HIPAA/HITECH and Texas Privacy Laws Comparison Tool - TMLT

HIPAA/HITECH and Texas Privacy Laws

Comparison Tool

Updated 2013

Federal and Texas Privacy & Security Requirements

Minimizing Your Risk of Violations


The information contained in this document highlights the various laws and statutes set forth below. It does not, nor does it intend to, address all provisions of the specific laws and statutes cited herein. Further, the statutes and laws referenced in this tool are not an exhaustive list of federal and Texas privacy laws. This document is intended merely as an aid to assist physicians and their office staff in understanding their obligations under the changes to privacy provisions found in House Bill 300 (HB 300), Senate Bill 1609 (SB 1609) and Senate Bill 1610 (SB 1610) as compared to the various federal privacy counterparts set forth in HIPAA/HITECH and the HIPAA Omnibus Rule. TMLT makes no representation that compliance with the provisions set forth in this tool will constitute full compliance with the various federal and state privacy laws. The information presented should be used as a resource, selected and adapted with the advice of your attorney. It is distributed with the understanding that TMLT and its affiliates are not engaged in rendering legal services.

© Copyright 2013 TMLT



For medical practices, or Covered Entities (CE) in Texas, and now their Business Associates (BA), minimizing your risk of violations of federal and Texas privacy laws is not a one-time event. The laws and rules keep changing. It is essential that CEs and BAs understand the federal and Texas laws and their associated rules and how they apply to the organization.

In January 2013, the HIPAA Omnibus Rule, also known as the "Final Rule," was released. The changes in this rule are significant and will once again require CEs and BAs to make changes to their standard business processes. All CEs and BAs must be compliant by September 23, 2013, with a few exceptions. Making the necessary changes is very important since enforcement and the associated civil monetary penalties are greatly increased under the Final Rule. After reviewing this tool you should consider:

1. Reviewing and updating policies and procedures
2. Reviewing and updating your Notice of Privacy Practices (NPP)
3. Retraining the workforce on the changes
4. Preparing, reviewing and amending Business Associate Agreements (BAA)

In 2011, the Texas legislature passed House Bill 300 (HB 300) to add further safeguards for the protected health information (PHI) of patients being treated by Texas physicians. The HB 300 changes to existing Texas privacy laws are more stringent than those found in the federal laws, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and went into effect September 1, 2012. The recently concluded 2013 Texas legislative session again brought changes to the Texas Medical Records Privacy Act and the Identity Theft Enforcement and Protection Act (ITEP). These changes were made at the urging of TMLT and were supported by TMA to help Texas physicians comply with the 2011 changes by easing the burden of educating staff and clarifying the reporting requirements of ITEP.

Again, it is very important for physicians and their office staff to be familiar with the existing laws and the changes to those laws in order to minimize the risk of violations. Consequences may include the assessment of civil penalties in Texas in addition to penalties for violating the federal laws.

This comparison chart is made available by TMLT to help you review the changes to the federal and Texas privacy laws. Physician practices, as CEs, and their BAs should take this opportunity to review their existing HIPAA/HITECH policies, procedures and practices. Modifications to these existing policies, procedures and practices will need to be made to reflect the requirements under the revised Texas privacy laws and the Final Rule. HIPAA Privacy and Security are the foundation for the many changes we have seen at both the federal and state level, as well as the changes that are sure to come as technology continues to change and immediate access to health records evolves.

TMLT has additional resources available and can provide customized consultation services to help your practice. Call Stephanie Downing at 1-800-580-8658, extension 4884 or email consultingwebmail@tmlt.org for more information.






Effective Dates

HIPAA/HITECH
• HIPAA Privacy Rule: Effective 4/14/2003
• HIPAA Security Rule: Effective 4/20/2005
• HITECH in effect since 2009
• CEs required to develop policies and procedures, conduct training, and change their notice of privacy practices and BAAs in accordance with HIPAA/HITECH privacy and security requirements.

Omnibus Rule
• Effective date: 3/26/2013
• Compliance date: 9/23/2013
• Compliance date for updating BAAs:
o You may have additional time to comply with updating your
o The Omnibus Rule provides up to a one-year extension (until 9/22/2014) for updating BA contracts that are not otherwise modified after 3/26/2013.
o You may want to consult legal counsel to determine whether you qualify for this extension.

Texas Medical Records Privacy Act (TX HEALTH & SAFETY CODE ch. 181, 182) – HB 300
• Effective date of 2011 changes to TX HEALTH & SAFETY CODE ch. 181, 182: 9/01/2012
• SB 1609: Effective 6/14/2013

Identity Theft Enforcement and Protection Act (ITEP)
• Effective date of HB 300 changes: 9/01/2012
• SB 1610: Effective 6/14/2013


Definition of a Covered Entity

HIPAA/HITECH
A CE is a:
• Health Plan
• Health Care Clearinghouse
• Health Care Provider transmitting electronic protected health information (ePHI) in connection with a transaction covered by the HIPAA Administrative Simplification regulations (45 CFR Subchapter C)

Omnibus Rule
No change to the definition of a CE

Texas Medical Records Privacy Act
Any person who:
• assembles, collects, analyzes, uses, evaluates, or transmits PHI for commercial, financial or professional gain, monetary fees, dues or on a cooperative, nonprofit or pro bono basis;
• comes into possession of PHI; or
• obtains or stores PHI.
Includes: BA, health care payor, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an internet site.






Workforce Training

HIPAA/HITECH
• Employees to be trained on HIPAA requirements regarding PHI & ePHI
• Training to be provided as necessary and appropriate for employees to carry out their job functions
• New employees to be trained within a reasonable period of time after being hired
• All employees to receive training on any material change in HIPAA requirements regarding PHI within a reasonable time after the material change goes into effect
• CE must document training

Omnibus Rule
No changes to training requirements

Texas Medical Records Privacy Act
HB 300, as amended by SB 1609
• Employees to be trained on state and federal laws on PHI
• The CE shall provide training to employees regarding state and federal law concerning PHI as necessary and appropriate for the employee to carry out the employee's duties as they relate to PHI
• CE must train new employees by the 90th day of employment
• If the duties of an employee of a CE are affected by a material change in state or federal law, the employee should be retrained as soon as possible concerning the changes; the training must occur no later than the first anniversary of the date the material change in law takes effect
• Must maintain signed statements from employees verifying attendance at training until the sixth anniversary of the training

Practical Tip – whenever you update your Privacy or Security policies or procedures you should retrain staff and document the


Patient Rights

HIPAA/HITECH
The HIPAA Privacy Rule contains a number of individual rights including:
• access – right to review and obtain a copy of PHI with certain
• amendment – right to request the CE amend inaccurate or incomplete
• accounting of disclosures – right to request an accounting of disclosures;
• restriction request – right to request the CE restrict disclosure; and
• confidential communications.

Texas Medical Records Privacy Act

Omnibus Rule
Changes to patient rights were made in the Final Rule:
• electronic copy of PHI;
• may direct CE to send ePHI to a third party;
• right of restriction – patients may request that PHI not be shared with a health plan if they pay out of pocket in full at the time of service;
• genetic information under GINA;
• proof of student immunization may be released to schools;
• decedent information;
• make changes to your NPP.





Access to Records

HIPAA/HITECH
• CE must provide patients with their PHI within 30 days of receipt of the request, in the form requested if readily producible in such form.
• If the CE uses or maintains electronic health records (EHRs), the patient has the right to receive PHI in electronic format and to direct the CE to transmit such copy directly to an entity or person designated by the patient.
• HITECH created the patient right to obtain electronic copies of PHI maintained in an EHR.
• HITECH established that the fee for copies was to be based on the labor

Omnibus Rule
• Individuals have the right to obtain an electronic copy of any PHI "maintained electronically in one or more designated record sets".
• If electronic information is not readily producible in the form and format requested, the information must be provided in an alternative readable electronic form and format as agreed to by the CE and the
• The labor of copying ePHI may be included in the reasonable cost-based
• The cost of supplies (e.g., CD or USB drives) may be included in the reasonable cost-based fee if the individual requests that the electronic copy be provided on portable media.
• The cost of postage may be included in the reasonable cost-based fee if the individual requests that the portable device containing the electronic copy be sent by mail or courier.

Texas Medical Records Privacy Act
HB 300
• CE must provide patients with an electronic copy of their medical records within 15 business days of receipt of a written request if the CE uses an EHR system capable of fulfilling the request (15 business days is consistent with TMB rules on release of
• CE may provide records to the patient in another format if the patient agrees;
• Texas Health & Human Services Commission may recommend a standard electronic format for release of EHRs; and
• Texas Attorney General has established a website to provide information on individuals' privacy rights concerning PHI under state and federal law, a list of state agencies that regulate CEs and information regarding each agency's complaint enforcement process and contact information.

Practical Tip – Revise your policy and procedure on the release of records to be sure it reflects Texas requirements.





Marketing

HIPAA/HITECH
• HITECH limits the health-related communications that are excepted from the definition of marketing to the extent a CE receives or has received direct or indirect payment in exchange for marketing the
• If the payment received by the CE is reasonable, there is an exception to the payment limitation for communications that describe only a drug/biologic currently prescribed to the patient.

Omnibus Rule
• The Final Rule requires the CE to obtain an individual's authorization in order to use or disclose PHI for marketing purposes.
• Authorization is required for all treatment or health care operations communications if the CE received financial remuneration from a third party whose product or service is marketed in the communication.
• No authorization is required where a CE receives financial remuneration from a third party for marketing communications made face-to-face to the individual.
• Exceptions to the definition of marketing:
o To provide refill reminders or to otherwise communicate about a drug or biologic currently being prescribed for the individual, provided that any financial remuneration is reasonably related to the CE's cost of making the communication (labor, supplies, and postage).
o To describe a health-related product or service, or to contact individuals with information about treatment alternatives and related functions, as long as the CE does not receive financial remuneration in exchange for making the communication.

Texas Medical Records Privacy Act
• CE must obtain clear and unambiguous permission in written or electronic form to use or disclose PHI for any marketing communication, except if the communication is:
(1) in the form of a face-to-face communication made by a CE to an individual;
(2) in the form of a promotional gift of nominal value provided by the CE;
(3) necessary for administration of a patient assistance program or other prescription drug savings or discount program; or
(4) made at the oral request of the individual.
• If a CE uses or discloses PHI to send a written marketing communication through the mail, the communication must be sent in an envelope showing only the names and addresses of sender and recipient and must:
(1) state the name and toll-free number of the CE; and
(2) explain the recipient's right to have the recipient's name removed from the sender's mailing list.
• CE must remove an individual's name from a mailing list no later than the 45th day after the CE receives the individual's request.
• An oral request of the individual under Subsection (a)(4) (item (4) above) may be made only if clear and unambiguous oral permission for the use or disclosure of the PHI is obtained. The marketing communication must be limited to the scope of the oral permission, and any further marketing communication must comply with the requirements of this section.





Fundraising

HIPAA/HITECH
• CE must provide a clear and conspicuous opt-out opportunity.
• CE must honor the opt-out request.

Omnibus Rule
• CE may use only demographic information, insurance status, dates of service, general information about the department in which the patient was served (e.g., cardiology), the identity of the treating physician, and general outcome information to target fundraising communications.
• Opt-out notice must be clear and conspicuous.
• Opt-out method cannot be burdensome.
• CE must honor all opt-out requests.
• CE may not condition payment or treatment on an individual's choice to receive fundraising communications.
• CE may decide whether an opt-out applies to all future fundraising communications or to a specific campaign.

Texas Medical Records Privacy Act









Sale of PHI

HIPAA/HITECH
HITECH prohibits the sale of PHI without patient authorization, except for: public health activities; research activities (limited to the cost of preparation and transmittal of the data); treatment and payment; health care operations pursuant to BA activity; providing the patient access to his/her PHI; and other purposes the Secretary of HHS determines by regulation to be necessary and appropriate.

Omnibus Rule
• Prohibits a CE or BA from receiving direct or indirect payment from the recipient of the PHI in exchange for the PHI without authorization from the individual.
• The authorization requirement does NOT apply to disclosures of PHI
o for public health purposes;
o for research purposes where the only remuneration is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI;
o for treatment, payment, or health care operations;
o to or by a BA for activities that the BA undertakes on behalf of the CE, where the only remuneration is for the performance of such activities;
o to an individual, when requested under the access and accounting of disclosures provisions of the Privacy Rule;
o for disclosures required by law; or
o for any other purpose permitted by and in accordance with the applicable requirements of the Privacy Rule, where the only remuneration is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI or a fee otherwise expressly permitted by other law.
• Ongoing research studies will be grandfathered.
• CE may continue to use a limited data set in accordance with an existing data use agreement for up to one year or until it is renewed or modified, whichever is earlier.

Texas Medical Records Privacy Act
HB 300
Prohibits the sale of PHI except for treatment, payment, health care operations, performing an insurance or health maintenance organization function, or as otherwise authorized by state or federal law.






Restriction Requests (Self-Pay Items and Services)

HIPAA/HITECH
HITECH requires health care providers to honor a restriction request by a patient not to disclose their PHI to a health plan if the PHI pertains solely to items or services for which the patient paid the provider out-of-pocket in full, provided the disclosure is not otherwise required by law.

Texas Medical Records Privacy Act

Omnibus Rule
Clarifications were made in the Final Rule:
• providers are prohibited from disclosing the restricted PHI to BAs of the health plan;
• providers are not required to create separate medical records or otherwise segregate PHI subject to this restriction as long as they prevent its disclosure;
• providers may unbundle billing for items or services to accommodate an individual's restriction request, but they must first counsel the individual that the health plan may be able to determine the other services that were provided from such claims;
• providers are not required to notify downstream providers of the restriction; and
• payment from a health savings account or flexible spending account constitutes payment on behalf of an individual.

Practical Tip – Revise your policy and procedure on use and disclosure as well as your NPP.








Proof of Immunization to Schools

HIPAA/HITECH
Authorization to release PHI is required.

Texas Medical Records Privacy Act

Omnibus Rule
• Permits a CE to provide proof of immunization without authorization to schools that are required by law to have the information.
• CE must obtain parental agreement to allow the CE to provide immunization records without authorization.

Practical Tip – Consider how you will document parental agreement; consider adding it to your general consent.

*NOTE: The Texas Medical Board Rules, Chapter 165.2 Medical Records Release and Charges, state:
(a) Release of Records Pursuant to Written Request: "As required by the Medical Practice Act, §159.006, a physician shall furnish copies of medical and/or billing records requested or a summary or narrative of the records pursuant to a written release of the information as provided by the Medical Practice Act, §159.005..."
In the absence of clarification from federal or Texas authorities, practices may want to continue to obtain written authorization before release of proof of immunization to schools. Further clarification on this topic is likely in the future.


Decedents

HIPAA/HITECH
• Disclosure to family: CE is required to protect the PHI of a decedent to the same extent as that of a living individual. Authorization is required from the decedent's personal representative for any disclosure that would have required authorization by the individual if living.
• No expiration of HIPAA protections of PHI.

Practical Tip – Consider continuing to obtain authorization from the personal representative before release of a decedent's PHI.

Texas Medical Records Privacy Act

Omnibus Rule
• Information on decedents is protected unless the decedent has been dead for more than 50 years. There is no requirement to keep records for 50 years.
• Disclosure to family: CE may disclose PHI to family members (and others who were involved in the individual's care or payment for care) as long as the disclosure is not inconsistent with any prior expressed preference of the individual.

*NOTE: The Medical Practice Act of Texas requires a valid written consent for the release of confidential information. If the patient is deceased, authorization is required from the patient's personal representative.
In the absence of clarification from federal or Texas authorities, practices may want to continue to obtain written authorization from a personal representative before releasing PHI of a decedent. Further clarification on this topic is likely in the future.







Genetic Information (GINA)

HIPAA/HITECH
GINA requires HHS to clarify that genetic information is PHI and to prohibit health plans, health insurance issuers, and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting.

Omnibus Rule
• Prohibits all health plans, except long-term care insurers, from using or disclosing genetic information for underwriting purposes.
• Defines underwriting.
• Includes genetic information within the definition of PHI.


Notice of Privacy Practices (NPP)

HIPAA/HITECH
• HIPAA requires a CE to have an NPP.
• HIPAA requires a CE to make copies of the NPP available to patients.
• HIPAA requires a CE to post a copy of its NPP.
• HIPAA requires a CE to make a good faith effort to obtain a signed acknowledgment of receipt of the NPP.

Omnibus Rule
Your NPP must include:
• Use and Disclosure: NPP must include an express statement that the following require an individual's authorization:
o psychotherapy notes;
o PHI for marketing;
o sale of PHI; and
o uses and disclosures not described in the NPP will be made only with the individual's authorization.
• Fundraising: where the CE intends to contact individuals for fundraising, the NPP must include a separate statement regarding fundraising communications and the right to opt out.
• Notification of Breach: include a statement of the right of the affected individual to be notified following a breach.
• Right to restrict disclosures: NPP must include a separate statement informing individuals of their right to restrict disclosures of PHI to health plans under certain circumstances.
• Include restrictions on genetic disclosures under GINA.
• Health care providers must make a modified (revised) NPP available to patients at the facility upon request and post the revised NPP at such

Texas Medical Records Privacy Act
HB 300
Changes made by HB 300:
• CE must provide notice of electronic disclosure of PHI to patients if the patients' PHI is subject to electronic disclosure (may be provided in the NPP or in a separate
• CE must post written notice of electronic disclosure of PHI in the CE's place of business, on the CE's web site or in another conspicuous place where the patient is likely to see the notice (Note: may be incorporated into a current practice protocol that satisfies HIPAA
• CE must obtain patient authorization (written, or oral if documented) for each electronic disclosure of PHI, except if the electronic disclosure is made to another CE for treatment, payment, health care operations, or as otherwise authorized or required by state or federal law (do not obtain blank, signed patient authorizations).
• A standard authorization form for electronic disclosure of PHI is available on the Texas Attorney General's web site.

Practical Tip – After you revise your NPP, develop a plan to redistribute it and obtain new acknowledgments of receipt.





Safeguards and Security Standards

HIPAA/HITECH
Destruction and encryption (as specified in HHS guidance) are the methods for rendering PHI and ePHI secured; a breach of PHI secured by these methods does not trigger breach notification.

Omnibus Rule
BAs and their subcontractors are directly liable for compliance with the HIPAA Privacy and Security Rules and HITECH (including the Final Rule).

Texas Health & Safety Code §182
HB 300
• Mandates the Texas Health Services Authority (THSA) to develop, and the Texas Health and Human Services Commission (HHSC) to adopt, privacy and security standards for the electronic sharing of PHI;
• Adopted privacy and security standards to be posted on THSA's website; and
• THSA to establish a process by which a CE may obtain certification of compliance with the adopted privacy and security standards.

Identity Theft Enforcement and Protection Act (ITEP)
• A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information (SPI) collected or maintained by the business in the regular course of business.
• A business shall destroy or arrange for the destruction of customer records containing SPI within its custody or control that are not to be retained, by shredding, erasing, or otherwise modifying the SPI in the records to make the information unreadable or indecipherable through any means.





Breach Notification

HIPAA/HITECH
• Breach is the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of the PHI and poses a significant risk of financial, reputational or other harm to an individual.
• Notification is required if there is a breach of unsecured PHI.
• Limited exceptions to the breach notification requirements.
• Content requirements for written notice.
• Substitute notice requirement.
• Notify the individual no later than 60 days after discovery.
• Notify HHS per HHS website specifications.
• Notify the media in some instances per the Breach Notification Rule.

Omnibus Rule
• Under the Omnibus Rule all impermissible uses or disclosures of PHI are presumed to be reportable breaches. This replaces the risk-of-harm threshold in HITECH.
• A breach is an impermissible use or disclosure of PHI.
• Reporting is not required only if, after conducting a risk assessment in good faith (using the prescribed four-factor model), the CE or BA can demonstrate that there is a low probability that the PHI has been compromised.

Identity Theft Enforcement and Protection Act (ITEP)
• ITEP's breach notification requirements were amended by HB 300, effective 2012.
• Safeguard SPI.
• SPI is defined as an individual's name in combination with one or more of the following items, when the name and the items are unencrypted:
o Social Security number;
o Driver's license number;
o Other government-issued ID number;
o Account number;
o Credit card number;
o Debit card number; or
• A person who conducts business in Texas and owns or licenses data that includes SPI must disclose a breach upon discovery, or if SPI is reasonably believed to have been acquired by an unauthorized person.
• Must notify immediately or as soon as feasible.
• A person who maintains computerized data containing SPI must immediately notify the owner/license holder about the breach once the breach is discovered.

HB 300
• CE must provide notification to any affected individual, not just Texas residents.

Practical Tip – Report any suspected breach to your cyber liability carrier immediately. They may be able to provide you with resources, including counsel, to help you conduct a risk assessment and determine if the breach is reportable.

Changes made by SB 1610
If the individual whose SPI was breached (or is believed to have been breached) resides in a state that requires notice of a breach of system security, the notice may be provided under that state's law or under Texas law. A person may give written notice as required at the last known address of the individual.





Business Associates

Omnibus Rule
• Changed the definition of BA: a BA is anyone who creates, receives, maintains, or transmits PHI on behalf of the
• Other changes for BAs:
o A BA relationship exists if the entity fits the definition of a BA, regardless of whether a BAA is in place.
o BAs must meet the minimum necessary rule.
o BAs must comply with the HIPAA Privacy and Security Rules.
o A subcontractor of a BA is anyone who creates, receives, maintains or transmits PHI on behalf of the BA.
o A subcontractor of a BA is now defined as a BA and subject to all the same rules.
o A BA will need to have a BAA or written contract with its subcontractors.
• BAA or Contract: When a CE uses a contractor or other non-workforce member to perform "business associate" services or activities, the Final Rule requires that the CE include certain protections for the information in a BAA (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the BA contract, a CE must obtain assurances from the BA that it will impose specified safeguards with respect to the individually identifiable health information it uses or discloses.
• Changes to the BAA: The BAA must include an agreement that the BA complies:
o with the Security Rule regarding ePHI; and
o with the Privacy Rule if the BA is performing services on a CE's behalf that fall under the Privacy Rule.
• BA and Subcontractor Liability: The Final Rule makes BAs and their subcontractors directly liable for violations of the Privacy and Security Rules, including:
o failure to notify the CE of a breach;
o failure to provide access to a copy of PHI to the CE or patient;
o failure to provide information to the HHS Secretary when requested for an
o failure to provide an accounting of disclosures; and
o failure to comply with the Security Rule.

Texas Medical Records Privacy Act
Definition of a CE means any person who:
(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI. The term includes a BA, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an internet site;
(B) comes into possession of PHI;
(C) obtains or stores PHI; or
(D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits PHI.






Health Information Organizations and Patient Safety Organizations

Omnibus Rule
Clarifies that the following are BAs of CEs:
• Health Information Organizations (HIO)/Health Information Exchanges (HIE); and
• Patient Safety Organizations (PSO).

Texas Medical Records Privacy Act






Hybrid Entities

HIPAA/HITECH
Hybrid entity – The Privacy Rule permits a CE that is a single legal entity and that conducts both covered and non-covered functions to elect to be a "hybrid entity." (The activities that make a person or organization a CE are its "covered functions.") To be a hybrid entity, the CE must designate in writing its operations that perform covered functions as one or more "health care components." After making this designation, most of the requirements of the Privacy Rule will apply only to the health care components. A CE that does not make this designation is subject in its entirety to the Privacy Rule.

Texas Medical Records Privacy Act

Omnibus Rule
• A hybrid entity must include a component that performs business associate-like activities within its health care component.
• The entire CE, and not merely its health care component, remains responsible for complying with BA arrangements and other organizational requirements of HIPAA.


About the Author:

Cathy Bryant is a Risk Management Representative at TMLT. Cathy has more than thirty years' experience in health care as a nurse, risk manager, compliance officer, hospital executive, and consultant. Cathy is a member of the Health Care Compliance Association and is certified in Healthcare Privacy Compliance by the Compliance Certification Board.

