Last month, Texas Governor Rick Perry signed a health privacy bill into law that imposes new obligations exceeding the requirements in the HIPAA Privacy Rule.  The law, which will become effective on September 1, 2012, incorporates the expanded definition of the term “covered entity” in Texas’s existing health privacy law and could have a broad impact on many non-HIPAA covered entities.

Under the Texas law, the term “covered entity” includes any entity that engages in “assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information,” as well as any entity that “comes into possession of” or “obtains or stores” protected health information (“PHI”).  Notably, the new Texas health privacy law:

  • Requires all employees of covered entities to undergo training on HIPAA and Texas’ health privacy law within 60 days of hiring (and at least once every 2 years);
  • Bans the disclosure of PHI for remuneration, except that covered entities may disclose PHI to other covered entities for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by federal or state law;
  • Requires covered entities to provide notice to individuals that their PHI is subject to electronic disclosure and obtain authorization for any electronic disclosure of PHI (apart from disclosures of PHI to other covered entities for treatment, payment, health care operations, insurance or HMO functions, or as authorized or required by federal or state law);
  • Mandates that health care providers provide individuals with access to their PHI within 15 days of their request;
  • Authorizes the Texas Attorney General, Texas Health Services Authority or Texas Department of Insurance to conduct compliance audits of covered entities that have consistently violated the Texas law; and
  • Obligates the Texas Health Services Authority to develop privacy and security standards for the electronic sharing of PHI.

Read the text of H.B. 300.