77R16892 MCK-D By Nelson, et al. S.B. No. 11 Substitute the following for S.B. No. 11: By Gray C.S.S.B. No. 11 A BILL TO BE ENTITLED 1-1 AN ACT 1-2 relating to protecting the privacy of medical records; providing 1-3 penalties. 1-4 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: 1-5 SECTION 1. Title 2, Health and Safety Code, is amended by 1-6 adding Subtitle I to read as follows: 1-7 SUBTITLE I. MEDICAL RECORDS 1-8 CHAPTER 181. MEDICAL RECORDS PRIVACY 1-9 SUBCHAPTER A. GENERAL PROVISIONS 1-10 Sec. 181.001. DEFINITIONS. (a) Unless otherwise defined in 1-11 this chapter, each term that is used in this chapter has the 1-12 meaning assigned by the Health Insurance Portability and 1-13 Accountability Act and Privacy Standards. 1-14 (b) In this chapter: 1-15 (1) "Covered entity" means any person, other than an 1-16 employer, who: 1-17 (A) for commercial, financial, or professional 1-18 gain, monetary fees, or dues, or on a cooperative, nonprofit, or 1-19 pro bono basis, engages, in whole or in part, and with real or 1-20 constructive knowledge, in the practice of assembling, collecting, 1-21 analyzing, using, evaluating, storing, or transmitting protected 1-22 health information. The term includes a business associate, health 1-23 care payer, governmental unit, information or computer management 1-24 entity, school, health researcher, health care facility, clinic, 2-1 health care provider, or person who maintains an Internet site; 2-2 (B) comes into possession of protected health 2-3 information; 2-4 (C) obtains or stores protected health 2-5 information under this chapter; or 2-6 (D) is an employee, agent, or contractor of a 2-7 person described by Paragraph (A), (B), or (C) insofar as the 2-8 employee, agent, or contractor creates, receives, obtains, 2-9 maintains, uses, or transmits protected health information. 2-10 (2) "Health Insurance Portability and Accountability 2-11 Act and Privacy Standards" means the privacy requirements of the 2-12 Administrative Simplification subtitle of the Health Insurance 2-13 Portability and Accountability Act of 1996 (Pub. L. No. 104-191) 2-14 and the final rules adopted on December 28, 2000, and published at 2-15 65 Fed. Reg. 82798 et seq., and any subsequent amendments. 2-16 (3) "Marketing" means the promotion or advertisement, 2-17 by a covered entity, of specific products or services if the 2-18 covered entity receives, directly or indirectly, a financial 2-19 incentive or remuneration from a third party for the use, access, 2-20 or disclosure of protected health information. Marketing does not 2-21 include a communication, for treatment or health care operations, 2-22 by a health care provider, health plan, or participants in an 2-23 organized health care arrangement or their affiliated covered 2-24 entities or business associates within the meaning of those terms 2-25 under the Health Insurance Portability and Accountability Act and 2-26 Privacy Standards. 2-27 Sec. 181.002. APPLICABILITY. This chapter does not affect 3-1 the validity of another statute of this state that provides greater 3-2 confidentiality for information made confidential by this chapter. 3-3 Sec. 181.003. SOVEREIGN IMMUNITY. This chapter does not 3-4 waive sovereign immunity to suit or liability. 3-5 Sec. 181.004. RULES. A state agency that licenses or 3-6 regulates a covered entity may adopt rules as necessary to carry 3-7 out the purposes of this chapter. 3-8 (Sections 181.005-181.050 reserved for expansion 3-9 SUBCHAPTER B. EXEMPTIONS 3-10 Sec. 181.051. PARTIAL EXEMPTION. Except for Section 3-11 181.152, this chapter does not apply to: 3-12 (1) a covered entity as defined in the Health 3-13 Insurance Portability and Accountability Act and Privacy Standards, 3-14 an affiliate under the covered entity's common ownership or 3-15 control, or an entity participating in an organized health care 3-16 arrangement with the covered entity; 3-17 (2) a business associate of a covered entity if the 3-18 business associate is acting in compliance with the Health 3-19 Insurance Portability and Accountability Act and Privacy Standards; 3-20 (3) a licensee as defined in Article 28B.01, Insurance 3-21 Code; or 3-22 (4) an entity established under Article 5.76-3, 3-23 Insurance Code. 3-24 Sec. 181.052. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL 3-25 INSTITUTIONS. (a) In this section, "financial institution" has 3-26 the meaning assigned by Section 1101, Right to Financial Privacy 3-27 Act of 1978 (12 U.S.C. Section 3401), and its subsequent 4-1 amendments. 4-2 (b) To the extent that a covered entity engages in 4-3 activities of a financial institution, or authorizes, processes, 4-4 clears, settles, bills, transfers, reconciles, or collects payments 4-5 for a financial institution, this chapter and any rule adopted 4-6 under this chapter does not apply to the covered entity with 4-7 respect to those activities, including the following: 4-8 (1) using or disclosing information to authorize, 4-9 process, clear, settle, bill, transfer, reconcile, or collect a 4-10 payment for, or related to, health plan premiums or health care, if 4-11 the payment is made by any means, including a credit, debit, or 4-12 other payment card, an account, a check, or an electronic funds 4-13 transfer; and 4-14 (2) requesting, using, or disclosing information with 4-15 respect to a payment described by Subdivision (1): 4-16 (A) for transferring receivables; 4-17 (B) for auditing; 4-18 (C) in connection with a customer dispute or an 4-19 inquiry from or to a customer; 4-20 (D) in a communication to a customer of the 4-21 entity regarding the customer's transactions, payment card, 4-22 account, check, or electronic funds transfer; 4-23 (E) for reporting to consumer reporting 4-24 agencies; or 4-25 (F) for complying with a civil or criminal 4-26 subpoena or a federal or state law regulating the covered entity. 4-27 Sec. 181.053. NONPROFIT AGENCIES. The department shall by 5-1 rule exempt from this chapter a nonprofit agency that pays for 5-2 health care services or prescription drugs for an indigent person 5-3 only if the agency's primary business is not the provision of 5-4 health care or reimbursement for health care services. 5-5 Sec. 181.054. WORKERS' COMPENSATION. This chapter does not 5-6 apply to: 5-7 (1) workers' compensation insurance or a function 5-8 authorized by Title 5, Labor Code; or 5-9 (2) any person or entity in connection with providing, 5-10 administering, supporting, or coordinating any of the benefits 5-11 under a self-insured program for workers' compensation. 5-12 Sec. 181.055. EMPLOYEE BENEFIT PLAN. This chapter does not 5-13 apply to: 5-14 (1) an employee benefit plan; or 5-15 (2) any covered entity, health care entity, or other 5-16 person, insofar as the entity or person is acting in connection 5-17 with an employee benefit plan. 5-18 Sec. 181.056. AMERICAN RED CROSS. This chapter does not 5-19 prohibit the American Red Cross from accessing any information 5-20 necessary to perform its duties to provide disaster relief, 5-21 disaster communication, or emergency leave verification services 5-22 for military personnel. 5-23 Sec. 181.057. INFORMATION RELATING TO OFFENDERS WITH MENTAL 5-24 IMPAIRMENTS. This chapter does not apply to an agency described by 5-25 Section 614.017 with respect to the disclosure, receipt, transfer, 5-26 or exchange of medical and health information and records relating 5-27 to individuals in the custody of an agency or in community 6-1 supervision. 6-2 Sec. 181.058. EDUCATIONAL RECORDS. In this chapter, 6-3 protected health information does not include: 6-4 (1) education records covered by the Family 6-5 Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 6-6 1232g) and its subsequent amendments; or 6-7 (2) records described by 20 U.S.C. Section 6-8 1232g(a)(4)(B)(iv) and its subsequent amendments. 6-9 (Sections 181.059-181.100 reserved for expansion 6-10 SUBCHAPTER C. ACCESS TO AND USE OF HEALTH CARE INFORMATION 6-11 Sec. 181.101. COMPLIANCE WITH FEDERAL REGULATIONS. (a) A 6-12 covered entity shall comply with the Health Insurance Portability 6-13 and Accountability Act and Privacy Standards relating to: 6-14 (1) an individual's access to the individual's 6-15 protected health information; 6-16 (2) amendment of protected health information; 6-17 (3) uses and disclosures of protected health 6-18 information, including requirements relating to consent; and 6-19 (4) notice of privacy practices for protected health 6-20 information. 6-21 (b) To the extent that this chapter differs from the Health 6-22 Insurance Portability and Accountability Act and Privacy Standards, 6-23 this chapter controls if the provisions of this chapter are clearly 6-24 more restrictive than the provisions of the Health Insurance 6-25 Portability and Accountability Act and Privacy Standards. 6-26 Sec. 181.102. INFORMATION FOR RESEARCH. (a) A covered 6-27 entity or health care entity may disclose protected health 7-1 information to a person performing health research, regardless of 7-2 the source of funding of the research, for the purpose of 7-3 conducting health research, only if the person performing health 7-4 research has obtained: 7-5 (1) individual consent or authorization for use or 7-6 disclosure of protected health information for research required by 7-7 federal law; 7-8 (2) the express written authorization of the 7-9 individual required by this chapter; 7-10 (3) documentation that a waiver of individual consent 7-11 or authorization required for use or disclosure of protected health 7-12 information has been granted by an institutional review board or 7-13 privacy board as required under federal law; or 7-14 (4) documentation that a waiver of the individual's 7-15 express written authorization required by this chapter has been 7-16 granted by a privacy board established under this section. 7-17 (b) A privacy board: 7-18 (1) must consist of members with varying backgrounds 7-19 and appropriate professional competency as necessary to review the 7-20 effect of the research protocol for the project or projects on the 7-21 privacy rights and related interests of the individuals whose 7-22 protected health information would be used or disclosed; 7-23 (2) must include at least one member who is not 7-24 affiliated with the covered entity or health care entity or an 7-25 entity conducting or sponsoring the research, and not related to 7-26 any person who is affiliated with an entity described by this 7-27 subsection; and 8-1 (3) may not have any member participating in the 8-2 review of any project in which the member has a conflict of 8-3 interest. 8-4 (c) A privacy board may grant a waiver of the express 8-5 written authorization for the use of protected health information 8-6 if the privacy board obtains the following documentation: 8-7 (1) a statement identifying the privacy board and the 8-8 date on which the waiver of the express written authorization was 8-9 approved by the privacy board; 8-10 (2) a statement that the privacy board has determined 8-11 that the waiver satisfies the following criteria: 8-12 (A) the use or disclosure of protected health 8-13 information involves no more than minimal risk to the affected 8-14 individuals; 8-15 (B) the waiver will not adversely affect the 8-16 privacy rights and welfare of those individuals; 8-17 (C) the research could not practicably be 8-18 conducted without the waiver; 8-19 (D) the research could not practicably be 8-20 conducted without access to and use of the protected health 8-21 information; 8-22 (E) the privacy risks to individuals whose 8-23 protected health information is to be used or disclosed are 8-24 reasonable in relation to the anticipated benefits, if any, to the 8-25 individuals and the importance of the knowledge that may reasonably 8-26 be expected to result from the research; 8-27 (F) there is an adequate plan to protect the 9-1 identifiers from improper use and disclosure; 9-2 (G) there is an adequate plan to destroy the 9-3 identifiers at the earliest opportunity consistent with conduct of 9-4 the research, unless there is a health or research justification 9-5 for retaining the identifiers or the retention is otherwise 9-6 required by law; and 9-7 (H) there are adequate written assurances that 9-8 the protected health information will not be reused or disclosed to 9-9 another person or entity, except: 9-10 (i) as required by law; 9-11 (ii) for authorized oversight of the 9-12 research project; or 9-13 (iii) for other research for which the use 9-14 or disclosure of protected health information would be permitted by 9-15 state or federal law; 9-16 (3) a brief description of the protected health 9-17 information for which use or access has been determined to be 9-18 necessary by the privacy board under Subdivision (2)(D); and 9-19 (4) a statement that the waiver of express written 9-20 authorization has been approved by the privacy board following the 9-21 procedures under Subsection (e). 9-22 (d) A waiver must be signed by the presiding officer of the 9-23 privacy board or the presiding officer's designee. 9-24 (e) The privacy board must review the proposed research at a 9-25 convened meeting at which a majority of the privacy board members 9-26 are present, including at least one member who satisfies the 9-27 requirements of Subsection (b)(2). The waiver of express written 10-1 authorization must be approved by the majority of the privacy board 10-2 members present at the meeting, unless the privacy board elects to 10-3 use an expedited review procedure. The privacy board may use an 10-4 expedited review procedure only if the research involves no more 10-5 than minimal risk to the privacy of the individual who is the 10-6 subject of the protected health information of which use or 10-7 disclosure is being sought. If the privacy board elects to use an 10-8 expedited review procedure, the review and approval of the waiver 10-9 of express written authorization may be made by the presiding 10-10 officer of the privacy board or by one or more members of the 10-11 privacy board as designated by the presiding officer. 10-12 (f) A covered entity or health care entity may disclose 10-13 protected health information to a person performing health research 10-14 if the covered entity or health care entity obtains from the person 10-15 performing the health research representations that: 10-16 (1) use or disclosure is sought solely to review 10-17 protected health information as necessary to prepare a research 10-18 protocol or for similar purposes preparatory to research; 10-19 (2) no protected health information is to be removed 10-20 from the covered entity or health care entity by the person 10-21 performing the health research in the course of the review; and 10-22 (3) the protected health information for which use or 10-23 access is sought is necessary for the research purposes. 10-24 (g) A person who is the subject of protected health 10-25 information collected or created in the course of a clinical 10-26 research trial may access the information at the conclusion of the 10-27 research trial. 11-1 Sec. 181.103. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH 11-2 AUTHORITY. A covered entity may use or disclose protected health 11-3 information without the express written authorization of the 11-4 individual for public health activities or to comply with the 11-5 requirements of any federal or state health benefit program or any 11-6 federal or state law. A covered entity may disclose protected 11-7 health information: 11-8 (1) to a public health authority that is authorized by 11-9 law to collect or receive such information for the purpose of 11-10 preventing or controlling disease, injury, or disability, including 11-11 the reporting of disease, injury, vital events such as birth or 11-12 death, and the conduct of public health surveillance, public health 11-13 investigations, and public interventions; 11-14 (2) to a public health authority or other appropriate 11-15 government authority authorized by law to receive reports of child 11-16 or adult abuse, neglect, or exploitation; and 11-17 (3) to any state agency in conjunction with a federal 11-18 or state health benefit program. 11-19 (Sections 181.104-181.150 reserved for expansion 11-20 SUBCHAPTER D. PROHIBITED ACTS 11-21 Sec. 181.151. REIDENTIFIED INFORMATION. A person may not 11-22 reidentify or attempt to reidentify an individual who is the 11-23 subject of any protected health information without obtaining the 11-24 individual's consent or authorization if required under this 11-25 chapter or other state or federal law. 11-26 Sec. 181.152. MARKETING USES OF INFORMATION. (a) A covered 11-27 entity may not disclose, use, or sell or coerce an individual to 12-1 consent to the disclosure, use, or sale of protected health 12-2 information, including prescription patterns, for marketing 12-3 purposes without the consent or authorization of the individual who 12-4 is the subject of the protected health information. 12-5 (b) A written marketing communication must be sent in an 12-6 envelope showing only the addresses of sender and recipient and 12-7 must: 12-8 (1) state the name and toll-free number of the health 12-9 care entity sending the marketing communication; and 12-10 (2) explain the recipient's right to have the 12-11 recipient's name removed from the sender's mailing list. 12-12 (c) A person who receives a request under Subsection (b)(2) 12-13 to remove a person's name from a mailing list shall remove the 12-14 person's name not later than the fifth day after the date the 12-15 person receives the request. 12-16 (Sections 181.153-181.200 reserved for expansion 12-17 SUBCHAPTER E. ENFORCEMENT 12-18 Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The 12-19 attorney general may institute an action for injunctive relief to 12-20 restrain a violation of this chapter. 12-21 (b) In addition to the injunctive relief provided by 12-22 Subsection (a), the attorney general may institute an action for 12-23 civil penalties against a covered entity or health care entity for 12-24 a violation of this chapter. A civil penalty assessed under this 12-25 section may not exceed $3,000 for each violation. 12-26 (c) If the court in which an action under Subsection (b) is 12-27 pending finds that the violations have occurred with a frequency as 13-1 to constitute a pattern or practice, the court may assess a civil 13-2 penalty not to exceed $250,000. 13-3 Sec. 181.202. DISCIPLINARY ACTION. In addition to the 13-4 penalties prescribed by this chapter, a violation of this chapter 13-5 by an individual or facility that is licensed by an agency of this 13-6 state is subject to investigation and disciplinary proceedings, 13-7 including probation or suspension by the licensing agency. If 13-8 there is evidence that the violations of this chapter constitute a 13-9 pattern or practice, the agency may revoke the individual's or 13-10 facility's license. 13-11 Sec. 181.203. EXCLUSION FROM STATE PROGRAMS. In addition to 13-12 the penalties prescribed by this chapter, a covered entity shall be 13-13 excluded from participating in any state-funded health care program 13-14 if there is evidence that the covered entity engaged in a pattern 13-15 or practice of violating this chapter. 13-16 Sec. 181.204. AVAILABILITY OF OTHER REMEDIES. This chapter 13-17 does not affect any right of a person under other law to bring a 13-18 cause of action or otherwise seek relief with respect to conduct 13-19 that is a violation of this chapter. 13-20 SECTION 2. Title 1, Insurance Code, is amended by adding 13-21 Chapter 28B to read as follows: 13-22 CHAPTER 28B. PRIVACY OF HEALTH INFORMATION 13-23 SUBCHAPTER A. GENERAL PROVISIONS 13-24 Art. 28B.01. DEFINITIONS. In this chapter: 13-25 (1) "Health information" means any information or data 13-26 regarding an individual, other than age or gender, whether oral or 13-27 recorded in any form or medium, that is created by or derived from 14-1 a health care provider or the individual and that relates to: 14-2 (A) the past, present, or future physical, 14-3 mental, or behavioral health or condition of an individual; 14-4 (B) the provision of health care to an 14-5 individual; or 14-6 (C) payment for the provision of health care to 14-7 an individual. 14-8 (2) "Licensee" means a person who holds or is required 14-9 to hold a license, registration, certificate of authority, or other 14-10 authority under this code or another insurance law of this state. 14-11 The term includes an insurance company, group hospital service 14-12 corporation, mutual insurance company, local mutual aid 14-13 association, statewide mutual assessment company, stipulated 14-14 premium insurance company, health maintenance organization, 14-15 reciprocal or interinsurance exchange, Lloyd's plan, fraternal 14-16 benefit society, county mutual insurer, farm mutual insurer, or 14-17 insurance agent. 14-18 (3) "Nonpublic personal health information" means 14-19 health information: 14-20 (A) that identifies an individual who is the 14-21 subject of the information; or 14-22 (B) with respect to which there is a reasonable 14-23 basis to believe that the information could be used to identify an 14-24 individual. 14-25 Art. 28B.02. PERSONALLY IDENTIFIABLE HEALTH INFORMATION: 14-26 PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION. (a) A licensee must 14-27 obtain an authorization to disclose any nonpublic personal health 15-1 information before making such a disclosure. 15-2 (b) The request for authorization required by this article 15-3 may be in written or electronic form and must: 15-4 (1) state the identity of the consumer or customer who 15-5 is the subject of the nonpublic personal health information; 15-6 (2) describe: 15-7 (A) the types of nonpublic personal health 15-8 information to be disclosed; 15-9 (B) the parties to whom the licensee discloses 15-10 nonpublic personal health information; 15-11 (C) the purpose of the disclosure; 15-12 (D) how the information will be used; and 15-13 (E) the procedure for revoking the 15-14 authorization; 15-15 (3) include the signature and date signed of: 15-16 (A) the consumer or customer who is the subject 15-17 of the nonpublic personal health information; or 15-18 (B) the individual who is legally empowered to 15-19 grant authority; 15-20 (4) provide notice: 15-21 (A) of the length of time for which the 15-22 authorization is valid; and 15-23 (B) that the consumer or customer may revoke the 15-24 authorization at any time; and 15-25 (5) specify the amount of time that the authorization 15-26 remains valid, which may not exceed 24 months. 15-27 (c) The right of a consumer or customer to revoke an 16-1 authorization at any time is subject to the rights of an individual 16-2 who acted in reliance on the authorization before receiving notice 16-3 of a revocation. 16-4 (d) The licensee shall retain the original or a copy of the 16-5 authorization in the record of the individual who is the subject of 16-6 the nonpublic personal health information. 16-7 Art. 28B.03. DELIVERY OF AUTHORIZATION. (a) A request for 16-8 authorization and an authorization form may be delivered to a 16-9 consumer or a customer if the request and the authorization form 16-10 are clear and conspicuous. 16-11 (b) A licensee must include delivery of the authorization in 16-12 a notice to the consumer or customer only if the licensee intends 16-13 to disclose protected health information under this chapter. 16-14 Art. 28B.04. EXCEPTIONS. A licensee may disclose nonpublic 16-15 personal health information to the extent that the disclosure is 16-16 necessary to perform the following insurance functions on behalf of 16-17 that licensee: 16-18 (1) the investigation or reporting of actual or 16-19 potential fraud, misrepresentation, or criminal activity; 16-20 (2) underwriting; 16-21 (3) the placement or issuance of an insurance policy; 16-22 (4) loss control services; 16-23 (5) ratemaking and guaranty fund functions; 16-24 (6) reinsurance and excess loss insurance; 16-25 (7) risk management; 16-26 (8) case management; 16-27 (9) disease management; 17-1 (10) quality assurance; 17-2 (11) quality improvement; 17-3 (12) performance evaluation; 17-4 (13) health care provider credentialing verification; 17-5 (14) utilization review; 17-6 (15) peer review activities; 17-7 (16) actuarial, scientific, medical, or public policy 17-8 research; 17-9 (17) grievance procedures; 17-10 (18) the internal administration of compliance, 17-11 managerial, and information systems; 17-12 (19) policyholder services; 17-13 (20) auditing; 17-14 (21) reporting; 17-15 (22) database security; 17-16 (23) the administration of consumer disputes and 17-17 inquiries; 17-18 (24) external accreditation standards; 17-19 (25) the replacement of a group benefit plan or 17-20 workers' compensation policy or program; 17-21 (26) activities in connection with a sale, merger, 17-22 transfer, or exchange of all or part of a business or operating 17-23 unit; 17-24 (27) any activity that permits disclosure without 17-25 authorization under the federal Health Insurance Portability and 17-26 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), as 17-27 amended; 18-1 (28) disclosure that is required, or is a lawful or 18-2 appropriate method to enforce the licensee's rights or the rights 18-3 of other persons engaged, in carrying out a transaction or 18-4 providing a product or service that the consumer requests or 18-5 authorizes; 18-6 (29) claims administration, adjustment, and 18-7 management; 18-8 (30) any activity otherwise permitted by law, required 18-9 pursuant to a governmental reporting authority, or required to 18-10 comply with legal process; and 18-11 (31) any other insurance functions that the 18-12 commissioner approves that are: 18-13 (A) necessary for appropriate performance of 18-14 insurance functions; and 18-15 (B) fair and reasonable to the interests of 18-16 consumers. 18-17 Art. 28B.05. EXCEPTION FOR COMPLIANCE WITH FEDERAL RULES. 18-18 This subchapter does not apply to a licensee who is required to 18-19 comply with the standards governing the privacy of individually 18-20 identifiable health information adopted by the United States 18-21 Secretary of Health and Human Services under Section 262(a), Health 18-22 Insurance Portability and Accountability Act of 1996 (42 U.S.C. 18-23 Sections 1320d-1320d-8). 18-24 Art. 28B.06. PROTECTION OF FAIR CREDIT REPORTING ACTS. 18-25 (a) This chapter may not be construed to modify, limit, or 18-26 supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 18-27 Section 1681 et seq.) and an inference may not be drawn based on 19-1 this chapter regarding whether information is transaction or 19-2 experience information under Section 603 of that Act (15 U.S.C. 19-3 Section 1681a). 19-4 (b) This chapter does not preempt or supersede a state law 19-5 related to medical record, health, or insurance information privacy 19-6 that is in effect on July 1, 2002. 19-7 Art. 28B.07. VIOLATION; PENALTIES. (a) A licensee may not 19-8 knowingly or wilfully violate this chapter. 19-9 (b) The department may investigate any alleged violation of 19-10 this chapter and may impose fines and other sanctions as determined 19-11 to be appropriate in accordance with Chapters 82 and 84 of this 19-12 code and the other insurance laws of this state. 19-13 Art. 28B.08. RULES. The commissioner may adopt rules as 19-14 necessary to implement this chapter. 19-15 SECTION 3. (a) Chapter 181, Health and Safety Code, as 19-16 added by this Act, takes effect September 1, 2001. A covered 19-17 entity shall comply with the requirements of Chapter 181, Health 19-18 and Safety Code, as added by this Act, not later than September 1, 19-19 2003. 19-20 (b) Chapter 28B, Insurance Code, as added by this Act, takes 19-21 effect January 1, 2002. 19-22 (c) The commissioner of insurance may delay the date for 19-23 compliance with Chapter 28B, Insurance Code, as added by this Act, 19-24 if the commissioner determines that an entity needs more time to 19-25 establish policies and systems to comply with the requirements of 19-26 that chapter. 19-27 (d) An authorization or consent granting access to an 20-1 individual's health care records executed before the effective date 20-2 of this Act is governed by the law in effect when the authorization 20-3 or consent was executed, and the former law continues in effect for 20-4 that purpose.