September is here everyone is buzzing about the looming deadline for compliance with the HIPAA Omnibus rule — September 23, 2013.
Compliance with HIPAA is an ongoing process. Whenever laws and rules change, you must review your existing policies and processes to determine if they are still in compliance. And when you make changes to your processes — new software, new mobile devices, etc — you should also review existing policies to determine if they are valid or need to be changed.
The 2013 legislative session brought a few minor changes to the Texas Medical Records Privacy Act that you should incorporate into your policies and procedures.
SENATE BILL 1609 (2013)
There are three changes to the Texas Medical Records Privacy Act, made by Senate Bill 1609, which will affect training requirements.
- Covered entities (CEs) have up to 90 days (previously 60) to train new employees on federal and Texas privacy.
- The requirement to re-train staff every two years has changed to require CEs to conduct re-training of staff in a reasonable period, but not later than the first anniversary of the date of the effective law change if the law affects the duties of the employee.
- CEs are now required to document that an employee has received training by a signed statement that the employee completed the training. The documentation must be maintained for six years.
SENATE BILL 1610 (2013)
If the individual whose SPI was breached (or believed to be breached) resides in a state that requires a notice of a breach, the notice may be provided under that state’s law or under Texas law. A person may be given written notice at his or her last known address.
When you make changes to your processes, you need to evaluate (if not done before) or re-evaluate your systems for vulnerabilities and threats. TMLT can assist you with this process by conducting a risk analysis.
For more information, please contact Stephanie Downing at stephanie-downing@tmlt.org or at 800-580-8658, ext. 4884.