HIPAA, HITECH, and the Texas Privacy Law

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Congress passed HIPAA to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry. Portability in HIPAA includes patient protections for coverage under group health plans that limit exclusions for preexisting conditions; prohibit discrimination against employees and dependents based on their health status; and allow a special opportunity to enroll in a new plan to individuals in certain circumstances.

Federal Privacy Law HIPAA

The Final Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. Some of the provisions include:
    • Clarifying when breaches of unsecured health information must be reported to the federal government.
    • Strengthening the requirements governing the relationship between physicians and their business associates, such as health plans and other entities that receive patient information.
    • Allowing cash paying patients to instruct their physician not to share information about their treatment with health plans.

HIPAA Administrative Simplification Provisions

The Administrative Simplification provisions of HIPAA streamline the administration of health care with requirements for privacy, electronic transactions and code sets, security, and national provider identifiers. These provisions apply to all covered entities.
    • The Privacy requirements govern disclosure of patient protected health information (PHI) while protecting patient rights. The Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule.
    • The Electronic Transactions and Code Sets requirements involve the transfer of health care information and the adoption of standard formats for processing claims and payments.
    • The Security regulations involve the adoption of the administrative, technical, and physical safeguards required to prevent unauthorized access to PHI. The Office for Civil Rights enforces the HIPAA Security Rule.
    • HHS has health information privacy guidance materials for Covered Entities.
    • The HIPAA Privacy and Security Audit Program requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.
    • The combined regulation text of all HIPAA Administrative Simplification Regulations is found at 45 CFR Parts 160, 162, and 164. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

Cybersecurity

Cybersecurity and Risk Assessments - Informational page regarding cybersecurity and risk assessments as well as vendors and tools.

Texas Laws

HB 300 (2011) and its 2013 amendment amended the Texas Health and Safety Code Section 181 with privacy requirements that are more stringent than the federal privacy requirements of HIPAA. The law imposes requirements regarding training, electronic health records access, sales of protected health information, notice and authorization for electronic disclosures, enforcement and disciplinary actions, and audits of covered entities. This law was effective on Sept. 1, 2012. In the legislative session of 2013, the law was further amended to change some of the requirements and timetables for training.

HB 4390 (2019) amended the Texas Business and Commerce Code Section 521.053, effective Jan. 1, 2020, making it more restrictive than federal HIPAA law. HB 4390 defines a deadline by which businesses must provide notice to affected individuals, requiring that notice be provided without unreasonable delay, but no later than 60 days after discovering that a breach has occurred. Businesses are also required to provide notice to the Texas attorney general within 30 days after a breach is discovered if the breach involves the sensitive personal information (SPI) of 250 or more Texas residents (see SB 768 below).

SB 768 (2023) amended the Business & Commerce Code Section 521.053, effective Sept. 1, 2023, by changing the timeframe to report a breach to the Texas attorney general to 30 days from the date the breach was discovered if at least 250 state residents were involved. The notification must be submitted electronically via the attorney general's online breach report. The breach will be placed on a publicly available list by the attorney general. Failure to comply could result in a fine of up to $50,000 for each violation, among other consequences.

Resources

Patient De-identification

The HIPAA Privacy Rules outline methods and approaches to de-identify PHI.

HITECH Act

The 2009 federal economic stimulus bill, American Recovery and Reinvestment Act (ARRA), substantially broadens the scope and impact of HIPAA security and privacy rules. These mandates are included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of ARRA. A requirement of the stimulus bill regarding electronic protected health information (ePHI) is to notify patients and the US Dept of Health & Human Services (HHS) of "unsecured" PHI leaks and breaches. Under the stimulus bill, several HIPAA security provisions apply to business associates in the same manner as those that apply to covered entities.
    • The HIPAA Privacy and Security Audit Program requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. Also see a TMA article in Texas Medicine, July 2012, on the federal government's enforcement of data security and privacy standards.
    • For additional information on electronic health/medical records, see our EHR web page.