Look Beyond HIPAA

Texas Medical Records Privacy Act Imposes Mandatory Training Requirements and Other New Obligations Upon Covered Entities

September 25, 2012

Effective Sept. 1, 2012, the State of Texas amended the Texas Medical Records Privacy Act (Texas Health and Safety Code Section 181) (the MRPA) in an effort to afford new protections to patient medical records. All covered entities, as defined by the MRPA, must be in compliance with the MRPA as of the effective date. The MRPA defines the term “covered entity” broadly to include both (a) covered entities as defined by the Health Insurance Portability and Accountability Act of 1996, as amended, and its accompanying regulations (HIPAA) and (b) the following entities or individuals and their employees, agents or contractors who obtain, use or transmit protected health information: business associates, governmental units, information or computer management entities, schools, health researchers or any person who maintains an Internet site.

The amended MRPA requires covered entities to conduct ongoing privacy training. New employees must be trained within 60 days of their hire date on both the MRPA and HIPAA as they relate to the covered entity’s particular course of business and the employee’s scope of employment. Furthermore, all employees of a covered entity must be retrained biannually on both the MRPA and HIPAA. Entities that have already conducted HIPAA training for their employees should not assume that they have satisfied this MRPA training requirement, because the law has a series of provisions that differ from HIPAA but should be included in any training.

For example, the amended MRPA also imposes new and unique requirements regarding a patient’s rights with respect to the patient’s protected health information. Under the MRPA, a healthcare provider must provide patients with a copy of requested electronic health records in electronic format within 15 business days of receiving a written request. A covered entity must also provide a general notice that an individual’s protected health information (PHI) is subject to electronic disclosure and post the notice online or in a conspicuous location on-site.

The amended MRPA increased the civil penalties that may be assessed for violations from $5,000 to $1.5 million, depending upon the number of violations and certain mitigating factors. Civil penalties may not exceed the following amounts:

  • $5,000 for each negligent violation that occurs in one year;
  • $25,000 for each knowing or intentional violation that occurs in one year;
  • $250,000 for each knowing or intentional violation used for financial gain; or
  • $1,500,000 for violations that have occurred with a frequency as to constitute a pattern or practice.

Additionally, an entity that is a licensed by a state agency that violates the MRPA is subject to administrative action. A covered entity as defined by HIPAA may also be referred to the U.S. Department of Health and Human Services for an audit of its compliance with HIPAA.

In addition to amending the MRPA, 2011 Texas House Bill 300 also clarified the scope of the breach notification requirements set forth in the Business and Commerce Code for the breach of computerized data that contains personal sensitive information (including PHI) and imposes penalties of up to $250,000 for noncompliance with the notification requirements.

If you have questions regarding the amendments to the MRPA or the MRPA itself and its application to your organization, please contact the authors.