HB 300 Training
HB 300 training is the training that has to be provided in addition to HIPAA training by covered entities and business associates that assemble, collect, analyze, use, evaluate, store, or transmit the Protected Health Information of a Texas resident. The requirement to provide HB 300 training applies regardless of where the covered entity or business associate is located and regardless of where the Texas resident was at the time the information was collected.
In 2011, House Bill 300 (HB 300) introduced significant changes to the Texas Health and Safety Code including a requirement for Covered Entities to provide HB 300 training. While it had always been necessary for HIPAA Covered Entities to provide HIPAA training, the requirement to provide HB 300 training has implications for organizations both inside and outside the state of Texas.
HIPAA and HB 300
Throughout the U.S., the Health Insurance Portability and Accountability Act (HIPAA) provides a "federal floor of privacy protections for individuals' individually identifiable health information" and preempts state laws unless state laws are "more stringent" and increase either the duties of Covered Entities or the rights of patients.
In Texas, the Medical Privacy Act (Chapter 181 of the Health and Safety Code) not only increases the duties of Covered Entities but also increases the rights of patients. Furthermore, the Act expanded the definition of Covered Entities in Texas to any person or organization that "assembles, collects, analyzes, uses, evaluates, stores, or transmits Protected Health Information" (PHI).
Effectively, any person or organization with access to a Texas resident's PHI is subject to the Medical Privacy Act and the amendments to the Act made by HB 300, including persons and organizations located outside of Texas if PHI is collected or stored within Texas. This also means that an organization classified as a Business Associate under HIPAA is classified as a Covered Entity under Texas law.
The Differences between HIPAA and HB 300
Following the passage of the HITECH Act in 2009, the Texas legislature felt that the Meaningful Use incentivization of EHR adoption would increase electronic exchanges of PHI, and that this would lead to increased risks to the confidentiality, integrity, and availability of electronic PHI. (Note: this was prior to the privacy and security provisions recommended by HITECH being incorporated into HIPAA via the Omnibus Rule in 2013).
The legislature acted by passing HB 300, which further increased the duties of Covered Entities and the rights of patients. Following the passage of HB 300, the primary differences between HIPAA and HB 300 are:
Fewer Permissible Uses and Disclosures of PHI
Under the Medical Privacy Act, permissible uses and disclosures are limited to treatment, payment, and healthcare operations, certain insurance functions, and disclosures required by law (for example, the Texas Family Code mandates the reporting of child abuse and neglect). All other uses and disclosures require a written authorization, including many which, under HIPAA, only require the opportunity to agree or object.
Notice of Electronic Disclosure
For the avoidance of doubt, HB 300 applies the narrower set of permissible uses and disclosures to electronic PHI and requires Covered Entities to provide a notice advising individuals that their PHI is subject to electronic disclosure. This requirement is additional to the Notice of Privacy Practices required by HIPAA, although Covered Entities under the Texas Medical Privacy Act only have to display the notice rather than provide it to each individual and obtain an acknowledgement of receipt.
Standardized Form for Patient Authorizations
Texas HB 300 instructed the Texas Attorney General to adopt a standard authorization form for all entities covered by the Medical Privacy Act and HB 300. It is not mandatory for Covered Entities to use the HB 300 authorization form provided any alternative complies with HIPAA, the Texas Medical Privacy Act, and other applicable laws. The "other applicable laws" clause primarily applies to entities located outside Texas, which may be subject to a different state's medical privacy laws.
Access to Electronic PHI Stored on EHRs
HIPAA requires Covered Entities and Business Associates to respond to patient requests for access to or copies of their PHI within 30 days. HB 300 reduces the time limit for responding to patient requests to fifteen days when PHI is electronically stored on an EHR. This difference between HIPAA and HB 300 only applies to electronic PHI stored on EHRs, and not to other forms of PHI, which are still covered by the HIPAA 30-day time limit.
Exceptions When the Sale of PHI is Permitted
The original Medical Privacy Act prohibited any circumstances in which PHI could be sold without an individual's authorization. HB 300 relaxed the general prohibition to allow the sale of PHI when the sale is to another Covered Entity for treatment, payment, health care operations, or insurance/health maintenance operations, provided the remuneration received for the sale of PHI is limited to the cost of preparing and transmitting the PHI. Even with this exception, the limitations on the sale of PHI are still more restrictive than in the Privacy Rule.
Penalties for Violations of Texas HB 300
When the Medical Privacy Act was passed in 2001, it included penalties for violations of the Act that were higher than the penalties for violating HIPAA. Although the penalties for violating HIPAA were increased by the HITECH Act, HB 300 further increased the penalties for violating the Medical Privacy Act and, similar to the HITECH Act, introduced a tiered penalty structure:
Tier 1: Up to $5,000 per violation for violations due to negligence
Tier 2: Up to $25,000 per violation for a knowing or intentional violation
Tier 3: Up to $250,000 per violation for an intentional violation for financial gain
The maximum penalty for violations of Texas HB 300 is capped at $1.5 million per year per violation type. However, Covered Entities can also be fined for the failure to notify individuals and the Texas Attorney General of a data breach. Additionally, cases can be referred to the Department of Justice when a violation of §1177 of the Social Security Act is identified. Importantly, these penalties for violations of Texas HB 300 are in addition to penalties imposed by HHS for violations of HIPAA.
HB 300 Training Requirements
In addition to the above, HB 300 introduced a mandatory training requirement. Section 181.101 of HB 300 stipulates that Covered Entities must "provide a training program [...] regarding the state and federal law concerning Protected Health Information as it relates to the Covered Entity's course of business and each employee's scope of employment". The bill also mandates that training must be completed within ninety days of being hired by a Covered Entity.
The HB 300 training requirements differ from the HIPAA training requirements inasmuch as HIPAA does not place a time limit on the provision of training. HIPAA also does not put a time limit on retraining members of the workforce when there is a "material change" to policies and procedures, whereas the Texas HB 300 training requirements stipulate that material change training must be provided within twelve months of a change taking effect.
Additionally, whereas HIPAA only requires the documentation of training, HB 300 requires employees of Covered Entities under the Medical Privacy Act to sign a statement verifying their attendance at training. It is not made clear whether a signed statement is only required for attending initial HB 300 training, or for attending each HIPAA security awareness training session required under §164.308(5)(i) of the Security Rule.
HB 300 Training Courses
Because HB 300 training has to be customized according to employees' roles, there are no one-size-fits-all HB 300 training courses. Covered Entities have the option of developing their own HB 300 training courses or taking advantage of courses provided by third-party compliance companies. As a general guide, when either developing a course or selecting a third-party HB 300 training course, the content should include the following elements:
- Introduction to Texas HB 300.
- Why the law was introduced and why compliance is essential.
- Types of information covered.
- Entities and individuals required to comply.
- Medical record and PHI access.
- Patient rights over electronic medical records.
- Notices about electronic disclosures of PHI.
- Authorizations from patients about electronic PHI disclosures.
- Breach notification requirements of HB 4390.
- How to protect PHI.
- Enforcement of compliance and penalties for violations.
HB 300 Training FAQs
Do HIPAA Covered Entities have to provide both HIPAA training and HB 300 training?
HIPAA Covered Entities have to provide both HIPAA training and HB 300 training relating to the Covered Entity's policies and procedures which are relevant to the roles of members of the workforce. However, it is not necessary to provide each type of training separately. In cases where the Texas Medical Privacy Act preempts HIPAA, workforce policies and procedures should account for this, so it should only be necessary to prepare and present one training curriculum.
Is every organization with access to PHI in Texas subject to the requirements of HB 300?
Every organization with access to PHI in Texas is subject to the requirements of HB 300 unless it is exempted by the Texas Medical Privacy Act. Exemptions include (but are not limited to) payment processors, nonprofit agencies, workers' compensation programs, employee benefits plans, and the American Red Cross. However, although exempted from complying with the Texas Medical Privacy Act, some organizations in these categories may still be required to comply with HIPAA.
Does this mean schools have to provide HB 300 training? If so, to whom?
Schools have to provide HB 300 training to any member of the workforce who assembles, collects, analyzes, uses, evaluates, stores, or transmits Protected Health Information not classified as an educational record as defined by the Family Educational Rights and Privacy Act (FERPA). In most cases, schools that only provide medical services for students do not have to provide HB 300 training. However, if medical records are maintained for any member of the workforce or a member of the public, it will be necessary for the school to provide HB 300 training.
Where is it stated Covered Entities have to review user access to ePHI annually?
The recommendation that Covered Entities review user access to ePHI annually appears in Article VI of the Texas Health Services Authority's Model Security Policies. Although issued as guidance, rather than as part of the Medical Privacy Act, the recommendation is one a breach investigator would expect to find in place to secure ePHI. Generally, the Model Security Policies align with best practices for HIPAA compliance, but there are a few differences.
What subsequent amendments have there been to the Texas Breach Notification Rule?
Subsequent amendments to the Texas Breach Notification Rule were enacted in June 2021 via HB 3746. The amendments require Covered Entities to provide additional content in breach notifications, including the circumstances of the breach, whether it is known if PHI has subsequently been used or disclosed without authority, and what measures the Covered Entity intends to take to address the cause of the breach.