Can An Entity Be Covered by the Texas Medical Records Privacy Act and Not by HIPAA?

Modified on Fri, 6 Sep at 9:52 AM


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Note: Compliancy Group cannot advise prospects or clients as to whether HB 300 applies to them. This issue is a question of law, and clients and prospects should consult a qualified attorney before proceeding.


Under the Texas Medical Records Privacy Act (TMRPA), a "covered entity" means any person who:

(A)  for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;

(B)  comes into possession of protected health information;

(C)  obtains or stores protected health information under this chapter; or

(D)  is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

Per Section 181.004 of the TMRPA, “A covered entity, as that term is defined by 45 C.F.R. Section 160.103, shall comply with the Health Insurance Portability and Accountability Act and Privacy Standards.”


Not every entity defined as a covered entity by the TMRPA is automatically a covered entity as defined by HIPAA.

This is so in part because the TMRPA does not impose a “covered transactions” condition.


Under HIPAA, a healthcare provider, to be a “covered entity,” must engage in one or more “HIPAA transactions.”

HIPAA transactions include:

Health care claim X12N 837 transaction

Health care claim payment advice X12N 835 transaction

Health care claim status request/notification X12N 276/277 transaction

Eligibility, coverage, or benefit inquiry/information X12N 270/271 transaction

Benefit enrollment and maintenance X12N 834 transaction

Health care service review information X12N 278 transaction

Payment order/remittance advice X12N 820 transaction


These transactions all involve communications with health insurers.  The TMRPA has no “provider must communicate with insurer” requirement for a provider to be a covered entity.


Say that I am a non-profit hospital conducting business in Texas. I do not engage in any HIPAA transactions. This means that I am a covered entity as the TMRPA defines that term (“nonprofit, or pro bono basis, which engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information.”), but I am NOT a “HIPAA” covered entity.

A state law cannot enlarge the scope of a federal law; that is, a state law cannot expand the scope of who is regulated by a federal law. If an entity meets the Texas definition of “covered entity,” but does not meet the HIPAA definition of “covered entity,” HIPAA does not regulate that entity. It lacks the jurisdiction to do so.

HIPAA does not categorically exclude non-profits from classification as “covered entities.” Individual Coverage Health Reimbursement Accounts (ICHRAs) are a type of health insurance benefit non-profits can offer their employees. If the employer administers the plan, the employer is a HIPAA “covered entity.”


If an entity that is a covered entity as defined by the TMRPA (but that is not a covered entity as HIPAA defines that term) sustains a breach of health information, it is a specific provision of the TMRPA known as TITEPA that would require the breach to be reported. A provision of TITEPA requires that “A person who is required to disclose or provide notification of a breach of system security under TITEPA shall notify the attorney general of that breach as soon as practicable and not later than the 30th day after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of this state.” (TITEPA Sec. 521.053(i)). TITEPA also requires that breaches of health information be reported to affected individuals (TITEPA Sec. 521.053(b) through (h)). The Texas attorney general enforces TITEPA.

Please note that if an entity qualifies as a covered entity under HIPAA, that entity is likely to be a covered entity under the TMRPA, as the TMRPA uses that term. In 2009, the HITECH Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and they can obtain damages on behalf of state residents. States have “concurrent” jurisdiction with HHS to pursue HIPAA violators. A state civil action may be brought against a HIPAA covered entity or business associate by state Attorneys General, AND, HHS may also investigate the entity and impose its own fines and penalties.  
Violations of the TMRPA may ONLY be addressed by the state of Texas, not HHS. The state of Texas, as part of the concurrent jurisdiction with HHS, may conduct “audits.” Here is how the state’s auditing power works: the state may investigate HIPAA-covered entities as follows:

Under HB 300, which amended the TMRPA in 2011, if the (Texas) commission has evidence that a covered entity has committed violations of the TMRPA chapter that are egregious and constitute a pattern or practice, the commission may:


(1)  require the covered entity to submit to the commission the results of a risk analysis conducted by the covered entity if required by 45 C.F.R. Section 164.308(a)(1)(ii)(A); or

(2) if the covered entity is licensed by a licensing agency of this state, request that the licensing agency conduct an audit of the covered entity's system to determine compliance with the provisions of the TMRPA.
