[ Wednesday, April 18, 2012 ]
Last year, the Texas legislature passed House Bill 300, which tightened up state law requirements relating to HIPAA matters. Specifically, it addresses access requirements when PHI is in an electronic health record, prevents sales of PHI, and requires some state agencies to publish reports and track breach data. But the most visible change in HB 300 is the requirement that "covered entities" (which is a broader definition than HIPAA under Texas law and includes almost any business that maintains and deals with personal information) train their employees at least every 2 years.
The question I have is this: if a company is a "covered entity" in Texas and has employees in Texas and outside Texas, does it need to train its non-Texas employees? Does it only have to train employees who handle personal information of Texas residents? The language of the law is broadly drafted, and indicates that all employees must be trained; no distinction is made based on the location of the employee. There is a distinction on the information the employee deals with, but not a geographic one (the law says training must be appropriate to the job duties of the employee, so an employee who has no access to personal information would need minimal (but more than none?) training).
Anyway, my bleg: If you are a Texas entity and have dealt with this issue, please email me at jdrummond-at-jw.com and let me know how you are addressing this. Thanks in advance.
Jeff [4:37 PM]