Overview of principal Texas privacy laws and amendments that became effective September 1, 2012. Some say the new Texas law is tougher than federal HIPAA laws.
2. Speaker
James F. Brashear
General Counsel
Zix Corporation
Jim Brashear is a member of the Bar of the United States
Supreme Court, the California Bar Association and the State Bar of
Texas. He frequently appears as a public speaker on corporate
governance, data security and information technology legal topics.
He currently serves the Association of Corporate Counsel on its
Information Technology, Privacy & Electronic Commerce Committee
as Programs Co-Chair and Cloud/SaaS Co-Chair.
He received a Juris Doctorate degree, magna cum laude, from
the University of San Diego School of Law, and a Bachelor of Arts
degree in political science from the University of California at San
Diego.
Twitter @jfbrashear
This program is for educational purposes only. The content
does not constitute legal advice. No attorney-client
relationship is created by your participation.
3. Overview
Texas recently amended privacy laws protecting:
– Protected Health Information (PHI)
– Sensitive Personal Information (SPI)
A business may be simultaneously subject to:
– Texas Identity Theft Enforcement and Protection Act
– Texas Medical Records Privacy Act
– HIPAA and HITECH
New amendments:
– Broaden scope of Texas privacy laws
– Add new requirements
– Impose new penalties
New medical privacy laws are stricter than HIPAA
4. Two Principal Texas Privacy Statutes
Identity Theft Enforcement and Protection Act
Medical Records Privacy Act
5. Identity Theft Enforcement and Protection Act
Business and Commerce Code Chapter 521
http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm
Amended by H.B. No. 300 effective September 1, 2012
http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf
6. Broad Scope
Applies to virtually all businesses operating in Texas
Includes most healthcare businesses
Specifically includes nonprofit athletic or sports associations
Excludes financial institutions under Gramm-Leach-Bliley Act
Focus: It is not clear how the Act will be applied to:
• SPI stored outside Texas
• Non-Texas business SPI stored in Texas
• Non-Texas business SPI of Texas residents
7. Duty to Protect Sensitive Personal Information
Business and Commerce Code §521.052
Business must use reasonable procedures to protect
from unlawful use or disclosure any sensitive personal
information collected or maintained in its regular
course of business
Focus: In contrast to Massachusetts 201 CMR 17.01, Texas does not mandate
encryption – but Texas does:
• exclude some encrypted data completely
• exclude encrypted data from data breach notice rules
• mitigate penalties if data was encrypted
8. Sensitive Personal Information
§521.002(a)(2) defines two types of SPI:
1. Personal identifying information
An individual's first name or first initial
+ their last name
+ any of the following:
social security number
driver's license number
government-issued identification number, or
account number or credit or debit card number plus any financial
account security code, access code, or password
Encryption exclusion for this type
– If the name and the listed items are encrypted, then they are
not treated as SPI at all
Tip: Encrypt all sensitive data, at rest and in motion
9. Sensitive Personal Information
§521.002(a)(2) defines two types of SPI:
2. Medical identifying information
Information that identifies an individual and relates to their:
physical or mental health or condition
provision of health care, or
payment for provision of health care
No encryption exclusion for this type . . .
Treated as SPI even if encrypted
. . . but there is an encryption safe harbor
from data breach notification
Consistent with HIPAA
Tip: Encrypt all sensitive data, at rest and in motion
10. Data Breach from Unauthorized Acquisition
§521.053(a) defines Breach of System Security
Unauthorized acquisition of computerized data that
compromises SPI security, confidentiality or integrity
Safe harbor for encrypted data
– No data breach results from unauthorized acquisition of encrypted
data unless the decryption key was also acquired
– No notification required
Focus: The statute does not require a business to monitor its systems
to detect a data breach
Tip: Encrypt all sensitive data, at rest and in motion
11. Data Breach from Authorized Access
Data breach can result from unauthorized use or
disclosure of SPI by employee or agent
– Even if their acquisition was authorized and in good faith
– Even if their use or disclosure was not unlawful
Safe harbor for encrypted data applies here, too
Focus: Recent court decisions held that unauthorized use or disclosure
of data by employees or agents did not violate the Computer Fraud and
Abuse Act where their access to the data was authorized
12. Long Arm Duty to Notify
Must disclose data breach to any individual whose SPI
is reasonably believed to have been acquired
– Act formerly required notice to Texas residents only
Deference to other states’ laws
– Texas law is satisfied by notice provided under the data breach
law of states where affected individuals reside
– Texas law mandates a notice when the data breach laws of those
other states do not
Focus: Contrast MA privacy law 201 CMR 17.00, which applies to
data of MA residents no matter where it is held
13. Timing of Notification
Must disclose data breach as quickly as possible
Two permitted reasons for delay:
1. As necessary to determine the scope of the breach and restore
the reasonable integrity of the data system
2. At the request of a law enforcement agency
Only if that agency determined notification will impede a criminal
investigation
Must provide notice as soon as that agency later determines
notification will not compromise the investigation
Focus: It is not clear how "impede" differs from "compromise"
Focus: It is not clear how a business is expected to know if or when
the agency makes its determinations
14. Form of Notification
Business may notify affected individuals by:
written notice, or
electronic notice
Three exceptions:
1. If the business can demonstrate any of:
– cost > $250,000
– number of affected persons > 500,000
– insufficient contact information
then it may give notice by any of:
– email
– conspicuous posting on the business’ website
– notice via major statewide media
15. Form of Notification
Business may notify affected individuals by:
written notice, or
electronic notice
Three exceptions:
2. If the business:
– maintains its own SPI security policy notification procedures, and
– its procedures meet the statute’s notice timing requirements,
then notice under that policy satisfies the statute
Tip: Maintain a SPI security policy with notification procedures
consistent with Texas data breach notice law
16. Form of Notification
Business may notify affected individuals by:
written notice, or
electronic notice
Three exceptions:
3. If the business:
– is required by the Act to notify > 10,000 persons at one time,
then the business must without unreasonable delay also
– notify each nationwide consumer reporting agency of the:
notice timing
notice distribution
notice content
17. Duty to Destroy Sensitive Personal Information
Must destroy or arrange for destruction of customer
records containing SPI which are not going to be
retained
Destruction methods:
– Shred
– Erase
– Make SPI unreadable or indecipherable
E.g., encryption
18. Penalties
§521.151 civil penalties and injunctions
Restraining order for conduct that violates the Act
$2,000 to $50,000 per violation
$100 per individual for each consecutive day of unreasonable delay
in providing notice of a data breach
– Capped at $250,000 per data breach
19. Two Principal Texas Privacy Statutes
Identity Theft Enforcement and Protection Act
Medical Records Privacy Act
20. Texas Medical Records Privacy Act
Health & Safety Code Chapter 181
http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm
Amended by H.B. No. 300 effective September 1, 2012
http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf
21. Both HIPAA and Texas MRA May Apply
§181.004 refers to applicability of Texas and federal law
Texas MRA refers to Covered Entity as defined in both . . .
– 45 C.F.R. §160.103
Must comply with HIPAA and its Privacy Standards
– Texas Health & Safety Code §181.001(b)(2)
Must comply with Texas MRA*
A business might be a . . .
– Texas Covered Entity even if not a HIPAA Covered Entity
– Covered Entity under both laws
Tip: Consider standardizing compliance programs to meet the most
restrictive applicable requirement
*Subject to the partial exemptions under §181.051
22. Covered Entity Broader Than HIPAA
§181.001(b)(2) expansively defines Covered Entity
Generally includes persons who assemble, collect, analyze, use,
evaluate, store, transmit, obtain or come into possession of PHI
– Includes their employees, agents, and contractors who create, receive,
obtain, maintain, use or transmit PHI
– Includes a business associate, health care payer, governmental unit,
information or computer management entity, school, health researcher,
health care facility, clinic, health care provider, and person who maintains
an Internet site
Unlike HIPAA, no exception for conduit entities that only transmit PHI
– E.g., couriers
23. Limited Exemptions
Subchapter B offers a few exemptions
For example:
§181.051 makes employers, and entities defined in the Insurance
Code, subject only to Subchapter D (Prohibited Acts)
§181.052 exempts certain financial institution activities, such as
payment processing
§181.054 exempts workers compensation activities
24. More Training Than HIPAA
§181.101 requires Covered Entity to provide and record employee
training in PHI protection laws
Content
– Must cover federal and Texas laws concerning PHI
– Tailored for the Covered Entity’s business and the employee’s responsibilities
Timing
New employee: Within 60 days after hire
Existing employee: Not specified
All employees: Recurring every two years
– HIPAA requires training
within a reasonable amount of time after hire
when there are material changes in privacy policies
Record-keeping
– Must require employees attending training to sign (can be electronic or written)
a statement verifying attendance
– Must maintain the signed statements (no time limit)
Tip: Combine with training on policies and procedures
25. EHR Access, Notice and Consent
§181.102: Must give patient an electronic copy of EHR within
15 business days of written request
HIPAA allows 30 days
§181.154: Must notify individuals that PHI is subject to
electronic disclosure
Can be satisfied by posting in the place of business, on the website or in
any other place those individuals are likely to see the notice
§181.154: Must get consent for each electronic disclosure of PHI
Consent can be electronic or written
Texas AG is to develop standard form
Not required if disclosed to a Covered Entity for treatment, payment, health
care operations, insurance or HMO functions, or as authorized or required
by law
Tip: Add website notice of electronic disclosure of PHI
26. Sale of PHI
§181.153: Covered Entity generally cannot disclose
PHI for direct or indirect remuneration
Except to another Covered Entity for treatment, payment, health
care operations, insurance or HMO functions, or as authorized or
required by federal or state law
– Remuneration for disclosing PHI for the purpose of performing an insurance or
HMO function described by Insurance Code §602.053 cannot exceed the
reasonable cost of preparing or transmitting the PHI
– No remuneration cap otherwise
§181.152 generally requires clear, unambiguous consent to use or
disclose PHI for marketing
27. Audits
§181.206 authorizes Texas authorities to monitor HIPAA
compliance
Can ask U.S. HHS to audit HIPAA Covered Entities in Texas
Must monitor and review the results of all U.S. HHS audits of
HIPAA covered entities in Texas
If Texas MRA violations are egregious and constitute a pattern or
practice, §181.206 authorizes Texas HHS to:
Require Covered Entity to submit results of any risk analysis
required by 45 C.F.R. Section 164.308(a)(1)(ii)(A)
Ask the Texas agency that licenses the Covered Entity to conduct
an audit to determine compliance with Texas MRA
Texas HHS must report the number
of audits to the legislature annually
28. Increased Penalties
§181.201 authorizes Texas AG to institute court actions to
impose civil penalties for Texas MRA violations
– Texas AG incentivized by ability to retain a portion of penalties
– Texas AG cannot institute an action against a Covered Entity licensed by
Texas unless the licensing agency refers the violation to the Texas AG
Annual penalties up to:
– $5,000 per negligent violation
– $25,000 per knowing or intentional violation
– $250,000 per knowing or intentional violation if PHI is used for financial gain
Those penalties are capped at $250,000 annually if all the following apply:
– For disclosure of electronic PHI in violation of §181.154
– Made only to a Covered Entity
– Made only for a purpose permitted by §181.154(c)
– A court finds any of the following:
The PHI was encrypted
The recipient did not use or release the PHI
At the time the PHI was disclosed, the Covered Entity had
security procedures, including PHI training for employees
29. Increased Penalties (cont.)
§181.201 authorizes court to assess civil penalty of
up to $1.5 million annually for violations that constitute a pattern
or practice
– Formerly capped at $250,000
Court must consider in determining the amount of penalties:
– the seriousness of the violation
– if the violation poses a significant risk of financial, reputational or other harm to
an individual whose PHI is involved
– if Covered Entity was certified by Texas Health Services Authority for
compliance with electronic PHI sharing standards
– deterrence
– compliance history
– efforts to correct the violation
– good faith compliance efforts
Federal and Texas penalties both may apply
Injunctions, administrative penalties, license actions,
and Texas program bans may also apply
30. Key Recommendations
A business may benefit from:
Written policies to protect Sensitive Personal Information and
Protected Health Information
Written procedures to protect SPI and PHI
Written procedures for data breach response
Annual privacy risk and data breach insurance coverage analysis
Monitoring and auditing privacy and data security procedures
Recurring privacy law training for employees and contractors
Revising HIPAA Business Associate Agreements to cover state laws
Revising written privacy policies to reflect amended state laws
Updating privacy notices
Encrypting SPI and PHI while at rest and in motion
31. Questions