Can An Entity Be Covered by the Texas Medical Records Privacy Act and Not by HIPAA?

Modified on Wed, 6 Aug at 1:29 PM


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Note: Compliancy Group cannot advise prospects or clients as to whether HB 300 applies to them. This issue is a question of law, and clients and prospects should consult a qualified attorney before proceeding.

Introduction

This article discusses whether an entity can be regulated by the Texas Medical Records Privacy Act, and yet not be regulated by HIPAA.

What is a "Covered Entity" Under the Texas Medical Records Privacy Act?


Under the Texas Medical Records Privacy Act (TMRPA), a "covered entity" means any person or entity who:

  1. For commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information.  The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;
  2. Comes into possession of protected health information;
  3. Obtains or stores protected health information under this chapter; or
  4. Is an employee, agent, or contractor of a person described by Paragraph (1), (2), or (3) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

Entities defined as "covered entities" by the TMRPA must comply with the TMRPA. The TMRPA also notes, at Section 181.004, that entities that HIPAA defines as "covered entities" must comply with HIPAA: “A covered entity, as that term is defined by 45 C.F.R. Section 160.103, shall comply with the Health Insurance Portability and Accountability Act and Privacy Standards.”

Is it Possible for an Entity to be Regulated by the TMRPA and Not by HIPAA?

Yes.


Not every entity defined as a covered entity by the TMRPA is automatically a covered entity as defined by HIPAA.

Under HIPAA, a healthcare provider, to be a “covered entity,” must engage in one or more “HIPAA transactions.”


HIPAA transactions include:

  1. Health care claim X12N 837 transaction
  2. Health care claim payment advice X12N 835 transaction
  3. Health care claim status request/notification X12N 276/277 transaction
  4. Eligibility, coverage, or benefit inquiry/information X12N 270/271 transaction
  5. Benefit enrollment and maintenance X12N 834 transaction
  6. Health care service review information X12N 278 transaction
  7. Payment order/remittance advice X12N 820 transaction


These transactions all involve communications with health insurers.  The TMRPA, however, has no “provider must communicate with insurer” requirement for that provider to be a TMRPA-defined "covered entity."


Say that I am a non-profit hospital conducting business in Texas. I do not engage in any "HIPAA transactions." This means that I am a covered entity as the TMRPA defines that term (I am an entity that, on a “nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information”), but I am NOT a “HIPAA” covered entity.


Another example: I am a dental practice operating in Texas. My practice is cash-only. I do not engage in any "HIPAA transactions," and therefore am not regulated by HIPAA. I am regulated by the TMRPA, however, because I "engage, in whole or in part, ... in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information."

Do "TMRPA" Covered Entities That are Not "HIPAA" Covered Entities Have Breach Reporting Obligations?

Yes.


If an entity that is a covered entity as defined by the TMRPA (but that is not a covered entity as HIPAA defines that term) sustains a breach of health information, the breach must be reported under a specific provision of the TMRPA known as ITEPA (Identity Theft Enforcement and Protection Act). A provision of ITEPA requires that “A person who is required to disclose or provide notification of a breach of system security under ITEPA shall notify the Texas attorney general of that breach as soon as practicable and not later than the 30th day after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of this state.” (ITEPA Sec. 521.053(i)).
