By Nelson S.B. No. 11
77R523 MCK-F
A BILL TO BE ENTITLED
1-1 AN ACT
1-2 relating to protecting the privacy of medical records; providing
1-3 penalties.
1-4 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-5 SECTION 1. Title 2, Health and Safety Code, is amended by
1-6 adding Subtitle I to read as follows:
1-7 SUBTITLE I. MEDICAL RECORDS
1-8 CHAPTER 181. MEDICAL RECORDS PRIVACY
1-9 SUBCHAPTER A. GENERAL PROVISIONS
1-10 Sec. 181.001. DEFINITIONS. In this chapter:
1-11 (1) "Administrative billing information" means
1-12 protected health information that is necessary for the payment or
1-13 administration of health care claims. The term:
1-14 (A) includes only:
1-15 (i) date of service;
1-16 (ii) billed charges;
1-17 (iii) patient or practitioner identifiers;
1-18 (iv) diagnostic and treatment information
1-19 contained in standard billing codes;
1-20 (v) information required by nationally
1-21 recognized third-party health care claim forms; and
1-22 (vi) protected health information that is
1-23 part of a health care delivery review; and
1-24 (B) does not include a clinical health record
2-1 included or requested as an attachment to administrative billing
2-2 information.
2-3 (2) "Audit trail" means a complete and accurate record
2-4 of the date, user or recipient, and function performed with respect
2-5 to the use or disclosure of protected health information.
2-6 (3) "Clinical health record" means a record of any
2-7 protected health information, other than administrative billing
2-8 information, that is used or maintained by or for a health care
2-9 practitioner or facility or an employee, agent, or contractor of a
2-10 health care practitioner or facility for the purpose of delivering
2-11 health care to an individual.
2-12 (4) "Computerized records system" means any
2-13 electronic, digital, optical, magnetic, or other system that
2-14 stores, retrieves, or manipulates data. The term does not include
2-15 a static storage system, including microfiche or microfilm.
2-16 (5) "Covered entity" means any person who:
2-17 (A) for commercial, financial, or professional
2-18 gain, monetary fees, or dues, or on a cooperative, nonprofit or pro
2-19 bono basis, engages, in whole or in part, and with real or
2-20 constructive knowledge, in the practice of assembling, collecting,
2-21 analyzing, using, evaluating, storing, or transmitting protected or
2-22 deidentified health information. The term includes a health care
2-23 payer, information or computer management entity, employer, school,
2-24 health researcher, health care facility, clinic, or health care
2-25 practitioner;
2-26 (B) obtains protected health information
2-27 pursuant to this chapter;
3-1 (C) is an employee, agent, or contractor of a
3-2 person described by Paragraph (A) or (B) insofar as the employee,
3-3 agent, or contractor creates, receives, obtains, maintains, uses,
3-4 or transmits protected health information; or
3-5 (D) is a governmental entity.
3-6 (6) "Deidentified health information" means protected
3-7 health information with respect to which the holder has made a good
3-8 faith effort to evaluate the risks of reidentification of the
3-9 information in the context in which it will be used or disclosed
3-10 and removed all personal identifiers or other information that may
3-11 be used by itself or in combination with other information to
3-12 identify the subject from the information. The term includes
3-13 aggregate statistics, redacted health information, information for
3-14 which random or fictitious alternatives have been substituted for
3-15 personally identifiable information, and information for which
3-16 personally identifiable information has been encrypted and for
3-17 which the encryption key is maintained by a person otherwise
3-18 authorized to have access to the information in an identifiable
3-19 format.
3-20 (7) "Disclose" means to release, publish, share,
3-21 transfer, transmit, distribute, show, or otherwise divulge
3-22 protected health information to a person other than the individual
3-23 who is the subject of the information.
3-24 (8) "Disease management" means a multidisciplinary,
3-25 continuum-based approach to health care delivery that:
3-26 (A) proactively identifies populations with, or
3-27 at risk for, established medical conditions;
4-1 (B) supports the physician-patient relationship
4-2 and plan of care;
4-3 (C) emphasizes prevention of exacerbations and
4-4 complications by using cost-effective, evidence-based practice
4-5 guidelines and patient empowerment strategies, including
4-6 self-management; and
4-7 (D) continuously evaluates clinical, humanistic,
4-8 and economic outcomes with the goal of improving overall health.
4-9 (9) "Health care delivery review" means any review,
4-10 audit, assessment, or analysis of health care, including
4-11 utilization, quality assurance, or management review, that:
4-12 (A) is conducted in regard to an individual who
4-13 is the subject of protected health information;
4-14 (B) is performed by a health care payer or an
4-15 agent or contractor of a health care payer; and
4-16 (C) requires any protected health information
4-17 that is not deidentified other than administrative billing
4-18 information.
4-19 (10) "Health care facility" means any facility
4-20 licensed to provide health care or legally and regularly engaged in
4-21 providing health care, an employee, agent, or contractor of the
4-22 facility, or a health care practitioner with whom the facility has
4-23 an agreement or affiliation for the purpose of providing,
4-24 delivering, or arranging health care. The term includes a
4-25 hospital, long-term care facility, or pharmacy. The term does not
4-26 include an employer, health care payer, or health maintenance
4-27 organization.
5-1 (11) "Health care operations" means an activity
5-2 undertaken by or on behalf of a health care facility, a health care
5-3 payer, or a health care practitioner to carry out the management
5-4 functions necessary for the support of treatment or payment,
5-5 including:
5-6 (A) conducting quality assessment and
5-7 improvement activities, including outcomes evaluation and
5-8 development of clinical guidelines;
5-9 (B) reviewing the competence or qualifications
5-10 of health care professionals, evaluating practitioner and provider
5-11 performance or health plan performance, conducting training
5-12 programs in which undergraduate and graduate students and trainees
5-13 in areas of health care learn under supervision to practice as
5-14 health care providers, and reviewing accreditation, certification,
5-15 licensing, or credentialing activities;
5-16 (C) conducting insurance rating and other
5-17 insurance activities relating to renewal of a contract for
5-18 insurance, including underwriting, experience rating, and
5-19 reinsurance, but only if the individuals are already enrolled in
5-20 the health plan conducting activities and if the use of disclosure
5-21 of protected health information relates to an existing contract of
5-22 insurance or the renewal of a contract; and
5-23 (D) conducting or arranging for medical review
5-24 and auditing services, including fraud and abuse detection and
5-25 compliance programs.
5-26 (12) "Health care payer" means any person who provides
5-27 payment or reimbursement for health care, including a health
6-1 insurance or other insurance company, hospital or medical service
6-2 plan, health or dental service plan, health maintenance
6-3 organization, employee welfare benefit plan, or other group health
6-4 plan, regardless of whether the payment or reimbursement is funded
6-5 through the purchase of insurance.
6-6 (13) "Health care practitioner" means a person,
6-7 including a physician, nurse, chiropractor, midwife, podiatrist,
6-8 physician assistant, pharmacist, or optometrist, who:
6-9 (A) is licensed, certified, registered, or
6-10 otherwise authorized by law to provide an item or service that, in
6-11 the ordinary course of business, constitutes health care;
6-12 (B) is an employee, agent, or contractor of a
6-13 person described by Paragraph (A) who is supervised by the person
6-14 described by Paragraph (A) in providing health care; or
6-15 (C) is a health care facility with whom the
6-16 person has an agreement or affiliation for the purpose of
6-17 providing, delivering, or arranging health care.
6-18 (14) "Health research" means any systematic
6-19 investigation, testing, evaluation, or other inquiry that uses
6-20 protected health information to develop or contribute to general
6-21 knowledge, including the study of:
6-22 (A) the causes of disease or medical conditions;
6-23 and
6-24 (B) the relationship among certain
6-25 characteristics, health care, and disease or health status.
6-26 (15) "Health researcher" means a person who has been
6-27 authorized by an institutional review board described by Section
7-1 181.058(a) to conduct health research using protected or
7-2 deidentified health information.
7-3 (16) "Payment" includes:
7-4 (A) determination of coverage, including
7-5 appropriateness of care and justification of charges;
7-6 (B) payment, adjudication, and subrogation of
7-7 health care claims;
7-8 (C) risk adjustment of amounts due based on
7-9 enrollee health status and demographic characteristics;
7-10 (D) billing, claims management, and medical data
7-11 processing; and
7-12 (E) utilization review activities, including
7-13 preauthorization and precertification of services.
7-14 (17) "Protected health information" means any
7-15 information, including sensitive health information, administrative
7-16 billing information, and clinical health records, including
7-17 prescriptions, but not including deidentified health information
7-18 that is in the public domain, that:
7-19 (A) relates to:
7-20 (i) the past, present, or future physical
7-21 or mental health or condition of an individual;
7-22 (ii) the providing of health care to an
7-23 individual; or
7-24 (iii) the past, present, or future payment
7-25 for providing health care to an individual; and
7-26 (B) identifies or could be used or manipulated
7-27 by itself or in combination with other information to identify an
8-1 individual by a reasonably foreseeable method.
8-2 (18) "Reidentification" means any attempt to
8-3 ascertain:
8-4 (A) the identity of the individual who is the
8-5 subject of protected health information; or
8-6 (B) any specific data element with the intention
8-7 of ascertaining the identity of the subject or with knowledge that
8-8 the data element would allow for the identification of the
8-9 individual who is the subject of the protected health information.
8-10 (19) "Sensitive health information" means protected
8-11 health information that pertains specifically to:
8-12 (A) a history, diagnosis, or treatment of:
8-13 (i) substance abuse;
8-14 (ii) human immunodeficiency virus or
8-15 acquired immune deficiency syndrome;
8-16 (iii) sexually transmitted disease; or
8-17 (iv) sexual, physical, or mental abuse,
8-18 including information related to sexual assault;
8-19 (B) mental health;
8-20 (C) sexual or reproductive health; or
8-21 (D) the results of a genetic test, including the
8-22 fact that an individual has undergone a genetic test.
8-23 (20) "Treatment" means a health care treatment,
8-24 service, or procedure provided by a health care practitioner
8-25 designed to maintain or treat a patient's physical or mental
8-26 condition, as well as preventive care. The term includes the
8-27 coordination of the provision of health care among health care
9-1 practitioners and health care payers and patient referrals.
9-2 Sec. 181.002. APPLICABILITY. This chapter does not affect
9-3 the confidentiality that another statute creates for any
9-4 information.
9-5 Sec. 181.003. DELAYED EFFECT. (a) A person is not required
9-6 to comply with this chapter before September 1, 2003.
9-7 (b) This section expires September 1, 2003.
9-8 (Sections 181.004-181.050 reserved for expansion
9-9 SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION
9-10 Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE. (a)
9-11 Except as provided by Subsection (b), a covered entity shall permit
9-12 an individual who is the subject of a clinical health record or the
9-13 person's designee to inspect and copy any clinical health record,
9-14 except for any clinical health record collected or created in the
9-15 course of a clinical research trial, that the entity maintains or
9-16 controls and that relates to the individual. The covered entity
9-17 may charge a reasonable fee for any copies. The fee may not exceed
9-18 the covered entity's cost to copy the record.
9-19 (b) A psychologist licensed under Chapter 501, Occupations
9-20 Code, or a psychiatrist who is providing psychological or
9-21 psychiatric services to an individual is not required to permit the
9-22 individual to inspect or copy a personal diary containing protected
9-23 health information relating to the individual if the information
9-24 contained in the diary has not been disclosed to a person other
9-25 than another psychologist or psychiatrist for the specific purpose
9-26 of clinical supervision conducted in the regular course of
9-27 treatment.
10-1 (c) Not later than the 30th day after the date a covered
10-2 entity receives a request and payment under Subsection (a), the
10-3 covered entity shall provide the requested information.
10-4 Sec. 181.052. DISCLOSURE OR USE OF PROTECTED HEALTH
10-5 INFORMATION. (a) A covered entity may not disclose or use
10-6 protected health information except as authorized under this
10-7 chapter.
10-8 (b) Except as otherwise provided by law, a covered entity
10-9 may not use or disclose protected health information without
10-10 obtaining the informed consent of the individual who is the subject
10-11 of the information.
10-12 (c) A covered entity may not use or request or require the
10-13 disclosure of more protected health information than is reasonably
10-14 related to the specific purpose that is stated in the informed
10-15 consent or that is otherwise authorized by law.
10-16 (d) Except as otherwise provided by law, a covered entity
10-17 may use or disclose protected health information only for the
10-18 purpose stated in the informed consent.
10-19 (e) A covered entity may disclose or use protected health
10-20 information without obtaining the informed consent of the
10-21 individual who is the subject of the information if the disclosure
10-22 or use is necessary to perform health care operations.
10-23 (f) A covered entity may disclose protected health
10-24 information without obtaining the informed consent of the
10-25 individual who is the subject of the information if the disclosure
10-26 is made in response to a subpoena in a judicial or administrative
10-27 proceeding.
11-1 (g) A person who receives information made confidential by
11-2 this chapter may disclose the information only to the extent
11-3 consistent with the authorized uses stated in the informed consent.
11-4 Sec. 181.053. USE OF CLINICAL HEALTH RECORDS. (a) Except
11-5 as provided by Section 181.054, this chapter does not limit the
11-6 ability of a health care practitioner, a health care facility, a
11-7 health care payer, or a contractor of a health care payer to use
11-8 protected health information to:
11-9 (1) provide health care to the individual who is the
11-10 subject of the information; or
11-11 (2) perform a health care delivery review.
11-12 (b) With respect to a clinical health record used for any
11-13 purpose other than to deliver health care to the individual who is
11-14 the subject of the record, the covered entity using the record
11-15 shall:
11-16 (1) limit access to a clinical health record that is
11-17 not deidentified to only those employees, agents, or contractors
11-18 who perform an essential function that is directly related to the
11-19 purpose for which the record was created or collected;
11-20 (2) prohibit an employee, agent, or contractor from
11-21 reidentifying an individual who is the subject of any deidentified
11-22 health information used, received, or created by the employee,
11-23 agent, or contractor unless otherwise authorized by law;
11-24 (3) require that an employee, agent, or contractor use
11-25 or receive only the minimum amount of information from a clinical
11-26 health record that is essential and directly related to the
11-27 specific function performed by the employee, agent, or contractor;
12-1 (4) prohibit an employee, agent, or contractor from
12-2 using or having access to a clinical health record for longer than
12-3 is necessary to perform the specific function of the employee,
12-4 agent, or contractor;
12-5 (5) prohibit an employee, agent, or contractor from
12-6 disclosing a clinical health record or deidentified health
12-7 information to any other person except as otherwise authorized
12-8 under this chapter;
12-9 (6) link, match, or index clinical health records
12-10 collected, held, or maintained by other covered entities only if
12-11 the entity has specific informed consent; and
12-12 (7) disclose a clinical health record collected from
12-13 or created by any other covered entity only to the individual who
12-14 is the subject of the information or as otherwise authorized by
12-15 law.
12-16 Sec. 181.054. USE OF ADMINISTRATIVE BILLING INFORMATION. (a)
12-17 With respect to administrative billing information used by a
12-18 covered entity, the entity shall:
12-19 (1) limit the use of administrative billing
12-20 information that is not deidentified to those employees, agents, or
12-21 contractors who perform an essential function;
12-22 (2) prohibit an employee, agent, or contractor from
12-23 reidentifying an individual who is the subject of any deidentified
12-24 health information used, received, or created by the employee,
12-25 agent, or contractor unless otherwise authorized by law;
12-26 (3) require that an employee, agent, or contractor use
12-27 only the minimum amount of administrative billing information that
13-1 is necessary to accomplish the specific function performed by the
13-2 employee, agent, or contractor;
13-3 (4) prohibit an employee, agent, or contractor from
13-4 disclosing administrative billing information or deidentified
13-5 health information to any other person except as otherwise
13-6 authorized under this chapter; and
13-7 (5) link, match, or index administrative billing
13-8 information collected, held, or maintained by other covered
13-9 entities only if the entity has specific informed consent.
13-10 (b) Except as otherwise provided by this chapter, a health
13-11 care provider, a health care facility, a health care payer, or an
13-12 employee, agent, or contractor of a provider, facility, or payer
13-13 may use administrative billing information without the informed
13-14 consent of the individual who is the subject of the information
13-15 only if the health care provider, facility, or payer:
13-16 (1) deidentifies all the information used by the
13-17 entity; or
13-18 (2) uses only the minimum amount of administrative
13-19 billing information that is essential and reasonably related to the
13-20 specific function to be performed by the recipient and does not
13-21 store, preserve, copy, or otherwise maintain the information for
13-22 longer than is necessary to perform the specific function of the
13-23 recipient or as otherwise authorized by law.
13-24 (c) The board by rule shall determine which employees,
13-25 agents, or contractors perform an essential function under
13-26 Subsection (a)(1).
13-27 Sec. 181.055. SENSITIVE HEALTH INFORMATION. (a) A covered
14-1 entity shall obtain separate informed consent documentation for the
14-2 disclosure of sensitive health information.
14-3 (b) A covered entity shall comply with a request from an
14-4 individual who is the subject of sensitive health information to
14-5 restrict access within the entity to the information. If a health
14-6 care practitioner or health care facility believes that restricting
14-7 access to the information may endanger the life or health of the
14-8 subject, the practitioner or facility may require the subject to
14-9 sign an acknowledgment that the restriction is against medical
14-10 advice. A covered entity may use any reasonable means to restrict
14-11 access to the information. This subsection does not apply to
14-12 administrative billing information.
14-13 (c) An individual may not restrict a health care provider's
14-14 access to sensitive health information under this section if the
14-15 health care provider is directly involved in the delivery of health
14-16 care to the individual.
14-17 (d) A covered entity may not withhold sensitive health
14-18 information requested under an informed consent document.
14-19 Sec. 181.056. DIRECTORY INFORMATION. (a) Except as provided
14-20 by Subsection (b), a health care practitioner or health care
14-21 facility that provides inpatient services may disclose directory
14-22 information regarding an individual to any person if:
14-23 (1) the inpatient:
14-24 (A) has been notified of the inpatient's right
14-25 to object at the time of admission to the facility and has not
14-26 objected to the disclosure; or
14-27 (B) is in a physical or mental condition that
15-1 makes it impossible to notify the inpatient of the right to object
15-2 and there are no prior indications that the inpatient would object;
15-3 and
15-4 (2) the information consists of:
15-5 (A) the name of the inpatient;
15-6 (B) the nature of the inpatient's injury;
15-7 (C) the municipality, if any, and the county
15-8 where the inpatient resides;
15-9 (D) the inpatient's sex;
15-10 (E) the inpatient's age;
15-11 (F) the general health status of the inpatient,
15-12 described as critical, poor, fair, stable, or satisfactory or in
15-13 terms denoting similar conditions; or
15-14 (G) the location of the inpatient on premises
15-15 controlled by the practitioner or facility.
15-16 (b) A health care practitioner or health care facility may
15-17 not release inpatient directory information without informed
15-18 consent if:
15-19 (1) disclosure of the location of the individual would
15-20 reveal information supporting all inferences about the specific
15-21 diagnosis of the individual; or
15-22 (2) the practitioner or facility has reason to believe
15-23 that the disclosure of the information could lead to physical,
15-24 mental, or emotional harm to or the death of the individual.
15-25 Sec. 181.057. NEXT OF KIN. (a) A health care practitioner
15-26 or health care facility may disclose, without the patient's
15-27 consent, protected health information regarding the health care
16-1 provided to the patient if:
16-2 (1) the patient:
16-3 (A) has been notified of the patient's right to
16-4 object at the time of admission to the facility and has not
16-5 objected to the disclosure; or
16-6 (B) is in a physical or mental condition that
16-7 makes it impossible to notify the patient of the right to object;
16-8 and
16-9 (2) the information is disclosed to the patient's next
16-10 of kin, a representative of the patient, or an individual with whom
16-11 the patient resides.
16-12 (b) A health care practitioner or health care facility is
16-13 not liable for a disclosure made in good faith under Subsection
16-14 (a).
16-15 Sec. 181.058. INFORMATION FOR RESEARCH. (a) A covered
16-16 entity may disclose protected health information to a health
16-17 researcher for the purpose of conducting health research only if:
16-18 (1) an institutional review board, ethics review
16-19 board, or privacy review board acting in compliance with part 46 of
16-20 Title 45 or part 56 of Title 21 of the Code of Federal Regulations
16-21 as they appear in the October 1996 edition approves the research in
16-22 accordance with this section; and
16-23 (2) the researcher has obtained either:
16-24 (A) the informed consent of the individual; or
16-25 (B) a waiver of informed consent granted by the
16-26 institutional review board, ethics review board, or privacy review
16-27 board under this section.
17-1 (b) An institutional review board, ethics review board, or
17-2 privacy review board may grant a waiver or alteration of the
17-3 informed consent for the use of protected health information if the
17-4 board:
17-5 (1) meets the requirements of Section 46.110(d) of
17-6 Title 45 as it appears in the October 1996 edition of the Code of
17-7 Federal Regulations;
17-8 (2) determines and documents that:
17-9 (A) there is no practicable alternative to the
17-10 use of the protected health information and that the information
17-11 will be deidentified at the earliest practicable opportunity;
17-12 (B) the health researcher has fully disclosed
17-13 which of the protected health information to be collected or
17-14 created will be linked to other protected health information;
17-15 (C) appropriate safeguards will be used to
17-16 protect the information against reidentification or subsequent
17-17 unauthorized linkage if, in the course of the proposed research,
17-18 the health researcher intends to link protected health information
17-19 to other protected health information or if there is a risk that
17-20 the information may be linked;
17-21 (D) at the conclusion of the proposed health
17-22 research or at some specific date, the health researcher will
17-23 destroy all of the data containing protected health information as
17-24 well as all copies of the data; and
17-25 (E) the health researcher has presented adequate
17-26 assurances that none of the data containing protected health
17-27 information will be given, loaned, sold, disseminated, or otherwise
18-1 disclosed to other parties; and
18-2 (3) has the opportunity to review any publication of
18-3 information based on the protected health information collected or
18-4 created under this section to ensure that no disclosures are made
18-5 that might identify an individual.
18-6 (c) In determining whether to grant a waiver under
18-7 Subsection (b), an institutional review board, ethics review board,
18-8 or privacy review board may consider whether the health researcher
18-9 is qualified for and is likely to obtain a certificate of
18-10 confidentiality from the U.S. Department of Health and Human
18-11 Services pursuant to Section 301(d) of the Public Health Service
18-12 Act (42 U.S.C. Section 241(d)).
18-13 (d) The institutional review board, ethics review board, or
18-14 privacy review board may extend the date of destruction required by
18-15 Subsection (b)(2)(D) if the researcher demonstrates a continuing or
18-16 new need for protected health information for which the researcher
18-17 would be qualified for a waiver of informed consent in accordance
18-18 with this section.
18-19 (e) A health researcher performing research on deidentified
18-20 health information is not required to obtain a waiver or alteration
18-21 of the informed consent.
18-22 (f) For purposes of this section, if a health researcher
18-23 receives protected health information that is not deidentified, the
18-24 health information is considered deidentified health information if
18-25 explicit or commonly used identifiers are encrypted by the
18-26 researcher at the earliest opportunity and the encryption code or
18-27 key is maintained by a person authorized to have access to the
19-1 information or an institutional review board, ethics review board,
19-2 or privacy review board acting in accordance with this section.
19-3 (g) Documentation of findings by an institutional review
19-4 board, ethics review board, or privacy review board under this
19-5 section shall be made available on request by:
19-6 (1) the department;
19-7 (2) the office of the attorney general; and
19-8 (3) any individual whose protected health information
19-9 is disclosed or used pursuant to this section.
19-10 (h) A health researcher may not use or disclose protected
19-11 health information for any purposes other than those specifically
19-12 approved by the institutional review board, ethics review board, or
19-13 privacy review board and directly related to the research being
19-14 performed.
19-15 (i) Protected and deidentified health information collected
19-16 or used pursuant to this section is immune from any compulsory
19-17 legal process that does not directly concern the research being
19-18 performed.
19-19 Sec. 181.059. APPENDANT TO HEALTH RECORDS. (a) An
19-20 individual may request in writing that a health care practitioner
19-21 or health care facility that is providing health care to the
19-22 individual make an appendant to the individual's clinical health
19-23 record. The health care practitioner or health care facility may
19-24 limit the length of the appendant to two letter-sized pages.
19-25 (b) Not later than the 90th day after the date the health
19-26 care practitioner or health care facility receives a written
19-27 request to make an appendant to the individual's clinical health
20-1 record, the health care practitioner or health care facility shall:
20-2 (1) make the appendant requested and on request
20-3 provide the individual with a list of the entities to whom the
20-4 record was disclosed before the appendant was made; or
20-5 (2) inform the individual of:
20-6 (A) the reasons for refusing to make the
20-7 appendant; and
20-8 (B) any procedures for further review of the
20-9 refusal.
20-10 (c) A health care practitioner or health care facility may
20-11 not unreasonably refuse to make an appendant to a clinical health
20-12 record.
20-13 (d) If a health care practitioner or health care facility
20-14 refuses to make an appendant to a clinical health record, the
20-15 health care practitioner or health care facility shall comply with
20-16 a reasonable request of the individual to include at a relevant
20-17 place in the record a statement from the individual regarding the
20-18 disputed information.
20-19 (e) For purposes of Subsection (a), an appendant is
20-20 considered to have been made if the information that has been
20-21 disputed by the individual has been supplemented by or replaced
20-22 with appended information and the information is clearly marked as
20-23 appended.
20-24 (f) A covered entity that receives clinical health records
20-25 to which an appendant has been made shall:
20-26 (1) make the same appendant that the practitioner or
20-27 facility made not later than the 90th day after the date the
21-1 covered entity receives the records; and
21-2 (2) make reasonable efforts to give notice of the
21-3 appendant to each person to whom the covered entity disclosed the
21-4 records before the appendant was made.
21-5 (g) This section does not apply to a clinical health record
21-6 that has not been used or disclosed during the seven years before
21-7 the date of the request to make the appendant to the record.
21-8 Sec. 181.060. REQUIRED NOTICE. (a) A covered entity shall
21-9 provide written notice to an individual of the entity's practices
21-10 with respect to protected health information. The covered entity
21-11 shall provide the individual with written notice of any change in
21-12 the entity's practices with respect to protected health
21-13 information.
21-14 (b) Notice under this section must include:
21-15 (1) a reasonably complete description of the usual
21-16 functions performed with protected health information that has not
21-17 been deidentified;
21-18 (2) a statement of whether protected health
21-19 information is stored in a computerized records system;
21-20 (3) the name and the method of contacting the
21-21 individual responsible for responding to inquiries regarding the
21-22 entity's information practices; and
21-23 (4) the procedures an individual must follow to
21-24 exercise the rights granted under this chapter.
21-25 (c) On written request by an individual, a covered entity
21-26 shall provide a list of the agents or contractors who ordinarily
21-27 have direct access to or use of protected health information that
22-1 is not deidentified.
22-2 (d) The board shall develop and disseminate a model notice
22-3 of information practices of the type described by this section. In
22-4 adopting the model notice, the board shall follow the same
22-5 procedure the board follows under the administrative procedure law,
22-6 Chapter 2001, Government Code, for adopting a rule. Any notice
22-7 that conforms to the model notice developed under this subsection
22-8 is considered to meet the notice requirements of this section.
22-9 Sec. 181.061. MARKETING AND EDUCATIONAL INFORMATION. (a) A
22-10 covered entity may not send an individual who is the subject of
22-11 protected health information marketing material for a product
22-12 related to the treatment of the individual's medical condition.
22-13 (b) A covered entity may send an individual who is the
22-14 subject of protected health information educational information
22-15 related to the individual's medical condition.
22-16 (Sections 181.062-181.100 reserved for expansion
22-17 SUBCHAPTER C. HEALTH CARE PAYERS
22-18 Sec. 181.101. NOTICE TO INDIVIDUAL. A health care payer
22-19 shall, on enrollment, notify an individual who is the subject of
22-20 protected health information:
22-21 (1) of the regular uses of the information, including
22-22 administrative billing information; and
22-23 (2) that protected health information will be accessed
22-24 in the event of an investigation, complaint, appeal, or other
22-25 grievance made by or relating to the subject.
22-26 Sec. 181.102. CONTACT WITH PATIENT. (a) A health care
22-27 payer may not initiate contact with the subject of sensitive health
23-1 information regarding any disease management or other clinical
23-2 intervention program relating to the sensitive health condition
23-3 until the sixth business day after the date the health care payer
23-4 notifies the health care practitioner or facility that is treating
23-5 the subject of the information of the health care payer's intent to
23-6 initiate contact.
23-7 (b) A health care payer may send mail addressed to an
23-8 individual regarding any health topic, including generic material
23-9 regarding sensitive health information, if the material does not
23-10 name or otherwise identify the individual in the material sent.
23-11 Sec. 181.103. DISEASE MANAGEMENT PROGRAM. (a) A health
23-12 care payer or employer may not require as a condition of
23-13 employment, health insurance, or coverage or reimbursement for
23-14 health care that an individual participate in a disease management
23-15 program or other clinical intervention program.
23-16 (b) This section does not prevent a health care payer from
23-17 designating the manner of any specific benefit offered by the
23-18 payer.
23-19 Sec. 181.104. CONSENT REQUIRED. Unless otherwise authorized
23-20 by law, informed consent provided by an enrollee or member in any
23-21 health plan is not valid as to anyone other than that enrollee or
23-22 member.
23-23 Sec. 181.105. HEALTH CARE DELIVERY REVIEW. For the purpose
23-24 of performing health care delivery review, a health care payer may
23-25 request protected health information only if the information is
23-26 essential for the review. Protected health information collected
23-27 for the performance of health care delivery review may not be used
24-1 for any other purpose unless otherwise authorized by law. The
24-2 board by rule shall determine what information is essential to
24-3 perform a health care review.
24-4 (Sections 181.106-181.150 reserved for expansion
24-5 SUBCHAPTER D. INFORMED CONSENT
24-6 Sec. 181.151. FORM. (a) Informed consent required by this
24-7 chapter must be in writing and signed by:
24-8 (1) the individual who is the subject of the health
24-9 information;
24-10 (2) the individual's legal guardian; or
24-11 (3) the individual's agent under a medical power of
24-12 attorney.
24-13 (b) For purposes of this section, documentation of informed
24-14 consent may be satisfied by the use of electronic signatures,
24-15 computerized informed consent documentation, or other technological
24-16 means of recording informed consent.
24-17 Sec. 181.152. CONTENT OF CONSENT. The written informed
24-18 consent must:
24-19 (1) describe the information to be used or disclosed
24-20 in clear, concise, and plain language;
24-21 (2) clearly identify the covered entity that will
24-22 disclose the information;
24-23 (3) clearly identify the person:
24-24 (A) who will use the information; or
24-25 (B) to whom the information will be disclosed;
24-26 (4) describe in reasonable detail the purpose for
24-27 which the information is being disclosed or used;
25-1 (5) state that the information will be used or
25-2 disclosed solely for the purpose specified in the informed consent
25-3 or as otherwise authorized by law;
25-4 (6) contain a specific date or event at which the
25-5 authorization expires;
25-6 (7) contain a statement that the individual has the
25-7 right to:
25-8 (A) revoke or amend the authorization in
25-9 accordance with this chapter;
25-10 (B) receive the notice required by Section
25-11 181.060;
25-12 (C) inspect, copy, and request an amendment of
25-13 protected health information;
25-14 (D) be informed of those circumstances under
25-15 which health information may be used or disclosed without informed
25-16 consent under a court order or other proper legal process issued by
25-17 a federal or state administrative agency or any other legal
25-18 requirement; and
25-19 (E) refuse to sign any informed consent
25-20 documentation that is valid for longer than two years; and
25-21 (8) state that a written notice of information
25-22 practices has been provided.
25-23 Sec. 181.153. EXPIRATION. (a) An informed consent for the
25-24 use of protected health information is valid until the expiration
25-25 date or event specified in the documentation or until it is revoked
25-26 by the individual.
25-27 (b) A person may not coerce an individual to sign an
26-1 informed consent document.
26-2 Sec. 181.154. REVOCATION. The subject of protected health
26-3 information may revoke or amend an informed consent at any time
26-4 unless:
26-5 (1) a disclosure or use has already been made in
26-6 reliance on the consent; or
26-7 (2) disclosure or use of protected information is made
26-8 for payment or reimbursement for health care that has previously
26-9 been delivered and for which the subject is not providing other
26-10 payment for the care.
26-11 Sec. 181.155. MODEL CONSENT. The board shall develop and
26-12 distribute a model informed consent form. In adopting the model
26-13 consent form, the board shall follow the same procedure the board
26-14 follows under the administrative procedure law, Chapter 2001,
26-15 Government Code. An informed consent obtained on a model form
26-16 developed or approved by the board is considered to meet the
26-17 requirements of this subchapter.
26-18 (Sections 181.156-181.200 reserved for expansion
26-19 SUBCHAPTER E. PROHIBITED ACTS
26-20 Sec. 181.201. DEIDENTIFIED INFORMATION. Unless otherwise
26-21 authorized by law, a person or governmental entity may not identify
26-22 or attempt to identify an individual who is the subject of any
26-23 deidentified health information.
26-24 Sec. 181.202. COERCED CONSENT. (a) A covered entity may not
26-25 condition the provision of health care to an individual on the
26-26 provision of an informed consent to use or disclose the information
26-27 for any purpose that is not essential and directly related to the
27-1 purpose of providing health care, performing health care delivery
27-2 review, or administrating or paying a health care claim.
27-3 (b) An employer may not condition terms of employment on the
27-4 provision of informed consent to use or disclose any protected
27-5 health information that is not either:
27-6 (1) deidentified; or
27-7 (2) necessary and directly related to the job duties
27-8 performed by the individual.
27-9 Sec. 181.203. REFUSAL TO PROVIDE HEALTH CARE. Except as
27-10 otherwise provided by law, a person may not refuse to provide
27-11 health care to an individual who refuses to consent to the
27-12 disclosure or use of protected health information as long as the
27-13 individual is not requesting payment or reimbursement for the
27-14 health care from a third party.
27-15 (Sections 181.204-181.250 reserved for expansion
27-16 SUBCHAPTER F. ENFORCEMENT
27-17 Sec. 181.251. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The
27-18 attorney general may institute an action for injunctive or
27-19 declaratory relief to restrain a violation of this chapter.
27-20 (b) In addition to the injunctive relief provided by
27-21 Subsection (a), the attorney general may institute an action for
27-22 civil penalties against a covered entity for a violation of this
27-23 chapter. A civil penalty assessed under this section may not
27-24 exceed $3,000 for each violation.
27-25 (c) If the court in which an action under Subsection (b) is
27-26 pending finds that the violations have occurred with a frequency as
27-27 to constitute a pattern or practice, the court may:
28-1 (1) assess a civil penalty not to exceed $250,000; and
28-2 (2) exclude the covered entity from participating in
28-3 any state-funded health care program.
28-4 (d) If the attorney general substantially prevails in an
28-5 action for injunctive relief or a civil penalty under this section,
28-6 the attorney general may recover reasonable attorney's fees, costs,
28-7 and expenses incurred obtaining the relief or penalty, including
28-8 court costs and witness fees.
28-9 Sec. 181.252. INDIVIDUAL INJUNCTIVE RELIEF; CIVIL CAUSE OF
28-10 ACTION. (a) An individual who is aggrieved by a violation of this
28-11 chapter may institute an action against a covered entity for
28-12 appropriate injunctive or declaratory relief.
28-13 (b) The individual may institute an action for civil
28-14 damages. An individual who prevails in an action may recover:
28-15 (1) the greater of:
28-16 (A) the individual's actual damages; or
28-17 (B) liquidated damages in the amount of $3,000;
28-18 and
28-19 (2) punitive damages.
28-20 (c) If the alleged violation involves sensitive health
28-21 information, the individual may recover:
28-22 (1) the greater of:
28-23 (A) the individual's actual damages; or
28-24 (B) liquidated damages in the amount of $10,000;
28-25 and
28-26 (2) punitive damages.
28-27 (d) If the individual is the prevailing party, the court may
29-1 award reasonable attorney's fees and other litigation costs and
29-2 expenses reasonably incurred, including expert fees.
29-3 (e) A civil action brought under this section must be
29-4 commenced not later than:
29-5 (1) three years after the date the cause of action
29-6 accrues; or
29-7 (2) one year after the date the cause of action was
29-8 discovered but not longer than five years after the date the cause
29-9 of action accrued.
29-10 Sec. 181.253. CRIMINAL OFFENSE. (a) A person commits an
29-11 offense if the person knowingly uses, discloses, reidentifies,
29-12 obtains, or induces another to use, disclose, reidentify, or obtain
29-13 protected health information for commercial advantage or personal
29-14 gain or to cause malicious harm in violation of this chapter.
29-15 (b) An offense under this section is a state jail felony
29-16 unless the person committed the offense under false pretenses, in
29-17 which event the offense is a third degree felony.
29-18 Sec. 181.254. DISCIPLINARY ACTION. In addition to the
29-19 penalties prescribed by this chapter, a violation of this chapter
29-20 by an individual or facility that is licensed by an agency of this
29-21 state is subject to the same consequence as a violation of the
29-22 licensing law applicable to the individual or facility or of a rule
29-23 adopted under that licensing law.
29-24 Sec. 181.255. SOVEREIGN IMMUNITY. This chapter does not
29-25 waive sovereign immunity to suit or liability.
29-26 SECTION 2. This Act takes effect September 1, 2001.