DATE: MARCH 9, 2017

In a meeting on February 28, 2017, you requested guidance from the Office of General
Counsel regarding compliance with the Texas Medical Records Privacy Act (MRPA) (H.B. 300) in the
absence of meaningful guidance from the State of Texas.

Your office has identified several Baylor units that are HIPAA-covered entities, and more
that have access to Protected Health Information (PHI) and are therefore subject to the MRPA but
are not HIPAA entities. You are prepared to undertake HIPAA compliance training to those units
that are subject to HIPAA, and you suggested that identical training should be given to the MRPA-
covered units. This would have numerous benefits from an operational standpoint, and for some
units would aid in their educational mission. However, you identified at least two problems with this:

1. The State has provided no guidance clearly stating that HIPAA-compliant privacy
procedures will satisfy the requirements of the MRPA; and

2. The OCR has given some indication that adoption of HIPAA-compliant procedures for
non-HIPAA entities could result in those entities becoming subject to OCR

You also requested clarification regarding whether your office should be tasked with providing
MRPA training. Given the discussion below, which concludes that MRPA policies should be
substantially identical to HIPAA policies, and given your greater expertise in HIPAA matters, it is
OGC's suggestion that your office should provide all HIPAA and MRPA training. We are of course
available to assist in any way that you may require, and I for one would be interested in sitting
through your HIPAA training at the earliest opportunity.

Additional questions are also discussed below.

1. Adoption of HIPAA-compliant privacy policies to meet MRPA requirements.

A review of the MRPA suggests that it was intended to expand HIPAA-compliant rules to a broader
range of entities and more types of records. It clearly indicates an intent that its requirements be read
consistently with HIPAA. For instance, 181.005 authorizes the Commissioner to adopt rules
consistent with HIPAA; 181.102 requires covered entities to provide access to EHR unless HIPAA
rules permit access to be denied; 181.205 permits evidence of a covered entity's compliance with
HIPAA rules to be considered in mitigation of the penalties for a violation of MRPA.

Other than the expansion of coverage of privacy and security rules to a broader range of entities,
MRPA does not itself place many positive obligations on covered entities. Entities shall comply with
HIPAA (181.004); shall train employees (181.101); shall provide access to EHR (181.102); shall give
notice and obtain authorization prior to disclosure of PHI (181.154). Specific rules and guidance are
left to the discretion of state regulators, who have not yet produced any.

Thus, the principal requirement of MRPA, given the present lack of rules or other guidance, is for all
MRPA covered entities to adopt privacy practices that would comply with HIPAA rules.

It is therefore the opinion of the General Counsel's Office that, in the absence of contrary guidance,
training should be given to all covered entities, including those only covered by MRPA, and that the
training for all units should be consistent with HIPAA rules and practices.

2. Adoption of HIPAA-compliant policies in non-HIPAA entities.

While the handling and protection of records subject to MRPA but not HIPAA should be consistent
with HIPAA requirements, care should be taken to avoid any statement to the effect that non-
HIPAA entities comply with HIPAA requirements. MRPA-only entities should state that they
comply with MRPA requirements.

3. Are FERPA records exempt from MRPA coverage?

Consistency between HIPAA and MRPA compliance would, in General Counsel's opinion, include
consistency in the treatment of records that are covered by FERPA and therefore excepted from
HIPAA coverage. Such records should also be treated as exempt from MRPA coverage.

4. Are communications with prospective students relating to health and medical issues
covered by FERPA or MRPA?

If the prospective student enrolls and becomes a student, those communications are FERPA records.
Communications with a prospective student who does not matriculate to Baylor may be MRPA
records, and should be treated as such, and destroyed at the earliest opportunity. We should have no
significant record retention requirement for documents relating to students who do not enroll.