The federal Health Insurance Portability and Accountability Act (HIPAA) requires providers of health care (including mental health care) to ensure the privacy of patient records and health information and requires the federal Department of Health and Human Services (HHS) to adopt implementing rules. HIPAA and its rules apply to health care providers, health plans and other entities that process health insurance claims and these are referred to as "HIPAA covered entities." The business associates of these covered entities that receive protected health information (PHI) must also comply with the HIPAA rules.
On March 26, 2013, HHS' Final Omnibus Rule adopted pursuant to HIPAA and related federal laws goes into effect. This final rule includes the Privacy Rule, the Security Rule and the Breach Notification Rule.
The HIPAA Privacy Rule gives consumers rights over their health information and sets limits on who can look at and receive a consumer's protected health information (PHI). That Rule applies to all forms of PHI, whether oral, electronic or written.
The HIPAA Security Rule protects PHI that is in electronic form and requires entities covered by HIPAA to maintain reasonable safeguards to ensure that electronic PHI is secure.
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notice to affected consumers and to HHS in the event of a breach of unsecured PHI.
To learn more about HIPAA and its related rules, click here.
HIPAA also provides that if a state law grants more privacy protection to a patient, the state law will apply.
Effective September 1, 2012, the Texas Medical Records Privacy Act provides additional protections to consumers. The Act is broader in scope than HIPAA because it applies not only to health care providers, health plans and other entities that process health insurance claims but also to any individual, business, or organization that obtains, stores, or possesses PHI as well as their agents, employees and contractors if they create, receive, obtain, use or transmit PHI.
Under the Act, these individuals, businesses and organizations must comply with several requirements including mandatory training for employees regarding PHI. In most instances, the Act prohibits covered entities from using or disclosing PHI without first obtaining an individual's authorization.
To learn more about the Texas Medical Records Privacy Act click here.
Read more about the State and health privacy laws at texasattorneygeneral.gov