Information on the HB 300 training requirements for companies, organizations, and individuals that do business with Texas residents that involves access to protected health information and/or sensitive personal information.
What is Texas HB 300?
HB 300 – Texas House Bill 300 – was passed and signed into law by Texas Governor Rick Perry in June 2011 and took effect on September 1, 2012. The bill amended existing state laws such as the Texas Health Code and was introduced to improve privacy protections for state residents. Texas now has some of the strictest laws in the United States concerning patient privacy and security for protected health information (PHI) and sensitive personal information (SPI).
Protected health information is any healthcare data that can be tied to an individual or could be used to identify an individual when combined with other data. The definition follows that of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which involves 18 different identifiers such as names, ID numbers, Social Security numbers, addresses, telephone numbers, email addresses, and IP addresses.
Who Must Comply with HB 300?
HIPAA is a federal law with data privacy and security provisions that apply to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. Texas HB 300 expands the HIPAA definition of covered entities, so some individuals, companies, and organizations will be required to comply with HB 300 that are not required to comply with HIPAA. For example, website owners whose websites collect the PHI or SPI of Texas residents are not necessarily required to comply with HIPAA, but they are required to comply with HB 300.
Under HB 300, a covered entity is any entity or individual that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits PHI/SPI in any form. There are HB 300 training requirements for those entities to ensure all individuals are aware of their responsibilities with respect to PHI and SPI.
Does Texas HB 300 Replace HIPAA?
HIPAA sets minimum standards for covered entities and business associates to ensure the confidentiality, integrity, and availability of protected health information. HIPAA also gives individuals rights over their healthcare data.
HIPAA is therefore the baseline. States can introduce legislation that increases protections for healthcare data and patient privacy, and many states have done so, including Texas. HB 300 broadened the definition of covered entities and added several new privacy and security requirements for covered entities to improve protections for state residents. The HB 300 training requirements are also stricter than HIPAA and there are maximum timeframes for providing training for all individuals who handle the PHI/SPI of Texas residents.
What are the HB 300 Training Requirements?
The HB 300 training requirements for covered entities are for formal training on HB 300 to be provided to individuals within 90 days of commencing employment (the original requirement of 60 days was revised in 2013). All individuals must receive HB 300 training if they have access to protected health information or sensitive personal information (SPI). Training must be tailored to the role of an individual and their interactions with PHI/SPI. All training must be documented and maintained for six years, as training logs will need to be provided to state regulators in the event of a compliance audit or data breach investigation. Employees are required to sign to confirm they have received training.
There are further HB training requirements, as training cannot be a one-time checkbox process. All individuals must receive refresher HB 300 training whenever a material change in state or federal law concerning PHI affects the individual´s role. Again, these training sessions must be documented. Covered entities not complying with the HB 300 training requirements can face stiff financial penalties.
HB 300 Training Options
There are two options available to HB 300 covered entities concerning training. Covered entities can develop and maintain their own HB 300 training program or opt for one of many third-party training courses. Developing your own HB 300 training course from scratch is time consuming, which is why many covered entities choose a third-party training course.
Compliance training companies take care of all aspects of the training and update their courses when there are any amendments to state legislation. These training courses are usually computer-based and can be accessed over the Internet. They allow covered entities to track the progress of individuals as they complete their training and many offer certification for individuals and companies to confirm that training has been completed.
What are the Penalties for HB 300 Violations?
The penalties for violations of HB 300 are tiered and based on the extent to which the covered entity was aware of the violation. The first tier – negligence – has a maximum penalty of $5,000 per violation per year. Tier 2 – intentional or knowing violations – has a maximum penalty of $25,000 per violation per year. Tier 3 – intentional violations for financial gain – has a maximum penalty of $250,000 per violation per year.
Fines can also be applied for the failure to notify Texas residents about a privacy breach at a level of $100 per consecutive day that notifications were not issued up to a maximum of $250,000. If a violation also violates the HIPAA Rules, separate penalties can be applied for the HIPAA violation.