What is Texas HB 300?
The federal HIPAA law covers healthcare organizations based in Texas, but they also must comply with state laws. Texas health data laws are detailed in the Texas Health and Safety Code and one such law is HB 300.
In June 2011, Texas HB 300 was passed by the Texas legislature. HB 300 amended four areas of Texas legislature: The Texas Health and Safety Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602) and introduced tougher privacy protections for health data than HIPAA.
HB 300 vs. Federal HIPAA Law
HB300 has a few differences with the Federal HIPAA standard. Most practices naturally comply with these more stringent provisions in the course of normal business but the differences are as follows:
Electronic Health Records
HB 300 prohibits covered entities (CE) from using protected health information (PHI) for any reason other than treatment, payment, or insurance purposes unless prior to the disclosure of PHI, the CE has obtained written authorization from the individual to disclose their PHI.
HB300 also requires a 15 day turnaround vs. a 30 day turnaround for federal HIPAA to fulfill PHI access requests from patients and plan members.
Training requirements
- HB300 requires those who handle/encounter PHI to undergo training within 90 days of employment.
- Training must be documented and training logs must be maintained for six years.
- Refresher training must be provided within a year of a material change.
Different penalty tiers
- Violations committed negligently = $5,000 per violation, per year
- Violations committed knowingly or intentionally = $25,000 per violation, per year
- Violations committed intentionally and when PHI is misused for financial gain = $250,000 per violation, per year
- When a violation is part of a pattern of noncompliance – Maximum penalty of $1.5 million per year
Other differences
There are other differences between Texas HB 300 and federal HIPAA law that do not apply to healthcare providers (e.g. they apply to other entities that HB 300 requires compliance of such as any organization that maintains PHI). These differences are not covered here.