Texas passed a law (H.B. 300) in the fall of 2011 that will take effect on September 1, 2012. The law imposes new employee training and notification obligations related to protected health information (PHI), exceeding the requirements of the HIPAA Privacy Rule. The law provides patients with increased rights and remedies over electronic health records, and increases penalties for non-compliance. Significantly, the law incorporates an expanded definition of the term "covered entity" in Texas's existing health privacy law, such that it could have a broad effect on many non-HIPAA-covered entities. The definition of "covered entity" under the law includes any entity that engages in assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information, as well as any entity that comes into possession or obtains or stores PHI.
The law also amends the existing breach notification law, Business & Commerce Code, Section 521.053, and purports to expand coverage to all citizens of the United States. In particular, the new law provides that if an entity conducting business in Texas suffers a breach, it must not only provide notice to affected consumers who live in Texas, but also to those who live in a state that does not currently require notification. If the individual lives in a state that currently does require notification, then the entity can comply with Texas law by providing notice to the affected consumer pursuant to his or her state's law. To the extent a company doing business in Texas suffers a breach after August 2012, therefore, it should evaluate with counsel whether and to what extent it should send notices to all affected U.S. consumers regardless of the state of residence, to avoid the harsh penalty scheme of the Texas law.
To read "Privacy and Data Protection 2011 Year in Review" in full, please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
