This Texas law could affect how your practice handles patient and consumer data, even if you already comply with HIPAA.

The Texas Data Privacy and Security Act (TDPSA) took effect on July 1, 2024, marking a significant shift in how businesses must handle personal data. If it applies to your practice, it may require meaningful updates to your policies and procedures.
Who Must Comply?
The law applies to individuals and businesses, referred to as “controllers,” that do business in Texas or offer goods and services to Texas residents and that process or sell personal data. It also generally excludes small businesses as defined by the U.S. Small Business Administration, unless the business sells sensitive personal data. In that case, it must comply with the TDPSA’s consent requirements even if it qualifies as a small business.
The term “processing” includes collecting, storing, using, disclosing, analyzing, modifying, or deleting personal data. So, if your practice interacts with Texas residents and handles their personal information in any of these ways, it may fall under the TDPSA.
Are Healthcare Practices Exempt?
Many healthcare practices are already governed by federal privacy laws, which means they may be exempt from some or all of the TDPSA. The law specifically does not apply to:
- Entities or business associates governed by HIPAA and HITECH, including those that manage or transmit protected health information for treatment, payment, or operations
- Nonprofits
- State agencies
- Utility providers
- Institutions of higher education
- Financial institutions
- Employee data and any information already covered by HIPAA or similar state or federal laws
If your practice is a HIPAA-covered entity, the TDPSA likely does not apply to the health data you already protect. However, it may still apply to other personal data your practice collects, especially through websites, social media, or marketing tools outside HIPAA’s scope.
What Rights Do Consumers Have?
The TDPSA gives Texas residents new rights over how their personal data is handled. They can confirm whether their data is being processed, access it, correct inaccuracies, delete it, and request a portable copy. They also have the right to opt out of certain uses of their data, including targeted advertising, data sales, and profiling used to make significant decisions about them.
Businesses must honor these requests and support at least two reliable methods for consumers to opt out. This could include browser settings or device-level privacy controls. Once a request is verified, the business must act on it.
Sensitive Data and Consent
Under the TDPSA, practices and businesses must get consent before collecting or using sensitive personal data. This includes data that reveals a person’s race, religion, health diagnoses, sexual orientation, citizenship, or immigration status. It also covers genetic and biometric data used for identification, precise geolocation data, and any data collected from children under age 13.
Required Policies and Agreements
To meet the law’s transparency requirements, businesses must maintain a privacy policy that discloses whether they sell sensitive or biometric data. If so, the policy must include the following language exactly: “NOTICE: We may sell your sensitive personal data/biometric data.”
In addition, practices that rely on third parties to manage data must enter into data processing agreements with those vendors. These agreements define how data can be handled and ensure both parties comply with the TDPSA.
Data Use Limits and Risk Assessments
The law also includes a data minimization requirement. This means businesses should only collect and use personal data when it is reasonably necessary to accomplish a specific purpose. If your practice performs higher-risk activities, such as selling personal data, handling sensitive data, or using data in a way that could significantly affect someone, then a formal data protection assessment is required. This assessment should examine the benefits, risks, and safeguards involved in the activity.
Enforcement and Penalties
The Texas Attorney General enforces the TDPSA. If your practice is found to be in violation, you will have 30 days to fix the problem and provide written documentation showing that the issue has been resolved. You must also notify affected consumers. If you do not cure the violation within this window, the state may impose penalties of up to $7,500 per violation.
What Should Your Practice Do?
Even if you already follow HIPAA, your practice may be handling non-health data that requires a second look. If this is the case, it is vital to have clear procedures for collecting and using personal data. That includes updating your privacy policy, setting up opt-out tools, obtaining consent where required, and training your staff on how to respond to data requests.
Get Legal Support
Not sure whether the TDPSA applies to your practice? You don’t have to navigate the layers of overlapping and sometimes conflicting privacy laws on your own. If you operate in one of the states where we are licensed, you can schedule a consultation to speak with a healthcare attorney about your obligations and next steps.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.