
Texas Privacy Act: Overview and Compliance Guide

David Harrington
5 min read
Last updated June 27, 2023

Many countries, states, and jurisdictions have recently passed — or are planning to pass — legislation to protect the privacy and data rights of consumers. The state of Texas is no exception, having recently introduced the Texas Medical Records Privacy Act (TMRPA). This Texas privacy act is similar to the Health Insurance Portability and Accountability Act (HIPAA) in that it sets forth guidelines for safeguarding private medical records and information.


In this article, we’ll explore the basics of what the TMRPA is and its key components. You’ll also learn about how this law affects your business, whether you’re a hospital, private physician, or medical insurance provider. Finally, we’ll take you through some best practices on how to protect your patient’s and customer’s medical data in a way that makes you compliant with the Texas Privacy Act.

What is the Texas Privacy Act?

The TMRPA, or Texas Privacy Act, focuses on maintaining the privacy of Protected Health Information (PHI) for patients and customers. According to U.S. law, PHI consists of any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity. A Covered Entity is simply the legal term for hospitals, care providers, or insurance providers that are subject to regulations like HIPAA and the TMRPA.

However, the TMRPA differs from other regulations like HIPAA and the California Consumer Privacy Act (CCPA) in several key respects. First, the Texas Privacy Act could potentially regulate business entities that aren’t subject to HIPAA, such as health care clearinghouses and business partners of providers. Any organization that collects, stores, or transmits healthcare data — regardless of HIPAA coverage — is subject to the Texas Privacy Act.

Key Components of the Texas Privacy Act

There are several key aspects of the TMRPA to be aware of that differ substantially from other regulations protecting PHI. Most of these components mirror the key requirements under HIPAA but apply to any organization that serves Texas individuals and handles PHI — not just covered entities as defined under HIPAA.

The Right to Know PHI

Any organization that handles the PHI of Texas consumers must provide written notice of the use and disclosure of PHI if a written request is made. And while the Texas Privacy Act doesn’t contain a specific breach notification requirement, companies are still mandated to notify affected individuals under Texas’ own breach notification statute.

The Right to Obtain a Copy

Anyone that handles PHI in Texas needs to have a form whereby customers can obtain copies of their records. Organizations are permitted to charge a reasonable fee for the copying and mailing of records, but not a retrieval fee. And if you have an electronic health records system, you’ll likely be required to provide copies within 15 days of the request.

The Right to Amendment

Every Texas consumer has the right to request that their PHI be amended or corrected if they believe there’s an error. While you’re not legally required to agree with them and make the correction — consumers can be mistaken — you do have to notify them in writing and explain why their request was denied. You then must submit a statement of disagreement and add it to the patient’s record.

The Right to Limit Use

Finally, Texas consumers have the right to request that you limit the use of their PHI. This includes things like disclosing PHI for marketing purposes or sales calls without express written authorization. And if you do use PHI for physical or email marketing, you’re required to provide notice on that piece of mail explaining the person’s right to be removed and providing a toll-free number they can call and immediately request removal.

Emphasis on Training

The Texas Privacy Act and HIPAA both require that training be conducted, but HIPAA doesn’t offer much detail as to how it should be conducted. The TMRPA, however, contains more exact training requirements for compliance. All employees who handle PHI — or are even likely to encounter it — must undergo formal privacy training within 60 days of beginning employment.

How Does This Affect Your Business?

While the Texas Privacy Act might not significantly affect covered entities that are already HIPAA compliant, if you handle PHI and haven’t been prepared to comply with the above key requirements, you’ll need to begin installing the proper policies and procedures. And for entities that are already HIPAA compliant, an additional emphasis on employee training and education will be required.

From a business standpoint, complying with the Texas Privacy Act will cost additional time, manpower, and resources — at least initially. You’ll need to ensure that all administrative processes are in place to respond properly to things like Right to Know and Right to Amend requests. For companies that weren’t previously subject to HIPAA — but now are as a business partner or PHI handler — it’s wise to work with a compliance partner at the beginning to ensure all your bases are covered.

How to Ensure You’re Meeting Compliance Standards

First and foremost, you’ll need to audit and inventory all of your PHI collection, handling, storage, and transmission activities that are either within Texas borders or that involve Texas consumers to determine the scope of compliance activities. Since the Texas Privacy Act covers an extended ecosystem, this may be the first time your business is subject to any such regulatory requirements.

Next, you’ll need to work with an experienced compliance partner to develop an all-encompassing roadmap. One of the first key issues is making sure you have the technology, staffing, and expertise to handle things like rights requests. It’s critical to make sure that you have adequate internal compliance resources and know-how before you start implementing Texas Privacy Act processes within your organization, and having a compliance partner will help you do so efficiently and cost-effectively.

Finally, you’ll need to develop and implement your training and education program that’s in alignment with the Texas Privacy Act. Not only do employees have to be trained within the first 60 days of hire, but the law also mandates that a refresher training be conducted every two years. Again, working with a compliance partner will help you formulate an appropriate curriculum, ensure that your trainers stay up to date on any changes, and schedule refresher sessions within the mandated time frame.  

Additional Compliance Guides & Information

Complying with the Texas Privacy Act encompasses many core principles required with regard to other regulatory frameworks. Here are some helpful guides to better inform you along the path to Texas Privacy Act compliance:

Azure Compliance for HIPAA & CCPA

Guide to U.S. Data Protection Compliance

Microsoft 365 and HIPAA Compliance

Complete HIPAA Compliance Checklist

Ransomware Guide for Healthcare

Texas Privacy Act FAQs

How Does the Texas Privacy Act Impact Business Owners?

Under this new law, HIPAA-style standards apply to anyone coming in close contact with PHI — not just hospitals, insurance, and healthcare providers. Any organization that handles sensitive medical records in Texas or for Texas consumers is required to comply.

Does the Texas Privacy Act Require Data Breach Reporting?

Directly, no. However, other Texas statutes mandate prompt breach reporting, so organizations should be prepared in the event a breach does occur. While the main difference between the TMRPA and HIPAA is training, you’re not off the hook when it comes to breach reporting.

How Often Does the Texas Privacy Act Mandate Training?

Every employee must receive PHI handling training within the first 60 days of initial hire. It’s also wise to conduct a company-wide training if you’re just now realizing the Texas Privacy Act applies to your business. After that, training must be conducted at least every two years.

How Much Does Texas Privacy Act Certification Cost?

Typically between $2,500 and $5,000. To become compliant, you’ll likely need a HITRUST certified assessor to come onsite to review your PHI handling processes and training program. Certification also expires after one year, meaning you’ll be subject to this cost annually.

Closing Thoughts

The Texas Medical Records Privacy Act is an attempt to keep pace with both the medical privacy concerns of Texas citizens and other similar frameworks across the globe. It ensures that consumers are guaranteed certain rights that also exist under HIPAA, such as the right to know their medical records and submit requests for changes. It also expands the purview of covered entities, making anyone who handles PHI — medical provider or not — subject to requirements. 

And by implementing more specific data handling education and training mandates, the Texas Privacy Act takes big steps to ensure that PHI is never improperly handled, accessed, or transmitted. As an organization, the best steps you can take towards Texas Privacy Act compliance are having the right data protection technology in place and working with an experienced compliance partner to make implementing the right practices quick and cost-efficient.
