Can An Entity Be Covered by HB 300 and Not by HIPAA?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Under Texas HB 300, a "Covered Entity" means any person who:

(A)  for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information.  The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site

(B)  comes into possession of protected health information;

(C)  obtains or stores protected health information under this chapter; or

(D)  is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

Per Section 181.004 of HB 300, “A covered entity, as that term is defined by 45 C.F.R. Section 160.103, shall comply with the Health Insurance Portability and Accountability Act and Privacy Standards.”

Not every entity defined as a covered entity by HB 300 is automatically a covered entity as defined by HIPAA.

This is so in part because HB 300 does not impose a “covered transactions” condition.

Under HIPAA, a healthcare provider, to be a “covered entity,” must engage in one or more “HIPAA transactions.”

HIPAA transactions include:

Health care claim X12N 837 transaction

Health care claim payment advice X12N 835 transaction

Health care claim status request/notification X12N 276/277 transaction

Eligibility, coverage, or benefit inquiry/information X12N 270/271 transaction

Benefit enrollment and maintenance X12N 834 transaction

Health care service review information X12N 278 transaction

Payment order/remittance advice X12N 820 transaction

These transactions all involve communications with health insurers.  HB 300 has no “provider must communicate with insurer” requirement for a provider to be a covered entity.

Say that I am a non-profit hospital conducting business in Texas. I do not engage in any HIPAA transactions. This means that I am a covered entity as HB 300 defines that term (“nonprofit, or pro bono basis, which engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information.“), but I am NOT a “HIPAA” covered entity.

A state law cannot enlarge the scope of a federal law- that is, a state law cannot expand the scope of who is regulated by a federal law. If an entity meets the Texas definition of “covered entity,” but does not meet the HIPAA definition of “covered entity,” HIPAA does not regulate that entity. It lacks the jurisdiction to do so.

HIPAA doesn’t always and at all times exclude non-profits from classification as “covered entities.” Individual Coverage Health Reimbursement Accounts (ICHRA’s) are a type of health insurance benefit non-profits can offer their employees. If the employer administers the plan, the employer is a HIPAA “covered entity.”

If an entity that is a covered entity as defined by HB 300 (but that is not a covered entity as the term covered entity is defined by HIPAA) sustains a breach of health information, it is not HB 300 that requires the breach to be reported. Rather, it s another provision of Texas law, known as TITEPA, that would require the breach to be reported. A provision of TITEPA requires that (“A person who is required to disclose or provide notification of a breach of system security under TITEPA shall notify the attorney general of that breach as soon as practicable and not later than the 30th day after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of this state.” (TITEPA Sec. 521.053(i)).  TITEPA also requires that breaches of health information be reported to affected individuals (TITEPA Sec. 521.053(b) through (h)).  The Texas attorney general enforces TITEPA.

Please note that if an entity qualifies as a covered entity under HIPAA, that entity is almost certain to be a covered entity under HB 300. as HB 300 uses the term “covered entity.”  In 2009, the HITECH Act Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and they can obtain damages on behalf of state residents. States have “concurrent” jurisdiction with HHS to pursue HIPAA violators. A state civil action may be brought against a HIPAA covered entity or business associate by state Attorneys General, AND, HHS may also investigate the entity and impose its own fines and penalties.  

Violations of the TMRPA may ONLY be addressed by the state of Texas, not HHS. The state of Texas, as part of the concurrent jurisdiction with HHS, may conduct “audits.”  Here is how the state’s auditing power works - the state may investigate HIPAA-covered entities as follows:

If the (Texas) commission has evidence that a covered entity has committed violations of this chapter that are egregious and constitute a pattern or practice, the commission may:

(1)  require the covered entity to submit to the commission the results of a risk analysis conducted by the covered entity if required by 45 C.F.R. Section 164.308(a)(1)(ii)(A); or

(2) if the covered entity is licensed by a licensing agency of this state, request that the licensing agency conduct an audit of the covered entity's system to determine compliance with the provisions of the TMRPA.