By: Nelson, et al. S.B. No. 11
A BILL TO BE ENTITLED
1-1 AN ACT
1-2 relating to protecting the privacy of medical records; providing
1-3 penalties.
1-4 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-5 SECTION 1. Title 2, Health and Safety Code, is amended by
1-6 adding Subtitle I to read as follows:
1-7 SUBTITLE I. MEDICAL RECORDS
1-8 CHAPTER 181. MEDICAL RECORDS PRIVACY
1-9 SUBCHAPTER A. GENERAL PROVISIONS
1-10 Sec. 181.001. DEFINITIONS. In this chapter:
1-11 (1) "Administrative billing information" means
1-12 protected health information that is necessary for the payment or
1-13 administration of health care claims. The term:
1-14 (A) includes only:
1-15 (i) date of service;
1-16 (ii) billed charges;
1-17 (iii) identifiers of the individual who is
1-18 the subject of the protected health information;
1-19 (iv) diagnostic and treatment information
1-20 contained in standard billing codes;
1-21 (v) information required by nationally
1-22 recognized third-party health care claim forms; and
1-23 (vi) protected health information that is
1-24 part of a health care delivery review; and
1-25 (B) does not include a clinical health record
2-1 included or requested as an attachment to administrative billing
2-2 information.
2-3 (2) "Clinical health record" means a record of any
2-4 protected health information, other than administrative billing
2-5 information, that is used or maintained by or for a health care
2-6 practitioner or facility or an employee, agent, or contractor of a
2-7 health care practitioner or facility for the purpose of delivering
2-8 health care to an individual.
2-9 (3) "Covered entity" means any person who for
2-10 commercial or professional gain, monetary fees, or dues, or on a
2-11 cooperative, nonprofit or pro bono basis engages, in whole or in
2-12 part, directly or indirectly, and with real or constructive
2-13 knowledge, in the practice of assembling, collecting, analyzing,
2-14 using, evaluating, storing, or transmitting protected health
2-15 information. The term includes medical information bureaus and
2-16 pharmaceutical companies. The term does not include a health care
2-17 entity, third-party administrator, employer, or educational
2-18 institution subject to the Family Educational Rights and Privacy
2-19 Act of 1974 (20 U.S.C. Section 1232g), and its subsequent
2-20 amendments.
2-21 (4) "Disclose" means to release, publish, share,
2-22 transfer, transmit, distribute, show, or otherwise divulge
2-23 protected health information to a person outside the entity holding
2-24 the information other than the individual who is the subject of the
2-25 information.
2-26 (5) "Disease management" means a multidisciplinary,
3-1 continuum-based approach to health care delivery that:
3-2 (A) proactively identifies populations with, or
3-3 at risk for, established medical conditions and utilizes
3-4 appropriate health care practitioner's expertise in the treating
3-5 physician's plan of care;
3-6 (B) emphasizes prevention of complications by
3-7 using cost-effective, evidence-based practice guidelines and
3-8 patient empowerment strategies, including self-management
3-9 education; and
3-10 (C) continuously evaluates clinical, humanistic,
3-11 and economic outcomes with the goal of improving overall health.
3-12 (6) "Financial institution" means a state or federally
3-13 chartered bank, savings bank, savings and loan association, credit
3-14 union, or a holding company, subsidiary, or affiliate of such an
3-15 institution.
3-16 (7) "Health care entity" means any person, other than
3-17 a pharmaceutical company, that:
3-18 (A) is a health care payer, person performing
3-19 health research, health care facility, clinic, or health care
3-20 practitioner;
3-21 (B) is an employee, agent, or contractor of a
3-22 person described by Paragraph (A) to the extent the employee,
3-23 agent, or contractor creates, receives, obtains, maintains, uses,
3-24 or transmits protected health information; or
3-25 (C) is a governmental entity that uses or
3-26 discloses protected health information other than in conducting an
4-1 investigation or prosecuting a criminal offense.
4-2 (8) "Health care facility" means any facility licensed
4-3 to provide health care or legally and regularly engaged in
4-4 providing health care, an employee, agent, affiliate, or contractor
4-5 of the facility, or a health care practitioner with whom the
4-6 facility has an agreement or affiliation for the purpose of
4-7 providing, delivering, or arranging health care. The term includes
4-8 a hospital, long-term care facility, or pharmacy. The term does
4-9 not include an employer, health care payer, or health maintenance
4-10 organization.
4-11 (9) "Health care operations" means any of the
4-12 following activities of a covered entity or health care entity, and
4-13 any of the following activities of an organized health care
4-14 arrangement in which a covered entity or health care entity
4-15 participates:
4-16 (A) conducting quality assessment and
4-17 improvement activities, including outcomes evaluation and
4-18 development of clinical guidelines, provided that obtaining general
4-19 knowledge is not the primary purpose of any studies resulting from
4-20 those activities;
4-21 (B) conducting population-based activities
4-22 relating to:
4-23 (i) improving health or reducing health
4-24 care costs;
4-25 (ii) protocol development;
4-26 (iii) case management and care
5-1 coordination; and
5-2 (iv) contacting health care providers and
5-3 patients with information about treatment alternatives;
5-4 (C) conducting related functions that do not
5-5 include treatment;
5-6 (D) reviewing the competence or qualifications
5-7 of health care professionals;
5-8 (E) evaluating practitioner and provider
5-9 performance and health plan performance;
5-10 (F) conducting training programs in which
5-11 students, trainees, or practitioners in areas of health care learn
5-12 under supervision to practice or improve their skills as health
5-13 care providers;
5-14 (G) training of non-health care professionals
5-15 and accreditation, certification, licensing, or credentialing
5-16 activities;
5-17 (H) ceding, securing, or placing a contract for
5-18 reinsurance of risk relating to claims for health care, including
5-19 stop-loss insurance and excess of loss insurance;
5-20 (I) conducting or arranging for medical review,
5-21 legal services, and auditing functions, including fraud and abuse
5-22 detection and compliance programs;
5-23 (J) business planning and development, including
5-24 conducting cost-management and planning-related analyses related to
5-25 managing and operating the entity, formulary development and
5-26 administration, and development or improvement of methods of
6-1 payment or coverage policies;
6-2 (K) business management and general
6-3 administrative activities of the entity, including:
6-4 (i) management activities relating to
6-5 implementation of and compliance with the requirements of this
6-6 chapter;
6-7 (ii) customer service, including the
6-8 provision of data analyses for policyholders, plan sponsors, or
6-9 other customers, provided that protected health information is not
6-10 disclosed to the policyholder, plan sponsor, or customer;
6-11 (iii) resolution of internal grievances;
6-12 (iv) due diligence in connection with the
6-13 sale or transfer of assets to a potential successor in interest, if
6-14 the potential successor in interest is a covered entity or,
6-15 following completion of the sale or transfer, will become a covered
6-16 entity; and
6-17 (v) consistent with the applicable
6-18 requirements of the Health Insurance Portability and Accountability
6-19 Act and Privacy Standards, creating deidentified health information
6-20 and fund-raising for the benefit of the health care entity; and
6-21 (L) administering health plan benefits.
6-22 (10) "Health care payer" means any person who provides
6-23 payment or reimbursement for health care. The term does not
6-24 include an employer.
6-25 (11) "Health care practitioner" means a person,
6-26 including a physician, nurse, chiropractor, midwife, podiatrist,
7-1 physician assistant, pharmacist, or optometrist, who:
7-2 (A) is licensed, certified, registered, or
7-3 otherwise authorized by law to provide an item or service that, in
7-4 the ordinary course of business, constitutes health care;
7-5 (B) is an employee, agent, or contractor of a
7-6 person described by Paragraph (A) who is supervised by the person
7-7 described by Paragraph (A) in providing health care; or
7-8 (C) is a health care facility with whom the
7-9 person has an agreement or affiliation for the purpose of
7-10 providing, delivering, or arranging health care.
7-11 (12) "Health Insurance Portability and Accountability
7-12 Act and Privacy Standards" means the privacy requirements of the
7-13 Administrative Simplification subtitle of the Health Insurance
7-14 Portability and Accountability Act of 1996 (Pub. L. No. 104-191)
7-15 and the final rules adopted on December 28, 2000, and published at
7-16 65 Fed. Reg. 82798 et seq., and any subsequent amendments.
7-17 (13) "Health research" means any systematic
7-18 investigation, including research development, testing, and
7-19 evaluation, or other inquiry that uses protected health information
7-20 to develop or contribute to general knowledge, including the study
7-21 of:
7-22 (A) the causes and treatment of disease or
7-23 medical conditions; and
7-24 (B) the relationship among certain
7-25 characteristics, health care, and disease or health status.
7-26 (14) "Payment" means the following activities
8-1 undertaken by a covered entity or health care entity to obtain
8-2 premiums, determine or fulfill responsibility of coverage and
8-3 provision of benefits under a health plan, or to obtain or provide
8-4 reimbursement for health care:
8-5 (A) determination of eligibility or coverage,
8-6 including coordination of benefits or the determination of
8-7 cost-sharing amounts and adjudication or subrogation of health
8-8 benefit claims;
8-9 (B) risk-adjusting amounts due based on enrollee
8-10 health status and demographic characteristics;
8-11 (C) billing, claims management, collection
8-12 activities, the obtaining of payment under a contract for
8-13 reinsurance, including stop-loss insurance and excess of loss
8-14 insurance, and related health care data processing;
8-15 (D) review of health care services with respect
8-16 to medical necessity, coverage under a health plan, appropriateness
8-17 of care, or justification of charges;
8-18 (E) utilization review activities, including
8-19 precertification and preauthorization of services and concurrent
8-20 and retrospective review of services; and
8-21 (F) disclosure to consumer reporting agencies
8-22 consistent with the provisions under the Health Insurance
8-23 Portability and Accountability Act and Privacy Standards.
8-24 (15) "Person" includes a corporation, organization,
8-25 governmental unit, business trust, estate, trust, partnership,
8-26 association, and any other legal entity.
9-1 (16) "Pharmaceutical company" means any person that
9-2 manufactures, distributes, analyzes, dispenses, or conducts
9-3 research with a controlled substance as defined by Section 481.002
9-4 or a dangerous drug as defined by Section 483.001. The term does
9-5 not include health care entities.
9-6 (17) "Protected health information":
9-7 (A) includes any information, including
9-8 administrative billing information, clinical health records, and
9-9 prescriptions, that:
9-10 (i) relates to:
9-11 (a) the past, present, or future
9-12 physical health or condition of an individual;
9-13 (b) the past, present, or future
9-14 mental health or condition of an individual;
9-15 (c) the provision of health care to
9-16 an individual; or
9-17 (d) the past, present, or future
9-18 payment for providing health care to an individual; and
9-19 (ii) identifies or could be used or
9-20 manipulated by itself or in combination with other information to
9-21 identify an individual by a reasonably foreseeable method; and
9-22 (B) does not include:
9-23 (i) aggregate statistics;
9-24 (ii) redacted health information;
9-25 (iii) information for which random or
9-26 fictitious alternatives have been substituted for personally
10-1 identifiable information;
10-2 (iv) information for which personally
10-3 identifiable information has been encrypted and for which the
10-4 encryption key is maintained by a person otherwise authorized to
10-5 have access to the information in an identifiable format; and
10-6 (v) personally identifiable health
10-7 information in:
10-8 (a) education records covered by the
10-9 Family Educational Rights and Privacy Act of 1974 (20 U.S.C.
10-10 Section 1232g), and its subsequent amendments; and
10-11 (b) records described by 20 U.S.C.
10-12 Section 1232g(a)(4)(B)(iv), and its subsequent amendments.
10-13 (18) "Reidentification" means any attempt to
10-14 ascertain:
10-15 (A) the identity of the individual who is the
10-16 subject of protected health information; or
10-17 (B) any specific data element with the intention
10-18 of ascertaining the identity of the subject or with knowledge that
10-19 the data element would allow for the identification of the
10-20 individual who is the subject of the protected health information.
10-21 (19) "Treatment" means any of the following
10-22 activities:
10-23 (A) the provision, coordination, or management
10-24 of health care and related services by one or more health care
10-25 entities, including the coordination or management of health care
10-26 by a health care entity with a third party;
11-1 (B) consultation between health care entities
11-2 relating to a patient; and
11-3 (C) the referral of a patient for health care
11-4 from one health care entity to another.
11-5 Sec. 181.002. APPLICABILITY. (a) This chapter does not
11-6 affect the confidentiality that another statute creates for any
11-7 information.
11-8 (b) This chapter does not apply to:
11-9 (1) workers' compensation insurance or a function
11-10 authorized by Title 5, Labor Code;
11-11 (2) any person or entity in connection with providing,
11-12 administering, supporting, or coordinating any of the benefits
11-13 under a self-insured program for workers' compensation;
11-14 (3) an employee benefit plan; or
11-15 (4) any covered entity, health care entity, or other
11-16 person, insofar as the entity or person is acting in connection
11-17 with an employee benefit plan.
11-18 (c) To the extent that this chapter differs from the Health
11-19 Insurance Portability and Accountability Act and Privacy Standards,
11-20 this chapter controls if the provisions of this chapter are clearly
11-21 more restrictive than the provisions of the Health Insurance
11-22 Portability and Accountability Act and Privacy Standards.
11-23 Sec. 181.003. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL
11-24 INSTITUTIONS. (a) In this section, "financial institution" has
11-25 the meaning assigned by Section 1101, Right to Financial Privacy
11-26 Act of 1978 (12 U.S.C. Section 3401), and its subsequent
12-1 amendments.
12-2 (b) To the extent that a covered entity engages in
12-3 activities of a financial institution, or authorizes, processes,
12-4 clears, settles, bills, transfers, reconciles, or collects payments
12-5 for a financial institution, this chapter and any rule adopted
12-6 under this chapter does not apply to the covered entity with
12-7 respect to those activities, including the following:
12-8 (1) using or disclosing information to authorize,
12-9 process, clear, settle, bill, transfer, reconcile, or collect a
12-10 payment for, or related to, health plan premiums or health care, if
12-11 the payment is made by any means, including a credit, debit, or
12-12 other payment card, an account, a check, or an electronic funds
12-13 transfer; and
12-14 (2) requesting, using, or disclosing information with
12-15 respect to a payment described by Subdivision (1):
12-16 (A) for transferring receivables;
12-17 (B) for auditing;
12-18 (C) in connection with a customer dispute or an
12-19 inquiry from or to a customer;
12-20 (D) in a communication to a customer of the
12-21 entity regarding the customer's transactions, payment card,
12-22 account, check, or electronic funds transfer;
12-23 (E) for reporting to consumer reporting
12-24 agencies; or
12-25 (F) for complying with a civil or criminal
12-26 subpoena or a federal or state law regulating the covered entity.
13-1 Sec. 181.004. NONPROFIT AGENCIES. The department shall by
13-2 rule exempt from this chapter:
13-3 (1) a nonprofit agency that pays for health care
13-4 services or prescription drugs for an indigent person only if the
13-5 agency's primary business is not the provision of health care or
13-6 reimbursement for health care services; and
13-7 (2) health care providers who provide health care to
13-8 indigent persons at a health fair that lasts not more than two days
13-9 and is organized by a nonprofit agency.
13-10 (Sections 181.005-181.050 reserved for expansion)
13-11 SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION
13-12 Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE.
13-13 (a) Except as provided by Subsection (b), a covered entity or
13-14 health care entity shall permit an individual who is the subject of
13-15 a clinical health record, the individual's designee, or another
13-16 individual authorized by law to obtain an individual's clinical
13-17 health record to inspect and copy any clinical health record,
13-18 including records received from another health care entity or
13-19 covered entity, except for any clinical health record collected or
13-20 created in the course of a clinical research trial, that the entity
13-21 maintains or controls and that relates to the individual. The
13-22 covered entity or health care entity may charge retrieval and
13-23 copying fees as provided by law or regulation, or in the absence of
13-24 a law or regulation, a reasonable fee.
13-25 (b) A psychologist licensed under Chapter 501, Occupations
13-26 Code, or a psychiatrist or other physician who is providing
14-1 psychological or psychiatric services to an individual is not
14-2 required to permit the individual to inspect or copy a personal
14-3 diary created by the psychologist, psychiatrist, or physician
14-4 containing protected health information relating to the individual
14-5 if the information contained in the diary has not been disclosed to
14-6 a person other than another psychologist, psychiatrist, or
14-7 physician for the specific purpose of clinical supervision
14-8 conducted in the regular course of treatment.
14-9 (c) A health care practitioner is not required to permit an
14-10 individual to inspect or copy the individual's clinical health
14-11 record if the health care practitioner determines that access to
14-12 the information would be harmful to the physical, mental, or
14-13 emotional health of the individual.
14-14 (d) A health care practitioner may redact or otherwise
14-15 prevent disclosure of confidential information about another
14-16 individual or family member of the individual who has not consented
14-17 to the release of information, as otherwise provided by law.
14-18 (e) Not later than the 30th day after the date a covered
14-19 entity or health care entity receives a request and payment under
14-20 Subsection (a), the covered entity or health care entity shall
14-21 provide the requested information.
14-22 Sec. 181.052. APPENDANT OR AMENDMENT TO HEALTH RECORDS. A
14-23 health care entity may, at the entity's discretion, require that
14-24 any appendant or amendment to an individual's clinical health
14-25 record be designated as "a patient supplement."
14-26 Sec. 181.053. DISCLOSING, USING, ACCESSING, OR OBTAINING
15-1 PROTECTED HEALTH INFORMATION. (a) Except to carry out treatment,
15-2 payment, or health care operations, a covered entity may not
15-3 disclose, use, access, or obtain protected health information
15-4 unless the individual who is the subject of the protected health
15-5 information has provided:
15-6 (1) express written authorization; or
15-7 (2) consent or authorization unless consent or
15-8 authorization is not required by federal or state law.
15-9 (b) A covered entity may not use, access, request, or
15-10 require the disclosure of more protected health information than is
15-11 reasonably related to the specific purpose that is stated in the
15-12 express written authorization. A covered entity may not refuse to
15-13 provide protected health information requested by a health care
15-14 practitioner for use in providing health care services.
15-15 (c) A covered entity may use, disclose, access, or obtain
15-16 protected health information only for the purpose stated in the
15-17 express written authorization.
15-18 (d) A covered entity may disclose protected health
15-19 information without obtaining the express written authorization of
15-20 the individual who is the subject of the information if the
15-21 disclosure is made in response to a subpoena in a judicial or
15-22 administrative proceeding.
15-23 (e) A covered entity may not condition services on the
15-24 provision of express written authorization by the individual to
15-25 disclose protected health information when the information is not
15-26 directly related to the services being provided.
16-1 Sec. 181.054. INFORMATION OR RESEARCH. (a) A covered
16-2 entity or health care entity may disclose protected health
16-3 information to a person performing health research, regardless of
16-4 the source of funding of the research, for the purpose of
16-5 conducting health research, only if the person performing health
16-6 research has obtained:
16-7 (1) individual consent or authorization for use or
16-8 disclosure of protected health information for research required by
16-9 federal law;
16-10 (2) the express written authorization of the
16-11 individual required by this chapter;
16-12 (3) documentation that a waiver of individual consent
16-13 or authorization required for use or disclosure of protected health
16-14 information has been granted by an institutional review board or
16-15 privacy board as required under federal law; or
16-16 (4) documentation that a waiver of the individual's
16-17 express written authorization required by this chapter has been
16-18 granted by a privacy board established under this section.
16-19 (b) A privacy board:
16-20 (1) must consist of members with varying backgrounds
16-21 and appropriate professional competency as necessary to review the
16-22 effect of the research protocol for the project or projects on the
16-23 privacy rights and related interests of the individuals whose
16-24 protected health information would be used or disclosed;
16-25 (2) must include at least one member who is not
16-26 affiliated with the covered entity or health care entity or an
17-1 entity conducting or sponsoring the research, and not related to
17-2 any person who is affiliated with an entity described by this
17-3 subsection; and
17-4 (3) may not have any member participating in the
17-5 review of any project in which the member has a conflict of
17-6 interest.
17-7 (c) A privacy board may grant a waiver of the express
17-8 written authorization for the use of protected health information
17-9 if the privacy board obtains the following documentation:
17-10 (1) a statement identifying the privacy board and the
17-11 date on which the waiver of the express written authorization was
17-12 approved by the privacy board;
17-13 (2) a statement that the privacy board has determined
17-14 that the waiver satisfies the following criteria:
17-15 (A) the use or disclosure of protected health
17-16 information involves no more than minimal risk to the affected
17-17 individuals;
17-18 (B) the waiver will not adversely affect the
17-19 privacy rights and welfare of those individuals;
17-20 (C) the research could not practicably be
17-21 conducted without the waiver;
17-22 (D) the research could not practicably be
17-23 conducted without access to and use of the protected health
17-24 information;
17-25 (E) the privacy risks to individuals whose
17-26 protected health information is to be used or disclosed are
18-1 reasonable in relation to the anticipated benefits, if any, to the
18-2 individuals and the importance of the knowledge that may reasonably
18-3 be expected to result from the research;
18-4 (F) there is an adequate plan to protect the
18-5 identifiers from improper use and disclosure;
18-6 (G) there is an adequate plan to destroy the
18-7 identifiers at the earliest opportunity consistent with conduct of
18-8 the research, unless there is a health or research justification
18-9 for retaining the identifiers or the retention is otherwise
18-10 required by law; and
18-11 (H) there are adequate written assurances that
18-12 the protected health information will not be reused or disclosed to
18-13 another person or entity, except:
18-14 (i) as required by law;
18-15 (ii) for authorized oversight of the
18-16 research project; or
18-17 (iii) for other research for which the use
18-18 or disclosure of protected health information would be permitted by
18-19 state or federal law;
18-20 (3) a brief description of the protected health
18-21 information for which use or access has been determined to be
18-22 necessary by the privacy board under Subdivision (2)(D); and
18-23 (4) a statement that the waiver of express written
18-24 authorization has been approved by the privacy board following the
18-25 procedures under Subsection (e).
18-26 (d) A waiver must be signed by the presiding officer of the
19-1 privacy board or the presiding officer's designee.
19-2 (e) The privacy board must review the proposed research at a
19-3 convened meeting at which a majority of the privacy board members
19-4 are present, including at least one member who satisfies the
19-5 requirements of Subsection (b)(2). The waiver of express written
19-6 authorization must be approved by the majority of the privacy board
19-7 members present at the meeting, unless the privacy board elects to
19-8 use an expedited review procedure. The privacy board may use an
19-9 expedited review procedure only if the research involves no more
19-10 than minimal risk to the privacy of the individual who is the
19-11 subject of the protected health information of which use or
19-12 disclosure is being sought. If the privacy board elects to use an
19-13 expedited review procedure, the review and approval of the waiver
19-14 of express written authorization may be made by the presiding
19-15 officer of the privacy board or by one or more members of the
19-16 privacy board as designated by the presiding officer.
19-17 (f) A covered entity or health care entity may disclose
19-18 protected health information to a person performing health research
19-19 if the covered entity or health care entity obtains from the person
19-20 performing the health research representations that:
19-21 (1) use or disclosure is sought solely to review
19-22 protected health information as necessary to prepare a research
19-23 protocol or for similar purposes preparatory to research;
19-24 (2) no protected health information is to be removed
19-25 from the covered entity or health care entity by the person
19-26 performing the health research in the course of the review; and
20-1 (3) the protected health information for which use or
20-2 access is sought is necessary for the research purposes.
20-3 Sec. 181.055. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH
20-4 AUTHORITY. A covered entity may use or disclose protected health
20-5 information without the express written authorization of the
20-6 individual for public health activities or to comply with the
20-7 requirements of any federal or state health benefit program. A
20-8 covered entity may disclose protected health information:
20-9 (1) to a public health authority that is authorized by
20-10 law to collect or receive such information for the purpose of
20-11 preventing or controlling disease, injury, or disability, including
20-12 the reporting of disease, injury, vital events such as birth or
20-13 death, and the conduct of public health surveillance, public health
20-14 investigations, and public interventions;
20-15 (2) to a public health authority or other appropriate
20-16 government authority authorized by law to receive reports of child
20-17 or adult abuse, neglect, or exploitation; and
20-18 (3) to any state agency in conjunction with a federal
20-19 or state health benefit program.
20-20 Sec. 181.056. REQUIRED NOTICE. (a) On request, a covered
20-21 entity or health care entity conducting disease management or
20-22 health care operations shall provide written notice to an
20-23 individual of the entity's practices with respect to its uses and
20-24 disclosures of protected health information.
20-25 (b) Notice under this section must include:
20-26 (1) a complete description of the usual functions
21-1 performed with protected health information;
21-2 (2) a statement of whether protected health
21-3 information is stored in a computerized records system; and
21-4 (3) the name and the method of contacting the
21-5 individual responsible for responding to inquiries regarding the
21-6 entity's information practices.
21-7 (c) On written request by an individual who is the subject
21-8 of protected health information, a covered entity or health care
21-9 entity conducting disease management or health care operations
21-10 shall provide a list of the agents or contractors, not including
21-11 health care practitioners or health care facilities, who have
21-12 direct access to or use of the protected health information.
21-13 (d) The department by rule shall adopt a standardized notice
21-14 of information practices of the type described by this section.
21-15 (Sections 181.057-181.100 reserved for expansion)
21-16 SUBCHAPTER C. EXPRESS WRITTEN AUTHORIZATION
21-17 Sec. 181.101. FORM. (a) Express written authorization
21-18 required by this chapter must be in writing and signed by:
21-19 (1) the individual who is the subject of the protected
21-20 health information;
21-21 (2) the individual's legally authorized
21-22 representative; or
21-23 (3) the individual's agent under a medical power of
21-24 attorney.
21-25 (b) For purposes of this section, documentation of express
21-26 written authorization may be satisfied by the use of electronic
22-1 signatures, computerized express written authorization
22-2 documentation, or other technological means of recording express
22-3 written authorization.
22-4 (c) The department by rule shall adopt standards regulating
22-5 the content and form of the express written authorization.
22-6 Sec. 181.102. EXPIRATION. (a) An express written
22-7 authorization to disclose, access, or use protected health
22-8 information is valid until the expiration date or event specified
22-9 in the documentation or until it is revoked by the individual.
22-10 (b) Except as provided by Subsection (c), a covered entity
22-11 may not coerce an individual to sign an express written
22-12 authorization required under this chapter.
22-13 (c) A person engaged in health research may require an
22-14 individual's express written authorization to disclose protected
22-15 health information as a condition of the individual's participation
22-16 in the research.
22-17 (Sections 181.103-181.150 reserved for expansion)
22-18 SUBCHAPTER D. PROHIBITED ACTS
22-19 Sec. 181.151. REIDENTIFIED INFORMATION. A person may not
22-20 reidentify or attempt to reidentify an individual who is the
22-21 subject of any protected health information without obtaining the
22-22 individual's consent or authorization if required under this
22-23 chapter or other state or federal law.
22-24 Sec. 181.152. CONTACT FOR PURPOSES OF PROMOTION OR
22-25 ADVERTISEMENT. (a) A covered entity or health care entity may
22-26 not, without the express written authorization of the individual
23-1 who is the subject of protected health information, use, access, or
23-2 disclose the protected health information for the promotion or
23-3 advertisement by any person or entity of specific products or
23-4 services if the covered entity or health care entity receives,
23-5 directly or indirectly, a financial incentive or remuneration from
23-6 a third party for the use, access, or disclosure.
23-7 (b) A covered entity may not condition services upon receipt
23-8 of required express written authorization for activities described
23-9 in this section.
23-10 (c) "Promotion or advertisement of specific products or
23-11 services" does not include treatment, disease management, or health
23-12 care operations, except that health care operations as defined by
23-13 Section 181.001(9)(C) may be prohibited under this section.
23-14 (Sections 181.153-181.200 reserved for expansion)
23-15 SUBCHAPTER E. ENFORCEMENT
23-16 Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The
23-17 attorney general may institute an action for injunctive relief to
23-18 restrain a violation of this chapter.
23-19 (b) In addition to the injunctive relief provided by
23-20 Subsection (a), the attorney general may institute an action for
23-21 civil penalties against a covered entity or health care entity for
23-22 a violation of this chapter. A civil penalty assessed under this
23-23 section may not exceed $3,000 for each violation.
23-24 (c) If the court in which an action under Subsection (b) is
23-25 pending finds that the violations have occurred with a frequency as
23-26 to constitute a pattern or practice, the court may assess a civil
24-1 penalty not to exceed $250,000.
24-2 (d) If the attorney general substantially prevails in an
24-3 action for injunctive relief or a civil penalty under this section,
24-4 the court shall award to the attorney general reasonable attorney's
24-5 fees, costs, and expenses incurred obtaining the relief or penalty,
24-6 including court costs and witness fees.
24-7 Sec. 181.202. INDIVIDUAL INJUNCTIVE RELIEF. An individual
24-8 who is aggrieved by a violation of this chapter may institute an
24-9 action against a covered entity or health care entity for
24-10 appropriate injunctive relief. If the individual is the prevailing
24-11 party, the court shall award reasonable attorney's fees and other
24-12 litigation costs and expenses reasonably incurred.
24-13 Sec. 181.203. SOVEREIGN IMMUNITY. This chapter does not
24-14 waive sovereign immunity to suit or liability.
24-15 SECTION 2. Title 1, Insurance Code, is amended by adding
24-16 Chapter 28B to read as follows:
24-17 CHAPTER 28B. PRIVACY OF HEALTH INFORMATION
24-18 SUBCHAPTER A. GENERAL PROVISIONS
24-19 Art. 28B.01. DEFINITIONS. In this chapter:
24-20 (1) "Health information" means any information or data
24-21 regarding an individual, other than age or gender, whether oral or
24-22 recorded in any form or medium, that is created by or derived from
24-23 a health care provider or the individual and that relates to:
24-24 (A) the past, present, or future physical,
24-25 mental, or behavioral health or condition of an individual;
24-26 (B) the provision of health care to an
25-1 individual; or
25-2 (C) payment for the provision of health care to
25-3 an individual.
25-4 (2) "Licensee" means a person who holds or is required
25-5 to hold a license, registration, certificate of authority, or other
25-6 authority under this code or another insurance law of this state.
25-7 The term includes an insurance company, group hospital service
25-8 corporation, mutual insurance company, local mutual aid
25-9 association, statewide mutual assessment company, stipulated
25-10 premium insurance company, health maintenance organization,
25-11 reciprocal or interinsurance exchange, Lloyd's plan, fraternal
25-12 benefit society, county mutual insurer, farm mutual insurer, or
25-13 insurance agent.
25-14 (3) "Nonpublic personal health information" means
25-15 health information:
25-16 (A) that identifies an individual who is the
25-17 subject of the information; or
25-18 (B) with respect to which there is a reasonable
25-19 basis to believe that the information could be used to identify an
25-20 individual.
25-21 Art. 28B.02. PERSONALLY IDENTIFIABLE HEALTH INFORMATION:
25-22 PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION. (a) A licensee must
25-23 obtain an authorization to disclose any nonpublic personal health
25-24 information before making such a disclosure.
25-25 (b) The request for authorization required by this article
25-26 may be in written or electronic form and must:
26-1 (1) state the identity of the consumer or customer who
26-2 is the subject of the nonpublic personal health information;
26-3 (2) describe:
26-4 (A) the types of nonpublic personal health
26-5 information to be disclosed;
26-6 (B) the parties to whom the licensee discloses
26-7 nonpublic personal health information;
26-8 (C) the purpose of the disclosure;
26-9 (D) how the information will be used; and
26-10 (E) the procedure for revoking the
26-11 authorization;
26-12 (3) include the signature and date signed of:
26-13 (A) the consumer or customer who is the subject
26-14 of the nonpublic personal health information; or
26-15 (B) the individual who is legally empowered to
26-16 grant authority;
26-17 (4) provide notice:
26-18 (A) of the length of time for which the
26-19 authorization is valid; and
26-20 (B) that the consumer or customer may revoke the
26-21 authorization at any time; and
26-22 (5) specify the amount of time that the authorization
26-23 remains valid, which may not exceed 24 months.
26-24 (c) The right of a consumer or customer to revoke an
26-25 authorization at any time is subject to the rights of an individual
26-26 who acted in reliance on the authorization before receiving notice
27-1 of a revocation.
27-2 (d) The licensee shall retain the original or a copy of the
27-3 authorization in the record of the individual who is the subject of
27-4 the nonpublic personal health information.
27-5 Art. 28B.03. DELIVERY OF AUTHORIZATION. (a) A request for
27-6 authorization and an authorization form may be delivered to a
27-7 consumer or a customer if the request and the authorization form
27-8 are clear and conspicuous.
27-9 (b) A licensee must include delivery of the authorization in
27-10 a notice to the consumer or customer only if the licensee intends
27-11 to disclose protected health information under this chapter.
27-12 Art. 28B.04. EXCEPTIONS. A licensee may disclose nonpublic
27-13 personal health information to the extent that the disclosure is
27-14 necessary to perform the following insurance functions on behalf of
27-15 that licensee:
27-16 (1) the investigation or reporting of actual or
27-17 potential fraud, misrepresentation, or criminal activity;
27-18 (2) underwriting;
27-19 (3) the placement or issuance of an insurance policy;
27-20 (4) loss control services;
27-21 (5) ratemaking and guaranty fund functions;
27-22 (6) reinsurance and excess loss insurance;
27-23 (7) risk management;
27-24 (8) case management;
27-25 (9) disease management;
27-26 (10) quality assurance;
28-1 (11) quality improvement;
28-2 (12) performance evaluation;
28-3 (13) health care provider credentialing verification;
28-4 (14) utilization review;
28-5 (15) peer review activities;
28-6 (16) actuarial, scientific, medical, or public policy
28-7 research;
28-8 (17) grievance procedures;
28-9 (18) the internal administration of compliance,
28-10 managerial, and information systems;
28-11 (19) policyholder services;
28-12 (20) auditing;
28-13 (21) reporting;
28-14 (22) database security;
28-15 (23) the administration of consumer disputes and
28-16 inquiries;
28-17 (24) external accreditation standards;
28-18 (25) the replacement of a group benefit plan or
28-19 workers' compensation policy or program;
28-20 (26) activities in connection with a sale, merger,
28-21 transfer, or exchange of all or part of a business or operating
28-22 unit;
28-23 (27) any activity that permits disclosure without
28-24 authorization under the federal Health Insurance Portability and
28-25 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), as
28-26 amended;
29-1 (28) disclosure that is required, or is a lawful or
29-2 appropriate method to enforce the licensee's rights or the rights
29-3 of other persons engaged, in carrying out a transaction or
29-4 providing a product or service that the consumer requests or
29-5 authorizes;
29-6 (29) claims administration, adjustment, and
29-7 management;
29-8 (30) any activity otherwise permitted by law, required
29-9 pursuant to a governmental reporting authority, or required to
29-10 comply with legal process; and
29-11 (31) any other insurance functions that the
29-12 commissioner approves that are:
29-13 (A) necessary for appropriate performance of
29-14 insurance functions; and
29-15 (B) fair and reasonable to the interests of
29-16 consumers.
29-17 Art. 28B.05. EXCEPTION FOR COMPLIANCE WITH FEDERAL RULES.
29-18 This subchapter does not apply to a licensee who complies with any
29-19 standards governing the privacy of individually identifiable health
29-20 information adopted by the United States Secretary of Health and
29-21 Human Services under Section 262(a), Health Insurance Portability
29-22 and Accountability Act of 1996 (42 U.S.C. Sections 1320d-1320d-8).
29-23 Art. 28B.06. PROTECTION OF FAIR CREDIT REPORTING ACTS.
29-24 (a) This chapter may not be construed to modify, limit, or
29-25 supersede the operation of the Fair Credit Reporting Act (15 U.S.C.
29-26 Section 1681 et seq.) and an inference may not be drawn based on
30-1 this chapter regarding whether information is transaction or
30-2 experience information under Section 603 of that Act (15 U.S.C.
30-3 Section 1681a).
30-4 (b) This chapter does not preempt or supersede a state law
30-5 related to medical record, health, or insurance information privacy
30-6 that is in effect on July 1, 2002.
30-7 Art. 28B.07. VIOLATION; PENALTIES. (a) A licensee may not
30-8 knowingly or wilfully violate this chapter.
30-9 (b) The department may investigate any alleged violation of
30-10 this chapter and may impose fines and other sanctions as determined
30-11 to be appropriate in accordance with Chapters 82 and 84 of this
30-12 code and the other insurance laws of this state.
30-13 SECTION 3. (a) Chapter 181, Health and Safety Code, as
30-14 added by this Act, takes effect September 1, 2003.
30-15 (b) Chapter 28B, Insurance Code, as added by this Act, takes
30-16 effect January 1, 2002.
30-17 (c) The commissioner of insurance may delay the date for
30-18 compliance with Chapter 28B, Insurance Code, as added by this Act,
30-19 if the commissioner determines that an entity needs more time to
30-20 establish policies and systems to comply with the requirements of
30-21 that chapter.
30-22 (d) An authorization or consent granting access to an
30-23 individual's health care records executed before the effective date
30-24 of this Act is governed by the law in effect when the authorization
30-25 or consent was executed, and the former law continues in effect for
30-26 that purpose.