Starting on September 1, 2012, businesses handling electronic protected health information (ePHI) in Texas will be subject to more stringent data privacy and security regulations and harsher penalties than those imposed by federal HIPAA regulations. Among other things, the new bill, signed into law in June 2011 by Governor Rick Perry, expands on the HIPAA definition of a “covered entity.”

Under the new law, “covered entities” are broadly defined as any organization that handles electronic health records. This expanded definition has the potential to affect many organizations that are not currently “covered entities” under HIPAA, such as SaaS and cloud providers who market to health care organizations. In addition to complying with HIPAA requirements, covered entities are required to provide custom training sessions to employees within 60 days of hire. Further, the time period for responding to patients’ written requests for copies of EHR is reduced from 30 days under HIPAA to 15 days. The new law also includes an explicit ban on selling patient records for profit, and a breach-notification requirement similar to that recently enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH).

In addition to the more stringent regulations, harsher civil penalties are available under the new law. Depending on the degree of intent exhibited in committing a violation, penalties can range from $1,500 to $1.5M per year for disclosure of PHI. These monetary penalties are in addition to any penalties levied by the federal government under HIPAA/HITECH, and violations can also result in license revocation.

Although the law will not take effect until September 2012, I recommend taking time this year to revisit your organization’s status under the new law and to determine whether your current compliance policies and procedures are sufficient to address any new requirements.