Texas Medical Privacy Act Adopts and Expands the HIPAA Privacy Regulations

Jessica Luna, J.D. Candidate

On June 17, 2001, Texas Governor Rick Perry signed the Texas Medical Privacy Act into law. S.B.11 (2001). The Act is designed to bring Texas into compliance with Federal standards on patient privacy as enumerated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 65 Fed. Reg. 82,461 (2000). See http://aspe.os.dhhs.gov/admnsimp/Index.htm. The Texas Medical Privacy Act will also expand the protections mandated by HIPAA in three areas. First, the Act applies to a broader range of entities. Second, the Act does not allow a patient’s health information to be marketed, or to be used in marketing, without that patient’s consent or authorization. Third, the Act prohibits the re-identification of information that has been de-identified.

HIPAA was enacted on August 21, 1996. Title I of the Act deals with health insurance access, portability, and renewability. Title II authorized the Secretary of the Department of Health and Human Services (DHHS) to promulgate final regulations for maintaining the privacy and security of health information if Congress did not enact such legislation within 36 months of HIPAA’s enactment. Congress missed the deadline; therefore, the Secretary issued a final regulation dealing with the security and privacy of protected health information (PHI) on December 20, 2000. The HIPAA Privacy Regulation was formally enacted on April 14, 2001. 45 C.F.R. §§160-164 (2000). See http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm. On July 6, 2001, the Secretary of the DHHS issued guidelines on the Privacy Regulations. The guidelines clarify the requirements and answer questions about the Regulations. See http://www.hhs.gov/ocr/hipaa/index.html#Initial%20Guidance.

HIPAA is the first federal legislation to initiate uniform privacy standards for patient information. Prior to the enactment of the HIPAA Privacy Regulation, it was up to the states to provide legislation to protect the privacy of patient information. The state laws, however, varied greatly and were often too narrow in their application. See "The State of Health Privacy: An Uneven Terrain," http://www.healthprivacy.org. HIPAA sets a floor of ground rules for health care providers, health plans, and health care clearinghouses to follow, in order to protect patients and encourage them to seek needed care. It creates a framework of protection that can be strengthened by both the federal government and by states as health information systems continue to evolve. 65 Fed. Reg. at 82,464. HIPAA’s provisions allow existing state laws that are more protective of privacy to stand, and permit states to make more protective laws in the future. 45 C.F.R. §160.203(b).

The Texas Medical Privacy Act is an example of a state law that provides more protection for patient privacy than is provided under HIPAA. The Act adopts the basic tenets of the HIPAA Privacy Standards and provides additional protections for Texans in some areas where HIPAA has left gaps. The following chart is a basic comparison between HIPAA regulations and those of the Texas Medical Privacy Act. The portions in bold describe sections of the Texas Medical Privacy Act that fill a gap left by HIPAA.
 
Topic: Covered Entities

HIPAA: Health Plans, Health Care Clearinghouses, and Health Care Providers who use computers to transmit health information. §160.102.

Texas Medical Privacy Act: Any person who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI, etc. §181.001(b)(1)(A)-(D). This covers many more entities and individuals than HIPAA.

Topic: PHI Definition

HIPAA: PHI is "individually identifiable health information," whether transmitted orally, electronically, or on paper. Individually identifiable health information, including demographic information, is information that:
  • Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment of health care for an individual;
  • Identifies, or could be used to identify, the person who is the subject of the information; and
  • Is created or received by a covered entity.
§164.501.

Texas Medical Privacy Act: PHI is individually identifiable health information, including demographic information, that:
  • Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment of health care for an individual; and
  • Identifies, or could be used to identify, the person who is the subject of the information.
§181.001(b)(5)(A)&(B).
Topic: Patient’s Rights

HIPAA: Individuals have rights with respect to their medical information, including the right to:
  • Receive notice of an entity’s privacy practices (§164.520);
  • Inspect and copy (§164.524);
  • Request restrictions on use or disclosure (§164.522);
  • Receive an accounting of disclosures (§164.528);
  • Request amendments or corrections (§164.526); and
  • File a complaint (§160.306).

Texas Medical Privacy Act: The Act adopts HIPAA’s standards relating to an individual’s access to his/her PHI and ability to amend his/her PHI. §181.101(a)(1)&(2).

Topic: Notice

HIPAA: Requires that health plans and health care providers provide written notice of their privacy practices, including:
  • The individual’s rights with respect to PHI; and
  • The anticipated uses and disclosures of information that may be made without the individual’s authorization.
§164.520.

Texas Medical Privacy Act: The Act adopts HIPAA’s standards relating to notice. §181.101(a)(4).

Topic: Uses and Disclosures of PHI

HIPAA: The covered entity must obtain written:
  • Consent of the individual prior to uses and disclosures relating to treatment, payment, and health care operations (note: this is not the informed consent typically used for treatment). A covered health care provider or a health plan may condition treatment or enrollment in a health plan on the provision by the individual of a consent under this section. §164.506(a).
  • Authorization of the individual prior to uses and disclosures for purposes other than treatment, payment, and health care operations. §164.508(a).

Texas Medical Privacy Act: The Act adopts HIPAA’s standards relating to uses and disclosures, including requirements relating to consent. §181.101(a)(3).

Topic: Uses and Disclosures Allowed Without Consent or Authorization

HIPAA: No consent or authorization need be obtained prior to the use and disclosure of PHI for:
  • Public health activities;
  • Law enforcement purposes;
  • Research purposes;
  • Health oversight activities;
  • Judicial and administrative proceedings;
  • Disclosures about decedents to coroners, medical examiners, funeral directors, or for organ donation purposes;
  • Specialized government functions; or
  • Worker’s compensation.
§164.512.

Texas Medical Privacy Act: No consent or authorization need be obtained prior to the use and disclosure of PHI for:
  • Financial institutions for the processing of payment transactions;
  • Non-profit agencies;
  • Worker’s compensation insurance;
  • Employee benefit plans;
  • The Red Cross; and
  • Offenders with mental impairments.
§181.052-181.057.
Topic: Minimum Necessary

HIPAA: When using or disclosing PHI, or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This does not apply to disclosures for treatment and other specified purposes. §§164.502(b)(1)&(2) & 164.514(d).
Topic: Psychotherapy Notes

HIPAA: A covered entity must obtain an authorization for any use or disclosure of psychotherapy notes. §164.508(a)(2).

Exception: Only consent is required for treatment, payment, or health care operations in the following circumstances:
  • The originator of the psychotherapy notes uses them for treatment;
  • The covered entity uses or discloses the notes in training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
  • The covered entity uses or discloses the notes to defend a legal action or other proceeding brought by the individual.
§164.508(a)(2)(i).

Texas Medical Privacy Act: A licensed psychologist or a psychiatrist who is providing psychological or psychiatric services to an individual is not required to permit the individual to inspect or copy a personal diary containing PHI relating to the individual if the information contained in the diary has not been disclosed to a person other than another psychologist or psychiatrist for the specific purpose of clinical supervision conducted in the regular course of treatment. §181.051(b).

Topic: Research

HIPAA: PHI may be disclosed to researchers, regardless of the source of funding of the research, only if the researcher has obtained:
  • Individual consent and authorization for research (§164.508(f)); or
  • Documentation that a waiver for consent or authorization has been granted by an IRB or "privacy board" (§164.512(i)).

Texas Medical Privacy Act: The Texas law includes the same requirements as HIPAA, except that consent or authorization is required for research without an IRB waiver. §181.102(a)(1)-(4).

Topic: Marketing

HIPAA: An individual’s PHI may be used for targeted (by health history or status of recipient) marketing by or for the covered entity without authorization from the individual. The covered entity must first make the determination that the health-related product may be of value for the condition and must explain why the individual is being targeted. §164.514(3)(ii).

Anything can be marketed without authorization from an individual in a face-to-face encounter with the individual, and products and services of nominal value can be marketed without restriction. Any other health-related product may be marketed to individuals as long as the covered entity is identified as the party making the communication, any remuneration the covered entity may receive is prominently stated, and the patient is given the opportunity to opt out (except in the case of broad newsletters). §§164.514(e)(2)(i)(A)(B)(C) and 164.514(e)(3).

Texas Medical Privacy Act: PHI may not be used, disclosed, or sold for marketing purposes without first obtaining consent or authorization from the individual. Written communications must explain the recipient’s right to removal from the mailing list, and removal must be accomplished within five days after the receipt of the request. §181.152(a),(b),&(c).

The Texas Medical Privacy Act is much more restrictive of marketing than HIPAA is. HIPAA allows covered entities to market virtually all types of health products, with a few restrictions, without obtaining authorization from the individual. The Texas Medical Privacy Act prohibits any release of PHI for marketing purposes without consent or authorization from the individual.

Topic: Enforcement

HIPAA:
Civil penalties:
  • $100 per violation/day, up to $25,000/year for each violation.
Criminal penalties:
  • Knowing violation: $50,000 – 1 year imprisonment;
  • False pretenses: $100,000 – 5 years imprisonment;
  • For profit, gain, or harm: $250,000 – 10 years imprisonment.

Texas Medical Privacy Act:
Civil penalties: The Secretary may initiate an injunctive claim or a civil claim for:
  • Up to $3,000 per violation, or up to $250,000 for violations that have occurred with such frequency as to constitute a pattern or practice;
  • Disciplinary action; or
  • Exclusion from state programs.
§181.201-§181.203.
Topic: De-identification and Re-identification

HIPAA: De-identified health information is information that cannot be used to identify the individual because individual identifiers have been removed. This information is not considered PHI, and can be used or disclosed without an individual’s consent or authorization. §164.514(a)&(b).

A covered entity may assign a code or other means of record identification to allow previously de-identified information to be re-identified, provided that the means of record identification cannot be used to identify the individual, and the covered entity does not disclose the mechanism for re-identification. §164.514(c).

Texas Medical Privacy Act: A person may not re-identify or attempt to re-identify an individual who is the subject of any protected health information without obtaining the individual’s consent or authorization. §181.151.

HIPAA allows de-identified information to be re-identified under specific guidelines; the Texas Medical Privacy Act, however, does not allow re-identification at all.

Topic: Compliance Date

HIPAA: April 14, 2003

Texas Medical Privacy Act: September 1, 2003

08/30/01