The Texas Medical Records Privacy Act (TMRPA), or the “Texas privacy act”, came into effect on September 1, 2019. The Texas privacy act is said to be similar to the Health Insurance Portability and Accountability Act (HIPAA), in that it was introduced to safeguard Protected Health Information (PHI), which relates to the “past, present or future health of an individual; the provision of healthcare to an individual; or the payment for the provision of healthcare to an individual”.
The Texas privacy act has also adopted the term “covered entity”, which includes hospitals, insurance providers, health maintenance organizations, clearing-houses and other service providers that handle PHI.
Get the free guide to the secrets of HIPAA compliance
How Does the Texas Medical Records Privacy Act Differ from HIPAA?
There are a number of areas where Texas Medical Records Privacy Act (TMRPA) differs from HIPAA. Firstly, TMRPA applies to a broader range of entities. HIPAA tends to focus more on healthcare service providers, whereas TMRPA applies to “any person who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI”.
Secondly, TMRPA prohibits the re-identification of information that has been de-identified.
Thirdly, TMRPA has introduced stricter rules when it comes to the use of PHI for sales and marketing purposes, which includes the following additional consumer privacy rights:
The right to know
Data subjects have the right to request information about how their PHI is used and disclosed, which covered entities must respond to in writing. While TMRPA doesn’t contain any specific breach notification requirements, under Texas state law, covered entities are required to notify their customers in the event of a breach.
The right to obtain a copy
Covered entities must provide a form which customers can fill out in order to obtain a copy of their PHI. Covered entities are allowed to charge “a reasonable fee” for providing such information, although they are not allowed to charge “a retrieval fee”. Covered entities must respond to requests within 15 days of receiving them.
The right to amendment
Data subjects have the right to request that their records be amended or corrected if they believe them to be inaccurate. While covered entities are not legally required to comply (as the consumer could be mistaken), they must notify them in writing to explain why their request was rejected and add the statement to the consumer’s record.
The right to limit use
Companies sometimes disclose PHI for sales and marketing purposes, without obtaining written consent from their customers. Under TMRPA, data subjects have the right to limit the use of PHI for sales and marketing purposes, either via a toll-free number or some other method of communication. Companies who use PHI for sales and marketing purposes, are required to notify their consumers accordingly.
Enhanced privacy training
While not directly related to consumer privacy rights, a requirement of both TMRPA and HIPAA is that employees receive regular training to ensure that they are able to protect the privacy of the PHI they are entrusted with. However, the Texas privacy act contains more specific training requirements than HIPAA. For example, under TMRPA, any employee that handles PHI is required to undergo formal data privacy training within the first 60 days of their employment.
Fines for non-compliance
The fines for non-compliance are higher under TMRPA than they are under HIPAA, although the literature on the subject is somewhat vague. For example, according to an article by urisq.com, a failure to comply could result in “civil penalties from $2,000 to $50,000 per violation and $100 for each individual that failed to receive a notification (up to $250,000)”. Meanwhile, the University of Houston Law Center states that a failure to comply could result in fines of up to $3,000 per violation or up to $250,000 for reoccurring violations. The non-compliant entity may also be subject to disciplinary action and exclusion from state programs.
How Does TMRPA Affect Your Business?
Companies who are already HIPAA compliant probably won’t need to make any significant changes, although they will need to ensure that their privacy training programs align with TMRPA’s requirements.
Companies who are not already HIPAA compliant must ensure that they have the relevant policies and procedures in place, particularly the administrative policies which help them respect the additional consumer rights (as listed above).
It’s likely that complying with TMRA will incur additional resources in terms of time, money and staffing.
How to Comply with TMRPA
As mentioned already, as a covered entity, you are required to deal with subject access requests in a timely manner. As such, the best place to start would be to create an inventory of all PHI you have collected thus far and make a note of any processing activities involved.
While it is certainly possible to manually sift through vast archives of data and document your PHI on a spreadsheet, a better alternative would be to adopt a data discovery and classification solution which will scan your repositories for PHI, and classify it accordingly.
Most sophisticated solutions will come with pre-defined templates, which are customized to meet the requirements of most relevant data privacy laws, including TMRPA. Classifying your protected health information will make it considerably easier to locate and retrieve a customer’s records in a fast and efficient manner.
You will need to ensure that you have developed a comprehensive and ongoing training program that aligns with TMRPA requirements, which may require hiring additional personnel. Protecting the privacy of your customers requires visibility into who has (and should have) access to what PHI, and what they are doing with it.
To gain this visibility you should have some kind of Data Security Platform in place, which can detect, alert and respond to important changes involving your PHI. A real-time auditing solution will also enable you to generate pre-defined usage reports at the push of a button, which can be used to demonstrate compliance to the relevant authorities, and indeed the customers themselves.