Texas Governor Perry recently signed House Bill 300 — which further strengthens Texas medical privacy laws, which were already more stringent than HIPAA. To begin, HIPAA currently covers only providers, insurers, and clearinghouses — while Texas law covers virtually any business that has patient health information including traditional HIPAA Business Associates, billing companies, computer support companies, or anyone who has a website. The new law becomes effective September 1, 2012.
Penalties for violations were significantly increased. The new civil monetary penalties are $5000/violation in cases of negligence, $25,000/violation if committed knowingly, $250,000/violation if done for financial gain, up to $1.5 million/year when repeat violations constitute a pattern of practice. Further, in egregious cases licenses may be revoked. For entities that delay a “breach notification”, penalties can be as high as $100/person for each day of delay, which even for a solo physician office could quickly reach the maximum of $250,000 for a single breach.
The state was given new powers to both request audits by federal officials and to conduct their own audits, as well as to request certain remedies.
Businesses are required to strengthen employee training. New employees must be trained within 60 days of hiring, and all employees must receive refresher training at least every two years. Training must explain the state and federal privacy laws as they relate to the employer's business and specifically to the employee's job.
A number of other miscellaneous provisions are included; any Texas business that uses patient medical information is advised to update its compliance program early.