Privacy and security FAQs

Have questions about medical privacy and security laws? Read our newest FAQs and get the answers you need.

Are some physician practices exempt from complying with HIPAA?

Under HIPAA, the definition of covered entities excluded a few physicians; however, the Texas Medical Records Privacy Act is much more inclusive: anyone who creates or maintains medical records must comply with both federal and Texas rules.


In 2003, practices that had paper medical records, and met the definition of a covered entity, were required to meet HIPAA Privacy. Is that all I need to be concerned about?

Covered entities were required to meet HIPAA Privacy in 2003; however, changes have since been made that affect Texas physicians. The Texas Medical Records Privacy Act, HITECH in 2009, and the HIPAA Omnibus Rule have all changed the requirements. Additionally, if you have transitioned to electronic medical records, you must meet the HIPAA Security Rule requirements.

For more information, visit the HHS website.


Who is required to conduct a risk analysis and how often must it be repeated?

All practices that are required to meet the HIPAA Security Rule are required to conduct a risk analysis. Generally speaking, if you have electronic records or maintain records in an electronic format, you are required to conduct a risk analysis.

For more information, please see the article “Privacy and security update: risk analysis for health care.”

TMLT staff may be able to conduct a risk analysis for your practice. Please contact Stephanie Downing at 800-580-8658, ext. 4884.


What are the requirements for training staff on privacy and security?

Under HIPAA, covered entities were required to train staff and to repeat training whenever there were changes in the practice. Texas has much more stringent requirements: all new employees must be trained by the 90th day of employment; employees must be retrained whenever there is a change in the law that affects their job as it relates to PHI (training should be done as soon as possible, but is required by the first anniversary of the effective date of the law); and each employee must sign an acknowledgment of training.


Are Business Associate Agreements required?

Under HIPAA, HITECH, and the HIPAA Omnibus Rule, Business Associate Agreements or contracts are required to clearly outline the responsibilities of any business associate with which a covered entity shares protected health information (PHI). Under the Omnibus Rule, there are additional requirements for business associates and their subcontractors. Covered entities should review their Business Associate Agreements for compliance.

How is Sensitive Personal Information different from Protected Health Information?

In Texas, Sensitive Personal Information (SPI) is defined in the Identity Theft Enforcement and Protection Act as information that includes the following:

• An individual’s first name or first initial and last name in combination with any one or more of the following items (if the name and items are not encrypted):

  • social security number;
  • driver’s license number or other government-issued identification number;
  • account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or

• Information that identifies an individual and relates to:

  • the physical or mental health or condition of the individual;
  • the provision of health care to the individual; and
  • payment for the provision of health care to the individual.


What should I do if I have a breach of protected health information?

All TMLT policyholders have a cyber liability endorsement on their policies. Contact the TMLT claims department to report a breach and you will be provided assistance. It is important to report a breach as soon as possible. If breach notification is required, it must be done within 60 days.
