HB 300 Training Requirements

By Daniel Lopez

Information on the HB 300 training requirements for companies, organizations, and individuals that do business with Texas residents where that business involves access to protected health information and/or sensitive personal information.

What is Texas HB 300?

HB 300 – Texas House Bill 300 – was passed and signed into law by Texas Governor Rick Perry in June 2011 and took effect on September 1, 2012. The bill amended the Texas Health and Safety Code and was introduced to improve privacy protections for state residents. Texas now has some of the strictest laws in the United States concerning patient privacy and security for protected health information (PHI) and sensitive personal information (SPI).

Who Must Comply with HB 300?

HIPAA is a federal law with data privacy and security provisions that apply to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. The Texas Health and Safety Code expands the HIPAA definition of covered entities, so some individuals, companies, and organizations that are not required to comply with HIPAA will nevertheless be required to comply with HB 300. For example, website owners whose websites collect the PHI or SPI of Texas residents are not necessarily required to comply with HIPAA, but they are required to comply with HB 300.

Under HB 300, a covered entity is any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits PHI/SPI in any form. There are HB 300 training requirements for those entities to ensure all individuals are aware of their responsibilities with respect to PHI and SPI.

Does Texas HB 300 Replace HIPAA?

HIPAA sets minimum standards for covered entities and business associates to ensure the confidentiality, integrity, and availability of protected health information. HIPAA also gives individuals rights over their healthcare data. HIPAA is therefore the baseline. States can introduce legislation that increases protections for healthcare data and patient privacy, and many states have done so, including Texas.

Texas HB 300 does not replace HIPAA; where HB 300 has more stringent provisions, those provisions apply in addition to HIPAA. For example, Texas HB 300 expands individual protections beyond HIPAA by limiting permissible disclosures of electronic PHI to those required for treatment, payment, healthcare operations, and HMO or insurance functions. All other disclosures of electronic PHI must be authorized by the patient unless they are required by law – for example, reporting child abuse.

What are the HB 300 Training Requirements?

The HB 300 training requirements oblige covered entities to provide formal training on HB 300 to individuals within 90 days of commencing employment (the original requirement of 60 days was revised in 2013). All individuals who have access to protected health information or sensitive personal information must receive HB 300 training. Training must be tailored to the role of the individual and their interactions with PHI/SPI. All training must be documented and the records maintained for six years, as training logs will need to be provided to state regulators in the event of a compliance audit or data breach investigation. Employees are required to sign to confirm they have received training.

There are further HB 300 training requirements, as training cannot be a one-time checkbox exercise. All individuals must receive refresher HB 300 training whenever a material change in state or federal law concerning PHI affects the individual's role. Again, these training sessions must be documented. Covered entities that do not comply with the HB 300 training requirements can face stiff financial penalties.

HB 300 Training Options

There are two options available to HB 300 covered entities concerning training. Covered entities can develop and maintain their own HB 300 training program or opt for one of many third-party training courses. Developing your own HB 300 training course from scratch is time consuming, which is why many covered entities choose a third-party training course.

Compliance training companies take care of all aspects of the training and update their courses when there are any amendments to state legislation. These training courses are usually computer-based and can be accessed over the Internet. They allow covered entities to track the progress of individuals as they complete their training and many offer certification for individuals and companies to confirm that training has been completed.

What are the Penalties for HB 300 Violations?

The penalties for violations of HB 300 are tiered and based on the extent to which the covered entity was aware of the violation. The first tier – negligence – has a maximum penalty of $5,000 per violation per year. Tier 2 – intentional or knowing violations – has a maximum penalty of $25,000 per violation per year. Tier 3 – intentional violations for financial gain – has a maximum penalty of $250,000 per violation per year.

Fines can also be applied for failure to notify Texas residents about a privacy breach, at a rate of $100 per consecutive day that notifications were not issued, up to a maximum of $250,000. If the conduct also violates the HIPAA Rules, separate penalties can be applied for the HIPAA violation.


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA