The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HB300 Training

HB300 training is similar to HIPAA training inasmuch as employees of entities covered by the Texas Medical Privacy Act are required to undergo training on what Protected Health Information is and how the privacy of individually identifiable health information must be protected from unauthorized access and impermissible disclosures.

However, there are some significant differences between HIPAA and the Texas Medical Privacy Act as amended by Texas HB300. Where differences exist, the Texas Medical Privacy Act preempts HIPAA if the Act increases the duties of Covered Entities, has greater protections against unauthorized access and impermissible disclosures, or provides more patients’ rights.

Who is Required to Comply with HB300?

The Medical Privacy Act of 2002 states any entity (individual or organization), employee, agent, or contractor who creates, receives, obtains, maintains, uses, or transmits Protected Health Information (PHI) relating to a citizen of Texas is considered to be a Covered Entity under the Act. This definition includes entities outside of Texas with access to PHI of Texas citizens.

There are some exemptions to the definition. For example, payment processors, workers´ compensation schemes, and the American Red Cross are exempted from complying with the Medical Privacy Act; while – similar to HIPAA – students’ medical records are considered to be part of their educational records covered by FERPA and are also exempted.

Get the FREE
HB300 Checklist

Discover everything you need to become compliant under the Texas Medical Privacy Act

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

When HB300 was passed in 2011, it distinguished between HIPAA Covered Entities and other entities covered by the Medical Privacy Act inasmuch as the bill stated HIPAA Covered Entities (as defined by 45 CFR §160.103) shall comply with HIPAA. However, where the Texas Medical Privacy Act preempts HIPAA, the Texas Medical Privacy Act still applies.

What HB300 Training should Consist Of

What HB300 training should consist of depends on whether your organization is subject to HIPAA and the Texas Medical Privacy Act where applicable, or just the Texas Medical Privacy Act. In the former case, it can be simpler to integrate HB300 training into existing HIPAA training. However, it is important to note HB300 training must be completed within 90 days of a new employee starting whereas HIPAA does not stipulate an exact timeframe.

With regards to what HB300 training should consist of, both HIPAA and the Texas Medical Privacy Act require that members of the workforce are trained on policies and procedures relating to PHI that are relevant to their roles. This means it is necessary for members of the workforce to understand what PHI is (both Acts use the same definition of PHI), and how it should be protected from unauthorized access and impermissible disclosures.

Depending on employees’ roles, it may also be necessary to provide training on patients’ rights, permissible uses and disclosures of PHI (which are more restricted under the Medical Privacy Act), and the procedures for obtaining authorizations from patients. HIPAA Covered Entities should also note that, in addition to providing HB300 training, it is also necessary to provide security and awareness training as required by 45 CFR 164.308 of the Security Rule.

Sample HB300 Training Curriculum

Because both HIPAA and the Medical Privacy Act stipulates training has to be relevant to each member of the workforce’s role, there is no one-size-fits-all HB300 training curriculum. However, the following elements should be included in an HB300 training course as a minimum:

  • Introduction to the Medical Privacy Act and HB300.
  • Why HB300 was introduced and what changes it made.
  • Entities and individuals required to comply with HB300.
  • An explanation of Protected Health Information.
  • Permissible uses and disclosures under the Medical Privacy Act.
  • Patient rights to request copies of electronic medical records.
  • Notices about electronic disclosures of PHI.
  • Authorizations from patients for disclosures of PHI.
  • Breach notification requirements of HB 4390.
  • How to protect PHI from unauthorized access.
  • Enforcement of compliance and penalties for violations.

Unlike HIPAA training – which only needs to be documented – to satisfy the HB300 training requirements, members of the workforce must sign a statement confirming they have attended the training. The content of the training and the signed statement must be retained for a minimum of six years.

HB300 Training FAQs

Do HIPAA Covered Entities in Texas have to provide both HIPAA and HB300 training?

HIPAA Covered Entities in Texas have to provide both HIPAA and HB300 training – as does any HIPAA Covered Entity located anywhere in the country that collects, receives, maintains, or transmits the PHI of Texas citizens. Due to the similarities between HIPAA and HB300, HIPAA Covered Entities can train employees on both laws at the same time by replacing clauses of the Privacy and Security requirements with clauses of the Medical Records Privacy Act where more stringent requirements apply.

Why does HB300 take precedence over HIPAA even though the Final Omnibus Rule is more recent?

HB300 takes precedence over HIPAA even though the Final Omnibus Rule is more recent only when HB300 provides greater protections for individually identifiable health information or gives patients’ increased rights. This is because HIPAA provides a federal floor of privacy protections for individually identifiable health information and preempts state laws unless state laws are more stringent.

What additional information has to be released by Covered Entities about data breaches?

The additional information that has to be released by Covered Entities about data breaches in Texas results from the passage of HB 3746 in 2021. This Bill amends the Texas Breach Notification Rule (Section 521.053 of the Business & Commerce Code) by requiring Covered Entities to release additional information about data breaches such as the circumstances of the breach, whether it is known if PHI has been subsequently used or disclosed without authority, and what measures the Covered Entity intends to take to address the cause of the breach.

If students’ medical records are exempt from the Medical Privacy Act, do teachers have to undergo HB300 training?

Although students’ medical records are exempt from the Medical Privacy Act, teachers may have to undergo HB300 training if medical treatments are provided to persons who are not students (i.e., other members of the workforce). Even if teachers do not have access to school treatment records, they should have an understanding of the privacy clauses of the Medical Records Privacy Act to mitigate the risk of an unauthorized verbal disclosure.

Where can I find further information about my obligations under the Medical Records Privacy Act?

All organizations that collect or store the PHI of Texas residents should review the text of the Medical Privacy Act, and the Texas Health Services Authority has also released guidance on model security policies. Alternatively speak with a company specializing in regulatory compliance. Not only will the company be able to answer questions relating to your specific circumstances, but it should also be able to help you with HB300 training.