SRC-MWN, JBJ S.B. 11 77(R)BILL ANALYSIS Senate Research CenterS.B. 11 By: Nelson Business & Commerce 6/18/2001 Enrolled DIGEST AND PURPOSE S.B. 11 proposes parts of the recommendations contained in the Senate Health Services Committee's interim report. S.B 11 stipulates that a patient can only be marketed to with express written authorization; grants patients the right to access and append their inaccurate medical records; grants patients the right to know how an entity is using their medical information in the form of an easy to understand public notice; establishing privacy standards to be adopted within medical research based upon federally adopted guidelines. This bill provides the Texas Department of Insurance the authority to promulgate medical privacy rules for the insurance industry operating in Texas and prohibits any attempt to re-identify de-identified health information. S.B 11 also provides the attorney general the authority to sue to stop a violation, and provides individuals the right to sue to stop their information from being shared without permission. RULEMAKING AUTHORITY Rulemaking authority is expressly granted to a state agency that licenses or regulates a covered entity in SECTION 1 (Section 181.004, Health and Safety Code), to the Texas Department of Health (Section 181.053, Health and Safety Code), and to the commissioner of insurance in SECTION 2 (Article 28B.08, Insurance Code) of this bill. SECTION BY SECTION ANALYSIS SECTION 1. Amends Title 2, Health and Safety Code, by adding Subtitle I, as follows: SUBTITLE I. MEDICAL RECORDS CHAPTER 181. MEDICAL RECORDS PRIVACY SUBCHAPTER A. GENERAL PROVISIONS Sec. 181.001. DEFINITIONS. (a) Provides that unless otherwise defined in this chapter, each term that is used in this chapter has the meaning assigned by the Health Insurance Portability and Accountability Act and Privacy Standards. (b) Defines "covered entity," "health care operations," "health insurance portability and accountability Act and Privacy Standards," "marketing," and "protected health information." Sec. 181.002. APPLICABILITY. (a) Provides that this chapter does not affect the validity of another statute of this state that provides greater confidentiality for information made confidential by this chapter. (b) Provides that to the extent that this chapter conflicts with another law with respect to protected health information collected by a governmental body or unit, this chapter controls. Sec. 181.003. SOVEREIGN IMMUNITY. Provides that this chapter does not waive sovereign immunity to suit or liability. Sec. 181.004. RULES. Authorizes a state agency that licenses or regulates a covered entity to adopt rules as necessary to carry out the purposes of this chapter. [Sections 181.005-181.050 reserved for expansion] SUBCHAPTER B. EXEMPTIONS Sec. 181.051. PARTIAL EXEMPTION. Provides that except for Subchapter D, this chapter does not apply to certain entities. Sec. 181.052. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS. (a) Defines "financial institution." (b) Provides that to the extent that a covered entity engages in activities of a financial institution, or authorizes, processes, clears, settles, bills, transfers, reconciles, or collects payments for a financial institution, this chapter and any rule adopted under this chapter does not apply to the covered entity with respect to those activities, including certain criteria. Sec. 181.053. NONPROFIT AGENCIES. Requires the Texas Department of Health. (department) to by rule exempt from this chapter a nonprofit agency that pays for health care services or prescription drugs for an indigent person only if the agency's primary business is not the provision of health care or reimbursement for health care services. Sec. 181.054. WORKERS' COMPENSATION. Provides that this chapter does not apply to certain persons. Sec. 181.055. EMPLOYEE BENEFIT PLAN. Provides that this chapter does not apply to certain persons. Sec. 181.056. AMERICAN RED CROSS. Provides that this chapter does not prohibit the American Red Cross from accessing any information necessary to perform its duties to provide disaster relief, disaster communication, or emergency leave verification services for military personnel. Sec. 181.057. INFORMATION RELATING TO OFFENDERS WITH MENTAL IMPAIRMENTS. Provides that this chapter does not apply to an agency described by Section 614.017 with respect to the disclosure, receipt, transfer, or exchange of medical and health information and records relating to individuals in the custody of an agency or in community supervision. Sec. 181.058. EDUCATIONAL RECORDS. Provides that in this chapter, protected health information does not include certain records. [Sections 181.059-181.100 reserved for expansion] SUBCHAPTER C. ACCESS TO AND USE OF HEALTH CARE INFORMATION Sec. 181.101. COMPLIANCE WITH FEDERAL REGULATIONS. Requires a covered entity to comply with the Health Insurance Portability and Accountability Act and Privacy Standards relating to certain criteria. Sec. 181.102. INFORMATION FOR RESEARCH. (a) Authorizes a covered entity to disclose protected health information to a person performing health research, regardless of the source of funding of the research, for the purpose of conducting health research, only if the person performing health research has obtained certain information. (b) Provides that a privacy board to meet certain conditions. (c) Authorizes a privacy board to grant a waiver of the express written authorization for the use of protected health information if the privacy board obtains the certain documentation. (d) Requires a waiver to be signed by the presiding officer of the privacy board or the presiding officer's designee. (e) Requires the privacy board to review the proposed research at a convened meeting at which a majority of the privacy board members are present, including at least one member who satisfies the requirements of Subsection (b)(2). Requires the waiver of express written authorization to be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure. Authorizes the privacy board to use an expedited review procedure only if the research involves no more than minimal risk to the privacy of the individual who is the subject of the protected health information of which use or disclosure is being sought. Provides that if the privacy board elects to use an expedited review procedure, the review and approval of the waiver of express written authorization is authorized to be made by the presiding officer of the privacy board or by one or more members of the privacy board as designated by the presiding officer. (f) Authorizes a covered entity to disclose protected health information to a person performing health research if the covered entity obtains from the person performing the health research representations that meet certain criteria. (g) Authorizes a person who is the subject of protected health information collected or created in the course of a clinical research trial to access the information at the conclusion of the research trial. Sec. 181.103. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH AUTHORITY. Authorizes a covered entity to use or disclose protected health information without the express written authorization of the individual for public health activities or to comply with the requirements of any federal or state health benefit program or any federal or state law. Authorizes a covered entity to disclose certain protected health information. [Sections 181.104-181.150 reserved for expansion] SUBCHAPTER D. PROHIBITED ACTS Sec. 181.151. REIDENTIFIED INFORMATION. Prohibits a person from reidentifying or attempting to reidentify an individual who is the subject of any protected health information without obtaining the individual's consent or authorization if required under this chapter or other state or federal law. Sec. 181.152. MARKETING USES OF INFORMATION. (a) Prohibits a covered entity from disclosing, using, or selling or coercing an individual to consent to the disclosure, use, or sale of protected health information, including prescription patterns, for marketing purposes without the consent or authorization of the individual who is the subject of the protected health information. (b) Requires a written marketing communication to be sent in an envelope showing only the addresses of sender and recipient and to meet certain criteria. (c) Requires a person who receives a request under Subsection (b)(2) to remove a person's name from a mailing list to remove the person's name not later than the fifth day after the date the person receives the request. [Sections 181.153-181.200 reserved for expansion] SUBCHAPTER E. ENFORCEMENT Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) Authorizes the attorney general to institute an action for injunctive relief to restrain a violation of this chapter. (b) Authorizes the attorney general, in addition to the injunctive relief provided by Subsection (a), to institute an action for civil penalties against a covered entity for a violation of this chapter. Prohibits a civil penalty assessed under this section from exceeding $3,000 for each violation. (c) Authorizes the court, if the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, to assess a civil penalty not to exceed $250,000. Sec. 181.202. DISCIPLINARY ACTION. Provides that in addition to the penalties prescribed by this chapter, a violation of this chapter by an individual or facility that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. Authorizes the agency, if there is evidence that the violations of this chapter constitute a pattern or practice, to revoke the individual's or facility's license. Sec. 181.203. EXCLUSION FROM STATE PROGRAMS. Requires a covered entity, in addition to the penalties prescribed by this chapter, to be excluded from participating in any state-funded health care program if a court finds the covered entity engaged in a pattern or practice of violating this chapter. Sec. 181.204. AVAILABILITY OF OTHER REMEDIES. Provides that this chapter does not affect any right of a person under other law to bring a cause of action or otherwise seek relief with respect to conduct that is a violation of this chapter. SECTION 2. Amends Title 1, Insurance Code, is amended by adding Chapter 28B to read as follows: CHAPTER 28B. PRIVACY OF HEALTH INFORMATION SUBCHAPTER A. GENERAL PROVISIONS Art. 28B.01. DEFINITIONS. Defines "health information," "license," and "nonpublic personal health information." Art. 28B.02. PERSONALLY IDENTIFIABLE HEALTH INFORMATION: PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION. (a) Requires a licensee to obtain an authorization to disclose any nonpublic personal health information before making such a disclosure. (b) Authorizes the request for authorization required by this article to be in written or electronic form and is required to meet certain criteria. (c) Provides that the right of a consumer or customer to revoke an authorization at any time is subject to the rights of an individual who acted in reliance on the authorization before receiving notice of a revocation. (d) Requires the licensee to retain the original or a copy of the authorization in the record of the individual who is the subject of the nonpublic personal health information. Art. 28B.03. DELIVERY OF AUTHORIZATION. (a) Authorizes a request for authorization and an authorization form to be delivered to a consumer or a customer if the request and the authorization form are clear and conspicuous. (b) Requires a licensee to include delivery of the authorization in a notice to the consumer or customer only if the licensee intends to disclose protected health information under this chapter. Art. 28B.04. EXCEPTIONS. Authorizes a licensee to disclose nonpublic personal health information to the extent that the disclosure is necessary to perform certain insurance functions on behalf of that licensee. Art. 28B.05. EXCEPTION FOR COMPLIANCE WITH FEDERAL RULES. Provides that this subchapter does not apply to a licensee who is required to comply with the standards governing the privacy of individually identifiable health information adopted by the United States Secretary of Health and Human Services under Section 262(a), Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sections 1320d-1320d-8). Art. 28B.06. PROTECTION OF FAIR CREDIT REPORTING ACTS. (a) Prohibits this chapter from being construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) and an inference from being drawn based on this chapter regarding whether information is transaction or experience information under Section 603 of that Act (15 U.S.C. Section 1681a). (b) Provides that this chapter does not preempt or supersede a state law related to medical record, health, or insurance information privacy that is in effect on July 1, 2002. Art. 28B.07. VIOLATION; PENALTIES. Prohibits a licensee from knowingly or wilfully violating this chapter. Art. 28B.08. RULES. Authorizes the commissioner of insurance (commissioner) to adopt rules as necessary to implement this chapter. Art. 28B.09. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) Authorizes the attorney general to institute an action for injunctive relief to restrain a violation of this chapter. (b) Authorizes the attorney general, in addition to the injunctive relief provided by Subsection (a), to institute an action for civil penalties against a covered entity or health care entity for a violation of this chapter. Prohibits a civil penalty assessed under this section from being less than $3,000 for each violation. (c) Authorizes the court, if the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, to assess a civil penalty not to exceed $250,000. (d) Provides that the civil penalty authorized by this article is in addition to any other civil, administrative, or criminal action provided by law. Art. 28B.10. DISCIPLINARY ACTION. Provides that in addition to the penalties prescribed by this chapter, a violation of this chapter by a licensee is subject to investigation and disciplinary proceedings, including probation or suspension. Authorizes evidence of a pattern or practice of violations under this chapter to subject the licensee to license revocation. Art. 28B.11. EXCLUSION FROM STATE PROGRAMS. Requires a licensee, in addition to the penalties prescribed by this chapter, to be excluded from participating in any state-funded health care program if there is evidence that the licensee engaged in a pattern or practice of violating this chapter. Art. 28B.12. AVAILABILITY OF OTHER REMEDIES. Provides that this chapter does not affect any right of a person under other law to bring a cause of action or otherwise seek relief with respect to conduct that is a violation of this chapter. SECTION 3. Amends Section 161.032, Health and Safety Code, as follows: Sec. 161.032. RECORDS AND PROCEEDINGS CONFIDENTIAL. (a) Provides that the records and proceedings of a medical committee are confidential and are not subject to court subpoena. (b) Authorizes certain proceedings, notwithstanding Section 551.002, Government Code, to be held in a closed meeting prescribed by Subchapter E, Chapter 551, Government Code. (c) Provides that records, information, or reports of a medical committee, medical peer review committee, or compliance officer and records, information, or reports provided by a medical committee, medical peer review committee, or compliance officer to the governing body of a public hospital, hospital district, or hospital authority are not subject to disclosure under Chapter 552, Government Code. (e) Provides that the records, information, and reports received or maintained by a compliance officer retain the protection provided by this section only if the records, information, or reports are received, created, or maintained in the exercise of a proper function of the compliance officer as provided by the Office of Inspector General of the United States Department of Health and Human Services. (f) Provides that this section and Subchapter A, Chapter 160, Occupations Code, rather than Section 5.06, Medical Practice Act (Article 4495b, V.T.C.S), do not apply to records made or maintained in the regular course of business by a hospital, health maintenance organization, medical organization, university medical center or health science center, hospital district, hospital authority, or extended care facility. SECTION 4. Amends the heading to Chapter 161D, Health and Safety Code, to read as follows: SUBCHAPTER D. MEDICAL COMMITTEES, MEDICAL PEER REVIEW COMMITTEES, AND COMPLIANCE OFFICERS SECTION 5. (a) Provides that except as provided by Subsection (c), this Act takes effect September 1, 2001. (b) Requires a covered entity to comply with the requirements of Chapter 181, Health and Safety Code, as added by this Act, not later than September 1, 2003. (c) Provides that Chapter 28B, Insurance Code, as added by this Act, takes effect January 1, 2002. (d) Authorizes the commissioner of insurance to delay the date for compliance with Chapter 28B, Insurance Code, as added by this Act, if the commissioner determines that an entity needs more time to establish policies and systems to comply with the requirements of that chapter. (e) Makes application of this Act prospective.