Actions Vs. Words: New Texas Law Out-HIPAA’S HIPAA

The oft-stated positions of Texas Governor Rick Perry on health care reform, and on government regulation in general, are apparently unrelated to the state’s wholehearted adoption of one particular health care innovation: the electronic medical record. HB300, passed by the Texas Legislature in the 2011 session, goes well beyond HIPAA in safeguards for privacy and security in electronic medical records.

The statute greatly expands HIPAA’s definition of “Covered Entity” to include anyone who “comes into possession of Protected Health Information.” Covered Entities are required to train newly hired employees on the privacy and security provisions of this law as well as federal law within sixty days of hire, and to provide refresher training at least once every two years thereafter.

Enforcement has been considerably enhanced under HB300 and carries with it the perhaps surprising element of cooperation with the federal government in certain cases. Penalties the state may levy can reach $1.5 million. In addition, the Texas Attorney General may request the Secretary of the Department of Health and Human Services to audit Covered Entities (as that definition has been expanded by HB300). If the audit reveals a pattern of serious violations, the state can require the entity to undergo a risk analysis in the form and process required by HIPAA.

HB300 won’t take effect until September of 2012, but it serves as a notice that even those states whose elected representatives have offered full-throated opposition to health care reform will put those views aside in the pursuit of privacy and security of the electronic health information of their citizens. And they will pursue those protections with regard to an expanding roster of entities that access such information.

Forearmed is forewarned: policies and practices in privacy and security cannot be prepared and implemented overnight.
