As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. In a series of weekly blogs I am writing to illustrate some of the new protections. I think that the most important change imposed by HB 300 is the increased accountability placed on business associates of a physician practice to adhere to the state privacy laws. Consider this case history:
A physician practice was notified by one of their business associates (BA), a medical transcription service, that dictated patient reports were viewable on the Internet by anyone after the BA’s server was compromised. The breach involved PHI of 1.085 individuals. In response, the practice immediately terminated the business associate agreement (BAA) with this company and engaged another medical transcription service. The practice contracted with forensic consultants to ensure that the cause of the compromise was found and all online traces of breached reports were removed.
HB 300 holds accountable any business in Texas that comes into contact with PHI. This means that BAs of physician practices are accountable to HB 300 protections and HIPAA unless they have no contact with PHI. Physicians should revise their BAAs to include language compelling BAs to comply with state and federal privacy laws. Matters to address in a BAA include:
- Immediate notification to practice when BA discovers breach
- Who notifies affected individuals? Who bears the cost?
- Contract termination for failure to comply with law or take "reasonable" steps to fix breach
- BA ‘s compliance with performing security risk analysis at least annually
- BA’s compliance with employee privacy training
- Encryption of PHI on BA’s mobile devices or exchanged online; and other circumstances where PHI is at high risk
Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.
More on other HB 300 provisions next week...