Texas governor, Rick Perry, has signed a new health bill, H.B. 300, into law that enforces new obligations in addition to the requirements of the HIPAA privacy rule. The law, which becomes effective September 1, 2012, provides an expansive definition of a covered entity and is likely to include non-covered entities under HIPAA, including survey researchers.
Under the new law, a covered entity is defined as any entity that engages in “assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information. A covered entity will also include an entity that “comes into possession of” or “obtains or stores” protected health information (PHI). Protected health information is defined to include “any information that reflects that an individual received health care from the covered entity; and is not public information and is not subject to disclosure” in accordance to Texas law.
The law specifically creates the following obligations:
- Requires all employees of covered entities to undergo training on HIPAA and the Texas privacy law within 60 days of hiring;
- Prohibits the disclosure of PHI for remuneration, unless to other covered entities for treatment, payment, operations, insurance or as required by law;
- Requires covered entities to provide notice to individuals that their PHI is subject to electronic disclosure and obtain authorization for any electronic disclosure of PHI;
- Mandates that health care providers must provide individuals with access to their PHI within 15 days of their request;
- Authorizes the Texas Attorney General, Texas Health Services Authority or the Texas Department of Insurance to conduct compliance audits of covered entities that have consistently violated the Texas law; and
- Creates an obligation for the Texas Health Services Authority to develop privacy and security stands for the electronic sharing of PHI.
In light of the new obligations under this law, drafting agreements which specify the relationship and responsibilities all parties is very important when engaging in any potential transaction involving health care. The broad definitions used in this new law requires survey researchers who engage respondents for health care in the state of Texas to take appropriate steps to reasonably minimize access to health care information and begin steps to comply with obligations for the new HIPAA requirements as a business associate and the Texas law as a covered entity.
The information provided in this document is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any given laws/legislation and their impact on your particular business.