Texas Medical Privacy Act Adopts and Expands the HIPAA Privacy Regulations
Jessica Luna, J.D. Candidate
On June 17, 2001, Texas Governor Rick Perry signed the Texas Medical Privacy Act into law. S.B.11 (2001). The Act is designed to bring Texas into compliance with Federal standards on patient privacy as enumerated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 65 Fed. Reg. 82,461 (2000). See http://aspe.os.dhhs.gov/admnsimp/Index.htm. The Texas Medical Privacy Act will also expand the protections mandated by HIPAA in three areas. First, the Act applies to a broader range of entities. Second, the Act does not allow a patient’s health information to be marketed, or to be used in marketing, without that patient’s consent or authorization. Third, the Act prohibits the re-identification of information that has been de-identified.
HIPAA was enacted on August 21, 1996. Title I of the Act deals with health insurance access, portability, and renewability. Title II authorized the Secretary of the Department of Health and Human Services (DHHS) to promulgate final regulations for maintaining the privacy and security of health information if Congress did not enact such legislation within 36 months of HIPAA’s enactment. Congress missed the deadline; therefore, the Secretary issued a final regulation dealing with the security and privacy of protected health information (PHI) on December 20, 2000. The HIPAA Privacy Regulation was formally enacted on April 14, 2001. 45 C.F.R. §§160-164 (2000). See http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm. On July 6, 2001, the Secretary of the DHHS issued guidelines on the Privacy Regulations. The guidelines clarify the requirements and answer questions about the Regulations. See http://www.hhs.gov/ocr/hipaa/index.html#Initial%20Guidance.
HIPAA is the first federal legislation to initiate uniform privacy standards for patient information. Prior to the enactment of the HIPAA Privacy Regulation, it was up to the states to provide legislation to protect the privacy of patient information. The state laws, however, varied greatly and were often too narrow in their application. See "The State of Health Privacy: An Uneven Terrain," http://www.healthprivacy.org. HIPAA sets a floor of ground rules for health care providers, health plans, and health care clearinghouses to follow, in order to protect patients and encourage them to seek needed care. It creates a framework of protection that can be strengthened by both the federal government and by states as health information systems continue to evolve. 65 Fed. Reg. at 82,464. HIPAA’s provisions allow existing state laws that are more protective of privacy to stand, and permit states to make more protective laws in the future. 45 C.F.R. §160.203(b)
The Texas Medical Privacy Act is an example of a state law that provides more protection for patient privacy than is provided under HIPAA. The Act adopts the basic tenets of the HIPAA Privacy Standards and provides additional protections for Texans in some areas where HIPAA has left gaps.