By Maxey
H.B. No. 3254
76R1447 JRD-F

A BILL TO BE ENTITLED
AN ACT
relating to the privacy of public health information.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subtitle D, Title 2, Health and Safety Code, is amended by adding Chapter 93 to read as follows:

CHAPTER 93. PUBLIC HEALTH PRIVACY ACT

SUBCHAPTER A. GENERAL PROVISIONS

Sec. 93.001. SHORT TITLE. This chapter may be cited as the Public Health Privacy Act.

Sec. 93.002. UNIFORMITY PROVISION. This chapter is a uniform Act intended to be applied and construed to effectuate its general purpose to make uniform the law among states enacting it with respect to the subject of this chapter.

Sec. 93.003. LEGISLATIVE FINDINGS. The legislature finds that:
(1) public health agencies acquire, use, disclose, or store an increasing amount of information about individuals related to their health, some of which is highly sensitive, that is maintained in paper and electronic formats for public health purposes;
(2) uses of information related to individuals' health for public health purposes are critically important to preserving, monitoring, and improving population-based health as well as the personal health of individuals;
(3) each individual has significant privacy interests with respect to personally identifiable information about the individual's health;
(4) individual privacy interests in information related to health that is in the possession of public health agencies justify:
(A) the imposition of duties and limitations concerning the acquisition, use, disclosure, and storage of the information;
(B) the establishment of rights concerning individual access to the information; and
(C) the imposition of security protections governing the information;
(5) an individual's interests in the privacy of information related to the
individual's health are significantly reduced when the information is collected, used, disclosed, or stored in a form that is not personally identifiable to the individual;
(6) a public health agency has a significant interest in protecting the privacy of information related to health in its possession whenever protecting the privacy of the information may tend to encourage individuals to participate in public health programs and objectives; and
(7) though public health agencies generally protect the privacy interests of individuals in information related to health that is possessed by the agencies, additional statutory protections will further clarify and protect individual privacy interests while facilitating without jeopardizing public health objectives.

Sec. 93.004. PURPOSES. The purposes of this chapter are to:
(1) address privacy and security issues arising from the acquisition, use, disclosure, and storage of protected health information by state and local public health agencies;
(2) protect information related to health in the possession of public health agencies against unauthorized disclosures without significantly limiting the ability of public health agencies to use the information for public health purposes;
(3) encourage extensive use and disclosure of public health information that is not personally identifiable because use and disclosure of this information does not implicate individual privacy and security concerns and may greatly facilitate the accomplishment of public health purposes;
(4) require that the acquisition and use of protected health information by a public health agency be consistent with public health purposes;
(5) prohibit most disclosures of protected health information without the informed consent of the individual who is the subject of the information and allow disclosure
without informed consent only under specified and narrow circumstances;
(6) impose a duty on public health agencies to hold and use protected health information securely;
(7) impose a general duty on public health agencies to ensure the accuracy of public health information;
(8) provide an individual who is the subject of public health information held by a public health agency access to the information and the right to inspect and copy the information;
(9) provide an individual who is the subject of public health information held by a public health agency an opportunity to request the correction, amendment, or deletion of erroneous or incomplete information; and
(10) prescribe various criminal penalties and civil enforcement mechanisms to protect individuals who are harmed by wilful or negligent violations of this chapter by public health agencies, public health officials, and other persons.

Sec. 93.005. DEFINITIONS. In this chapter:
(1) "Amend" means to indicate one or more entries in protected public health information are disputed or to change the entry without obliterating the original information.
(2) "Confidentiality statement" means a written statement dated and signed by the individual agreeing to the statement that certifies the individual's agreement to abide by the security policy of a public health agency and with the provisions of this chapter.
(3) "Disclose" and "disclosure" mean to release, transfer, disseminate, provide access to, or otherwise communicate or divulge all or any part of any protected health information to any person or entity other than a public health agency or a public health official who has been authorized by a public health agency to receive the information.
(4) "Expunge" means to permanently destroy or delete information or to make the information not personally identifiable to an individual.
(5) "Health oversight agency" means:
(A) an agency in the executive branch of state or local government that performs or oversees an assessment, investigation, or prosecution relating to compliance with legal or fiscal standards or claims of fraud in the health care industry, the health equipment industry, or a related field; or
(B) a person who performs an activity described by Paragraph (A) on behalf of or at the direction of the health oversight agency or under a duty imposed by state or federal law.
(6) "Institutional review board" means any board, committee, or other group formally designated by an institution or authorized under federal or state law to review, approve the initiation of, or conduct periodic review of research programs to assure the protection of the rights and welfare of human research subjects, consistent with requirements of the Federal Policy for the Protection of Human Subjects.
(7) "Nonidentifiable health information" means any information, whether communicated orally or recorded in writing or in an electronic, visual, or other form, that relates to an individual's past, present, or future physical or mental health status, condition, treatment, receipt of health services, receipt of health care, or purchase of products related to health care and that:
(A) does not reveal the identity of the individual; and
(B) does not tend to reveal the identity of the individual, even if used in conjunction with other information that it is reasonable to believe would be available to others.
(8) "Protected health information" means any information, whether communicated orally or recorded in writing or in an electronic, visual, or other form, that relates to an individual's past, present, or future physical or mental health status, condition, treatment, receipt of health services, receipt of health care, or purchase of products related to health care and that:
(A) reveals the identity of the individual; or
(B) tends to reveal the identity of the individual if used alone or in conjunction with other information that it is reasonable to believe would be available to others.
(9) "Public health" means population-based activities or efforts, including individual efforts, the primary purposes of which are the promotion of health or the prevention of injury, disease, or premature death.
(10) "Public health agency" means an organization operated by a state or local government that acquires, uses, discloses, or stores protected health information for public health purposes.
(11) "Public health official" means an officer, employee, private contractor, private agent, intern, or volunteer of a public health agency who is authorized by the agency or under law to acquire, use, disclose, or store protected health information.
(12) "Public health purpose" includes:
(A) assessing public health status and needs through surveillance and epidemiological research;
(B) developing public health policy;
(C) responding to public health needs and public health emergencies; and
(D) other public health activities authorized under law.
(13) "Public information" means information that may be inspected, reviewed, or obtained by the general public.
(14) "Request" means a written, dated, and signed request of protected health information in paper or electronic form through which the identity of the person making the request can be accurately verified.
(15) "Requestor" means an individual, the legal parent or guardian of a minor, or the court-appointed guardian of an individual who requests health information.
(16) "Store" and "storage" mean to hold, maintain, keep, or retain all or any part of protected health information.

SUBCHAPTER B. ACQUISITION OF PROTECTED HEALTH INFORMATION

Sec. 93.031. ACQUISITION OF INFORMATION. (a) A public health agency may acquire protected health information only if:
(1) the acquisition directly relates to a public health purpose;
(2) the acquisition is reasonably likely to achieve the public health purpose in accordance with this chapter and other law considering the resources and means available to achieve the purpose; and
(3) the public health purpose cannot be achieved as well with nonidentifiable health information.
(b) Protected health information may not be secretly acquired by a public health agency.
(c) This section applies to the acquisition of protected health information from a federal, state, or local public health agency as well as from other sources.

SUBCHAPTER C. USE OF PROTECTED HEALTH INFORMATION

Sec. 93.061. USE CONSISTENT WITH ORIGINAL PURPOSE. Protected health information may only be used by public health agencies for public health purposes that are reasonably related to the purpose for which the information was acquired.

Sec. 93.062. SUBSEQUENT USE.
A public health agency may use protected health information for public health purposes that are not reasonably related to the purpose for which the information was acquired only if the agency could have originally acquired the information for that purpose under Subchapter B.

Sec. 93.063. SCOPE OF USE. (a) A public health agency shall use only nonidentifiable health information to the extent possible to accomplish a public health purpose.
(b) The agency shall use protected health information only in accordance with this chapter and to the minimum extent reasonably believed to be necessary to accomplish a public health purpose.

Sec. 93.064. COMMERCIAL USE PROHIBITED. A public health agency or public health official may not use protected health information for a commercial purpose.

Sec. 93.065. EXPUNGING INFORMATION. A public health agency shall expunge in a confidential manner protected health information the use of which no longer furthers any public health purpose.

SUBCHAPTER D. DISCLOSURE OF PROTECTED HEALTH INFORMATION

Sec. 93.101. INFORMATION NOT PUBLIC. Except as provided by this chapter, protected health information is not public information and may not be disclosed without the informed consent of the individual or the representative of the individual who is the subject of the information.

Sec. 93.102. INFORMED CONSENT. (a) For the purposes of this chapter, informed consent means a written authorization to disclose public health information made on a form substantially similar to a form to be prescribed by the department that is signed in writing or electronically by the individual who is the subject of the information. The authorization must be dated and must specify to whom the disclosure is authorized, the general purpose of the disclosure, and the period during which the authorization is effective.
(b) An individual may revoke an authorization in writing at any time. The individual is responsible for informing the person who originally received the authorization that it has been revoked.
(c) If the authorization does not contain an expiration date or has not previously been revoked, it automatically expires six months after the date it is signed.
(d) A general authorization for the disclosure of information related to health is not sufficient to authorize disclosure of protected health information for purposes of this chapter unless the authorization complies with this section.
(e) If the individual who is the subject of protected health information is not competent or is otherwise legally unable to give informed consent for the disclosure of protected health information, written authorization under Subsection (a) may be provided by the individual's parent, guardian, or other person authorized under law to make health care decisions for the individual. For the purposes of this subsection, a minor under the age of 14 is not considered competent to give informed consent.

Sec. 93.103. SCOPE OF DISCLOSURE. (a) Protected health information may be disclosed with the informed consent of the individual who is the subject of the information to persons and for purposes that are authorized under the terms of the informed consent.
(b) Whenever this chapter allows the disclosure of protected health information without the informed consent of the individual who is the subject of the information, the information shall be disclosed in a nonidentifiable form to the extent consistent with accomplishing the public health purpose unless the disclosure is in fact made with the informed consent of the individual who is the subject of the information.
(c) Whenever this chapter allows the disclosure of protected health information without the informed consent of the individual who is the subject of the information and the information is not disclosed in a nonidentifiable form, the disclosure shall be limited to the minimum amount of information that the person making the disclosure reasonably believes is necessary to accomplish the purpose of the disclosure unless the disclosure is in fact made with the informed consent of the individual who is the subject of the information.
(d) Whenever a disclosure of protected health information is made under this chapter, the disclosure shall be accompanied by a statement in writing, or followed within three days by a statement in writing if the information was disclosed orally, concerning the public health agency's policy on disclosure. The statement must include the following language or substantially similar language: "This information has been disclosed to you from confidential public health records protected by state and federal law. State or federal law may prohibit any further disclosure of this information in an identifiable form without the written informed consent of the person who is the subject of the information, unless otherwise permitted by law. Unauthorized disclosure of this information may result in significant criminal or civil penalties, including incarceration or monetary damages."

Sec. 93.104. DISCLOSURE WITHOUT INFORMED CONSENT.
Protected health information may be disclosed without the informed consent of the individual who is the subject of the information only if the disclosure is made:
(1) directly to the individual;
(2) for a public health, epidemiological, medical, or health services research purpose and:
(A) it is not feasible to obtain the informed consent of the individual who is the subject of the information;
(B) the use of identifiable information is necessary for the effectiveness of the research project;
(C) the minimum amount of information necessary for the effectiveness of the project is disclosed;
(D) the research will probably contribute to achieving a public health purpose;
(E) the information is made nonidentifiable at the earliest opportunity consistent with the effectiveness of the research project and is expunged by the persons conducting the project at the conclusion of the project; and
(F) the disclosure is made under a confidentiality agreement executed after review and approval by an institutional review board that requires any person receiving the information to adhere to protections for the privacy and security of the information that meet or exceed the protections required by this chapter;
(3) to appropriate federal agencies or authorities under a requirement of state or federal law; or
(4) to health care personnel in a medical emergency to the extent necessary to protect the health or life of the individual who is the subject of the information.

Sec. 93.105. DISCLOSURE IN LEGAL PROCEEDING.
(a) Protected health information may not be disclosed in a civil, criminal, administrative, or other legal proceeding, including any disclosure in response to a subpoena, as part of discovery, or through the testimony of any person who has knowledge about the information because of its acquisition by a public health agency, except in accordance with this section.
(b) A court may grant an order authorizing the disclosure of protected health information on an application by a public health agency or public health official showing:
(1) there exists a clear danger to an individual whose life or health may unknowingly be at significant risk as a result of contact with the individual who is the subject of the information;
(2) there exists a clear danger to the public health that may be averted or mitigated through disclosure by the public health agency or public health officer; or
(3) that the applicant is lawfully entitled to disclose the information under this chapter.
(c) On receiving an application for an order authorizing disclosure under this section, the court shall enter an order directing that all materials that are part of the application and decision of the court be sealed. The materials may not be made available to any person except to the extent necessary to conduct proceedings concerning the application, including any appeal. The order also shall direct that all proceedings concerning the application be conducted in camera.
(d) An individual who is the subject of the information and any person in possession of the information from whom the information is sought shall be notified of an application for its disclosure.
(e) An individual who is the subject of the information and any person in possession of the information from whom the information is sought may file a written response to the application or appear in person for the limited purpose of providing evidence on the statutory criteria for the issuance of an order under this section. The court may grant an order without the required notice or appearance if the application by a public health agency or public health officer requires immediate action to avert or mitigate a clear danger to the public health.
(f) In assessing whether clear danger exists, the court shall weigh the need for disclosure against the privacy interests of the individual who is the subject of the information and any public health purpose that may be adversely affected by disclosure. The court shall provide written findings of fact regarding the court's determination.
(g) An order authorizing disclosure of protected health information shall:
(1) limit disclosure to the information that is necessary under the facts of the application;
(2) limit disclosure to those persons who need the information and specifically prohibit those persons from disclosing the information to any other person who is not authorized to receive the information;
(3) include any other measures that the court considers necessary to limit any disclosure not authorized by the order; and
(4) conform to the other provisions of this chapter to the extent possible.

Sec. 93.106. DISCLOSURE FOR HEALTH OVERSIGHT PURPOSES.
A public health agency may disclose protected health information to a health oversight agency to enable the agency to perform a health oversight function authorized by law if:
(1) the public health agency is itself the focus of the oversight inquiry;
(2) the protected health information is not removed from the premises, custody, or control of the public health agency; and
(3) the health oversight agency does not record the names or other identifying information of an individual from patient or client files.

Sec. 93.107. DECEASED INDIVIDUALS. (a) This chapter does not prohibit the disclosure of protected health information:
(1) in a certificate of death, autopsy report, or related documents prepared under applicable laws or rules;
(2) for the purpose of identifying a deceased individual;
(3) for the purpose of determining a deceased individual's manner of death by a chief medical examiner or the examiner's designee; or
(4) to provide necessary information about a deceased individual who is a donor or prospective donor of an anatomical gift.
(b) The rights of a deceased individual under this chapter may be exercised for a period of two years after the date of death by one of the following individuals in the following order of priority, subject to any written limitations or restrictions made by the decedent:
(1) an executor or administrator of the estate of a deceased individual, or an executor or administrator soon to be appointed in accordance with a will or other legal instrument;
(2) a surviving spouse or domestic partner;
(3) an adult child;
(4) a parent; or
(5) another person authorized by law to act for the individual decedent.

Sec. 93.108. SECONDARY DISCLOSURE.
A person to whom protected health information has been disclosed under this chapter may not disclose the information in an identifiable form to another person except as authorized by this chapter. This section does not apply to:
(1) the individual who is the subject of the information;
(2) the individual's parent, guardian, or other person lawfully authorized to make health care decisions for the individual where the individual who is the subject of the information is unable to give informed consent under this chapter; or
(3) a person who is specifically required by federal or state law to disclose the information.

Sec. 93.109. RECORD OF DISCLOSURE. (a) A public health agency shall establish a written or electronic record of any disclosure of protected health information made under this chapter. The record of disclosure is itself protected health information.
(b) A record of disclosure must include the following information:
(1) the name, title, address, and institutional affiliation, if any, of the person to whom protected health information is disclosed;
(2) the date and purpose of the disclosure;
(3) a brief description of the information disclosed; and
(4) the legal authority for the disclosure.
(c) The record of disclosure shall be maintained by the public health agency for a period of ten years, even if the protected health information disclosed is no longer in the agency's possession.

SUBCHAPTER E. SECURITY SAFEGUARDS AND RECORDS RETENTION

Sec. 93.151. DUTY TO HOLD INFORMATION SECURELY. (a) Public health agencies have a duty to acquire, use, disclose, and store protected health information in a confidential and secure manner.
(b) Public health agencies and recipients of protected health information disclosed by an agency, other than a recipient who is the subject of the information or such a recipient's representative, shall take appropriate measures to protect the security of the information, including:
(1) maintaining the information in a physically secure environment by taking measures such as:
(A) minimizing the number of physical places in which the information is used or stored; and
(B) prohibiting the use or storage of the information in places where the security of the information is likely to be breached or is otherwise significantly threatened;
(2) maintaining the information in a technologically secure environment;
(3) identifying and limiting the persons that have access to the information to those who have a demonstrable need to access the information;
(4) reducing the length of time that the information is used or stored in a personally identifiable form to the period that is necessary for the use of the information;
(5) eliminating unnecessary physical or electronic transfers of the information;
(6) destroying unnecessary duplicate copies of the information;
(7) developing and distributing written guidelines consistent with this chapter concerning the preservation of the security of the information;
(8) assigning personal responsibility to each person who acquires, uses, discloses, or stores the information for preserving its security;
(9) providing initial and periodic security training to all persons who acquire, use, disclose, or store the information;
(10) investigating thoroughly any potential or actual breaches of security concerning the information;
(11) imposing disciplinary sanctions for any breaches of security when appropriate; and
(12)
undertaking continuous review and assessment of security standards.
(c) Wherever protected public health information is accessible to public health officials, there shall be a prominently displayed notice concerning the agency's disclosure policy that includes the following language or substantially similar language: "Protected health information contains health-related information about individuals that may be highly sensitive. This information is entitled to significant privacy protections under state and federal law. The disclosure of this information outside public health agencies in an identifiable form is prohibited without the informed written consent of the person who is the subject of the information unless the disclosure is specifically permitted by state or federal law. Unauthorized disclosure of this information may result in significant criminal or civil penalties, including incarceration and monetary damages."
(d) All public health officials or other persons having authority at any time to acquire, use, disclose, or store protected health information shall:
(1) be individually informed of the person's personal responsibility to preserve the security of protected health information;
(2) execute a confidentiality statement before entering the premises of the public health agency, or as soon afterwards as possible, and review written guidelines consistent with this chapter concerning the preservation of the security of the information;
(3) fulfill their personal responsibility for preserving the security of protected health information to the degree possible; and
(4) report to the public health information officer any known breaches of security or actions that may lead to security breaches.
(e) The identity of any person making a report under Subsection (d)(4) may not be disclosed to anyone, other than investigating public health or law enforcement officers, without the consent of the person making the report.

Sec. 93.152. ESTABLISHMENT OF PUBLIC HEALTH INFORMATION OFFICER. (a) Each public health agency shall appoint or designate a public health official as the agency's public health information officer.
(b) The public health information officer has overall responsibility for preserving the security of all public health information in a manner consistent with this section and this chapter generally. The public health information officer shall report directly to the highest ranking public health official at the agency.
(c) The public health information officer shall perform all duties as required by this section and this chapter generally, including:
(1) monitoring the acquisition, use, disclosure, and storage of protected health information to ensure those activities are conducted in a physically and technologically secure environment;
(2) developing and implementing written policies and guidelines to preserve the security of protected health information, including developing a model confidentiality statement for use under Section 93.151(d)(2);
(3) coordinating the assignment of personal responsibility to each person who acquires, uses, discloses, or stores protected health information for preserving its security;
(4) acting as the agency's principal investigator for each investigation of any breach of security;
(5) recommending disciplinary sanctions for any breaches of security to the highest ranking public health official at the agency, who shall be responsible for issuing and implementing any sanctions;
(6) coordinating with federal, state, or local
authorities, as appropriate, in the investigation of any potential or actual breach of security; and
(7) preparing any report required under Section 93.153.

Sec. 93.153. ISSUANCE OF PUBLIC REPORTS. (a) Each public health agency shall prepare annually a report concerning the status of security protections of protected health information that shall be sent to the public health information officer for the department at the time requested by the department. The report shall be prepared in accordance with guidelines issued by the public health information officer for the department.
(b) The public health information officer for the department shall prepare a summary report on the status of security protections of protected health information for all public health agencies in this state within 60 days after the date on which reports required under Subsection (a) are requested. This report shall be issued to the legislature together with any recommendations for amendments to state law that are relevant to improving the security of protected health information.
(c) A report prepared under this section may not contain any protected health information or other personally identifiable information.
(d) Reports prepared under this section are public information.

SUBCHAPTER F. FAIR INFORMATION PRACTICES

Sec. 93.201. INDIVIDUAL ACCESS TO PUBLIC HEALTH INFORMATION. (a) This section applies to a request by an individual who is the subject of protected health information, or by the parent or guardian of the individual, to inspect or copy the information when it is in the possession of a public health agency.
(b) The public health agency may place reasonable limitations on the time, place, and frequency of any inspections.
22-19 A public health agency may request the opportunity to review the
22-20 information with the requestor but such a review may not be a
22-21 prerequisite to providing the information.
22-22 (c) Any information contained in the information regarding
22-23 the individual that relates to the health status of other persons
22-24 or to other confidential information regarding other persons shall
22-25 be deleted before the information is inspected or copied under this
22-26 section.
22-27 (d) Any information contained in the information regarding
23-1 the individual that is not related to the requestor's health status
23-2 may be deleted before the information is inspected or copied under
23-3 this section.
23-4 (e) A public health agency may deny a request to inspect or
23-5 copy protected health information under this section if:
23-6 (1) the public health agency can, if its denial is
23-7 appealed, show by clear and convincing evidence that the review of
23-8 the protected health information will cause substantial and
23-9 identifiable harm to the requestor or others that outweighs the
23-10 requestor's right to access the information;
23-11 (2) an individual over the age of 14 for whom a parent
23-12 or guardian has requested information objects to its disclosure to
23-13 the parent or guardian within seven calendar days after the date
23-14 the individual receives written notice of the request from the
23-15 public health agency; or
23-16 (3) the information is compiled principally in
23-17 anticipation of, or for use in, a legal proceeding, including a
23-18 legal proceeding before an administrative agency.
23-19 (f) The public health agency shall notify the requestor in
23-20 writing of the reasons for denying a request under this section,
23-21 including a denial for the reason that the agency does not have in
23-22 its possession any requested protected health information relating
23-23 to the requestor.
23-24 (g) A requestor may appeal a denial of access under this
23-25 section through an administrative review procedure prescribed for
23-26 this purpose by the department.
23-27 Sec. 93.202. ACCURACY OF INFORMATION. (a) Public health
24-1 agencies shall reasonably ensure the accuracy and completeness of
24-2 protected health information.
24-3 (b) After inspecting or reviewing copies of protected health
24-4 information under Section 93.201, the requestor may request that
24-5 the public health agency correct, amend, or delete erroneous,
24-6 incomplete, or false information.
24-7 (c) A brief written statement from the requestor challenging
24-8 the veracity of the protected health information shall be retained
24-9 by the public health agency while it possesses the information.
24-10 The public health agency shall note on the disputed portions of the
24-11 protected health information the original language and the
24-12 requestor's proposed change and disclose the notation on request to
24-13 any person who is authorized to receive the protected health
24-14 information.
24-15 (d) The public health agency shall correct, amend, or delete
24-16 erroneous, incomplete, or false information within 14 calendar days
24-17 after the date it receives a request to do so if it determines that
24-18 the modification is reasonably supported by the facts. The
24-19 requestor has the burden of proving that the information needs to
24-20 be corrected, amended, or deleted.
24-21 (e) The requestor shall be notified in writing of any
24-22 corrections, amendments, or deletions made, or, in the alternative,
24-23 the reasons for denying any request under this section in whole or
24-24 in part.
24-25 (f) The requestor may appeal a decision under this section
24-26 through an administrative review procedure prescribed for this
24-27 purpose by the department.
25-1 (g) A public health agency shall take reasonable steps to
25-2 notify all persons indicated by the requestor, or others for which
25-3 known disclosures have previously been made, of corrections,
25-4 amendments, or deletions made to protected information.
25-5 Sec. 93.203. APPEALS. (a) If an administrative review
25-6 procedure under this subchapter has been exhausted, the requestor
25-7 may appeal the decision of the public health agency to a Travis
25-8 County district court or to a district court in the county in which
25-9 the requestor resides.
25-10 (b) The court shall determine whether there exists a
25-11 reasonable basis for the action or decision of the public health
25-12 agency by conducting an in camera review of the relevant protected
25-13 health information, the administrative record, and other admissible
25-14 evidence.
25-15 (c) Relief that may be granted to a requestor under this
25-16 section is limited to a judgment requiring the public health agency
25-17 to make the requested information available to the requestor for
25-18 inspection or copying or to correct, amend, or delete erroneous,
25-19 incomplete, or false information as requested.
25-20 SUBCHAPTER G. CRIMINAL SANCTIONS; CIVIL REMEDIES
25-21 Sec. 93.251. CRIMINAL OFFENSES AND PENALTIES. (a) A public
25-22 health official who wilfully commits an act in violation of this
25-23 chapter and who knew or should have known that the act is
25-24 prohibited commits an offense. Each offense under this subsection
25-25 is a misdemeanor punishable by a fine not to exceed $5,000,
25-26 confinement for a period not to exceed one year, or both the fine
25-27 and confinement.
26-1 (b) A person who is not a public health official who
26-2 wilfully discloses protected health information in violation of
26-3 this chapter and who knows or should know that the disclosure is
26-4 prohibited commits an offense. Each offense under this subsection
26-5 is a misdemeanor punishable by a fine not to exceed $5,000,
26-6 confinement for a period not to exceed one year, or both the fine
26-7 and confinement.
26-8 (c) Any person who by any unlawful means, including bribery,
26-9 fraud, theft, false pretenses, or other misrepresentation of
26-10 identity, misrepresentation of purpose of use, or misrepresentation
26-11 of entitlement to information, inspects, copies, examines, or
26-12 obtains protected health information in violation of this chapter
26-13 commits an offense. Each offense under this subsection is a felony
26-14 punishable by a fine not to exceed $50,000, imprisonment for a
26-15 period not to exceed five years, or both the fine and imprisonment.
26-16 (d) An offense committed under Subsection (a), (b), or (c)
26-17 for the purpose of commercial gain or with intent to cause
26-18 malicious harm is a felony punishable by a fine not to exceed
26-19 $50,000, imprisonment for a period not to exceed five years, or
26-20 both the fine and imprisonment.
26-21 (e) The maximum penalties described in Subsections (a), (b),
26-22 (c), and (d) are doubled for every subsequent conviction of a
26-23 person arising out of a violation or violations that are related to
26-24 a different set of circumstances from those involved in the
26-25 previous offense or set of offenses under Subsection (a), (b), (c),
26-26 or (d).
26-27 (f) A prosecution under this section is barred if the
27-1 indictment or information is not presented within three years after
27-2 the date the offense was committed.
27-3 (g) Each violation of this chapter is a separate offense.
27-4 Sec. 93.252. CIVIL ENFORCEMENT. The attorney general or a
27-5 district or county attorney may bring a civil action to enforce
27-6 this chapter and obtain relief that the court is authorized to
27-7 grant under Section 93.253.
27-8 Sec. 93.253. CIVIL REMEDIES. (a) Any person aggrieved by a
27-9 negligent or intentional violation of this chapter, including a
27-10 negligent or intentional disclosure of protected health information
27-11 in violation of this chapter, failure to adequately safeguard the
27-12 confidentiality or security of protected health information, or
27-13 failure to supervise persons responsible for the acquisition, use,
27-14 disclosure, or storage of protected health information, may bring
27-15 an action for relief under this section.
27-16 (b) The court may order a public health agency, public
27-17 health official, or other person to comply with this chapter and
27-18 may order any appropriate civil or equitable relief, including
27-19 injunctive relief, to prevent noncompliance with this chapter.
27-20 (c) If the court determines that there is a violation of
27-21 this chapter, the aggrieved person is entitled to recover damages
27-22 for losses sustained as a result of the violation. The aggrieved
27-23 person is entitled to recover the greater of the person's actual
27-24 damages or liquidated damages of $1,000 for each violation. The
27-25 liquidated damages awarded to a person in a single action may not
27-26 exceed $10,000.
27-27 (d) If the court determines the violation results from
28-1 wilful or grossly negligent conduct, the aggrieved person may in
28-2 addition recover punitive damages from the violator in an amount
28-3 not to exceed $10,000 for each violation.
28-4 (e) If an aggrieved party prevails, the court may assess
28-5 reasonable attorney's fees and all other expenses reasonably
28-6 incurred in the litigation against the parties that did not
28-7 prevail.
28-8 (f) Responsible parties are jointly and severally liable for
28-9 any compensatory damages, attorney's fees, or other costs awarded.
28-10 (g) Any action under this section is barred unless the
28-11 action is commenced within one year after the cause of action
28-12 accrues or was or should reasonably have been discovered by the
28-13 aggrieved person or the person's representative.
28-14 (h) Each separate violation of this chapter is an actionable
28-15 violation.
28-16 (i) This section does not limit or expand the right of an
28-17 aggrieved person or the person's representative to recover damages
28-18 under other applicable law.
28-19 Sec. 93.254. IMMUNITIES. (a) It is not a violation of or
28-20 an offense under this chapter to disclose protected public health
28-21 information in accordance with an informed consent to disclose the
28-22 information that is executed in accordance with this chapter.
28-23 (b) If a public health official is a superior or supervisory
28-24 officer over another public health official and the other public
28-25 health official violates any part of this chapter, the superior or
28-26 supervisory officer is subject to the application of a civil remedy
28-27 under this chapter only on a theory of vicarious liability if the
29-1 superior or supervisory official:
29-2 (1) had no prior actual or constructive knowledge of
29-3 the violation or actions leading to the violation; and
29-4 (2) was not otherwise responsible for ensuring against
29-5 the occurrence of the violation.
29-6 (c) A person who is not a public health official is not
29-7 subject to the imposition of a criminal sanction or civil liability
29-8 under this chapter as a result of disclosing protected health
29-9 information in violation of this chapter if the original disclosure
29-10 of information by the public health agency was not accompanied by
29-11 the language required under Section 93.103(d). This subsection
29-12 does not affect whether a criminal sanction or civil liability may
29-13 be imposed on a public health official or other person who failed
29-14 to include the language required under Section 93.103(d) in the
29-15 prior disclosure.
29-16 (d) The parent or guardian of a minor or the court-appointed
29-17 guardian of a mentally incompetent individual is not subject to the
29-18 imposition of a criminal sanction or civil liability under this
29-19 chapter as a result of disclosing protected health information that
29-20 relates to the minor or individual if the parent or guardian
29-21 obtained the information in accordance with this chapter.
29-22 SECTION 2. (a) Not later than January 3, 2000, the highest
29-23 ranking public health official at each public health agency
29-24 affected by Chapter 93, Health and Safety Code, as added by this
29-25 Act, shall prepare and submit a report to the Texas Department of
29-26 Health concerning the probable effect of Chapter 93 on the agency.
29-27 (b) Not later than November 1, 2000, the Texas Department of
30-1 Health shall issue a comprehensive report to the legislature on
30-2 behalf of each public health agency concerning the effect of
30-3 Chapter 93, Health and Safety Code, as added by this Act, including
30-4 any recommendations for legislative amendments.
30-5 SECTION 3. This Act takes effect September 1, 2000.
30-6 SECTION 4. The importance of this legislation and the
30-7 crowded condition of the calendars in both houses create an
30-8 emergency and an imperative public necessity that the
30-9 constitutional rule requiring bills to be read on three several
30-10 days in each house be suspended, and this rule is hereby suspended.