Texas House Bill 300, which says school offices collecting health information are now HIPAA covered entities, went into effect last month. Schools that receive federal funding, and are thus FERPA covered entities, are exempt from H.B. 300. However, private K-12 schools, colleges, and universities not covered under FERPA are subject to H.B. 300 requirements and must be prepared to abide by the new regulations.
Prior to H.B. 300, federal and state laws generally defined “covered entities” as health care plans and health care providers. H.B. 300 seeks to provide greater protection to PHI (personal health information), and in doing so, requires a more encompassing definition. As explained by the Dallas Bar Association, under H.B. 300 a “covered entity” is any business or organization that:
1. Engages in the practice of assembling, collecting, analyzing, storing, or transmitting PHI
2. Comes into the possession of PHI
3. Obtains or stores PHI
4. Is an employee, agent, or contractor of a person described in numbers 1-3 above (if they create, receive, obtain, maintain, use or transmit PHI)
This broader definition also brings new requirements for those now deemed covered entities. Employee training around PHI will be necessary, patients will have additional rights where electronic medical records are concerned, and parties not in compliance could face stronger penalties.
These requirements are even stricter than HIPAA policy. With HIPAA, employee training is required within a reasonable time frame after hiring, and when privacy changes are made. Under H.B. 300, training must take place within 60 days of the hiring date, and at least every two years. In addition, a record of every employee’s training must be kept on file. Training must also be specific to the employee’s responsibilities concerning PHI.
With regard to electronic medical records, H.B. 300 requires that an electronic copy of the patient’s medical records be available to him or her within 15 days of the request, whereas under HIPAA, the requirement is within 30 days. In addition, penalties for wrongful disclosure of PHI range anywhere from $5,000 to $1.5 million per year, depending on five factors used to determine the severity of the penalty.
The Texas Medical Liability Trust provides cases and explanations of these more stringent policies under H.B. 300, and may be helpful to you in understanding what is required of your school where PHI is concerned.