HB 300 Training

HB 300 training is the training that has to be provided in addition to HIPAA training by covered entities and business associates that assemble, collect, analyze, use, evaluate, store, or transmit the Protected Health Information of a Texas resident. The requirement to provide HB 300 training applies regardless of where the covered entity or business associate is located and regardless of where the Texas resident was at the time the information was collected.

In 2011, House Bill 300 (HB 300) introduced significant changes to the Texas Health and Safety Code including a requirement for Covered Entities to provide HB 300 training. While it had always been necessary for HIPAA Covered Entities to provide HIPAA training, the requirement to provide HB 300 training has implications for organizations both inside and outside the state of Texas.

HIPAA and HB 300

Throughout the U.S., the Health Insurance Portability and Accountability Act (HIPAA) provides a “federal floor of privacy protections for individuals' individually identifiable health information” and preempts state laws unless state laws are “more stringent” and increase either the duties of Covered Entities or the rights of patients.

In Texas, the Medical Privacy Act (Chapter 181 of the Health and Safety Code) not only increases the duties of Covered Entities but increases the rights of patients. Furthermore, the Act expanded the definition of Covered Entities in Texas to any person or organization that “assembles, collects, analyzes, uses, evaluates, stores, or transmits Protected Health Information” (PHI).

Effectively, any person or organization with access to a Texas resident's PHI is subject to the Medical Privacy Act and amendments to the Act made by HB 300 – including persons and organizations located outside of Texas if PHI is collected or stored within Texas. This also means that an organization classified as a Business Associate under HIPAA is classified as a Covered Entity under Texas law.

The Differences between HIPAA and HB 300

Following the passage of the HITECH Act in 2009, the Texas legislature felt that the Meaningful Use incentivization of EHR adoption would increase electronic exchanges of PHI, and that this would lead to increased risks to the confidentiality, integrity, and availability of electronic PHI. (Note: this was prior to the privacy and security provisions recommended by HITECH being incorporated into HIPAA via the Omnibus Rule in 2013).


The legislature acted by passing HB 300, which further increased the duties of Covered Entities and the rights of patients. Following the passage of HB 300, the primary differences between HIPAA and HB 300 are:

Fewer Permissible Uses and Disclosures of PHI

Under the Medical Privacy Act, permissible uses and disclosures are limited to treatment, payment, and healthcare operations, certain insurance functions, and disclosures required by law (for example, Texas’ Family Code mandates the reporting of child abuse and neglect). All other uses and disclosures require a written authorization – including many which, under HIPAA, only require the opportunity to agree or object.

Notice of Electronic Disclosure

For the avoidance of doubt, HB 300 applies the narrower set of permissible uses and disclosures to electronic PHI and requires Covered Entities to provide a notice advising individuals that PHI is subject to electronic disclosure. This requirement is additional to the Notice of Privacy Practices required by HIPAA – although Covered Entities under the Texas Medical Privacy Act only have to display the notice rather than provide it to each individual and obtain an acknowledgement of receipt.

Standardized Form for Patient Authorizations

Texas HB 300 instructed the Texas Attorney General to adopt a standard authorization form for all entities covered by the Medical Privacy Act and HB 300. It is not mandatory for Covered Entities to use the HB 300 authorization form provided any alternative complies with HIPAA, the Texas Medical Privacy Act, and other applicable laws. The “other applicable laws” clause primarily applies to entities located outside Texas, which may be subject to a different state's medical privacy laws.

Access to Electronic PHI Stored on EHRs

HIPAA requires Covered Entities and Business Associates to respond to patient requests for access to or copies of their PHI within 30 days. HB 300 reduces the time limit for responding to patient requests to fifteen days when PHI is electronically stored on an EHR. This difference between HIPAA and HB 300 only applies to electronic PHI stored on EHRs – and not to other forms of PHI, which are still covered by the HIPAA 30-day time limit.

Exceptions When the Sale of PHI is Permitted

The original Medical Privacy Act prohibited any circumstances in which PHI could be sold without an individual’s authorization. HB 300 relaxed the general prohibition to allow the sale of PHI when the sale is to another Covered Entity for treatment, payment, health care operations, or insurance/health maintenance operations provided the remuneration received for the sale of PHI is limited to the cost of preparing and transmitting the PHI. Even with this exception, the limitations on the sale of PHI are still more restrictive than in the Privacy Rule.

Penalties for Violations of Texas HB 300

When the Medical Privacy Act was passed in 2001, it included penalties for violations of the Act that were higher than the penalties for violating HIPAA. Although the penalties for violating HIPAA were increased by the HITECH Act, HB 300 further increased the penalties for violating the Medical Privacy Act and – similar to the HITECH Act – introduced a tiered penalty structure:

Tier 1: Up to $5,000 per violation for violations due to negligence

Tier 2: Up to $25,000 per violation for a knowing or intentional violation

Tier 3: Up to $250,000 per violation for an intentional violation for financial gain

The maximum penalty for violations of Texas HB 300 is capped at $1.5 million per year per violation type. However, Covered Entities can also be fined for the failure to notify individuals and the Texas Attorney General of a data breach. Additionally, cases can be referred to the Department of Justice when a violation of §1177 of the Social Security Act is identified. Importantly, these penalties for violations of Texas HB 300 are in addition to penalties imposed by HHS for violations of HIPAA.

HB 300 Training Requirements

In addition to the above, HB 300 introduced a mandatory training requirement. Section 181.101 of HB 300 stipulates that Covered Entities must “provide a training program […] regarding the state and federal law concerning Protected Health Information as it relates to the Covered Entity’s course of business and each employee’s scope of employment”. The bill also mandates training must be completed within ninety days of being hired by a Covered Entity.

The HB 300 training requirements differ from the HIPAA training requirements inasmuch as HIPAA does not place a time limit on the provision of training. HIPAA also does not put a time limit on retraining members of the workforce when there is a “material change” to policies and procedures, whereas the Texas HB 300 training requirements stipulate material change training must be provided within twelve months of a change taking effect.

Additionally, whereas HIPAA only requires the documentation of training, HB 300 requires employees of Covered Entities under the Medical Privacy Act to sign a statement verifying their attendance at training. It is not made clear whether a signed statement is only required for attending initial HB 300 training, or for attending each HIPAA security awareness and training session required under §164.308(a)(5)(i) of the Security Rule.

HB 300 Training Courses

Because HB 300 training has to be customized according to employees’ roles, there are no one-size-fits-all HB 300 training courses. Covered Entities have the option of developing their own HB 300 training courses or taking advantage of courses provided by third-party compliance companies. As a general guide, when either developing a course or selecting a third-party HB 300 training course, the content should include the following elements:

  • Introduction to Texas HB 300.
  • Why the law was introduced and why compliance is essential.
  • Types of information covered.
  • Entities and individuals required to comply.
  • Medical record and PHI access.
  • Patient rights over electronic medical records.
  • Notices about electronic disclosures of PHI.
  • Authorizations from patients about electronic PHI disclosures.
  • Breach notification requirements of HB 4390.
  • How to protect PHI.
  • Enforcement of compliance and penalties for violations.

HB 300 Training FAQs

Do HIPAA Covered Entities have to provide both HIPAA training and HB 300 training?

HIPAA Covered Entities have to provide both HIPAA training and HB 300 training relating to the Covered Entity's policies and procedures that are relevant to the roles of members of the workforce. However, it is not necessary to provide each type of training separately. In cases where the Texas Medical Privacy Act preempts HIPAA, workforce policies and procedures should account for this, so it should only be necessary to prepare and present one training curriculum.

Is every organization with access to PHI in Texas subject to the requirements of HB 300?

Every organization with access to PHI in Texas is subject to the requirements of HB 300 unless it is exempted by the Texas Medical Privacy Act. Exemptions include (but are not limited to) payment processors, nonprofit agencies, workers' compensation programs, employee benefits plans, and the American Red Cross. However, although exempted from complying with the Texas Medical Privacy Act, some organizations in these categories may still be required to comply with HIPAA.

Does this mean schools have to provide HB 300 training? If so, to whom?

Schools have to provide HB 300 training to any member of the workforce who assembles, collects, analyzes, uses, evaluates, stores, or transmits Protected Health Information not classified as an educational record as defined by the Family Educational Rights and Privacy Act (FERPA). In most cases, schools that only provide medical services for students do not have to provide HB 300 training. However, if medical records are maintained for any member of the workforce or a member of the public, it will be necessary for the school to provide HB 300 training.

Where is it stated Covered Entities have to review user access to ePHI annually?

Article VI of the Texas Health Services Authority's Model Security Policies recommends that Covered Entities review user access to ePHI annually. Although issued as guidance, rather than as part of the Medical Records Privacy Act, the recommendation is one a breach investigator would expect to find in place to secure ePHI. Generally, the Model Security Policies align with best practices for HIPAA compliance, but there are a few differences.

What subsequent amendments have there been to the Texas Breach Notification Rule?

Subsequent amendments to the Texas Breach Notification Rule were enacted in June 2021 via HB 3746. The amendments require Covered Entities to provide additional content for breach notifications including the circumstances of the breach, whether it is known if PHI has been subsequently used or disclosed without authority, and what measures the Covered Entity intends to take to address the cause of the breach.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/