Republican Lois Kolkhorst, a sponsor of the law, says the legislation was motivated primarily by recognition that electronic health records and the exchange of health data are becoming more common in light of the HITECH Act's federal EHR incentive program. The federal funding for automating and exchanging records "was really the egg cracking wide open," she says.
Attorney Lynn Sessions of the law firm Baker Hostetler says that reports of health information breaches by Texas healthcare organizations, as required under HITECH, also spurred legislators to support the bill.
Lack of HIPAA Enforcement
Kolkhorst says she was frustrated by the lack of HIPAA enforcement at the federal level and wanted to pave the way for ramped-up enforcement of healthcare privacy rights at the state level. "There's no data more sensitive than your healthcare data," she says. "We have lots of laws to protect financial data; I wanted to strengthen our laws protecting healthcare data."
The new law, which goes into effect in September 2012, establishes what amounts to an infrastructure for state oversight of healthcare privacy and enforcement of guidelines, complete with tougher civil penalties for violations, Sessions explains.
Privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights, says the bill includes many provisions that should help protect privacy. "As always, any new law can be weakened when it is turned into regulations," she says. "So that has to be watched to see if the legislature's intents are embodied in the regulations."
Among the new law's provisions are:
- An explicit ban on selling personal health information for a profit. "We think the language on this may actually work," Peel says. "The federal attempt to stop the sale of protected health information without consent in the HITECH Act appears to have been weakened so much that it's not going to have any noticeable effect."
- A requirement that all covered entities, as defined under state law, comply with HIPAA. Texas law already defines "covered entities" much more broadly than HIPAA, applying the term to any organization that handles health information.
- For covered entities that have committed "egregious" violations of the law, state licensing agencies will conduct audits to determine compliance.
- A requirement that all covered entities provide staff training on both federal and state law concerning protecting health information.
- A provision that healthcare providers must provide patients, upon request, with an electronic copy of their records within 15 business days.
- Creation by the attorney general of a system for receiving complaints, as well as a website with detailed information on consumers' healthcare privacy rights under state and federal law.
- Creation by a state commission of privacy and security standards for electronic sharing of protected health information.