Texas Medical Privacy Act (TMPA)
Citing concerns that federal law does not adequately protect patient privacy, Texas recently enacted stringent new health privacy legislation that extends patient protections beyond those contained in the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under the preemption provision in HIPAA, the stricter Texas law will apply to HIPAA covered entities doing business in the state.
Other individuals and organizations that possess protected health information (PHI) also will fall under the broader Texas definition of ‘‘covered entity’’ and will be subject to these strict new privacy standards. The new law, H.B. 300, effective Sept. 1, 2012, is designed to better ensure the security and privacy of PHI that is exchanged via electronic means. The law also grants new enforcement authority to a variety of state agencies, establishes standards for the use of electronic health records (EHRs), and increases penalties for the wrongful electronic disclosure of PHI, including creating a new felony for wrongfully accessing or reading EHRs via electronic means.
Both the Texas Senate and House of Representatives also were concerned that the increased use of electronic health records and the expansion of the electronic exchange of PHI would require stronger laws to better ensure the protection of PHI.
Reports of major data breaches during the 2011 Texas legislative session only added momentum to passage creased revenue to the state as a result of penalties assessed against Texas covered entities that violate the law, though it was also pointed out that the state could realize a potential revenue loss due to enforcement costs.
The bill passed with unanimous votes in both houses of the Texas legislature and was signed by Governor Perry on June 17 (20 HLR 950, 6/23/11). The law is likely to generate confusion over the broad terms in its provisions. While it is not clear how these questions will be answered, anyone who comes into possession of PHI—mail carriers, document shredders, law firms, or inadvertent recipients—should take note of the robust privacy requirements and strict penalties, up to $1.5 million, contained in the law.
While many proponents denied the law would be applied broadly, the language in the law belies those assertions.
Michael L. Silhol is a member of the health care practice group in the Dallas and Houston offices of Haynes and Boone LLP. He represents health care providers in a variety of matters ranging from contractual relationships and business transactions to regulatory and compliance issues.