Posted By Mike Meyer, Friday, October 11, 2019
By Jay Reyero, JD, Partner, ByrdAdatto
Target. Equifax. Facebook. Capital One. For us, a data breach is a reminder that the sensitive information we routinely entrust to organizations has inherent value and can be subject to nefarious attacks. For organizations, it is a reminder of the great responsibility accepted because of the great power received from valuable information. For states across the country, it is a reminder that more needs to be done in the fight for privacy and protection of sensitive information. With the passage of House Bill 4390 (HB 4390), Texas has shown how it plans to address the privacy of personal identifying information.
Signed into law on June 14, 2019, HB 4390 amends Texas's privacy breach notification law—Texas Business and Commerce Code Chapter 521, Identity Theft Enforcement and Protection Act—by specifying a time frame for when notice of a breach is required and creating a notification requirement to state regulators. Beginning January 1, 2020, if a breach occurs and disclosure is required, the disclosure must be made "without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred." Previously, the disclosure only needed to be made "as quickly as possible."
It is important to understand that the 60-day time frame doesn't create a window for compliance, so organizations should not feel comfortable simply getting disclosures out by the 60th day to comply. Instead, organizations are first responsible to provide disclosure "without unreasonable delay," which, depending on the circumstances, could be well short of the 60 days. If the circumstances support a reasonable delay approaching 60 days, an organization will then need to ensure that disclosure is provided before the deadline.
Also, beginning January 1, 2020, HB 4390 requires notification to the attorney general for breaches involving at least 250 Texas residents. The notice will need to include:
All organizations subject to Texas's breach notification law should begin reviewing and updating their breach notification policies in preparation for the new rules in 2020.
In addition to the current changes to the Texas privacy breach notification law, HB 4390 signals that Texas is not done addressing privacy with the creation of the Texas Privacy Protection Advisory Council. The purpose of the council will be to study various privacy laws and make recommendations to the Texas legislature on specific changes regarding privacy and protection of sensitive information.
To learn more about legal and business best practices to keep your med spa compliant and profitable, attend one of AmSpa's Medical Spa & Aesthetic Boot Camps and become the next med spa success story.
Jay Reyero, JD, is a partner at the business, healthcare, and aesthetic law firm of ByrdAdatto. He has a background as both a litigator and transactional attorney, bringing a unique and balanced perspective to the firm's clients. His health care and regulatory expertise involves the counseling and advising of physicians, physician groups, other medical service providers and non-professionals. Specific areas of expertise include federal and state health care regulations and how they impact investments, transactions and various contractual arrangements, particularly in the areas of federal and state anti-referral, anti-kickback and HIPAA compliance.