SRC-MWN, JBJ C.S.S.B. 11 77(R)BILL ANALYSIS
            

Senate Research CenterC.S.S.B. 11
77R9692 MCK-DBy: Nelson
Business & Commerce
3/15/2001
Committee Report (Substituted)


DIGEST AND PURPOSE 

C.S.S.B. 11 proposes parts of the recommendations contained in the Senate
Health Services Committee's interim report. C.S.S.B 11 stipulates that a
patient can only be marketed to with express written authorization; grants
patients the right to access and append their inaccurate medical records;
grants patients the right to know how an entity is using their medical
information in the form of an easy to understand public notice;
establishing privacy standards to be adopted within medical research based
upon federally adopted guidelines. This bill provides the Texas Department
of Insurance the authority to promulgate medical privacy rules for the
insurance industry operating in Texas and prohibits any attempt to
re-identify de-identified health information. C.S.S.B 11 also provides the
attorney general the authority to sue to stop a violation, and provides
individuals the right to sue to stop their information from being shared
without permission. 

RULEMAKING AUTHORITY

Rulemaking authority is expressly granted to the Texas Department of Health
in SECTION 1 (Sections 181.004, 181.056, and 181.101, Health and Safety
Code) of this bill. 

SECTION BY SECTION ANALYSIS

SECTION 1. Amends Title 2, Health and Safety Code, by adding Subtitle I, as
follows: 

SUBTITLE I. MEDICAL RECORDS
CHAPTER 181. MEDICAL RECORDS PRIVACY
SUBCHAPTER A. GENERAL PROVISIONS

Sec. 181.001. DEFINITIONS.  Defines "administrative billing information,"
"clinical health record," " covered entity," "disclose," "disease
management," "financial institution," "health care entity," "health care
facility," "health care operations," "health care payer," "health care
practitioner," "Health Insurance Portability and Accountability Act and
Privacy Standards," "health research," "health research," "payment,"
"person," "pharmaceutical company," "protected health information,"
"reidentification," and  "treatment." 

Sec. 181.002. APPLICABILITY. Provides that this chapter does not affect the
confidentiality that another statute creates for any information. Provides
that this chapter does not apply to certain benefits, plans, or entities.
Provides that this chapter controls to the extent that it is stricter than
the provisions of the Health Insurance Portability and Accountability Act
and Privacy Standards. 

Sec. 181.003. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS.
Defines "financial institution." Provides that to the extent that a covered
entity engages in activities of a financial institution, or authorizes,
processes, clears, settles, bills, transfers, reconciles, or collects
payments for a financial institution, this chapter and any rule adopted
under this chapter does not apply to the covered entity with respect to
those activities, including certain other conditions. 
 
Sec. 181.004. NONPROFIT AGENCIES. Requires the Texas Department of Health
(TDH) to by rule exempt certain agencies or providers. 

[Reserves Sections 181.005-181.050 for expansion.]

SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION

Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE.  (a) Requires a covered
entity or health care entity, with an exception, to permit an individual
who is the subject of a clinical health record, the individual's designee,
or another individual authorized by law to obtain an individual's clinical
health record  to inspect and copy any clinical health record, including
records received from another health care entity or covered entity, except
for any clinical health record collected or created in the course of a
clinical research trial, that the entity maintains or controls and that
relates to the individual. Authorizes the covered entity or health care
entity to charge retrieval and copying fees as provided by law or
regulation, or in the absence of a law or regulation, a reasonable fee.  

(b) Provides that a psychologist licensed under Chapter 501 (Psychologist),
Occupations Code, or a psychiatrist or other physician who is providing
psychological or psychiatric services to an individual is not required to
permit the individual to inspect or copy a personal diary created by the
psychologists, psychiatrist, or physician containing protected health
information relating to the individual if the information contained in the
diary has not been disclosed to a person other than another psychologist or
psychiatrist or physician for the specific purpose of clinical supervision
conducted in the regular course of treatment.  

 (c) Provides that a health care practitioner is not required to permit an
individual to inspect or copy the individual's clinical health record if
the health care practitioner determines that access to the information
would be harmful to the physical, mental, or emotional health of the
individual.  

(d) Authorizes a health care practitioner to redact or otherwise prevent
disclosure of confidential information about another individual or family
member of the individual who has not consented to the release  information,
as otherwise provided by law.  

(e) Requires the covered entity or health care entity, not later than the
30th day after the date a covered entity or health care entity receives a
request and payment, to provide the requested information. 

Sec. 181.052. APPENDANT OR AMENDMENT TO HEALTH RECORDS. Authorizes a health
care entity, at the entity's discretion, to require that an appendant or
amendment to an individual's clinical health record be designated as "a
patient supplement."  

Sec. 181.053. DISCLOSING, USING, ACCESSING, OR OBTAINING PROTECTED HEALTH
INFORMATION. (a) Prohibits a covered entity, except to carry out treatment,
payment, or health care operations, from disclosing, using, accessing, or
obtaining protected health information unless the individual who is the
subject of the protected health information has provided certain
authorization.  

(b) Prohibits a covered entity from using, accessing, requesting, or
requiring the disclosure of more protected health information than is
reasonably related to the specific purpose that is stated in the express
written authorization. Prohibits a covered entity from refusing to provide
protected health information requested by a health care practitioner for
use in providing health care services. 

(c) Provides that a covered entity may disclose, access, or obtain
protected health information  only for the purpose stated in the express
written authorization.  

(d) Authorizes a covered entity to disclose protected health information
without obtaining the express written authorization of the individual if
the disclosure is made in response to a subpoena in a judicial or
administrative proceeding.  

(e) Prohibits a covered entity from conditioning services on the provision
of express written authorization by the individual to disclose protected
health information when the information is not directly related to the
services being provided. 

Sec. 181.054. INFORMATION OR RESEARCH. (a) Authorizes a covered entity or
health care entity to disclose protected health information to a person
performing health research, regardless of the source of funding of the
research, for the purpose of conducting health research, only if the person
performing health research has obtained certain authorization.  

 (b) Requires a privacy board to perform certain acts. 

(c) Authorizes a privacy board to grant a waiver of the express written
authorization for the use of protected health information if the privacy
board obtains certain documentation.  

(d) Requires a waiver to be signed by the presiding officer of the board or
the presiding officer's designee.  

(e) Requires the privacy board to review the proposed research at a
convened meeting at which a majority of the privacy board members are
present, including at least one member who satisfies the requirements of
Subsection (b)(2). Requires the waiver of express written authorization to
be approved by the majority of the privacy board members present at the
meeting, unless the privacy board elects to use an expedited review
procedure. Authorizes the privacy board to use an expedited review
procedure only if the research involves no more than minimal risk to the
privacy of the individual who is the subject of the protected health
information of which use or disclosure os being sought. Authorizes the
review and approval of the waiver of express written authorization, if the
privacy board elects to use an expedited review procedure, to be made by
the presiding officer of the privacy board or by one or more members of the
privacy board as designated by the presiding officer.  

(f) Authorizes a covered entity or health care entity to disclose protected
health information to a person performing health research if the covered
entity or health care entity obtains from the person performing the health
research representations that certain conditions are met.  

Sec. 181.055. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH AUTHORITY.
Authorizes a covered entity to use or disclose protected health information
without the express written authorization of the individual for certain
necessary public health activities or to comply with the requirements of
any federal or state health benefit program. Authorizes a covered entity to
disclose protected health information to certain entities. 

Sec. 181.056. REQUIRED NOTICE. Requires a covered entity or health care
entity conducting disease management or health care operations, on request,
to provide written notice to an individual of the entity's practices with
respect to its uses and disclosures of protected health information.
Requires notice under this section to include certain information. Requires
the TDH by rule to adopt a standardized notice of information practices.  

[Reserves Sections 181.057-181.100 for expansion.]

SUBCHAPTER C. EXPRESS WRITTEN AUTHORIZATION
 
 Sec. 181.101. FORM. Requires express written authorization required by
this chapter to be in writing and signed by certain individuals. Authorizes
documentation of express written authorization, for purposes of this
section, to be satisfied by the use of electronic signatures, computerized
express written authorization documentation, or other technological means
of recording express written authorization. Requires the TDH by rule to
adopt standards regulating the content and form of the express written
authorization. 

Sec. 181.102. EXPIRATION. Provides that an express written authorization to
disclose, access, or use protected health information is valid until the
expiration date or event specified in the documentation or until it is
revoked by the individual. Prohibits a covered entity, except as provided
by this section, coercing an individual to sign an express written
authorization required under this chapter. Authorizes a person engaged in
health research to require an individual's express written authorization to
disclose protected health information as a condition of the individual's
participation in the research.   

[Reserves Sections 181.103-181.150 for expansion]

SUBCHAPTER D. PROHIBITED ACTS

Sec. 181.151. REIDENTIFIED INFORMATION. Prohibits a person from
reidentifying or attempting to reidentify an individual who is the subject
of any protected health information without obtaining the individual's
consent or authorization if required under this chapter or other state or
federal law. 

Sec. 181.152. CONTACT FOR PURPOSES OF PROMOTION OR ADVERTISEMENT. Prohibits
a covered entity or health entity from using, accessing, or disclosing the
protected health information for the promotion or advertisement by any
person or entity of specific products or services if the covered entity or
health care entity receives, directly or indirectly, a financial incentive
or remuneration from a third party for the use, access, or disclosure,
without the express written authorization of the individual who is the
subject of protected health information. Prohibits a covered entity from
conditioning services upon receipt of required express written
authorization for activities described in this section. Provides that
"promotion or advertisement of specific products or services" does not
include treatment, disease management, or health care operations, except
that health care operations as defined by Section 181.001(9)(C) may be
prohibited under this section. 
 
[Reserves Sections 181.153-181.200 for expansion.]

SUBCHAPTER E. ENFORCEMENT

Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. Authorizes the attorney
general to institute an action for injunctive relief to restrain a
violation of this chapter. Authorizes the attorney general, in addition to
the injunctive relief provided by this section, to institute an action for
civil penalties against a covered entity or health care entity for a
violation of this chapter. Prohibits a civil penalty assessed under this
section from exceeding $3,000 for each violation. Authorizes the court, if
the court in which an action under this section is pending finds that the
violations have occurred with a frequency as to constitute a pattern or
practice, to assess a civil penalty not to exceed $250,000. Requires the
court, if the attorney general substantially prevails in an action for
injunctive relief or a civil penalty under this section, to award the
attorney general reasonable attorney's fees, costs, and expenses incurred
obtaining the relief of penalty, including court costs and witness fees.  

Sec. 181.202. INDIVIDUAL INJUNCTIVE RELIEF. Authorizes an individual who is
aggrieved by a violation of this chapter to institute an action against a
covered entity or health care entity for appropriate injunctive relief.
Requires the court, if the individual is the prevailing  party, to award
reasonable attorney's fees and other litigation costs and expenses
reasonably incurred.  

Sec. 181.203. SOVEREIGN IMMUNITY. Provides that this chapter does not waive
sovereign immunity to suit or liability. 

SECTION 2. Amends Title 1, Insurance Code, by adding Chapter 28B, as
follows: 

CHAPTER 28B. PRIVACY OF HEALTH INFORMATION

SUBCHAPTER A. GENERAL PROVISIONS

Art. 28B.01. DEFINITIONS. Defines "health information," "licensee," and
"nonpublic personal health information." 

Art. 28B.02. PERSONALLY IDENTIFIABLE HEALTH INFORMATION: PRIVACY NOTICE AND
DISCLOSURE AUTHORIZATION. Requires a licensee to obtain an authorization to
disclose any nonpublic personal health information before making such a
disclosure. Authorizes the request for authorization required by this
article to be in written or electronic form and requires it to specify
certain information. Provides that the right of the consumer or customer to
revoke an authorization at any time is subject to the rights of an
individual who acted in reliance on the authorization before receiving
notice of a revocation. Requires the licensee to retain the original or a
copy of the authorization in the record of the individual who is the
subject of the nonpublic personal health information. 

Art. 28B.03. DELIVERY OF AUTHORIZATION. Authorizes a request for
authorization and an authorization form to be delivered to a consumer or a
customer if the request and the authorization form are clear and
conspicuous. Requires a license to include delivery of the authorization in
a notice to the consumer or customer only if the licensee intended to
disclose protected health information under this chapter. 

Art. 28B.04. EXCEPTIONS. Authorizes a licensee to disclose nonpublic
personal health information to the extent that the disclosure is necessary
to perform the certain insurance functions on behalf of that licensee. Sets
forth listing of insurance functions. 

Art. 28B.05. EXCEPTION FOR COMPLIANCE WITH FEDERAL RULES. Provides that
this subchapter does not apply to a licensee who complies with any
standards governing the privacy of individually identifiable health
information adopted by the United States Secretary of Health and Human
Services under Section 262(a), Health Insurance Portability and
Accountability Act of 1996 (42 U.S.C. Section 1320d-1320d-8). 

Art. 28B.06. PROTECTION OF FAIR CREDIT REPORTING ACTS. Prohibits this
chapter from being construed to modify, limit, or supersede the operation
of the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) and an
inference from being drawn based on this chapter regarding whether
information is transaction or experience information under Section 603 (15
U.S.C. Section 1681a). Provides that this chapter does not preempt or
supersede a state law related to medical record, health, or insurance
information privacy that is in effect on July 1, 2002. 

Art. 28B.07. VIOLATION; PENALTIES. Prohibits a licensee from knowingly or
wilfully violating this chapter. Authorizes the TDH to investigate any
alleged violation of this chapter and to impose fines and other sanctions
as determined to be appropriate in accordance with Chapters 82 and84 of
this code and the other insurance laws of this state. 

SECTION 3. (a) Effective date: Provides that Chapter 181, Health and safety
Code, as added by this  Act, takes effect September 1, 2003. 

(b) Effective date: Provides that Chapter 28B, Insurance Code, as added by
this Act, takes effect January 1, 2002. 

(c) Authorizes the commissioner of insurance to delay the date for
compliance with Chapter 28B, Insurance Code, as added by this Act, if the
commissioner determines that an entity needs more time to establish
policies and systems to comply with the requirements of that chapter. 

(d) Makes an authorization or consent granting access to an individual's
health care records prospective. 

SUMMARY OF COMMITTEE CHANGES

SECTION 1. Amends As Filed S.B. 11, Title 2, Health and Safety Code, as
folows: 

 _Amends the proposed defintions of  "treatment," "protected health
information," "payments," "health research," "health care payer,"
"admistrative billing information," "covered entity," "disclose," "disease
management," and "health care provider." 

 _Deletes definitions for "audit trail," "computerized records system,"
"deidentified health information," "health care delivery revirew," "health
research," and "sensitive health informaton." 

 _Adds definitions for "financial institution," "health care entity,"
"Health Insurance Portability and Acountability Act and Privacy Standards,"
"person," and "pharmaceutical company." 

 _Adds new language to proposed Section 181.002 regarding what this chapter
does not apply to. 

 _Replaces proposed Section 181.003 (DELAYED EFFECT) with a new proposed
section entitled PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS. 

 _Adds Section 181.004 (NONPROFIT AGENICES).

 _Modifies Section 181.051 to require that a covered entity and a health
care entity must allow certain persons to obtain an individual's clinical
health record. 

 _Replaces proposed Section 181.052 (DISCLOSURE OR USE OF PROTECTED HEALTH
INFORMATION) with previous proposed Section 181.059 entitled APPENDANT OR
AMENDMENT TO HEALTH RECORDS. 

 _Replaces proposed Section 181.053 (USE OF CLINICAL HEALTH RECORDS) with a
new proposed section entitled DISCLOSING, USING, ACCESSING, OR OBTAINING
PROTECTED HEALTH INFORMATION. 

 _Replaces proposed Section 181.054 (USE OF ADMINISTRATIVE BILLING
INFORMATION) with a new proposed section entitled INFORMATON OR RESEARCH. 

 _Replaces proposed Section 181.055 (SENSITIVE HEALTH INFORMATION) with a
new proposed section entitled DISCLOSURE OF INFORMATION TO PUBLIC HEALTH
AUTHORITY. 
 
 _Replaces proposed Section 181.056 (DIRECTORY INFORMATION) with a new
proposed section entitled REQUIRED NOTICE. 

 _Deletes proposed Sections 181.057 (NEXT OF KIN), 181.058 (INFORMATION FOR
RESEARCH), 181.059 (APPENDANT TO HEALTH RECORDS), 181.060 (REQUIRED
NOTICE), and 181.061 (MARKETING AND EDUCATIONAL INFORMATION). 

 _Replaces the previously proposed heading of SUBCHAPTER C (HEALTH CARE
PAYERS) with EXPRESS WRITTEN AUTHORIZATION. 

 _Replaces proposed Section 181.101 (NOTICE TO INDIVIDUAL) with  a new
proposed section entitled FORM. 

 _Replaces proposed Section 181.102 (CONTACT WITH PATIENT) with a new
proposed section enitled EXPIRATION. 

 _Deletes proposed Sections 181.103 (DISEASE MANAGEMENT PROGRAM), 181.104
(CONSENT REQUIRED), and 181.105 (HEALTH CARE DELIVERY REVIEW). 

 _Replaces the previously proposed heading of SUBCHAPTER D (INFORMED
CONSENT) with PROHIBITED ACTS. 

 _Replaces proposed Section 181.151 (FORM) with a new proposed section
entitled REIDENTIFIES INFORMATION. 

 _Replaces proposed Section 181.152 (CONTENT OF CONSENT) with a new
proposed section entitled CONTACT FOR PURPOSES OF PROMOTION OR
ADVERTISEMENT. 

 _Deletes proposed Sections 181.153 (EXPIRATION), 181.154 (REVOCATION), and
181.155 (MODEL CONSENT). 

 _Replaces the previously proposed heading of SUBCHAPTER E (PROHIBITED
ACTS) with ENFORCEMENT. 
 
 _Replaces proposed Section 181.201 (DEIDENTIFIED INFORMATION) with a new
proposed section entitled INJUNCTIVE RELIEF; CIVIL PENALTY. 

 _Replaces proposed Secton 181.202 (COERCED CONSENT) with a new propsed
section entitled INDIVIDUAL INJUNCTIVE RELIEF. 

 _Replaces proposed Section 181.203 (REFUSAL TO PROVIDE HEALTH CARE) with a
new proposed section entitled SOVERIEGN IMMUNITY. 

 _Deletes previously proposed SUBCHAPTER F (ENFORCEMENT).

 _Deletes proposed Sections 181.251 (INJUNCTIVE RELIEF; CIVIL PENALTY),
181.252 (INDIVIDUAL INJUNCTIVE RELIEF; CIVIL CAUSE OF ACTION), 181.253
(CRIMINAL OFFENSE), and 181.254 (DISCIPLINARY ACTION). 

SECTION 2. Adds a new proposed CHAPTER 28B (PRIVACY OF HEALTH INFORMATION)
applicable to entities licensed by the Texas Department of Insurance. 
 
SECTION 3. Effective date. Renumbered from SECTION 2.