is defined by Texas law. The statute also creates several new government task forces and tasks several existing governmental and quasigovernmental entities with additional responsibilities related to making recommendations and reports on the state’s existing procedures for handling protected health information. The new Texas law takes effect September 1, 2012.