By Averitt H.B. No. 3328
Line and page numbers may not match official copy.
Bill not drafted by TLC or Senate E&E.
A BILL TO BE ENTITLED
1-1 AN ACT
1-2 relating to privacy rules for health information for insurance
1-3 companies and licensees of the Texas Department of Insurance.
1-4 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-5 SECTION 1. Chapter 21, Insurance Code, is amended by adding a
1-6 new Article 21.74 to read as follows:
1-7 ARTICLE 21.74. PRIVACY RULES FOR HEALTH INFORMATION
1-8 Sec. 1. DEFINITIONS. IN THIS ARTICLE, THE FOLLOWING
1-9 DEFINITIONS SHALL APPLY: (a) "Health Information" means any
1-10 information or data, except age or gender, whether oral or recorded
1-11 in any form or medium, created by or derived from a health care
1-12 provider or the consumer or customer that relates to:
1-13 (1) The past, present or future physical, mental or
1-14 behavioral health or condition of an individual;
1-15 (2) The provision of health care to an individual; or
1-16 (3) Payment for the provision of health care to an
1-17 individual.
1-18 (b) "Licensee" means any individual, corporation,
1-19 association, partnership, insurance company, group hospital service
1-20 corporation, mutual insurance company, local mutual aid
1-21 association, statewide mutual assessment company, stipulated
1-22 premium insurance company, health maintenance organization,
1-23 reciprocal or interinsurance exchange, Lloyds insurer, fraternal
2-1 benefit society, county mutual insurer, farm mutual insurer,
2-2 insurance agent and other persons licensed or required to be
2-3 licensed under this code.
2-4 (c) "Nonpublic personal health information" means health
2-5 information:
2-6 (1) That identifies an individual who is the subject
2-7 of the information; or
2-8 (2) With respect to which there is a reasonable basis
2-9 to believe that the information could be used to identify an
2-10 individual.
2-11 Sec. 2. WHEN AUTHORIZATION REQUIRED FOR DISCLOSURE OF
2-12 NONPUBLIC PERSONAL HEALTH INFORMATION (a) A licensee shall not
2-13 disclose nonpublic personal health information about a consumer or
2-14 customer unless an authorization is obtained from the consumer or
2-15 customer whose nonpublic personal health information is sought to
2-16 be disclosed.
2-17 (b) Nothing in this section shall prohibit, restrict or
2-18 require an authorization for the disclosure of nonpublic personal
2-19 health information by a licensee for the performance of the
2-20 following insurance functions by or on behalf of the licensee:
2-21 claims adjustment and management; detection, investigation or
2-22 reporting of actual or potential fraud, misrepresentation or
2-23 criminal activity; underwriting; policy placement or issuance; loss
2-24 control; ratemaking and guaranty fund functions; reinsurance and
2-25 excess loss insurance; risk management; case management; disease
2-26 management; quality assurance; quality improvement; performance
3-1 evaluation; provider credentialing verification; utilization
3-2 review; peer review activities; actuarial, scientific, medical or
3-3 public policy research; grievance procedures; internal
3-4 administration of compliance, managerial, and information systems;
3-5 policyholder service functions; auditing; reporting; database
3-6 security; administration of consumer disputes and inquiries;
3-7 external accreditation standards; the replacement of a group
3-8 benefit plan or workers compensation policy or program; activities
3-9 in connection with a sale, merger, transfer or exchange of all or
3-10 part of a business or operating unit; any activity that permits
3-11 disclosure without authorization pursuant to the federal Health
3-12 Insurance Portability and Accountability Act privacy rules
3-13 promulgated by the U.S. Department of Health and Human Services;
3-14 disclosure that is required, or is one of the lawful or appropriate
3-15 methods, to enforce the licensee's rights or the rights of other
3-16 persons engaged in carrying out a transaction or providing a
3-17 product or service that a consumer requests or authorizes; and any
3-18 activity otherwise permitted by law, required pursuant to
3-19 governmental reporting authority, or to comply with legal process.
3-20 Additional insurance functions may be added with the approval of
3-21 the commissioner to the extent they are necessary for appropriate
3-22 performance of insurance functions and are fair and reasonable to
3-23 the interest of consumers.
3-24 Sec. 3. AUTHORIZATIONS. (a) A valid authorization to
3-25 disclose nonpublic personal health information pursuant to this
3-26 Article shall be in written or electronic form and shall contain
4-1 all of the following:
4-2 (1) The identity of the consumer or customer who is
4-3 the subject of the nonpublic personal health information;
4-4 (2) A general description of the types of nonpublic
4-5 personal health information to be disclosed;
4-6 (3) General descriptions of the parties to whom the
4-7 licensee discloses nonpublic personal health information, the
4-8 purpose of the disclosure and how the information will be used;
4-9 (4) The signature of the consumer or customer who is
4-10 the subject of the nonpublic personal health information or the
4-11 individual who is legally empowered to grant authority and the date
4-12 signed; and
4-13 (5) Notice of the length of time for which the
4-14 authorization is valid and that the consumer or customer may revoke
4-15 the authorization at any time and the procedure for making a
4-16 revocation.
4-17 (b) An authorization for the purposes of this Article shall
4-18 specify a length of time for which the authorization shall remain
4-19 valid, which in no event shall be for more than twenty-four (24)
4-20 months.
4-21 (c) A consumer or customer who is the subject of nonpublic
4-22 personal health information may revoke an authorization provided
4-23 pursuant to this Article at any time, subject to the rights of any
4-24 individual who acted in reliance on the authorization prior to
4-25 notice of the revocation.
4-26 (d) A licensee shall retain the authorization or a copy
5-1 thereof in the record of the individual who is the subject of
5-2 nonpublic personal health information.
5-3 Sec. 4. AUTHORIZATION REQUEST DELIVERY. A request for
5-4 authorization and an authorization form may be delivered to a
5-5 consumer or a customer, provided that the request and the
5-6 authorization form are clear and conspicuous. An authorization
5-7 form is not required to be delivered to the consumer or customer or
5-8 included in any other notices unless the licensee intends to
5-9 disclose protected health information pursuant to Section 2(a).
5-10 Sec. 5. RELATIONSHIP TO FEDERAL RULES Irrespective of
5-11 whether a licensee is subject to the federal Health Insurance
5-12 Portability and Accountability Act privacy rule as promulgated by
5-13 the U.S. Department of Health and Human Services, if a licensee
5-14 complies with all requirements of the federal rule except for its
5-15 effective date provision, the licensee shall not be subject to the
5-16 provisions of this Article.
5-17 Sec. 6. RELATIONSHIP TO STATE LAWS Nothing in this Article
5-18 shall preempt or supersede existing state law related to medical
5-19 records, health or insurance information privacy. If there is any
5-20 conflict with any other state law, the provisions of this Article
5-21 shall prevail.
5-22 Sec. 7. PROTECTION OF FAIR CREDIT REPORTING ACT Nothing in
5-23 this Article shall be construed to modify, limit or supersede the
5-24 operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681
5-25 et seq.), and no inference shall be drawn on the basis of the
5-26 provisions of this Article whether information is transaction or
6-1 experience information under Section 603 of that Act.
6-2 Sec. 8. NONDISCRIMINATION A licensee shall not unfairly
6-3 discriminate against a consumer or customer because that consumer
6-4 or customer has not granted authorization for the disclosure of his
6-5 or her nonpublic personal health information pursuant to the
6-6 provisions of this Article.
6-7 Sec. 9. VIOLATION A violation of this Article is subject to
6-8 an administrative penalty authorized under Section 84.022 of this
6-9 code.
6-10 Sec. 10. SEVERABILITY If any section or portion of a section
6-11 of this Article or its applicability to any person or circumstance
6-12 is held invalid by a court, the remainder of the Article or the
6-13 applicability of the provision to other persons or circumstances
6-14 shall not be affected.
6-15 Sec. 11. EFFECTIVE DATE AND AUTHORIZATION FOR RULES (a)
6-16 This Article is effective January 1, 2002. In order to provide
6-17 sufficient time for licensees to establish policies and systems to
6-18 comply with the requirements of this Article, the commissioner may
6-19 extend the time for compliance by rule or regulation.
6-20 (b) The commissioner is authorized to adopt rules to
6-21 implement this Article provided such rules may not impose
6-22 requirements that are more stringent than privacy requirements in
6-23 federal law.
6-24 SECTION 2. This Act takes effect immediately if it receives
6-25 a vote of two-thirds of all the members elected to each house, as
6-26 provided by Section 39, Article III, Texas Constitution. If this
7-1 Act does not receive the vote necessary for immediate effect, this
7-2 Act takes effect August 27, 2001.