Southeast Texas Medical Associates, LLP James L. Holly, M.D. Southeast Texas Medical Associates, LLP

EPM Tools - Health Insurance Portability and Accountability Act (HIPAA) Privacy Tutorial for SETMA's Compliance with Federal and State HIPAA Behavior Health Requirements
View in PDF Format Print this page

If the Federal HIPAA requirements were not difficult to interpret and to comply with, the Texas Legislature in 2011 passed Texas HB300 which increased that complexity geometrically.  Effective September 2014, all Texas Healthcare practitioners were required to renew their employee HB300 certification.  That certification has to be renew every two years after that.

The details of the requirements of Federal HIPAA Primacy and Texas HB300 are given below.  The major problem faced by a large medical practice is the number of patient charts which are requested daily by insurance companies and other covered entities.  If a practice receives 200 requests a day compliance with Privacy Regulations means we must examine every chart for information which requires special handling.  That special handling may involve getting a more inclusive permission from the patient or patient’s power-of-attorney before the information can be released even for the most common and simple reason.

Because a chart can contain hundreds of pages and because the privacy issues apply even to Chronic Problem Lists, we needed an automated means of examining charts.  Those which require special handling can be set aside while others can be sent out immediately.  Because the Texas Privacy requirements are much more restrictive than the Federal Law, if you comply with Texas, you automatically comply with the Federal regulations.

Who Must Comply...

All Texas healthcare provider businesses are required to   comply with the new bill.  And you will have to update your     training compliance every two years thereafter.   Here is who is included:  Healthcare Facilities, Clinics, Healthcare Providers, Persons maintaining Internet Websites, All workers handling PHI, ePHI & EHR (Protected Health Info, electronic PHI, Electronic Health Records).

  What is Required...

  • You'll need to understand & implement the new Patients Protection Guidelines in relation to Patient Privacy.
  • Provide Proof-of-Employee-Training on patient EHR, ePHI and PHI for HB 300 (in certificate format).
  • You'll need to train all new employees within 60 days of their hire (and have them sign a certificate).
  • Remember to update every 2 years!
  • Keep on file:  Written Office Protocols for HI TECH LAW, EHR & ePHI for HB 300
  • Understand the fines & punishments for breaches / violations of HB 300--- And know how to report breaches! 

The following tutorial details the privacy requirements and shows how SETMA does this automatically.  Below is SETMA’s AAA Home template which is the starting point for all patient management in our EMR.  In the fifth column near the bottom, you will see the button for the launching of SETMA’s Behavior Health HIPAA Compliance tool.  It is entitled Check Sensitive Info and is outlined in green.

There are five categories of sensitive information which triggers special handling of patient’s charts.  As SETMA expands its Behavioral Health and Mental Health Services, this function will becoming more and more important.   Once the Check Sensitive Info button is deployed the following pop-up appears.   There are five categories of information or data;

  1. Does the chart contain HIV/AIDS diagnosis?
  2. Does the chart contain positive HIV results?
  3. Does the chart contain mental illness information?
  4. Does the chart contain alcohol or substance abuse information?
  5. Does the chart contain genetic testing information?

When the chart is opened, it is automatically checked for these categories by an algorithm which SETMA has created and embedded in the EMR.  If such data is contained in the chart a “Yes” will appear in “red” beside that category of material.  If the chart does not contain such data, a “No” will appear in “black” in the box next to that category of information.

The following five pop€”ups have each category outlined in green for emphasis.

Our identification of the charts which require special handling and thus our compliance with HIPAA Privacy is simple.  However, there are other complexities to the HIPAA Privacy which require more effort.