A new law recently enacted in Texas (HB 300), [see http://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf ] bans for-profit sales of personal health information and sets up a process for notifying patients of any electronic transfer of their medical records. This law incorporates many provisions of HIPAA into the Texas Laws and imposes penalties for these violations that are even stiffer than the fines mandated by the HIPAA Laws. For example under HIPAA all covered entities are required to provide HIPAA training to their staff. Under the Texas Law “A covered entity shall require an employee of the entity who attends a training program described by Subsection (a) to sign, electronically or in writing, a statement verifying the employee ’s attendance at the training program. The covered entity shall maintain the signed statement.” so in Texas the method or recording the training is also specified.
Another item of concern in the legislation is “Sec.A181.153. SALE OF PROTECTED HEALTH INFORMATION PROHIBITED; EXCEPTIONS. (a) A covered entity may not disclose an individual ’s protected health information to any other person in exchange for direct or indirect remuneration. " There are exceptions to this rule which can be read on page 7 of the document. But if you are using a 'Free' online EMR that as part of their business practices uses the patient information for profit you may be violating this provision.
As of September 1, 2012, the day this law goes into effect, if you sell medical data you could be subject to fines of up to $3,000 per violation and the fines can go up to $1.5 million dollars. In some cases, in addition to the fines, your license can be placed under probation or suspended.