Health Industry Online


Craig H. Myers

901 Main Street
Suite 4400
Dallas, Texas 75202


Don’t Mess with the New Texas Healthcare Privacy Laws

A new law that sailed through both houses unopposed and was signed by Texas Governor Rick Perry modifies Chapter 181 of the Texas Health & Safety Code, provisions that deal with the privacy of electronic medical records. These new laws, which go into effect on September 1, 2012, are considerably broader than the analogous laws at the federal level, the Health Insurance Portability and Accountability Act (“HIPAA”) and its associated regulations.

Definition of “covered entity”

These laws cover any entity in possession of “protected health information” (“PHI”), which establishes a considerably wider classification of “covered entities” than does HIPAA. Pursuant to § 181.101(b)(2) of the Texas Health and Safety Code, a “covered entity” includes anyone who:
  1. for commercial, financial, or professional gain, monetary fees, or dues, engages, with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. This category includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;
  2. comes into possession of protected health information;
  3. obtains or stores protected health information; or
  4. is an employee, agent, or contractor of a person described above, to the extent that person creates, receives, obtains, maintains, uses, or transmits protected health information.
This definition represents quite a contrast to the HIPAA laws, which define “covered entity” only as a health plan, a healthcare clearinghouse, or a healthcare provider who transmits health information in electronic form, though HIPAA did provide that “business associates” of covered entities must give adequate assurances to the covered entity that the business associate would maintain the privacy of any PHI that it handled.

Chapter 181 will mandate compliance by these covered entities with the provisions of HIPAA, prohibiting the disclosure of PHI absent an established purpose such as health care treatment, payment, or health care operations.  Disclosure outside of these circumstances may only occur after the covered entity has received an authorization from the patient and provided notice to that patient of the disclosure. 


This expanded privacy law will also require a covered entity to train its employees concerning both the state and federal laws covering the privacy of medical records.  A new employee must be so trained within 60 days of his or her hiring, and employees must be re-trained at least once every two years.  This represents a departure from the HIPAA rules, which require only that new employees be trained within a reasonable time from their date of hire. 

Patient access to records

The laws allow patients access to their electronic health records, directing covered entities to provide a copy of those records within fifteen business days of receipt of a written request for the records.  Similar provisions in the HIPAA laws allowed the entity thirty days to produce the records.

Enforcement provisions

Chapter 181 will bring Texas into line with the 2009 federal law known as the Health Information Technology for Economic and Clinical Health Act, in that it prohibits the sale of PHI, except for treatment, payment, healthcare operations, performing an insurance function, or as otherwise allowed by law.  A breach of the confidentiality of this PHI requires the covered entity to notify the patient, and a failure to do so may result in a penalty of $100 per day the notice is not sent, up to a maximum of $250,000. 

The new law significantly raises the penalties for violations to $5,000 for negligent violations and up to $25,000 for knowing or intentional violations.  However, if an offender sold the PHI for financial gain, the penalties increase to $250,000, and for repeat offenders, the maximum penalty is $1.5 million.  The law also authorizes the revocation of a health care provider’s license for egregious violations or those that constitute a pattern or practice of disclosure.


Texas businesses or entities that handle electronic health information in any format – regardless of whether they were covered by HIPAA – will be required to comply with these new provisions, and there are significant penalties for failure to do so. A careful review of the privacy provisions, along with establishment of employee training programs as dictated by the statute, is strongly encouraged well in advance of the law’s effective date of September 1, 2012.


DISCLAIMER: Articles contained within this newsletter provide information on general legal issues and are not intended to provide advice on any specific legal matter or factual situation. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel.


Strasburger & Price, LLP