HBA-MSH C.S.S.B. 11 77(R) BILL ANALYSIS
Office of House Bill Analysis
C.S.S.B. 11
By: Nelson
Public Health
5/18/2001
Committee Report (Substituted)
BACKGROUND AND PURPOSE
Confidential health and medical data are now collected, analyzed, distributed and accessed in large quantities. Health care providers can access records to diagnose illnesses, coordinate treatment, obtain payment for services, and monitor treatment from other health care providers. Clinical researchers use medical records to gather valuable data on the course of a disease and track response to a treatment. Insurers refer to medical records to determine coverage, make payments on claims, conduct utilization reviews, and for underwriting purposes in an attempt to manage rising health care costs. An employer may use employee health care data to track worker compensation claims and overall health care costs incurred by employees.
The Senate Health Committee was charged with reviewing the type, amount, availability, and use of patient-specific medical information, including prescription data, and current statutory and regulatory provisions governing its availability. The interim report explores whether statutory and regulatory provisions are consistent and adequately enforced. The committee made a number of recommendations, some of which are contained in this bill. C.S.S.B. 11 sets forth provisions relating to medical records privacy.
RULEMAKING AUTHORITY
It is the opinion of the Office of House Bill Analysis that rulemaking authority is expressly delegated to a state agency that licenses or regulates certain persons who collect protected health information in SECTION 1 (Sec. 181.004, Health and Safety Code), to the Texas Department of Health in SECTION 1 (Sec. 181.053, Health and Safety Code), and to the commissioner of insurance in SECTION 2 (Art. 28B.08, Insurance Code) of this bill.
ANALYSIS
C.S.S.B. 11 amends the Health and Safety Code to require certain persons who collect protected health information (covered entity) to comply with the federal Health Insurance Portability and Accountability Act and Privacy Standards (HIPAAPS) relating to an individual's access to protected health information, amendment of protected health information, uses and disclosures of protected health information, and notice of privacy practices (Sec. 181.101).
The bill authorizes a covered entity or health care entity to disclose protected health information to a person performing health research for the purpose of conducting health research only if the person performing health research has obtained individual consent or authorization for use of the information or a waiver granted by an institutional review board or privacy board. The bill sets forth provisions relating to the composition and conduct of a privacy board (Sec. 181.102).
The bill authorizes a covered entity or health care entity to disclose protected health information to a person performing health research if the covered entity or health care entity obtains from the person performing the health research certain representations as to the use and necessity of the information. The bill authorizes a person who is the subject of protected health information collected or created in the course of a clinical research trial to access the information at the conclusion of the research trial (Sec. 181.102).
The bill authorizes a covered entity to use or disclose protected health information without the express written authorization of the individual for public health activities or to comply with the requirements of any federal or state health benefit program or any federal or state law. The bill authorizes a covered entity to disclose protected health information to certain public health authorities or state agencies (Sec. 181.103).
The bill prohibits a person from reidentifying or attempting to reidentify an individual who is the subject of any protected health information without obtaining the individual's consent or authorization if required by state or federal law (Sec. 181.151).
The bill prohibits a covered entity from disclosing, using, selling, or coercing an individual to consent to the disclosure, use, or sale of protected health information for marketing purposes without the consent or authorization of the individual who is the subject of the information. The bill sets forth requirements for written marketing communication (Sec. 181.152).
The bill sets forth provisions relating to injunctive relief, civil penalties, disciplinary action, exclusion from state programs, and other remedies for a violation of these provisions (Secs. 181.201-181.204).
The bill authorizes a state agency that licenses or regulates a covered entity to adopt rules as necessary to carry out the purposes of these provisions (Sec. 181.004). The bill requires a covered entity to comply with the provisions no later than September 1, 2003 (SECTION 3).
Except for provisions relating to marketing uses of information, the bill provides that the provisions relating to medical records privacy do not apply to a covered entity as defined in HIPAAPS, and certain entities associated with a covered entity, the holder of an insurance license, an entity established under the Texas Workers' Compensation Insurance Fund, or a covered entity as defined in this bill with respect to the activities of a financial institution (Secs. 181.051 and 181.052).
The bill requires the Texas Department of Health to exempt by rule from medical records privacy provisions a nonprofit agency that pays for health care services or prescription drugs for an indigent person only if the provision of health care or reimbursement for health care services is not the primary business of the agency (Sec. 181.053).
Provisions relating to medical records privacy do not apply to workers' compensation insurance, functions, or related entities, an employee benefit plan and related entities, certain state agencies responsible for special needs offenders, and certain educational records (Secs. 181.054, 181.057, and 181.058). The provisions do not prohibit the American Red Cross from accessing any information necessary to perform its disaster duties or emergency leave verification for military personnel (Sec. 181.056).
Senate Bill 11 amends the Insurance Code to provide that a person who holds or is required to hold an insurance license registration, certificate of authority, or other authority (licensee) must obtain an authorization to disclose any nonpublic personal health information before making such a disclosure. The bill sets forth provisions relating to the requirements for a written or electronic request for authorization. The bill provides that the right of a consumer or customer to revoke an authorization at any time is subject to the rights of an individual who acted in reliance on the authorization before receiving notice of a revocation (Art. 28B.02).
The bill authorizes a request for authorization and an authorization form to be delivered to a consumer or a customer if the request and form are clear and conspicuous (Art. 28B.03).
The bill authorizes a licensee to disclose nonpublic personal health information to the extent that the disclosure is necessary to perform certain specified insurance functions on behalf of the licensee (Art. 28B.04).
The bill specifies that these provisions do not apply to a licensee who is required to comply with federal standards governing the privacy of individually identifiable health information (Art. 28B.05).
The bill provides that these provisions do not preempt or supersede a state law related to medical record, health, or insurance information privacy that is in effect on July 1, 2002 and do not modify, limit, or supersede the federal Fair Credit Reporting Act (Art. 28B.06).
The bill authorizes the Texas Department of Insurance to investigate any alleged violation by a licensee of provisions related to privacy of health information and impose fines and other sanctions as determined to be appropriate (Art. 28B.07).
The bill authorizes the commissioner of insurance (commissioner) to adopt rules to implement provisions related to privacy of health information (Art. 28B.08). The bill authorizes the commissioner to delay the date for compliance if the commissioner determines that an entity needs more time to establish policies and systems.
EFFECTIVE DATE
Provisions amending the Health and Safety Code relating to medical records privacy take effect September 1, 2001. Provisions amending the Insurance Code relating to privacy of health information take effect January 1, 2002.
COMPARISON OF ORIGINAL TO SUBSTITUTE
C.S.S.B. 11 differs from the original by removing certain definitions and providing that, unless otherwise defined, each term has the meaning assigned by the Health Insurance Portability and Accountability Act and Privacy Standards (HIPAAPS). The substitute modifies the definition of "covered entity." The substitute adds definitions of "Health Insurance Portability and Accountability Act and Privacy Standards" and "marketing" (Sec. 181.001).
The substitute provides that the provisions relating to medical records privacy do not affect the validity of another statute that provides greater confidentiality for information made confidential by these provisions rather than any confidentiality that another statute creates (Sec. 181.002).
Except for provisions relating to marketing uses of information, the substitute exempts a covered entity as defined by HIPAA, and certain entities associated with a covered entity, the holder of an insurance license, and an entity established under the Texas Workers' Compensation Insurance Fund from the provisions relating to medical records privacy (Sec. 181.050).
The substitute exempts the American Red Cross when performing specified duties, certain state agencies responsible for offenders with mental impairments, and certain educational records (Secs. 181.056-181.058).
The substitute removes provisions that require TDH by rule to exempt health care providers who provide health care to indigent persons at a health fair. The substitute removes the fee for patient access to healthcare information.
The substitute requires a covered entity to comply with Health Insurance Portability and Accountability Act and Privacy Standards whereas the original set forth provisions prohibiting a covered entity from disclosing, using, accessing, or obtaining protected health information without express written authorization (Sec. 181.101).
The substitute authorizes a person who is the subject of protected health information collected or created in the course of a clinical research trial to access the information at the conclusion of the research trial (Sec. 181.102).
The substitute modifies the prohibition on the use of protected health information for marketing purposes without the consent or authorization of the individual who is the subject of the information (Sec. 181.152).
The substitute adds provisions relating to disciplinary actions, exclusion from state programs, and other available remedies for a violation of the provisions relating to medical records privacy (Secs. 181.202-181.204). The substitute removes provisions related to individual injunctive relief and attorney's fees.
The substitute requires a covered entity to comply with the provisions relating to medical records privacy not later than September 1, 2003 (SECTION 3).
The substitute removes provisions that require a covered entity or health care entity conducting disease management or health care operations to provide written notice on request to an individual of the entity's practices with respect to its uses and disclosures of protected health information. The substitute removes provisions specifying the content and expiration of the express written authorization.
The substitute authorizes the commissioner of insurance and a state agency that licenses or regulates a covered entity to adopt rules as necessary to implement the appropriate provisions of the bill (Art. 28B.08, Insurance Code and Sec. 181.004, Health and Safety Code).