HIPAA/HITECH and TMPA

In order to respond to the privacy and security requirements included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Department of Health and Human Services published the HIPAA Privacy Rule and the HIPAA Security Rule.

The HIPAA Privacy Rule established national standards for the protection of protected health information held by the entities subject to the rule (covered entities). The Privacy Rule defines the type of health information that is protected, the entities that are subject to the rule, and the use and disclosure of protected health information.

The Security Rule establishes national standards for the administrative, physical, and technological safeguards that must be in place for the protection of electronic protected health information.

The Health Information Technology for Economic and Clinical Health Act (HITECH) is part of the American Recovery and Reinvestment Act enacted in 2009 (ARRA). Included within ARRA were incentives and grants to health providers designed to promote greater efficiencies and access by encouraging the use of electronic medical records. It was necessary to expand the HIPAA privacy and security provisions for protected health information given the anticipated promulgation of electronic medical records across providers. The provisions of the HITECH Act address the increased privacy and security concerns through a number of new requirements, including: establishing mandatory federal reporting for security breaches; establishing criminal and civil penalties for non-compliance; applying HIPAA to business associates; and creating new privacy requirements for covered entities and business associates.

In response to concerns regarding the protections afforded through the federal HIPAA and HITECH Acts and the enforcement of those regulations, the Texas Legislature passed House Bill 300 (the Texas Medical Privacy Act [TMPA]) in September 2012. The stringent Texas health privacy laws add protections to the basic HIPAA privacy regulations and apply a more expanded definition of covered entities doing business in Texas, including those entities or individuals possessing protected health information. HB 300 expands the privacy protections for health data exchanged electronically and increases penalties for wrongful disclosure of or access to protected health information.