SRC-MWN, JBJ S.B. 11 77(R) BILL ANALYSIS Senate Research Center S.B. 11 77R523 MCK-FBy: Nelson Business & Commerce 3/1/2001 As Filed DIGEST AND PURPOSE Currently, employers are authorized to use employee health care data to track worker compensation claims and overall health care costs incurred by employees. As proposed, S.B. 11 proposes recommendations contained in the Senate Health Services Committee's interim report. Those proposals include prohibiting pharmaceutical manufacturers from using identifiable patient medical data for marketing purposes; prohibiting patient information other than data necessary for treatment or the payment of claims to be released by insurers unless the patient consents to "opt-in"; granting individuals the right to access and obtain their medical records as well as a means to amend or correct incomplete or inaccurate medical record entries; granting patients the right to know how any entity is using their medical information in the form of an easy-to-understand public notice from that entity; granting non-identifiable personal medical information made available for public health and research efforts; granting employers access to nonindividually identifiable, encrypted and aggregated forms of medical information regarding their employees' health care; granting employers access to appropriate aggregate data to evaluate health care costs and spending trends; granting the Texas Attorney General's Office responsibility for enforcing this statute; and granting individuals legal recourse to halt misuse and abuse. RULEMAKING AUTHORITY Rulemaking authority is expressly granted to the Texas Board of Health in SECTION 1(Sections 181.054 and 181.105, Health and Safety Code) of this Act. SECTION BY SECTION ANALYSIS SECTION 1. Amends Title 2, Health and Safety Code, by adding Subtitle I, as follows: SUBTITLE I. MEDICAL RECORDS CHAPTER 181. MEDICAL RECORDS PRIVACY SUBCHAPTER A. GENERAL PROVISIONS Sec. 181.001. DEFINITIONS. Defines "administrative billing information," "audit trail," "clinical health record," "computerized records system," " covered entity," "deidentified health information," "disclose," "disease management," "health care delivery review," "health care facility," "health care operations," "health care payer," "health care practitioner," "health research," "health researcher," "payment," "protected health information," "reidentification," "sensitive health information," and "treatment." Sec. 181.002. APPLICABILITY. Provides that this chapter does not affect the confidentiality that another statute creates for any information. Sec. 181.003. DELAYED EFFECT. Provides that a person is not required to comply with this chapter before September 1, 2003. Provides that this section expires September 1, 2003. [Reserves Sections 181.004-181.050 for expansion.] SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE. (a) Requires a covered entity, except as provided by Subsection (b), to permit an individual who is the subject of a clinical health record or the person's designee to inspect and copy any clinical health record, except for any clinical health record collected or created in the course of a clinical research trial, that the entity maintains or controls and that relates to the individual. Authorizes the covered entity to charge a reasonable fee for any copies. Prohibits the fee from exceeding the covered entity's cost to copy the record. (b) Provides that a psychologist licensed under Chapter 501 (Psychologist), Occupations Code, or a psychiatrist who is providing psychological or psychiatric services to an individual is not required to permit the individual to inspect or copy a personal diary containing protected health information relating to the individual if the information contained in the diary has not been disclosed to a person other than another psychologist or psychiatrist for the specific purpose of clinical supervision conducted in the regular course of treatment. (c) Requires the covered entity to provide the requested information not later than the 30th day after the date a covered entity receives a request and payment under Subsection (a). Sec. 181.052. DISCLOSURE OR USE OF PROTECTED HEALTH INFORMATION. (a) Prohibits a covered entity from disclosing or using protected health information except as authorized under this chapter. (b) Prohibits a covered entity, except as otherwise provided by law, from using or disclosing protected health information without obtaining the informed consent of the individual who is the subject of the information. (c) Prohibits a covered entity from using or requesting or requiring the disclosure of more protected health information than is reasonably related to the specific purpose that is stated in the informed consent or that is otherwise authorized by law. (d) Authorizes a covered entity, except as otherwise provided by law, to use or disclose protected health information only for the purpose stated in the informed consent. (e) Authorizes a covered entity to disclose protected health information without obtaining the informed consent of the individual who is the subject of the information if the disclosure or use is necessary to perform health care operations. (f) Authorizes a covered entity to disclose protected health information without obtaining the informed consent of the individual who is the subject of the information if the disclosure is made in response to a subpoena in a judicial or administrative proceeding. (g) Authorizes a person who receives information made confidential by this chapter to disclose the information only to the extent consistent with the authorized uses stated in the informed consent. Sec. 181.053. USE OF CLINICAL HEALTH RECORDS. (a) Provides that this chapter, except as provided by Section 181.054, does not limit the ability of a health care practitioner, a health care facility, a health care payer, or a contractor of a health care payer to use protected health information for certain purposes. (b) Requires the covered entity using a clinical health record for any purpose other than to deliver health care to the individual who is the subject of the record to do so in certain specific ways. Sec. 181.054. USE OF ADMINISTRATIVE BILLING INFORMATION. (a) Requires the covered entity, with respect to administrative billing information used by the entity, to: _limit the use of administrative billing information that is not deidentified to those employees, agents, or contractors who perform an essential function; _prohibit an employee, agent, or contractor from reidentifying an individual who is the subject of any deidentified health information used, received, or created by the employee, agent, or contractor unless otherwise authorized by law; _require that an employee, agent, or contractor use only the minimum amount of administrative billing information that is necessary to accomplish the specific function performed by the employee, agent, or contractor; _prohibit an employee, agent, or contractor from disclosing administrative billing information to any other person except as otherwise authorized under this chapter; and _link, match, or index administrative billing information collected, held, or maintained by other covered entities only if the entity has specific informed consent. (b) Authorizes a health care provider, a heath care facility, a health care payer, or an employee, agent, or contractor of a provider, facility, or payer to use administrative billing information without the informed consent of the individual who is the subject of the information only if the health care provider, facility, or payer follows certain guidelines. (c) Requires the Texas Board of Health (board) to determine, by rule, which employees, agents, or contractors perform an essential function under Subsection (a). Sec. 181.055. SENSITIVE HEALTH INFORMATION. (a) Requires a covered entity to obtain separate informed consent documentation for the disclosure of sensitive health information. (b) Requires a covered entity to comply with a request from an individual who is the subject of sensitive health information to restrict access within the entity to the information. Authorizes a health care practitioner or facility, if the practitioner or facility believes that restricting access to the information may endanger the life or health of the subject, to require the subject to sign an acknowledgment that the restriction is against medical advice. Authorizes a covered entity to use any reasonable means to restrict access to the information. Provides that this subsection does not apply to administrative billing information. (c) Prohibits an individual from restricting a health care provider's access to sensitive health information under this section if the health care provider is directly involved in the delivery of health care to the individual. (d) Prohibits a covered entity from withholding sensitive health information requested under an informed consent document. Sec. 181.056. DIRECTORY INFORMATION. (a) Authorizes a health care practitioner or health care facility that provides inpatient services, except as provided by Subsection (b), to disclose directory information regarding an individual to any person under certain conditions. (b) Prohibits a health care practitioner or health care facility from releasing inpatient directory information without informed consent under certain conditions. Sec. 181.057. NEXT OF KIN. (a) Authorizes a health care practitioner or health care facility to disclose, without the patient's consent, protected health information regarding the health care provided to the patient in certain situations. (b) Provides that a health care practitioner or health care facility is not liable for a disclosure made in good faith under Subsection (a). Sec. 181.058. INFORMATION FOR RESEARCH. (a) Authorizes a covered entity to disclose protected health information to a health researcher for the purpose of conducting health research only in certain situations. (b) Authorizes an institutional review board, ethics review board, or privacy review board to grant a waiver or alteration of the informed consent for the use of protected health information if the board meets certain conditions. (c) Authorizes an institutional review board, ethics review board, or privacy review board, in determining whether to grant a waiver under Subsection (b), to consider whether the health researcher is qualified for and is likely to obtain a certificate of confidentiality form the U.S. Department of Health and Human Services under Section 301(d), Public Health Service Act (42 U.S.C. Section 241(d)). (d) Authorizes the institutional review board, ethics review board, or privacy review board to extend the date of destruction required by Subsection (b) if the researcher demonstrates a continuing or new need for protected health information for which the researcher would be qualified for a waiver of informed consent in accordance with this section. (e) Provides that a health researcher performing research on deidentified health information is not required to obtain a waiver or alteration of the informed consent. (f) Provides that for the purposes of this section, if a health researcher receives protected health information that is not deidentified, the health information is considered deidentified health information if explicit or commonly used identifiers are encrypted by the researcher at the earliest opportunity and the encryption code or key is maintained by a person authorized to have access to the information or an institutional review board, ethics review board, or privacy review board acting in accordance with this section. (g) Requires documentation of findings by an institutional review board, ethics review board, or privacy review board under this section to be made available on request by the Texas Department of Health (department), the office of the attorney general, and any individual whose protected health information is disclosed or used under this section. (h) Prohibits a health researcher from using or disclosing protected health information for any purposes other than those specifically approved by the institutional review board, ethics review board, or privacy review board and directly related to the research being performed. (i) Provides that protected and deidentified health information collected or used under this section is immune from any compulsory legal process that does not directly concern the research being performed. Sec. 181.059. APPENDANT TO HEALTH RECORDS. (a) Authorizes an individual to request in writing that a health care practitioner or health care facility that is providing health care to the individual make an appendant to the individual's clinical health record. Authorizes the health care practitioner or health care facility to limit the length of the appendant to two letter-sized pages. (b) Requires the health care practitioner or health care facility, not later then the 90th day after the date the practitioner or facility receives a written request to make an appendant to the individual's clinical health record, to take certain actions. (c) Prohibits a health care practitioner or health care facility from unreasonably refusing to make an appendant to a clinical health record. (d) Requires the health care practitioner or health care facility, if the practitioner or facility refuses to make an appendant to a clinical health record, to comply with a reasonable request of the individual to include at a relevant place in the record a statement from the individual regarding the disputed information. (e) Provides that for the purposes of Subsection (a), an appendant is considered to have been made if the information disputed by the individual has been supplemented by or replaced with appended information and the information is clearly marked as appended. (f) Requires a covered entity that receives clinical health records to which an appendant has been made to take certain actions. (g) Provides that this section does not apply to a clinical health record that has not been used or disclosed during the seven years before the date of the request to make the appendant to the record. Sec. 181.060. REQUIRED NOTICE. (a) Requires a covered entity to provide written notice to an individual of the entity's practices with respect to protected health information. Requires the covered entity to provide the individual with written notice of any change in the entity's practices with respect to protected health information. (b) Requires a notice under this section to meet certain criteria. (c) Requires a covered entity, on written request by an individual, to provide a list of the agents or contractors who ordinarily have direct access to or use of protected health information that is not deidentified. (d) Requires the board to develop and disseminate a model notice of information practices of the type described by this section. Requires the board, in adopting the model notice, to follow the same procedure the board follows under Chapter 2001 (Administrative Procedure), Government Code, for adopting a rule. Provides that any notice that conforms to the model notice developed under this subsection is considered to meet the notice requirements of this section. Sec. 181.061. MARKETING AND EDUCATIONAL INFORMATION. (a) Prohibits a covered entity from sending an individual who is the subject of protected health information marketing material for a product related to the treatment of the individual's medical condition. (b) Authorizes a covered entity to send an individual who is the subject of protected health information educational information related to the individual's medical condition. [Reserves Sections 181.062-181.100 for expansion.] SUBCHAPTER C. HEALTH CARE PAYERS Sec. 181.101. NOTICE TO INDIVIDUAL. Requires a health care payer, on enrollment, to notify an individual who is the subject of protected health information of certain information. Sec. 181.102. CONTACT WITH PATIENT. (a) Prohibits a health care payer from initiating contact with the subject of sensitive health information regarding any disease management or other clinical intervention program relating to the sensitive health condition until the sixth business day after the date the health care payer notifies the health care practitioner or facility that is treating the subject of the information of the health care payer's intent to initiate contact. (b) Authorizes a health care payer to send mail addressed to an individual regarding any health topic, including generic material regarding sensitive health information, if the material does not name or otherwise identify the individual in the material sent. Sec. 181.103. DISEASE MANAGEMENT PROGRAM. (a) Prohibits a health care payer or employer from requiring as a condition of employment, health insurance, or coverage or reimbursement for health care that an individual participates in a disease management program or other clinical intervention program. (b) Provides that this section does not prevent a health care payer from designating the manner of any specific benefit offered by the payer. Sec. 181.104. CONSENT REQUIRED. Provides that, unless otherwise authorized by law, informed consent provided by an enrollee or member in any health plan is not valid as to anyone other than that enrollee or member. Sec. 181.105. HEALTH CARE DELIVERY REVIEW. Authorizes a health care payer, for the purposes of performing health care delivery review, to request protected health information only if the information is essential for the review. Prohibits health information collected for the performance of health care delivery review from being used for any other purpose unless otherwise authorized by law. Requires the board, by rule, to determine what information is essential to perform a health care review. [Reserves Sections 181.106-181.150 for expansion] SUBCHAPTER D. INFORMED CONSENT Sec. 181.151. FORM. (a) Requires informed consent required by this chapter to be in writing and signed by the individual who is the subject of the health information, the individual's legal guardian, or the individual's agent under a medical power of attorney. (b) Authorizes documentation of informed consent, for purposes of this section, to be satisfied by the use of electronic signatures, computerized informed consent documentation, or other technological means of recording informed consent. Sec. 181.152. CONTENT OF CONSENT. Requires the written informed consent to meet certain specific conditions. Sec. 181.153. EXPIRATION. (a) Provides that an informed consent for the use of protected health information is valid until the expiration date or event specified in the documentation or until it is revoked by the individual. (b) Prohibits a person from coercing an individual to sign an informed consent document. Sec. 181.154. REVOCATION. Authorizes the subject of protected health information to revoke or amend an informed consent at any time unless certain specific actions have occurred. Sec. 181.155. MODEL CONSENT. Requires the board to develop and distribute a model informed consent form. Requires the board, in adopting the form, to follow the same procedure the board follows under Chapter 2001, Government Code. Provides that an informed consent obtained on a model form developed or approved by the board is considered to meet the requirements of this subchapter. [Reserves Sections 181.156-181.200 for expansion.] SUBCHAPTER E. PROHIBITED ACTS Sec. 181.201. DEIDENTIFIED INFORMATION. Prohibits a person or governmental entity, unless otherwise authorized by law, from identifying or attempting to identify an individual who is the subject of any deidentified health information. Sec. 181.202. COERCED CONSENT. (a) Prohibits a covered entity from conditioning the provision of health care to an individual on the provision of an informed consent to use or disclose the information for any purpose that is not essential and directly related to the purpose of providing health care, performing health care delivery review, or administering or paying a health care claim. (b) Prohibits an employer from conditioning terms of employment on the provision of informed consent to use or disclose any protected health information that is not either deidentified or necessary and directly related to the job duties performed by the individual. Sec. 181.203. REFUSAL TO PROVIDE HEALTH CARE. Prohibits a person, except as otherwise provided by law, from refusing to provide health care to an individual who refuses to consent to the disclosure or use of protected heath information as long as the individual is not requesting payment or reimbursement for the health care form a third party. [Reserves Sections 181.204-181.250 for expansion.] SUBCHAPTER F. ENFORCEMENT Sec. 181.251. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) Authorizes the attorney general to institute an action for injunctive or declaratory relief to restrain a violation of this chapter. (b) Authorizes the attorney general, in addition to the injunctive relief provided by Subsection (a), to institute an action for civil penalties against a covered entity for a violation of this chapter. Prohibits a civil penalty assessed under this section from exceeding $3,000 for each violation. (c) Authorizes the court, if the court in which an action under Subsection (b) is pending, finds that the violations have occurred with a frequency as to constitute a pattern or practice, to assess a civil penalty not to exceed $250,000, and exclude the covered entity form participating in any state-funded health care program. (d) Authorizes the attorney general, if the attorney general substantially prevails in an action for injunctive relief or a civil penalty under this section, to recover reasonable attorney's fees, costs, and expenses incurred obtaining the relief or penalty, including court costs and witness fees. Sec. 181.252. INDIVIDUAL INJUNCTIVE RELIEF; CIVIL CAUSE OF ACTION. (a) Authorizes an individual who is aggrieved by a violation of this chapter to institute an action against a covered entity for appropriate injunctive or declaratory relief. (b) Authorizes the individual to institute an action for civil damages. Authorizes an individual who prevails in an action to recover the greater of the individual's actual damages, or the liquidated damages in the amount of $3,000, and punitive damages. (c) Authorizes the individual, if the alleged violation involves sensitive health information, to recover the greater of the individual's actual damages, or liquidated damages in the amount of $10,000, and punitive damages. (d) Authorizes the court, if the individual is the prevailing party, to award reasonable attorney's fees and other litigation costs and expenses reasonably incurred, including expert fees. (e) Requires a civil action brought under this section to be commenced not later than three years after the date the cause of action accrues, or one year after the date the cause of action was discovered but not longer than five years after the date the cause of action accrued. Sec. 181.253. CRIMINAL OFFENSE. (a) Provides that a person commits an offense if the person knowingly uses, discloses, reidentifies, obtains, or induces another to use, disclose, reidentify, or obtain protected health information for commercial advantage or personal gain or to cause malicious harm in violation of this chapter. (b) Provides that an offense under this section is a state jail felony unless the person committed the offense under false pretenses, in which event the offense is a third degree felony. Sec. 181.254. DISCIPLINARY ACTION. Provides that in addition to the penalties prescribed by this chapter, a violation of this chapter by an individual or facility that is licensed by an agency of this state is subject to the same consequences as a violation of the licensing law applicable to the individual or facility or of a rule adopted under the licensing law. Sec. 181.255. SOVEREIGN IMMUNITY. Provides that this chapter does not waive sovereign immunity to suit or liability. SECTION 2. Effective date: September 1, 2001.