Think HIPAA's patient privacy rules are tough? Head to Texas


The political news out of Texas in recent weeks has focused on issues ranging from immigration to school funding to "anti-groping" airport security measures. But what may have been missed by those concerned about healthcare privacy and electronic medical records (EMRs) is that a new law was signed by Gov. Rick Perry (R) this month with provisions tougher than those currently found under the Health Insurance Portability and Accountability Act (HIPAA).

The measure (HB 300), introduced by Rep. Lois Kolkhorst (R-Brenham), chair of the House Committee on Public Health, bans for-profit sales of personal health information and sets up a process for notifying patients of any electronic transfer of their medical records.

As medical offices and hospitals transfer their files to digital records and more local health information exchanges are created, individuals need to be sure that their "right to privacy keeps up with technology," Kolkhorst said earlier this year. Kolkhorst pledged that tougher privacy protections were going to be one of her committee's top priorities for the 2011 legislative session.

Under the new law--which goes into effect on Sept. 1, 2012--companies or providers who break the rules and sell medical data could be subject to stiff fines of up to $3,000 per violation, with legal damages as much as $1.5 million. If the actions are considered "egregious," a state licensing agency may impose probation or suspension.

Under the law, "covered entities"--which refer to any organization or provider that handles health information--are to notify individuals before protected health information is disclosed electronically.

This notification could be done, for instance, through posting a written notice at the organization's place of business or through a website. These organizations will be required to provide staff training on both federal and state law concerning protecting health information.

The bill did gain provider support as it made its way through the Texas legislature. Bruce Malone, MD, president of the 45,000-member Texas Medical Association, expressed support for the measure at a hearing this past spring, as it contained many of its "core principles for elevating and protecting patient privacy."

Still, there are some rough spots in the new law. Of particular interest is what happens to a provider if an unintended breach of the data occurs. Critics say this could put some providers out of business. Others worry that patient data could be put in limbo if an entity or provider merges or retires.

For the time being, however, the issue of data privacy is getting nudged from the shadows of HIPAA--at least in Texas. It will be interesting to see what other states have in mind. - Janice
