CYBER SECURITY
There is privacy.
Then, there’s Texas Privacy.
By David Schulz
Protecting patient information — and the penalties for getting it wrong — underwent a major upgrade here in Texas with the passage of House Bill 300, which amended the Texas Medical Records Privacy Act (TMRPA) and gave it new teeth and a bigger bite.

These 2012 changes have an impact on every HIPAA covered entity in the Lone Star State and, more critically, expand the very definition of a covered entity. The bill also raises the penalties for noncompliance and willful neglect: far from being an excuse, ignorance can become very, very costly.

Let's review who is required to comply with the law, what is asked of them, and the risks of noncompliance.

The standard HIPAA definition of covered entities (CEs) includes health care providers (who use digital records), health plans, and the data processors who serve them. Here in Texas, the definition covers any individual, business, or organization that obtains, assembles, collects, analyzes, evaluates, stores or transmits protected health information (PHI), including health care providers that do not use digital (ePHI) records.

"The TMRPA or 'Texas HIPAA' is very broad," said Sheila Stine, JD, Texas Health and Human Services agencies' first Chief Privacy Officer. "It basically applies to anyone who handles PHI (protected health information), with some notable exceptions, such as employers, education records, or financial institutions."

And they don't have to be aware of it to be held responsible under the law.

"For example," offers Stine, "when a physician moves away or retires or passes on, leaving old medical records in a storage unit, the owner of the storage unit may not be aware of their obligations under the act." Nor may they be aware that wrongful disclosure or misuse of PHI can result in civil and criminal penalties under both Texas and federal HIPAA law.

Practices should review their business relationships to ensure they are not making unwitting covered entities out of their associates. These can include information or computer management entities, schools, persons who maintain Internet sites and a host of other vendors and affiliates.

On the other hand, says Stine, for a practice that takes its HIPAA responsibilities to heart, the change is felt more in degree than in kind. Perhaps most important, staff training requirements have been upgraded. Where HIPAA requires training "within a reasonable time," a Texas staff member is required to have job-specific, tailored training by their 90th day, with signed attendance records kept. Entire staffs should be retrained whenever there is a major change in the regulations (like these) or in organizational privacy policy. "Best practice," said Stine, "is annual or biannual training."

Another change: the window to respond to a patient's record request is 15 days if the request is made in electronic form, not the 30 days of HIPAA, and with no extensions!

If a practice discloses PHI electronically for any reason, a notice regarding that disclosure should be prominent in the office, on the website, and in any other place where the individuals whose protected health information is involved will see it. And before each electronic disclosure, the individual's authorization must be obtained.

Every practice should periodically review the way it handles PHI following any change in technology, procedure or rules, and at least annually or biannually, "and adjust its privacy notice, policies, training or controls as needed," said Stine.

Finally, Texas regulations on the disclosure of PHI and remuneration to the practice are very tight:

Sale of PHI for purposes outside of Treatment, Payment or Operations (TPO) is forbidden; disclosure for marketing purposes is permitted only with the individual's written authorization (although there are exceptions).
continued on page 16
14 San Antonio Medicine • February 2016