In 2012, many Texas employers became subject to strict Texas security and privacy laws enacted to protect the security and privacy of certain personal information. These laws parallel HIPAA in some respects, but require protection of a broader class of personal information.
Under the Texas Medical Records Privacy Act (Act), any individual, business or organization (including any employee, agent or contractor of these) that possesses, obtains or stores Protected Health Information (PHI) is required to protect the PHI in accordance with the Act. PHI includes information about the past, present or future physical or mental health or condition of an individual or the provision of health care to an individual. Thus, employers who maintain information pertaining to employee health, including such information that would be included among HR and benefits records, must be aware and perform the necessary risk analysis and policy implementation to protect such information.
The issues that businesses and individuals handling PHI must address include:
As with all businesses in Texas, employers are also subject to identity theft protection laws under the Texas Business & Commerce Code, which protect a category of information referred to as sensitive personal information (SPI). SPI includes an individual’s first name or initial and last name in combination with certain identifiers (e.g., social security number, driver’s license number, credit/debit card information, etc.). As with the protection of PHI, employers are required to have policies and procedures in place to protect SPI, including notification of individuals whose SPI has been breached and destruction of SPI that the employer no longer needs to maintain.
The Texas Attorney General enforces Texas privacy and security laws, and spot-checks and audits may be performed on businesses to ensure compliance. Penalties for a violation of the Act can range from $5,000 to $250,000 per violation, and for violations of identity theft protection laws, $2,000 to $50,000.
Employers cannot afford to ignore these state law requirements mandating the strict protection of PHI and SPI. Policies and procedures for maintaining and protecting such information are imperative, as are physical and technological safeguards to protect against data theft. The process of investigating and determining the nature and extent of a breach is costly, and includes the costs of a forensic analyst/auditor, legal services, planning and making required disclosures, and business disruption. Employers are advised to perform a risk analysis of their data protection program and to consider purchasing data breach insurance to cover expenses and losses in the event of a breach of PHI and/or SPI. Legal counsel can provide effective guidance on the specific coverage and exclusions in the insurance policy under consideration.
For additional information regarding Texas privacy and security requirements, please contact: