In 2011, House Bill 300 (HB 300) introduced significant changes to the Texas Health and Safety Code including a requirement for Covered Entities to provide HB 300 training. While it had always been necessary for HIPAA Covered Entities to provide HIPAA training, the requirement to provide HB 300 training has implications for organizations both inside and outside the state of Texas.
HIPAA and HB 300
Throughout most of the U.S., the Health Insurance Portability and Accountability Act (HIPAA) provides a “federal floor of privacy protections for individuals’ individually identifiable health information” and preempts state laws unless those state laws are “more stringent”, meaning they increase either the duties of Covered Entities or the rights of patients.
In Texas, the Medical Records Privacy Act (Chapter 181 of the Health and Safety Code) not only increases the duties of Covered Entities but also increases the rights of patients. Furthermore, HB 300 expands the definition of Covered Entities in Texas to any person or organization that “assembles, collects, analyzes, uses, evaluates, stores, or transmits Protected Health Information”.
Effectively, any person or organization in possession of a Texas resident’s PHI is subject to the Medical Records Privacy Act – including persons and organizations located outside of Texas if the PHI is collected or stored within Texas. This also means that an organization classified as a Business Associate under HIPAA can be classified as a Covered Entity under Texas HB 300.
The Differences between HIPAA and HB 300
Other than the expanded definition of Covered Entities under HB 300, the differences between HIPAA and HB 300 are relatively minor. The main ways in which the duties of Covered Entities are increased are stricter controls on the disclosure of ePHI, the requirement to review user access to ePHI annually, and the requirement to customize training according to employees’ roles.
With regard to increasing the rights of patients, HB 300 gives patients faster access to their medical records, the right to correct errors in their medical records, and the right to file a complaint against a Covered Entity with the Office for Civil Rights (HIPAA Covered Entities only), the Texas Attorney General, or the public agency responsible for overseeing compliance with HB 300.
A further difference between HIPAA and Texas law concerns breach notifications. Under HIPAA, a Covered Entity has to report breaches affecting more than 500 individuals, whereas in Texas the threshold for reporting breaches to the Attorney General under the Texas Identity Theft Enforcement and Protection Act (HB 4390 and subsequent amendments) is 250 individuals.
HB 300 Training Requirements
Because HB 300 training has to be customized according to employees’ roles, there are no one-size-fits-all training requirements. However, under the Medical Records Privacy Act, HB 300 training must be provided to new employees within 90 days of being hired by a Covered Entity (note: this requirement was originally 60 days but was amended by SB 1609 in 2013).
SB 1609 also amended the requirement that refresher training be provided at least every two years. The Act now stipulates that HB 300 refresher training must be provided whenever a material change in state or federal law concerning PHI affects the role of the employee. In this case, the refresher training must be conducted within one year of the change taking effect.
This second change differs from the HIPAA training requirements inasmuch as HIPAA Covered Entities are required to provide refresher training whenever any material change in operations occurs. However, as under HIPAA, employees are required to complete documentation stating that they have undergone HB 300 training, and that documentation has to be retained for six years.
HB 300 Training Courses
Covered Entities have the option of developing their own HB 300 training courses or taking advantage of courses provided by third-party compliance companies. As a general guide, when either developing a course or selecting a third-party HB 300 training course, the content should include the following elements:
- Introduction to Texas HB 300.
- Why the law was introduced and why compliance is essential.
- Types of information covered.
- Entities and individuals required to comply.
- Medical record and PHI access.
- Patient rights over electronic medical records.
- Notices about electronic disclosures of PHI.
- Authorizations from patients about electronic PHI disclosures.
- Breach notification requirements of HB 4390.
- How to protect PHI.
- Enforcement of compliance and penalties for violations.
HB 300 Training FAQs
Do HIPAA Covered Entities have to provide both HIPAA training and HB 300 training?
Qualifying organizations that are Covered Entities under HIPAA (i.e., health care providers, health plans, and healthcare clearinghouses with access to the PHI of Texas residents) should conduct HIPAA training but replace the elements of the Privacy and Security requirements with the clauses of the Medical Records Privacy Act wherever the state of Texas has more stringent requirements.
Is every organization with access to PHI in Texas subject to the requirements of HB 300?
Although there are some exemptions from HB 300 (e.g., payment processors, workers’ compensation schemes, etc.), most organizations that collect individually identifiable health and payment information about individuals in Texas are subject to the requirements of HB 300. This includes schools, government agencies, and website owners.
Does this mean schools have to provide HB 300 training? If so, to whom?
Most schools collect, use, or store individually identifiable health information relating to students; and while records covered by FERPA are exempt from HB 300, all other treatment records are not. Typically, an organization covered by HB 300 would only provide training to employees with access to Protected Health Information. However, it may be advisable to train all school employees on the privacy clauses of HB 300 to mitigate the risk of unauthorized verbal disclosures.
Where is it stated Covered Entities have to review user access to ePHI annually?
This clause appears in Article VI of the Texas Health Services Authority’s Model Security Policies, which, although issued as guidance rather than as part of the Medical Records Privacy Act, are the policies a breach investigator would expect to find in place to secure ePHI. Generally, the policies align with best practices for HIPAA compliance, but there are a few differences.
What subsequent amendments have there been to the Texas Breach Notification Rule?
In June 2021, Governor Abbott signed HB 3746 into law, amending the Texas Breach Notification Rule by requiring Covered Entities to include additional content in breach notifications, such as the circumstances of the breach, whether it is known if PHI has subsequently been used or disclosed without authority, and what measures the Covered Entity intends to take to address the cause of the breach.