Texas Governor Rick Perry just signed a law protecting patients’ data in electronic health records and increasing penalties for violation of the health care privacy laws. In what was a heated legislative session, this bill passed both houses without opposition, signaling widespread support for a stronger stance on protecting patients’ health information. The new law becomes effective September 1, 2012.
The Texas law requires covered entities, such as hospitals, physicians, health plans, health care clearinghouses and their business associates, to comply with the federal Health Insurance Portability and Accountability Act (HIPAA) privacy standards. Incorporating the HIPAA standard, the new law provides that an individual’s protected health information may not be disclosed without the patient’s authorization, except for purposes of treatment, payment, health care operations, insurance purposes, and as otherwise authorized by state or federal law. Covered entities must also give patients notice of their privacy policies, on their website or in another prominent place where patients will see the notice.
Most notably, the law substantially increases penalties for privacy violations: from $2,500 per violation under prior law to up to $5,000 per negligent violation, up to $25,000 per knowing or intentional violation, and up to $250,000 where the disclosure is made for financial gain. For repeat offenders, the maximum penalty is increased to $1.5 million. A health care provider’s professional or institutional license may also be revoked for repeated violations under the new law. Because state and federal penalties can apply to the same act, a single disclosure by a covered entity with Texas patients potentially exposes it to substantial penalties under both regimes, depending on the nature of the violation.
The Texas law also puts into place a regulatory framework in which the Texas Health and Human Services Commission, the Texas Health Care Authority, the Texas Department of Insurance, and the Texas Attorney General’s office have audit authority to ensure privacy compliance. The AG’s office is also required to set up a complaint system and an information website, as several other states have already done. The Texas Health Care Authority is charged with developing standards, consistent with HIPAA, for the electronic sharing of protected health information, covering the security, maintenance and disclosure of those records.