By Averitt                                            H.B. No. 3328
         Line and page numbers may not match official copy.
         Bill not drafted by TLC or Senate E&E.
                                A BILL TO BE ENTITLED
 1-1                                   AN ACT
 1-2     relating to privacy rules for health information for insurance
 1-3     companies and licensees of the Texas Department of Insurance.
 1-4           BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 1-5           SECTION 1. Chapter 21, Insurance Code, is amended by adding a
 1-6     new Article 21.74 to read as follows:
 1-7            ARTICLE 21.74.  PRIVACY RULES FOR HEALTH INFORMATION
 1-8           Sec. 1.  DEFINITIONS.  In this Article, the following
 1-9     definitions shall apply:  (a)  "Health Information" means any
1-10     information or data, except age or gender, whether oral or recorded
1-11     in any form or medium, created by or derived from a health care
1-12     provider or the consumer or customer that relates to:
1-13                 (1)  The past, present or future physical, mental or
1-14     behavioral health or condition of an individual;
1-15                 (2)  The provision of health care to an individual; or
1-16                 (3)  Payment for the provision of health care to an
1-17     individual.
1-18           (b)  "Licensee" means any individual, corporation,
1-19     association, partnership, insurance company, group hospital service
1-20     corporation, mutual insurance company, local mutual aid
1-21     association, statewide mutual assessment company, stipulated
1-22     premium insurance company, health maintenance organization,
1-23     reciprocal or interinsurance exchange, Lloyds insurer, fraternal
 2-1     benefit society, county mutual insurer, farm mutual insurer,
 2-2     insurance agent and other persons licensed or required to be
 2-3     licensed under this code.
 2-4           (c)  "Nonpublic personal health information" means health
 2-5     information:
 2-6                 (1)  That identifies an individual who is the subject
 2-7     of the information; or
 2-8                 (2)  With respect to which there is a reasonable basis
 2-9     to believe that the information could be used to identify an
2-10     individual.
2-11           Sec. 2.  WHEN AUTHORIZATION REQUIRED FOR DISCLOSURE OF
2-12     NONPUBLIC PERSONAL HEALTH INFORMATION.  (a)  A licensee shall not
2-13     disclose nonpublic personal health information about a consumer or
2-14     customer unless an authorization is obtained from the consumer or
2-15     customer whose nonpublic personal health information is sought to
2-16     be disclosed.
2-17           (b)  Nothing in this section shall prohibit, restrict or
2-18     require an authorization for the disclosure of nonpublic personal
2-19     health information by a licensee for the performance of the
2-20     following insurance functions by or on behalf of the licensee:
2-21     claims adjustment and management; detection, investigation or
2-22     reporting of actual or potential fraud, misrepresentation or
2-23     criminal activity; underwriting; policy placement or issuance; loss
2-24     control; ratemaking and guaranty fund functions; reinsurance and
2-25     excess loss insurance; risk management; case management; disease
2-26     management; quality assurance; quality improvement; performance
 3-1     evaluation; provider credentialing verification; utilization
 3-2     review; peer review activities; actuarial, scientific, medical or
 3-3     public policy research; grievance procedures; internal
 3-4     administration of compliance, managerial, and information systems;
 3-5     policyholder service functions; auditing; reporting; database
 3-6     security; administration of consumer disputes and inquiries;
 3-7     external accreditation standards; the replacement of a group
 3-8     benefit plan or workers compensation policy or program; activities
 3-9     in connection with a sale, merger, transfer or exchange of all or
3-10     part of a business or operating unit; any activity that permits
3-11     disclosure without authorization pursuant to the federal Health
3-12     Insurance Portability and Accountability Act privacy rules
3-13     promulgated by the U.S. Department of Health and Human Services;
3-14     disclosure that is required, or is one of the lawful or appropriate
3-15     methods, to enforce the licensee's rights or the rights of other
3-16     persons engaged in carrying out a transaction or providing a
3-17     product or service that a consumer requests or authorizes; and any
3-18     activity otherwise permitted by law, required pursuant to
3-19     governmental reporting authority, or to comply with legal process.
3-20     Additional insurance functions may be added with the approval of
3-21     the commissioner to the extent they are necessary for appropriate
3-22     performance of insurance functions and are fair and reasonable to
3-23     the interest of consumers.
3-24           Sec. 3.  AUTHORIZATIONS. (a)  A valid authorization to
3-25     disclose nonpublic personal health information pursuant to this
3-26     Article shall be in written or electronic form and shall contain
 4-1     all of the following:
 4-2                 (1)  The identity of the consumer or customer who is
 4-3     the subject of the nonpublic personal health information;
 4-4                 (2)  A general description of the types of nonpublic
 4-5     personal health information to be disclosed;
 4-6                 (3)  General descriptions of the parties to whom the
 4-7     licensee discloses nonpublic personal health information, the
 4-8     purpose of the disclosure and how the information will be used;
 4-9                 (4)  The signature of the consumer or customer who is
4-10     the subject of the nonpublic personal health information or the
4-11     individual who is legally empowered to grant authority and the date
4-12     signed; and
4-13                 (5)  Notice of the length of time for which the
4-14     authorization is valid and that the consumer or customer may revoke
4-15     the authorization at any time and the procedure for making a
4-16     revocation.
4-17           (b)  An authorization for the purposes of this Article shall
4-18     specify a length of time for which the authorization shall remain
4-19     valid, which in no event shall be for more than twenty-four (24)
4-20     months.
4-21           (c)  A consumer or customer who is the subject of nonpublic
4-22     personal health information may revoke an authorization provided
4-23     pursuant to this Article at any time, subject to the rights of any
4-24     individual who acted in reliance on the authorization prior to
4-25     notice of the revocation.
4-26           (d)  A licensee shall retain the authorization or a copy
 5-1     thereof in the record of the individual who is the subject of
 5-2     nonpublic personal health information.
 5-3           Sec. 4.  AUTHORIZATION REQUEST DELIVERY. A request for
 5-4     authorization and an authorization form may be delivered to a
 5-5     consumer or a customer, provided that the request and the
 5-6     authorization form are clear and conspicuous.  An authorization
 5-7     form is not required to be delivered to the consumer or customer or
 5-8     included in any other notices unless the licensee intends to
 5-9     disclose protected health information pursuant to Section 2(a).
5-10           Sec. 5.  RELATIONSHIP TO FEDERAL RULES.  Irrespective of
5-11     whether a licensee is subject to the federal Health Insurance
5-12     Portability and Accountability Act privacy rule as promulgated by
5-13     the U.S. Department of Health and Human Services, if a licensee
5-14     complies with all requirements of the federal rule except for its
5-15     effective date provision, the licensee shall not be subject to the
5-16     provisions of this Article.
5-17           Sec. 6.  RELATIONSHIP TO STATE LAWS.  Nothing in this Article
5-18     shall preempt or supersede existing state law related to medical
5-19     records, health or insurance information privacy.  If there is any
5-20     conflict with any other state law, the provisions of this Article
5-21     shall prevail.
5-22           Sec. 7.  PROTECTION OF FAIR CREDIT REPORTING ACT.  Nothing in
5-23     this Article shall be construed to modify, limit or supersede the
5-24     operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681
5-25     et seq.), and no inference shall be drawn on the basis of the
5-26     provisions of this Article whether information is transaction or
 6-1     experience information under Section 603 of that Act.
 6-2           Sec. 8.  NONDISCRIMINATION.  A licensee shall not unfairly
 6-3     discriminate against a consumer or customer because that consumer
 6-4     or customer has not granted authorization for the disclosure of his
 6-5     or her nonpublic personal health information pursuant to the
 6-6     provisions of this Article.
 6-7           Sec. 9.  VIOLATION.  A violation of this Article is subject to
 6-8     an administrative penalty authorized under Section 84.022 of this
 6-9     code.
6-10           Sec. 10.  SEVERABILITY.  If any section or portion of a section
6-11     of this Article or its applicability to any person or circumstance
6-12     is held invalid by a court, the remainder of the Article or the
6-13     applicability of the provision to other persons or circumstances
6-14     shall not be affected.
6-15           Sec. 11.  EFFECTIVE DATE AND AUTHORIZATION FOR RULES.  (a)
6-16     This Article is effective January 1, 2002.  In order to provide
6-17     sufficient time for licensees to establish policies and systems to
6-18     comply with the requirements of this Article, the commissioner may
6-19     extend the time for compliance by rule or regulation.
6-20           (b)  The commissioner is authorized to adopt rules to
6-21     implement this Article provided such rules may not impose
6-22     requirements that are more stringent than privacy requirements in
6-23     federal law.
6-24           SECTION 2.  This Act takes effect immediately if it receives
6-25     a vote of two-thirds of all the members elected to each house, as
6-26     provided by Section 39, Article III, Texas Constitution.  If this
 7-1     Act does not receive the vote necessary for immediate effect, this
 7-2     Act takes effect August 27, 2001.