By Maxey H.B. No. 3254
76R1447 JRD-F
A BILL TO BE ENTITLED
1-1 AN ACT
1-2 relating to the privacy of public health information.
1-3 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-4 SECTION 1. Subtitle D, Title 2, Health and Safety Code, is
1-5 amended by adding Chapter 93 to read as follows:
1-6 CHAPTER 93. PUBLIC HEALTH PRIVACY ACT
1-7 SUBCHAPTER A. GENERAL PROVISIONS
1-8 Sec. 93.001. SHORT TITLE. This chapter may be cited as the
1-9 Public Health Privacy Act.
1-10 Sec. 93.002. UNIFORMITY PROVISION. This chapter is a
1-11 uniform Act intended to be applied and construed to effectuate its
1-12 general purpose to make uniform the law among states enacting it
1-13 with respect to the subject of this chapter.
1-14 Sec. 93.003. LEGISLATIVE FINDINGS. The legislature finds
1-15 that:
1-16 (1) public health agencies acquire, use, disclose, or
1-17 store an increasing amount of information about individuals related
1-18 to their health, some of which is highly sensitive, that is
1-19 maintained in paper and electronic formats for public health
1-20 purposes;
1-21 (2) uses of information related to individuals' health
1-22 for public health purposes are critically important to preserving,
1-23 monitoring, and improving population-based health as well as the
1-24 personal health of individuals;
2-1 (3) each individual has significant privacy interests
2-2 with respect to personally identifiable information about the
2-3 individual's health;
2-4 (4) individual privacy interests in information
2-5 related to health that is in the possession of public health
2-6 agencies justify:
2-7 (A) the imposition of duties and limitations
2-8 concerning the acquisition, use, disclosure, and storage of the
2-9 information;
2-10 (B) the establishment of rights concerning
2-11 individual access to the information; and
2-12 (C) the imposition of security protections
2-13 governing the information;
2-14 (5) an individual's interests in the privacy of
2-15 information related to the individual's health are significantly
2-16 reduced when the information is collected, used, disclosed, or
2-17 stored in a form that is not personally identifiable to the
2-18 individual;
2-19 (6) a public health agency has a significant interest
2-20 in protecting the privacy of information related to health in its
2-21 possession whenever protecting the privacy of the information may
2-22 tend to encourage individuals to participate in public health
2-23 programs and objectives; and
2-24 (7) though public health agencies generally protect
2-25 the privacy interests of individuals in information related to
2-26 health that is possessed by the agencies, additional statutory
2-27 protections will further clarify and protect individual privacy
3-1 interests while facilitating without jeopardizing public health
3-2 objectives.
3-3 Sec. 93.004. PURPOSES. The purposes of this chapter are to:
3-4 (1) address privacy and security issues arising from
3-5 the acquisition, use, disclosure, and storage of protected health
3-6 information by state and local public health agencies;
3-7 (2) protect information related to health in the
3-8 possession of public health agencies against unauthorized
3-9 disclosures without significantly limiting the ability of public
3-10 health agencies to use the information for public health purposes;
3-11 (3) encourage extensive use and disclosure of public
3-12 health information that is not personally identifiable because use
3-13 and disclosure of this information does not implicate individual
3-14 privacy and security concerns and may greatly facilitate the
3-15 accomplishment of public health purposes;
3-16 (4) require that the acquisition and use of protected
3-17 health information by a public health agency be consistent with
3-18 public health purposes;
3-19 (5) prohibit most disclosures of protected health
3-20 information without the informed consent of the individual who is
3-21 the subject of the information and allow disclosure without
3-22 informed consent only under specified and narrow circumstances;
3-23 (6) impose a duty on public health agencies to hold
3-24 and use protected health information securely;
3-25 (7) impose a general duty on public health agencies to
3-26 ensure the accuracy of public health information;
3-27 (8) provide an individual who is the subject of public
4-1 health information held by a public health agency access to the
4-2 information and the right to inspect and copy the information;
4-3 (9) provide an individual who is the subject of public
4-4 health information held by a public health agency an opportunity to
4-5 request the correction, amendment, or deletion of erroneous or
4-6 incomplete information; and
4-7 (10) prescribe various criminal penalties and civil
4-8 enforcement mechanisms to protect individuals who are harmed by
4-9 wilful or negligent violations of this chapter by public health
4-10 agencies, public health officials, and other persons.
4-11 Sec. 93.005. DEFINITIONS. In this chapter:
4-12 (1) "Amend" means to indicate one or more entries in
4-13 protected public health information are disputed or to change the
4-14 entry without obliterating the original information.
4-15 (2) "Confidentiality statement" means a written
4-16 statement dated and signed by the individual agreeing to the
4-17 statement that certifies the individual's agreement to abide by the
4-18 security policy of a public health agency and with the provisions
4-19 of this chapter.
4-20 (3) "Disclose" and "disclosure" mean to release,
4-21 transfer, disseminate, provide access to, or otherwise communicate
4-22 or divulge all or any part of any protected health information to
4-23 any person or entity other than a public health agency or a public
4-24 health official who has been authorized by a public health agency
4-25 to receive the information.
4-26 (4) "Expunge" means to permanently destroy or delete
4-27 information or to make the information not personally identifiable
5-1 to an individual.
5-2 (5) "Health oversight agency" means:
5-3 (A) an agency in the executive branch of state
5-4 or local government that performs or oversees an assessment,
5-5 investigation, or prosecution relating to compliance with legal or
5-6 fiscal standards or claims of fraud in the health care industry,
5-7 the health equipment industry, or a related field; or
5-8 (B) a person who performs an activity described
5-9 by Paragraph (A) on behalf of or at the direction of the health
5-10 oversight agency or under a duty imposed by state or federal law.
5-11 (6) "Institutional review board" means any board,
5-12 committee, or other group formally designated by an institution or
5-13 authorized under federal or state law to review, approve the
5-14 initiation of, or conduct periodic review of research programs to
5-15 assure the protection of the rights and welfare of human research
5-16 subjects, consistent with requirements of the Federal Policy for
5-17 the Protection of Human Subjects.
5-18 (7) "Nonidentifiable health information" means any
5-19 information, whether communicated orally or recorded in writing or
5-20 in an electronic, visual, or other form, that relates to an
5-21 individual's past, present, or future physical or mental health
5-22 status, condition, treatment, receipt of health services, receipt
5-23 of health care, or purchase of products related to health care and
5-24 that:
5-25 (A) does not reveal the identity of the
5-26 individual; and
5-27 (B) does not tend to reveal the identity of the
6-1 individual, even if used in conjunction with other information that
6-2 it is reasonable to believe would be available to others.
6-3 (8) "Protected health information" means any
6-4 information, whether communicated orally or recorded in writing or
6-5 in an electronic, visual, or other form, that relates to an
6-6 individual's past, present, or future physical or mental health
6-7 status, condition, treatment, receipt of health services, receipt
6-8 of health care, or purchase of products related to health care and
6-9 that:
6-10 (A) reveals the identity of the individual; or
6-11 (B) tends to reveal the identity of the
6-12 individual if used alone or in conjunction with other information
6-13 that it is reasonable to believe would be available to others.
6-14 (9) "Public health" means population-based activities
6-15 or efforts, including individual efforts, the primary purposes of
6-16 which are the promotion of health or the prevention of injury,
6-17 disease, or premature death.
6-18 (10) "Public health agency" means an organization
6-19 operated by a state or local government that acquires, uses,
6-20 discloses, or stores protected health information for public health
6-21 purposes.
6-22 (11) "Public health official" means an officer,
6-23 employee, private contractor, private agent, intern, or volunteer
6-24 of a public health agency who is authorized by the agency or under
6-25 law to acquire, use, disclose, or store protected health
6-26 information.
6-27 (12) "Public health purpose" includes:
7-1 (A) assessing public health status and needs
7-2 through surveillance and epidemiological research;
7-3 (B) developing public health policy;
7-4 (C) responding to public health needs and public
7-5 health emergencies; and
7-6 (D) other public health activities authorized
7-7 under law.
7-8 (13) "Public information" means information that may
7-9 be inspected, reviewed, or obtained by the general public.
7-10 (14) "Request" means a written, dated, and signed
7-11 request of protected health information in paper or electronic form
7-12 through which the identity of the person making the request can be
7-13 accurately verified.
7-14 (15) "Requestor" means an individual, the legal parent
7-15 or guardian of a minor, or the court-appointed guardian of an
7-16 individual who requests health information.
7-17 (16) "Store" and "storage" mean to hold, maintain,
7-18 keep, or retain all or any part of protected health information.
7-19 SUBCHAPTER B. ACQUISITION OF PROTECTED HEALTH INFORMATION
7-20 Sec. 93.031. ACQUISITION OF INFORMATION. (a) A public
7-21 health agency may acquire protected health information only if:
7-22 (1) the acquisition directly relates to a public
7-23 health purpose;
7-24 (2) the acquisition is reasonably likely to achieve
7-25 the public health purpose in accordance with this chapter and other
7-26 law considering the resources and means available to achieve the
7-27 purpose; and
8-1 (3) the public health purpose cannot be achieved as
8-2 well with nonidentifiable health information.
8-3 (b) Protected health information may not be secretly
8-4 acquired by a public health agency.
8-5 (c) This section applies to the acquisition of protected
8-6 health information from a federal, state, or local public health
8-7 agency as well as from other sources.
8-8 SUBCHAPTER C. USE OF PROTECTED HEALTH INFORMATION
8-9 Sec. 93.061. USE CONSISTENT WITH ORIGINAL PURPOSE.
8-10 Protected health information may only be used by public health
8-11 agencies for public health purposes that are reasonably related to
8-12 the purpose for which the information was acquired.
8-13 Sec. 93.062. SUBSEQUENT USE. A public health agency may use
8-14 protected health information for public health purposes that are
8-15 not reasonably related to the purpose for which the information was
8-16 acquired only if the agency could have originally acquired the
8-17 information for that purpose under Subchapter B.
8-18 Sec. 93.063. SCOPE OF USE. (a) A public health agency
8-19 shall use only nonidentifiable health information to the extent
8-20 possible to accomplish a public health purpose.
8-21 (b) The agency shall use protected health information only
8-22 in accordance with this chapter and to the minimum extent
8-23 reasonably believed to be necessary to accomplish a public health
8-24 purpose.
8-25 Sec. 93.064. COMMERCIAL USE PROHIBITED. A public health
8-26 agency or public health official may not use protected health
8-27 information for a commercial purpose.
9-1 Sec. 93.065. EXPUNGING INFORMATION. A public health agency
9-2 shall expunge in a confidential manner protected health information
9-3 the use of which no longer furthers any public health purpose.
9-4 SUBCHAPTER D. DISCLOSURE OF PROTECTED HEALTH INFORMATION
9-5 Sec. 93.101. INFORMATION NOT PUBLIC. Except as provided by
9-6 this chapter, protected health information is not public
9-7 information and may not be disclosed without the informed consent
9-8 of the individual or the representative of the individual who is
9-9 the subject of the information.
9-10 Sec. 93.102. INFORMED CONSENT. (a) For the purposes of
9-11 this chapter, informed consent means a written authorization to
9-12 disclose public health information made on a form substantially
9-13 similar to a form to be prescribed by the department that is signed
9-14 in writing or electronically by the individual who is the subject
9-15 of the information. The authorization must be dated and must
9-16 specify to whom the disclosure is authorized, the general purpose
9-17 of the disclosure, and the period during which the authorization is
9-18 effective.
9-19 (b) An individual may revoke an authorization in writing at
9-20 any time. The individual is responsible for informing the person
9-21 who originally received the authorization that it has been revoked.
9-22 (c) If the authorization does not contain an expiration date
9-23 or has not previously been revoked, it automatically expires six
9-24 months after the date it is signed.
9-25 (d) A general authorization for the disclosure of
9-26 information related to health is not sufficient to authorize
9-27 disclosure of protected health information for purposes of this
10-1 chapter unless the authorization complies with this section.
10-2 (e) If the individual who is the subject of protected health
10-3 information is not competent or is otherwise legally unable to give
10-4 informed consent for the disclosure of protected health
10-5 information, written authorization under Subsection (a) may be
10-6 provided by the individual's parent, guardian, or other person
10-7 authorized under law to make health care decisions for the
10-8 individual. For the purposes of this subsection, a minor under the
10-9 age of 14 is not considered competent to give informed consent.
10-10 Sec. 93.103. SCOPE OF DISCLOSURE. (a) Protected health
10-11 information may be disclosed with the informed consent of the
10-12 individual who is the subject of the information to persons and for
10-13 purposes that are authorized under the terms of the informed
10-14 consent.
10-15 (b) Whenever this chapter allows the disclosure of protected
10-16 health information without the informed consent of the individual
10-17 who is the subject of the information, the information shall be
10-18 disclosed in a nonidentifiable form to the extent consistent with
10-19 accomplishing the public health purpose unless the disclosure is in
10-20 fact made with the informed consent of the individual who is the
10-21 subject of the information.
10-22 (c) Whenever this chapter allows the disclosure of protected
10-23 health information without the informed consent of the individual
10-24 who is the subject of the information and the information is not
10-25 disclosed in a nonidentifiable form, the disclosure shall be
10-26 limited to the minimum amount of information that the person making
10-27 the disclosure reasonably believes is necessary to accomplish the
11-1 purpose of the disclosure unless the disclosure is in fact made
11-2 with the informed consent of the individual who is the subject of
11-3 the information.
11-4 (d) Whenever a disclosure of protected health information is
11-5 made under this chapter, the disclosure shall be accompanied by a
11-6 statement in writing, or followed within three days by a statement
11-7 in writing if the information was disclosed orally, concerning the
11-8 public health agency's policy on disclosure. The statement must
11-9 include the following language or substantially similar language:
11-10 "This information has been disclosed to you from confidential
11-11 public health records protected by state and federal law. State or
11-12 federal law may prohibit any further disclosure of this information
11-13 in an identifiable form without the written informed consent of the
11-14 person who is the subject of the information, unless otherwise
11-15 permitted by law. Unauthorized disclosure of this information may
11-16 result in significant criminal or civil penalties, including
11-17 incarceration or monetary damages."
11-18 Sec. 93.104. DISCLOSURE WITHOUT INFORMED CONSENT. Protected
11-19 health information may be disclosed without the informed consent of
11-20 the individual who is the subject of the information only if the
11-21 disclosure is made:
11-22 (1) directly to the individual;
11-23 (2) for a public health, epidemiological, medical, or
11-24 health services research purpose and:
11-25 (A) it is not feasible to obtain the informed
11-26 consent of the individual who is the subject of the information;
11-27 (B) the use of identifiable information is
12-1 necessary for the effectiveness of the research project;
12-2 (C) the minimum amount of information necessary
12-3 for the effectiveness of the project is disclosed;
12-4 (D) the research will probably contribute to
12-5 achieving a public health purpose;
12-6 (E) the information is made nonidentifiable at
12-7 the earliest opportunity consistent with the effectiveness of the
12-8 research project and is expunged by the persons conducting the
12-9 project at the conclusion of the project; and
12-10 (F) the disclosure is made under a
12-11 confidentiality agreement executed after review and approval by an
12-12 institutional review board that requires any person receiving the
12-13 information to adhere to protections for the privacy and security
12-14 of the information that meet or exceed the protections required by
12-15 this chapter;
12-16 (3) to appropriate federal agencies or authorities
12-17 under a requirement of state or federal law; or
12-18 (4) to health care personnel in a medical emergency to
12-19 the extent necessary to protect the health or life of the
12-20 individual who is the subject of the information.
12-21 Sec. 93.105. DISCLOSURE IN LEGAL PROCEEDING. (a) Protected
12-22 health information may not be disclosed in a civil, criminal,
12-23 administrative, or other legal proceeding, including any disclosure
12-24 in response to a subpoena, as part of discovery, or through the
12-25 testimony of any person who has knowledge about the information
12-26 because of its acquisition by a public health agency, except in
12-27 accordance with this section.
13-1 (b) A court may grant an order authorizing the disclosure of
13-2 protected health information on an application by a public health
13-3 agency or public health official showing:
13-4 (1) there exists a clear danger to an individual whose
13-5 life or health may unknowingly be at significant risk as a result
13-6 of contact with the individual who is the subject of the
13-7 information;
13-8 (2) there exists a clear danger to the public health
13-9 that may be averted or mitigated through disclosure by the public
13-10 health agency or public health officer; or
13-11 (3) that the applicant is lawfully entitled to
13-12 disclose the information under this chapter.
13-13 (c) On receiving an application for an order authorizing
13-14 disclosure under this section, the court shall enter an order
13-15 directing that all materials that are part of the application and
13-16 decision of the court be sealed. The materials may not be made
13-17 available to any person except to the extent necessary to conduct
13-18 proceedings concerning the application, including any appeal. The
13-19 order also shall direct that all proceedings concerning the
13-20 application be conducted in camera.
13-21 (d) An individual who is the subject of the information and
13-22 any person in possession of the information from whom the
13-23 information is sought shall be notified of an application for its
13-24 disclosure.
13-25 (e) An individual who is the subject of the information and
13-26 any person in possession of the information from whom the
13-27 information is sought may file a written response to the
14-1 application or appear in person for the limited purpose of
14-2 providing evidence on the statutory criteria for the issuance of an
14-3 order under this section. The court may grant an order without the
14-4 required notice or appearance if the application by a public health
14-5 agency or public health officer requires immediate action to avert
14-6 or mitigate a clear danger to the public health.
14-7 (f) In assessing whether clear danger exists, the court
14-8 shall weigh the need for disclosure against the privacy interests
14-9 of the individual who is the subject of the information and any
14-10 public health purpose that may be adversely affected by disclosure.
14-11 The court shall provide written findings of fact regarding the
14-12 court's determination.
14-13 (g) An order authorizing disclosure of protected health
14-14 information shall:
14-15 (1) limit disclosure to the information that is
14-16 necessary under the facts of the application;
14-17 (2) limit disclosure to those persons who need the
14-18 information and specifically prohibit those persons from disclosing
14-19 the information to any other person who is not authorized to
14-20 receive the information;
14-21 (3) include any other measures that the court
14-22 considers necessary to limit any disclosure not authorized by the
14-23 order; and
14-24 (4) conform to the other provisions of this chapter to
14-25 the extent possible.
14-26 Sec. 93.106. DISCLOSURE FOR HEALTH OVERSIGHT PURPOSES. A
14-27 public health agency may disclose protected health information to a
15-1 health oversight agency to enable the agency to perform a health
15-2 oversight function authorized by law if:
15-3 (1) the public health agency is itself the focus of
15-4 the oversight inquiry;
15-5 (2) the protected health information is not removed
15-6 from the premises, custody, or control of the public health agency;
15-7 and
15-8 (3) the health oversight agency does not record the
15-9 names or other identifying information of an individual from
15-10 patient or client files.
15-11 Sec. 93.107. DECEASED INDIVIDUALS. (a) This chapter does
15-12 not prohibit the disclosure of protected health information:
15-13 (1) in a certificate of death, autopsy report, or
15-14 related documents prepared under applicable laws or rules;
15-15 (2) for the purpose of identifying a deceased
15-16 individual;
15-17 (3) for the purpose of determining a deceased
15-18 individual's manner of death by a chief medical examiner or the
15-19 examiner's designee; or
15-20 (4) to provide necessary information about a deceased
15-21 individual who is a donor or prospective donor of an anatomical
15-22 gift.
15-23 (b) The rights of a deceased individual under this chapter
15-24 may be exercised for a period of two years after the date of death
15-25 by one of the following individuals in the following order of
15-26 priority, subject to any written limitations or restrictions made
15-27 by the decedent:
16-1 (1) an executor or administrator of the estate of a
16-2 deceased individual, or an executor or administrator soon to be
16-3 appointed in accordance with a will or other legal instrument;
16-4 (2) a surviving spouse or domestic partner;
16-5 (3) an adult child;
16-6 (4) a parent; or
16-7 (5) another person authorized by law to act for the
16-8 individual decedent.
16-9 Sec. 93.108. SECONDARY DISCLOSURE. A person to whom
16-10 protected health information has been disclosed under this chapter
16-11 may not disclose the information in an identifiable form to another
16-12 person except as authorized by this chapter. This section does not
16-13 apply to:
16-14 (1) the individual who is the subject of the
16-15 information;
16-16 (2) the individual's parent, guardian, or other person
16-17 lawfully authorized to make health care decisions for the
16-18 individual where the individual who is the subject of the
16-19 information is unable to give informed consent under this chapter;
16-20 or
16-21 (3) a person who is specifically required by federal
16-22 or state law to disclose the information.
16-23 Sec. 93.109. RECORD OF DISCLOSURE. (a) A public health
16-24 agency shall establish a written or electronic record of any
16-25 disclosure of protected health information made under this chapter.
16-26 The record of disclosure is itself protected health information.
16-27 (b) A record of disclosure must include the following
17-1 information:
17-2 (1) the name, title, address, and institutional
17-3 affiliation, if any, of the person to whom protected health
17-4 information is disclosed;
17-5 (2) the date and purpose of the disclosure;
17-6 (3) a brief description of the information disclosed;
17-7 and
17-8 (4) the legal authority for the disclosure.
17-9 (c) The record of disclosure shall be maintained by the
17-10 public health agency for a period of ten years, even if the
17-11 protected health information disclosed is no longer in the agency's
17-12 possession.
17-13 SUBCHAPTER E. SECURITY SAFEGUARDS AND RECORDS RETENTION
17-14 Sec. 93.151. DUTY TO HOLD INFORMATION SECURELY. (a) Public
17-15 health agencies have a duty to acquire, use, disclose, and store
17-16 protected health information in a confidential and secure manner.
17-17 (b) Public health agencies and recipients of protected
17-18 health information disclosed by an agency, other than a recipient
17-19 who is the subject of the information or such a recipient's
17-20 representative, shall take appropriate measures to protect the
17-21 security of the information, including:
17-22 (1) maintaining the information in a physically secure
17-23 environment by taking measures such as:
17-24 (A) minimizing the number of physical places in
17-25 which the information is used or stored; and
17-26 (B) prohibiting the use or storage of the
17-27 information in places where the security of the information is
18-1 likely to be breached or is otherwise significantly threatened;
18-2 (2) maintaining the information in a technologically
18-3 secure environment;
18-4 (3) identifying and limiting the persons that have
18-5 access to the information to those who have a demonstrable need to
18-6 access the information;
18-7 (4) reducing the length of time that the information
18-8 is used or stored in a personally identifiable form to the period
18-9 that is necessary for the use of the information;
18-10 (5) eliminating unnecessary physical or electronic
18-11 transfers of the information;
18-12 (6) destroying unnecessary duplicate copies of the
18-13 information;
18-14 (7) developing and distributing written guidelines
18-15 consistent with this chapter concerning the preservation of the
18-16 security of the information;
18-17 (8) assigning personal responsibility to each person
18-18 who acquires, uses, discloses, or stores the information for
18-19 preserving its security;
18-20 (9) providing initial and periodic security training
18-21 to all persons who acquire, use, disclose, or store the
18-22 information;
18-23 (10) investigating thoroughly any potential or actual
18-24 breaches of security concerning the information;
18-25 (11) imposing disciplinary sanctions for any breaches
18-26 of security when appropriate; and
18-27 (12) undertaking continuous review and assessment of
19-1 security standards.
19-2 (c) Wherever protected public health information is
19-3 accessible to public health officials, there shall be a prominently
19-4 displayed notice concerning the agency's disclosure policy that
19-5 includes the following language or substantially similar language:
19-6 "Protected health information contains health-related information
19-7 about individuals that may be highly sensitive. This information
19-8 is entitled to significant privacy protections under state and
19-9 federal law. The disclosure of this information outside public
19-10 health agencies in an identifiable form is prohibited without the
19-11 informed written consent of the person who is the subject of the
19-12 information unless the disclosure is specifically permitted by
19-13 state or federal law. Unauthorized disclosure of this information
19-14 may result in significant criminal or civil penalties, including
19-15 incarceration and monetary damages."
19-16 (d) All public health officials or other persons having
19-17 authority at any time to acquire, use, disclose, or store protected
19-18 health information shall:
19-19 (1) be individually informed of the person's personal
19-20 responsibility to preserve the security of protected health
19-21 information;
19-22 (2) execute a confidentiality statement before
19-23 entering the premises of the public health agency, or as soon
19-24 afterwards as possible, and review written guidelines consistent
19-25 with this chapter concerning the preservation of the security of
19-26 the information;
19-27 (3) fulfill their personal responsibility for
20-1 preserving the security of protected health information to the
20-2 degree possible; and
20-3 (4) report to the public health information officer
20-4 any known breaches of security or actions that may lead to security
20-5 breaches.
20-6 (e) The identity of any person making a report under
20-7 Subsection (d)(4) may not be disclosed to anyone, other than
20-8 investigating public health or law enforcement officers, without
20-9 the consent of the person making the report.
20-10 Sec. 93.152. ESTABLISHMENT OF PUBLIC HEALTH INFORMATION
20-11 OFFICER. (a) Each public health agency shall appoint or designate
20-12 a public health official as the agency's public health information
20-13 officer.
20-14 (b) The public health information officer has overall
20-15 responsibility for preserving the security of all public health
20-16 information in a manner consistent with this section and this
20-17 chapter generally. The public health information officer shall
20-18 report directly to the highest ranking public health official at
20-19 the agency.
20-20 (c) The public health information officer shall perform all
20-21 duties as required by this section and this chapter generally,
20-22 including:
20-23 (1) monitoring the acquisition, use, disclosure, and
20-24 storage of protected health information to ensure those activities
20-25 are conducted in a physically and technologically secure
20-26 environment;
20-27 (2) developing and implementing written policies and
21-1 guidelines to preserve the security of protected health
21-2 information, including developing a model confidentiality statement
21-3 for use under Section 93.151(d)(2);
21-4 (3) coordinating the assignment of personal
21-5 responsibility to each person who acquires, uses, discloses, or
21-6 stores protected health information for preserving its security;
21-7 (4) acting as the agency's principal investigator for
21-8 each investigation of any breach of security;
21-9 (5) recommending disciplinary sanctions for any
21-10 breaches of security to the highest ranking public health official
21-11 at the agency, who shall be responsible for issuing and
21-12 implementing any sanctions;
21-13 (6) coordinating with federal, state, or local
21-14 authorities, as appropriate, in the investigation of any potential
21-15 or actual breach of security; and
21-16 (7) preparing any report required under Section
21-17 93.153.
21-18 Sec. 93.153. ISSUANCE OF PUBLIC REPORTS. (a) Each public
21-19 health agency shall prepare annually a report concerning the status
21-20 of security protections of protected health information that shall
21-21 be sent to the public health information officer for the department
21-22 at the time requested by the department. The report shall be
21-23 prepared in accordance with guidelines issued by the public health
21-24 information officer for the department.
21-25 (b) The public health information officer for the department
21-26 shall prepare a summary report on the status of security
21-27 protections of protected health information for all public health
22-1 agencies in this state within 60 days after the date on which
22-2 reports required under Subsection (a) are requested. This report
22-3 shall be issued to the legislature together with any
22-4 recommendations for amendments to state law that are relevant to
22-5 improving the security of protected health information.
22-6 (c) A report prepared under this section may not contain any
22-7 protected health information or other personally identifiable
22-8 information.
22-9 (d) Reports prepared under this section are public
22-10 information.
22-11 SUBCHAPTER F. FAIR INFORMATION PRACTICES
22-12 Sec. 93.201. INDIVIDUAL ACCESS TO PUBLIC HEALTH INFORMATION.
22-13 (a) This section applies to a request by an individual who is the
22-14 subject of protected health information, or by the parent or
22-15 guardian of the individual, to inspect or copy the information when
22-16 it is in the possession of a public health agency.
22-17 (b) The public health agency may place reasonable
22-18 limitations on the time, place, and frequency of any inspections.
22-19 A public health agency may request the opportunity to review the
22-20 information with the requestor but such a review may not be a
22-21 prerequisite to providing the information.
22-22 (c) Any information contained in the information regarding
22-23 the individual that relates to the health status of other persons
22-24 or to other confidential information regarding other persons shall
22-25 be deleted before the information is inspected or copied under this
22-26 section.
22-27 (d) Any information contained in the information regarding
23-1 the individual that is not related to the requestor's health status
23-2 may be deleted before the information is inspected or copied under
23-3 this section.
23-4 (e) A public health agency may deny a request to inspect or
23-5 copy protected health information under this section if:
23-6 (1) the public health agency can, if its denial is
23-7 appealed, show by clear and convincing evidence that the review of
23-8 the protected health information will cause substantial and
23-9 identifiable harm to the requestor or others that outweighs the
23-10 requestor's right to access the information;
23-11 (2) an individual over the age of 14 for whom a parent
23-12 or guardian has requested information objects to its disclosure to
23-13 the parent or guardian within seven calendar days after the date
23-14 the individual receives written notice of the request from the
23-15 public health agency; or
23-16 (3) the information is compiled principally in
23-17 anticipation of, or for use in, a legal proceeding, including a
23-18 legal proceeding before an administrative agency.
23-19 (f) The public health agency shall notify the requestor in
23-20 writing of the reasons for denying a request under this section,
23-21 including a denial for the reason that the agency does not have in
23-22 its possession any requested protected health information relating
23-23 to the requestor.
23-24 (g) A requestor may appeal a denial of access under this
23-25 section through an administrative review procedure prescribed for
23-26 this purpose by the department.
23-27 Sec. 93.202. ACCURACY OF INFORMATION. (a) Public health
24-1 agencies shall reasonably ensure the accuracy and completeness of
24-2 protected health information.
24-3 (b) After inspecting or reviewing copies of protected health
24-4 information under Section 93.201, the requestor may request that
24-5 the public health agency correct, amend, or delete erroneous,
24-6 incomplete, or false information.
24-7 (c) A brief written statement from the requestor challenging
24-8 the veracity of the protected health information shall be retained
24-9 by the public health agency while it possesses the information.
24-10 The public health agency shall note on the disputed portions of the
24-11 protected health information the original language and the
24-12 requestor's proposed change and disclose the notation on request to
24-13 any person who is authorized to receive the protected health
24-14 information.
24-15 (d) The public health agency shall correct, amend, or delete
24-16 erroneous, incomplete, or false information within 14 calendar days
24-17 after the date it receives a request to do so if it determines that
24-18 the modification is reasonably supported by the facts. The
24-19 requestor has the burden of proving that the information needs to
24-20 be corrected, amended, or deleted.
24-21 (e) The requestor shall be notified in writing of any
24-22 corrections, amendments, or deletions made, or, in the alternative,
24-23 the reasons for denying any request under this section in whole or
24-24 in part.
24-25 (f) The requestor may appeal a decision under this section
24-26 through an administrative review procedure prescribed for this
24-27 purpose by the department.
25-1 (g) A public health agency shall take reasonable steps to
25-2 notify all persons indicated by the requestor, or others for which
25-3 known disclosures have previously been made, of corrections,
25-4 amendments, or deletions made to protected information.
25-5 Sec. 93.203. APPEALS. (a) If an administrative review
25-6 procedure under this subchapter has been exhausted, the requestor
25-7 may appeal the decision of the public health agency to a Travis
25-8 County district court or to a district court in the county in which
25-9 the requestor resides.
25-10 (b) The court shall determine whether there exists a
25-11 reasonable basis for the action or decision of the public health
25-12 agency by conducting an in camera review of the relevant protected
25-13 health information, the administrative record, and other admissible
25-14 evidence.
25-15 (c) Relief that may be granted to a requestor under this
25-16 section is limited to a judgment requiring the public health agency
25-17 to make the requested information available to the requestor for
25-18 inspection or copying or to correct, amend, or delete erroneous,
25-19 incomplete, or false information as requested.
25-20 SUBCHAPTER G. CRIMINAL SANCTIONS; CIVIL REMEDIES
25-21 Sec. 93.251. CRIMINAL OFFENSES AND PENALTIES. (a) A public
25-22 health official who wilfully commits an act in violation of this
25-23 chapter and who knew or should have known that the act is
25-24 prohibited commits an offense. Each offense under this subsection
25-25 is a misdemeanor punishable by a fine not to exceed $5,000,
25-26 confinement for a period not to exceed one year, or both the fine
25-27 and confinement.
26-1 (b) A person who is not a public health official who
26-2 wilfully discloses protected health information in violation of
26-3 this chapter and who knows or should know that the disclosure is
26-4 prohibited commits an offense. Each offense under this subsection
26-5 is a misdemeanor punishable by a fine not to exceed $5,000,
26-6 confinement for a period not to exceed one year, or both the fine
26-7 and confinement.
26-8 (c) Any person who by any unlawful means, including bribery,
26-9 fraud, theft, false pretenses, or other misrepresentation of
26-10 identity, misrepresentation of purpose of use, or misrepresentation
26-11 of entitlement to information, inspects, copies, examines, or
26-12 obtains protected health information in violation of this chapter
26-13 commits an offense. Each offense under this subsection is a felony
26-14 punishable by a fine not to exceed $50,000, imprisonment for a
26-15 period not to exceed five years, or both the fine and imprisonment.
26-16 (d) An offense committed under Subsection (a), (b), or (c)
26-17 for the purpose of commercial gain or with intent to cause
26-18 malicious harm is a felony punishable by a fine not to exceed
26-19 $50,000, imprisonment for a period not to exceed five years, or
26-20 both the fine and imprisonment.
26-21 (e) The maximum penalties described in Subsections (a), (b),
26-22 (c), and (d) are doubled for every subsequent conviction of a
26-23 person arising out of a violation or violations that are related to
26-24 a different set of circumstances from those involved in the
26-25 previous offense or set of offenses under Subsection (a), (b), (c),
26-26 or (d).
26-27 (f) A prosecution under this section is barred if the
27-1 indictment or information is not presented within three years after
27-2 the date the offense was committed.
27-3 (g) Each violation of this chapter is a separate offense.
27-4 Sec. 93.252. CIVIL ENFORCEMENT. The attorney general or a
27-5 district or county attorney may bring a civil action to enforce
27-6 this chapter and obtain relief that the court is authorized to
27-7 grant under Section 93.253.
27-8 Sec. 93.253. CIVIL REMEDIES. (a) Any person aggrieved by a
27-9 negligent or intentional violation of this chapter, including a
27-10 negligent or intentional disclosure of protected health information
27-11 in violation of this chapter, failure to adequately safeguard the
27-12 confidentiality or security of protected health information, or
27-13 failure to supervise persons responsible for the acquisition, use,
27-14 disclosure, or storage of protected health information, may bring
27-15 an action for relief under this section.
27-16 (b) The court may order a public health agency, public
27-17 health official, or other person to comply with this chapter and
27-18 may order any appropriate civil or equitable relief, including
27-19 injunctive relief, to prevent noncompliance with this chapter.
27-20 (c) If the court determines that there is a violation of
27-21 this chapter, the aggrieved person is entitled to recover damages
27-22 for losses sustained as a result of the violation. The aggrieved
27-23 person is entitled to recover the greater of the person's actual
27-24 damages or liquidated damages of $1,000 for each violation. The
27-25 liquidated damages awarded to a person in a single action may not
27-26 exceed $10,000.
27-27 (d) If the court determines the violation results from
28-1 wilful or grossly negligent conduct, the aggrieved person may in
28-2 addition recover punitive damages from the violator in an amount
28-3 not to exceed $10,000 for each violation.
28-4 (e) If an aggrieved party prevails, the court may assess
28-5 reasonable attorney's fees and all other expenses reasonably
28-6 incurred in the litigation against the parties that did not
28-7 prevail.
28-8 (f) Responsible parties are jointly and severally liable for
28-9 any compensatory damages, attorney's fees, or other costs awarded.
28-10 (g) Any action under this section is barred unless the
28-11 action is commenced within one year after the cause of action
28-12 accrues or was or should reasonably have been discovered by the
28-13 aggrieved person or the person's representative.
28-14 (h) Each separate violation of this chapter is an actionable
28-15 violation.
28-16 (i) This section does not limit or expand the right of an
28-17 aggrieved person or the person's representative to recover damages
28-18 under other applicable law.
28-19 Sec. 93.254. IMMUNITIES. (a) It is not a violation of or
28-20 an offense under this chapter to disclose protected public health
28-21 information in accordance with an informed consent to disclose the
28-22 information that is executed in accordance with this chapter.
28-23 (b) If a public health official is a superior or supervisory
28-24 officer over another public health official and the other public
28-25 health official violates any part of this chapter, the superior or
28-26 supervisory officer is subject to the application of a civil remedy
28-27 under this chapter only on a theory of vicarious liability if the
29-1 superior or supervisory official:
29-2 (1) had no prior actual or constructive knowledge of
29-3 the violation or actions leading to the violation; and
29-4 (2) was not otherwise responsible for ensuring against
29-5 the occurrence of the violation.
29-6 (c) A person who is not a public health official is not
29-7 subject to the imposition of a criminal sanction or civil liability
29-8 under this chapter as a result of disclosing protected health
29-9 information in violation of this chapter if the original disclosure
29-10 of information by the public health agency was not accompanied by
29-11 the language required under Section 93.103(d). This subsection
29-12 does not affect whether a criminal sanction or civil liability may
29-13 be imposed on a public health official or other person who failed
29-14 to include the language required under Section 93.103(d) in the
29-15 prior disclosure.
29-16 (d) The parent or guardian of a minor or the court-appointed
29-17 guardian of a mentally incompetent individual is not subject to the
29-18 imposition of a criminal sanction or civil liability under this
29-19 chapter as a result of disclosing protected health information that
29-20 relates to the minor or individual if the parent or guardian
29-21 obtained the information in accordance with this chapter.
29-22 SECTION 2. (a) Not later than January 3, 2000, the highest
29-23 ranking public health official at each public health agency
29-24 affected by Chapter 93, Health and Safety Code, as added by this
29-25 Act, shall prepare and submit a report to the Texas Department of
29-26 Health concerning the probable effect of Chapter 93 on the agency.
29-27 (b) Not later than November 1, 2000, the Texas Department of
30-1 Health shall issue a comprehensive report to the legislature on
30-2 behalf of each public health agency concerning the effect of
30-3 Chapter 93, Health and Safety Code, as added by this Act, including
30-4 any recommendations for legislative amendments.
30-5 SECTION 3. This Act takes effect September 1, 2000.
30-6 SECTION 4. The importance of this legislation and the
30-7 crowded condition of the calendars in both houses create an
30-8 emergency and an imperative public necessity that the
30-9 constitutional rule requiring bills to be read on three several
30-10 days in each house be suspended, and this rule is hereby suspended.