DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
What is the Texas Medical Records Privacy Act (TMRPA)?
On June 17, 2001, Texas Governor Rick Perry signed the Texas Medical Records Privacy Act (TMRPA) into law. The Act was designed to bring Texas into compliance with federal standards on patient privacy, and to expand the scope of patient privacy protections. The TMRPA expanded the protections of HIPAA in three areas:
1. The TMRPA brought entities that were not regulated by HIPAA into its regulatory scope by creating and regulating a class of entities called "covered entities." The TMRPA defines covered entities as people or businesses who:
- Obtain, come into possession of, assemble, collect, use, analyze, evaluate, store, or transmit PHI.
- Are employees, agents, or contractors of these people or businesses, to the extent that the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.
The definition of PHI under HB 300 is the same as the definition of PHI under HIPAA.
The TMRPA gives specific examples of covered entities. Examples of "TMRPA covered entities" include:
- HIPAA business associates
- Healthcare payers
- Governmental units
- Information or computer management entities
- Schools
- Health researchers
- Health care facilities
- Clinics
- Healthcare providers
- Individuals who maintain an Internet site
What Entities Does the TMRPA Cover, Beyond Who HIPAA Covers?
The TMRPA expanded the definition of “covered entity” from the HIPAA definition. Healthcare providers and healthcare plans are TMRPA-covered entities. As noted above, HIPAA business associates are also TMRPA-covered entities. Entities that may NOT be covered by HIPAA are also covered by the TMRPA. TMRPA-covered entities include, as noted above, computer management entities, schools, health researchers, and people who maintain an Internet site, provided these entities obtain, come into possession of, assemble, collect, use, analyze, evaluate, store, or transmit PHI.
What Are Some Specific TMRPA-Covered Entities?
TMRPA-covered entities may include (among other entities) IT service providers, website owners, accountants, sports teams, and lawyers, if they obtain, come into possession of, assemble, collect, use, analyze, evaluate, store, or transmit PHI.
Many TMRPA-covered entities are not covered entities under HIPAA. Under HIPAA, a website owner, say, that merely creates, maintains, receives, and/or transmits PHI is not a covered entity (it’s not a healthcare plan, provider, or healthcare clearinghouse, nor, by virtue of merely being a website, is it a business associate). Under the TMRPA, though, a website owner IS a covered entity, if the owner obtains, comes into possession of, assembles, collects, uses, analyzes, evaluates, stores, or transmits PHI.
Does the TMRPA Regulate Only Texas-Based Covered Entities?
No. Texas-based covered entities (entities incorporated or headquartered in Texas) are subject to the TMRPA. But what about covered entities that are not incorporated or headquartered in Texas? Are they, too, regulated by the TMRPA? Are they TMRPA-covered entities?
Texas, like every other state, has what is called a “long-arm” statute. The “long-arm” language is a nod to the phrase “the long arm of the law.” A long-arm statute, essentially, is a law that allows for a state court to obtain jurisdiction over an out-of-state defendant, on the basis of that person’s violation of a state law – provided the defendant has what’s called a “sufficient connection” with the state.
This long slab of legalese means: If I am a resident of one state (say New York), and I engage in activity that constitutes a violation of another state’s law (say, Texas’ HB 300), I can be sued in a Texas court. This is so, provided I have a “sufficient connection” with Texas. “Sufficient connection” means that I have “sufficient contact” with Texas. “Sufficient contact” arises from the business that I do with Texas (either its government, its residents, or both).
Say again? If I conduct business with Texas residents (by processing, storing, analyzing, evaluating, transmitting, assembling, collecting, or using their PHI), I have “sufficient contact” with Texas, and therefore “sufficient connection.” So, if I violate the terms of the TMRPA, I can expect Texas to use its “long-arm” jurisdiction, which means I can be required to appear in a Texas court to defend myself in a legal action brought by the state of Texas. The TMRPA is enforced by the Texas Attorney General, who is authorized to file a lawsuit against entities or individuals who violate it. The TMRPA gave the Attorney General the authority to seek injunctive relief (an order requiring someone to stop breaking the law) against non-complying entities.
Note: Compliancy Group cannot advise prospects or clients as to whether HB 300 applies to them, or as to whether Texas can exercise jurisdiction over them. These issues are questions of law, and clients and prospects should consult a qualified attorney before proceeding.
What Does the TMRPA Protect?
We now know who is regulated by the TMRPA. But who and what does the TMRPA protect? The PHI of Texas residents. State courts in Texas are empowered to enforce the rights of Texas residents. As noted above, the TMRPA allows the Texas Attorney General to sue Texas-based and non-Texas-based TMRPA-covered entities in Texas state court for violations of the law.
What Does the TMRPA Prohibit?
The TMRPA prohibits the marketing of patient PHI, and the use of PHI in marketing, without patient consent or authorization.
The TMRPA prohibits the re-identification of information that has been de-identified, unless any required authorizations or consents are first obtained.
What is HB 300?
In May of 2011, the Texas Legislature amended the 2001 TMRPA, with new legislation called “HB 300.” “HB” stands for “House Bill.” “300” is not a movie reference, a reference to a number of days, or an amount of money.
Under Texas law, to introduce a bill in the Texas House of Representatives, a state representative must file copies of the bill with the House Clerk, who sequentially numbers each term’s bills in the order in which the clerk receives the bills. HB 300 was the 300th House Bill introduced during the legislative session for 2011. Subsequently, the bill was signed into law by Governor Rick Perry, and went into effect in September of 2012. This article discusses the changes made to the TMRPA by HB 300.
HB 300 regulates TMRPA-covered entities. HB 300 amended the TMRPA in several key areas, introducing the following requirements:
1. Entities defined as "covered entities" under the TMRPA must train their employees on PHI.
2. Entities defined as "covered entities" under the TMRPA must respond to patient requests for access to electronic health records within 15 days of the request.
3. Entities defined as "covered entities" under the TMRPA may not sell patient PHI, in the absence of certain exceptions.
4. Entities defined as "covered entities" under the TMRPA must provide notices to patients of electronic disclosures of their PHI, and must obtain patient authorization for such disclosures.
HB 300 also added language to the TMRPA, specifically stating that entities meeting the TMRPA's definition of "covered entities" must comply with the TMRPA.
In addition, HB 300 empowered the Texas Attorney General to seek monetary relief (in addition to the existing injunctive relief) against entities that violate the TMRPA.
Why Was HB 300 Passed?
“2012” is not a movie reference, either. The HB 300 amendment to the TMRPA was passed in response to the 2009 federal HITECH Act. The HITECH Act encouraged healthcare providers to adopt electronic health records.
The main goal of HB 300 was to strengthen the privacy protections afforded to protected health information and electronic health information, beyond what the federal Health Insurance Portability and Accountability Act (HIPAA) required as of 2011.
The Texas House, in a Committee Report prepared during the 2011 Regular Session regarding HB 300, describes why it introduced HB 300:
“Provisions of recent federal legislation establish incentives designed to increase the adoption of electronic health record systems among certain health care providers. The expanded use of such systems is likely to lead to the expansion of the electronic exchange of protected health information, which may require stronger state laws to better ensure the protection of that information. H.B. 300 seeks to increase privacy and security protections for protected health information.”
HB 300 provides additional privacy protections by (1) requiring covered entities to train their employees on PHI; (2) requiring covered entities to respond to patient requests for access to EHRs within 15 days of the request; (3) generally prohibiting the sale of patient PHI; and (4) requiring covered entities to provide notices to patients of electronic disclosure of PHI, and requiring patient authorization for such disclosures.
What Happens When a Provision of HB 300 Conflicts With a Provision of HIPAA?
The HIPAA Privacy Rule provides a federal floor of privacy protections for individuals' protected health information (PHI), where that information is held by a HIPAA covered entity or by a business associate of the covered entity. State laws, including Texas HIPAA, that are contrary to the HIPAA Privacy Rule, are preempted (trumped) by the federal requirements, unless a specific exception applies.
The concept of preemption is not specific to HIPAA. The Constitution of the United States contains what is, in effect, a preemption provision. Article 6 of the Constitution contains a clause that is known as the “Supremacy Clause.” The Supremacy Clause states, simply, that the Constitution, and federal laws created under the Constitution, are the “supreme law of the land.” This has been interpreted to mean that a state law that contradicts, or is contrary to, a federal law, is “trumped” by the federal law.
When is a State Law “Contrary” to the HIPAA Privacy Rule?
A State law is "contrary" to the HIPAA Privacy Rule if:
- It would be impossible to comply with both the State law and the HIPAA Privacy Rule; or
- The State law is an obstacle to accomplishing the full purposes and objectives of HIPAA.
For example, a state law that prohibits the disclosure of protected health information (PHI) to an individual who is the subject of the information is contrary to the HIPAA Privacy Rule provision requiring that disclosure to the individual be made.
The state law is contrary to the HIPAA Privacy Rule because:
- The covered entity cannot, as a simple logistical matter, comply with both the State law and the HIPAA Privacy Rule. If the covered entity discloses the information to the individual under the HIPAA Privacy Rule, the covered entity has failed to comply with the state law. If the covered entity follows the state law and does not disclose the information to the individual, the covered entity has failed to comply with the HIPAA Privacy Rule.
- The state law is an obstacle to accomplishing the purposes and objectives of HIPAA’s administrative simplification provisions. Those provisions were created for the purpose of protecting the privacy of individuals’ PHI, without compromising the ability of individuals to receive and review their own health records.
Are there Exceptions to the HIPAA Privacy Rule’s Preemption of Contrary State Laws?
There are several recognized exceptions to the general rule that the HIPAA Privacy Rule preempts contrary state law.
Under the main exception, a state law is not preempted if it relates to the privacy of PHI and provides greater privacy protections or privacy rights with respect to such information than the equivalent HIPAA Privacy Rule regulation does.
As noted above, HIPAA sets a privacy “floor.” States may, if they so choose, provide greater privacy protections than HIPAA provides. In cases where a state law conflicts with a federal law, the law providing the greater privacy protection to the individual prevails.
Example of an Exception to Preemption
The HIPAA right of access rule requires covered entities to provide patients access to their PHI within 30 days of receiving a request for access. PHI, under the right of access rule, includes PHI contained in electronic health records.
HB 300, on the other hand, requires "TMRPA-covered entities" to respond to patient requests for access to electronic health records within 15 days of the request.
Say I am subject to both the TMRPA (because I use PHI of Texas residents) AND to HIPAA (because I am a healthcare provider engaged in a HIPAA-covered transaction). Which law must I comply with? The one requiring access to be provided within 15 days, or the one requiring access to be provided within 30 days? The answer is that the TMRPA prevails, and I must provide the access within 15 days. A rule requiring provision of access within 15 days is more favorable to a patient than one requiring provision of access within 30 days (it is more favorable because the patient need not wait as long to obtain the records under the TMRPA as they would under HIPAA). Since the 15-day right of access rule is a Texas Medical Records Privacy Act rule and the HIPAA right of access rule is part of the HIPAA Privacy Rule, both laws are privacy rights laws. The law providing the greater privacy rights to the patient, the TMRPA, wins out.