Texas mental health network: Unauthorized internet connection compromised 11k records

Texas mental health network: Unauthorized internet connection compromised 11k records

October 28, 2015 | Print  |



El Paso, Texas-based Emergence Health Network is notifying patients its server was compromised in August due to an unauthorized internet connection, although a third-party audit suggests no protected health information was disclosed during the breach.


The mental health network first began notifying patients Oct. 8 in a letter that detailed how the network became aware of the breach and what steps it was taking to follow up and ensure it wouldn't happen again.

"EHN does not have any proof that information such as Social Security number, date of birth, home address, was accessed or otherwise misused," an Oct. 16 statement from the company reads. "However, in an abundance of caution EHN will notify, via written notification, the affected individuals."

EHN is offering credit monitoring to any patients concerned their information may have been improperly accessed and says it is cooperating with officials to minimize the potential effects of the incident.

More articles on data breaches:

Cyberattack on Oklahoma home health, hospice company impacts 4,500
Employee email error compromises 1,260 patient records at Arkansas nephrology lab
8 things to know about the Cybersecurity Information Sharing Act


© Copyright ASC COMMUNICATIONS 2018. Interested in LINKING to or REPRINTING this content? View our policies by clicking here

Continue reading
149 Hits

Texas House Bill 300 (HB300) – Expanding on HIPAA Privacy and Security

Texas House Bill 300 (HB300) – Expanding on HIPAA Privacy and Security

Texas House Bill 300 (HB300) went into effect on September 1st which significantly expands patient privacy protections past that of federal laws HIPAA and HITECH.  This law is one of the most “strict” patient privacy state laws and it will be interesting to see if other states follow Texas’ lead.  HB 300 compliance deadline is 60 days after the effective date of September 1st 2012

Continue reading
129 Hits

Texas House Bill 300 Significantly Expands

Texas House Bill 300 Significantly Expands

State’s Patient Privacy Protections for Covered Entities

by Pamela D. Tyner

July 2012

Texas patient privacy protections will soon become more substantial. During the 82nd

legislative session in 2011, the Texas Legislature adopted House Bill 300 (“HB 300”), which

amends the Texas Medical Records Privacy Act (“Texas Act”) and takes effect on

September 1, 2012.1 Since HB 300’s effective date is nearing, Texas covered entities,

including out-of-state companies that use and/or disclose protected health information

(“PHI”) in Texas, must be aware of, and take steps now to ensure compliance with, the new

statutory requirements. In particular, HB 300 significantly expands patient privacy

protections for Texas covered entities beyond those federal requirements as outlined by the

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health

Information Technology for Economic and Clinical Health (or “HITECH”) Act2 by:

 revising the definition of a “covered entity”;

 increasing mandates on covered entities, including requiring customized employee


 establishing standards for the use of electronic health records (“EHRs”);

 granting enforcement authority to several state agencies; and

 increasing civil and criminal penalties for the wrongful electronic disclosure of PHI.

HB 300 significantly expands the definition of a Texas “covered entity.”3 Beginning

September 1, a “covered entity” will be defined as any person/entity who:

A. for commercial, financial, or professional gain, monetary fees, or dues, or on

a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and

1 Texas House Bill 300 amends Chapter 181, Texas Medical Records Privacy Act of the Texas Health

and Safety Code.

2 45 C.F.R., Parts 160 and 164.

3 Section 181.001(b), Texas Health and Safety Code.


with real or constructive knowledge, in the practice of assembling, collecting,

analyzing, using, evaluating, storing, or transmitting protected health


B. comes into possession of protected health information;

C. obtains or stores protected health information under this chapter; or

D. is an employee, agent, or contractor of a person described by Paragraph (A),

(B), or (C) insofar as the employee, agent, or contractor creates, receives,

obtains, maintains, uses, or transmits protected health information.

This revised definition is broad and includes not only health care providers but those entities

and individuals who under the “HIPAA Privacy Rule,” a federal regulation that protects the

privacy of individually identifiable health information, would be classified as business

associates and health care payers. In addition, the Texas Act’s “covered entity” definition

includes governmental units, information or computer management entities, schools, health

researchers, health care facility, clinics, and persons who maintain an Internet site. As a

result, this revision impacts any entity that conducts business in Texas and collects, uses,

and/or stores PHI.

In addition to expanding the definition of a “covered entity,” mandatory customized

employee training regarding state and federal patient privacy and security laws is one of the

significant changes to the Texas Act through the adoption of HB 300.4 Training must cover

federal and state regulatory requirements as well as include the covered entity’s course of

business and employees’ scope of employment as it relates to PHI use and disclosure.5

Employees of covered entities must complete training at least once every two years and not

later than 60 days after their hire date.6 This training requirement is an expansion of the

HIPAA Privacy Rule, which does not currently require customized staff training. Instead,

HIPAA requires that employees be trained “within a reasonable period of time” after hire

and after any material changes in applicable policies.7

Under the new law, Texas covered entities must provide patients with their EHRs in

electronic format within 15 business days after receipt of a written request. The Texas

Health and Human Services Commission will soon recommend a standard format for the

release of EHRs that is consistent with federal law.8 Also, following the Office of Civil

Rights’ recent lead, the website of the Office of the Attorney General of Texas will contain

consumer access to public health information to educate members of the public,9 including

the steps to take to file a complaint with applicable state agencies and their contact

information. These state agencies will file annual complaint reports to the Attorney General

of Texas. Then, the Attorney General will provide an annual report to the Texas Legislature

that includes an overview and statistical analysis of the complaints received.

4 Section 181.101, Texas Health and Safety Code.

5 Section 181.101(a), Texas Health and Safety Code.

6 Section 181.101(b), Texas Health and Safety Code.

7 45 C.F.R. Section 164.530 (b)(2). The HIPAA Privacy Rule also requires that covered entities document

training that has been provided.

8 HIPAA allows covered entities 30 days to respond to a request to provide copies of EHRs.

9 Section 181.104, Texas Health and Safety Code.


The law also broadens the scope of covered entities’ Notice of Privacy Practices or other

general notices to inform patients about how their e-PHI is used and disclosed.10 Note that

for some entities, this will mean the need to issue a notice if the PHI is subject to electronic

disclosure, e.g., for entities such as business associates that would not be required to issue

a Notice of Privacy Practices under the HIPAA Privacy Rule. In addition, HB 300 authorizes

civil penalties ranging from $5,000 to $1.5 million for data breaches, depending on the

severity of the breach, the covered entity’s compliance program, if entity was certified,11 and

its efforts to correct the violation.12 Besides these increased civil monetary penalties, a data

breach may also be classified as a felony.13


With the September 1, 2012, effective date quickly approaching, Texas covered entities

should take immediate steps to ensure compliance with the new more stringent state

requirements. To meet this deadline, covered entities should ramp up their efforts to

provide customized employee training on state and federal privacy and security

requirements, update their Notice of Privacy Practices, and review and update policies to

incorporate the new statutory requirements.

* * *

This Client Alert was authored by Pamela D. Tyner. For additional information about the

issues discussed in this Client Alert, please contact the author or the Epstein Becker Green

attorney who regularly handles your legal matters.

About Epstein Becker Green

Epstein Becker & Green, P.C., founded in 1973, is a national law firm with approximately 300 lawyers practicing in 11

offices, in Atlanta, Boston, Chicago, Houston, Indianapolis, Los Angeles, New York, Newark, San Francisco,

Stamford, and Washington, D.C. The firm is uncompromising in its pursuit of legal excellence and client service in its

areas of practice: Health Care and Life Sciences, Labor and Employment, Litigation, Corporate Services, and

Employee Benefits. Epstein Becker Green was founded to serve the health care industry and has been at the

forefront of health care legal developments since 1973. The firm is also proud to be a trusted advisor to clients in the

financial services and hospitality industries, among others, representing entities from startups to Fortune 100

companies. Our commitment to these practices and industries reflects the founders' belief in focused proficiency

paired with seasoned experience. For more information, visit

Continue reading
224 Hits

Texas HB300: What You Need to Know

Texas HB300: What You Need to Know

Texas House Bill 300, known commonly as HB300, was passed by the 82nd Texas Legislature and went into effect on September 1, 2012. The law significantly amends several Texas laws to increase the protections and security associated with the storage and handling of protected health information (PHI). The law also incorporates changes to the definitions of a Texas Covered Entity (CE) separate from the criteria laid down by HIPAA regulation. The main components of HB300 are listed below, followed by detailed explanations:

  • The expanded definition of a CE that operates or does business in Texas
  • Broader regulation regarding CEs, including customized employee training
  • Formal standards for the handling of electronic health records (EHRs)
  • Faster Patient Access to EHRs
  • Greater accountability for Business Associates (BAs)
  • Stricter civil and criminal penalties for unregulated electronic disclosure of PHI
  • Selected state agencies’ authority to enforce these regulations

Expanded Definition of a CE

Under HB300, the definition of a CE is now far more extensive. The law expands the definition of a Texas CE to include:

  • Any person who assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI. CEs now refer to any “BA, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an internet site.”
  • comes into possession of PHI
  • obtains or stores PHI
  • Any employee, agent, or contractor of any person who meets the above criteria and handles PHI in any way

Customized Employee Training Requirements

All new employees who, in any way, handle or encounter PHI or sensitive personal information (SPI) are required to undergo privacy training within 60 days of hiring, with additional training sessions completed at least once every two years. Under HB300, these training sessions need to be customized to an employee’s individual role in an organization and must take into account the specific ways in which they are expected to handle PHI or SPI. Sessions must be documented and verified with employee signatures upon their attendance.

Standards for Handling EHRs

If a CE creates or receives a patient’s PHI they must notify that patient if their PHI is going to be electronically disclosed. Before the PHI can be transmitted, the patient needs to give their legal authorization, unless it’s being transmitted to another CE for use in treatment, payment, or insurance purposes.

Faster Patient Access to EHRs

Physicians who use EHRs must provide patients access to their records in electronic form within 15 business days of having received a written request. This is in contrast to the 30 day rule that HIPAA allows. The records can be provided in a different format if a practice is unable to produce an electronic copy, or if the patient has agreed in advance.

Greater Accountability for BAs

Along with the broader definition of a CE, HB300 also incorporates stricter accountability for all businesses that handle PHI in any way. Unless a BA has absolutely no contact with PHI, they need to incorporate the following regulations into their communications and interactions with a CE:

  • BAs must immediately notify their corresponding CE when a breach is discovered
  • Business Associate Agreements (BAAs) must specify if the BA or CE will notify breach-affected individuals by mail, in addition to who will incur the cost
  • Contract termination if a BA fails to properly address a breach or is non-compliant with HB300 regulation
  • BAs must provide evidence that they perform annual security risk analyses
  • BAs must provide evidence that their employees have received the proper privacy training
  • BAs must encrypt PHI on mobile devices, during electronic or online exchanges of PHI, and in other high risk circumstances

Stricter Enforcement Penalties

HB300 is primarily enforced through financial penalties and disciplinary actions if an audit detects a breach in compliance. The consequences of the breach should be determined by the severity of the violation, the practice’s history of compliance, the harm that has been done as a result of the breach, and the remediation measures taken to correct the violations. Fines in civil suits are broken down as follows:

  • $5,000 per violation if the breach was committed negligently
  • $25,000 per violation if the breach was committed knowingly or intentionally
  • $250,000 per violation if the breach was committed intentionally and PHI is being distributed for financial gain
  • $1.5 million if the breach is a part of a “pattern of practice”
Continue reading
163 Hits

HIPAA / HITECH Act / Texas HB 300 What Does It Mean and Why Should I Care?

HIPAA / HITECH Act / Texas HB 300
What Does It Mean and Why Should I Care?

Friday, September 27, 2013
9:00 a.m. - 12:00 p.m. - 3 CE Hours

Greater Houston Dental Society
One Greenway Plaza, Ste. 110
Houston, TX 77046

Presented by Ms. Jill Yeager


$50 - GHDS Members / Staff
$60 - Non GHDS Members / Staff

HIPAA HAS CHANGED! Make sure you are up-to-date on recent changes to the Health Insurance Portability and Accountability
Act/Health Information Technology for Economic Clinical Health Act (HIPAA/HITECH Act) and Texas House Bill 300. We will
discuss what they mean and how you can comply. With increased compliance enforcement by the Office for Civil Rights and
significantly higher fines for non-compliance, it is time to understand how these regulations impact your practice.

You will leave the course with:
• A step-by-step plan to help you understand, prepare and implement a compliance program for your office
• Sample forms & policies
• Checklists
• Risk assessment evaluations
• Training guidance

Jill Yeager has been working in dentistry for 30 years. She has been speaking in Texas for the Texas Dental Association, Greater
Houston Dental Society and University of Texas School of Dentistry at Houston and working with offices on compliance issues
(OSHA, HIPAA, Radiation Safety & CPR) since 1988. She understands the realities of compliance because she faces those challenges
on a daily basis.

The Greater Houston Dental Society is an ADA CERP recognized provider. ADA CERP is a service of the American Dental Association to
assist dental professionals in identifying quality providers of continuing dental education. ADA CERP does not approve or endorse individual
courses or instructors, nor does it imply acceptance of credit hours by boards of dentistry.

The Greater Houston Dental Society designates this program for three continuing education credits.


Payment is required with registration and must be made by Monday, September 23, 2013; otherwise, the reservation is not
guaranteed. Cancellations prior to September 23rd will be assessed a 25% administrative fee. No refunds for any reason after
Monday, September 23, 2013. Registration includes parking.

Continue reading
261 Hits

Blog Archive


Get a 10% Discount in Your Inbox

Where to find us?

Compliance Learning Solutions, LLC
395 Sawdust Road, Suite 2136
The Woodlands, Texas 77380-2299
Phone Number