Colorado, Texas Laws Taking Effect Sept. 1 Impact Health Care Providers and Others
Organizations outside of health care may feel less comfortable complying with a new Colorado law than entities already covered by the Health Insurance Portability and Accountability Act (HIPAA), Aleksandra Vold, a BakerHostetler health privacy attorney, told Privacy Daily.
Health care providers and others will face new privacy requirements in Colorado and Texas starting on Monday. Immigration requirements from a Colorado law (SB-276) enacted in May, plus parts of a Texas law about health care records (SB-1188) from June, both take effect on Sept. 1.
Colorado's law has a Sept. 1 deadline for public or publicly supported entities, including child care centers, schools, libraries and health care facilities, to adopt policies related to collecting and disclosing immigration-related information (see 2508200045). The law carries penalties of up to $50,000 per violation. SB-276 otherwise took effect in May when it was signed by Gov. Jared Polis (D), including a separate section that added precise geolocation data as a form of sensitive data under the Colorado Privacy Act.
“The Colorado law is really aimed at ensuring that entities covered by the law are not, essentially volunteering information about their patrons, students, patients, and their parents to third parties without sufficient legal basis,” said Vold.
For the health care sector, "the law’s requirements of particular policies and procedures for releases of information are not onerous,” since “HIPAA already has strict requirements and conditions for when … covered entities are permitted to release patient information to law enforcement officials,” said the health privacy attorney: For many years, HIPAA-covered entities have been “required to have policies and procedures that document those requirements,” and they “have entire departments of specialists responsible for ensuring compliance.”
However, the requirements may look new to groups outside the health care industry that are covered by Colorado’s law, said Vold. “These requirements will certainly require significant policy and procedure creation, as there are no HIPAA-similar laws for the other entities covered by the Colorado law -- day cares, schools, and libraries. While the policies and procedures required by the law are not overly complicated to draft, it may take a change in culture to ensure that, as an organization, entities need to take a closer look at the types of requests for information they receive.”
Even HIPAA-covered entities should take notice of various ways that the Colorado law deviates from the federal law, said the attorney. For example, the state law prohibits “the collection of place of birth, immigration status, and documents like passports and permanent resident or alien registration cards unless required by law or to validate eligibility,” she said.
“Health care providers in Colorado should assess their patient intake questions to ensure that the demographic questions asked related to place of birth or immigration status or documents are not required fields unless a determination is made that such information is required (for instance, to verify insurance),” said Vold. “This may require coordination with their electronic health record vendor.”
Sometimes, “information about a patient’s parent or guardian is not considered protected health information subject to HIPAA and thus would not be within the scope of the entities’ HIPAA policies that are duplicative of the Colorado law’s requirements,” noted Vold. “Thus, Colorado health care entities should determine whether current policies need to be revised to include parental/guardian information or whether a separate non-HIPAA information release policy set should be created.”
However, a Colorado “requirement that healthcare providers inform the patient or parent ‘as appropriate’ is perhaps vague enough to require no change,” the lawyer said. “Entities do not routinely notify patients when the entities fulfill HIPAA-permissible records requests, though these requests are documented in the patient’s record if required by HIPAA.”
Likewise, a requirement to designate an employee for alerting “may not require any real change,” since HIPAA-covered entities “generally have release of information policies that state that their Health Information Management employees will be responsible for and receive all such requests,” said Vold. “That potentially satisfies the spirit of the law.”
On the other hand, Vold said, a Colorado “requirement to provide the policies on request is one that, while likely fairly easy to accommodate, may come as a surprise … as that is not a right patients have under HIPAA.”
Texas Swerves from Standard Practice
Meanwhile, in Texas, a health care records law taking effect Monday “applies to most healthcare providers and all health insurers, as well as a long list of businesses that collect, maintain or store health information (HI) of Texas residents,” Vold and her BakerHostetler colleague Hatim Tai wrote in an Aug. 19 blog post. “The law is not confined to those engaged in the traditional medical practice or” HIPAA-covered entities.
Some of the more unexpectedly covered entities include employers that store workers’ compensation or Family and Medical Leave Act documents, schools and universities that maintain student health center records, mobile health tracking apps and life insurance companies that collect medical information for their underwriting, said Vold and Tai.
A major part of SB-1188 that restricts offshoring health care records won’t apply until Jan. 1, but multiple other requirements start soon.
For example, a requirement that access “to electronic health records must be role-based and limited to those with a business or clinical need … applies to any electronic health record prepared on or after Sept. 1, 2025,” said the lawyers.
Also starting Monday, covered entities must add “strictly defined” fields in electronic records for biological sex, they said. “In other words, Texas is prohibiting deference to the patient’s nonbinary gender identity and a transgender person’s transition when documenting their ‘biological sex,’” the BakerHostetler lawyers said. “The law does permit notations of information related to the individual’s biological sex or gender identity in other areas of the record, however.”
The law additionally requires quick access by parents to their children’s full health records. “This deviates significantly from the standard practice in the industry,” said Vold and Tai. “When patients turn 12, most health systems transition parent/guardian access to their children’s electronic health records from full proxy access to a more limited proxy access. … This is to ensure that the child can confidentially share with their provider sensitive issues that could inform treatment -- topics like issues with self-harm, eating disorders and sexual activity. In most states, children 12 and older are able to direct and consent to their own healthcare, and some states use that authority as a demarcation line of when parental access is no longer appropriate.”
“The risks of noncompliance with the new [Texas] law are significant,” the lawyers added. “If an entity is found to have violated the law three or more times, the disciplinary actions available are the same as those available if the entity violated an applicable licensing or regulatory law. This includes suspension of licenses, registrations or certifications for a period determined appropriate by the agency.” The Texas attorney general could also seek civil penalties between $5,000 and $250,000 per violation.