Handling Electronic Protected Health Information in the COVID Era
With the advent of electronic hearings, client consultations, and virtual mediations arising from the COVID-19 pandemic, the courts, lawyers, and mediators will undoubtedly be handling protected health information. This post will focus on some privacy considerations under Chapter 181 of the Texas Health & Safety Code.
Overview of Applicable Statutes. Both Texas law and federal law regulate the use and electronic disclosure of health information. Texas' Medical Privacy laws are codified in Texas Health & Safety Code § 181.001 , et seq ("Chapter 181"). Its federal cousin -- the Health Insurance Portability and Accountability Act ("HIPAA") is codified in the U.S. Code., with definitions found at 45 C.F.R. Section 160.103.
Who Must Comply With Chapter 181? Chapter 181 applies to a "covered entity." A covered entity is broadly defined, to include "any person who comes into possession of protected health information or obtains or stores protected health information under this chapter." Tex. Health & Safety Code § 181.001(b)(2)(B)-(C). This is broader that HIPAA's definition of covered entity. A covered entity, as defined by 181.001, must comply with Chapter 181. Id. § 181.004 (b).
What Type of Information Does Chapter 181 Protect? Chapter 181 applies generally to an individual's health information, in whatever format it exists. Chapter 181 adopts HIPAA's definition for "protected health information." Tex. Health & Safety Code § 181.001 (a) (where a term is not defined by Chapter 181, each term has the meaning assigned by HIPAA). Health information means any information, including genetic information, whether oral or recorded in any form or medium "that ... relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual." 45 C.F.R. 160.103. Protected health information is that health information which identifies an individual and is transmitted electronically, maintained electronically or transmitted or maintained in any other form or medium. Id.
What Does Chapter 181 Require? Chapter 181's requirements focus on the electronic disclosure of health information. It defines "disclose" as "to release, transfer, provide access to, or otherwise divulge information outside the entity holding the information." Tex. Health & Safety Code § 181.001 (b)(2-a). First, a "covered entity" must provide notice to an individual if that individual's health information is subject to electronic disclosure. Id. § 181.154 (a). This may be general notice posted in the entity's place of business, on its website, or in another place that is easily noticed. Ibid. Next, a "covered entity" may not electronically disclose protected health information to any person without a separate authorization for each disclosure. Id. § 181.154 (b). The authorization may be in writing or in electronic form or in oral form if documented. Ibid.
What Are the Penalties for Violating Chapter 181? Chapter 181 has a range of civil penalties that may be enforced by the Attorney General, including injunctive relief and fines ranging from $5,000 to $250,000 per violation. Tex. Health & Safety Code § 181.201. For egregious violations, a penalty may also include revocation of a covered entity's license issued by the state of Texas. § 181.202(1).