19 January 2012

Developments In Texas

McDermott Will & Emery

Contributor


Texas passed a law (H.B. 300) in the fall of 2011 that will take effect on September 1, 2012. The law imposes new employee training and notification obligations related to protected health information (PHI), exceeding the requirements of the HIPAA Privacy Rule. The law provides patients with increased rights and remedies over electronic health records, and increases penalties for non-compliance. Significantly, the law incorporates an expanded definition of the term "covered entity" in Texas's existing health privacy law, such that it could have a broad effect on many non-HIPAA-covered entities. The definition of "covered entity" under the law includes any entity that engages in assembling, collecting, analyzing, using, evaluating, storing or transmitting protected health information, as well as any entity that comes into possession or obtains or stores PHI.

The law also amends the existing breach notification law, Business & Commerce Code, Section 521.053, and purports to expand coverage to all citizens of the United States. In particular, the new law provides that if an entity conducting business in Texas suffers a breach, it must not only provide notice to affected consumers who live in Texas, but also to those who live in a state that does not currently require notification. If the individual lives in a state that currently does require notification, then the entity can comply with Texas law by providing notice to the affected consumer pursuant to his or her state's law. To the extent a company doing business in Texas suffers a breach after August 2012, therefore, it should evaluate with counsel whether and to what extent it should send notices to all affected U.S. consumers regardless of the state of residence, to avoid the harsh penalty scheme of the Texas law.

To read "Privacy and Data Protection 2011 Year in Review" in full, please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
