House Bill 300: The Texas Medical Records Privacy Act. The Impact on all of us*

Presented by: Coleman Johnson, Director of Contracts, Reporting, Security & Policy, and Terry Alexander, Director of CAH and Rural Hospitals
The West Texas Health Information Technology Regional Extension Center (WTxHITREC)

*Disclaimer: Information for educational purposes only, not legal advice.


House Bill 300

Bill Sponsor: Senator Jane Nelson. Senator Nelson represents part of Denton County and Tarrant County.

Primary Bill Author: Representative Lois Kolkhorst

Joint Bill Author: Representative Elliott Naishtat

HB300 was signed by Governor Rick Perry on 6/17/2011 and went into effect 9/1/2012. The bill itself is only 21 pages long!

HB 300 is available online at: www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf

House Bill 300 has 2 Nicknames

Texas HIPAA

and

HIPAA on STEROIDS!

Massive Impact in 21 Pages

- Changes Texas Health and Safety Code
- Changes to Texas Business and Commerce Code
- Changes to Texas Insurance Code
- Dramatically Impacts ALL Texans
- Massive Fines for Violations
- Attorney General Website to Report Violations
- Requires Documented Training
- State to Seize Medical Records

Specific Sections of Legislation Amended

- Health and Safety Code Section 181
- Health and Safety Code Section 182
- Insurance Code Section 602
- Business and Commerce Code Section 521
- Business and Commerce Code Section 522

Purpose of Act: PROTECTION

The need for protection is obvious. The Ponemon Institute's December 2011 study, Second Annual Benchmark Study on Patient Privacy and Data Security, estimates that as many as 96 percent of the 72 national healthcare providers surveyed indicated they experienced a data breach in 2010-2011.

Study is available at http://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pdf

What is Protected?

Protected Health Information: For a covered entity that is a governmental unit, HB 300 includes any information that reflects that an individual received health care from a covered entity that is not public information subject to disclosure by Chapter 552 of the Texas Government Code. For others, the definition of PHI is engrafted from the Health Insurance Portability and Accountability Act (HIPAA), which is individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.

HB 300 incorporates HIPAA provisions in effect as of Sept. 1, 2011; however, HIPAA has recently been modified under the Omnibus Final Rule. The executive commissioner of the Texas HHSC is to determine whether it is in the best interest of the state to adopt any amendments made by the Final Rule.

Covered Entities

Covered entity is defined as any person who:

- For commercial, financial or professional gain, monetary fees or dues, or on a cooperative, nonprofit or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information;
- Comes into possession of protected health information;
- Obtains or stores protected health information under the federal statute and regulations; or
- Is an employee, agent or contractor of one of these persons who creates, receives, obtains, maintains, uses or transmits protected health information.

In other words, YOU!!

Virtually every Texan will be impacted. If you can spell PHI, then you are likely to be affected.

Examples (a short list) of Covered Entities Impacted

- Hospitals
- Medical Providers
- EMS/Fire
- Schools
- Employees
- Churches
- Sports Teams
- Camps
- Ambulance
- Labs
- Imaging
- Doctors
- Tech Support
- Administrators
- Transportation
- Individuals
- Law Firms

Restricted Activities

Unauthorized Disclosure: Disclosure is defined as any action to release, transfer, provide access to or otherwise divulge information outside the entity holding the information. This is a very broad definition.

Sale of Information: Covered entities may not disclose PHI in exchange for direct or indirect remuneration, unless disclosure is for:

- Treatment;
- Payment;
- Health Care Operations; or
- Performing an insurance or health maintenance organization function.

Remuneration may not exceed the covered entity's reasonable cost for preparing or transmitting the PHI.

Consumer Access to Records

If using an electronic health records system: provide the record electronically within 15 business days of a written request, unless the person agrees to accept the record in another form.

Consumer Complaints

The attorney general shall maintain a website for consumers that provides information regarding the agencies that regulate covered entities in Texas and detailed information regarding each agency's complaint enforcement process.

The attorney general will annually submit a report to the Texas legislature that describes the number and types of complaints received by the attorney general and by other state agencies receiving consumer complaints.

Notice and Authorization Requirements

CE must Post Notice: A covered entity that creates and receives PHI must provide a general notice to individuals if their personal health information is subject to electronic disclosure. This duty to provide notice can be met by:

- Posting written notice in the place of business;
- Posting notice on a website; or
- Posting notice in a place where individuals whose PHI is subject to electronic disclosure are likely to see the notice.

The notice must be conspicuous and understandable.

Notice and Authorization Requirements (Continued)

Even if notice is posted, a covered entity may not electronically disclose an individual's PHI to any person without a separate authorization from the individual for each disclosure.

EXCEPTION: This authorization is not required, however, if the disclosure is made to another covered entity (as defined by Health and Safety Code Section 181.001, or to any covered entity as defined by Section 602.001 of the Insurance Code) solely for purposes of treatment, payment or healthcare operations, if performing health maintenance organization functions as defined by the Insurance Code, or if otherwise authorized or required by state or federal law.

Standard authorization form available at www.oag.state.tx.us/AG_Publications/pdfs/hb300_auth_form.pdf

Breach Notification (Current Version)

The existing statute limited breach notifications to residents of Texas. Now, HB 300 updates the language to make it apply to all individuals whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person. If the individual is a resident of a state that has its own related breach provision, the covered entity can comply with that state's law in terms of notification.

Breach Notification (SB 1610)

If the individual whose PHI is acquired by an unauthorized person is a resident of a state that requires notice of a breach of system security, the notice may be provided under that state's law or under Texas law. Notice may be given by written notice at the last known address of the individual.

Required Training (Current Version)

- Covered entities must provide a training program pertaining to protected health information.
- All new employees must be trained within 60 days of their hire date and the training must be customized for their role.
- Each employee must sign a document attesting to their attendance and said documents must be maintained by the covered entity.
- All employees must be trained at least once every 2 years.

Required Training (SB 1609 Updates)

- Each covered entity shall provide training to employees as necessary and appropriate for the employees to carry out the employees' duties for the covered entity.
- An employee must complete training not later than the 90th day after the date the employee is hired.
- If the duties of an employee are affected by a material change in state or federal law concerning PHI, the employee shall receive training within a reasonable period, but not later than the first anniversary of the date the change in law takes effect.
- Employees need to sign a statement verifying completion of training, which shall be maintained until the sixth anniversary of the date it was signed.

Enforcement

4 general ways the Medical Records Privacy Act will be enforced:

- Government Audit
- Complaint filed with the attorney general that leads to an investigation
- State attorney general
- Whistleblower suit

Audits

The Texas Health and Human Services Commission (HHSC), in connection with the state attorney general, the Texas Health Services Authority (THSA), and the Texas Department of Insurance, may request that the U.S. secretary of health and human services conduct an audit of a covered entity as to the compliance of the covered entity with HIPAA. The Texas HHSC is also charged with periodic monitoring and with reviewing the results of audits.

If the Texas HHSC becomes aware of egregious violations that demonstrate a pattern and practice, it may require a covered entity to submit to the Texas HHSC any federal risk analysis that the covered entity prepares to comply with HIPAA. In addition, if the covered entity is licensed by a state agency, the Texas HHSC may require the agency to conduct an audit to determine compliance.

Civil Penalties for Noncompliance

The state attorney general may institute an action for civil penalties for violations of the Medical Records Privacy Act under HB 300 not to exceed:

- $5,000 per violation per year if negligent;
- $25,000 per violation per year if knowing or intentional, regardless of the length of time of the violation within the year; or
- $250,000 for each violation if knowing or intentional and for financial gain.
- $1.5 million annually in the event there is a finding that violations have occurred with a frequency so as to constitute a pattern or practice.

Civil Penalties (Continued)

Factors for determining the appropriate financial penalty include:

- The seriousness of the violation;
- The entity's compliance history;
- Whether the violation poses a significant risk of financial, reputational or other harm to the individual whose PHI was involved in the violation;
- Whether the covered entity was working with or as a certified entity, that is, certified to be in compliance with privacy and security standards being developed by the THSA as per Section 182.108 of the Health and Safety Code;
- The amount necessary to deter future violations; and
- The covered entity's efforts to correct the violation.

Additional Penalties

In addition to civil penalties, a covered entity that is licensed by a state agency is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency.

Penalties for businesses that do not comply with the breach notification provisions include a civil penalty of not more than $100 for each person, per day, that is not notified, with a cap of $250,000 for a single breach, and possible felony charges.

Example

Sarah, an EMS worker, texts a photo of a motorcycle accident with the note "Saw this today" to her boyfriend, Paul, at the local Volunteer Fire Department, who has just completed HB 300 training. Paul recognizes the motorcycle and forwards it to his cousin, Clara, whose roommate, Lorenzo, was injured in the accident, asking, "Heard your roommate has two broken legs! Is Lorenzo out of ICU yet?" The cousin replies, "He is better, but please pass it on to church to keep him in their prayers." The cousin, Clara, also posts a request on Facebook to "Pray for Lorenzo Smith, who was hurt in a motorcycle accident, and is in the hospital." Clara also puts a note in the "In Our Prayers" box at church with Lorenzo's name, and that he is recovering from an accident. The pastor, Father Nixon, announces the prayer request to the congregation of 186 people. In the back of the room is a lawyer, Matthew, who texts his secretary about Lorenzo's injuries, and asks her to contact him at the hospital regarding his legal representation.

Civil Penalties for Noncompliance

- $5,000 per violation per year if negligent;
- $25,000 per violation per year if knowing or intentional, regardless of the length of time of the violation within the year; or
- $250,000 for each violation if knowing or intentional and for financial gain.
- $1.5 million annually in the event there is a finding that violations have occurred with a frequency so as to constitute a pattern or practice.

Number of Violations

Party                                   | Type of release                              | Count | Per violation | Fine
Sarah (EMS worker, EMS Service)         | No violation unless information identifiable | -     | -             | $0
Volunteer Fire Department               | Negligent Release                            | 1     | $5,000        | $5,000
Paul (Volunteer Fire Department)        | Intentional Release                          | 1     | $25,000       | $25,000
Clara (reply, Facebook posting, Prayer Box) | Negligent Release                        | 3     | $5,000        | $15,000
Pastor (congregation of 186)            | Negligent Release                            | 186   | $5,000        | $930,000
Lawyer                                  | Intentional Release for Financial Gain       | 1     | $250,000      | $250,000
Total fines                             |                                              |       |               | $1,225,000

HB 300 Action Items

- Train Staff
- Update policies and procedures
- Post Notice
- Update Disclosure Authorization Form
- Update BAA

Q & A

Contact Information: WTxHITREC
Main Number: (806) 743-7960

Director of Critical Access and Rural Hospitals: Terry Alexander, (214) 236-5327

Director of Regional Coordinators: Bruce Edmunds, (915) 727-4727

Director of Contracts: Cole Johnson, (806) 743-7960

Regional Coordinators (Trusted Advisors):
- Becky Jones: (806) 743-7960 Ext: 360
- Cappi Phillips: (806) 778-3243
- Sharon Rose: (806) 928-6403
- Leta Cross-Gray: (325) 721-2500

All e-mail addresses are: [email protected]
