HIPAA and S.B. 330:  Unintended Consequences?

By Ronald L. Scott

S.B. 330 passed in the 78th Legislature and was signed by the Governor.  It becomes effective September 1, 2003.  The new law may have broader consequences than intended.  The bill repeals Sections 181.101 Tex. Health & Safety Code (Compliance with Federal Regulations) and 181.102 Tex. Health & Safety Code (Information for Research).

The Public Health Committee Report on S.B. 330 noted that the provisions of S.B. 11 passed in the 77th Legislature made state law “more restrictive than federal law regarding the conduct of medical research in Texas” since “S.B. 11 contained verbatim the provisions of the federal Health Insurance Portability and Accountability Act (HIPAA) regulation at the time of its passage.”  The report further noted that the Bush Administration subsequently altered HIPAA regulations on March 27, 2002 “and consequently state law became more restrictive than the federal law.”  Therefore, the report concluded that repealing the two provisions of state law would “bring Texas back into concert with federal law.”

Section 181.101 required “covered entities” to comply with HIPAA.  Importantly, the term “covered entities” as defined in §181.001 Tex. Health & Safety Code is much broader than the definition of “covered entities” under HIPAA.  HIPAA’s definition of covered entities includes only health plans, health care clearinghouses, and health care providers who use computers to maintain or transmit health information.  See 45 C.F.R. § 160.102(a).  One reason for the narrow definition of covered entities under HIPAA is that the U.S. Department of Health and Human Services (the federal agency that drafted the HIPAA regulations) did not believe it had the legal authority to regulate individuals or entities outside its jurisdiction.  Under Texas law, the phrase covered entities includes any person who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information (PHI).  See Tex. Health & Safety Code §181.001(b)(1)(A)-(D).  Therefore, Texas law presently covers many more entities and individuals than HIPAA, making them subject to HIPAA.

Although S.B. 330 does not change the Texas definition of covered entities, its effect is to substantially limit the application of the medical records privacy provisions contained in the Tex. Health & Safety Code.  First, a violation of HIPAA is no longer necessarily a violation of Texas law.  Also, covered entities other than health plans, health care clearinghouses, and health care providers no longer have to comply with HIPAA.  Finally, Texas covered entities are still required to comply with the remaining Texas privacy protections, primarily the limitations on use of PHI for marketing purposes.  See § 181.152 Tex. Health & Safety Code.