The Privacy Advisor

“I think they mean it.” The new medical records privacy law in Texas

By B. Joyce Yeager, CIPP/US

Revisions to the Texas Medical Records Privacy statute, which take effect on Sept. 1, expand existing requirements for those who have access to medical information pertaining to others. House Bill 300 (HB 300) provides that covered entities, as defined in the statute, must comply with expanded responsibilities pertaining to health information. The act imposes upon these covered entities additional duties beyond those that are dictated by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Because the state statute affords additional protections beyond those provided by HIPAA, no federal preemption issue should exist.

Penalties for failure to comply are substantial and include civil monetary penalties, the potential for loss of professional licensing and even the potential for state law criminal felony prosecution. Entities and individuals within the state who have access to medical information of others have significant new responsibilities. It appears as though the legislature is serious about the protection of state residents’ personal medical information and identifying demographics.

The purpose of the act: Protection

Expressing concern about the potential for sale or unauthorized disclosure of personal health information, the legislature places tight restrictions on the manner in which patient data may be shared. The legislature notes:

Provisions of recent federal legislation establish incentives designed to increase the adoption of electronic health record systems among certain healthcare providers. The expanded use of such systems is likely to lead to the expansion of the electronic exchange of protected health information, which may require stronger state laws to better ensure the protection of that information. [HB 300] seeks to increase privacy and security protections for protected health information.

In light of the concerns, the legislature mandates authorization before a provider may transfer patient data. HB 300 is intended to provide Texans with significant additional protections beyond those provided by the federal HIPAA privacy rule, and Texas intends to be among the vanguards in health privacy regulation.

The need for protection is obvious. The Ponemon Institute’s December 2011 study—Second Annual Benchmark Study on Patient Privacy and Data Security—estimates that as many as 96 percent of all 72 national healthcare providers surveyed indicated they experienced a data breach in 2011 and that lost and stolen security devices and employee actions accounted for almost half of the breaches.

The statute’s elements: An overview

What is covered? What is PHI?

The act defines an individual’s protected health information, for a governmental entity, to include any information that reflects that an individual received healthcare from a covered entity that is not public information subject to disclosure by Chapter 552 of the Government Code. For others, the definition of “protected health information” is engrafted from HIPAA.

The act incorporates the HIPAA provisions in effect as of Sept. 1, 2011. The executive commissioner of the Texas Health and Human Safety Commission is to determine whether it is in the best interest of the state to adopt any amendments made to these federal provisions which might be made at the federal level after Sept. 1, 2011. As defined in HIPAA, individually identifiable health information includes demographic data and health information created or received by a healthcare provider, health plan or healthcare clearinghouse that relates to:

• An individual’s past, present or future physical or mental health or condition;
• The provision of healthcare to an individual;
• The past, present or future payment for the provision of healthcare to the individual, and
• The identity of the individual or with respect to which there is a reasonable basis to believe it can be used to identify the individual.

“Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number or Social Security number or other information that, alone or in combination with other publicly available information, reveals the individual's identity. Health information means any information, whether oral or recorded in any form or medium, that:

• Is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or healthcare clearinghouse and
• Relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual, or the past, present or future payment for the provision of healthcare to an individual.

HIPAA defines a healthcare provider as “a provider of medical or health services and any other person or organization who furnishes, bills or is paid for healthcare in the normal course of business.” Protected health information, in turn, is defined as individually identifiable health information that is:

• Transmitted by electronic media;
• Maintained in electronic media, or
• Transmitted or maintained in any other form or medium.

Excluded from this definition of protected health information is information within certain educational records and in employment records.

Because the act incorporates the provisions of HIPAA, a more thorough discussion of HIPAA is required for this article. This article will not directly address, however, provisions of related federal laws commonly referred to as HITECH—the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 115-5, 123 Stat. 115, Health Information Technology for Economic and Clinical Health (HITECH Act), Sect. 13000, et seq. (Feb. 17, 2009). Detailed analysis of the HITECH provisions and the act are beyond the scope of this overview article. For a discussion of HITECH and the Texas Privacy Laws, see, Patricia Gray’s “Implementing Privacy and Security Standards in Electronic Health Information Exchange” (University of Houston Health Law & Policy Institute, August 2011).

Who is covered? Who is a covered entity?

Section 181 in the Medical Records Privacy statute will continue to define a “covered entity” to be any person who:

• For commercial, financial or professional gain, monetary fees or dues, or on a cooperative, nonprofit or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information;
• Comes into possession of protected health information;
• Obtains or stores protected health information under the federal statute and regulations, or
• Is an employee, agent or contractor of one of these persons who creates, receives, obtains, maintains, uses or transmits protected health information.

This includes a business associate, healthcare payer, governmental unit, information or computer management entity, school, health researcher, healthcare facility, clinic, healthcare provider or person who maintains an Internet site. The Texas Medical Records Privacy statute, then, regulates anyone who comes into possession of personal health information (PHI) or is an employee, agent or contractor who creates, receives, obtains, maintains, uses or transmits PHI. There are exemptions in the state act for:

• Workers compensation plans and self-insured workers compensation plans;
• Employee benefits plans;
• Educational records covered by the Family Educational Rights and Privacy Act;
• Nonprofits who pay for indigent medical care but have no medical primary purpose;
• Processors of payment transactions in financial institutions and handlers of criminal offenders with mental impairments. (See Jocelyn Dabeau’s presentation from the “Are Things Really Bigger in Texas?” session at the IAPP Privacy Academy 2011 for more information.)

After the effective date of HB 300, also excluded from coverage of the act will be those involved with crime victim compensation.

What activities are restricted?


It is important to note one key provision of the act. The Texas statute contains one profoundly impactful, although seemingly innocuous, provision. The state statute defines the word “disclose” to mean any action to “release, transfer, provide access to or otherwise divulge information outside the entity holding the information.” It is critical to fully absorb the impact of this definition. Anyone who transfers information, divulges information or provides access to information must be aware of the implications for doing so without an authorization. Taken in its literal meaning, the definition of disclosure is so broad that it would encompass almost any activity whereby health information or demographics of others is involved. Any information about an individual’s condition, care, payment or identity is protected from being divulged or being accessed, no matter the form in which it might be maintained. Any covered entity, including associates of a covered entity, is affected by the statute in some manner. Exceptions are limited and the breadth of the statute’s reach is staggering.

Sale of information

Of even greater significance is the act’s strict ban on the sale of protected health information. A covered entity may not disclose an individual’s protected health information to any other person in exchange for direct or indirect remuneration. Exceptions only allow disclosure to another covered entity under the statute or a covered entity under the Insurance Code for treatment, payment, healthcare operations and insurance or certain HMO functions or as otherwise authorized or required by law. Further, any charges for the disclosure for treatment, payment, healthcare operations or to perform an insurance function cannot exceed the covered entity’s reasonable costs in preparing and transmitting the PHI.

Because the act restricts disclosure of health information for even indirect remuneration, more than an outright ban on the sale of information is restricted. The act restricts any transfer that results in even indirect financial gain that is not associated with treatment, payment, operations, insurance or for compliance authorized by law or required by law. The outright ban on disclosure for even indirect remuneration does not have any mechanism for allowing for disclosure, not even after notice and consent or authorization. Rather, the disclosure for remuneration is flatly banned. Because the act would ban even indirect remuneration, it is possible that the act would implicate, for example, social media interactions or advertising in the form of patient testimonials even if these are the result of patient consent or even the result of patient-initiated activity.

The ability to engage in activities that might result in indirect remuneration with the consent or authorization of the owner of the information and to do so because those actions are protected constitutionally as, for example, free speech or commercial speech, is beyond the scope of this overview article. For discussion of such principles, see, e.g., Sorrell v. IMS Health, Inc., __ U.S. __, 131 S.Ct. 2653 (2011). In Sorrell, the United States Supreme Court determined that restrictions on the sale, disclosure and use of pharmacy records as attempted by implementation of Vermont's Prescription Confidentiality Law, Vt. Stat. Ann., Tit. 18, 4631(d), were unconstitutional because the statute—which imposed content-based and speaker-based burdens on protected expression—banned sales of the information to only some potential users. A complete ban would be more likely to pass constitutional muster.

What additional duties are imposed? Consumer access, notice, training

Patient access to records

The act provides that if a healthcare provider is using an electronic healthcare records system that is capable of fulfilling the request, the healthcare provider, no later than 15 business days following the written request for an electronic healthcare record, must provide the information electronically unless the person making the request agrees to accept the record in another form. An exception is available for records exempt pursuant to 45 C.F.R. § 164.524 for specific types of records such as certain psychotherapy notes, information compiled for use in certain legal proceedings and certain select laboratory records.

The executive commissioner of Texas Health and Human Services, in consultation with the Department of State Health Services, the Texas Medical Board and the Texas Department of Insurance, may recommend a standard electronic format, but any format recommended must be consistent with federal law regarding the release of medical records. As of this writing, the executive commissioner’s office had not yet made a determination concerning the undertaking of this unenviable task. There can be no doubt that the choice of the word “may” in the statute was an intentional one.

Notice and authorization requirements

Any covered entity that creates and receives personal health information must provide notice to individuals if their personal health information is subject to electronic disclosure. The duty to provide notice is, however, only a general one, and the notice can be provided by:

• Posting written notice in the place of business;
• Posting notice on a website, or
• Posting notice in a place where individuals whose PHI is subject to electronic disclosure are likely to see the notice.

According to Texas Health Services Authority General Counsel Jocelyn Dabeau, this notice must be conspicuous and understandable.

Of greatest significance, perhaps, to medical practitioners is the requirement that a covered entity may not electronically disclose an individual’s protected health information to any person without a separate authorization from the individual, or the individual’s legally authorized representative, for each disclosure. The authorization for electronic disclosure is not required, however, if the disclosure is made to another covered entity under the act or to any covered entity as defined by Section 602.001 of the Insurance Code solely for purposes of treatment, payment, healthcare operations, if performing health maintenance organization functions as defined by the Insurance Code or if otherwise authorized or required by state or federal law. The authorization for this disclosure may be made in written form, electronic form or in oral form if the request is documented in writing by the covered entity. The state attorney general will adopt a standard form for use with obtaining authorizations, and the form will also comply with the Health Insurance Portability and Accountability Act and Privacy Standards, if possible. As of this writing, the state attorney general did not yet have an anticipated release date but noted that Section 22 of the act provides for a date of January 1, 2013.

This author assumes that for any such oral authorization to be valid, it would require contemporaneous documentation of the request at the time it was made. As a practical matter, given the audit functions provided in the act (discussed, infra), it would be a best practice to maintain a separate chart for all such patient HIPAA and state privacy law interactions, if possible. In addition, when orally accepting a request for disclosure or accepting a written request in person or electronically, it would be a best practice to again provide general notice about the electronic disclosures.

Training required

Covered entities must provide a training program on state and federal law pertaining to protected health information as it relates to the covered entity’s particular course of business. Each employee must be trained, but only as needed to function within the employee’s scope of employment. This training must be completed within 60 days of employment and at least once every two years. The covered entity shall require employees who attend training to sign an electronic or written statement verifying attendance at the training program, and the covered entity is to maintain the signed statement.

The act, unfortunately, does not indicate that any governmental or educational entity will provide input into the content of any training programs or provide certification for those who will provide the training. As of Sept. 15, 2011, no state agency was contemplating oversight of training programs. The state attorney general’s office is planning no such function.

The act does not provide a deadline for a covered entity to provide training for those employees who are already employed as of the effective date of the act. However, given the mitigation available as to the potentially onerous penalties for noncompliance—see section below entitled “What are the penalties for noncompliance?”—a covered entity would be engaged in best practices if all employees were provided, at a minimum, training applicable to their job function as soon as practicable.

It can be logically assumed that less substantive training would be required for someone who merely filed a patient’s paper chart onto the proper place on a shelf than would be required for someone who was responsible for the electronic transmission of records or someone who was responsible for the covered entity’s privacy policies or administration. However, anyone who has access to patient records or gains access to patient information is capable of disclosure or breach. In the event that any resulting civil penalty could be mitigated by the existence of a training program (see discussion, infra), providing training to employees and requiring that vendors and business associates, and, particularly, those providing information technology services, also demonstrate compliance with training requirements would be very beneficial. In the event one finds himself or herself with a need, in the future, to argue for mitigation of any civil penalties to be imposed, the existence of evidence of uniform, substantive training will be helpful. In the event training is undertaken from within an organization, best practices would involve retaining records of the training content as well as those who were trained.

What are the penalties for noncompliance? Audits, monetary fines, felony criminal charges, loss of professional licenses


The Texas Health and Human Services Commission, in connection with the state attorney general, the Texas Health Services Authority and the Texas Department of Insurance, may request that the U.S. secretary of health and human services conduct an audit of a covered entity as to the compliance of the covered entity with HIPAA. The commission is also charged with periodic monitoring and review of the results of audits of covered entities from within the state that are conducted by the U.S. secretary of health and human services. It is unclear what authority the federal auditors would have to monitor for state law violations or whether federal auditors would even be aware of state law violations given that the state law requirements are more extensive than the federal. The U.S. Department of Health and Human Services has embarked on a program of federal audits that is expected to run through December.

If the Texas Health and Human Services Commission becomes aware of egregious violations that demonstrate a pattern and practice, it may require a covered entity to submit to the commission any federal risk analysis that the covered entity prepares in order to comply with HIPAA. In addition, if the covered entity is licensed by a state agency, the commission may request the licensing agency to conduct an audit of the covered entity’s system to determine compliance with the act.

A not insignificant number of potentially overlapping regulatory schemes and enforcement authorities could be implicated by this requirement in the act. For a discussion of the state laws impacting health information regulation, see Cynthia Marietta and Patricia Gray’s “Medical Information Privacy in Texas” (University of Houston Health Law & Policy Institute, February 11) and the section below entitled “Do other privacy laws exist as well?” The act does not require training for any state or federal agency enforcement personnel.

Civil penalties for noncompliance

In addition to the injunctive relief already available pursuant to the current Health and Safety Code Section 181.201(a), the state attorney general may, after the effective date of the act, institute an action for civil penalties for violations of the act not to exceed:

• $5,000 per violation per year if negligent;
• $25,000 per violation per year if knowing or intentional, regardless of the length of time of the violation within the year, or
• $250,000 for each violation if knowing or intentional and for financial gain.

In the event an adjudicator finds that the violations have occurred with a frequency so as to constitute a pattern or practice, the total amount of any civil monetary penalty that the court may assess is not to exceed $1.5 million annually.

A discussion of applicable definitions for the terms “negligence” or “knowing and intentional” is beyond the scope of this overview article. Language contained within the regulations applicable to the Social Security Act seems helpful in describing levels of culpability in civil administrative functions. Penalties may be limited or mitigated in the event the disclosure was made only to another covered entity for purposes of treatment, payment, healthcare operations or performing functions of a health maintenance organization; if the information disclosed was encrypted or transmitted using encryption technology, or if the covered entity had, at the time of the disclosure, maintained proper procedures including implementation of security procedures and training. Factors are also provided by the act for determining the appropriate financial penalty and include:

• The seriousness of the violation;
• The entity’s compliance history;
• Whether the violation poses a significant risk of financial, reputational or other harm to the individual whose protected health information was involved in the violation;
• Whether the covered entity was working with or as a certified entity, that is, certified to be in compliance with privacy and security standards being developed by the Texas Health Services Authority as per Section 182.108 of the Health and Safety Code for the electronic sharing of protected health information;
• The amount necessary to deter future violations, and
• The covered entity’s efforts to correct the violation.

It is this author’s contention that one should not have to establish harm to the victim in such instances. In order to determine the financial penalty, adjudicators will consider, in the event of disclosure, both monetary and nonmonetary losses.

Nonmonetary losses include humiliation, embarrassment, mental anguish, fear of social ostracism and other severe emotional distress. An excellent discussion of non-economic damages is contained in the Electronic Privacy Information Center’s FAA v. Cooper, Concerning Emotional Injury as Harm Under the Privacy Act. See also “Will Supreme Court Ruling in Pilot Case Apply to Other ‘Harm’ Cases?” Nonmonetary victim losses also include the increased risk that personal health facts will continue to be disclosed, the increased risk of identity theft and the increased risk of medical identity theft. Patients themselves express the concern that their data will be misused for commercial gain, that disclosure will result in embarrassment, that disclosure will compromise their personal safety, that their data will be used in a discriminatory fashion impacting their lives and care, that there will be no opportunity to correct any false information circulated and that there will be loss of their data or loss of access to their data. Patients are also concerned about the ability of organizations to accurately provide notification.

Losses to a healthcare provider in the event of an unauthorized disclosure are also not insignificant and include the costs associated with the potential loss of the economic value of a patient who no longer associates with an organization following a breach. At least one study identifies the lifetime economic value, on average, of one patient or customer to fall within a range from $10,000 to more than $1,000,000.

In addition to civil penalties, a covered entity that is licensed by a state agency is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. A license may be revoked if the violations are egregious and constitute a pattern and practice. The attorney general of the state may institute an action for violation of the act against a covered entity that is licensed by a licensing agency of this state for a civil financial penalty only if the licensing agency refers the violation to the attorney general.

What other resources will be available? Websites, standards


The Texas attorney general is to develop and provide a consumer information website that will include information on the manner in which to make a complaint. As of this writing, the state attorney general did not yet have an anticipated release date but noted that Section 22 of the act provides for a date of May 1, 2013. The author notes that the act becomes effective Sept. 1. Certain materials are directed, by statute, to be included on the website. The Texas attorney general is also charged with monitoring consumer complaints and with reporting on the complaints after de-identifying the protected health information.


The Texas Health Services Authority is tasked with rulemaking for the certification of entities undertaking the electronic exchange of protected health information. The Texas Health Services Authority is to establish standards for the secure electronic exchange of protected health information. The authority must develop, and submit to the Health and Human Services Commission for ratification, the privacy and security standards for electronic sharing. The authority is also tasked with developing voluntary operations and technical standards for health information exchanges in Texas. Some have expressed concern about the consent options, which will be required in health information exchanges when the act’s requirement is for authorization for the release of information.

What other state statutes are amended or affected? Breach notification laws, the Insurance Code

Breach notification

In HB 300, the legislature also expanded the state’s breach notification requirements already existing in the Business and Commerce Code at Sections 521.053 and 521.151. The expanded notification will require notice not only to state residents in the event of a breach, as previously required, but also to all affected individuals. Because notice is to be given to all individuals and not only state citizens, the reach of the statute in its regulation of any covered entity within the state will undoubtedly have nationwide or even global impact. The Dallas Regional Chamber of Commerce estimates the healthcare industry contributes $52 billion annually to the Dallas-Fort Worth area alone, supporting an estimated 601,000 regional jobs and driving up to 15 percent of the area economy. In addition to time and productivity losses in the event of a breach, the economic impacts identified in one study estimated costs for data breach incidents to hospitals surveyed to be in a range from $10,000 to more than $10,000,000 per entity in a two-year period.

Texas’s Business Code already includes notice requirements for breaches of information pertaining to “personal identifying information,” identified in the Business Code breach notification provisions to include biometric data, the physical or mental health or condition of an individual, the provision of healthcare to an individual or the payment for the provision of healthcare to the individual. HB 300 added to the breach notification penalty provisions of Business and Commerce Code Section 521.151 the ability to recover additional civil penalties of up to $100 per day, per individual affected, for an unreasonable delay in notification or failed notification of a breach of data. Although the breach statute does not incorporate the act’s definition of PHI, the definition employed in the Business Code breach statute is broad enough to include PHI. Including enhanced fines for the failure to notify in the event of a breach within the act without revising the Business Code to include a revised definition of PHI demonstrates the legislature’s intent for the two statutes to work in an interrelated fashion.

Offenses for the use of a scanning device or re-encoder to access, read, scan, store or transfer information encoded on the magnetic strip of a payment card without the consent of an authorized user of the payment card and with intent to harm or defraud another were previously codified as a Class B misdemeanor under the Business and Commerce Code. Now, however, if such an offense also involves protected health information as defined by HIPAA, the offense is defined as a felony. If an element of the crime was committed prior to Sept. 1, 2012, the offense was committed prior to the effective date of the act. It is worth noting again that payment processors at financial institutions are not covered entities, however.

The Insurance Code

The State Insurance Code, Chapter 602, was amended by HB 300 to require those covered by Chapter 602 of the Insurance Code to comply with Chapter 181, the Medical Records Privacy statutory provisions. Consequently, the act now also pertains to insurance companies that are exempt from HIPAA, including:

• County mutual insurance companies
• Farm mutual insurance companies
• Fraternal benefit societies
• Group hospital service corporations
• Lloyd's plans
• Local mutual aid associations
• Mutual insurance companies
• Reciprocal or inter-insurance exchanges
• Statewide mutual assessment companies
• Stipulated premium companies
• Health maintenance organizations
• Insurance agents

These individuals and organizations must comply with the act’s provisions when it becomes effective on Sept. 1. The distinctions in the Insurance Code between “health information” and “nonpublic health information,” defined by Section 602.001 of the Insurance Code, are beyond the scope of this overview article. Section 602.002 of the Insurance Code provides that this chapter of the Insurance Code does not apply to a covered entity that is required to comply with the standards governing the privacy of individually identifiable health information adopted by the United States Secretary of Health and Human Services under Section 262(a), Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d, et seq.). Section 602.003 of the Insurance Code indicates the chapter does not preempt or supersede state law in effect on July 1, 2002, that relates to the privacy of medical records, health information or insurance information. Section 602.053 of the Insurance Code provides exceptions that allow a covered entity to disclose nonpublic personal health information to the extent that the disclosure is necessary to perform the specified insurance or health maintenance organization functions, as identified in that provision, on behalf of the covered entity. The definition of “health information” in the Insurance Code does not include age and gender.

Do other privacy laws exist as well?

Other state statutes and common law principles are not implicated by the act and are not subsumed by the act’s provisions, including the existing body of legal and ethical principles pertaining to patient privileges. There are myriad additional privacy statutes and regulations that will not be subsumed within the act. There are other state statutes that contain restrictions on the disclosure of records currently applicable to a variety of healthcare facilities, such as nursing facilities, rehabilitation facilities, surgery centers and emergency rooms. Mental health professionals also have their own patient privilege laws and ethical codes, particularly as to psychotherapy notes from a patient whose provider determines his best interests would not be served by disclosure. HIV and AIDS records and records pertaining to other communicable diseases are also subject to their own distinct disclosure provisions. Genetic information is separately regulated, as are substance abuse records, certain health study records, occupational condition reporting and records pertaining to minors, inmates and students. Biometric identifiers, Medicaid, State Children’s Health Insurance Program Beneficiaries, other government records containing health information and peer review committee investigation records are all given separate treatment in Texas law. Some of these laws, unlike the act, provide individuals with a cause of action for unauthorized disclosure.

It is clear that attorney-client privileges would apply as to disclosures between an attorney and the attorney’s own client. It seems far less clear that attorneys would not be considered a covered entity when handling the protected health information of others in other instances. The legislature clearly carved such exceptions where it thought them to be applicable and the legal profession was not provided with an exception.


HB 300 is aggressive in its reach. Its penalty provisions, if and when enforced, will almost certainly be a solid deterrent to all except the most unscrupulous and most careless. It is unfortunate that the burdens of compliance could further exacerbate the already burdensome administrative overlay existing for those in the state who provide healthcare and related services. Given the enormity of the need for the protection of health information and patient demographics, however, state governments can do no less than take an aggressive approach to supplement federal law pertaining to medical privacy.

The provisions of House Bill 300 could create enormous exposure to covered entities as well as licensed individuals and groups. It should follow, then, that associations and individuals will be highly motivated to comply with the act and to protect personal health information. The legislature was clearly serious, and the citizens of the state now wait to see whether enforcement will bear out legislative intent.

House Bill 300, enacted June 17, 2011, is codified at Health and Safety Code Sections 181.001, 181.004, 181.005, 181.006, 181.059, 181.101, 181.102, 181.103, 181.104, 181.153, 181.154, 181.201, 181.202, 181.205, 181.206, 181.207, 182.002, 182.108; Business and Commerce Code Sections 521.053, 521.151, 522.002; Government Code Section 531.0994; and Insurance Code Section 602.054.

B. Joyce Yeager is a licensed attorney and Certified Information Privacy Professional. She prepared this article while practicing law in Texas. Yeager is now an assistant attorney general for the Office of the Attorney General of Missouri. She is also the founder of Amenable Though, LLC, an organization committed to education and the arts. A fully annotated version of this article is available from the author.


Personal Protective Equipment at Work Regulations 1992



From Wikipedia, the free encyclopedia

The Personal Protective Equipment at Work Regulations 1992 are a set of regulations created under the Health and Safety at Work etc. Act 1974 which came into force in Great Britain on 1 January 1993.[1] The regulations place a duty on every employer to ensure that suitable personal protective equipment is provided to employees who may be exposed to a risk to their health or safety while at work.[2]



Personal Protective Equipment

Personal Protective Equipment (PPE) is defined in the regulations as "all equipment (including clothing affording protection against the weather) which is intended to be worn or held by a person at work which protects them against one or more risks to their health and safety". PPE would include such things as hard hats, eye protection, safety harnesses, life jackets and safety footwear.[3] The regulations however do not apply where requirements for PPE are detailed in other regulations, these include the:

The Health and Safety at Work etc. Act 1974 also states that employers are not allowed to charge for any PPE that is used for work.[5]

Other requirements

The Regulations also impose requirements with respect to—

  • compatibility of items of personal protective equipment where it is necessary to wear or use more than one item simultaneously.
  • the making, review and changing of assessments in relation to the choice of personal protective equipment.
  • the maintenance (including replacement and cleaning as appropriate) of personal protective equipment.
  • the provision of accommodation for personal protective equipment.
  • the provision of information, instruction and training.
  • ensuring personal protective equipment is used.[6]

Prosecutions arising from the regulations

On 25 June 2008 a moulding company in Leicester was fined £5,300 and ordered to pay £2,134.10 after an employee suffered serious burns when he removed a mould plug during a routine operation at Harrison Castings Ltd. The burns required several skin grafts and five days in hospital for the employee.[7] Inspector Munera Sidat said that the accident could have been prevented had the company provided the right type of gloves, saying: "Instead of foundry gloves which provide heat resistance, he was wearing rigger gloves which offered him very little protection. Not only did the molten metal permeate straight through the material, but the gloves were also so short that the liquid went up his jacket sleeves, making his burns worse."[7] The company was charged under regulation 6 of the regulations, which states that an assessment of the PPE provided should be made to ensure that it is suitable for the task.[7]


Personal Protective Equipment (PPE) for Infection Control



Personal Protective Equipment (PPE) is specialized clothing or equipment worn by an employee for protection against infectious materials.

PPE prevents contact with an infectious agent or body fluid that may contain an infectious agent, by creating a barrier between the potential infectious material and the health care worker.




Why Workers Don't Wear PPE


Thu, 8/25/2011

Personal Protective Equipment (PPE) can save a worker's life, if they use it. However, in a web survey conducted by Kimberly-Clark Professional, 69% of respondents said the primary cause of PPE non-compliance was that workers thought personal protection equipment was not required.


Sustainable Plant also explored the issue, and found some other reasons workers cited for non-PPE use, plus some suggestions to increase PPE compliance. These included: 

  • The “most challenging” PPE category was eye protection - and nearly 3 out of 5 workers who experienced eye injuries were found not to be wearing eye protection at the time of the accident or were wearing the wrong kind of eye protection for the job.
  • The next highest category of non-compliance was hearing protection - and occupational noise-induced hearing loss is 100 percent preventable when proper measures are implemented.
  • To encourage greater PPE compliance, the top strategies included:

    o  Improving existing education and training programs
    o  Increased monitoring of employees
    o  Purchasing more comfortable PPE
    o  Tying compliance to individual performance evaluations
    o  Purchasing more stylish PPE
    o  Developing incentive programs

For the training program component, Stonehouse Signs offers a range of PPE Signs to remind workers to wear proper PPE and encourage overall PPE compliance. These include: 


Hidden Home Hazards


You might be surprised at the top five

Here are the top five hidden home hazards according to the U.S. Consumer Product Safety Commission (CPSC):

#1: Magnets

Small pieces of building sets that contain magnets can be swallowed by children.

CPSC recommendation: Watch carefully for loose magnets and magnetic pieces and keep them away from kids under age 6. Some such products have been recalled. Check with the manufacturer.

#2: Recalled products

Keep up to date on recalls to keep dangerous products away from your family.

CPSC recommendation: Check CPSC’s website at

#3: Tip-overs

There are an average of 22 deaths per year and some 3,000 injuries attributed to furniture and appliances falling over. Children are especially vulnerable and can be crushed.

CPSC recommendation: Verify that furniture is stable on its own. For added security, anchor heavy pieces that could fall to the floor or attach them to a wall. Free-standing ranges and stoves should be installed with antitip brackets.

#4: Windows and coverings

The hazards are window cords that can cause strangulation in the hands of a young child and falls from windows.

CPSC recommendation: Cut looped cords and install a safety tassel at the end of each pull cord or use a tie-down device, and install inner cord stays to prevent strangulation. Also, don’t rely on window screens to keep kids from falling out of windows. Install window guards or stops.

#5: Pool and spa drains

The suction from a pool drain can be so powerful that it can hold an adult under water, but most incidents involve children. The body can become sealed against the drain or hair can be pulled in and tangled. Missing or broken drain covers are a major reason many incidents occur.

CPSC recommendation: Install a Safety Vacuum Release System (SVRS), which detects when a drain is blocked and automatically shuts off the pool pump or interrupts the water circulation to prevent entrapment.
