Standards & Vendors
Review the break down of standards & multiple vendors to assist with SECURETexas multiple vendors to assist with you. VendorsSECURETexas Standards
Standards for Confidential Information In Any Form:
- 390.2(a)(4)(A)(i) – Cancer
- 390.2(a)(4)(A)(ii) – HIV/AIDs
- 390.2(a)(4)(A)(iii) – Genetic
- 390.2(a)(4)(A)(iv) – Sexual Assault
- 390.2(a)(4)(A)(v) – Communicable Diseases
- 390.2(a)(4)(A)(vi) – Mental Health
- 390.2(a)(4)(A)(vii) – Substance Abuse/Disorder
- 390.2(a)(4)(A)(viii) – Immunizations
- 390.2(a)(4)(A)(ix) – Bureau of Vital Statistics
- 390.2(a)(4)(A)(x) – Reports of Abuse or Neglect
- 390.2(a)(4)(A)(xi) – Federal Tax Information
- 390.2(a)(4)(A)(xii) – Social Security Administration Data
- 390.2(a)(4)(A)(xiii) – Occupational Diseases
- 390.2(a)(4)(A)(xiv) – Family Planning
- 390.2(a)(4)(A)(xv) – Government Benefits
Standards for Providers, Facilities & Services:
- 390.2(a)(4)(B)(i) – Hospitals
- 390.2(a)(4)(B)(ii) – Nursing Facilities
- 390.2(a)(4)(B)(iii) – ICF/IID
- 390.2(a)(4)(B)(iv) – Freestanding Emergency Medical Care Facilities
- 390.2(a)(4)(B)(v) – Ambulatory Surgical Centers
- 390.2(a)(4)(B)(vi) – Emergency Medical Services
- 390.2(a)(4)(B)(vii) – Physicians
- 390.2(a)(4)(B)(viii) – Chiropractors
- 390.2(a)(4)(B)(ix) – Dentists
- 390.2(a)(4)(B)(x) – Labs
- 390.2(a)(4)(B)(xi) – Pharmacists
- 390.2(a)(4)(B)(xii) – Podiatrists
- 390.2(a)(4)(B)(xiii) – PHR Vendors
- 390.2(a)(4)(B)(xiv) – End Stage Renal Disease Facilities
- 390.2(a)(4)(B)(xv) – Special Care Facilities
- 390.2(a)(4)(B)(xvi) – Private Psychiatric Hospitals & Crisis Stabilization Units
- 390.2(a)(4)(B)(xvii) – Birthing Centers
- 390.2(a)(4)(B)(xviii) – Applicable Health Professions
- 390.2(a)(4)(B)(xviii)(I) – Licensed Chemical Dependency Counselors & Treatment Facilities
- 390.2(a)(4)(B)(xviii)(II) – Medical Radiologic Technologists
- 390.2(a)(4)(B)(xviii)(III) – Dyslexia Therapists & Dyslexia Practitioners
- 390.2(a)(4)(B)(xviii)(IV) – Promoters of Community Health Workers
Standards for Specific Types of Individuals
- 390.2(a)(4)(C)(i) – Minors
- 390.2(a)(4)(C)(ii) – Children with Special Care Needs
- 390.2(a)(4)(C)(iii) – Early & Periodic Screening, Diagnosis, & Treatment
HIPAA
nThe Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes a set of national standards for the use and disclosure of an individual’s health information – called protected health information – by covered entities, as well as standards for providing individuals with privacy rights to understand and control how their health information is used.
The Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”) and to their business associates.
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.
Texas Law/Acts
Texas Medical Records Privacy Acts
Texas Identity Theft Enforcement & Protection Act
Ready to talk?
Our team is happy to answer any questions or comments regrading our products & certification. Click on the button below and we’ll get back to you shortly!
SECURETexas Vendors
The Texas Health Services Authority (the Authority) partners with multiple vendors to assist with SECURETexas Certifications.
SECURETexas Preferred Vendor
Citiscape IT, P.C.
Learn more here: citiscapeit.com
Jacobian Engineering.
Learn more here: https://jacobianengineering.com/
Jackson Lewis, P.C.
Learn more here: jacksonlewis.com
Latitude Information Security
Learn more here: latitudeinfosec.com
NCC Group Security Services
Learn more here: https://www.nccgroup.com/
Online Business Services
Learn more here: obsglobal.com
Orbzen
Learn more here: orbzen.com
PwC
Learn more here: pws.com
Third Rock
Learn more here:thirdrock.com
SECURETexas Frameworks
Recognized Frameworks
HITRUST CSF
NIST Cybersecurity Framework
Want More Info?
Certification FAQs
Use the accordions to learn about frequently asked questions about SECURETexas. These questions cover a wide range of topics. If your question can not be answer please contact our team with the button below.
What is SECURETexas?
Why certify through SECURETexas?
How much does SECURETexas Certification cost?
See the THSA’s page on SECURETexas Certification Pricing. Please note that certification pricing is in addition to the price of conducting an assessment with a preferred vendor.
How does my organization become SECURETexas certified?
Steps to attaining SECURETexas certification:
- Are you eligible? Determine whether your organization is an entity who should get certified.
- Review the certification standards. Does your entity have policies and procedures covering each of the SECURETexas certification standards?
- Conduct a SECURETexas assessment. Contact one of our SECURETexas Preferred Vendors to conduct an assessment of your organization’s compliance against the SECURETexas standards.
- Certify your assessment. Once the preferred vendor completes your assessment, the vendor will refer the assessment to the THSA for review and certification.
- Re-Certify. SECURETexas certification lasts for two years, at which time the covered entity will re-assess and re-certify their compliance with the SECURETexas standards.
How does this relate to or reduce HIPAA fines and penalties?
Pursuant to 45 C.F.R. 160.408(c), in determining the amount of a civil money penalty, the Secretary of the U.S. Department of Health and Human Services will consider mitigating factors, including the covered entity’s “history of prior compliance with the administrative simplification provisions.” The SECURETexas standards cover the HIPAA privacy, security, and breach notification regulations (i.e., the administrative simplification provisions). Therefore, certification provides the covered entity with evidence displaying this prior compliance, thus potentially reducing any civil money penalties under HIPAA:
- Between $100-$50,000 for each violation up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if the entity did not know of the violation.
- Between $1,000-$50,000 for each violation up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if there was a reasonable cause for the violation.
- Between $10,000-$50,000 for each violation up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if there was a willful neglect but the organization too corrective action.
- $50,000 for each violation up to a maximum of $1,500,000 for all violations of an identical provision in a calendar year, if there was willful neglect and the organization did not take corrective action.
How does this relate or reduce Texas fines and penalties?
Pursuant to Texas Health and Safety Code Section 181.201(b), the Texas Office of the Attorney General may institute an action for civil penalties against a Texas covered entity for violation of the Texas Medical Records Privacy Act not to exceed:
- $5,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed negligently.
- $25,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed knowingly or intentionally.
- $250,000 for each violation in which the covered entity knowingly or intentionally used PHI for financial gain.
- Up to $1,500,000 if the court finds that the violations have occurred with a frequency to constitute a pattern or practice.
However, pursuant to Sections 181.201 and 181.205, Health & Safety Code, when imposing civil or administrative penalties against a Texas covered entity for a violation of the Texas Medical Records Privacy Act, the court must consider six factors, including whether the covered entity maintained the SECURETexas certification at the time of the violation. Furthermore, SECURETexas may help prove another mitigating factor – the covered entity’s compliance history – that will reduce the amount of the civil or administrative penalty. The results of the certification can act as evidence of the covered entity’s compliance with the Texas Medical Records Privacy Act.
MORE ON SECURETexas CERTIFICATION
What is SECURETexas
If you or your organization uses, stores and/or exchanges protected health information (PHI), you are considered a “covered entity” as defined by Texas Medical Records Privacy Act and would benefit from certification.
Should I Get Certified?
If you or your organization uses, stores and/or exchanges protected health information (PHI), you are considered a “covered entity” as defined by Texas Medical Records Privacy Act and would benefit from certification.
Certification Pricing
SECURETexas certification pricing is based on the covered entity’s number of employees. Please note that certification pricing is in addition to the price paid to the SECURETexas preferred vendor for assessment services.