SRC-MWN, JBJ C.S.S.B. 11 77(R)BILL ANALYSIS Senate Research CenterC.S.S.B. 11 77R9692 MCK-DBy: Nelson Business & Commerce 3/15/2001 Committee Report (Substituted) DIGEST AND PURPOSE C.S.S.B. 11 proposes parts of the recommendations contained in the Senate Health Services Committee's interim report. C.S.S.B 11 stipulates that a patient can only be marketed to with express written authorization; grants patients the right to access and append their inaccurate medical records; grants patients the right to know how an entity is using their medical information in the form of an easy to understand public notice; establishing privacy standards to be adopted within medical research based upon federally adopted guidelines. This bill provides the Texas Department of Insurance the authority to promulgate medical privacy rules for the insurance industry operating in Texas and prohibits any attempt to re-identify de-identified health information. C.S.S.B 11 also provides the attorney general the authority to sue to stop a violation, and provides individuals the right to sue to stop their information from being shared without permission. RULEMAKING AUTHORITY Rulemaking authority is expressly granted to the Texas Department of Health in SECTION 1 (Sections 181.004, 181.056, and 181.101, Health and Safety Code) of this bill. SECTION BY SECTION ANALYSIS SECTION 1. Amends Title 2, Health and Safety Code, by adding Subtitle I, as follows: SUBTITLE I. MEDICAL RECORDS CHAPTER 181. MEDICAL RECORDS PRIVACY SUBCHAPTER A. GENERAL PROVISIONS Sec. 181.001. DEFINITIONS. Defines "administrative billing information," "clinical health record," " covered entity," "disclose," "disease management," "financial institution," "health care entity," "health care facility," "health care operations," "health care payer," "health care practitioner," "Health Insurance Portability and Accountability Act and Privacy Standards," "health research," "health research," "payment," "person," "pharmaceutical company," "protected health information," "reidentification," and "treatment." Sec. 181.002. APPLICABILITY. Provides that this chapter does not affect the confidentiality that another statute creates for any information. Provides that this chapter does not apply to certain benefits, plans, or entities. Provides that this chapter controls to the extent that it is stricter than the provisions of the Health Insurance Portability and Accountability Act and Privacy Standards. Sec. 181.003. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS. Defines "financial institution." Provides that to the extent that a covered entity engages in activities of a financial institution, or authorizes, processes, clears, settles, bills, transfers, reconciles, or collects payments for a financial institution, this chapter and any rule adopted under this chapter does not apply to the covered entity with respect to those activities, including certain other conditions. Sec. 181.004. NONPROFIT AGENCIES. Requires the Texas Department of Health (TDH) to by rule exempt certain agencies or providers. [Reserves Sections 181.005-181.050 for expansion.] SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE. (a) Requires a covered entity or health care entity, with an exception, to permit an individual who is the subject of a clinical health record, the individual's designee, or another individual authorized by law to obtain an individual's clinical health record to inspect and copy any clinical health record, including records received from another health care entity or covered entity, except for any clinical health record collected or created in the course of a clinical research trial, that the entity maintains or controls and that relates to the individual. Authorizes the covered entity or health care entity to charge retrieval and copying fees as provided by law or regulation, or in the absence of a law or regulation, a reasonable fee. (b) Provides that a psychologist licensed under Chapter 501 (Psychologist), Occupations Code, or a psychiatrist or other physician who is providing psychological or psychiatric services to an individual is not required to permit the individual to inspect or copy a personal diary created by the psychologists, psychiatrist, or physician containing protected health information relating to the individual if the information contained in the diary has not been disclosed to a person other than another psychologist or psychiatrist or physician for the specific purpose of clinical supervision conducted in the regular course of treatment. (c) Provides that a health care practitioner is not required to permit an individual to inspect or copy the individual's clinical health record if the health care practitioner determines that access to the information would be harmful to the physical, mental, or emotional health of the individual. (d) Authorizes a health care practitioner to redact or otherwise prevent disclosure of confidential information about another individual or family member of the individual who has not consented to the release information, as otherwise provided by law. (e) Requires the covered entity or health care entity, not later than the 30th day after the date a covered entity or health care entity receives a request and payment, to provide the requested information. Sec. 181.052. APPENDANT OR AMENDMENT TO HEALTH RECORDS. Authorizes a health care entity, at the entity's discretion, to require that an appendant or amendment to an individual's clinical health record be designated as "a patient supplement." Sec. 181.053. DISCLOSING, USING, ACCESSING, OR OBTAINING PROTECTED HEALTH INFORMATION. (a) Prohibits a covered entity, except to carry out treatment, payment, or health care operations, from disclosing, using, accessing, or obtaining protected health information unless the individual who is the subject of the protected health information has provided certain authorization. (b) Prohibits a covered entity from using, accessing, requesting, or requiring the disclosure of more protected health information than is reasonably related to the specific purpose that is stated in the express written authorization. Prohibits a covered entity from refusing to provide protected health information requested by a health care practitioner for use in providing health care services. (c) Provides that a covered entity may disclose, access, or obtain protected health information only for the purpose stated in the express written authorization. (d) Authorizes a covered entity to disclose protected health information without obtaining the express written authorization of the individual if the disclosure is made in response to a subpoena in a judicial or administrative proceeding. (e) Prohibits a covered entity from conditioning services on the provision of express written authorization by the individual to disclose protected health information when the information is not directly related to the services being provided. Sec. 181.054. INFORMATION OR RESEARCH. (a) Authorizes a covered entity or health care entity to disclose protected health information to a person performing health research, regardless of the source of funding of the research, for the purpose of conducting health research, only if the person performing health research has obtained certain authorization. (b) Requires a privacy board to perform certain acts. (c) Authorizes a privacy board to grant a waiver of the express written authorization for the use of protected health information if the privacy board obtains certain documentation. (d) Requires a waiver to be signed by the presiding officer of the board or the presiding officer's designee. (e) Requires the privacy board to review the proposed research at a convened meeting at which a majority of the privacy board members are present, including at least one member who satisfies the requirements of Subsection (b)(2). Requires the waiver of express written authorization to be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure. Authorizes the privacy board to use an expedited review procedure only if the research involves no more than minimal risk to the privacy of the individual who is the subject of the protected health information of which use or disclosure os being sought. Authorizes the review and approval of the waiver of express written authorization, if the privacy board elects to use an expedited review procedure, to be made by the presiding officer of the privacy board or by one or more members of the privacy board as designated by the presiding officer. (f) Authorizes a covered entity or health care entity to disclose protected health information to a person performing health research if the covered entity or health care entity obtains from the person performing the health research representations that certain conditions are met. Sec. 181.055. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH AUTHORITY. Authorizes a covered entity to use or disclose protected health information without the express written authorization of the individual for certain necessary public health activities or to comply with the requirements of any federal or state health benefit program. Authorizes a covered entity to disclose protected health information to certain entities. Sec. 181.056. REQUIRED NOTICE. Requires a covered entity or health care entity conducting disease management or health care operations, on request, to provide written notice to an individual of the entity's practices with respect to its uses and disclosures of protected health information. Requires notice under this section to include certain information. Requires the TDH by rule to adopt a standardized notice of information practices. [Reserves Sections 181.057-181.100 for expansion.] SUBCHAPTER C. EXPRESS WRITTEN AUTHORIZATION Sec. 181.101. FORM. Requires express written authorization required by this chapter to be in writing and signed by certain individuals. Authorizes documentation of express written authorization, for purposes of this section, to be satisfied by the use of electronic signatures, computerized express written authorization documentation, or other technological means of recording express written authorization. Requires the TDH by rule to adopt standards regulating the content and form of the express written authorization. Sec. 181.102. EXPIRATION. Provides that an express written authorization to disclose, access, or use protected health information is valid until the expiration date or event specified in the documentation or until it is revoked by the individual. Prohibits a covered entity, except as provided by this section, coercing an individual to sign an express written authorization required under this chapter. Authorizes a person engaged in health research to require an individual's express written authorization to disclose protected health information as a condition of the individual's participation in the research. [Reserves Sections 181.103-181.150 for expansion] SUBCHAPTER D. PROHIBITED ACTS Sec. 181.151. REIDENTIFIED INFORMATION. Prohibits a person from reidentifying or attempting to reidentify an individual who is the subject of any protected health information without obtaining the individual's consent or authorization if required under this chapter or other state or federal law. Sec. 181.152. CONTACT FOR PURPOSES OF PROMOTION OR ADVERTISEMENT. Prohibits a covered entity or health entity from using, accessing, or disclosing the protected health information for the promotion or advertisement by any person or entity of specific products or services if the covered entity or health care entity receives, directly or indirectly, a financial incentive or remuneration from a third party for the use, access, or disclosure, without the express written authorization of the individual who is the subject of protected health information. Prohibits a covered entity from conditioning services upon receipt of required express written authorization for activities described in this section. Provides that "promotion or advertisement of specific products or services" does not include treatment, disease management, or health care operations, except that health care operations as defined by Section 181.001(9)(C) may be prohibited under this section. [Reserves Sections 181.153-181.200 for expansion.] SUBCHAPTER E. ENFORCEMENT Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. Authorizes the attorney general to institute an action for injunctive relief to restrain a violation of this chapter. Authorizes the attorney general, in addition to the injunctive relief provided by this section, to institute an action for civil penalties against a covered entity or health care entity for a violation of this chapter. Prohibits a civil penalty assessed under this section from exceeding $3,000 for each violation. Authorizes the court, if the court in which an action under this section is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, to assess a civil penalty not to exceed $250,000. Requires the court, if the attorney general substantially prevails in an action for injunctive relief or a civil penalty under this section, to award the attorney general reasonable attorney's fees, costs, and expenses incurred obtaining the relief of penalty, including court costs and witness fees. Sec. 181.202. INDIVIDUAL INJUNCTIVE RELIEF. Authorizes an individual who is aggrieved by a violation of this chapter to institute an action against a covered entity or health care entity for appropriate injunctive relief. Requires the court, if the individual is the prevailing party, to award reasonable attorney's fees and other litigation costs and expenses reasonably incurred. Sec. 181.203. SOVEREIGN IMMUNITY. Provides that this chapter does not waive sovereign immunity to suit or liability. SECTION 2. Amends Title 1, Insurance Code, by adding Chapter 28B, as follows: CHAPTER 28B. PRIVACY OF HEALTH INFORMATION SUBCHAPTER A. GENERAL PROVISIONS Art. 28B.01. DEFINITIONS. Defines "health information," "licensee," and "nonpublic personal health information." Art. 28B.02. PERSONALLY IDENTIFIABLE HEALTH INFORMATION: PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION. Requires a licensee to obtain an authorization to disclose any nonpublic personal health information before making such a disclosure. Authorizes the request for authorization required by this article to be in written or electronic form and requires it to specify certain information. Provides that the right of the consumer or customer to revoke an authorization at any time is subject to the rights of an individual who acted in reliance on the authorization before receiving notice of a revocation. Requires the licensee to retain the original or a copy of the authorization in the record of the individual who is the subject of the nonpublic personal health information. Art. 28B.03. DELIVERY OF AUTHORIZATION. Authorizes a request for authorization and an authorization form to be delivered to a consumer or a customer if the request and the authorization form are clear and conspicuous. Requires a license to include delivery of the authorization in a notice to the consumer or customer only if the licensee intended to disclose protected health information under this chapter. Art. 28B.04. EXCEPTIONS. Authorizes a licensee to disclose nonpublic personal health information to the extent that the disclosure is necessary to perform the certain insurance functions on behalf of that licensee. Sets forth listing of insurance functions. Art. 28B.05. EXCEPTION FOR COMPLIANCE WITH FEDERAL RULES. Provides that this subchapter does not apply to a licensee who complies with any standards governing the privacy of individually identifiable health information adopted by the United States Secretary of Health and Human Services under Section 262(a), Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d-1320d-8). Art. 28B.06. PROTECTION OF FAIR CREDIT REPORTING ACTS. Prohibits this chapter from being construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) and an inference from being drawn based on this chapter regarding whether information is transaction or experience information under Section 603 (15 U.S.C. Section 1681a). Provides that this chapter does not preempt or supersede a state law related to medical record, health, or insurance information privacy that is in effect on July 1, 2002. Art. 28B.07. VIOLATION; PENALTIES. Prohibits a licensee from knowingly or wilfully violating this chapter. Authorizes the TDH to investigate any alleged violation of this chapter and to impose fines and other sanctions as determined to be appropriate in accordance with Chapters 82 and84 of this code and the other insurance laws of this state. SECTION 3. (a) Effective date: Provides that Chapter 181, Health and safety Code, as added by this Act, takes effect September 1, 2003. (b) Effective date: Provides that Chapter 28B, Insurance Code, as added by this Act, takes effect January 1, 2002. (c) Authorizes the commissioner of insurance to delay the date for compliance with Chapter 28B, Insurance Code, as added by this Act, if the commissioner determines that an entity needs more time to establish policies and systems to comply with the requirements of that chapter. (d) Makes an authorization or consent granting access to an individual's health care records prospective. SUMMARY OF COMMITTEE CHANGES SECTION 1. Amends As Filed S.B. 11, Title 2, Health and Safety Code, as folows: _Amends the proposed defintions of "treatment," "protected health information," "payments," "health research," "health care payer," "admistrative billing information," "covered entity," "disclose," "disease management," and "health care provider." _Deletes definitions for "audit trail," "computerized records system," "deidentified health information," "health care delivery revirew," "health research," and "sensitive health informaton." _Adds definitions for "financial institution," "health care entity," "Health Insurance Portability and Acountability Act and Privacy Standards," "person," and "pharmaceutical company." _Adds new language to proposed Section 181.002 regarding what this chapter does not apply to. _Replaces proposed Section 181.003 (DELAYED EFFECT) with a new proposed section entitled PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS. _Adds Section 181.004 (NONPROFIT AGENICES). _Modifies Section 181.051 to require that a covered entity and a health care entity must allow certain persons to obtain an individual's clinical health record. _Replaces proposed Section 181.052 (DISCLOSURE OR USE OF PROTECTED HEALTH INFORMATION) with previous proposed Section 181.059 entitled APPENDANT OR AMENDMENT TO HEALTH RECORDS. _Replaces proposed Section 181.053 (USE OF CLINICAL HEALTH RECORDS) with a new proposed section entitled DISCLOSING, USING, ACCESSING, OR OBTAINING PROTECTED HEALTH INFORMATION. _Replaces proposed Section 181.054 (USE OF ADMINISTRATIVE BILLING INFORMATION) with a new proposed section entitled INFORMATON OR RESEARCH. _Replaces proposed Section 181.055 (SENSITIVE HEALTH INFORMATION) with a new proposed section entitled DISCLOSURE OF INFORMATION TO PUBLIC HEALTH AUTHORITY. _Replaces proposed Section 181.056 (DIRECTORY INFORMATION) with a new proposed section entitled REQUIRED NOTICE. _Deletes proposed Sections 181.057 (NEXT OF KIN), 181.058 (INFORMATION FOR RESEARCH), 181.059 (APPENDANT TO HEALTH RECORDS), 181.060 (REQUIRED NOTICE), and 181.061 (MARKETING AND EDUCATIONAL INFORMATION). _Replaces the previously proposed heading of SUBCHAPTER C (HEALTH CARE PAYERS) with EXPRESS WRITTEN AUTHORIZATION. _Replaces proposed Section 181.101 (NOTICE TO INDIVIDUAL) with a new proposed section entitled FORM. _Replaces proposed Section 181.102 (CONTACT WITH PATIENT) with a new proposed section enitled EXPIRATION. _Deletes proposed Sections 181.103 (DISEASE MANAGEMENT PROGRAM), 181.104 (CONSENT REQUIRED), and 181.105 (HEALTH CARE DELIVERY REVIEW). _Replaces the previously proposed heading of SUBCHAPTER D (INFORMED CONSENT) with PROHIBITED ACTS. _Replaces proposed Section 181.151 (FORM) with a new proposed section entitled REIDENTIFIES INFORMATION. _Replaces proposed Section 181.152 (CONTENT OF CONSENT) with a new proposed section entitled CONTACT FOR PURPOSES OF PROMOTION OR ADVERTISEMENT. _Deletes proposed Sections 181.153 (EXPIRATION), 181.154 (REVOCATION), and 181.155 (MODEL CONSENT). _Replaces the previously proposed heading of SUBCHAPTER E (PROHIBITED ACTS) with ENFORCEMENT. _Replaces proposed Section 181.201 (DEIDENTIFIED INFORMATION) with a new proposed section entitled INJUNCTIVE RELIEF; CIVIL PENALTY. _Replaces proposed Secton 181.202 (COERCED CONSENT) with a new propsed section entitled INDIVIDUAL INJUNCTIVE RELIEF. _Replaces proposed Section 181.203 (REFUSAL TO PROVIDE HEALTH CARE) with a new proposed section entitled SOVERIEGN IMMUNITY. _Deletes previously proposed SUBCHAPTER F (ENFORCEMENT). _Deletes proposed Sections 181.251 (INJUNCTIVE RELIEF; CIVIL PENALTY), 181.252 (INDIVIDUAL INJUNCTIVE RELIEF; CIVIL CAUSE OF ACTION), 181.253 (CRIMINAL OFFENSE), and 181.254 (DISCIPLINARY ACTION). SECTION 2. Adds a new proposed CHAPTER 28B (PRIVACY OF HEALTH INFORMATION) applicable to entities licensed by the Texas Department of Insurance. SECTION 3. Effective date. Renumbered from SECTION 2.