Presented by: Coleman Johnson Director of Contracts, Reporting, Security & Policy and Terry Alexander Director of CAH and Rural Hospitals The West Texas.

Presentation transcript:

Presented by: Coleman Johnson, Director of Contracts, Reporting, Security & Policy, and Terry Alexander, Director of CAH and Rural Hospitals, The West Texas Health Information Technology Regional Extension Center (WTxHITREC). *Disclaimer: Information for educational purposes only, not legal advice.

House Bill 300
Bill Sponsor: Senator Jane Nelson. Senator Nelson represents part of Denton County and Tarrant County.
Primary Bill Author: Representative Lois Kolkhorst
Joint Bill Author: Representative Elliott Naishtat
HB 300 was signed by Governor Rick Perry on 6/17/2011 and went into effect 9/1/2012. The bill itself is only 21 pages long! HB 300 is available online at:

House Bill 300 has 2 nicknames: “Texas HIPAA” and “HIPAA on STEROIDS!”

Massive Impact in 21 Pages
 Changes Texas Health and Safety Code
 Changes Texas Business and Commerce Code
 Changes Texas Insurance Code
 Dramatically impacts ALL Texans
 Massive fines for violations
 Attorney General website to report violations
 Requires documented training
 State to seize medical records

Specific Sections of Legislation Amended
 Health and Safety Code – Chapter 181
 Health and Safety Code – Chapter 182
 Insurance Code – Chapter 602
 Business and Commerce Code – Chapter 521
 Business and Commerce Code – Chapter 522

Purpose of Act: PROTECTION. The need for protection is obvious. The Ponemon Institute’s December 2011 study – Second Annual Benchmark Study on Patient Privacy and Data Security – reports that 96 percent of the 72 national healthcare providers surveyed indicated they experienced a data breach in
Study is available at /2011_Ponemon_ID_Experts_Study.pdf

What is Protected? Protected Health Information (PHI): For a covered entity that is a governmental unit, HB 300 includes any information that reflects that an individual received health care from a covered entity and that is not public information subject to disclosure under Chapter 552 of the Texas Government Code. For others, the definition of PHI is taken from the Health Insurance Portability and Accountability Act (HIPAA): individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. HB 300 incorporates the HIPAA provisions in effect as of Sept. 1, 2011; however, HIPAA has since been modified by the Omnibus Final Rule. The executive commissioner of the Texas HHSC is to determine whether it is in the best interest of the state to adopt any amendments made by the Final Rule.

Covered Entities. A covered entity is defined as any person who:
 For commercial, financial or professional gain, monetary fees or dues, or on a cooperative, nonprofit or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information;
 Comes into possession of protected health information;
 Obtains or stores protected health information under the federal statute and regulations; or
 Is an employee, agent or contractor of one of these persons who creates, receives, obtains, maintains, uses or transmits protected health information.

In other words, YOU!! Virtually every Texan will be impacted. If you can spell “PHI”, then you are likely to be affected.

Examples (a short list) of Covered Entities Impacted
 Hospitals  Medical Providers  EMS/Fire  Schools  Employees  Churches  Sports Teams  Camps  Ambulance  Labs  Imaging  Doctors  Tech Support  Administrators  Transportation  Individuals  Law Firms

Restricted Activities
Unauthorized Disclosure: Disclosure is defined as any action to “release, transfer, provide access to or otherwise divulge information outside the entity holding the information.” This is a very broad definition.
Sale of Information: Covered entities may not disclose PHI in exchange for direct or indirect remuneration, unless the disclosure is for:
 Treatment;
 Payment;
 Health care operations; or
 Performing an insurance or health maintenance organization function.
Even then, remuneration may not exceed the covered entity's reasonable cost of preparing or transmitting the PHI.

Consumer Access to Records: If the covered entity uses an electronic health records system, it must provide the record electronically within 15 business days of a written request, unless the person agrees to accept the record in another form.

Consumer Complaints: The attorney general shall maintain a website for consumers that provides information regarding the agencies that regulate covered entities in Texas and detailed information regarding each agency’s complaint enforcement process. The attorney general will annually submit a report to the Texas legislature describing the number and types of complaints received by the attorney general and by other state agencies that receive consumer complaints.

Notice and Authorization Requirements
CE must post notice: A covered entity that creates or receives PHI must provide a general notice to individuals if their protected health information is subject to electronic disclosure. This notice may be provided by:
 Posting written notice in the place of business;
 Posting notice on a website; or
 Posting notice in a place where individuals whose PHI is subject to electronic disclosure are likely to see the notice.
The notice must be conspicuous and understandable.

Notice and Authorization Requirements (continued)
Even if notice is posted, a covered entity may not electronically disclose an individual’s PHI to any person without a separate authorization from the individual for each disclosure.
EXCEPTION: This authorization is not required if the disclosure is made to another covered entity (as defined by Health and Safety Code Section or to any covered entity as defined by Section of the Insurance Code) solely for purposes of treatment, payment or health care operations, for performing health maintenance organization functions as defined by the Insurance Code, or if otherwise authorized or required by state or federal law.
Standard authorization form available at

Breach Notification (current version): The existing statute limited breach notifications to residents of Texas. HB 300 updates the language so that it applies to all individuals whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. If the individual is a resident of a state that has its own breach notification provision, the covered entity may comply with that state’s law for notification.

Breach Notification (SB 1610): If the individual whose PHI is acquired by an unauthorized person is a resident of a state that requires notice of a breach of system security, the notice may be provided under that state’s law or under Texas law. Notice may be given by written notice at the last known address of the individual.

Required Training (current version)
 Covered entities must provide a training program pertaining to protected health information.
 All new employees must be trained within 60 days of their hire date, and the training must be customized for their role.
 Each employee must sign a document attesting to their attendance, and those documents must be maintained by the covered entity.
 All employees must be trained at least once every 2 years.

Required Training (SB 1609 updates)
 Each covered entity shall provide training to employees as necessary and appropriate for the employees to carry out their duties for the covered entity.
 An employee must complete training not later than the 90th day after the date the employee is hired.
 If the duties of an employee are affected by a material change in state or federal law concerning PHI, the employee shall receive training within a reasonable period, but not later than the first anniversary of the date the change in law takes effect.
 Employees must sign a statement verifying completion of training, which shall be maintained until the sixth anniversary of the date it was signed.

Enforcement. There are 4 general ways the Medical Records Privacy Act will be enforced:
 Government audit
 Complaint filed with the attorney general that leads to an investigation
 Action by the state attorney general
 Whistleblower suit

Audits: The Texas Health and Human Services Commission (HHSC), in coordination with the state attorney general, the Texas Health Services Authority (THSA), and the Texas Department of Insurance, may request that the U.S. Secretary of Health and Human Services conduct an audit of a covered entity’s compliance with HIPAA. The Texas HHSC is also charged with periodic monitoring and with reviewing the results of audits. If the Texas HHSC becomes aware of egregious violations that demonstrate a pattern and practice, it may require a covered entity to submit to the Texas HHSC any federal risk analysis that the covered entity prepares to comply with HIPAA. In addition, if the covered entity is licensed by a state agency, the Texas HHSC may require that agency to conduct an audit to determine compliance.

Civil Penalties for Noncompliance. The state attorney general may institute an action for civil penalties for violations of the Medical Records Privacy Act under HB 300, not to exceed:
 $5,000 per violation per year if negligent;
 $25,000 per violation per year if knowing or intentional, regardless of the length of time of the violation within the year; or
 $250,000 for each violation if knowing or intentional and for financial gain.
 $1.5 million annually in the event there is a finding that violations have occurred with a frequency so as to constitute a pattern or practice.

Civil Penalties (continued). Factors for determining the appropriate financial penalty include:
 The seriousness of the violation;
 The entity’s compliance history;
 Whether the violation poses a significant risk of financial, reputational or other harm to the individual whose PHI was involved in the violation;
 Whether the covered entity was working with or as a certified entity, that is, certified to be in compliance with privacy and security standards being developed by the THSA as per Section of the Health and Safety Code;
 The amount necessary to deter future violations; and
 The covered entity’s efforts to correct the violation.

Additional Penalties: In addition to civil penalties, a covered entity that is licensed by a state agency is subject to investigation and disciplinary proceedings, including probation or suspension, by the licensing agency. Penalties for businesses that do not comply with the breach notification provisions include a civil penalty of not more than $100 for each person, per day, that is not notified, with a cap of $250,000 for a single breach, and possible felony charges.

Example: Sarah, an EMS worker, texts a photo of a motorcycle accident with the note “Saw this today” to her boyfriend, Paul, at the local Volunteer Fire Department. Paul has just completed HB 300 training. Paul recognizes the motorcycle and forwards the photo to his cousin, Clara, whose roommate, Lorenzo, was injured in the accident, asking, “Heard your roommate has two broken legs! Is Lorenzo out of ICU yet?” Clara replies, “He is better, but please pass it on to church to keep him in their prayers.” Clara also posts a request to “Pray for Lorenzo Smith, who was hurt in a motorcycle accident, and is in the hospital” on Facebook, and puts a note in the “In Our Prayers” box at church with Lorenzo’s name and that he is recovering from an accident. The pastor, Father Nixon, announces the prayer request to the congregation of 186 people. In the back of the room is a lawyer, Matthew, who texts his secretary about Lorenzo’s injuries and asks her to contact Lorenzo at the hospital regarding legal representation.

Number of Violations
 Sarah, EMS worker (EMS Service): no violation unless the information is identifiable: $0
 Volunteer Fire Department: negligent release x 1 at $5,000 = $5,000
 Paul, at Volunteer Fire Department: intentional release x 1 at $25,000 = $25,000
 Clara, cousin/roommate (reply, Facebook posting, prayer box): negligent release x 3 at $5,000 each = $15,000
 Pastor: negligent release x 186 at $5,000 each = $930,000
 Lawyer: intentional release for financial gain x 1 = $250,000
Total fines: $1,225,000

HB 300 Action Items
 Train staff
 Update policies and procedures
 Post notice
 Update disclosure authorization form
 Update BAA

Q & A
Contact Information:
WTxHITREC Main Number: (806)
Director of Critical Access and Rural Hospitals: Terry Alexander: (214)
Director of Regional Coordinators: Bruce Edmunds (915)
Director of Contracts: Cole Johnson (806)
Regional Coordinators (Trusted Advisors): Becky Jones: (806) Ext: 360; Cappi Phillips: (806); Sharon Rose: (806); Leta Cross-Gray: (325)
All addresses Example: