77R16892 MCK-D
By Nelson, et al. S.B. No. 11
Substitute the following for S.B. No. 11:
By Gray C.S.S.B. No. 11
A BILL TO BE ENTITLED
1-1 AN ACT
1-2 relating to protecting the privacy of medical records; providing
1-3 penalties.
1-4 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-5 SECTION 1. Title 2, Health and Safety Code, is amended by
1-6 adding Subtitle I to read as follows:
1-7 SUBTITLE I. MEDICAL RECORDS
1-8 CHAPTER 181. MEDICAL RECORDS PRIVACY
1-9 SUBCHAPTER A. GENERAL PROVISIONS
1-10 Sec. 181.001. DEFINITIONS. (a) Unless otherwise defined in
1-11 this chapter, each term that is used in this chapter has the
1-12 meaning assigned by the Health Insurance Portability and
1-13 Accountability Act and Privacy Standards.
1-14 (b) In this chapter:
1-15 (1) "Covered entity" means any person, other than an
1-16 employer, who:
1-17 (A) for commercial, financial, or professional
1-18 gain, monetary fees, or dues, or on a cooperative, nonprofit, or
1-19 pro bono basis, engages, in whole or in part, and with real or
1-20 constructive knowledge, in the practice of assembling, collecting,
1-21 analyzing, using, evaluating, storing, or transmitting protected
1-22 health information. The term includes a business associate, health
1-23 care payer, governmental unit, information or computer management
1-24 entity, school, health researcher, health care facility, clinic,
2-1 health care provider, or person who maintains an Internet site;
2-2 (B) comes into possession of protected health
2-3 information;
2-4 (C) obtains or stores protected health
2-5 information under this chapter; or
2-6 (D) is an employee, agent, or contractor of a
2-7 person described by Paragraph (A), (B), or (C) insofar as the
2-8 employee, agent, or contractor creates, receives, obtains,
2-9 maintains, uses, or transmits protected health information.
2-10 (2) "Health Insurance Portability and Accountability
2-11 Act and Privacy Standards" means the privacy requirements of the
2-12 Administrative Simplification subtitle of the Health Insurance
2-13 Portability and Accountability Act of 1996 (Pub. L. No. 104-191)
2-14 and the final rules adopted on December 28, 2000, and published at
2-15 65 Fed. Reg. 82798 et seq., and any subsequent amendments.
2-16 (3) "Marketing" means the promotion or advertisement,
2-17 by a covered entity, of specific products or services if the
2-18 covered entity receives, directly or indirectly, a financial
2-19 incentive or remuneration from a third party for the use, access,
2-20 or disclosure of protected health information. Marketing does not
2-21 include a communication, for treatment or health care operations,
2-22 by a health care provider, health plan, or participants in an
2-23 organized health care arrangement or their affiliated covered
2-24 entities or business associates within the meaning of those terms
2-25 under the Health Insurance Portability and Accountability Act and
2-26 Privacy Standards.
2-27 Sec. 181.002. APPLICABILITY. This chapter does not affect
3-1 the validity of another statute of this state that provides greater
3-2 confidentiality for information made confidential by this chapter.
3-3 Sec. 181.003. SOVEREIGN IMMUNITY. This chapter does not
3-4 waive sovereign immunity to suit or liability.
3-5 Sec. 181.004. RULES. A state agency that licenses or
3-6 regulates a covered entity may adopt rules as necessary to carry
3-7 out the purposes of this chapter.
3-8 (Sections 181.005-181.050 reserved for expansion)
3-9 SUBCHAPTER B. EXEMPTIONS
3-10 Sec. 181.051. PARTIAL EXEMPTION. Except for Section
3-11 181.152, this chapter does not apply to:
3-12 (1) a covered entity as defined in the Health
3-13 Insurance Portability and Accountability Act and Privacy Standards,
3-14 an affiliate under the covered entity's common ownership or
3-15 control, or an entity participating in an organized health care
3-16 arrangement with the covered entity;
3-17 (2) a business associate of a covered entity if the
3-18 business associate is acting in compliance with the Health
3-19 Insurance Portability and Accountability Act and Privacy Standards;
3-20 (3) a licensee as defined in Article 28B.01, Insurance
3-21 Code; or
3-22 (4) an entity established under Article 5.76-3,
3-23 Insurance Code.
3-24 Sec. 181.052. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL
3-25 INSTITUTIONS. (a) In this section, "financial institution" has
3-26 the meaning assigned by Section 1101, Right to Financial Privacy
3-27 Act of 1978 (12 U.S.C. Section 3401), and its subsequent
4-1 amendments.
4-2 (b) To the extent that a covered entity engages in
4-3 activities of a financial institution, or authorizes, processes,
4-4 clears, settles, bills, transfers, reconciles, or collects payments
4-5 for a financial institution, this chapter and any rule adopted
4-6 under this chapter does not apply to the covered entity with
4-7 respect to those activities, including the following:
4-8 (1) using or disclosing information to authorize,
4-9 process, clear, settle, bill, transfer, reconcile, or collect a
4-10 payment for, or related to, health plan premiums or health care, if
4-11 the payment is made by any means, including a credit, debit, or
4-12 other payment card, an account, a check, or an electronic funds
4-13 transfer; and
4-14 (2) requesting, using, or disclosing information with
4-15 respect to a payment described by Subdivision (1):
4-16 (A) for transferring receivables;
4-17 (B) for auditing;
4-18 (C) in connection with a customer dispute or an
4-19 inquiry from or to a customer;
4-20 (D) in a communication to a customer of the
4-21 entity regarding the customer's transactions, payment card,
4-22 account, check, or electronic funds transfer;
4-23 (E) for reporting to consumer reporting
4-24 agencies; or
4-25 (F) for complying with a civil or criminal
4-26 subpoena or a federal or state law regulating the covered entity.
4-27 Sec. 181.053. NONPROFIT AGENCIES. The department shall by
5-1 rule exempt from this chapter a nonprofit agency that pays for
5-2 health care services or prescription drugs for an indigent person
5-3 only if the agency's primary business is not the provision of
5-4 health care or reimbursement for health care services.
5-5 Sec. 181.054. WORKERS' COMPENSATION. This chapter does not
5-6 apply to:
5-7 (1) workers' compensation insurance or a function
5-8 authorized by Title 5, Labor Code; or
5-9 (2) any person or entity in connection with providing,
5-10 administering, supporting, or coordinating any of the benefits
5-11 under a self-insured program for workers' compensation.
5-12 Sec. 181.055. EMPLOYEE BENEFIT PLAN. This chapter does not
5-13 apply to:
5-14 (1) an employee benefit plan; or
5-15 (2) any covered entity, health care entity, or other
5-16 person, insofar as the entity or person is acting in connection
5-17 with an employee benefit plan.
5-18 Sec. 181.056. AMERICAN RED CROSS. This chapter does not
5-19 prohibit the American Red Cross from accessing any information
5-20 necessary to perform its duties to provide disaster relief,
5-21 disaster communication, or emergency leave verification services
5-22 for military personnel.
5-23 Sec. 181.057. INFORMATION RELATING TO OFFENDERS WITH MENTAL
5-24 IMPAIRMENTS. This chapter does not apply to an agency described by
5-25 Section 614.017 with respect to the disclosure, receipt, transfer,
5-26 or exchange of medical and health information and records relating
5-27 to individuals in the custody of an agency or in community
6-1 supervision.
6-2 Sec. 181.058. EDUCATIONAL RECORDS. In this chapter,
6-3 protected health information does not include:
6-4 (1) education records covered by the Family
6-5 Educational Rights and Privacy Act of 1974 (20 U.S.C. Section
6-6 1232g) and its subsequent amendments; or
6-7 (2) records described by 20 U.S.C. Section
6-8 1232g(a)(4)(B)(iv) and its subsequent amendments.
6-9 (Sections 181.059-181.100 reserved for expansion)
6-10 SUBCHAPTER C. ACCESS TO AND USE OF HEALTH CARE INFORMATION
6-11 Sec. 181.101. COMPLIANCE WITH FEDERAL REGULATIONS. (a) A
6-12 covered entity shall comply with the Health Insurance Portability
6-13 and Accountability Act and Privacy Standards relating to:
6-14 (1) an individual's access to the individual's
6-15 protected health information;
6-16 (2) amendment of protected health information;
6-17 (3) uses and disclosures of protected health
6-18 information, including requirements relating to consent; and
6-19 (4) notice of privacy practices for protected health
6-20 information.
6-21 (b) To the extent that this chapter differs from the Health
6-22 Insurance Portability and Accountability Act and Privacy Standards,
6-23 this chapter controls if the provisions of this chapter are clearly
6-24 more restrictive than the provisions of the Health Insurance
6-25 Portability and Accountability Act and Privacy Standards.
6-26 Sec. 181.102. INFORMATION FOR RESEARCH. (a) A covered
6-27 entity or health care entity may disclose protected health
7-1 information to a person performing health research, regardless of
7-2 the source of funding of the research, for the purpose of
7-3 conducting health research, only if the person performing health
7-4 research has obtained:
7-5 (1) individual consent or authorization for use or
7-6 disclosure of protected health information for research required by
7-7 federal law;
7-8 (2) the express written authorization of the
7-9 individual required by this chapter;
7-10 (3) documentation that a waiver of individual consent
7-11 or authorization required for use or disclosure of protected health
7-12 information has been granted by an institutional review board or
7-13 privacy board as required under federal law; or
7-14 (4) documentation that a waiver of the individual's
7-15 express written authorization required by this chapter has been
7-16 granted by a privacy board established under this section.
7-17 (b) A privacy board:
7-18 (1) must consist of members with varying backgrounds
7-19 and appropriate professional competency as necessary to review the
7-20 effect of the research protocol for the project or projects on the
7-21 privacy rights and related interests of the individuals whose
7-22 protected health information would be used or disclosed;
7-23 (2) must include at least one member who is not
7-24 affiliated with the covered entity or health care entity or an
7-25 entity conducting or sponsoring the research, and not related to
7-26 any person who is affiliated with an entity described by this
7-27 subsection; and
8-1 (3) may not have any member participating in the
8-2 review of any project in which the member has a conflict of
8-3 interest.
8-4 (c) A privacy board may grant a waiver of the express
8-5 written authorization for the use of protected health information
8-6 if the privacy board obtains the following documentation:
8-7 (1) a statement identifying the privacy board and the
8-8 date on which the waiver of the express written authorization was
8-9 approved by the privacy board;
8-10 (2) a statement that the privacy board has determined
8-11 that the waiver satisfies the following criteria:
8-12 (A) the use or disclosure of protected health
8-13 information involves no more than minimal risk to the affected
8-14 individuals;
8-15 (B) the waiver will not adversely affect the
8-16 privacy rights and welfare of those individuals;
8-17 (C) the research could not practicably be
8-18 conducted without the waiver;
8-19 (D) the research could not practicably be
8-20 conducted without access to and use of the protected health
8-21 information;
8-22 (E) the privacy risks to individuals whose
8-23 protected health information is to be used or disclosed are
8-24 reasonable in relation to the anticipated benefits, if any, to the
8-25 individuals and the importance of the knowledge that may reasonably
8-26 be expected to result from the research;
8-27 (F) there is an adequate plan to protect the
9-1 identifiers from improper use and disclosure;
9-2 (G) there is an adequate plan to destroy the
9-3 identifiers at the earliest opportunity consistent with conduct of
9-4 the research, unless there is a health or research justification
9-5 for retaining the identifiers or the retention is otherwise
9-6 required by law; and
9-7 (H) there are adequate written assurances that
9-8 the protected health information will not be reused or disclosed to
9-9 another person or entity, except:
9-10 (i) as required by law;
9-11 (ii) for authorized oversight of the
9-12 research project; or
9-13 (iii) for other research for which the use
9-14 or disclosure of protected health information would be permitted by
9-15 state or federal law;
9-16 (3) a brief description of the protected health
9-17 information for which use or access has been determined to be
9-18 necessary by the privacy board under Subdivision (2)(D); and
9-19 (4) a statement that the waiver of express written
9-20 authorization has been approved by the privacy board following the
9-21 procedures under Subsection (e).
9-22 (d) A waiver must be signed by the presiding officer of the
9-23 privacy board or the presiding officer's designee.
9-24 (e) The privacy board must review the proposed research at a
9-25 convened meeting at which a majority of the privacy board members
9-26 are present, including at least one member who satisfies the
9-27 requirements of Subsection (b)(2). The waiver of express written
10-1 authorization must be approved by the majority of the privacy board
10-2 members present at the meeting, unless the privacy board elects to
10-3 use an expedited review procedure. The privacy board may use an
10-4 expedited review procedure only if the research involves no more
10-5 than minimal risk to the privacy of the individual who is the
10-6 subject of the protected health information of which use or
10-7 disclosure is being sought. If the privacy board elects to use an
10-8 expedited review procedure, the review and approval of the waiver
10-9 of express written authorization may be made by the presiding
10-10 officer of the privacy board or by one or more members of the
10-11 privacy board as designated by the presiding officer.
10-12 (f) A covered entity or health care entity may disclose
10-13 protected health information to a person performing health research
10-14 if the covered entity or health care entity obtains from the person
10-15 performing the health research representations that:
10-16 (1) use or disclosure is sought solely to review
10-17 protected health information as necessary to prepare a research
10-18 protocol or for similar purposes preparatory to research;
10-19 (2) no protected health information is to be removed
10-20 from the covered entity or health care entity by the person
10-21 performing the health research in the course of the review; and
10-22 (3) the protected health information for which use or
10-23 access is sought is necessary for the research purposes.
10-24 (g) A person who is the subject of protected health
10-25 information collected or created in the course of a clinical
10-26 research trial may access the information at the conclusion of the
10-27 research trial.
11-1 Sec. 181.103. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH
11-2 AUTHORITY. A covered entity may use or disclose protected health
11-3 information without the express written authorization of the
11-4 individual for public health activities or to comply with the
11-5 requirements of any federal or state health benefit program or any
11-6 federal or state law. A covered entity may disclose protected
11-7 health information:
11-8 (1) to a public health authority that is authorized by
11-9 law to collect or receive such information for the purpose of
11-10 preventing or controlling disease, injury, or disability, including
11-11 the reporting of disease, injury, vital events such as birth or
11-12 death, and the conduct of public health surveillance, public health
11-13 investigations, and public interventions;
11-14 (2) to a public health authority or other appropriate
11-15 government authority authorized by law to receive reports of child
11-16 or adult abuse, neglect, or exploitation; and
11-17 (3) to any state agency in conjunction with a federal
11-18 or state health benefit program.
11-19 (Sections 181.104-181.150 reserved for expansion)
11-20 SUBCHAPTER D. PROHIBITED ACTS
11-21 Sec. 181.151. REIDENTIFIED INFORMATION. A person may not
11-22 reidentify or attempt to reidentify an individual who is the
11-23 subject of any protected health information without obtaining the
11-24 individual's consent or authorization if required under this
11-25 chapter or other state or federal law.
11-26 Sec. 181.152. MARKETING USES OF INFORMATION. (a) A covered
11-27 entity may not disclose, use, or sell or coerce an individual to
12-1 consent to the disclosure, use, or sale of protected health
12-2 information, including prescription patterns, for marketing
12-3 purposes without the consent or authorization of the individual who
12-4 is the subject of the protected health information.
12-5 (b) A written marketing communication must be sent in an
12-6 envelope showing only the addresses of sender and recipient and
12-7 must:
12-8 (1) state the name and toll-free number of the health
12-9 care entity sending the marketing communication; and
12-10 (2) explain the recipient's right to have the
12-11 recipient's name removed from the sender's mailing list.
12-12 (c) A person who receives a request under Subsection (b)(2)
12-13 to remove a person's name from a mailing list shall remove the
12-14 person's name not later than the fifth day after the date the
12-15 person receives the request.
12-16 (Sections 181.153-181.200 reserved for expansion)
12-17 SUBCHAPTER E. ENFORCEMENT
12-18 Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The
12-19 attorney general may institute an action for injunctive relief to
12-20 restrain a violation of this chapter.
12-21 (b) In addition to the injunctive relief provided by
12-22 Subsection (a), the attorney general may institute an action for
12-23 civil penalties against a covered entity or health care entity for
12-24 a violation of this chapter. A civil penalty assessed under this
12-25 section may not exceed $3,000 for each violation.
12-26 (c) If the court in which an action under Subsection (b) is
12-27 pending finds that the violations have occurred with a frequency as
13-1 to constitute a pattern or practice, the court may assess a civil
13-2 penalty not to exceed $250,000.
13-3 Sec. 181.202. DISCIPLINARY ACTION. In addition to the
13-4 penalties prescribed by this chapter, a violation of this chapter
13-5 by an individual or facility that is licensed by an agency of this
13-6 state is subject to investigation and disciplinary proceedings,
13-7 including probation or suspension by the licensing agency. If
13-8 there is evidence that the violations of this chapter constitute a
13-9 pattern or practice, the agency may revoke the individual's or
13-10 facility's license.
13-11 Sec. 181.203. EXCLUSION FROM STATE PROGRAMS. In addition to
13-12 the penalties prescribed by this chapter, a covered entity shall be
13-13 excluded from participating in any state-funded health care program
13-14 if there is evidence that the covered entity engaged in a pattern
13-15 or practice of violating this chapter.
13-16 Sec. 181.204. AVAILABILITY OF OTHER REMEDIES. This chapter
13-17 does not affect any right of a person under other law to bring a
13-18 cause of action or otherwise seek relief with respect to conduct
13-19 that is a violation of this chapter.
13-20 SECTION 2. Title 1, Insurance Code, is amended by adding
13-21 Chapter 28B to read as follows:
13-22 CHAPTER 28B. PRIVACY OF HEALTH INFORMATION
13-23 SUBCHAPTER A. GENERAL PROVISIONS
13-24 Art. 28B.01. DEFINITIONS. In this chapter:
13-25 (1) "Health information" means any information or data
13-26 regarding an individual, other than age or gender, whether oral or
13-27 recorded in any form or medium, that is created by or derived from
14-1 a health care provider or the individual and that relates to:
14-2 (A) the past, present, or future physical,
14-3 mental, or behavioral health or condition of an individual;
14-4 (B) the provision of health care to an
14-5 individual; or
14-6 (C) payment for the provision of health care to
14-7 an individual.
14-8 (2) "Licensee" means a person who holds or is required
14-9 to hold a license, registration, certificate of authority, or other
14-10 authority under this code or another insurance law of this state.
14-11 The term includes an insurance company, group hospital service
14-12 corporation, mutual insurance company, local mutual aid
14-13 association, statewide mutual assessment company, stipulated
14-14 premium insurance company, health maintenance organization,
14-15 reciprocal or interinsurance exchange, Lloyd's plan, fraternal
14-16 benefit society, county mutual insurer, farm mutual insurer, or
14-17 insurance agent.
14-18 (3) "Nonpublic personal health information" means
14-19 health information:
14-20 (A) that identifies an individual who is the
14-21 subject of the information; or
14-22 (B) with respect to which there is a reasonable
14-23 basis to believe that the information could be used to identify an
14-24 individual.
14-25 Art. 28B.02. PERSONALLY IDENTIFIABLE HEALTH INFORMATION:
14-26 PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION. (a) A licensee must
14-27 obtain an authorization to disclose any nonpublic personal health
15-1 information before making such a disclosure.
15-2 (b) The request for authorization required by this article
15-3 may be in written or electronic form and must:
15-4 (1) state the identity of the consumer or customer who
15-5 is the subject of the nonpublic personal health information;
15-6 (2) describe:
15-7 (A) the types of nonpublic personal health
15-8 information to be disclosed;
15-9 (B) the parties to whom the licensee discloses
15-10 nonpublic personal health information;
15-11 (C) the purpose of the disclosure;
15-12 (D) how the information will be used; and
15-13 (E) the procedure for revoking the
15-14 authorization;
15-15 (3) include the signature and date signed of:
15-16 (A) the consumer or customer who is the subject
15-17 of the nonpublic personal health information; or
15-18 (B) the individual who is legally empowered to
15-19 grant authority;
15-20 (4) provide notice:
15-21 (A) of the length of time for which the
15-22 authorization is valid; and
15-23 (B) that the consumer or customer may revoke the
15-24 authorization at any time; and
15-25 (5) specify the amount of time that the authorization
15-26 remains valid, which may not exceed 24 months.
15-27 (c) The right of a consumer or customer to revoke an
16-1 authorization at any time is subject to the rights of an individual
16-2 who acted in reliance on the authorization before receiving notice
16-3 of a revocation.
16-4 (d) The licensee shall retain the original or a copy of the
16-5 authorization in the record of the individual who is the subject of
16-6 the nonpublic personal health information.
16-7 Art. 28B.03. DELIVERY OF AUTHORIZATION. (a) A request for
16-8 authorization and an authorization form may be delivered to a
16-9 consumer or a customer if the request and the authorization form
16-10 are clear and conspicuous.
16-11 (b) A licensee must include delivery of the authorization in
16-12 a notice to the consumer or customer only if the licensee intends
16-13 to disclose protected health information under this chapter.
16-14 Art. 28B.04. EXCEPTIONS. A licensee may disclose nonpublic
16-15 personal health information to the extent that the disclosure is
16-16 necessary to perform the following insurance functions on behalf of
16-17 that licensee:
16-18 (1) the investigation or reporting of actual or
16-19 potential fraud, misrepresentation, or criminal activity;
16-20 (2) underwriting;
16-21 (3) the placement or issuance of an insurance policy;
16-22 (4) loss control services;
16-23 (5) ratemaking and guaranty fund functions;
16-24 (6) reinsurance and excess loss insurance;
16-25 (7) risk management;
16-26 (8) case management;
16-27 (9) disease management;
17-1 (10) quality assurance;
17-2 (11) quality improvement;
17-3 (12) performance evaluation;
17-4 (13) health care provider credentialing verification;
17-5 (14) utilization review;
17-6 (15) peer review activities;
17-7 (16) actuarial, scientific, medical, or public policy
17-8 research;
17-9 (17) grievance procedures;
17-10 (18) the internal administration of compliance,
17-11 managerial, and information systems;
17-12 (19) policyholder services;
17-13 (20) auditing;
17-14 (21) reporting;
17-15 (22) database security;
17-16 (23) the administration of consumer disputes and
17-17 inquiries;
17-18 (24) external accreditation standards;
17-19 (25) the replacement of a group benefit plan or
17-20 workers' compensation policy or program;
17-21 (26) activities in connection with a sale, merger,
17-22 transfer, or exchange of all or part of a business or operating
17-23 unit;
17-24 (27) any activity that permits disclosure without
17-25 authorization under the federal Health Insurance Portability and
17-26 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), as
17-27 amended;
18-1 (28) disclosure that is required, or is a lawful or
18-2 appropriate method to enforce the licensee's rights or the rights
18-3 of other persons engaged, in carrying out a transaction or
18-4 providing a product or service that the consumer requests or
18-5 authorizes;
18-6 (29) claims administration, adjustment, and
18-7 management;
18-8 (30) any activity otherwise permitted by law, required
18-9 pursuant to a governmental reporting authority, or required to
18-10 comply with legal process; and
18-11 (31) any other insurance functions that the
18-12 commissioner approves that are:
18-13 (A) necessary for appropriate performance of
18-14 insurance functions; and
18-15 (B) fair and reasonable to the interests of
18-16 consumers.
18-17 Art. 28B.05. EXCEPTION FOR COMPLIANCE WITH FEDERAL RULES.
18-18 This subchapter does not apply to a licensee who is required to
18-19 comply with the standards governing the privacy of individually
18-20 identifiable health information adopted by the United States
18-21 Secretary of Health and Human Services under Section 262(a), Health
18-22 Insurance Portability and Accountability Act of 1996 (42 U.S.C.
18-23 Sections 1320d-1320d-8).
18-24 Art. 28B.06. PROTECTION OF FAIR CREDIT REPORTING ACTS.
18-25 (a) This chapter may not be construed to modify, limit, or
18-26 supersede the operation of the Fair Credit Reporting Act (15 U.S.C.
18-27 Section 1681 et seq.) and an inference may not be drawn based on
19-1 this chapter regarding whether information is transaction or
19-2 experience information under Section 603 of that Act (15 U.S.C.
19-3 Section 1681a).
19-4 (b) This chapter does not preempt or supersede a state law
19-5 related to medical record, health, or insurance information privacy
19-6 that is in effect on July 1, 2002.
19-7 Art. 28B.07. VIOLATION; PENALTIES. (a) A licensee may not
19-8 knowingly or wilfully violate this chapter.
19-9 (b) The department may investigate any alleged violation of
19-10 this chapter and may impose fines and other sanctions as determined
19-11 to be appropriate in accordance with Chapters 82 and 84 of this
19-12 code and the other insurance laws of this state.
19-13 Art. 28B.08. RULES. The commissioner may adopt rules as
19-14 necessary to implement this chapter.
19-15 SECTION 3. (a) Chapter 181, Health and Safety Code, as
19-16 added by this Act, takes effect September 1, 2001. A covered
19-17 entity shall comply with the requirements of Chapter 181, Health
19-18 and Safety Code, as added by this Act, not later than September 1,
19-19 2003.
19-20 (b) Chapter 28B, Insurance Code, as added by this Act, takes
19-21 effect January 1, 2002.
19-22 (c) The commissioner of insurance may delay the date for
19-23 compliance with Chapter 28B, Insurance Code, as added by this Act,
19-24 if the commissioner determines that an entity needs more time to
19-25 establish policies and systems to comply with the requirements of
19-26 that chapter.
19-27 (d) An authorization or consent granting access to an
20-1 individual's health care records executed before the effective date
20-2 of this Act is governed by the law in effect when the authorization
20-3 or consent was executed, and the former law continues in effect for
20-4 that purpose.