“I think they mean it.” The new medical records privacy law in Texas
By B. Joyce Yeager, CIPP/US
Revisions to the Texas Medical Records Privacy statute, which take effect on Sept. 1, expand existing requirements for those who have access to medical information pertaining to others. House Bill 300 (HB 300) provides that covered entities, as defined in the statute, must comply with expanded responsibilities pertaining to health information. The act imposes upon these covered entities additional duties beyond those dictated by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Because HIPAA preempts only state laws that are contrary to and less stringent than its own requirements, and the state statute affords additional protections beyond those provided by HIPAA, no federal preemption issue should exist.
Penalties for failure to comply are substantial and include civil monetary penalties, the potential for loss of professional licensing and even the potential for state law criminal felony prosecution. Entities and individuals within the state who have access to medical information of others have significant new responsibilities. It appears as though the legislature is serious about the protection of state residents’ personal medical information and identifying demographics.
The purpose of the act: Protection
Expressing concern about the potential for sale or unauthorized disclosure of personal health information, the legislature places tight restrictions on the manner in which patient data may be shared. The legislature notes:
Provisions of recent federal legislation establish incentives designed to increase the adoption of electronic health record systems among certain healthcare providers. The expanded use of such systems is likely to lead to the expansion of the electronic exchange of protected health information, which may require stronger state laws to better ensure the protection of that information. [HB 300] seeks to increase privacy and security protections for protected health information.
In light of these concerns, the legislature mandates authorization before a provider may transfer patient data. HB 300 is intended to provide Texans with significant additional protections beyond those provided by the federal HIPAA privacy rule, and Texas intends to be in the vanguard of health privacy regulation.
The need for protection is obvious. The Ponemon Institute’s December 2011 study, Second Annual Benchmark Study on Patient Privacy and Data Security, reports that 96 percent of the 72 healthcare providers surveyed nationwide indicated they had experienced a data breach in 2011 and that lost and stolen devices and employee actions accounted for almost half of the breaches.
The statute’s elements: An overview
What is covered? What is PHI?
The act defines an individual’s protected health information, for a governmental entity, to include any information that reflects that an individual received healthcare from a covered entity that is not public information subject to disclosure by Chapter 552 of the Government Code. For others, the definition of “protected health information” is engrafted from HIPAA.
The act incorporates the HIPAA provisions in effect as of Sept. 1, 2011. The executive commissioner of the Texas Health and Human Services Commission is to determine whether it is in the best interest of the state to adopt any amendments made to these federal provisions after Sept. 1, 2011. As defined in HIPAA, individually identifiable health information includes demographic data and health information created or received by a healthcare provider, health plan or healthcare clearinghouse that relates to:
An individual’s past, present or future physical or mental health or condition;
The provision of healthcare to an individual;
The past, present or future payment for the provision of healthcare to the individual, and
And that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
“Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number or Social Security number or other information that, alone or in combination with other publicly available information, reveals the individual's identity. Health information means any information, whether oral or recorded in any form or medium, that:
Is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or healthcare clearinghouse and
Relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual, or the past, present or future payment for the provision of healthcare to an individual.
HIPAA defines a healthcare provider as “a provider of medical or health services and any other person or organization who furnishes, bills or is paid for healthcare in the normal course of business.” Protected health information, in turn, is defined as individually identifiable health information that is:
Transmitted by electronic media;
Maintained in electronic media, or
Transmitted or maintained in any other form or medium.
Excluded from this definition of protected health information is information within certain educational records and in employment records.
Because the act incorporates the definitions of HIPAA, this article discusses HIPAA in some detail. It will not directly address, however, the related federal provisions commonly referred to as HITECH: the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5, 123 Stat. 115, § 13001 et seq. (Feb. 17, 2009). Detailed analysis of the HITECH provisions and their interaction with the act is beyond the scope of this overview article. For a discussion of HITECH and the Texas privacy laws, see Patricia Gray’s “Implementing Privacy and Security Standards in Electronic Health Information Exchange” (University of Houston Health Law & Policy Institute, August 2011).
Who is covered? Who is a covered entity?
Chapter 181 of the Health and Safety Code, the Medical Records Privacy statute, will continue to define a “covered entity” to be any person who:
For commercial, financial or professional gain, monetary fees or dues, or on a cooperative, nonprofit or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information;
Comes into possession of protected health information;
Obtains or stores protected health information under the federal statute and regulations, or
Is an employee, agent or contractor of one of these persons who creates, receives, obtains, maintains, uses or transmits protected health information.
This includes a business associate, healthcare payer, governmental unit, information or computer management entity, school, health researcher, healthcare facility, clinic, healthcare provider or person who maintains an Internet site. The Texas Medical Records Privacy statute, then, regulates anyone who comes into possession of protected health information (PHI) or is an employee, agent or contractor who creates, receives, obtains, maintains, uses or transmits PHI. There are exemptions in the state act for:
Workers compensation plans and self-insured workers compensation plans;
Employee benefits plans;
Educational records covered by the Family Educational Rights and Privacy Act;
Nonprofits who pay for indigent medical care but have no medical primary purpose;
Processors of payment transactions in financial institutions and handlers of criminal offenders with mental impairments. (See Jocelyn Dabeau’s presentation from the “Are Things Really Bigger in Texas?” session at the IAPP Privacy Academy 2011 for more information.)
After the effective date of HB 300, also excluded from coverage of the act will be those involved with crime victim compensation.
What activities are restricted?
It is important to note one key provision of the act. The Texas statute contains one profoundly impactful, although seemingly innocuous, provision. The state statute defines the word “disclose” to mean any action to “release, transfer, provide access to or otherwise divulge information outside the entity holding the information.” It is critical to fully absorb the impact of this definition. Anyone who transfers information, divulges information or provides access to information must be aware of the implications of doing so without an authorization. Taken literally, the definition of disclosure is so broad that it would encompass almost any activity involving the health information or demographics of others. Any information about an individual’s condition, care, payment or identity is protected from being divulged or accessed, no matter the form in which it is maintained. Any covered entity, including associates of a covered entity, is affected by the statute in some manner. Exceptions are limited, and the breadth of the statute’s reach is staggering.
Sale of information
Of even greater significance is the act’s strict ban on the sale of protected health information. A covered entity may not disclose an individual’s protected health information to any other person in exchange for direct or indirect remuneration. Exceptions only allow disclosure to another covered entity under the statute or a covered entity under the Insurance Code for treatment, payment, healthcare operations and insurance or certain HMO functions or as otherwise authorized or required by law. Further, any charges for the disclosure for treatment, payment, healthcare operations or to perform an insurance function cannot exceed the covered entity’s reasonable costs in preparing and transmitting the PHI.
Because the act restricts disclosure of health information for even indirect remuneration, it reaches well beyond an outright sale of information. Any transfer that results in even indirect financial gain is restricted unless it is associated with treatment, payment, operations or insurance functions, or is otherwise authorized or required by law. The ban contains no mechanism that would permit such a disclosure, not even after notice and consent or authorization; disclosure for remuneration is flatly prohibited. Because even indirect remuneration is covered, the act could implicate, for example, social media interactions or advertising in the form of patient testimonials, even where these result from patient consent or are initiated by the patient.
Whether activities that might result in indirect remuneration may nonetheless be undertaken with the consent or authorization of the owner of the information, because those actions are constitutionally protected as, for example, free speech or commercial speech, is beyond the scope of this overview article. For discussion of such principles, see, e.g., Sorrell v. IMS Health, Inc., __ U.S. __, 131 S.Ct. 2653 (2011). In Sorrell, the United States Supreme Court held that the restrictions on the sale, disclosure and use of pharmacy records imposed by Vermont’s Prescription Confidentiality Law, Vt. Stat. Ann. tit. 18, § 4631(d), were unconstitutional because the statute, which imposed content-based and speaker-based burdens on protected expression, banned sales of the information to only some potential users. A complete ban would be more likely to pass constitutional muster.
What additional duties are imposed? Consumer access, notice, training
Patient access to records
The act provides that if a healthcare provider is using an electronic healthcare records system that is capable of fulfilling the request, the healthcare provider, no later than 15 business days following the written request for an electronic healthcare record, must provide the information electronically unless the person making the request agrees to accept the record in another form. An exception is available for records exempt pursuant to 45 C.F.R. § 164.524 for specific types of records such as certain psychotherapy notes, information compiled for use in certain legal proceedings and certain select laboratory records.
The executive commissioner of Texas Health and Human Services, in consultation with the Department of State Health Services, the Texas Medical Board and the Texas Department of Insurance, may recommend a standard electronic format, but any format recommended must be consistent with federal law regarding the release of medical records. As of this writing, the executive commissioner’s office had not yet made a determination concerning the undertaking of this unenviable task. There can be no doubt that the choice of the word “may” in the statute was an intentional one.
Notice and authorization requirements
Any covered entity that creates or receives protected health information must provide notice to individuals if their protected health information is subject to electronic disclosure. The duty to provide notice is, however, only a general one, and the notice can be provided by:
Posting written notice in the place of business;
Posting notice on a website, or
Posting notice in a place where individuals whose PHI is subject to electronic disclosure are likely to see the notice.
According to Texas Health Services Authority General Counsel Jocelyn Dabeau, this notice must be conspicuous and understandable.
Of greatest significance, perhaps, to medical practitioners is the requirement that a covered entity may not electronically disclose an individual’s protected health information to any person without a separate authorization from the individual, or the individual’s legally authorized representative, for each disclosure. The authorization for electronic disclosure is not required, however, if the disclosure is made to another covered entity under the act, or to any covered entity as defined by Section 602.001 of the Insurance Code, solely for purposes of treatment, payment or healthcare operations, or for performing health maintenance organization functions as defined by the Insurance Code, or if the disclosure is otherwise authorized or required by state or federal law. The authorization may be given in written form, in electronic form or orally, provided that an oral authorization is documented in writing by the covered entity. The state attorney general will adopt a standard form for obtaining authorizations, and the form will also comply with the HIPAA privacy standards, if possible. As of this writing, the state attorney general did not yet have an anticipated release date but noted that Section 22 of the act provides for a date of January 1, 2013.
This author assumes that for any such oral authorization to be valid, it would require contemporaneous documentation of the request at the time it was made. As a practical matter, given the audit functions provided in the act (discussed, infra), it would be a best practice to maintain a separate chart for all such patient HIPAA and state privacy law interactions, if possible. In addition, when orally accepting a request for disclosure or accepting a written request in person or electronically, it would be a best practice to again provide general notice about the electronic disclosures.
Covered entities must provide a training program on state and federal law pertaining to protected health information as it relates to the covered entity’s particular course of business. Each employee must be trained, but only to the extent required to function within the employee’s scope of employment. This training must be completed within 60 days of employment and at least once every two years. The covered entity shall require employees who attend training to sign an electronic or written statement verifying attendance at the training program, and the covered entity is to maintain the signed statement.
The act, unfortunately, does not provide for any governmental or educational entity to give input into the content of training programs or to certify those who will provide the training. As of Sept. 15, 2011, no state agency was contemplating oversight of training programs, and the state attorney general’s office is planning no such function.
The act does not provide a deadline for a covered entity to provide training for those employees who are already employed as of the effective date of the act. However, given the mitigation available as to the potentially onerous penalties for noncompliance—see section below entitled “What are the penalties for noncompliance?”—a covered entity would be engaged in best practices if all employees were provided, at a minimum, training applicable to their job function as soon as practicable.
It can be logically assumed that less substantive training would be required for someone who merely filed a patient’s paper chart onto the proper place on a shelf than would be required for someone who was responsible for the electronic transmission of records or someone who was responsible for the covered entity’s privacy policies or administration. However, anyone who has access to patient records or gains access to patient information is capable of disclosure or breach. In the event that any resulting civil penalty could be mitigated by the existence of a training program (see discussion, infra), providing training to employees and requiring that vendors and business associates, and, particularly, those providing information technology services, also demonstrate compliance with training requirements would be very beneficial. In the event one finds himself or herself with a need, in the future, to argue for mitigation of any civil penalties to be imposed, the existence of evidence of uniform, substantive training will be helpful. In the event training is undertaken from within an organization, best practices would involve retaining records of the training content as well as those who were trained.
What are the penalties for noncompliance? Audits, monetary fines, felony criminal charges, loss of professional licenses
The Texas Health and Human Services Commission, in connection with the state attorney general, the Texas Health Services Authority and the Texas Department of Insurance, may request that the U.S. secretary of health and human services conduct an audit of a covered entity as to the compliance of the covered entity with HIPAA. The commission is also charged with periodic monitoring and review of the results of audits of covered entities from within the state that are conducted by the U.S. secretary of health and human services. It is unclear what authority the federal auditors would have to monitor for state law violations or whether federal auditors would even be aware of state law violations given that the state law requirements are more extensive than the federal. The U.S. Department of Health and Human Services has embarked on a program of federal audits that is expected to run through December.
If the Texas Health and Human Services Commission becomes aware of egregious violations that demonstrate a pattern and practice, it may require a covered entity to submit to the commission any federal risk analysis that the covered entity prepares in order to comply with HIPAA. In addition, if the covered entity is licensed by a state agency, the commission may request the licensing agency to conduct an audit of the covered entity’s system to determine compliance with the act.
A not insignificant number of potentially overlapping regulatory schemes and enforcement authorities could be implicated by this requirement in the act. For a discussion of the state laws impacting health information regulation, see Cynthia Marietta and Patricia Gray’s “Medical Information Privacy in Texas” (University of Houston Health Law & Policy Institute, February 11) and the section below entitled “Do other privacy laws exist as well?” The act does not require training for any state or federal agency enforcement personnel.
Civil penalties for noncompliance
In addition to the injunctive relief already available pursuant to the current Health and Safety Code Section 181.201(a), the state attorney general may, after the effective date of the act, institute an action for civil penalties for violations of the act not to exceed:
$5,000 per violation per year if negligent;
$25,000 per violation per year if knowing or intentional, regardless of the length of time of the violation within the year, or
$250,000 for each violation if knowing or intentional and for financial gain.
In the event an adjudicator finds that the violations have occurred with a frequency so as to constitute a pattern or practice, the total amount of any civil monetary penalty that the court may assess is not to exceed $1.5 million annually.
A discussion of applicable definitions for the terms “negligent” and “knowing and intentional” is beyond the scope of this overview article. Language contained within the regulations applicable to the Social Security Act seems helpful in describing levels of culpability in civil administrative proceedings. Penalties may be limited or mitigated if the disclosure was made only to another covered entity for purposes of treatment, payment, healthcare operations or performing functions of a health maintenance organization; if the information disclosed was encrypted or transmitted using encryption technology, or if the covered entity had, at the time of the disclosure, maintained proper procedures, including implementation of security procedures and training. The act also provides factors for determining the appropriate financial penalty, including:
The seriousness of the violation;
The entity’s compliance history;
Whether the violation poses a significant risk of financial, reputational or other harm to the individual whose protected health information was involved in the violation;
Whether the covered entity was working with or as a certified entity, that is, certified to be in compliance with privacy and security standards being developed by the Texas Health Services Authority as per Section 182.108 of the Health and Safety Code for the electronic sharing of protected health information;
The amount necessary to deter future violations, and
The covered entity’s efforts to correct the violation.
It is this author’s contention that one should not have to establish harm to the victim in such instances. In order to determine the financial penalty, adjudicators will consider, in the event of disclosure, both monetary and nonmonetary losses.
Nonmonetary losses include humiliation, embarrassment, mental anguish, fear of social ostracism and other severe emotional distress. An excellent discussion of non-economic damages is contained in the Electronic Privacy Information Center’s FAA v. Cooper, Concerning Emotional Injury as Harm Under the Privacy Act. See also “Will Supreme Court Ruling in Pilot Case Apply to Other ‘Harm’ Cases?” Nonmonetary victim losses also include the increased risk that personal health facts will continue to be disclosed, the increased risk of identity theft and the increased risk of medical identity theft. Patients themselves express the concern that their data will be misused for commercial gain, that disclosure will result in embarrassment, that disclosure will compromise their personal safety, that their data will be used in a discriminatory fashion impacting their lives and care, that there will be no opportunity to correct any false information circulated and that there will be loss of their data or loss of access to their data. Patients are also concerned about the ability of organizations to accurately provide notification.
Losses to a healthcare provider in the event of an unauthorized disclosure are also not insignificant and include the costs associated with the potential loss of the economic value of a patient who no longer associates with an organization following a breach. At least one study identifies the lifetime economic value, on average, of one patient or customer to fall within a range from $10,000 to more than $1,000,000.
In addition to civil penalties, a covered entity that is licensed by a state agency is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. A license may be revoked if the violations are egregious and constitute a pattern and practice. The attorney general of the state may institute an action for violation of the act against a covered entity that is licensed by a licensing agency of this state for a civil financial penalty only if the licensing agency refers the violation to the attorney general.
What other resources will be available? Websites, standards
The Texas attorney general is to develop and provide a consumer information website that will include information on the manner in which to make a complaint. As of this writing, the state attorney general did not yet have an anticipated release date but noted that Section 22 of the act provides for a date of May 1, 2013. The author notes that the act becomes effective Sept. 1. Certain materials are directed, by statute, to be included on the website. The Texas attorney general is also charged with monitoring consumer complaints and with reporting on the complaints after de-identifying the protected health information.
The Texas Health Services Authority is tasked with rulemaking for the certification of entities undertaking the electronic exchange of protected health information. The Texas Health Services Authority is to establish standards for the secure electronic exchange of protected health information. The authority must develop, and submit to the Health and Human Services Commission for ratification, the privacy and security standards for electronic sharing. The authority is also tasked with developing voluntary operations and technical standards for health information exchanges in Texas. Some have expressed concern about how the consent options that health information exchanges will offer can be reconciled with the act’s requirement of authorization for the release of information.
What other state statutes are amended or affected? Breach notification laws, the Insurance Code
In HB 300, the legislature also expanded the state’s breach notification requirements already existing in the Business and Commerce Code at Sections 521.053 and 521.151. The expanded notification will require notice not only to state residents in the event of a breach, as previously required, but also to all affected individuals. Because notice is to be given to all individuals and not only state residents, the reach of the statute in its regulation of any covered entity within the state will undoubtedly have nationwide or even global impact. The Dallas Regional Chamber of Commerce estimates the healthcare industry contributes $52 billion annually to the Dallas-Fort Worth area alone, supporting an estimated 601,000 regional jobs and driving up to 15 percent of the area economy. In addition to time and productivity losses in the event of a breach, the economic impacts identified in one study estimated costs for data breach incidents to hospitals surveyed to be in a range from $10,000 to more than $10,000,000 per entity in a two-year period.
Texas’s Business Code already includes notice requirements for breaches of information pertaining to “personal identifying information,” identified in the Business Code breach notification provisions to include biometric data, the physical or mental health or condition of an individual, the provision of healthcare to an individual or the payment for the provision of healthcare to the individual. HB 300 added to the breach notification penalty provisions of Business and Commerce Code Section 521.151 the ability to recover additional civil penalties of up to $100 per day, per individual affected, for an unreasonable delay in notification or failed notification of a breach of data. Although the breach statute does not incorporate the act’s definition of PHI, the definition employed in the Business Code breach statute is broad enough to include PHI. Including enhanced fines for the failure to notify in the event of a breach within the act without revising the Business Code to include a revised definition of PHI demonstrates the legislature’s intent for the two statutes to work in an interrelated fashion.
Offenses for the use of a scanning device or re-encoder to access, read, scan, store or transfer information encoded on the magnetic strip of a payment card without the consent of an authorized user of the payment card and with intent to harm or defraud another were previously codified as a Class B misdemeanor under the Business and Commerce Code. Now, however, if such an offense also involves protected health information as defined by HIPAA, the offense is a felony. An offense is treated as committed before the effective date of the act, and so governed by the prior law, if any element of the offense occurred before Sept. 1, 2012. It is worth noting again that payment processors at financial institutions are not covered entities, however.
The Insurance Code
The State Insurance Code, Chapter 602, was amended by HB 300 to require those covered by Chapter 602 of the Insurance Code to comply with Chapter 181, the Medical Records Privacy statutory provisions. Consequently, the act now also pertains to insurance companies that are exempt from HIPAA, including:
County mutual insurance companies
Farm mutual insurance companies
Fraternal benefit societies
Group hospital service corporations
Local mutual aid associations
Mutual insurance companies
Reciprocal or inter-insurance exchanges
Statewide mutual assessment companies
Stipulated premium companies
Health maintenance organizations
These individuals and organizations must comply with the act’s provisions when it becomes effective on Sept. 1. The distinctions in the Insurance Code between “health information” and “nonpublic health information,” defined by Section 602.001 of the Insurance Code, are beyond the scope of this overview article. Section 602.002 of the Insurance Code provides that this chapter of the Insurance Code does not apply to a covered entity that is required to comply with the standards governing the privacy of individually identifiable health information adopted by the United States Secretary of Health and Human Services under Section 262(a), Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d, et seq.). Section 602.003 of the Insurance Code indicates the chapter does not preempt or supersede state law in effect on July 1, 2002, that relates to the privacy of medical records, health information or insurance information. Section 602.053 of the Insurance Code provides exceptions that allow a covered entity to disclose nonpublic personal health information to the extent that the disclosure is necessary to perform the specified insurance or health maintenance organization functions, as identified in that provision, on behalf of the covered entity. The definition of “health information” in the Insurance Code does not include age and gender.
Do other privacy laws exist as well?
Other state statutes and common law principles are neither displaced nor subsumed by the act’s provisions, including the existing body of legal and ethical principles pertaining to patient privileges. There are myriad additional privacy statutes and regulations that will not be subsumed within the act. Other state statutes contain restrictions on the disclosure of records currently applicable to a variety of healthcare facilities, such as nursing facilities, rehabilitation facilities, surgery centers and emergency rooms. Mental health professionals also have their own patient privilege laws and ethical codes, particularly as to psychotherapy notes of a patient whose provider determines that disclosure would not serve the patient’s best interests. HIV and AIDS records and records pertaining to other communicable diseases are also subject to their own distinct disclosure provisions. Genetic information is separately regulated, as are substance abuse records, certain health study records, occupational condition reporting and records pertaining to minors, inmates and students. Biometric identifiers, Medicaid, State Children’s Health Insurance Program beneficiaries, other government records containing health information and peer review committee investigation records are all given separate treatment in Texas law. Some of these laws, unlike the act, provide individuals with a cause of action for unauthorized disclosure.
It is clear that the attorney-client privilege would apply to disclosures between an attorney and the attorney’s own client. It is far less clear that attorneys handling the protected health information of others in other contexts would fall outside the definition of a covered entity. The legislature carved out exceptions where it thought them applicable, and the legal profession was not given one.
HB 300 is aggressive in its reach. Its penalty provisions, if and when enforced, will almost certainly be a solid deterrent to all except the most unscrupulous and most careless. It is unfortunate that the burdens of compliance could further exacerbate the already burdensome administrative overlay existing for those in the state who provide healthcare and related services. Given the magnitude of the need for the protection of health information and patient demographics, however, state governments can do no less than take an aggressive approach to supplement federal law pertaining to medical privacy. The provisions of House Bill 300 could create enormous exposure for covered entities as well as licensed individuals and groups. It should follow, then, that associations and individuals will be highly motivated to comply with the act and to protect protected health information. The legislature was clearly serious, and the citizens of the state now wait to see whether enforcement will bear out legislative intent.
House Bill 300, enacted June 17, 2011, is codified at Health and Safety Code Sections 181.001, 181.004, 181.005, 181.006, 181.059, 181.101, 181.102, 181.103, 181.104, 181.153, 181.154, 181.201, 181.202, 181.205, 181.206, 181.207, 182.002, 182.108; Business and Commerce Code Sections 521.053, 521.151, 522.002; Government Code Section 531.0994; and Insurance Code Section 602.054.