Optometry Board
Licensing Doctors of Optometry and Regulating the Practice of Optometry

   Health & Safety Code Chapter 181
Texas House Bill 300 added the following requirements for covered entities to the state law protecting patient records. The definition of covered entity in the statute is very broad, and would most likely include every optometrist's office.
The law, Chapter 181 of the Texas Health and Safety Code, has these requirements:
Doctors must provide training for staff within 90 days of hire and whenever a change in the law affects the employee's duties (Sec. 181.101).
Doctors must provide patient records within 15 days of a request if the request is for electronic records (Sec. 181.102).
Doctors must obtain authorization and provide notice for electronic disclosure unless the disclosure falls under one of the listed exceptions (Sec. 181.154).
Note that these requirements are in addition to the federal HIPAA requirements. The Texas Attorney General is authorized to enforce the federal and state requirements. The Optometry Board has the authority to enforce the law through disciplinary action.
Doctors should also be aware that their office, as with any other business in Texas, has additional responsibilities to protect other sensitive information, including social security numbers and driver's license numbers (Business and Commerce Code). State law also requires a business to give notice to all customers if there has been a breach of computer security (Business and Commerce Code). Substantial penalties are possible if the requirements of the law are not met.
   Authorization Form To Disclose Protected Health Information
The Texas Health & Safety Code Section 181.154(d) requires the Attorney General to develop a form that may be used to authorize the release of protected health information.

   Referenced Sections of Chapter 181
Sec. 181.101
    (a) Each covered entity shall provide training to employees of the covered entity regarding the state and federal law concerning protected health information as necessary and appropriate for the employees to carry out the employees' duties for the covered entity.
    (b) An employee of a covered entity must complete training described by Subsection (a) not later than the 90th day after the date the employee is hired by the covered entity.
    (c) If the duties of an employee of a covered entity are affected by a material change in state or federal law concerning protected health information, the employee shall receive training described by Subsection (a) within a reasonable period, but not later than the first anniversary of the date the material change in law takes effect.
    (d) A covered entity shall require an employee of the entity who receives training described by Subsection (a) to sign, electronically or in writing, a statement verifying the employee's completion of training. The covered entity shall maintain the signed statement until the sixth anniversary of the date the statement is signed.
Sec. 181.102
    (a) Except as provided by Subsection (b), if a health care provider is using an electronic health records system that is capable of fulfilling the request, the health care provider, not later than the 15th business day after the date the health care provider receives a written request from a person for the person's electronic health record, shall provide the requested record to the person in electronic form unless the person agrees to accept the record in another form.
    (b) A health care provider is not required to provide access to a person's protected health information that is excepted from access, or to which access may be denied, under 45 C.F.R. Section 164.524.
    (c) For purposes of Subsection (a), the executive commissioner, in consultation with the department, the Texas Medical Board, and the Texas Department of Insurance, by rule may recommend a standard electronic format for the release of requested health records. The standard electronic format recommended under this section must be consistent, if feasible, with federal law regarding the release of electronic health records.
Sec. 181.154
    (a) A covered entity shall provide notice to an individual for whom the covered entity creates or receives protected health information if the individual's protected health information is subject to electronic disclosure. A covered entity may provide general notice by:
(1) posting a written notice in the covered entity's place of business;
(2) posting a notice on the covered entity's Internet website; or
(3) posting a notice in any other place where individuals whose protected health information is subject to electronic disclosure are likely to see the notice.
    (b) Except as provided by Subsection (c), a covered entity may not electronically disclose an individual's protected health information to any person without a separate authorization from the individual or the individual's legally authorized representative for each disclosure. An authorization for disclosure under this subsection may be made in written or electronic form or in oral form if it is documented in writing by the covered entity.
    (c) The authorization for electronic disclosure of protected health information described by Subsection (b) is not required if the disclosure is made:
(1) to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001, Insurance Code, for the purpose of:
(A) treatment;
(B) payment;
(C) health care operations; or
(D) performing an insurance or health maintenance organization function described by Section 602.053, Insurance Code; or
(2) as otherwise authorized or required by state or federal law.
    (d) The attorney general shall adopt a standard authorization form for use in complying with this section. The form must comply with the Health Insurance Portability and Accountability Act and Privacy Standards and this chapter.
This information is provided as a service to licensees by Board Staff. It is not intended as legal advice and should not be considered as an official statement, opinion, order or rule of the Board. The Board does not control or verify the information provided in links to other organizations.


The Board and the State of Texas make no warranty as to the accuracy, completeness, reliability or fitness for a particular use of the information on this web site. The user assumes all liability and waives any and all claims or causes of action against the Board and the State of Texas for all uses of, and any reliance on, this information. This paragraph shall accompany all distributions of this information and is incorporated into this information for all purposes.
Copyright 2012, 2013, 2016 TOB
Last Updated: 07/01/2016
Please send comments and suggestions to Chris.Kloeris@mail.capnet.state.tx.us
Site URL: http://www.tob.state.tx.us