Effective Sept. 1, 2012, the State of Texas amended the Texas
Medical Records Privacy Act (Texas Health and Safety Code Section
181) (the MRPA) in an effort to afford new protections to patient
medical records. All covered entities, as defined by the MRPA, must
be in compliance with the MRPA as of the effective date. The MRPA
defines the term "covered entity" broadly to include both
(a) covered entities as defined by the Health Insurance Portability
and Accountability Act of 1996, as amended, and its accompanying
regulations (HIPAA) and (b) the following entities or individuals
and their employees, agents or contractors who obtain, use or
transmit protected health information: business associates,
governmental units, information or computer management entities,
schools, health researchers or any person who maintains an Internet
The amended MRPA requires covered entities to conduct ongoing
privacy training. New employees must be trained within 60 days of
their hire date on both the MRPA and HIPAA as they relate to the
covered entity's particular course of business and the
employee's scope of employment. Furthermore, all employees of a
covered entity must be retrained biannually on both the MRPA and
HIPAA. Entities that have already conducted HIPAA training for
their employees should not assume that they have satisfied this
MRPA training requirement, because the law has a series of
provisions that differ from HIPAA but should be included in any
For example, the amended MRPA also imposes new and unique
requirements regarding a patient's rights with respect to the
patient's protected health information. Under the MRPA, a
heathcare provider must provide patients with a copy of requested
electronic health records in electronic format within 15 business
days of receiving a written request. A covered entity must also
provide a general notice that an individual's protected health
information (PHI) is subject to electronic disclosure and post the
notice online or in a conspicuous location on-site.
The amended MRPA increased the civil penalties that may be
assessed for violations from $5,000 to $1.5 million, depending upon
the number of violations and certain mitigating factors. Civil
penalties may not exceed the following amounts:
$5,000 for each negligent violation that occurs in one
$25,000 for each knowing or intentional violation that occurs
in one year;
$250,000 for each knowing or intentional violation used for
financial gain; or
$1,500,000 for violations that have occurred with a frequency
as to constitute a pattern or practice.
Additionally, an entity that is a licensed by a state agency
that violates the MRPA is subject to administrative action. A
covered entity as defined by HIPAA may also be referred to the U.S.
Department of Health and Human Services for an audit of its
compliance with HIPAA.
In addition to amending the MRPA, 2011 Texas House Bill 300 also
clarified the scope of the breach notification requirements set
forth in the Business and Commerce Code for the breach of
computerized data that contains personal sensitive information
(including PHI) and imposes penalties of up to $250,000 for
noncompliance with the notification requirements.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Specific Questions relating to this article should be addressed directly to the author.
The Centers for Medicare & Medicaid Services and the Department of Health and Human Services Office of Inspector General have recently published parallel proposed rules revising, respectively, the Stark exception and Anti-Kickback safe harbor concerning electronic health record items and services.
Marilyn Tavenner received bipartisan support from members of the Senate Committee on Finance in her confirmation hearing to lead the Centers for Medicare and Medicaid Services (CMS) though a full Senate vote is being held up, the president released his FY 2014 budget proposal with health care reform and specified reimbursement reductions to providers and manufacturers totaling $400 billion over 10 years sprinkled throughout it, and Department of Health and Human Services (HHS) Secretary Sebelius
The news from the Office of the National Coordinator for Health IT (ONC) about the revocation of the electronic health record (EHR) certifications of two EHR products that had previously been certified will have tremendous ramifications not only on the EHR vendor losing its certifications, but generally on providers and vendors as well.