Understanding Insurance Agent Rights: TMRPA Texas


The Texas Medical Records Privacy Act (TMRPA) came into effect on September 1, 2019, to safeguard protected health information (PHI). The TMRPA applies to a broader range of entities than the Health Insurance Portability and Accountability Act (HIPAA), including hospitals, insurance providers, and health maintenance organizations. While the TMRPA does not specifically mention insurance agents, the definition of covered entities under Texas law includes employees and agents who create, receive, obtain, maintain, use, or transmit PHI. Therefore, it can be inferred that insurance agents who handle PHI are subject to the TMRPA and must comply with its privacy and data protection requirements.

| Characteristics | Values |
|---|---|
| What is TMRPA? | Texas Medical Records Privacy Act |
| What does it do? | Maintains the privacy of Protected Health Information (PHI) for patients and customers |
| Who does it apply to? | Covered entities, including hospitals, insurance providers, health maintenance organizations, clearinghouses, and other service providers that handle PHI |
| What is PHI? | Any information about health status, provision of health care, or payment for health care created or collected by a Covered Entity |
| Who are Covered Entities? | Legal definition includes hospitals, care, or insurance providers that are subject to regulations like HIPAA and TMRPA |
| How does it differ from HIPAA? | TMRPA applies to a broader range of entities and has more specific training requirements |
| What are the penalties for non-compliance? | Fines ranging from $2,000 to $5,000 per violation, disciplinary action, and exclusion from state programs |
| What rights do data subjects have? | The right to request information about how their PHI is used and disclosed, to limit its use for sales and marketing purposes, and to request amendments to inaccurate records |


TMRPA's broader scope than HIPAA

The Texas Medical Records Privacy Act (TMRPA), also known as the Texas Privacy Act, has a broader scope than HIPAA in several ways.

Firstly, the TMRPA applies to a wider range of entities than HIPAA. While HIPAA primarily focuses on healthcare service providers, the TMRPA applies to "any person or entity who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting" Protected Health Information (PHI) of Texas residents. This includes hospitals, insurance providers, health maintenance organizations, clearinghouses, and other service providers that handle PHI. The TMRPA could potentially regulate business entities that are not subject to HIPAA, such as business partners of providers.

Secondly, the TMRPA has stricter rules regarding the use of PHI for sales and marketing purposes. Individuals have the right to limit the use of their PHI for these purposes and must be notified if their PHI is being used in this way. The TMRPA also prohibits the re-identification of information that has been de-identified.

Thirdly, the TMRPA requires faster record access for individuals. Under the TMRPA, individuals must be provided access to their medical records within 15 business days of a request, whereas HIPAA allows up to 30 days.

Fourthly, the TMRPA has more specific training requirements than HIPAA. All employees who handle PHI or are likely to encounter it must undergo formal privacy training within 60 days of beginning employment. Additionally, ongoing training is required at least every two years to ensure that all personnel are updated on the latest privacy practices.

Finally, the TMRPA imposes stricter fee restrictions. Only reasonable, cost-based charges for copying records are permitted, and administrative or retrieval fees are prohibited.

While the TMRPA has a broader scope than HIPAA, companies that are already HIPAA-compliant may not need to make significant changes. However, they will need to ensure that their privacy training programs align with the TMRPA's more specific requirements and that they respect the additional consumer rights outlined in the TMRPA.


PHI and its use for sales and marketing

The Texas Medical Records Privacy Act (TMRPA), or the Texas Privacy Act, came into effect on September 1, 2019. The Act is designed to safeguard Protected Health Information (PHI), which includes any data about an individual's past, present, or future health, the healthcare provided, and the payment for said healthcare. The Act applies to a broad range of entities, including hospitals, insurance providers, and health maintenance organizations, as well as their employees and business associates. Under the TMRPA, individuals have the right to limit the use of their PHI for sales and marketing purposes and must be notified if their data is being used for these purposes.

PHI consists of any information about an individual's health status, healthcare provision, or healthcare payment that is created or collected by a Covered Entity. Covered Entities include hospitals, insurance providers, and other healthcare organizations, as well as their employees and business associates. PHI is considered sensitive information and is protected by both the TMRPA and the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA sets the standards for safeguarding PHI and applies to any organization that handles sensitive medical records in Texas or for Texas consumers. The use of PHI for marketing and sales purposes is strictly regulated by HIPAA, which requires that individuals give their authorization for the use of their PHI in most cases. The 2013 Amendments to HIPAA distinguish between the use and disclosure of PHI for marketing and for sale purposes. Marketing is defined as a communication that encourages the recipient to use a product or service, while a sale is simply the disclosure of PHI for remuneration.

HIPAA-compliant marketing requires that PHI not be included in email subject lines or social media posts and that all contact forms and channels of communication used to transmit PHI be HIPAA-compliant. In most cases, a covered entity must obtain an individual's authorization to use their PHI for marketing purposes, especially if there is financial remuneration involved. However, there are certain exceptions, such as when an insurance agent sells a health insurance policy in person and also markets a life insurance policy, or when a hospital provides a free package to new mothers upon discharge.

To ensure compliance with both TMRPA and HIPAA, organizations must implement robust security measures, conduct regular employee training, and establish policies and procedures that protect PHI.


TMRPA's training requirements

The Texas Medical Records Privacy Act (TMRPA) regulates the use and disclosure of protected health information (PHI) by covered entities, which include employees, agents, contractors, and other individuals or entities that create, receive, obtain, maintain, use, or transmit PHI. Under the TMRPA, covered entities are required to train their workforce on privacy requirements and obtain patient consent for the use or disclosure of PHI.

While Texas does not require prelicensing education for insurance agents, certain licenses require the completion of specific training and continuing education requirements. For example, Texas General Lines Licensed Agents must complete 24 Credit Hours of Approved Continuing Education every 2 years, with at least 3 hours dedicated to Ethics Training and 12 hours in a classroom setting.

Additionally, agents selling, soliciting, or negotiating specific insurance products may have additional training requirements. For instance, agents selling long-term care insurance must complete an initial 8-hour Long-Term Care training course and ongoing 4-hour LTC refresher courses each renewal period. Similarly, agents selling annuity products must complete a one-time 4-hour Annuity Best Interest course before selling and ongoing 8-hour Annuity Suitability training courses.

To maintain their licenses, insurance agents in Texas must also renew them through the National Insurance Producer Registry (NIPR) and pay a $50 renewal fee. The renewal period begins 60 days before the expiration date, and agents must complete all required continuing education credits before this date.


TMRPA's breach notification rules

The Texas Medical Records Privacy Act (TMRPA) is a privacy law that focuses on maintaining the privacy of Protected Health Information (PHI) for patients and customers. It applies to any organisation that collects, stores, or transmits healthcare data, regardless of HIPAA coverage. While the TMRPA does not contain a specific breach notification requirement, companies are still mandated to notify users in the event of a breach under Texas' own breach notification statute, the Texas Data Breach Notification Law, also known as the Identity Theft Enforcement and Protection Act (ITEPA).

Under ITEPA, entities that conduct business in Texas and own or license computerized data that includes sensitive personal information must disclose any breach of system security that has compromised the security, confidentiality, or integrity of sensitive personal information. This disclosure must be made without unreasonable delay and no later than 60 days after the breach is discovered. If the breach involves at least 250 Texas residents, the entity must also notify the Texas Attorney General electronically via a form on the Attorney General's website within 60 days of determining that the breach occurred.

The Texas Breach Notification Rule specifies that breaches of all types of sensitive information qualify as notifiable data breaches. This includes personally identifiable information combined with information relating to a person's health status, healthcare they have received or will receive, or healthcare payment.

In addition to ITEPA, the TMRPA also requires certain entities defined as "covered entities" to provide notices to patients of electronic disclosures of their PHI and to obtain patient authorization for such disclosures. Covered entities under the TMRPA include HIPAA business associates, health researchers, healthcare providers, and other entities that do business in Texas.


TMRPA's penalties for non-compliance

The Texas Medical Records Privacy Act (TMRPA) came into effect on September 1, 2019, as an extension of the federal Health Insurance Portability and Accountability Act (HIPAA) regulations. TMRPA applies to a broader range of entities than HIPAA, including insurance agents. It is important to understand the TMRPA requirements and penalties for non-compliance to ensure adherence to the law.

TMRPA mandates a rapid response, within 15 days, to patient requests for their electronic health records, and requires formal privacy training for employees within 60 days of hiring. It also requires additional training at least every two years to ensure compliance with the latest privacy practices. The Act covers a broader range of entities than HIPAA, and its penalties for violations are significantly higher than those under HIPAA.

Non-compliance with TMRPA can result in substantial financial and operational consequences. Texas has imposed stringent penalties for violations, reflecting the severity of its approach to protecting health information. The penalties for non-compliance include:

  • Fines: TMRPA violations can result in civil penalties ranging from $2,000 to $5,000 per violation, with a maximum of $250,000 for recurring violations. The University of Houston Law Center states that fines can be up to $3,000 per violation.
  • Disciplinary action: Covered entities that violate TMRPA are subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency.
  • Exclusion from state programs: Entities that engage in a pattern or practice of violating TMRPA will be excluded from participating in any state-funded healthcare programs.
  • Lawsuits and injunctive relief: The Texas Attorney General may file a lawsuit seeking injunctive relief, prohibiting the covered entity from taking specific actions.
  • Additional civil penalties: The Texas Attorney General may also seek civil penalties of $5,000 for each violation that occurs in one year, regardless of the duration of the violation.
  • Higher penalties for patterns of non-compliance: If a court finds that violations have occurred frequently enough to constitute a pattern, the annual penalty can reach up to $1.5 million.

It is important to note that companies that are already HIPAA compliant may not need to make significant changes but must ensure their privacy training programs align with TMRPA's requirements. Non-compliance with TMRPA can have serious repercussions, and entities must understand and adhere to the Act's requirements to avoid penalties and protect patient privacy.

Frequently asked questions

The Texas Medical Records Privacy Act (TMRPA), or the Texas Privacy Act, is a law that safeguards protected health information (PHI) for patients and customers.

Yes, the TMRPA applies to insurance agents as well as insurance providers. The TMRPA defines “covered entities” as including hospitals, insurance providers, health maintenance organizations, clearinghouses, and other service providers that handle PHI.

The fines for non-compliance with the TMRPA are higher than for non-compliance with HIPAA. Fines can range from $2,000 to $5,000 per violation and $100 for each individual who failed to receive a notification (up to $250,000). Non-compliant entities may also be subject to disciplinary action and exclusion from state programs.
