By Maxey H.B. No. 1221
Line and page numbers may not match official copy.
Bill not drafted by TLC or Senate E&E.
A BILL TO BE ENTITLED
1-1 AN ACT
1-2 relating to protecting the privacy of medical records; providing
1-3 penalties.
1-4 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-5 SECTION 1. Title 2, Health and Safety Code, is amended by
1-6 adding Subtitle I to read as follows:
1-7 SUBTITLE I. MEDICAL RECORDS
1-8 CHAPTER 181. MEDICAL RECORDS PRIVACY
1-9 SUBCHAPTER A. GENERAL PROVISIONS
1-10 Sec. 181.001. DEFINITIONS. In this chapter:
1-11 (1) "Administrative billing information" means
1-12 protected health information that is necessary for the payment or
1-13 administration of health care claims. The term includes only the
1-14 date of service, reimbursement, any patient or practitioner
1-15 identifiers, diagnostic and treatment information contained in
1-16 standard billing codes, and information required by nationally
1-17 recognized third-party health care claim forms. The term does not
1-18 include a clinical health record included or requested as an
1-19 attachment to administrative billing information.
1-20 (2) "Audit trail" means a complete and accurate record
1-21 of the date, user or recipient, and function performed with respect
1-22 to protected health information.
2-1 (3) "Clinical health record" means a record of any
2-2 protected health information, other than administrative billing
2-3 information, that is used or maintained by or for a covered entity
2-4 or an employee, agent, or contractor of a covered entity for the
2-5 purpose of delivering health care to an individual.
2-6 (4) "Computerized records system" means any
2-7 electronic, digital, optical, magnetic, or other system that
2-8 stores, retrieves, or manipulates data. The term does not include
2-9 a static storage system, including microfiche or microfilm.
2-10 (5) "Covered entity" means any person who:
2-11 (A) for commercial, financial, or professional
2-12 gain, monetary fees, or dues, or on a cooperative, nonprofit, or
2-13 pro bono basis, engages, in whole or in part, and with real or
2-14 constructive knowledge, in the practice of assembling, collecting,
2-15 analyzing, using, evaluating, storing, or transmitting protected or
2-16 deidentified health information. The term includes a health care
2-17 payer, information or computer management entity, employer, school,
2-18 health researcher, health care facility, clinic, health care
2-19 practitioner, or person who maintains an Internet site;
2-20 (B) comes into possession of protected health
2-21 information;
2-22 (C) obtains or stores protected health
2-23 information under this chapter; or
2-24 (D) is an employee, agent, or contractor of a
2-25 person described by Paragraph (A), (B), or (C) insofar as the
2-26 employee, agent, or contractor creates, receives, obtains,
3-1 maintains, uses, or transmits protected health information.
3-2 (6) "Deidentified health information" means protected
3-3 health information with respect to which the holder has made a good
3-4 faith effort to evaluate the risks of reidentification of the
3-5 information in the context in which it will be used or disclosed;
3-6 and to remove all personal identifiers or other information that
3-7 may be used by itself or in combination with other information to
3-8 identify the subject from the information. The term includes
3-9 aggregate statistics, redacted health information, information for
3-10 which random or fictitious alternatives have been substituted for
3-11 personally identifiable information, and information for which
3-12 personally identifiable information has been encrypted and for
3-13 which the encryption key is maintained by a person otherwise
3-14 authorized to have access to the information in an identifiable
3-15 format.
3-16 (7) "Disclose" means to release, publish, share,
3-17 transfer, transmit, distribute, show, or otherwise divulge
3-18 protected health information to a person other than the individual
3-19 who is the subject of the information.
3-20 (8) "Governmental unit" means:
3-21 (A) this state and all the several agencies of
3-22 government that collectively constitute the government of this
3-23 state, including other agencies bearing different designations, and
3-24 all departments, bureaus, boards, commissions, offices, agencies,
3-25 councils, and courts;
3-26 (B) a political subdivision of this state,
4-1 including any municipality, county, school district, junior college
4-2 district, levee improvement district, drainage district, irrigation
4-3 district, water improvement district, water control and improvement
4-4 district, water control and preservation district, freshwater
4-5 supply district, navigation district, conservation and reclamation
4-6 district, soil conservation district, communication district,
4-7 public health district, and river authority; and
4-8 (C) any other institution, agency, or organ of
4-9 government the status and authority of which are derived from the
4-10 state constitution or from laws passed by the legislature under the
4-11 constitution.
4-12 (9) "Health care" means preventive, diagnostic,
4-13 therapeutic, rehabilitative, maintenance, or palliative care,
4-14 counseling, a service, or a procedure normally provided by or under
4-15 the supervision or direction of a health care practitioner or
4-16 health care facility with respect to the physical or mental
4-17 condition of an individual or affecting the structure or function
4-18 of the human body or any part of the human body, including
4-19 individual cells and their components. The term does not include
4-20 payment for health care, performance of health care delivery
4-21 review, or administration of health care claims.
4-22 (10) "Health care delivery review" means any review,
4-23 audit, assessment, or analysis of health care that is conducted in
4-24 regard to an individual who is the subject of protected health
4-25 information, that is performed by a covered entity or an agent or
4-26 contractor of a covered entity, and that requires any protected
5-1 health information that is not deidentified, other than
5-2 administrative billing information. The term includes:
5-3 (A) utilization, quality assurance, or
5-4 management review activities;
5-5 (B) population-based activities relating to
5-6 improving health care or reducing health care costs;
5-7 (C) protocol development;
5-8 (D) review of the competence or qualifications
5-9 of health care professionals;
5-10 (E) evaluation of health care practitioners,
5-11 health care payers, and health care facility performance;
5-12 (F) the conduct of training programs in which
5-13 undergraduate and graduate students and trainees in health care,
5-14 including graduate medical education students and residents, learn
5-15 under supervision to practice as health care providers; and
5-16 (G) accreditation, certification, licensing, or
5-17 credentialing activities.
5-18 (11) "Health care facility" means any facility
5-19 licensed to provide health care or legally and regularly engaged in
5-20 providing health care. The term does not include an employer,
5-21 health care payer, or health maintenance organization.
5-22 (12) "Health care payer" means any person who provides
5-23 payment or reimbursement for health care, including a health
5-24 insurance or other insurance company, hospital or medical service
5-25 plan, health or dental service plan, health maintenance
5-26 organization, employee welfare benefit plan, or other group health
6-1 plan, whether or not funded through the purchase of insurance.
6-2 (13) "Health care practitioner" means a person who:
6-3 (A) is licensed, certified, registered, or
6-4 otherwise authorized by law to provide an item or service that, in
6-5 the ordinary course of business or practice of a profession,
6-6 constitutes health care, including a physician, nurse,
6-7 chiropractor, midwife, podiatrist, physician assistant,
6-8 optometrist, pharmacist, physical therapist, occupational
6-9 therapist, or speech therapist; or
6-10 (B) is an employee, agent, or contractor of a
6-11 person described by Paragraph (A) who is supervised in providing
6-12 health care.
6-13 (14) "Health research" means any systematic
6-14 investigation, testing, evaluation, or other inquiry that uses
6-15 protected health information to develop or contribute to general
6-16 knowledge, including the study of:
6-17 (A) the causes of disease or medical conditions;
6-18 and
6-19 (B) the relationship among certain
6-20 characteristics, health care, and disease or health status.
6-21 (15) "Health researcher" means a person who conducts
6-22 health research using protected or deidentified health information.
6-23 (16) "Individual" means an adult person or anyone who
6-24 may legally obtain health care as a minor without the expressed
6-25 consent of a parent, custodian, or guardian.
6-26 (17) "Person" includes a corporation, organization,
7-1 governmental unit, business trust, estate, trust, partnership,
7-2 association, and any other legal entity.
7-3 (18) "Protected health information" means any health
7-4 information, other than deidentified information, that is
7-5 maintained in any format, including in writing, electronically, or
7-6 orally. The term includes sensitive health information,
7-7 administrative billing information, clinical health records, and
7-8 prescription records that:
7-9 (A) are created or received by a covered entity;
7-10 (B) relate to:
7-11 (i) the past, present, or future physical
7-12 or mental health or condition of an individual;
7-13 (ii) the providing of health care to an
7-14 individual; or
7-15 (iii) the past, present, or future payment
7-16 for providing health care to an individual; and
7-17 (C) identify or could be used or manipulated
7-18 alone or in combination with other information to identify an
7-19 individual by a reasonably foreseeable method.
7-20 (19) "Public health authority" means an authority
7-21 statutorily charged with responsibility for public health matters,
7-22 including the department, the board, and any local or municipal
7-23 agent.
7-24 (20) "Reidentification" means any attempt to
7-25 ascertain:
7-26 (A) the identity of the individual who is the
8-1 subject of protected health information; or
8-2 (B) any specific data element with the intention
8-3 of ascertaining the identity of the subject or with knowledge that
8-4 the data element would allow for the identification of the
8-5 individual who is the subject of the protected health information.
8-6 (21) "Sensitive health information" means protected
8-7 health information that pertains specifically to:
8-8 (A) a history, diagnosis, or treatment of:
8-9 (i) substance abuse;
8-10 (ii) human immunodeficiency virus or
8-11 acquired immune deficiency syndrome;
8-12 (iii) sexually transmitted disease; or
8-13 (iv) sexual, physical, or mental abuse,
8-14 including information related to sexual assault;
8-15 (B) mental health;
8-16 (C) sexual or reproductive health; or
8-17 (D) the results of a genetic test, including the
8-18 fact that an individual has undergone a genetic test.
8-19 Sec. 181.002. APPLICABILITY. This chapter does not affect
8-20 the validity of another statute that provides greater
8-21 confidentiality for information made confidential by this chapter.
8-22 Sec. 181.003. OMBUDSMAN. (a) The attorney general shall
8-23 appoint a lawyer to serve as the medical records privacy ombudsman.
8-24 The ombudsman shall serve on a full-time basis at the pleasure of
8-25 the attorney general. The attorney general may assign other staff
8-26 as may be appropriate to assist in performing the duties of the
9-1 ombudsman. The ombudsman shall:
9-2 (1) assist members of the public, governmental units,
9-3 and covered entities in understanding and interpreting this chapter
9-4 or other information privacy laws;
9-5 (2) on written request, issue and publish advisory
9-6 opinions to governmental units about compliance with this chapter;
9-7 (3) collect technical information and determine best
9-8 practices for distribution to individuals and parties subject to
9-9 this chapter;
9-10 (4) assist in mediating disputes relating to the
9-11 release of protected health information;
9-12 (5) compile and make available for review relevant
9-13 federal and state laws governing the privacy of medical records in
9-14 this state;
9-15 (6) not later than December 1 of each even-numbered
9-16 year, prepare and deliver to the governor, the lieutenant governor,
9-17 the speaker of the house of representatives, and each member of the
9-18 legislature a biennial report on the state of medical records
9-19 privacy in this state and other states and make recommendations to
9-20 the legislature about medical records privacy;
9-21 (7) maintain records and compile reports on the types
9-22 of complaints filed with the ombudsman and how those complaints
9-23 were resolved; and
9-24 (8) create and maintain an Internet site through the
9-25 Texas Online government portal that contains easily understandable
9-26 information about an individual's privacy rights and that allows
10-1 consumers to submit questions and receive replies about privacy
10-2 rights.
10-3 (b) The ombudsman shall respond to a question submitted to
10-4 the ombudsman not later than the 180th day after the date the
10-5 ombudsman receives the question.
10-6 (c) Information received by the ombudsman relating to an
10-7 advisory opinion issued by the ombudsman is confidential and not
10-8 subject to disclosure under Chapter 552, Government Code. An
10-9 advisory opinion may contain only deidentified information with
10-10 respect to any individual who is the subject of the information.
10-11 Sec. 181.004. INAPPLICABILITY TO ERISA PLANS. This chapter
10-12 does not apply to a health benefit plan provided in accordance with
10-13 the Employee Retirement Income Security Act of 1974 (29 U.S.C.
10-14 Section 1001 et seq.), as amended.
10-15 (Sections 181.005-181.050 reserved for expansion)
10-16 SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION
10-17 Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE. (a)
10-18 Except as provided by Subsection (b), a covered entity shall permit
10-19 an individual who is the subject of protected health information or
10-20 the person's designee to inspect and copy any protected health
10-21 information that the entity maintains or controls and that relates
10-22 to the individual. A covered entity shall provide the individual
10-23 with one copy of the records requested under this subsection free
10-24 of charge during a three-year period. Unless otherwise established
10-25 in law, a covered entity may charge a reasonable fee for the cost of
10-26 additional copies.
11-1 (b) Any of the following persons who is providing
11-2 professional services to an individual is not required to permit
11-3 the individual to inspect or copy a personal note or diary
11-4 containing protected health information relating to the individual
11-5 if the information contained in the note or diary has not been
11-6 disclosed to a person other than another of the following persons
11-7 for the specific purpose of clinical supervision conducted in the
11-8 regular course of treatment:
11-9 (1) a psychiatrist;
11-10 (2) a psychologist licensed under Chapter 501,
11-11 Occupations Code;
11-12 (3) a marriage and family therapist licensed under
11-13 Chapter 502, Occupations Code;
11-14 (4) a licensed professional counselor licensed under
11-15 Chapter 503, Occupations Code;
11-16 (5) a chemical dependency counselor licensed under
11-17 Chapter 504, Occupations Code; or
11-18 (6) a social worker licensed under Chapter 505,
11-19 Occupations Code.
11-20 (c) A covered entity shall provide requested information not
11-21 later than the 10th day after the date the entity receives the
11-22 request for inspection or copying.
11-23 (d) On request of an individual who is the subject of
11-24 protected health information that is in coded form, a covered
11-25 entity shall provide the individual with an accurate translation in
11-26 plain language of the coded information.
12-1 Sec. 181.052. DISCLOSURE OR USE OF PROTECTED HEALTH
12-2 INFORMATION. (a) A covered entity may not disclose or use
12-3 protected health information except as authorized under this
12-4 chapter.
12-5 (b) A covered entity may not use or disclose protected
12-6 health information without obtaining the expressed consent of the
12-7 individual who is the subject of the information.
12-8 (c) A covered entity may not use or request or require the
12-9 disclosure of more protected health information than is directly
12-10 related to the specific purpose that is stated in the expressed
12-11 consent.
12-12 (d) A covered entity shall evaluate a request made for
12-13 protected health information and may disclose only the minimum
12-14 amount of protected health information that is essential and
12-15 directly related to the specific function to be performed by the
12-16 recipient.
12-17 (e) Protected health information, administrative billing
12-18 information, clinical health records, and deidentified health
12-19 information used or disclosed under this chapter shall be clearly
12-20 labeled.
12-21 (f) A request for disclosure of protected health information
12-22 must be in writing.
12-23 Sec. 181.053. USE OF CLINICAL HEALTH RECORDS. (a) Except
12-24 as provided by Section 181.054, this chapter does not limit the
12-25 ability of a health care practitioner or health care facility to
12-26 use protected health information to provide health care to an
13-1 individual or to disclose the information as provided by Section
13-2 181.056.
13-3 (b) With respect to a clinical health record used for any
13-4 purpose other than to deliver health care, by a health care
13-5 practitioner or health care facility, to the individual who is the
13-6 subject of the record, the covered entity using the record shall:
13-7 (1) use, receive, or create the record only to the
13-8 extent that a function cannot be reasonably performed with
13-9 deidentified health information;
13-10 (2) limit access to a clinical health record that is
13-11 not deidentified to only those employees, agents, or contractors
13-12 who perform an essential function that is directly related to the
13-13 purpose for which the record was created or collected;
13-14 (3) prohibit an employee, agent, or contractor from
13-15 reidentifying an individual who is the subject of any deidentified
13-16 health information used, received, or created by the employee,
13-17 agent, or contractor unless otherwise authorized by law;
13-18 (4) require that an employee, agent, or contractor use
13-19 or receive only the minimum amount of information from a clinical
13-20 health record that is essential and directly related to the
13-21 specific function performed by the employee, agent, or contractor;
13-22 (5) prohibit an employee, agent, or contractor from
13-23 using or having access to a clinical health record for longer than
13-24 is necessary to perform the specific function of the employee,
13-25 agent, or contractor;
13-26 (6) prohibit an employee, agent, or contractor from
14-1 disclosing a clinical health record or deidentified health
14-2 information to any other person except as otherwise authorized
14-3 under this chapter;
14-4 (7) link, match, or index clinical health records
14-5 collected, held, or maintained by other covered entities only if
14-6 the entity has specific expressed consent; and
14-7 (8) disclose a clinical health record collected from
14-8 or created by any other covered entity only to the individual who
14-9 is the subject of the information or as otherwise authorized by
14-10 law.
14-11 Sec. 181.054. USE OF ADMINISTRATIVE BILLING INFORMATION. (a)
14-12 With respect to administrative billing information used by a
14-13 covered entity, the entity shall:
14-14 (1) limit the use of administrative billing
14-15 information to those essential functions that cannot be reasonably
14-16 performed with deidentified health information;
14-17 (2) limit the use of administrative billing
14-18 information that is not deidentified to those employees, agents, or
14-19 contractors who perform an essential function;
14-20 (3) prohibit an employee, agent, or contractor from
14-21 reidentifying an individual who is the subject of any deidentified
14-22 health information used, received, or created by the employee,
14-23 agent, or contractor unless otherwise authorized by law;
14-24 (4) require that an employee, agent, or contractor use
14-25 only the minimum amount of administrative billing information that
14-26 is necessary to accomplish the specific function performed by the
15-1 employee, agent, or contractor;
15-2 (5) prohibit an employee, agent, or contractor from
15-3 disclosing administrative billing information or deidentified
15-4 health information to any other person except as otherwise
15-5 authorized under this chapter; and
15-6 (6) link, match, or index administrative billing
15-7 information collected, held, or maintained by other covered
15-8 entities only if the entity has specific expressed consent.
15-9 (b) Except as otherwise provided by this chapter, a health
15-10 care provider, a health care facility, a health care payer, or an
15-11 employee, agent, or contractor of a provider, facility, or payer
15-12 may use administrative billing information without the expressed
15-13 consent of the individual who is the subject of the information
15-14 only if the health care provider, facility, or payer:
15-15 (1) deidentifies all the information used by the
15-16 entity; or
15-17 (2) uses only the minimum amount of administrative
15-18 billing information that is essential and directly related to
15-19 administrative billing purposes and does not store, preserve, copy,
15-20 or otherwise maintain the information for longer than is necessary
15-21 to perform the specific function of the recipient.
15-22 (c) A health care payer may not refuse to make a payment to,
15-23 or otherwise retaliate against, a covered entity if the covered
15-24 entity complies with this section or Section 181.056(8).
15-25 Sec. 181.055. DIRECTORY INFORMATION. (a) Except as provided
15-26 by Subsection (b), a health care practitioner or health care
16-1 facility that provides patient services may disclose directory
16-2 information regarding an individual to any person if:
16-3 (1) the patient:
16-4 (A) has been notified of the patient's right to
16-5 object at the time of admission to the facility and has not
16-6 objected to the disclosure; or
16-7 (B) is in a physical or mental condition that
16-8 makes it impossible to notify the patient of the right to object
16-9 and there are no prior indications that the patient would object;
16-10 and
16-11 (2) the information consists of:
16-12 (A) the general health status of the patient,
16-13 described as critical, poor, fair, stable, or satisfactory or in
16-14 terms denoting similar conditions; or
16-15 (B) the location of the patient on premises
16-16 controlled by the practitioner or facility.
16-17 (b) A health care practitioner or health care facility may
16-18 not release patient directory information without expressed consent
16-19 if:
16-20 (1) disclosure of the location of the individual would
16-21 reveal information supporting all inferences about the specific
16-22 diagnosis of the individual; or
16-23 (2) the practitioner or facility has reason to believe
16-24 that the disclosure of the information could lead to physical,
16-25 mental, or emotional harm to or the death of the individual.
16-26 Sec. 181.056. DISCLOSURE OF INFORMATION. A covered entity
17-1 may disclose protected health information without the consent of
17-2 the individual who is the subject of the information if the
17-3 disclosure is:
17-4 (1) to a health care practitioner or health care
17-5 facility that is rendering health care to the individual;
17-6 (2) to a transporting emergency medical services
17-7 provider for the direct purpose of determining the individual's
17-8 diagnosis and the outcome of the individual's hospital admission;
17-9 (3) to a prospective health care provider for the
17-10 purpose of securing the services of that health care provider as
17-11 part of the patient's continuum of care, as determined by the
17-12 patient's attending physician, and the patient is in a physical or
17-13 mental condition that makes it impossible to obtain consent;
17-14 (4) to an individual authorized to consent to medical
17-15 treatment under Chapter 313 or to an individual in a circumstance
17-16 exempted from Chapter 313 to facilitate the adequate provision of
17-17 treatment and the protected health information to be disclosed is
17-18 directly related to the treatment;
17-19 (5) to an employee or agent of the covered entity who
17-20 requires health care information for medical education, for peer
17-21 review, or for assisting the covered entity in complying with
17-22 statutory, licensing, accreditation, or certification requirements,
17-23 and the covered entity takes appropriate action to ensure that the
17-24 employee or agent:
17-25 (A) discloses only protected health information
17-26 that is directly related to the medical education, peer review, or
18-1 compliance;
18-2 (B) does not use or disclose the protected
18-3 health information for any other purpose; and
18-4 (C) takes appropriate steps to protect the
18-5 protected health information;
18-6 (6) to a federal, state, or local government agency or
18-7 authority to the extent authorized or required by law;
18-8 (7) to the American Red Cross for the specific purpose
18-9 of fulfilling the duties specified under its charter granted as an
18-10 instrumentality of the United States government;
18-11 (8) for purposes of performing health care delivery
18-12 review and the covered entity does not disclose any protected
18-13 health information that is not essential for the review or not
18-14 directly related to the specific care or procedure being reviewed;
18-15 (9) to satisfy a request for medical records of a
18-16 deceased or incompetent person pursuant to Section 4.01(e), Medical
18-17 Liability and Insurance Improvement Act of Texas (Article 4590i,
18-18 Vernon's Texas Civil Statutes);
18-19 (10) to comply with a court order except as provided
18-20 by Subdivision (11);
18-21 (11) related to a judicial proceeding in which the
18-22 patient is a party and the disclosure is requested under a subpoena
18-23 issued under:
18-24 (A) the Texas Rules of Civil Procedure or Code
18-25 of Criminal Procedure; or
18-26 (B) Chapter 121, Civil Practice and Remedies
19-1 Code; or
19-2 (12) to a public health authority for public health
19-3 reasons.
19-4 Sec. 181.057. NEXT OF KIN. A health care practitioner or
19-5 health care facility may disclose, without the patient's consent,
19-6 protected health information regarding the health care provided to
19-7 the patient if:
19-8 (1) the patient:
19-9 (A) has been notified of the patient's right to
19-10 object at the time of admission to the facility and has not
19-11 objected to the disclosure; or
19-12 (B) is in a physical or mental condition that
19-13 makes it impossible to notify the patient of the right to object
19-14 and there is no indication that the patient would object to the
19-15 disclosure; and
19-16 (2) the information is disclosed to the patient's next
19-17 of kin, a representative of the patient, or an individual with whom
19-18 the patient resides.
19-19 Sec. 181.058. INFORMATION FOR RESEARCH. (a) A researcher
19-20 may disclose protected health information to a health researcher,
19-21 regardless of the source of funding of the research, for the
19-22 purpose of conducting health research, only if the researcher has
19-23 obtained:
19-24 (1) the expressed consent of the individual; or
19-25 (2) documentation that a waiver of expressed consent
19-26 has been granted by:
20-1 (A) an institutional review board in accordance
20-2 with the Health Insurance Portability and Accountability Act of
20-3 1996 (Pub. L. No. 104-191), as amended, and the rules adopted under
20-4 that Act; or
20-5 (B) a privacy board established under this
20-6 section.
20-7 (b) The Texas Ethics Commission shall establish a privacy
20-8 board for one or more health research projects. A privacy board:
20-9 (1) must consist of members with varying backgrounds
20-10 and appropriate professional competency as necessary to review the
20-11 effect of the research protocol for the project or projects on the
20-12 privacy rights and related interests of the individuals whose
20-13 protected health information would be used or disclosed;
20-14 (2) must include at least one member who is not
20-15 affiliated with the covered entity or an entity conducting or
20-16 sponsoring the research, and not related to any person who is
20-17 affiliated with an entity described by this subdivision; and
20-18 (3) may not have any member participating in the
20-19 review of any project in which the member has a conflict of
20-20 interest.
20-21 (c) A privacy board may grant a waiver of the expressed
20-22 consent for the use of protected health information if the privacy
20-23 board:
20-24 (1) documents the date on which the waiver of the
20-25 expressed consent was approved and identifies the privacy board;
20-26 (2) determines that:
21-1 (A) the use or disclosure of protected health
21-2 information involves no more than minimal risk to the affected
21-3 individuals;
21-4 (B) the waiver does not adversely affect the
21-5 privacy rights and related interests of those individuals;
21-6 (C) the research could not practicably be
21-7 conducted without the waiver;
21-8 (D) the research could not practicably be
21-9 conducted without access to and use of the protected health
21-10 information;
21-11 (E) the privacy risks to an individual whose
21-12 protected health information is to be used or disclosed are
21-13 reasonable in relation to the anticipated benefits, if any, to the
21-14 individual and the importance of the knowledge that may reasonably
21-15 be expected to result from the research;
21-16 (F) there is an adequate plan to protect the
21-17 identifiers from improper use and disclosure;
21-18 (G) there is an adequate plan to destroy the
21-19 identifiers at the earliest opportunity consistent with the
21-20 conducting of the research, unless there is a health or research
21-21 justification for retaining the identifiers or the retention is
21-22 otherwise required by law;
21-23 (H) there are adequate written assurances that
21-24 the protected health information will not be reused or disclosed to
21-25 another person or entity, except:
21-26 (i) as required by law;
22-1 (ii) for authorized oversight of the
22-2 research project; or
22-3 (iii) for other research for which the use
22-4 or disclosure of protected health information would be permitted by
22-5 this section; and
22-6 (I) the health researcher has presented adequate
22-7 assurances that none of the data containing protected health
22-8 information will be loaned, sold, disseminated, or otherwise
22-9 disclosed;
22-10 (3) provides a description of the protected health
22-11 information for which use or access has been determined to be
22-12 necessary by the privacy board; and
22-13 (4) documents that the waiver of expressed consent has
22-14 been approved by the privacy board following the procedures under
22-15 Subsection (e).
22-16 (d) A waiver must be signed by the presiding officer of the
22-17 board or the presiding officer's designee.
22-18 (e) The privacy board must review the proposed research at a
22-19 convened meeting at which a majority of the privacy board members
22-20 are present, including at least one member who satisfies the
22-21 requirements of Subsection (b)(2). The waiver of expressed consent
22-22 must be approved by the majority of the privacy board members
22-23 present at the meeting, unless the privacy board elects to use an
22-24 expedited review procedure. The privacy board may use an expedited
22-25 review procedure only if the research involves no more than minimal
22-26 risk to the privacy of the individual who is the subject of the
23-1 protected health information for which use or disclosure is being
23-2 sought. If the privacy board elects to use an expedited review
23-3 procedure, the review and approval of the waiver of expressed
23-4 consent may be made by the presiding officer of the privacy board
23-5 or by one or more members of the privacy board as designated by the
23-6 presiding officer.
23-7 (f) The privacy board shall provide documentation of the
23-8 board's findings under this section on request to:
23-9 (1) the Texas Ethics Commission;
23-10 (2) the office of the attorney general;
23-11 (3) the ombudsman; and
23-12 (4) any individual whose protected health information
23-13 is disclosed or used under this section.
23-14 (g) A health researcher who receives protected health
23-15 information pursuant to a waiver of expressed consent granted by a
23-16 privacy board may not use or disclose the information for any
23-17 purposes other than those specifically approved by the privacy
23-18 board and directly related to the research being performed.
23-19 Sec. 181.059. DISCLOSURE IN LEGAL PROCEEDING. (a) A covered
23-20 entity may disclose protected health information without consent if
23-21 the disclosure is made in response to compulsory legal process
23-22 issued on behalf of a party in compliance with this section.
23-23 (b) Except as otherwise provided by Subsection (d), the
23-24 party seeking the information shall send the individual who is the
23-25 subject of the information written notice of the compulsory legal
23-26 process, at the subject's last known address, together with notice
24-1 of the subject's right to challenge the process in accordance with
24-2 Subsection (e).
24-3 (c) Except as otherwise provided by Subsection (d), a
24-4 covered entity on whom compulsory legal process is served may not
24-5 disclose protected health information:
24-6 (1) before the 16th day after the date the individual
24-7 who is the subject of the information has been notified under
24-8 Subsection (b); or
24-9 (2) if an objection has been made by the individual
24-10 who is the subject of the information in accordance with Subsection
24-11 (e) and no decision has been made.
24-12 (d) In the event of a risk of flight or destruction of
24-13 evidence or if the identity and location of the individual who is
24-14 the subject of protected health information is not known to the
24-15 party seeking compulsory legal process, a court, administrative
24-16 agency, or other person having power to so act generally may issue
24-17 a subpoena, warrant, or other compulsory legal process requiring
24-18 disclosure of protected health information into the custody of the
24-19 court, administrative agency, or other person. The court,
24-20 administrative agency, or other person shall send notice or cause
24-21 the entity in possession of the information to send notice to the
24-22 last known address of the individual who is the subject of the
24-23 information. Protected health information held by the court may be
24-24 disclosed to the party seeking the information after the 15th day
24-25 after the date the notice is sent if the individual who is the
24-26 subject of the information has not objected to the disclosure of
25-1 the information in accordance with Subsection (e).
25-2 (e) If an individual who is the subject of protected health
25-3 information seeks to quash or limit compulsory legal process
25-4 requiring disclosure of the information pertaining to the subject,
25-5 the court, administrative agency, or other person may not issue
25-6 process unless the party seeking the process demonstrates at a
25-7 hearing by clear and convincing evidence that the information
25-8 sought is necessary to the proceedings and the need of the party
25-9 seeking the process for the information outweighs the privacy
25-10 interests of the subject. In determining whether the need of the
25-11 party seeking protected health information outweighs the privacy
25-12 interests of the individual who is the subject of the information,
25-13 the court, administrative agency, or other person shall consider:
25-14 (1) the particular purpose for which the information
25-15 is sought;
25-16 (2) the degree to which the disclosure of the
25-17 information would embarrass, injure, or further invade the privacy
25-18 of the subject;
25-19 (3) the effects of the disclosure on the subject's
25-20 future health care;
25-21 (4) the importance of the information to the
25-22 proceeding; and
25-23 (5) any other relevant factor.
25-24 (f) A party that receives protected health information under
25-25 this section may not disclose or use the information in an
25-26 administrative, civil, or criminal action other than that for which
26-1 the compulsory legal process is issued under this section.
26-2 (g) Protected health information received under this section
26-3 is excepted from the disclosure requirements of Section 552.021,
26-4 Government Code.
26-5 Sec. 181.060. AMENDMENT OF HEALTH RECORDS. (a) An
26-6 individual may request in writing that a covered entity append
26-7 or amend the individual's clinical health record.
26-8 (b) Not later than the 60th day after the date the covered
26-9 entity receives a written request to append or amend the
26-10 individual's clinical health record, the covered entity shall:
26-11 (1) make the appendant or amendment requested and make
26-12 reasonable efforts to notify any person reasonably designated by
26-13 the individual of the appendant or amendment; or
26-14 (2) inform the individual of:
26-15 (A) the reasons for refusing to make the
26-16 appendant or amendment; and
26-17 (B) any procedures for further review of the
26-18 refusal.
26-19 (c) A covered entity may not unreasonably refuse to append
26-20 or amend a clinical health record.
26-21 (d) If a covered entity refuses to append or amend a
26-22 clinical health record, the covered entity shall comply with the
26-23 request of the individual to include at a relevant place in the
26-24 record a statement from the individual regarding the disputed
26-25 information.
26-26 (e) For purposes of Subsection (b), an appendant or
27-1 amendment is considered to have been made if the information that
27-2 has been disputed by the individual has been supplemented by or
27-3 replaced with appended or amended information and the information
27-4 is clearly marked as appended or amended. The covered entity
27-5 making the appendant or amendment may select the method by which
27-6 the information is appended or amended.
27-7 (f) A covered entity that receives appended or amended
27-8 clinical health records shall:
27-9 (1) make the appendant or amendment not later than the
27-10 90th day after the date the covered entity receives the records;
27-11 and
27-12 (2) make reasonable efforts to notify each person to
27-13 whom the covered entity disclosed the unappended or unamended
27-14 record of the appendant or amendment.
27-15 (g) After a covered entity makes an appendant or amendment,
27-16 the covered entity shall send a copy of the appendant or amendment
27-17 to the individual free of charge.
27-18 Sec. 181.061. REQUIRED NOTICE. (a) A covered entity shall
27-19 provide written notice to an individual of the entity's practices
27-20 with respect to protected health information. The covered entity
27-21 shall provide the notice not later than the seventh business day
27-22 after the date the entity receives a request from an individual for
27-23 the notice.
27-24 (b) Notice under this section must include:
27-25 (1) a complete description of the usual and customary
27-26 functions performed with protected health information that has not
28-1 been deidentified;
28-2 (2) a statement of whether protected health
28-3 information is stored within a computerized records system;
28-4 (3) the name and the method of contacting the
28-5 individual responsible for responding to inquiries regarding the
28-6 entity's information practices; and
28-7 (4) the procedures an individual must follow to
28-8 exercise the rights granted under this chapter.
28-9 (c) The notice required by this section must be written in
28-10 clear language that a layperson can understand. If the entity
28-11 serves a linguistically diverse or visually impaired clientele, the
28-12 entity must use a reasonable means to provide the required notice.
28-13 (d) On written request by an individual, a covered entity
28-14 shall provide a list of the agents or contractors who ordinarily
28-15 have access to or use of protected health information that is not
28-16 deidentified.
28-17 (e) The ombudsman shall, after notice and opportunity for
28-18 public comment, develop and disseminate a model notice of information
28-19 practices of the type described by this section. Any notice that
28-20 conforms to the model notice developed under this subsection is
28-21 considered to meet the notice requirements of this section.
28-22 (f) A covered entity shall notify each individual who has
28-23 received notice under this section of any change in the entity's
28-24 practices with respect to protected health information.
28-25 (g) A covered entity may not penalize an individual or
28-26 adversely affect the individual's ability to obtain goods or
29-1 services from the covered entity if the individual requests notice
29-2 under this section.
29-3 Sec. 181.062. AUDIT TRAIL. (a) A covered entity that stores
29-4 or maintains protected health information, other than
29-5 administrative billing information that is not deidentified, in a
29-6 digital, optical, magnetic, electronic, or other computerized
29-7 records system shall maintain an audit trail of each use or
29-8 disclosure of the information, other than a disclosure by a health
29-9 care provider or a health care facility, and of the source of the
29-10 protected health information. This subsection applies only to new
29-11 or substantially updated information systems implemented after the
29-12 effective date of this chapter. With respect to an audit trail, a
29-13 covered entity shall either:
29-14 (1) provide a copy of the audit trail maintained under
29-15 this section on request to the individual who is the subject of the
29-16 information; or
29-17 (2) comply with the request of an individual to review
29-18 the audit trail maintained under this section and report any
29-19 unauthorized access to the information to the individual.
29-20 (b) A covered entity shall maintain an audit trail for each
29-21 use or disclosure until the sixth anniversary of the date the use
29-22 or disclosure was made.
29-23 Sec. 181.063. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH
29-24 AUTHORITY. A covered entity may disclose protected health
29-25 information without expressed consent:
29-26 (1) to a public health authority that is authorized by
30-1 law to collect or receive the information to:
30-2 (A) prevent or control disease, injury, or
30-3 disability;
30-4 (B) report disease, injury, or vital events,
30-5 including birth and death; and
30-6 (C) conduct public health surveillance, public
30-7 health investigations, and public health interventions;
30-8 (2) at the direction of a public health authority, to
30-9 an official of a foreign government agency that is acting in
30-10 collaboration with a public health authority; and
30-11 (3) to the entity authorized by law to receive reports
30-12 of child abuse or neglect.
30-13 Sec. 181.064. PROHIBITED USES OF INFORMATION. A person may
30-14 not disclose, use, or sell protected health information, including
30-15 prescription patterns and administrative billing information, for
30-16 marketing, education, or marketing research purposes without the
30-17 expressed consent of the individual who is the subject of the
30-18 protected health information.
30-19 (Sections 181.065-181.100 reserved for expansion)
30-20 SUBCHAPTER C. HEALTH CARE PAYERS
30-21 Sec. 181.101. NOTICE TO INDIVIDUAL. A health care payer
30-22 shall, on enrollment, notify an individual who is the subject of
30-23 protected health information of:
30-24 (1) the regular uses of the information, including
30-25 administrative billing information; and
30-26 (2) the required uses of the information in the case
31-1 of any complaint, appeal, or other grievance made by or relating to
31-2 the subject.
31-3 Sec. 181.102. CONTACT WITH PATIENT. (a) A health care payer
31-4 may not initiate contact with the subject of sensitive health
31-5 information regarding any disease management or other clinical
31-6 intervention program pertaining to the sensitive health condition.
31-7 The health care payer shall initiate communication through a health
31-8 care practitioner.
31-9 (b) A health care payer may not send mail addressed to an
31-10 individual regarding any health topic, including generic material
31-11 regarding sensitive health information.
31-12 Sec. 181.103. DISEASE MANAGEMENT PROGRAM. (a) A health care
31-13 payer or employer may not require as a condition of employment,
31-14 health insurance, or coverage or reimbursement for health care that
31-15 an individual participate in a disease management program or other
31-16 clinical intervention program.
31-17 (B) this subsection does not include a case management
31-18 or care coordination program operated by a covered entity and
31-19 includes the individual's health care practitioner in the program.
31-20 Sec. 181.104. CONSENT REQUIRED. Expressed consent provided
31-21 by an enrollee or member in any health plan is not valid as to
31-22 anyone other than that enrollee or member. A health care payer may
31-23 not condition health care insurance or coverage or reimbursement
31-24 for health care on consent from a minor who has legally obtained
31-25 health care without parental consent to disclose any information
31-26 pertaining to the health care or payment for the health care to a
32-1 parent or other legal guardian.
32-2 Sec. 181.105. HEALTH CARE DELIVERY REVIEW. (a) For the
32-3 purpose of performing health care delivery review, a health care
32-4 payer may not request any protected health information unless the
32-5 information is essential for the review and directly related to the
32-6 specific care or procedure being reviewed.
32-7 (b) Protected health information collected for the
32-8 performance of health care delivery review may not be used for any
32-9 other purpose.
32-10 (Sections 181.106-181.150 reserved for expansion)
32-11 SUBCHAPTER D. EXPRESSED CONSENT
32-12 Sec. 181.151. FORM. (a) Expressed consent required by this
32-13 chapter must be in writing and signed by:
32-14 (1) the individual who is the subject of the health
32-15 information;
32-16 (2) the individual's legal guardian; or
32-17 (3) the individual's agent under a medical power of
32-18 attorney.
32-19 (b) For purposes of this section, documentation of expressed
32-20 consent may be satisfied by the use of electronic signatures,
32-21 computerized expressed consent documentation, or other
32-22 technological means of recording expressed consent. Use of a means
32-23 authorized by the ombudsman is considered to meet the requirements
32-24 of this subsection.
32-25 Sec. 181.152. CONTENT OF CONSENT. The written expressed
32-26 consent must:
33-1 (1) describe the information to be used or disclosed
33-2 in clear, concise, and plain language;
33-3 (2) clearly identify the covered entity that will
33-4 disclose the information;
33-5 (3) clearly identify the person:
33-6 (A) who will use the information; or
33-7 (B) to whom the information will be disclosed;
33-8 (4) describe in reasonable detail the purpose for
33-9 which the information is being disclosed or used;
33-10 (5) state that the information will be used or
33-11 disclosed solely for the purpose specified in the expressed consent
33-12 or as otherwise authorized by law;
33-13 (6) contain a specific date or event at which the
33-14 authorization expires; and
33-15 (7) contain a statement that the individual has the
33-16 right to:
33-17 (A) revoke or amend the authorization in
33-18 accordance with this chapter;
33-19 (B) receive the notice required by Section
33-20 181.061;
33-21 (C) inspect, copy, and request an appendant or
33-22 amendment of protected health information; and
33-23 (D) be informed of those circumstances under
33-24 which health information may be used or disclosed without expressed
33-25 consent under a court order or other proper legal process issued by
33-26 a federal or state administrative agency or any other legal
34-1 requirement.
34-2 Sec. 181.153. EXPIRATION. (a) An expressed consent for the
34-3 use of protected health information is valid until the expiration
34-4 date or event specified in the documentation or until it is revoked
34-5 by the individual.
34-6 (b) A signed express consent for use of protected health
34-7 information by or disclosure of protected health information to a
34-8 health researcher is valid until:
34-9 (1) the specific health research inquiry for which
34-10 expressed consent was provided is completed;
34-11 (2) the expressed consent is revoked as provided by
34-12 Section 181.154; or
34-13 (3) as otherwise authorized by an institutional review
34-14 board or privacy review board.
34-15 Sec. 181.154. REVOCATION. (a) The subject of protected
34-16 health information may revoke or amend an expressed consent at any
34-17 time unless:
34-18 (1) a disclosure or use has already been made in
34-19 reliance on the consent; or
34-20 (2) disclosure or use of protected information is made
34-21 for payment or reimbursement for health care that has previously
34-22 been delivered and for which the subject is not providing other
34-23 payment.
34-24 (b) A revocation or amendment to expressed consent must be
34-25 in writing.
34-26 Sec. 181.155. MODEL CONSENT. The ombudsman shall, after
35-1 notice and opportunity for public comment, develop and distribute a
35-2 model expressed consent form. An expressed consent obtained on a
35-3 model form developed or approved by the ombudsman is considered to
35-4 meet the requirements of this subchapter.
35-5 (Sections 181.156-181.200 reserved for expansion)
35-6 SUBCHAPTER E. PROHIBITED ACTS
35-7 Sec. 181.201. DEIDENTIFIED INFORMATION. A person, including
35-8 a governmental unit, may not identify or attempt to identify an
35-9 individual who is the subject of any deidentified health
35-10 information.
35-11 Sec. 181.202. COERCED CONSENT. (a) A covered entity may
35-12 not condition the provision of health care to an individual or the
35-13 payment or reimbursement for health care on:
35-14 (1) the provision of an expressed consent to use or
35-15 disclose the information for any purpose that is not essential and
35-16 directly related to the purpose of providing health care,
35-17 performing health care delivery review, or administrating or paying
35-18 a health care claim; or
35-19 (2) an individual's decision to consent or withhold
35-20 consent for the use or disclosure of any national individual
35-21 health identification number or other common unique identifier,
35-22 including an individual's social security number.
35-23 (b) An employer may not condition terms of employment or
35-24 health care coverage or payment or reimbursement for health care on
35-25 the provision of expressed consent to use or disclose any protected
35-26 health information that is not:
36-1 (1) deidentified; or
36-2 (2) necessary and directly related to the job duties
36-3 performed by the individual.
36-4 (c) A person may not coerce an individual to sign an
36-5 expressed consent document.
36-6 Sec. 181.203. RETALIATION. A covered entity may not
36-7 adversely affect a patient, health care practitioner, or other
36-8 person, directly or indirectly, because the patient, practitioner,
36-9 or other person has exercised a right under this chapter, disclosed
36-10 information relating to a possible violation of this chapter, or
36-11 associated with or assisted a person in the exercise of a right
36-12 under this chapter, or has the intent to do so.
36-13 Sec. 181.204. REFUSAL TO PROVIDE HEALTH CARE. Except as
36-14 otherwise provided by law, a person may not refuse to provide
36-15 health care to an individual who refuses to consent to the
36-16 disclosure or use of protected health information as long as the
36-17 individual is not requesting payment or reimbursement for the
36-18 health care from a third party and the information is not essential
36-19 and directly related to the purpose of providing health care.
36-20 Sec. 181.205. PERSON ON COMMUNITY SUPERVISION. A
36-21 supervision officer may not require a defendant to provide the
36-22 supervision officer with the defendant's protected health
36-23 information unless the protected health information is directly
36-24 related to the terms of the supervision.
36-25 (Sections 181.206-181.250 reserved for expansion)
36-26 SUBCHAPTER F. ENFORCEMENT
37-1 Sec. 181.251. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The
37-2 attorney general may institute an action for injunctive or
37-3 declaratory relief to restrain a violation of this chapter.
37-4 (b) In addition to the injunctive relief provided by
37-5 Subsection (a), the attorney general may institute an action for
37-6 civil penalties against a covered entity for a violation of this
37-7 chapter. A civil penalty assessed under this subsection may not
37-8 exceed $3,000 for each violation.
37-9 (c) If the court in which an action under Subsection (b) is
37-10 pending finds that the violations have occurred with a frequency as
37-11 to constitute a pattern or practice, the court may:
37-12 (1) assess a civil penalty not to exceed $250,000;
37-13 (2) exclude the covered entity from participating in
37-14 any state-funded health care program; and
37-15 (3) revoke any license held by the covered entity.
37-16 Sec. 181.252. INDIVIDUAL INJUNCTIVE RELIEF; CIVIL CAUSE OF
37-17 ACTION. (a) An individual who is aggrieved by a violation of this
37-18 chapter may institute an action against a covered entity for
37-19 appropriate injunctive or declaratory relief.
37-20 (b) The individual may institute an action for civil
37-21 damages. An individual who prevails in an action may recover:
37-22 (1) the greater of:
37-23 (A) the individual's actual damages; or
37-24 (B) liquidated damages in the amount of $3,000;
37-25 and
37-26 (2) punitive damages.
38-1 (c) If the alleged violation involves sensitive health
38-2 information, the individual may recover:
38-3 (1) the greater of:
38-4 (A) the individual's actual damages; or
38-5 (B) liquidated damages in the amount of $10,000;
38-6 and
38-7 (2) punitive damages.
38-8 (d) If the individual who institutes an action under this
38-9 section is the prevailing party, the court may award reasonable
38-10 attorney's fees and other litigation costs and expenses reasonably
38-11 incurred, including expert fees.
38-12 (e) A civil action brought under this section must be
38-13 commenced not later than:
38-14 (1) three years after the date the cause of action
38-15 accrues; or
38-16 (2) one year after the date the cause of action was
38-17 discovered but not later than 5 years after the date the cause of
38-18 action accrued.
38-19 (f) It is a defense to a civil action brought under this
38-20 section that the defendant, in good faith, reasonably believed that
38-21 the disclosure of the information was authorized by an expressed
38-22 consent.
38-23 Sec. 181.253. CRIMINAL OFFENSE. (a) A person commits an
38-24 offense if the person knowingly uses, discloses, reidentifies, or
38-25 obtains, or induces another to use, disclose, reidentify, or
38-26 obtain, protected health information for commercial advantage or
39-1 personal gain or to cause malicious harm in violation of this
39-2 chapter.
39-3 (b) An offense under this section is a misdemeanor
39-4 punishable by a fine of not more than $50,000, confinement in
39-5 county jail for not more than one year, or both.
39-6 (c) If the person commits an offense under this section with
39-7 intent to sell the information, the offense is a felony punishable
39-8 by a fine of not more than $500,000, imprisonment in the
39-9 institutional division of the Texas Department of Criminal Justice
39-10 for not more than 10 years, or both.
39-11 Sec. 181.254. DISCIPLINARY ACTION. In addition to the
39-12 penalties prescribed by this chapter, a violation of this chapter
39-13 by an individual or facility that is licensed by an agency of this
39-14 state is subject to the same consequence as a violation of the
39-15 licensing law applicable to the individual or facility or of a rule
39-16 adopted under that licensing law.
39-17 SECTION 2. Section 38.009, Education Code, is repealed.
39-18 SECTION 3. This Act takes effect September 1, 2002.