By Averitt
H.B. No. 3328
Line and page numbers may not match official copy.
Bill not drafted by TLC or Senate E&E.

A BILL TO BE ENTITLED
1-1  AN ACT
1-2  relating to privacy rules for health information for insurance
1-3  companies and licensees of the Texas Department of Insurance.
1-4  BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-5  SECTION 1. Chapter 21, Insurance Code, is amended by adding a
1-6  new Article 21.74 to read as follows:
1-7  ARTICLE 21.74. PRIVACY RULES FOR HEALTH INFORMATION
1-8  Sec. 1. DEFINITIONS. IN THIS ARTICLE, THE FOLLOWING
1-9  DEFINITIONS SHALL APPLY: (a) "Health Information" means any
1-10  information or data, except age or gender, whether oral or recorded
1-11  in any form or medium, created by or derived from a health care
1-12  provider or the consumer or customer that relates to:
1-13  (1) The past, present or future physical, mental or
1-14  behavioral health or condition of an individual;
1-15  (2) The provision of health care to an individual; or
1-16  (3) Payment for the provision of health care to an
1-17  individual.
1-18  (b) "Licensee" means any individual, corporation,
1-19  association, partnership, insurance company, group hospital service
1-20  corporation, mutual insurance company, local mutual aid
1-21  association, statewide mutual assessment company, stipulated
1-22  premium insurance company, health maintenance organization,
1-23  reciprocal or interinsurance exchange, Lloyds insurer, fraternal
2-1  benefit society, county mutual insurer, farm mutual insurer,
2-2  insurance agent and other persons licensed or required to be
2-3  licensed under this code.
2-4  (c) "Nonpublic personal health information" means health
2-5  information:
2-6  (1) That identifies an individual who is the subject
2-7  of the information; or
2-8  (2) With respect to which there is a reasonable basis
2-9  to believe that the information could be used to identify an
2-10  individual.
2-11  Sec. 2. WHEN AUTHORIZATION REQUIRED FOR DISCLOSURE OF
2-12  NONPUBLIC PERSONAL HEALTH INFORMATION (a) A licensee shall not
2-13  disclose nonpublic personal health information about a consumer or
2-14  customer unless an authorization is obtained from the consumer or
2-15  customer whose nonpublic personal health information is sought to
2-16  be disclosed.
2-17  (b) Nothing in this section shall prohibit, restrict or
2-18  require an authorization for the disclosure of nonpublic personal
2-19  health information by a licensee for the performance of the
2-20  following insurance functions by or on behalf of the licensee:
2-21  claims adjustment and management; detection, investigation or
2-22  reporting of actual or potential fraud, misrepresentation or
2-23  criminal activity; underwriting; policy placement or issuance; loss
2-24  control; ratemaking and guaranty fund functions; reinsurance and
2-25  excess loss insurance; risk management; case management; disease
2-26  management; quality assurance; quality improvement; performance
3-1  evaluation; provider credentialing verification; utilization
3-2  review; peer review activities; actuarial, scientific, medical or
3-3  public policy research; grievance procedures; internal
3-4  administration of compliance, managerial, and information systems;
3-5  policyholder service functions; auditing; reporting; database
3-6  security; administration of consumer disputes and inquiries;
3-7  external accreditation standards; the replacement of a group
3-8  benefit plan or workers compensation policy or program; activities
3-9  in connection with a sale, merger, transfer or exchange of all or
3-10  part of a business or operating unit; any activity that permits
3-11  disclosure without authorization pursuant to the federal Health
3-12  Insurance Portability and Accountability Act privacy rules
3-13  promulgated by the U.S. Department of Health and Human Services;
3-14  disclosure that is required, or is one of the lawful or appropriate
3-15  methods, to enforce the licensee's rights or the rights of other
3-16  persons engaged in carrying out a transaction or providing a
3-17  product or service that a consumer requests or authorizes; and any
3-18  activity otherwise permitted by law, required pursuant to
3-19  governmental reporting authority, or to comply with legal process.
3-20  Additional insurance functions may be added with the approval of
3-21  the commissioner to the extent they are necessary for appropriate
3-22  performance of insurance functions and are fair and reasonable to
3-23  the interest of consumers.
3-24  Sec. 3. AUTHORIZATIONS. (a) A valid authorization to
3-25  disclose nonpublic personal health information pursuant to this
3-26  Article shall be in written or electronic form and shall contain
4-1  all of the following:
4-2  (1) The identity of the consumer or customer who is
4-3  the subject of the nonpublic personal health information;
4-4  (2) A general description of the types of nonpublic
4-5  personal health information to be disclosed;
4-6  (3) General descriptions of the parties to whom the
4-7  licensee discloses nonpublic personal health information, the
4-8  purpose of the disclosure and how the information will be used;
4-9  (4) The signature of the consumer or customer who is
4-10  the subject of the nonpublic personal health information or the
4-11  individual who is legally empowered to grant authority and the date
4-12  signed; and
4-13  (5) Notice of the length of time for which the
4-14  authorization is valid and that the consumer or customer may revoke
4-15  the authorization at any time and the procedure for making a
4-16  revocation.
4-17  (b) An authorization for the purposes of this Article shall
4-18  specify a length of time for which the authorization shall remain
4-19  valid, which in no event shall be for more than twenty-four (24)
4-20  months.
4-21  (c) A consumer or customer who is the subject of nonpublic
4-22  personal health information may revoke an authorization provided
4-23  pursuant to this Article at any time, subject to the rights of any
4-24  individual who acted in reliance on the authorization prior to
4-25  notice of the revocation.
4-26  (d) A licensee shall retain the authorization or a copy
5-1  thereof in the record of the individual who is the subject of
5-2  nonpublic personal health information.
5-3  Sec. 4. AUTHORIZATION REQUEST DELIVERY. A request for
5-4  authorization and an authorization form may be delivered to a
5-5  consumer or a customer, provided that the request and the
5-6  authorization form are clear and conspicuous. An authorization
5-7  form is not required to be delivered to the consumer or customer or
5-8  included in any other notices unless the licensee intends to
5-9  disclose protected health information pursuant to Section 2(a).
5-10  Sec. 5. RELATIONSHIP TO FEDERAL RULES Irrespective of
5-11  whether a licensee is subject to the federal Health Insurance
5-12  Portability and Accountability Act privacy rule as promulgated by
5-13  the U.S. Department of Health and Human Services, if a licensee
5-14  complies with all requirements of the federal rule except for its
5-15  effective date provision, the licensee shall not be subject to the
5-16  provisions of this Article.
5-17  Sec. 6. RELATIONSHIP TO STATE LAWS Nothing in this Article
5-18  shall preempt or supersede existing state law related to medical
5-19  records, health or insurance information privacy. If there is any
5-20  conflict with any other state law, the provisions of this Article
5-21  shall prevail.
5-22  Sec. 7. PROTECTION OF FAIR CREDIT REPORTING ACT Nothing in
5-23  this Article shall be construed to modify, limit or supersede the
5-24  operation of the federal Fair Credit Reporting Act (15 U.S.C. 1681
5-25  et seq.), and no inference shall be drawn on the basis of the
5-26  provisions of this Article whether information is transaction or
6-1  experience information under Section 603 of that Act.
6-2  Sec. 8. NONDISCRIMINATION A licensee shall not unfairly
6-3  discriminate against a consumer or customer because that consumer
6-4  or customer has not granted authorization for the disclosure of his
6-5  or her nonpublic personal health information pursuant to the
6-6  provisions of this Article.
6-7  Sec. 9. VIOLATION A violation of this Article is subject to
6-8  an administrative penalty authorized under Section 84.022 of this
6-9  code.
6-10  Sec. 10. SEVERABILITY If any section or portion of a section
6-11  of this Article or its applicability to any person or circumstance
6-12  is held invalid by a court, the remainder of the Article or the
6-13  applicability of the provision to other persons or circumstances
6-14  shall not be affected.
6-15  Sec. 11. EFFECTIVE DATE AND AUTHORIZATION FOR RULES (a)
6-16  This Article is effective January 1, 2002. In order to provide
6-17  sufficient time for licensees to establish policies and systems to
6-18  comply with the requirements of this Article, the commissioner may
6-19  extend the time for compliance by rule or regulation.
6-20  (b) The commissioner is authorized to adopt rules to
6-21  implement this Article provided such rules may not impose
6-22  requirements that are more stringent than privacy requirements in
6-23  federal law.
6-24  SECTION 2. This Act takes effect immediately if it receives
6-25  a vote of two-thirds of all the members elected to each house, as
6-26  provided by Section 39, Article III, Texas Constitution. If this
7-1  Act does not receive the vote necessary for immediate effect, this
7-2  Act takes effect August 27, 2001.