Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300


Training Module provided as a component of the Stericycle HIPAA Compliance Program

Goals for Training

Understand how Texas House Bill 300 (HB 300) significantly expands the State's patient privacy protections and imposes new requirements on Covered Entities (CEs).

Learn what the new law requires:
- Mandatory employee training
- Informing patients about how their electronic Protected Health Information (ePHI) is used and disclosed
- Providing patients with EHRs within 15 business days after receipt of a written request
- Prohibition on the sale of PHI
- A Texas Attorney General website and an annual report to the Texas Legislature on patient complaints over medical privacy
- Increased enforcement penalties
- Notification requirements if PHI is wrongfully disclosed
- Best practices for safeguarding Protected Health Information (PHI)

HB 300 Modifies the Texas Medical Records Privacy Act

Why was House Bill (HB) 300 introduced? HB 300 was introduced in response to a large data breach that exposed the personal information of 3.5 million Texas residents. The breach was discovered in March 2011; the information was found on a government server accessible to the public. The breach included:
- Names
- Mailing addresses
- Social Security numbers
- Dates of birth
- Driver's license numbers

In response to the breach, the Texas Attorney General's office and the FBI launched a criminal investigation.

The State of Texas Responded by:
- Immediately securing the information and moving it to a private location
- Contacting all three major credit reporting agencies
- Arranging for one year of credit monitoring at no charge for those whose information was affected
- Notifying media outlets through a press release; and
- Creating a website to provide information to those affected: www.txsafeguard.com

A New Law Is Passed Texas Governor Rick Perry signed HB 300, which modified the Medical Records Privacy Law, in June 2011 with an effective date of September 1, 2012.

What Changes Under HB 300?

Highlights of the changes:
- Requirement that all covered entities, as defined under Texas state law, comply with HIPAA
- Mandatory training for employees regarding protected health information (PHI)
- Greater patient rights to electronic medical records
- Separate authorization for electronic disclosure of PHI
- Shorter timeline to provide a patient with an electronic copy of their EHR
- Prohibition on the sale of PHI
- Broader scope and guidelines for breach notification
- Stricter penalties and increased fines for non-compliance

Federal HIPAA Definition of a Covered Entity

The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is:
- a health care provider that conducts certain transactions in electronic form*
- a health care clearinghouse
- a health plan

*Covered transactions are transactions for which the Secretary has adopted standards; the standards are at 45 C.F.R. Part 162.

Texas Definition of a Covered Entity

Under Texas law, a Covered Entity means any person who:
- For any purpose engages in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting Protected Health Information (PHI). The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;
- Comes into possession of PHI;
- Obtains or stores PHI; or
- Is an employee, agent, or contractor of a CE who, in that capacity, receives, obtains, maintains, uses or transmits PHI.

The definition of a Covered Entity under Texas Health and Safety Code, Chapter 181, Medical Records Privacy, is broader than federal HIPAA's definition.

Exceptions

While still considered Covered Entities, the provisions of Chapter 181 of the Texas Health and Safety Code do NOT apply to:
- Workers' compensation plans and the people who administer self-insured workers' compensation plans
- Employee benefit plans and the people who administer them
- The American Red Cross, in accessing any information necessary to perform its duties
- Educational records covered by the Family Educational Rights and Privacy Act
- Non-profit agencies that pay for the care of indigent people but whose primary business is not the provision of health care or reimbursement for health care
- Processing of certain payment transactions by financial institutions
- Certain information relating to offenders with mental impairments

Implications of Texas's Expanded Definition of a Covered Entity

Additional requirements for CEs:
- Mandatory compliance training
- Electronic disclosure notice
- Authorization for electronic disclosure of PHI
- Provision to provide EHR within 15 business days
- Enhanced penalties for breaches
- Chapter 181 of this law has specific restrictions on the use of PHI for marketing purposes
- Audits of CEs
- Broader scope for breach notification

Effective date: September 1, 2012

Mandatory Training Requirements

HB 300 requires CEs to train employees on their obligations under federal HIPAA and State of Texas privacy and security law:
- Within 60 days of employment
- Training is required to be repeated every two years
- Training sessions require a sign-in sheet verifying attendance

Patient Rights: Electronic Disclosure Notice Requirements

HB 300 requires that CEs who create or receive PHI regarding individuals must provide notice to those individuals if their PHI is subject to electronic disclosure. General notice may be provided by:
- Posting a written notice in the CE's place of business
- Posting a notice on the CE's Internet website; or
- Posting a notice in any other place where individuals whose PHI is subject to electronic disclosure are likely to see the notice

Authorization Requirements for Electronic Disclosure of PHI

HB 300 provides that a CE cannot electronically disclose an individual's PHI to any person without a separate authorization from the individual or their legally authorized representative for each disclosure, unless the disclosure is to another CE for one of the following purposes:
- Treatment
- Payment
- Health care operations
- Performing certain insurance or HMO functions; or
- As otherwise authorized or required by state or federal law

Patients' Right to See Their Electronic Health Record

HB 300 provides for consumer access to electronic health records in a timeframe shorter than that provided by HIPAA. Texas law requires CEs to provide patients with electronic copies of their EHR within 15 BUSINESS DAYS of the patient's written request for the records.
- A health care provider using an electronic records system capable of fulfilling the request must provide a person with an electronic copy (unless the requesting individual accepts an alternative form) of the person's electronic health care record.
- The Health and Human Services Commissioner, in consultation with the Texas Health Services Authority (THSA), the Texas Medical Board and the Texas Department of Insurance, is charged with recommending a standard electronic format for the release of requested health records.

The Sale of PHI is Prohibited

CEs may not disclose PHI to any other person in exchange for direct or indirect remuneration or financial gain. There is an exception for disclosure from one CE to another, if:
- The disclosure is for treatment, payment, health care operations, certain insurance and HMO functions, or as otherwise authorized or required by law; and
- Any charge does not exceed the reasonable costs of preparing or transmitting the PHI

Breach Notification Requirements

Under HB 300, any business (not just a Covered Entity) that conducts business in Texas and handles PHI must provide notification to Texas residents if their PHI is wrongfully disclosed.
- HB 300 extends breach notification to any impacted individual, whether in Texas or elsewhere
- Applies to recipients in Texas or in states that do not have breach notification requirements
- Any business that fails to make the required notification is subject to state penalties not exceeding $250,000 for a single breach
- HB 300 makes it a state jail felony for an individual to use a scanning device or other re-encoder to access, read, scan, store or transfer PHI without authorization

Penalties for Breaches by a Covered Entity

The Texas State Attorney General's office may institute an action for civil monetary penalties not to exceed:
- $5,000 per violation per year if negligent
- $25,000 per violation per year if done knowingly or intentionally
- $250,000 for each violation if PHI was knowingly or intentionally used for financial gain
- A pattern or practice of abuse can result in penalties up to $1.5 annually

Similar penalties can be assessed by Health and Human Services under HITECH and the HIPAA Omnibus Final Rule.

When determining a penalty, the Texas State Attorney General will take into account:
- the seriousness of the violation
- the CE's compliance history
- the risk of financial, reputational or other harm to the affected patients
- the amount necessary to deter future violations
- any efforts taken by the covered entity to correct the violation

Audits of Covered Entities

The State of Texas, through the Texas Health and Human Services Commission (HHSC), can:
- Request federal authorities to audit HIPAA covered entities to determine compliance under HIPAA
- Periodically monitor the results of audits of Covered Entities

If the HHSC has evidence that a CE has engaged in violations that are egregious and constitute a pattern or practice, the HHSC may:
- Require the CE to submit the results of a risk analysis to the HHSC; or
- If the CE is licensed by a state agency, request the licensing agency to perform an audit of the CE

Other Related Requirements for Texas State Agencies The Texas Attorney General must maintain a website describing patient privacy rights under state and federal law and publish an annual report detailing privacy complaints filed with state agencies during the previous year.

Key Takeaway

Texas is serious about the protection of personal privacy. Entities need to encourage a culture of compliance that values and promotes the protection of private information. The cost of a breach can be staggering. Failing to comply with HIPAA, the HITECH Act and HB 300 can lead to potentially significant financial penalties and these costly repercussions:

Repercussions of a PHI Breach
- Reputational
- Financial
- Legal, Regulatory
- Operational
- Clinical

Tips for Protecting PHI

Caution must be taken to secure patient information and to dispose of PHI that is no longer needed:
- When you step away from your desk or workstation: ensure that you secure your mobile device, lock your workstation, close files, and turn over or secure any paperwork that may contain PHI
- When you leave for the day: ensure that you lock any PHI in the appropriate file cabinets and/or desk drawers of your work area
- When you need to dispose of PHI no longer needed: place PHI in a secure bin for shredding, or shred documents with PHI immediately when no longer needed. PHI should never be placed in the regular trash

General Security Tips
1. Do not share passwords
2. Use strong passwords
3. Do not write down passwords by unsecured means
4. Never use another person's login credentials
5. Never take pictures of patient information with your cell phone or tablet camera
6. Never allow patients to use or gain access to Organization computers or devices
7. Be aware of threats to your computing environment (malicious software, viruses, etc.)
8. Follow your Organization's data security policies for:
   - Accessing data
   - Storing data
   - Transmitting data
   - Destroying data
   - Use of external media

The confidentiality and security of a patient's PHI is your responsibility. Please protect it wisely!