
New Texas Privacy Law Increases Employee Training Requirements in Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and takes effect on September 1, 2012. I am concerned that there may be low levels of awareness at this time among Texas physicians regarding the new privacy provisions. For example, one of the new requirements affects employee privacy training policies for the physician practice. As an illustration, consider this case history:

A laptop computer was stolen or lost from the reception desk area, possibly after a cleaning crew had left the main door to the building open. An employee had previously used the laptop to download information that included protected health information (PHI) on 67 patients seen that week. Following the breach the practice notified all affected individuals, added the technical safeguard of encrypting PHI stored on mobile computers, added physical safeguards by keeping all portable devices locked in a cabinet in a locked storage room when not in use, and required re-training of all employees on privacy and security policies, including immediate training for the cleaning staff. Had the laptop been encrypted before it went missing, the data on it would not have been "unsecured PHI" under the HIPAA breach notification rule, and the notifications would not have been required.

Many breaches of PHI are avoidable if employees are trained on privacy and security and remain vigilant when handling PHI. In Texas, HB 300 protects not only PHI as defined by HIPAA but also "sensitive personal information" (SPI) as defined by the Texas Identity Theft Protection Act. HB 300 requires all employees who will encounter PHI or SPI to undergo privacy training tailored to the employee's specific responsibilities and the types of contact with PHI the position involves. New employees must be trained within 60 days of hiring, and training must be repeated at least once every two years. A log must be maintained with employee signatures verifying their attendance. Physicians can prepare by updating employee training policies and materials.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...


