TMRPA, the Texas Medical Records Privacy Act, is one of the patient privacy laws that protect medical records and patient privacy in the US. Laws of this kind define which types of medical information are protected, who benefits from the protection and who must comply, and how medical information may be shared among entities. This article covers these points, focusing on the Texas Medical Records Privacy Act and how it compares with HIPAA, the federal Health Insurance Portability and Accountability Act.
What is a Medical Privacy Act?
A patient privacy law is a regulation that protects the confidentiality of an individual’s medical information. These laws typically define what information is private, who has access to it, and under what circumstances it can be shared. These laws aim to maintain patient trust in the healthcare system, encourage patients to seek and receive care without fear of their information being shared inappropriately and reduce the risk of identity theft and other misuse of medical information.
What Information Does the Medical Privacy Act Protect?
Medical privacy acts cover several categories of information, chiefly PHI (Protected Health Information): individually identifiable health information, together with the identifiers that link it to a patient, such as name, address, birth date, social security number and medical records. PHI is the term HIPAA uses, and its definition applies specifically to the US health sector.
Who is Covered by Medical Privacy Acts?
Medical privacy acts cover entities and individuals, and the extent of this application differs accordingly. The entities that must comply with such laws include healthcare providers, health plans, and clearinghouses. As for individuals, they have rights to their own PHI, including the right to access, amend and request restrictions on its use and disclosure.
Medical Privacy Acts Rules of Sharing Information
The general rule under medical privacy acts is that an entity must obtain the patient's written consent or authorisation before sharing their medical records. There are, however, a number of exceptions, including disclosures for treatment, for public health activities and for other specific situations defined in the law.
What is the Texas Medical Records Privacy Act?
The Texas Medical Records Privacy Act (TMRPA) is a state law designed to protect the privacy of individuals’ medical information in Texas. It works alongside the federal Health Insurance Portability and Accountability Act (HIPAA) but adds additional protections and has a broader reach.
What Does the Texas Medical Records Privacy Act Stipulate?
The Texas Medical Records Privacy Act includes several provisions stipulating the covered entities, defining the protected PHI, patient rights, and the actions entities must follow to protect patient privacy.
Regulates Covered Entities
The act covers every entity that HIPAA covers and then adds more. The HIPAA-covered entities include healthcare providers, such as doctors, nurses and hospitals; health plans, such as insurance companies and government programmes like Medicaid and Medicare; and healthcare clearinghouses, which process healthcare information electronically.
Beyond these, the act covers anyone who handles PHI for commercial, financial or professional gain, and this is where the Texas Medical Records Privacy Act differs most from HIPAA. Examples include law firms that handle medical records in legal cases, IT service providers that store or process healthcare data, research institutions conducting medical research, schools holding student health records and employers with access to employee health information.
Defines PHI
PHI, or protected health information, under the act includes anything that can identify a patient: personal details (name, address, birth date and social security number) and medical records (diagnosis, treatment history, medications and test results). It also includes billing information (payments and insurance details) and other identifying information such as biometric and genetic data.
Protects Patient’s Rights
Under the Texas Medical Records Privacy Act, patients retain control over their PHI. They have the right to request and review their medical records, the right to ask for inaccurate or incomplete information to be corrected, and the right to request an accounting of disclosures of their PHI. Patients can also request limits on how their PHI is used or disclosed, and they can file a complaint if their privacy rights are violated.
Requires Specific Actions
TMRPA requires covered entities to take specific actions to protect patient privacy. They must implement safeguards, meaning security measures that protect PHI from unauthorised access, disclosure, alteration or destruction. They must provide a notice of privacy practices that tells patients what their rights are and how their PHI will be used and shared. The act also requires entities to train employees and staff on privacy policies and procedures, including how to respond to patient requests for access, amendments and similar matters.
Imposes Penalties
The Texas Medical Records Privacy Act sets out civil penalties for violations (Texas Health and Safety Code Section 181.201). The amounts are tiered by culpability: up to $5,000 for each violation committed negligently, up to $25,000 for each violation committed knowingly or intentionally, and up to $250,000 for each violation in which PHI is knowingly or intentionally used for financial gain, with a cap of $1.5 million per year where the violations form a pattern or practice. The act also allows the Attorney General to seek injunctions and court orders requiring a covered entity to comply, and licensing agencies may take disciplinary action against a licensed violator. In more serious cases the matter may be referred to federal authorities.
What is the Texas Medical Records Privacy Act Training?
The Texas Medical Records Privacy Act (TMRPA) requires specific training for all employees of covered entities who have access to protected health information (PHI) or sensitive personal information (SPI). This training is essential both for compliance with the law and for protecting patient privacy. The key aspects of the training are set out below.
Who Needs TMRPA Training?
All employees of entities covered by the Texas Medical Records Privacy Act who have access to PHI or SPI must undergo this training. That includes healthcare providers, from doctors to technicians; administrative staff in hospitals, clinics and medical offices; staff at health plans and insurance companies; and employees of businesses that handle PHI for commercial, financial or professional purposes, such as law firms and IT service providers.
What Does TMRPA Training Cover?
The training gives trainees an overview of the act, its purpose and key provisions, and how it differs from HIPAA. Trainees learn the difference between PHI and SPI and which information the law protects. Patient rights (access, amendment, restrictions on disclosure and so on) are also covered. Staff of a covered entity learn their own responsibilities under the act, including safeguarding PHI, providing a notice of privacy practices and meeting the training requirements. Trainees also receive practical guidance on handling PHI securely, responding to patient requests, and identifying and reporting potential violations.
Training Frequency and Requirements
TMRPA requires every employee of a covered entity to complete training on state and federal law concerning PHI, including TMRPA and HIPAA, within 90 days of being hired, and covered entities must provide refresher training at least once every two years. Each employee must sign a statement verifying attendance, and the entity must keep that statement for six years from the date it is signed. The law does not prescribe a fixed duration or curriculum; it requires the content to be tailored to the covered entity's course of business and to the employee's scope of employment, so the depth of training depends on the employee's role and level of access.
Benefits of TMRPA Training
Training under this law reduces the risk of non-compliance, hence avoiding penalties. It improves employee awareness and understanding of privacy obligations and empowers them to identify and report potential privacy breaches. Furthermore, this training builds patient trust and confidence by demonstrating the entity’s commitment to privacy.
The Texas Medical Records Privacy Act and HIPAA
TMRPA and HIPAA differ in several respects, from the scope of application to disclosure restrictions to training requirements. These differences are set out in more detail below.
Broader Scope
Comparing the scope of the two laws, HIPAA applies mainly to covered entities such as healthcare providers, health plans and clearinghouses, and to their business associates. TMRPA goes beyond healthcare entities and applies to any entity or individual that assembles, collects, analyses, uses, evaluates, stores or transmits PHI for commercial, financial or professional purposes. Besides the entities and individuals mentioned above, this can include a person responsible for handling athletes' health information and even website owners who collect health data through online forms.
Stricter Access Restrictions
TMRPA imposes more restrictions on the disclosure of medical records than HIPAA. HIPAA permits disclosures for treatment, payment and healthcare operations without the patient's authorisation, permits certain other disclosures such as those for public health activities, and requires written authorisation for most remaining uses, with marketing and the sale of PHI needing the patient's explicit authorisation. TMRPA adds restrictions on top of this: a covered entity may not sell PHI, may not send marketing communications based on PHI without the patient's consent, and must give patients notice that their PHI may be disclosed electronically and obtain their authorisation for electronic disclosures that are not for treatment, payment, operations or otherwise permitted by law. Note that the right to restrict disclosures to a health plan for services paid for out of pocket in full is itself a HIPAA right, not a Texas addition; Texas residents have it by virtue of HIPAA.
More Specific Training Requirements
HIPAA requires workforce training on a covered entity's privacy policies and procedures, but it leaves the timing and frequency largely to the entity's judgement. TMRPA, by contrast, sets specific requirements: training within 90 days of hire, refresher training at least every two years, and retention of signed attendance statements.
Additional Rights
HIPAA grants patients the right to access their PHI, to request amendments, to request restrictions on its use and disclosure, and to receive an accounting of disclosures. TMRPA preserves these rights and adds to them: a healthcare provider that maintains electronic health records must give a patient a copy of their record within 15 business days of a written request, which is shorter than HIPAA's 30-day deadline, and patients are entitled to notice that their PHI may be disclosed electronically. This gives Texas residents faster access to, and more transparency over, how their information is shared.
Penalties Under TMRPA
Violations of the Texas Medical Records Privacy Act (TMRPA) can lead to a range of consequences, from civil fines to court orders and disciplinary action. The main types are set out below.
Civil Penalties
Civil penalties under the act are tiered by the severity of the violation. A violation committed negligently carries a penalty of up to $5,000; a violation committed knowingly or intentionally carries up to $25,000; and a violation in which PHI is knowingly or intentionally used for financial gain carries up to $250,000. Each violation is counted separately, so fines accumulate quickly when many records or many individuals are involved, and where the violations form a pattern or practice the total can reach $1.5 million per year. In setting the amount, a court considers factors such as the seriousness of the violation, the entity's compliance history, whether the violation posed a significant risk of harm to the patient, and the amount needed to deter future violations. The Texas Attorney General's Office brings these actions, typically after investigating a complaint.
Injunctions
An injunction is a court order, obtained by the Attorney General, requiring a covered entity to comply with the law. It can require the entity to stop specific practices or to implement corrective measures, and a court may impose additional oversight of the entity's compliance efforts.
Referral to Other Agencies
In serious cases, the Attorney General may refer violations to federal authorities, such as the US Department of Health and Human Services (HHS), for further investigation and potential action under HIPAA regulations.
Private Right of Action
TMRPA itself does not create a private right of action; enforcement is in the hands of the Attorney General, the licensing agencies that regulate covered professionals, and the state agencies that can exclude a violator from state-funded programmes such as Medicaid. A patient harmed by a privacy violation may still be able to sue under other Texas law, for example for negligence or breach of a duty of confidentiality, but such claims have their own legal requirements and limitations.
Apart from these consequences, violations can damage an entity’s reputation, lead to loss of patient trust and potentially result in business disruptions or contractual penalties.
This overview of TMRPA should help you understand your rights under this law and under HIPAA, the differences between the two, and the requirements you need to know if you work with medical records in Texas.
FAQs
Who has the right to access medical records in Texas?
Individuals have the right to access their medical records, while healthcare providers may disclose records to other healthcare providers for treatment purposes. There are also limited circumstances where authorised individuals, such as law enforcement or insurance companies, may have access to medical records.
How long can medical records be retained in Texas?
In Texas, healthcare providers are generally required to retain medical records for at least seven years from the date of the last treatment. For minors, records must be kept until the patient turns 21 or for seven years from the last treatment date, whichever is longer.
What is the breach notification law in Texas?
Breach notification in Texas is governed by the Identity Theft Enforcement and Protection Act (Texas Business and Commerce Code Chapter 521) rather than by TMRPA itself. It requires a person who holds sensitive personal information, which includes health information, to notify affected individuals without unreasonable delay and no later than 60 days after determining that a breach occurred. HIPAA's Breach Notification Rule separately requires covered entities to notify individuals of a breach of unsecured PHI within 60 days of discovery.
How can healthcare providers ensure compliance with the Texas Medical Records Privacy Act?
Healthcare providers should implement policies and procedures to protect patient privacy, train employees on the Act’s requirements, and conduct regular audits to identify and address any compliance issues.
What are the rights of individuals under the Texas Medical Records Privacy Act?
Individuals have the right to access their medical records, to request that inaccurate information be amended, and to request restrictions on how their PHI is used and disclosed. They also have the right to file a complaint with the Texas Attorney General if they believe their privacy rights have been violated.