Starting on September 1, 2012, businesses handling electronic protected health information (ePHI) in Texas will be subject to more stringent data privacy and security regulations and harsher penalties than those imposed by federal HIPAA regulations. Among other things, the new bill, signed into law in June 2011 by Governor Rick Perry, expands on the HIPAA definition of a

Under the new law, "covered entities" are broadly defined as any organization that handles electronic health records. This expanded definition has the potential to impact many organizations that are not currently "covered entities" under HIPAA, such as SaaS and cloud providers that market to health care organizations. In addition to complying with HIPAA requirements, covered entities are required to provide custom training sessions within 60 days of hire. Further, the time period for responding to patients' written requests for copies of EHR is reduced from 30 days under HIPAA to 15 days. The new law also includes an explicit ban on selling patient records for profit, and a breach-notification requirement similar to that recently enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH).

In addition to the more stringent regulations, harsher civil penalties are available under the new law. Depending on the degree of intent exhibited in committing a violation, penalties can range from $1,500 to $1.5M per year for disclosure of PHI. The monetary penalties are in addition to any penalties levied by the federal government under HIPAA/HITECH, and they can also include

Although the law will not be effective until September 2012, I recommend taking time this year to revisit your organization's status under the new law and to determine if your current compliance policies and procedures are sufficient to address any
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.