SRC-MWN, JBJ S.B. 11 77(R) BILL ANALYSIS
Senate Research Center S.B. 11
77R523 MCK-FBy: Nelson
Business & Commerce
3/1/2001
As Filed
DIGEST AND PURPOSE
Currently, employers are authorized to use employee health care data to
track worker compensation claims and overall health care costs incurred by
employees. As proposed, S.B. 11 proposes recommendations contained in the
Senate Health Services Committee's interim report. Those proposals include
prohibiting pharmaceutical manufacturers from using identifiable patient
medical data for marketing purposes; prohibiting patient information
other than data necessary for treatment or the payment of claims to be
released by insurers unless the patient consents to "opt-in"; granting
individuals the right to access and obtain their medical records as well as
a means to amend or correct incomplete or inaccurate medical record
entries; granting patients the right to know how any entity is using their
medical information in the form of an easy-to-understand public notice from
that entity; granting non-identifiable personal medical information made
available for public health and research efforts; granting employers access
to nonindividually identifiable, encrypted and aggregated forms of medical
information regarding their employees' health care; granting employers
access to appropriate aggregate data to evaluate health care costs and
spending trends; granting the Texas Attorney General's Office
responsibility for enforcing this statute; and granting individuals legal
recourse to halt misuse and abuse.
RULEMAKING AUTHORITY
Rulemaking authority is expressly granted to the Texas Board of Health in
SECTION 1(Sections 181.054 and 181.105, Health and Safety Code) of this
Act.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Title 2, Health and Safety Code, by adding Subtitle I, as
follows:
SUBTITLE I. MEDICAL RECORDS
CHAPTER 181. MEDICAL RECORDS PRIVACY
SUBCHAPTER A. GENERAL PROVISIONS
Sec. 181.001. DEFINITIONS. Defines "administrative billing information,"
"audit trail," "clinical health record," "computerized records system," "
covered entity," "deidentified health information," "disclose," "disease
management," "health care delivery review," "health care facility," "health
care operations," "health care payer," "health care practitioner," "health
research," "health researcher," "payment," "protected health information,"
"reidentification," "sensitive health information," and "treatment."
Sec. 181.002. APPLICABILITY. Provides that this chapter does not affect the
confidentiality that another statute creates for any information.
Sec. 181.003. DELAYED EFFECT. Provides that a person is not required to
comply with this chapter before September 1, 2003. Provides that this
section expires September 1, 2003.
[Reserves Sections 181.004-181.050 for expansion.]
SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION
Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE. (a) Requires a covered
entity, except as provided by Subsection (b), to permit an individual who
is the subject of a clinical health record or the person's designee to
inspect and copy any clinical health record, except for any clinical health
record collected or created in the course of a clinical research trial,
that the entity maintains or controls and that relates to the individual.
Authorizes the covered entity to charge a reasonable fee for any copies.
Prohibits the fee from exceeding the covered entity's cost to copy the
record.
(b) Provides that a psychologist licensed under Chapter 501 (Psychologist),
Occupations Code, or a psychiatrist who is providing psychological or
psychiatric services to an individual is not required to permit the
individual to inspect or copy a personal diary containing protected health
information relating to the individual if the information contained in the
diary has not been disclosed to a person other than another psychologist or
psychiatrist for the specific purpose of clinical supervision conducted in
the regular course of treatment.
(c) Requires the covered entity to provide the requested information not
later than the 30th day after the date a covered entity receives a request
and payment under Subsection (a).
Sec. 181.052. DISCLOSURE OR USE OF PROTECTED HEALTH INFORMATION. (a)
Prohibits a covered entity from disclosing or using protected health
information except as authorized under this chapter.
(b) Prohibits a covered entity, except as otherwise provided by law, from
using or disclosing protected health information without obtaining the
informed consent of the individual who is the subject of the information.
(c) Prohibits a covered entity from using or requesting or requiring the
disclosure of more protected health information than is reasonably related
to the specific purpose that is stated in the informed consent or that is
otherwise authorized by law.
(d) Authorizes a covered entity, except as otherwise provided by law, to
use or disclose protected health information only for the purpose stated in
the informed consent.
(e) Authorizes a covered entity to disclose protected health information
without obtaining the informed consent of the individual who is the subject
of the information if the disclosure or use is necessary to perform health
care operations.
(f) Authorizes a covered entity to disclose protected health information
without obtaining the informed consent of the individual who is the subject
of the information if the disclosure is made in response to a subpoena in a
judicial or administrative proceeding.
(g) Authorizes a person who receives information made confidential by this
chapter to disclose the information only to the extent consistent with the
authorized uses stated in the informed consent.
Sec. 181.053. USE OF CLINICAL HEALTH RECORDS. (a) Provides that this
chapter, except as provided by Section 181.054, does not limit the ability
of a health care practitioner, a health care facility, a health care
payer, or a contractor of a health care payer to use protected health
information for certain purposes.
(b) Requires the covered entity using a clinical health record for any
purpose other than to deliver health care to the individual who is the
subject of the record to do so in certain specific ways.
Sec. 181.054. USE OF ADMINISTRATIVE BILLING INFORMATION. (a) Requires the
covered entity, with respect to administrative billing information used by
the entity, to:
_limit the use of administrative billing information that is not
deidentified to those employees, agents, or contractors who perform an
essential function;
_prohibit an employee, agent, or contractor from reidentifying an
individual who is the subject of any deidentified health information used,
received, or created by the employee, agent, or contractor unless otherwise
authorized by law;
_require that an employee, agent, or contractor use only the minimum
amount of administrative billing information that is necessary to
accomplish the specific function performed by the employee, agent, or
contractor;
_prohibit an employee, agent, or contractor from disclosing administrative
billing information to any other person except as otherwise authorized
under this chapter; and
_link, match, or index administrative billing information collected, held,
or maintained by other covered entities only if the entity has specific
informed consent.
(b) Authorizes a health care provider, a heath care facility, a health care
payer, or an employee, agent, or contractor of a provider, facility, or
payer to use administrative billing information without the informed
consent of the individual who is the subject of the information only if the
health care provider, facility, or payer follows certain guidelines.
(c) Requires the Texas Board of Health (board) to determine, by rule, which
employees, agents, or contractors perform an essential function under
Subsection (a).
Sec. 181.055. SENSITIVE HEALTH INFORMATION. (a) Requires a covered entity
to obtain separate informed consent documentation for the disclosure of
sensitive health information.
(b) Requires a covered entity to comply with a request from an individual
who is the subject of sensitive health information to restrict access
within the entity to the information. Authorizes a health care practitioner
or facility, if the practitioner or facility believes that restricting
access to the information may endanger the life or health of the subject,
to require the subject to sign an acknowledgment that the restriction is
against medical advice. Authorizes a covered entity to use any reasonable
means to restrict access to the information. Provides that this subsection
does not apply to administrative billing information.
(c) Prohibits an individual from restricting a health care provider's
access to sensitive health information under this section if the health
care provider is directly involved in the delivery of health care to the
individual.
(d) Prohibits a covered entity from withholding sensitive health
information requested under an informed consent document.
Sec. 181.056. DIRECTORY INFORMATION. (a) Authorizes a health care
practitioner or health care facility that provides inpatient services,
except as provided by Subsection (b), to disclose directory information
regarding an individual to any person under certain conditions.
(b) Prohibits a health care practitioner or health care facility from
releasing inpatient directory information without informed consent under
certain conditions.
Sec. 181.057. NEXT OF KIN. (a) Authorizes a health care practitioner or
health care facility to disclose, without the patient's consent, protected
health information regarding the health care provided to the patient in
certain situations.
(b) Provides that a health care practitioner or health care facility is not
liable for a disclosure made in good faith under Subsection (a).
Sec. 181.058. INFORMATION FOR RESEARCH. (a) Authorizes a covered entity to
disclose protected health information to a health researcher for the
purpose of conducting health research only in certain situations.
(b) Authorizes an institutional review board, ethics review board, or
privacy review board to grant a waiver or alteration of the informed
consent for the use of protected health information if the board meets
certain conditions.
(c) Authorizes an institutional review board, ethics review board, or
privacy review board, in determining whether to grant a waiver under
Subsection (b), to consider whether the health researcher is qualified for
and is likely to obtain a certificate of confidentiality form the U.S.
Department of Health and Human Services under Section 301(d), Public Health
Service Act (42 U.S.C. Section 241(d)).
(d) Authorizes the institutional review board, ethics review board, or
privacy review board to extend the date of destruction required by
Subsection (b) if the researcher demonstrates a continuing or new need for
protected health information for which the researcher would be qualified
for a waiver of informed consent in accordance with this section.
(e) Provides that a health researcher performing research on deidentified
health information is not required to obtain a waiver or alteration of the
informed consent.
(f) Provides that for the purposes of this section, if a health researcher
receives protected health information that is not deidentified, the health
information is considered deidentified health information if explicit or
commonly used identifiers are encrypted by the researcher at the earliest
opportunity and the encryption code or key is maintained by a person
authorized to have access to the information or an institutional review
board, ethics review board, or privacy review board acting in accordance
with this section.
(g) Requires documentation of findings by an institutional review board,
ethics review board, or privacy review board under this section to be made
available on request by the Texas Department of Health (department), the
office of the attorney general, and any individual whose protected health
information is disclosed or used under this section.
(h) Prohibits a health researcher from using or disclosing protected health
information for any purposes other than those specifically approved by the
institutional review board, ethics review board, or privacy review board
and directly related to the research being performed.
(i) Provides that protected and deidentified health information collected
or used under this section is immune from any compulsory legal process that
does not directly concern the research being performed.
Sec. 181.059. APPENDANT TO HEALTH RECORDS. (a) Authorizes an individual to
request in writing that a health care practitioner or health care facility
that is providing health care to the individual make an appendant to the
individual's clinical health record. Authorizes the health care
practitioner or health care facility to limit the length of the appendant
to two letter-sized pages.
(b) Requires the health care practitioner or health care facility, not
later then the 90th day after the date the practitioner or facility
receives a written request to make an appendant to the individual's
clinical health record, to take certain actions.
(c) Prohibits a health care practitioner or health care facility from
unreasonably refusing to make an appendant to a clinical health record.
(d) Requires the health care practitioner or health care facility, if the
practitioner or facility refuses to make an appendant to a clinical health
record, to comply with a reasonable request of the individual to include at
a relevant place in the record a statement from the individual regarding
the disputed information.
(e) Provides that for the purposes of Subsection (a), an appendant is
considered to have been made if the information disputed by the individual
has been supplemented by or replaced with appended information and the
information is clearly marked as appended.
(f) Requires a covered entity that receives clinical health records to
which an appendant has been made to take certain actions.
(g) Provides that this section does not apply to a clinical health record
that has not been used or disclosed during the seven years before the date
of the request to make the appendant to the record.
Sec. 181.060. REQUIRED NOTICE. (a) Requires a covered entity to provide
written notice to an individual of the entity's practices with respect to
protected health information. Requires the covered entity to provide the
individual with written notice of any change in the entity's practices with
respect to protected health information.
(b) Requires a notice under this section to meet certain criteria.
(c) Requires a covered entity, on written request by an individual, to
provide a list of the agents or contractors who ordinarily have direct
access to or use of protected health information that is not deidentified.
(d) Requires the board to develop and disseminate a model notice of
information practices of the type described by this section. Requires the
board, in adopting the model notice, to follow the same procedure the board
follows under Chapter 2001 (Administrative Procedure), Government Code, for
adopting a rule. Provides that any notice that conforms to the model
notice developed under this subsection is considered to meet the notice
requirements of this section.
Sec. 181.061. MARKETING AND EDUCATIONAL INFORMATION. (a) Prohibits a
covered entity from sending an individual who is the subject of protected
health information marketing material for a product related to the
treatment of the individual's medical condition.
(b) Authorizes a covered entity to send an individual who is the subject of
protected health information educational information related to the
individual's medical condition.
[Reserves Sections 181.062-181.100 for expansion.]
SUBCHAPTER C. HEALTH CARE PAYERS
Sec. 181.101. NOTICE TO INDIVIDUAL. Requires a health care payer, on
enrollment, to notify an individual who is the subject of protected health
information of certain information.
Sec. 181.102. CONTACT WITH PATIENT. (a) Prohibits a health care payer from
initiating contact with the subject of sensitive health information
regarding any disease management or other clinical intervention program
relating to the sensitive health condition until the sixth business day
after the date the health care payer notifies the health care practitioner
or facility that is treating the subject of the information of the health
care payer's intent to initiate contact.
(b) Authorizes a health care payer to send mail addressed to an individual
regarding any health topic, including generic material regarding sensitive
health information, if the material does not name or otherwise identify the
individual in the material sent.
Sec. 181.103. DISEASE MANAGEMENT PROGRAM. (a) Prohibits a health care payer
or employer from requiring as a condition of employment, health insurance,
or coverage or reimbursement for health care that an individual
participates in a disease management program or other clinical intervention
program.
(b) Provides that this section does not prevent a health care payer from
designating the manner of any specific benefit offered by the payer.
Sec. 181.104. CONSENT REQUIRED. Provides that, unless otherwise authorized
by law, informed consent provided by an enrollee or member in any health
plan is not valid as to anyone other than that enrollee or member.
Sec. 181.105. HEALTH CARE DELIVERY REVIEW. Authorizes a health care payer,
for the purposes of performing health care delivery review, to request
protected health information only if the information is essential for the
review. Prohibits health information collected for the performance of
health care delivery review from being used for any other purpose unless
otherwise authorized by law. Requires the board, by rule, to determine
what information is essential to perform a health care review.
[Reserves Sections 181.106-181.150 for expansion]
SUBCHAPTER D. INFORMED CONSENT
Sec. 181.151. FORM. (a) Requires informed consent required by this chapter
to be in writing and signed by the individual who is the subject of the
health information, the individual's legal guardian, or the individual's
agent under a medical power of attorney.
(b) Authorizes documentation of informed consent, for purposes of this
section, to be satisfied by the use of electronic signatures, computerized
informed consent documentation, or other technological means of recording
informed consent.
Sec. 181.152. CONTENT OF CONSENT. Requires the written informed consent to
meet certain specific conditions.
Sec. 181.153. EXPIRATION. (a) Provides that an informed consent for the use
of protected health information is valid until the expiration date or event
specified in the documentation or until it is revoked by the individual.
(b) Prohibits a person from coercing an individual to sign an informed
consent document.
Sec. 181.154. REVOCATION. Authorizes the subject of protected health
information to revoke or amend an informed consent at any time unless
certain specific actions have occurred.
Sec. 181.155. MODEL CONSENT. Requires the board to develop and distribute a
model informed consent form. Requires the board, in adopting the form, to
follow the same procedure the board follows under Chapter 2001, Government
Code. Provides that an informed consent obtained on a model form developed
or approved by the board is considered to meet the requirements of this
subchapter.
[Reserves Sections 181.156-181.200 for expansion.]
SUBCHAPTER E. PROHIBITED ACTS
Sec. 181.201. DEIDENTIFIED INFORMATION. Prohibits a person or governmental
entity, unless otherwise authorized by law, from identifying or attempting
to identify an individual who is the subject of any deidentified health
information.
Sec. 181.202. COERCED CONSENT. (a) Prohibits a covered entity from
conditioning the provision of health care to an individual on the provision
of an informed consent to use or disclose the information for any purpose
that is not essential and directly related to the purpose of providing
health care, performing health care delivery review, or administering or
paying a health care claim.
(b) Prohibits an employer from conditioning terms of employment on the
provision of informed consent to use or disclose any protected health
information that is not either deidentified or necessary and directly
related to the job duties performed by the individual.
Sec. 181.203. REFUSAL TO PROVIDE HEALTH CARE. Prohibits a person, except as
otherwise provided by law, from refusing to provide health care to an
individual who refuses to consent to the disclosure or use of protected
heath information as long as the individual is not requesting payment or
reimbursement for the health care form a third party.
[Reserves Sections 181.204-181.250 for expansion.]
SUBCHAPTER F. ENFORCEMENT
Sec. 181.251. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) Authorizes the attorney
general to institute an action for injunctive or declaratory relief to
restrain a violation of this chapter.
(b) Authorizes the attorney general, in addition to the injunctive relief
provided by Subsection (a), to institute an action for civil penalties
against a covered entity for a violation of this chapter. Prohibits a
civil penalty assessed under this section from exceeding $3,000 for each
violation.
(c) Authorizes the court, if the court in which an action under Subsection
(b) is pending, finds that the violations have occurred with a frequency as
to constitute a pattern or practice, to assess a civil penalty not to
exceed $250,000, and exclude the covered entity form participating in any
state-funded health care program.
(d) Authorizes the attorney general, if the attorney general substantially
prevails in an action for injunctive relief or a civil penalty under this
section, to recover reasonable attorney's fees, costs, and expenses
incurred obtaining the relief or penalty, including court costs and witness
fees.
Sec. 181.252. INDIVIDUAL INJUNCTIVE RELIEF; CIVIL CAUSE OF ACTION. (a)
Authorizes an individual who is aggrieved by a violation of this chapter to
institute an action against a covered entity for appropriate injunctive or
declaratory relief.
(b) Authorizes the individual to institute an action for civil damages.
Authorizes an individual who prevails in an action to recover the greater
of the individual's actual damages, or the liquidated damages in the amount
of $3,000, and punitive damages.
(c) Authorizes the individual, if the alleged violation involves sensitive
health information, to recover the greater of the individual's actual
damages, or liquidated damages in the amount of $10,000, and punitive
damages.
(d) Authorizes the court, if the individual is the prevailing party, to
award reasonable attorney's fees and other litigation costs and expenses
reasonably incurred, including expert fees.
(e) Requires a civil action brought under this section to be commenced not
later than three years after the date the cause of action accrues, or one
year after the date the cause of action was discovered but not longer than
five years after the date the cause of action accrued.
Sec. 181.253. CRIMINAL OFFENSE. (a) Provides that a person commits an
offense if the person knowingly uses, discloses, reidentifies, obtains, or
induces another to use, disclose, reidentify, or obtain protected health
information for commercial advantage or personal gain or to cause malicious
harm in violation of this chapter.
(b) Provides that an offense under this section is a state jail felony
unless the person committed the offense under false pretenses, in which
event the offense is a third degree felony.
Sec. 181.254. DISCIPLINARY ACTION. Provides that in addition to the
penalties prescribed by this chapter, a violation of this chapter by an
individual or facility that is licensed by an agency of this state is
subject to the same consequences as a violation of the licensing law
applicable to the individual or facility or of a rule adopted under the
licensing law.
Sec. 181.255. SOVEREIGN IMMUNITY. Provides that this chapter does not waive
sovereign immunity to suit or liability.
SECTION 2. Effective date: September 1, 2001.