Effective Sept. 1, 2012, the State of Texas amended the Texas Medical Records
Privacy Act (Texas Health and Safety Code Section 181) (the MRPA) in an effort
to afford new protections to patient medical records. All covered entities, as
defined by the MRPA, must be in compliance with the MRPA as of the effective
date. The MRPA defines the term “covered entity” broadly to include both (a)
covered entities as defined by the Health Insurance Portability and
Accountability Act of 1996, as amended, and its accompanying regulations (HIPAA)
and (b) the following entities or individuals and their employees, agents or
contractors who obtain, use or transmit protected health information: business
associates, governmental units, information or computer management entities,
schools, health researchers or any person who maintains an Internet site.
The amended MRPA requires covered entities to conduct ongoing privacy
training. New employees must be trained within 60 days of their hire date on
both the MRPA and HIPAA as they relate to the covered entity’s particular course
of business and the employee’s scope of employment. Furthermore, all employees
of a covered entity must be retrained biannually on both the MRPA and HIPAA.
Entities that have already conducted HIPAA training for their employees should
not assume that they have satisfied this MRPA training requirement, because the
law has a series of provisions that differ from HIPAA but should be included in
For example, the amended MRPA also imposes new and unique requirements
regarding a patient’s rights with respect to the patient’s protected health
information. Under the MRPA, a healthcare provider must provide patients with a
copy of requested electronic health records in electronic format within 15
business days of receiving a written request. A covered entity must also provide
a general notice that an individual’s protected health information (PHI) is
subject to electronic disclosure and post the notice online or in a conspicuous
The amended MRPA increased the civil penalties that may be assessed for
violations from $5,000 to $1.5 million, depending upon the number of violations
and certain mitigating factors. Civil penalties may not exceed the following
- $5,000 for each negligent violation that occurs in one year;
- $25,000 for each knowing or intentional violation that occurs in one year;
- $250,000 for each knowing or intentional violation used for financial
- $1,500,000 for violations that have occurred with a frequency as to
constitute a pattern or practice.
Additionally, an entity that is licensed by a state agency and that violates
the MRPA is subject to administrative action. A covered entity as defined by
HIPAA may also be referred to the U.S. Department of Health and Human Services
for an audit of its compliance with HIPAA.
In addition to amending the MRPA, 2011 Texas House Bill 300 also clarified
the scope of the breach notification requirements set forth in the Business and
Commerce Code for the breach of computerized data that contains personal
sensitive information (including PHI) and imposes penalties of up to $250,000
for noncompliance with the notification requirements.
If you have questions regarding the amendments to the MRPA or the MRPA itself
and its application to your organization, please contact the authors.