SRC-MWN, JBJ S.B. 11 77(R)BILL ANALYSIS
Senate Research CenterS.B. 11
By: Nelson
Business & Commerce
6/18/2001
Enrolled
DIGEST AND PURPOSE
S.B. 11 proposes parts of the recommendations contained in the Senate
Health Services Committee's interim report. S.B 11 stipulates that a
patient can only be marketed to with express written authorization; grants
patients the right to access and append their inaccurate medical records;
grants patients the right to know how an entity is using their medical
information in the form of an easy to understand public notice;
establishing privacy standards to be adopted within medical research based
upon federally adopted guidelines. This bill provides the Texas Department
of Insurance the authority to promulgate medical privacy rules for the
insurance industry operating in Texas and prohibits any attempt to
re-identify de-identified health information. S.B 11 also provides the
attorney general the authority to sue to stop a violation, and provides
individuals the right to sue to stop their information from being shared
without permission.
RULEMAKING AUTHORITY
Rulemaking authority is expressly granted to a state agency that licenses
or regulates a covered entity in SECTION 1 (Section 181.004, Health and
Safety Code), to the Texas Department of Health (Section 181.053, Health
and Safety Code), and to the commissioner of insurance in SECTION 2
(Article 28B.08, Insurance Code) of this bill.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Title 2, Health and Safety Code, by adding Subtitle I,
as follows:
SUBTITLE I. MEDICAL RECORDS
CHAPTER 181. MEDICAL RECORDS PRIVACY
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 181.001. DEFINITIONS. (a) Provides that unless otherwise defined in
this chapter, each term that is used in this chapter has the meaning
assigned by the Health Insurance Portability and Accountability Act and
Privacy Standards.
(b) Defines "covered entity," "health care operations," "health insurance
portability and accountability Act and Privacy Standards," "marketing," and
"protected health information."
Sec. 181.002. APPLICABILITY. (a) Provides that this chapter does not
affect the validity of another statute of this state that provides greater
confidentiality for information made confidential by this chapter.
(b) Provides that to the extent that this chapter conflicts with another
law with respect to protected health information collected by a
governmental body or unit, this chapter controls.
Sec. 181.003. SOVEREIGN IMMUNITY. Provides that this chapter does not
waive sovereign immunity to suit or liability.
Sec. 181.004. RULES. Authorizes a state agency that licenses or regulates
a covered entity to adopt rules as necessary to carry out the purposes of
this chapter.
[Sections 181.005-181.050 reserved for expansion]
SUBCHAPTER B. EXEMPTIONS
Sec. 181.051. PARTIAL EXEMPTION. Provides that except for Subchapter D,
this chapter does not apply to certain entities.
Sec. 181.052. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS.
(a) Defines "financial institution."
(b) Provides that to the extent that a covered entity engages in
activities of a financial institution, or authorizes, processes, clears,
settles, bills, transfers, reconciles, or collects payments for a financial
institution, this chapter and any rule adopted under this chapter does not
apply to the covered entity with respect to those activities, including
certain criteria.
Sec. 181.053. NONPROFIT AGENCIES. Requires the Texas Department of
Health.
(department) to by rule exempt from this chapter a nonprofit agency that
pays for health care services or prescription drugs for an indigent person
only if the agency's primary business is not the provision of health care
or reimbursement for health care services.
Sec. 181.054. WORKERS' COMPENSATION. Provides that this chapter does not
apply to certain persons.
Sec. 181.055. EMPLOYEE BENEFIT PLAN. Provides that this chapter does not
apply to certain persons.
Sec. 181.056. AMERICAN RED CROSS. Provides that this chapter does not
prohibit the American Red Cross from accessing any information necessary to
perform its duties to provide disaster relief, disaster communication, or
emergency leave verification services for military personnel.
Sec. 181.057. INFORMATION RELATING TO OFFENDERS WITH MENTAL IMPAIRMENTS.
Provides that this chapter does not apply to an agency described by Section
614.017 with respect to the disclosure, receipt, transfer, or exchange of
medical and health information and records relating to individuals in the
custody of an agency or in community supervision.
Sec. 181.058. EDUCATIONAL RECORDS. Provides that in this chapter,
protected health information does not include certain records.
[Sections 181.059-181.100 reserved for expansion]
SUBCHAPTER C. ACCESS TO AND USE OF HEALTH CARE INFORMATION
Sec. 181.101. COMPLIANCE WITH FEDERAL REGULATIONS. Requires a covered
entity to comply with the Health Insurance Portability and Accountability
Act and Privacy Standards relating to certain criteria.
Sec. 181.102. INFORMATION FOR RESEARCH. (a) Authorizes a covered entity
to disclose protected health information to a person performing health
research, regardless of the source of funding of the research, for the
purpose of conducting health research, only if the person performing health
research has obtained certain information.
(b) Provides that a privacy board to meet certain conditions.
(c) Authorizes a privacy board to grant a waiver of the express written
authorization for the use of protected health information if the privacy
board obtains the certain documentation.
(d) Requires a waiver to be signed by the presiding officer of the privacy
board or the presiding officer's designee.
(e) Requires the privacy board to review the proposed research at a
convened meeting at which a majority of the privacy board members are
present, including at least one member who satisfies the requirements of
Subsection (b)(2). Requires the waiver of express written authorization to
be approved by the majority of the privacy board members present at the
meeting, unless the privacy board elects to use an expedited review
procedure. Authorizes the privacy board to use an expedited review
procedure only if the research involves no more than minimal risk to the
privacy of the individual who is the subject of the protected health
information of which use or disclosure is being sought. Provides that if
the privacy board elects to use an expedited review procedure, the review
and approval of the waiver of express written authorization is authorized
to be made by the presiding officer of the privacy board or by one or more
members of the privacy board as designated by the presiding officer.
(f) Authorizes a covered entity to disclose protected health information
to a person performing health research if the covered entity obtains from
the person performing the health research representations that meet certain
criteria.
(g) Authorizes a person who is the subject of protected health information
collected or created in the course of a clinical research trial to access
the information at the conclusion of the research trial.
Sec. 181.103. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH AUTHORITY.
Authorizes a covered entity to use or disclose protected health information
without the express written authorization of the individual for public
health activities or to comply with the requirements of any federal or
state health benefit program or any federal or state law. Authorizes a
covered entity to disclose certain protected health information.
[Sections 181.104-181.150 reserved for expansion]
SUBCHAPTER D. PROHIBITED ACTS
Sec. 181.151. REIDENTIFIED INFORMATION. Prohibits a person from
reidentifying or attempting to reidentify an individual who is the subject
of any protected health information without obtaining the individual's
consent or authorization if required under this chapter or other state or
federal law.
Sec. 181.152. MARKETING USES OF INFORMATION. (a) Prohibits a covered
entity from disclosing, using, or selling or coercing an individual to
consent to the disclosure, use, or sale of protected health information,
including prescription patterns, for marketing purposes without the consent
or authorization of the individual who is the subject of the protected
health information.
(b) Requires a written marketing communication to be sent in an envelope
showing only the addresses of sender and recipient and to meet certain
criteria.
(c) Requires a person who receives a request under Subsection (b)(2) to
remove a person's name from a mailing list to remove the person's name not
later than the fifth day after the date the person receives the request.
[Sections 181.153-181.200 reserved for expansion]
SUBCHAPTER E. ENFORCEMENT
Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) Authorizes the
attorney general to institute an action for injunctive relief to restrain a
violation of this chapter.
(b) Authorizes the attorney general, in addition to the injunctive relief
provided by Subsection (a), to institute an action for civil penalties
against a covered entity for a violation of this chapter. Prohibits a
civil penalty assessed under this section from exceeding $3,000 for each
violation.
(c) Authorizes the court, if the court in which an action under Subsection
(b) is pending finds that the violations have occurred with a frequency as
to constitute a pattern or practice, to assess a civil penalty not to
exceed $250,000.
Sec. 181.202. DISCIPLINARY ACTION. Provides that in addition to the
penalties prescribed by this chapter, a violation of this chapter by an
individual or facility that is licensed by an agency of this state is
subject to investigation and disciplinary proceedings, including probation
or suspension by the licensing agency. Authorizes the agency, if there is
evidence that the violations of this chapter constitute a pattern or
practice, to revoke the individual's or facility's license.
Sec. 181.203. EXCLUSION FROM STATE PROGRAMS. Requires a covered entity,
in addition to the penalties prescribed by this chapter, to be excluded
from participating in any state-funded health care program if a court finds
the covered entity engaged in a pattern or practice of violating this
chapter.
Sec. 181.204. AVAILABILITY OF OTHER REMEDIES. Provides that this chapter
does not affect any right of a person under other law to bring a cause of
action or otherwise seek relief with respect to conduct that is a violation
of this chapter.
SECTION 2. Amends Title 1, Insurance Code, is amended by adding Chapter
28B to read as follows:
CHAPTER 28B. PRIVACY OF HEALTH INFORMATION
SUBCHAPTER A. GENERAL PROVISIONS
Art. 28B.01. DEFINITIONS. Defines "health information," "license," and
"nonpublic personal health information."
Art. 28B.02. PERSONALLY IDENTIFIABLE HEALTH INFORMATION: PRIVACY NOTICE
AND DISCLOSURE AUTHORIZATION. (a) Requires a licensee to obtain an
authorization to disclose any nonpublic personal health information before
making such a disclosure.
(b) Authorizes the request for authorization required by this article to
be in written or electronic form and is required to meet certain
criteria.
(c) Provides that the right of a consumer or customer to revoke an
authorization at any time is subject to the rights of an individual who
acted in reliance on the authorization before receiving notice of a
revocation.
(d) Requires the licensee to retain the original or a copy of the
authorization in the record of the individual who is the subject of the
nonpublic personal health information.
Art. 28B.03. DELIVERY OF AUTHORIZATION. (a) Authorizes a request for
authorization and an authorization form to be delivered to a consumer or a
customer if the request and the authorization form are clear and
conspicuous.
(b) Requires a licensee to include delivery of the authorization in a
notice to the consumer or customer only if the licensee intends to disclose
protected health information under this chapter.
Art. 28B.04. EXCEPTIONS. Authorizes a licensee to disclose nonpublic
personal health information to the extent that the disclosure is necessary
to perform certain insurance functions on behalf of that licensee.
Art. 28B.05. EXCEPTION FOR COMPLIANCE WITH FEDERAL RULES. Provides that
this subchapter does not apply to a licensee who is required to comply with
the standards governing the privacy of individually identifiable health
information adopted by the United States Secretary of Health and Human
Services under Section 262(a), Health Insurance Portability and
Accountability Act of 1996 (42 U.S.C. Sections 1320d-1320d-8).
Art. 28B.06. PROTECTION OF FAIR CREDIT REPORTING ACTS. (a) Prohibits
this chapter from being construed to modify, limit, or supersede the
operation of the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.)
and an inference from being drawn based on this chapter regarding whether
information is transaction or experience information under Section 603 of
that Act (15 U.S.C. Section 1681a).
(b) Provides that this chapter does not preempt or supersede a state law
related to medical record, health, or insurance information privacy that is
in effect on July 1, 2002.
Art. 28B.07. VIOLATION; PENALTIES. Prohibits a licensee from knowingly or
wilfully violating this chapter.
Art. 28B.08. RULES. Authorizes the commissioner of insurance
(commissioner) to adopt rules as necessary to implement this chapter.
Art. 28B.09. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) Authorizes the
attorney general to institute an action for injunctive relief to restrain a
violation of this chapter.
(b) Authorizes the attorney general, in addition to the injunctive relief
provided by Subsection (a), to institute an action for civil penalties
against a covered entity or health care entity for a violation of this
chapter. Prohibits a civil penalty assessed under this section from being
less than $3,000 for each violation.
(c) Authorizes the court, if the court in which an action under Subsection
(b) is pending finds that the violations have occurred with a frequency as
to constitute a pattern or practice, to assess a civil penalty not to
exceed $250,000.
(d) Provides that the civil penalty authorized by this article is in
addition to any other civil, administrative, or criminal action provided by
law.
Art. 28B.10. DISCIPLINARY ACTION. Provides that in addition to the
penalties prescribed by this chapter, a violation of this chapter by a
licensee is subject to investigation and disciplinary proceedings,
including probation or suspension. Authorizes evidence of a pattern or
practice of violations under this chapter to subject the licensee to
license revocation.
Art. 28B.11. EXCLUSION FROM STATE PROGRAMS. Requires a licensee, in
addition to the penalties prescribed by this chapter, to be excluded from
participating in any state-funded health care program if there is evidence
that the licensee engaged in a pattern or practice of violating this
chapter.
Art. 28B.12. AVAILABILITY OF OTHER REMEDIES. Provides that this chapter
does not affect any right of a person under other law to bring a cause of
action or otherwise seek relief with respect to conduct that is a violation
of this chapter.
SECTION 3. Amends Section 161.032, Health and Safety Code, as follows:
Sec. 161.032. RECORDS AND PROCEEDINGS CONFIDENTIAL. (a) Provides that
the records and proceedings of a medical committee are confidential and are
not subject to court subpoena.
(b) Authorizes certain proceedings, notwithstanding Section 551.002,
Government Code, to be held in a closed meeting prescribed by Subchapter E,
Chapter 551, Government Code.
(c) Provides that records, information, or reports of a medical committee,
medical peer review committee, or compliance officer and records,
information, or reports provided by a medical committee, medical peer
review committee, or compliance officer to the governing body of a public
hospital, hospital district, or hospital authority are not subject to
disclosure under Chapter 552, Government Code.
(e) Provides that the records, information, and reports received or
maintained by a compliance officer retain the protection provided by this
section only if the records, information, or reports are received, created,
or maintained in the exercise of a proper function of the compliance
officer as provided by the Office of Inspector General of the United States
Department of Health and Human Services.
(f) Provides that this section and Subchapter A, Chapter 160, Occupations
Code, rather than Section 5.06, Medical Practice Act (Article 4495b,
V.T.C.S), do not apply to records made or maintained in the regular course
of business by a hospital, health maintenance organization, medical
organization, university medical center or health science center, hospital
district, hospital authority, or extended care facility.
SECTION 4. Amends the heading to Chapter 161D, Health and Safety Code, to
read as follows:
SUBCHAPTER D. MEDICAL COMMITTEES, MEDICAL
PEER REVIEW COMMITTEES, AND COMPLIANCE OFFICERS
SECTION 5. (a) Provides that except as provided by Subsection (c), this
Act takes effect September 1, 2001.
(b) Requires a covered entity to comply with the requirements of Chapter
181, Health and Safety Code, as added by this Act, not later than September
1, 2003.
(c) Provides that Chapter 28B, Insurance Code, as added by this Act, takes
effect January 1, 2002.
(d) Authorizes the commissioner of insurance to delay the date for
compliance with Chapter 28B, Insurance Code, as added by this Act, if the
commissioner determines that an entity needs more time to establish
policies and systems to comply with the requirements of that chapter.
(e) Makes application of this Act prospective.