On June 14, 2021, Governor Greg Abbott signed HB 3746, amending Texas’ data breach notification law. Under HB 3746, Texas has adopted a “HIPAA wall of shame,” requiring breaches affecting 250 or more Texas residents to be posted on the Attorney General’s website. More details on the Texas data breach notification law are discussed below.
What Does the Texas Data Breach Notification Law Require?
Prior to the signing of HB 3746, Texas enacted HB 300 which imposes stricter requirements for healthcare organizations treating patients in Texas than HIPAA does. Texas HB 300 expanded the definition of a covered entity, created greater accountability for business associates, and imposed more stringent breach notification requirements.
HB 3746 amends Texas law in the form of additional breach notification requirements. First, data breaches affecting 250 or more Texas residents must now be posted to the Texas Attorney General website, and remain available on the site for one year. The posting may be removed after the one-year period, provided that the breached entity has no further security lapse during that period.
Second, HB 3746 imposes additional content requirements for breach notifications.
Additional breach notification requirements include:
- a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach
- the number of Texas residents affected by the breach at the time of notification
- the measures taken by the Entity regarding the breach
- any measures the Entity intends to take regarding the breach after notification
- information regarding whether law enforcement is investigating the breach.
The new Texas data breach notification law goes into effect on September 1, 2021.
How Does the Law Apply to Behavioral Health Providers?
Any behavioral health provider who treats patients that reside in Texas must be aware of both Texas breach notification requirements, as well as HIPAA breach notification requirements. Any time a state healthcare law is stricter than the federal HIPAA law, entities must comply with the stricter state law. As more states are implementing their own privacy laws, it is important to remain vigilant to ensure that you meet all of the requirements imposed by both federal and state laws.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!