by Matt Murray, MD, CPHIMS
As a result of recent legislation, Texas physicians will soon face privacy requirements that are more stringent than HIPAA. In 2011, the 82nd Texas Legislature passed House Bill 300 (HB300) which amends several Texas privacy statutes. The most significant changes are to the Texas Health & Safety Code Section 181 (sometimes referred to as the Texas Medical Records Privacy Act) and to the Texas Business & Commerce Code Section 521 (the Texas Identity Theft Enforcement & Protection Act). These amendments increase the protections of electronic protected health information (PHI) beyond those found in HIPAA. The new requirements found in HB300 take effect September 1, 2012. Beginning September 1, 2012, physicians must not only comply with federal privacy laws but also with the newly amended Texas privacy laws.
Below are some case examples that describe how the new Texas privacy laws will affect physicians.
EXPANDED EMPLOYEE TRAINING REQUIREMENTS
A physician's office disclosed a patient's HIV status without written consent when the office mistakenly faxed medical records to the patient's employer instead of to the patient's new physician. The employee responsible received a written disciplinary warning, and both the employee and physician apologized to the patient. The Office of Civil Rights (OCR) — the entity responsible for enforcing HIPAA standards — required the practice to revise their fax cover page to underscore that it is a confidential communication for the intended recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures. (1)
Many breaches of protected health information (PHI) like this can be avoided if employees understand privacy policies and remain highly attentive to PHI. In Texas, HB 300 protects not only PHI as defined by HIPAA, but also "sensitive personal information (SPI)" as defined by the Texas Identity Theft Protection Act. HB 300 requires all new employees who will encounter PHI or SPI to undergo privacy training within 60 days of hiring, and training must be repeated at least once every two years. Training is to be tailored to the employee's specific responsibilities and types of contact with PHI. The practice must maintain a log with employee signatures verifying their attendance. Physicians can prepare for the new requirements by updating their employee training policies and privacy education materials.
STRICTER REQUIREMENTS TO PROVIDE PATIENT ACCESS TO ELECTRONIC HEALTH RECORDS
A practice (in a different state) failed to honor a patient's request for a complete copy of her minor son's medical record. OCR's investigation determined that the practice had relied on their state's privacy laws that permit physicians to provide only a summary of the record. OCR explained to the practice that HIPAA permits a practice to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. Among other corrective actions to resolve the specific issues in the case, OCR required the practice to revise its policy and forward the complainant a complete copy of the medical record. (1)
This case describes a circumstance where state and federal privacy laws diverge and the more protective law prevails. Texas laws are more protective of a patient's right to access his or her electronic health records (EHRs) than HIPAA. HB 300 mandates physicians who use EHRs to provide patients the requested record in electronic form not later than 15 business days after receiving a written request, unless there is an allowable exception. HIPAA allows 30 days. The EHR may be provided in another format if agreed upon by the patient in advance or if the physician's EHR is incapable of producing an electronic copy. To comply with HB 300, physicians should update their Notice of Privacy Practices and revise policies on patient access to their EHR.
MORE ACCOUNTABILITY FOR BUSINESS ASSOCIATES
A laptop was stolen from an employee of a business associate (BA) of the physician practice. The computer contained PHI on 656 individuals. The PHI included names, social security numbers, dates of birth, and medications. In response, the physician took steps to enforce the requirements of the business associate agreement (BAA). The BA agreed to install encryption software on all their mobile devices, strengthen IT access controls, update security policies, and improve the physical security of their building. In addition, the responsible employee was counseled and all employees received additional security training. (1)
HB 300 holds accountable any business in Texas that comes into contact with PHI. This means that BAs of physician practices will be accountable to the provisions of HIPAA and HB 300 unless they have no contact with PHI. Consequently, physicians should revise their BAAs to include language requiring BAs to comply with state and federal privacy rules. Matters to address in a BAA include:
- immediate notification when a breach is discovered;
- clarifying who notifies affected individuals by mail and who incurs the cost;
- contract termination if BA fails to comply with privacy laws or take "reasonable" steps to fix the breach;
- evidence that BA performs security risk analysis at least annually;
- evidence BA provides required privacy training to employees; and
- encryption of PHI on BA's mobile devices, when BA exchanges PHI online and other circumstances where PHI is at high risk.
STRONGER ENFORCEMENT PENALTIES
An unencrypted USB drive used to store PHI could not be found in a physician's office. The drive contained data on 1,105 patients including names, addresses, birthdates, diagnosis codes, and Social Security numbers. The physician's office subsequently notified all affected individuals and the local media. The practice also added technical safeguards of encryption for all PHI stored on mobile devices; added physical safeguards by keeping new portable devices locked in a secure safe in the doctor's private office or in a secure filing cabinet; added administrative safeguards by requiring annual retraining of staff; and required immediate retraining of cleaning staff. (1)
HB 300 privacy protections will be enforced through financial penalties, disciplinary actions, and audits that are intended to deter breaches. A court may consider several factors when determining the consequence of a breach including: 1) seriousness of the violation; 2) the entity's compliance history; 3) harm done to individuals; and 4) efforts made to correct violations. Civil penalties may be assessed up to:
- $5,000/violation if committed negligently;
- $25,000/violation if committed knowingly or intentionally;
- $250,000/violation if committed intentionally and PHI is used for financial gain; and
- $1.5 million if a "pattern of practice" is found.
In summary, HB 300 is more protective of patients, but increases cyber liability risks for physicians. Consider the following to help reduce cyber liability risks related to HB 300:
- revise employee privacy training materials and policies;
- revise policies on patients' access to their EHRs;
- update Notice of Privacy Practices;
- revise business associate agreements;
- encrypt PHI stored on mobile devices; and
- encrypt PHI sent electronically.
Physicians may wish to consult with an attorney or the TMLT Risk Management Department to find out how to further align their practices with HB 300. Physicians should also consider purchasing cyber liability insurance (currently available at no additional cost with all TMLT policies at limits of $50,000) and consulting with their Regional Extension Center about assistance with security risk analysis and management.
ABOUT THE AUTHOR
Matt Murray, MD, CPHIMS, is a pediatric emergency medicine physician and health information technology (IT) advocate. He currently practices medicine at the Texas Christian University Brown Lupton Health Center and is active in local and statewide health IT initiatives. He can be reached at firstname.lastname@example.org.