Throughout most of the U.S., the Healthcare Insurance Portability and Accountability Act (HIPAA) provides a “federal floor of privacy protections for individuals´ individually identifiable health information” and preempts state laws unless state laws are “more stringent” and increase either the duties of Covered Entities or the rights of patients.
In Texas, the Medical Records Privacy Act (Chapter 181 of the Health and Safety Code) not only increases the duties of Covered Entities but increases the rights of patients. Furthermore, HB 300 expands the definition of Covered Entities in Texas to any person or organization that “assembles, collects, analyzes, uses, evaluates, stores, or transmits Protected Health Information”.
Effectively, any person or organization in possession of a Texas resident´s PHI is subject to the Medical Records Privacy Act – including persons and organizations located outside of Texas if PHI is collected or stored within Texas. This also means that an organization classified as Business Associate under HIPAA can be classified as a Covered Entity under Texas HB 300.
