Privacy protection is getting bigger in Texas. Last year the Texas Legislature passed House Bill 300 (HB 300), heavily amending the state's Texas Medical Records Privacy Act. These amendments increase protection of electronic personal health information (PHI) and become effective on September 1, 2012. HB 300, along with other state privacy laws such as the Texas Identity Theft Protection Act, is more protective of patients' privacy than HIPAA. Stronger protections translate to increased physician cyber liability risks.
I support strong protection of patients' electronic PHI through state and federal privacy laws including the imposition of fair penalties, disciplinary actions and audits that are strong enough to deter breaches of PHI. But I am concerned that there may be low levels of awareness among physicians regarding the new state privacy requirements which increase the physician's cyber liability risks. In the next month I know of two physician-oriented publications that will discuss the issue, and I will present on the topic at the Texas Medical Association's TexMed 2012 Conference in Dallas, Texas, on May 18th. Hopefully we can stimulate more conversations and actions across the state.
I suggest that physicians at least consult with their lawyer to ensure their practice is aligned with HB 300. Specific actions a physician practice may need to take to be compliant with HB 300 include revising employee privacy training policies and materials; revising policies on patient access to their EHR; updating the Privacy Notice; revising business associate agreements; encrypting PHI stored on mobile devices; and encrypting PHI transported online. Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.
Stay tuned for more blogs on HB 300...