If you or your business handles the protected health information of Texas residents, you must comply with Texas HB 300, and HB 300 training is an essential part of that compliance. In this post we outline the requirements for HB 300 training so that you do not fall afoul of the law and risk a financial penalty.
HIPAA and HB 300
Healthcare organizations and their business associates are required to comply with the provisions of the Health Insurance Portability and Accountability Act (HIPAA) Rules and provide training to the workforce. HIPAA is a federal law that sets minimum standards for the privacy and security of healthcare data, referred to as protected health information or PHI.
States have the authority to implement stricter regulations concerning protected health information if they want to improve protections for their residents, as Texas has chosen to do with Texas House Bill 300. Texas HB 300 amended existing laws, including the Texas Health and Safety Code, to increase protections for state residents and their healthcare data, and it imposes stricter requirements than HIPAA. The law has been in effect since September 1, 2012.
HB 300 Covered Entities and Personally Identifiable Information
In Texas, anyone who is in possession of another person’s personally identifiable information must ensure that the information is protected and not misused. Personally identifiable information is any information about an individual that is not in the public domain and that can be used to identify that individual, either directly or in combination with other information. The identifiers that make information identifiable are the same as those used under HIPAA: any one of the 18 identifiers such as names, telephone numbers, email addresses, dates, IP addresses, Social Security numbers, and health insurance numbers.
Any person who is involved in assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information, who comes into possession of protected health information, who stores that information, or who is an employee, agent, or contractor of an entity that creates, receives, obtains, maintains, uses, or transmits protected health information is considered a covered entity. It is important to note that this definition is broader than HIPAA’s: it includes entities classed as business associates under HIPAA and some entities that are not covered by HIPAA at all. For example, covered entities under HB 300 include governmental units, schools, and individuals who maintain websites. Covered entities include those based in Texas and those based in other states if they handle the protected health information of Texas residents.
HB 300 Training Requirements
Any employee of a HIPAA-covered entity or HIPAA business associate must receive HIPAA training and security awareness training, but this is not the same as Texas HB 300 training. Completing a HIPAA training course will not make you compliant with HB 300, as there are differences between the requirements of HIPAA and HB 300.
HB 300 training must be provided within 60 days of an individual joining a company; refresher training should be provided every year and must be provided at least every two years. The legislation states that training must be specific to the role of the individual and to their interactions with protected health information. Training must be documented, as the records will need to be produced in the event of a data breach or compliance investigation.
HB 300 Training Courses
You can develop your own HB 300 training course, although many covered entities opt for a third-party course for their employees. Whichever option you choose, the training should be tailored to each employee role. As a general guide, whether you are selecting a course or developing your own, the training should include the following elements:
- Introduction to Texas HB 300.
- Why the law was introduced and why compliance is essential.
- Types of information covered.
- Entities and individuals required to comply.
- Medical record and PHI access.
- Patient rights over electronic medical records.
- Notices about electronic disclosures of PHI.
- Authorizations from patients about electronic PHI disclosures.
- Breach notification requirements of HB 300.
- How to protect PHI.
- Enforcement of compliance and penalties for violations.