By: Nelson, et al.                                        S.B. No. 11

A BILL TO BE ENTITLED
AN ACT
relating to protecting the privacy of medical records; providing penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Title 2, Health and Safety Code, is amended by adding Subtitle I to read as follows:

SUBTITLE I. MEDICAL RECORDS

CHAPTER 181. MEDICAL RECORDS PRIVACY

SUBCHAPTER A. GENERAL PROVISIONS

Sec. 181.001. DEFINITIONS. In this chapter:
    (1) "Administrative billing information" means protected health information that is necessary for the payment or administration of health care claims. The term:
        (A) includes only:
            (i) date of service;
            (ii) billed charges;
            (iii) identifiers of the individual who is the subject of the protected health information;
            (iv) diagnostic and treatment information contained in standard billing codes;
            (v) information required by nationally recognized third-party health care claim forms; and
            (vi) protected health information that is part of a health care delivery review; and
        (B) does not include a clinical health record included or requested as an attachment to administrative billing information.
    (2) "Clinical health record" means a record of any protected health information, other than administrative billing information, that is used or maintained by or for a health care practitioner or facility or an employee, agent, or contractor of a health care practitioner or facility for the purpose of delivering health care to an individual.
    (3) "Covered entity" means any person who for commercial or professional gain, monetary fees, or dues, or on a cooperative, nonprofit or pro bono basis engages, in whole or in part, directly or indirectly, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes medical information bureaus and pharmaceutical companies. The term does not include a health care entity, third-party administrator, employer, or educational institution subject to the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g), and its subsequent amendments.
    (4) "Disclose" means to release, publish, share, transfer, transmit, distribute, show, or otherwise divulge protected health information to a person outside the entity holding the information other than the individual who is the subject of the information.
    (5) "Disease management" means a multidisciplinary, continuum-based approach to health care delivery that:
        (A) proactively identifies populations with, or at risk for, established medical conditions and utilizes appropriate health care practitioner's expertise in the treating physician's plan of care;
        (B) emphasizes prevention of complications by using cost-effective, evidence-based practice guidelines and patient empowerment strategies, including self-management education; and
        (C) continuously evaluates clinical, humanistic, and economic outcomes with the goal of improving overall health.
    (6) "Financial institution" means a state or federally chartered bank, savings bank, savings and loan association, credit union, or a holding company, subsidiary, or affiliate of such an institution.
    (7) "Health care entity" means any person, other than a pharmaceutical company, that:
        (A) is a health care payer, person performing health research, health care facility, clinic, or health care practitioner;
        (B) is an employee, agent, or contractor of a person described by Paragraph (A) to the extent the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information; or
        (C) is a governmental entity that uses or discloses protected health information other than in conducting an investigation or prosecuting a criminal offense.
    (8) "Health care facility" means any facility licensed to provide health care or legally and regularly engaged in providing health care, an employee, agent, affiliate, or contractor of the facility, or a health care practitioner with whom the facility has an agreement or affiliation for the purpose of providing, delivering, or arranging health care. The term includes a hospital, long-term care facility, or pharmacy. The term does not include an employer, health care payer, or health maintenance organization.
    (9) "Health care operations" means any of the following activities of a covered entity or health care entity, and any of the following activities of an organized health care arrangement in which a covered entity or health care entity participates:
        (A) conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that obtaining general knowledge is not the primary purpose of any studies resulting from those activities;
        (B) conducting population-based activities relating to:
            (i) improving health or reducing health care costs;
            (ii) protocol development;
            (iii) case management and care coordination; and
            (iv) contacting health care providers and patients with information about treatment alternatives;
        (C) conducting related functions that do not include treatment;
        (D) reviewing the competence or qualifications of health care professionals;
        (E) evaluating practitioner and provider performance and health plan performance;
        (F) conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers;
        (G) training of non-health care professionals and accreditation, certification, licensing, or credentialing activities;
        (H) ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care, including stop-loss insurance and excess of loss insurance;
        (I) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
        (J) business planning and development, including conducting cost-management and planning-related analyses related to managing and operating the entity, formulary development and administration, and development or improvement of methods of payment or coverage policies;
        (K) business management and general administrative activities of the entity, including:
            (i) management activities relating to implementation of and compliance with the requirements of this chapter;
            (ii) customer service, including the provision of data analyses for policyholders, plan sponsors, or other customers, provided that protected health information is not disclosed to the policyholder, plan sponsor, or customer;
            (iii) resolution of internal grievances;
            (iv) due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity; and
            (v) consistent with the applicable requirements of the Health Insurance Portability and Accountability Act and Privacy Standards, creating deidentified health information and fund-raising for the benefit of the health care entity; and
        (L) administering health plan benefits.
    (10) "Health care payer" means any person who provides payment or reimbursement for health care. The term does not include an employer.
    (11) "Health care practitioner" means a person, including a physician, nurse, chiropractor, midwife, podiatrist, physician assistant, pharmacist, or optometrist, who:
        (A) is licensed, certified, registered, or otherwise authorized by law to provide an item or service that, in the ordinary course of business, constitutes health care;
        (B) is an employee, agent, or contractor of a person described by Paragraph (A) who is supervised by the person described by Paragraph (A) in providing health care; or
        (C) is a health care facility with whom the person has an agreement or affiliation for the purpose of providing, delivering, or arranging health care.
    (12) "Health Insurance Portability and Accountability Act and Privacy Standards" means the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) and the final rules adopted on December 28, 2000, and published at 65 Fed. Reg. 82798 et seq., and any subsequent amendments.
    (13) "Health research" means any systematic investigation, including research development, testing, and evaluation, or other inquiry that uses protected health information to develop or contribute to general knowledge, including the study of:
        (A) the causes and treatment of disease or medical conditions; and
        (B) the relationship among certain characteristics, health care, and disease or health status.
    (14) "Payment" means the following activities undertaken by a covered entity or health care entity to obtain premiums, determine or fulfill responsibility of coverage and provision of benefits under a health plan, or to obtain or provide reimbursement for health care:
        (A) determination of eligibility or coverage, including coordination of benefits or the determination of cost-sharing amounts and adjudication or subrogation of health benefit claims;
        (B) risk-adjusting amounts due based on enrollee health status and demographic characteristics;
        (C) billing, claims management, collection activities, the obtaining of payment under a contract for reinsurance, including stop-loss insurance and excess of loss insurance, and related health care data processing;
        (D) review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
        (E) utilization review activities, including precertification and preauthorization of services and concurrent and retrospective review of services; and
        (F) disclosure to consumer reporting agencies consistent with the provisions under the Health Insurance Portability and Accountability Act and Privacy Standards.
    (15) "Person" includes a corporation, organization, governmental unit, business trust, estate, trust, partnership, association, and any other legal entity.
    (16) "Pharmaceutical company" means any person that manufactures, distributes, analyzes, dispenses, or conducts research with a controlled substance as defined by Section 481.002 or a dangerous drug as defined by Section 483.001. The term does not include health care entities.
    (17) "Protected health information":
        (A) includes any information, including administrative billing information, clinical health records, and prescriptions, that:
            (i) relates to:
                (a) the past, present, or future physical health or condition of an individual;
                (b) the past, present, or future mental health or condition of an individual;
                (c) the provision of health care to an individual; or
                (d) the past, present, or future payment for providing health care to an individual; and
            (ii) identifies or could be used or manipulated by itself or in combination with other information to identify an individual by a reasonably foreseeable method; and
        (B) does not include:
            (i) aggregate statistics;
            (ii) redacted health information;
            (iii) information for which random or fictitious alternatives have been substituted for personally identifiable information;
            (iv) information for which personally identifiable information has been encrypted and for which the encryption key is maintained by a person otherwise authorized to have access to the information in an identifiable format; and
            (v) personally identifiable health information in:
                (a) education records covered by the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g), and its subsequent amendments; and
                (b) records described by 20 U.S.C. Section 1232g(a)(4)(B)(iv), and its subsequent amendments.
    (18) "Reidentification" means any attempt to ascertain:
        (A) the identity of the individual who is the subject of protected health information; or
        (B) any specific data element with the intention of ascertaining the identity of the subject or with knowledge that the data element would allow for the identification of the individual who is the subject of the protected health information.
    (19) "Treatment" means any of the following activities:
        (A) the provision, coordination, or management of health care and related services by one or more health care entities, including the coordination or management of health care by a health care entity with a third party;
        (B) consultation between health care entities relating to a patient; and
        (C) the referral of a patient for health care from one health care entity to another.

Sec. 181.002. APPLICABILITY. (a) This chapter does not affect the confidentiality that another statute creates for any information.
    (b) This chapter does not apply to:
        (1) workers' compensation insurance or a function authorized by Title 5, Labor Code;
        (2) any person or entity in connection with providing, administering, supporting, or coordinating any of the benefits under a self-insured program for workers' compensation;
        (3) an employee benefit plan; or
        (4) any covered entity, health care entity, or other person, insofar as the entity or person is acting in connection with an employee benefit plan.
    (c) To the extent that this chapter differs from the Health Insurance Portability and Accountability Act and Privacy Standards, this chapter controls if the provisions of this chapter are clearly more restrictive than the provisions of the Health Insurance Portability and Accountability Act and Privacy Standards.

Sec. 181.003. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS. (a) In this section, "financial institution" has the meaning assigned by Section 1101, Right to Financial Privacy Act of 1978 (12 U.S.C. Section 3401), and its subsequent amendments.
    (b) To the extent that a covered entity engages in activities of a financial institution, or authorizes, processes, clears, settles, bills, transfers, reconciles, or collects payments for a financial institution, this chapter and any rule adopted under this chapter does not apply to the covered entity with respect to those activities, including the following:
        (1) using or disclosing information to authorize, process, clear, settle, bill, transfer, reconcile, or collect a payment for, or related to, health plan premiums or health care, if the payment is made by any means, including a credit, debit, or other payment card, an account, a check, or an electronic funds transfer; and
        (2) requesting, using, or disclosing information with respect to a payment described by Subdivision (1):
            (A) for transferring receivables;
            (B) for auditing;
            (C) in connection with a customer dispute or an inquiry from or to a customer;
            (D) in a communication to a customer of the entity regarding the customer's transactions, payment card, account, check, or electronic funds transfer;
            (E) for reporting to consumer reporting agencies; or
            (F) for complying with a civil or criminal subpoena or a federal or state law regulating the covered entity.

Sec. 181.004. NONPROFIT AGENCIES. The department shall by rule exempt from this chapter:
    (1) a nonprofit agency that pays for health care services or prescription drugs for an indigent person only if the agency's primary business is not the provision of health care or reimbursement for health care services; and
    (2) health care providers who provide health care to indigent persons at a health fair that lasts not more than two days and is organized by a nonprofit agency.

(Sections 181.005-181.050 reserved for expansion)

SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION

Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE. (a) Except as provided by Subsection (b), a covered entity or health care entity shall permit an individual who is the subject of a clinical health record, the individual's designee, or another individual authorized by law to obtain an individual's clinical health record to inspect and copy any clinical health record, including records received from another health care entity or covered entity, except for any clinical health record collected or created in the course of a clinical research trial, that the entity maintains or controls and that relates to the individual. The covered entity or health care entity may charge retrieval and copying fees as provided by law or regulation, or in the absence of a law or regulation, a reasonable fee.
    (b) A psychologist licensed under Chapter 501, Occupations Code, or a psychiatrist or other physician who is providing psychological or psychiatric services to an individual is not required to permit the individual to inspect or copy a personal diary created by the psychologist, psychiatrist, or physician containing protected health information relating to the individual if the information contained in the diary has not been disclosed to a person other than another psychologist, psychiatrist, or physician for the specific purpose of clinical supervision conducted in the regular course of treatment.
    (c) A health care practitioner is not required to permit an individual to inspect or copy the individual's clinical health record if the health care practitioner determines that access to the information would be harmful to the physical, mental, or emotional health of the individual.
    (d) A health care practitioner may redact or otherwise prevent disclosure of confidential information about another individual or family member of the individual who has not consented to the release of information, as otherwise provided by law.
    (e) Not later than the 30th day after the date a covered entity or health care entity receives a request and payment under Subsection (a), the covered entity or health care entity shall provide the requested information.

Sec. 181.052. APPENDANT OR AMENDMENT TO HEALTH RECORDS. A health care entity may, at the entity's discretion, require that any appendant or amendment to an individual's clinical health record be designated as "a patient supplement."

Sec. 181.053. DISCLOSING, USING, ACCESSING, OR OBTAINING PROTECTED HEALTH INFORMATION. (a) Except to carry out treatment, payment, or health care operations, a covered entity may not disclose, use, access, or obtain protected health information unless the individual who is the subject of the protected health information has provided:
        (1) express written authorization; or
        (2) consent or authorization unless consent or authorization is not required by federal or state law.
    (b) A covered entity may not use, access, request, or require the disclosure of more protected health information than is reasonably related to the specific purpose that is stated in the express written authorization. A covered entity may not refuse to provide protected health information requested by a health care practitioner for use in providing health care services.
    (c) A covered entity may use, disclose, access, or obtain protected health information only for the purpose stated in the express written authorization.
    (d) A covered entity may disclose protected health information without obtaining the express written authorization of the individual who is the subject of the information if the disclosure is made in response to a subpoena in a judicial or administrative proceeding.
    (e) A covered entity may not condition services on the provision of express written authorization by the individual to disclose protected health information when the information is not directly related to the services being provided.

Sec. 181.054. INFORMATION OR RESEARCH. (a) A covered entity or health care entity may disclose protected health information to a person performing health research, regardless of the source of funding of the research, for the purpose of conducting health research, only if the person performing health research has obtained:
        (1) individual consent or authorization for use or disclosure of protected health information for research required by federal law;
        (2) the express written authorization of the individual required by this chapter;
        (3) documentation that a waiver of individual consent or authorization required for use or disclosure of protected health information has been granted by an institutional review board or privacy board as required under federal law; or
        (4) documentation that a waiver of the individual's express written authorization required by this chapter has been granted by a privacy board established under this section.
    (b) A privacy board:
        (1) must consist of members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol for the project or projects on the privacy rights and related interests of the individuals whose protected health information would be used or disclosed;
        (2) must include at least one member who is not affiliated with the covered entity or health care entity or an entity conducting or sponsoring the research, and not related to any person who is affiliated with an entity described by this subsection; and
        (3) may not have any member participating in the review of any project in which the member has a conflict of interest.
    (c) A privacy board may grant a waiver of the express written authorization for the use of protected health information if the privacy board obtains the following documentation:
        (1) a statement identifying the privacy board and the date on which the waiver of the express written authorization was approved by the privacy board;
        (2) a statement that the privacy board has determined that the waiver satisfies the following criteria:
            (A) the use or disclosure of protected health information involves no more than minimal risk to the affected individuals;
            (B) the waiver will not adversely affect the privacy rights and welfare of those individuals;
            (C) the research could not practicably be conducted without the waiver;
            (D) the research could not practicably be conducted without access to and use of the protected health information;
            (E) the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals and the importance of the knowledge that may reasonably be expected to result from the research;
            (F) there is an adequate plan to protect the identifiers from improper use and disclosure;
            (G) there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or the retention is otherwise required by law; and
            (H) there are adequate written assurances that the protected health information will not be reused or disclosed to another person or entity, except:
                (i) as required by law;
                (ii) for authorized oversight of the research project; or
                (iii) for other research for which the use or disclosure of protected health information would be permitted by state or federal law;
        (3) a brief description of the protected health information for which use or access has been determined to be necessary by the privacy board under Subdivision (2)(D); and
        (4) a statement that the waiver of express written authorization has been approved by the privacy board following the procedures under Subsection (e).
    (d) A waiver must be signed by the presiding officer of the privacy board or the presiding officer's designee.
    (e) The privacy board must review the proposed research at a convened meeting at which a majority of the privacy board members are present, including at least one member who satisfies the requirements of Subsection (b)(2). The waiver of express written authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure. The privacy board may use an expedited review procedure only if the research involves no more than minimal risk to the privacy of the individual who is the subject of the protected health information of which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the waiver of express written authorization may be made by the presiding officer of the privacy board or by one or more members of the privacy board as designated by the presiding officer.
    (f) A covered entity or health care entity may disclose protected health information to a person performing health research if the covered entity or health care entity obtains from the person performing the health research representations that:
        (1) use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;
        (2) no protected health information is to be removed from the covered entity or health care entity by the person performing the health research in the course of the review; and
        (3) the protected health information for which use or access is sought is necessary for the research purposes.

Sec. 181.055. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH AUTHORITY. A covered entity may use or disclose protected health information without the express written authorization of the individual for public health activities or to comply with the requirements of any federal or state health benefit program. A covered entity may disclose protected health information:
    (1) to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public interventions;
    (2) to a public health authority or other appropriate government authority authorized by law to receive reports of child or adult abuse, neglect, or exploitation; and
    (3) to any state agency in conjunction with a federal or state health benefit program.

Sec. 181.056. REQUIRED NOTICE. (a) On request, a covered entity or health care entity conducting disease management or health care operations shall provide written notice to an individual of the entity's practices with respect to its uses and disclosures of protected health information.
    (b) Notice under this section must include:
        (1) a complete description of the usual functions performed with protected health information;
        (2) a statement of whether protected health information is stored in a computerized records system; and
        (3) the name and the method of contacting the individual responsible for responding to inquiries regarding the entity's information practices.
    (c) On written request by an individual who is the subject of protected health information, a covered entity or health care entity conducting disease management or health care operations shall provide a list of the agents or contractors, not including health care practitioners or health care facilities, who have direct access to or use of the protected health information.
    (d) The department by rule shall adopt a standardized notice of information practices of the type described by this section.

(Sections 181.057-181.100 reserved for expansion)

SUBCHAPTER C. EXPRESS WRITTEN AUTHORIZATION

Sec. 181.101. FORM. (a) Express written authorization required by this chapter must be in writing and signed by:
        (1) the individual who is the subject of the protected health information;
        (2) the individual's legally authorized representative; or
        (3) the individual's agent under a medical power of attorney.
    (b) For purposes of this section, documentation of express written authorization may be satisfied by the use of electronic signatures, computerized express written authorization documentation, or other technological means of recording express written authorization.
    (c) The department by rule shall adopt standards regulating the content and form of the express written authorization.

Sec. 181.102. EXPIRATION. (a) An express written authorization to disclose, access, or use protected health information is valid until the expiration date or event specified in the documentation or until it is revoked by the individual.
    (b) Except as provided by Subsection (c), a covered entity may not coerce an individual to sign an express written authorization required under this chapter.
    (c) A person engaged in health research may require an individual's express written authorization to disclose protected health information as a condition of the individual's participation in the research.

(Sections 181.103-181.150 reserved for expansion)

SUBCHAPTER D. PROHIBITED ACTS

Sec. 181.151. REIDENTIFIED INFORMATION. A person may not reidentify or attempt to reidentify an individual who is the subject of any protected health information without obtaining the individual's consent or authorization if required under this chapter or other state or federal law.

Sec. 181.152. CONTACT FOR PURPOSES OF PROMOTION OR ADVERTISEMENT. (a) A covered entity or health care entity may not, without the express written authorization of the individual who is the subject of protected health information, use, access, or disclose the protected health information for the promotion or advertisement by any person or entity of specific products or services if the covered entity or health care entity receives, directly or indirectly, a financial incentive or remuneration from a third party for the use, access, or disclosure.
    (b) A covered entity may not condition services upon receipt of required express written authorization for activities described in this section.
    (c) "Promotion or advertisement of specific products or services" does not include treatment, disease management, or health care operations, except that health care operations as defined by Section 181.001(9)(C) may be prohibited under this section.

(Sections 181.153-181.200 reserved for expansion)

SUBCHAPTER E. ENFORCEMENT

Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The attorney general may institute an action for injunctive relief to restrain a violation of this chapter.
    (b) In addition to the injunctive relief provided by Subsection (a), the attorney general may institute an action for civil penalties against a covered entity or health care entity for a violation of this chapter. A civil penalty assessed under this section may not exceed $3,000 for each violation.
23-24 (c) If the court in which an action under Subsection (b) is 23-25 pending finds that the violations have occurred with a frequency as 23-26 to constitute a pattern or practice, the court may assess a civil 24-1 penalty not to exceed $250,000. 24-2 (d) If the attorney general substantially prevails in an 24-3 action for injunctive relief or a civil penalty under this section, 24-4 the court shall award to the attorney general reasonable attorney's 24-5 fees, costs, and expenses incurred obtaining the relief or penalty, 24-6 including court costs and witness fees. 24-7 Sec. 181.202. INDIVIDUAL INJUNCTIVE RELIEF. An individual 24-8 who is aggrieved by a violation of this chapter may institute an 24-9 action against a covered entity or health care entity for 24-10 appropriate injunctive relief. If the individual is the prevailing 24-11 party, the court shall award reasonable attorney's fees and other 24-12 litigation costs and expenses reasonably incurred. 24-13 Sec. 181.203. SOVEREIGN IMMUNITY. This chapter does not 24-14 waive sovereign immunity to suit or liability. 24-15 SECTION 2. Title 1, Insurance Code, is amended by adding 24-16 Chapter 28B to read as follows: 24-17 CHAPTER 28B. PRIVACY OF HEALTH INFORMATION 24-18 SUBCHAPTER A. GENERAL PROVISIONS 24-19 Art. 28B.01. DEFINITIONS. In this chapter: 24-20 (1) "Health information" means any information or data 24-21 regarding an individual, other than age or gender, whether oral or 24-22 recorded in any form or medium, that is created by or derived from 24-23 a health care provider or the individual and that relates to: 24-24 (A) the past, present, or future physical, 24-25 mental, or behavioral health or condition of an individual; 24-26 (B) the provision of health care to an 25-1 individual; or 25-2 (C) payment for the provision of health care to 25-3 an individual. 
25-4 (2) "Licensee" means a person who holds or is required 25-5 to hold a license, registration, certificate of authority, or other 25-6 authority under this code or another insurance law of this state. 25-7 The term includes an insurance company, group hospital service 25-8 corporation, mutual insurance company, local mutual aid 25-9 association, statewide mutual assessment company, stipulated 25-10 premium insurance company, health maintenance organization, 25-11 reciprocal or interinsurance exchange, Lloyd's plan, fraternal 25-12 benefit society, county mutual insurer, farm mutual insurer, or 25-13 insurance agent. 25-14 (3) "Nonpublic personal health information" means 25-15 health information: 25-16 (A) that identifies an individual who is the 25-17 subject of the information; or 25-18 (B) with respect to which there is a reasonable 25-19 basis to believe that the information could be used to identify an 25-20 individual. 25-21 Art. 28B.02. PERSONALLY IDENTIFIABLE HEALTH INFORMATION: 25-22 PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION. (a) A licensee must 25-23 obtain an authorization to disclose any nonpublic personal health 25-24 information before making such a disclosure. 
25-25 (b) The request for authorization required by this article 25-26 may be in written or electronic form and must: 26-1 (1) state the identity of the consumer or customer who 26-2 is the subject of the nonpublic personal health information; 26-3 (2) describe: 26-4 (A) the types of nonpublic personal health 26-5 information to be disclosed; 26-6 (B) the parties to whom the licensee discloses 26-7 nonpublic personal health information; 26-8 (C) the purpose of the disclosure; 26-9 (D) how the information will be used; and 26-10 (E) the procedure for revoking the 26-11 authorization; 26-12 (3) include the signature and date signed of: 26-13 (A) the consumer or customer who is the subject 26-14 of the nonpublic personal health information; or 26-15 (B) the individual who is legally empowered to 26-16 grant authority; 26-17 (4) provide notice: 26-18 (A) of the length of time for which the 26-19 authorization is valid; and 26-20 (B) that the consumer or customer may revoke the 26-21 authorization at any time; and 26-22 (5) specify the amount of time that the authorization 26-23 remains valid, which may not exceed 24 months. 26-24 (c) The right of a consumer or customer to revoke an 26-25 authorization at any time is subject to the rights of an individual 26-26 who acted in reliance on the authorization before receiving notice 27-1 of a revocation. 27-2 (d) The licensee shall retain the original or a copy of the 27-3 authorization in the record of the individual who is the subject of 27-4 the nonpublic personal health information. 27-5 Art. 28B.03. DELIVERY OF AUTHORIZATION. (a) A request for 27-6 authorization and an authorization form may be delivered to a 27-7 consumer or a customer if the request and the authorization form 27-8 are clear and conspicuous. 27-9 (b) A licensee must include delivery of the authorization in 27-10 a notice to the consumer or customer only if the licensee intends 27-11 to disclose protected health information under this chapter. 27-12 Art. 
28B.04. EXCEPTIONS. A licensee may disclose nonpublic 27-13 personal health information to the extent that the disclosure is 27-14 necessary to perform the following insurance functions on behalf of 27-15 that licensee: 27-16 (1) the investigation or reporting of actual or 27-17 potential fraud, misrepresentation, or criminal activity; 27-18 (2) underwriting; 27-19 (3) the placement or issuance of an insurance policy; 27-20 (4) loss control services; 27-21 (5) ratemaking and guaranty fund functions; 27-22 (6) reinsurance and excess loss insurance; 27-23 (7) risk management; 27-24 (8) case management; 27-25 (9) disease management; 27-26 (10) quality assurance; 28-1 (11) quality improvement; 28-2 (12) performance evaluation; 28-3 (13) health care provider credentialing verification; 28-4 (14) utilization review; 28-5 (15) peer review activities; 28-6 (16) actuarial, scientific, medical, or public policy 28-7 research; 28-8 (17) grievance procedures; 28-9 (18) the internal administration of compliance, 28-10 managerial, and information systems; 28-11 (19) policyholder services; 28-12 (20) auditing; 28-13 (21) reporting; 28-14 (22) database security; 28-15 (23) the administration of consumer disputes and 28-16 inquiries; 28-17 (24) external accreditation standards; 28-18 (25) the replacement of a group benefit plan or 28-19 workers' compensation policy or program; 28-20 (26) activities in connection with a sale, merger, 28-21 transfer, or exchange of all or part of a business or operating 28-22 unit; 28-23 (27) any activity that permits disclosure without 28-24 authorization under the federal Health Insurance Portability and 28-25 Accountability Act of 1996 (42 U.S.C. 
Section 1320d et seq.), as 28-26 amended; 29-1 (28) disclosure that is required, or is a lawful or 29-2 appropriate method to enforce the licensee's rights or the rights 29-3 of other persons engaged, in carrying out a transaction or 29-4 providing a product or service that the consumer requests or 29-5 authorizes; 29-6 (29) claims administration, adjustment, and 29-7 management; 29-8 (30) any activity otherwise permitted by law, required 29-9 pursuant to a governmental reporting authority, or required to 29-10 comply with legal process; and 29-11 (31) any other insurance functions that the 29-12 commissioner approves that are: 29-13 (A) necessary for appropriate performance of 29-14 insurance functions; and 29-15 (B) fair and reasonable to the interests of 29-16 consumers. 29-17 Art. 28B.05. EXCEPTION FOR COMPLIANCE WITH FEDERAL RULES. 29-18 This subchapter does not apply to a licensee who complies with any 29-19 standards governing the privacy of individually identifiable health 29-20 information adopted by the United States Secretary of Health and 29-21 Human Services under Section 262(a), Health Insurance Portability 29-22 and Accountability Act of 1996 (42 U.S.C. Sections 1320d-1320d-8). 29-23 Art. 28B.06. PROTECTION OF FAIR CREDIT REPORTING ACTS. 29-24 (a) This chapter may not be construed to modify, limit, or 29-25 supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 29-26 Section 1681 et seq.) and an inference may not be drawn based on 30-1 this chapter regarding whether information is transaction or 30-2 experience information under Section 603 of that Act (15 U.S.C. 30-3 Section 1681a). 30-4 (b) This chapter does not preempt or supersede a state law 30-5 related to medical record, health, or insurance information privacy 30-6 that is in effect on July 1, 2002. 30-7 Art. 28B.07. VIOLATION; PENALTIES. (a) A licensee may not 30-8 knowingly or wilfully violate this chapter. 
30-9 (b) The department may investigate any alleged violation of 30-10 this chapter and may impose fines and other sanctions as determined 30-11 to be appropriate in accordance with Chapters 82 and 84 of this 30-12 code and the other insurance laws of this state. 30-13 SECTION 3. (a) Chapter 181, Health and Safety Code, as 30-14 added by this Act, takes effect September 1, 2003. 30-15 (b) Chapter 28B, Insurance Code, as added by this Act, takes 30-16 effect January 1, 2002. 30-17 (c) The commissioner of insurance may delay the date for 30-18 compliance with Chapter 28B, Insurance Code, as added by this Act, 30-19 if the commissioner determines that an entity needs more time to 30-20 establish policies and systems to comply with the requirements of 30-21 that chapter. 30-22 (d) An authorization or consent granting access to an 30-23 individual's health care records executed before the effective date 30-24 of this Act is governed by the law in effect when the authorization 30-25 or consent was executed, and the former law continues in effect for 30-26 that purpose.