By Nelson S.B. No. 11
77R523 MCK-F

A BILL TO BE ENTITLED
AN ACT
relating to protecting the privacy of medical records; providing penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Title 2, Health and Safety Code, is amended by adding Subtitle I to read as follows:

SUBTITLE I. MEDICAL RECORDS
CHAPTER 181. MEDICAL RECORDS PRIVACY
SUBCHAPTER A. GENERAL PROVISIONS

Sec. 181.001. DEFINITIONS. In this chapter:
(1) "Administrative billing information" means protected health information that is necessary for the payment or administration of health care claims. The term:
(A) includes only:
(i) date of service;
(ii) billed charges;
(iii) patient or practitioner identifiers;
(iv) diagnostic and treatment information contained in standard billing codes;
(v) information required by nationally recognized third-party health care claim forms; and
(vi) protected health information that is part of a health care delivery review; and
(B) does not include a clinical health record included or requested as an attachment to administrative billing information.
(2) "Audit trail" means a complete and accurate record of the date, user or recipient, and function performed with respect to the use or disclosure of protected health information.
(3) "Clinical health record" means a record of any protected health information, other than administrative billing information, that is used or maintained by or for a health care practitioner or facility or an employee, agent, or contractor of a health care practitioner or facility for the purpose of delivering health care to an individual.
(4) "Computerized records system" means any electronic, digital, optical, magnetic, or other system that stores, retrieves, or manipulates data.
The term does not include a static storage system, including microfiche or microfilm.
(5) "Covered entity" means any person who:
(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected or deidentified health information. The term includes a health care payer, information or computer management entity, employer, school, health researcher, health care facility, clinic, or health care practitioner;
(B) obtains protected health information pursuant to this chapter;
(C) is an employee, agent, or contractor of a person described by Paragraph (A) or (B) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information; or
(D) is a governmental entity.
(6) "Deidentified health information" means protected health information with respect to which the holder has made a good faith effort to evaluate the risks of reidentification of the information in the context in which it will be used or disclosed and removed all personal identifiers or other information that may be used by itself or in combination with other information to identify the subject from the information. The term includes aggregate statistics, redacted health information, information for which random or fictitious alternatives have been substituted for personally identifiable information, and information for which personally identifiable information has been encrypted and for which the encryption key is maintained by a person otherwise authorized to have access to the information in an identifiable format.
(7) "Disclose" means to release, publish, share, transfer, transmit, distribute, show, or otherwise divulge protected health information to a person other than the individual who is the subject of the information.
(8) "Disease management" means a multidisciplinary, continuum-based approach to health care delivery that:
(A) proactively identifies populations with, or at risk for, established medical conditions;
(B) supports the physician-patient relationship and plan of care;
(C) emphasizes prevention of exacerbations and complications by using cost-effective, evidence-based practice guidelines and patient empowerment strategies, including self-management; and
(D) continuously evaluates clinical, humanistic, and economic outcomes with the goal of improving overall health.
(9) "Health care delivery review" means any review, audit, assessment, or analysis of health care, including utilization, quality assurance, or management review, that:
(A) is conducted in regard to an individual who is the subject of protected health information;
(B) is performed by a health care payer or an agent or contractor of a health care payer; and
(C) requires any protected health information that is not deidentified other than administrative billing information.
(10) "Health care facility" means any facility licensed to provide health care or legally and regularly engaged in providing health care, an employee, agent, or contractor of the facility, or a health care practitioner with whom the facility has an agreement or affiliation for the purpose of providing, delivering, or arranging health care. The term includes a hospital, long-term care facility, or pharmacy. The term does not include an employer, health care payer, or health maintenance organization.
(11) "Health care operations" means an activity undertaken by or on behalf of a health care facility, a health care payer, or a health care practitioner to carry out the management functions necessary for the support of treatment or payment, including:
(A) conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines;
(B) reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance or health plan performance, conducting training programs in which undergraduate and graduate students and trainees in areas of health care learn under supervision to practice as health care providers, and reviewing accreditation, certification, licensing, or credentialing activities;
(C) conducting insurance rating and other insurance activities relating to renewal of a contract for insurance, including underwriting, experience rating, and reinsurance, but only if the individuals are already enrolled in the health plan conducting activities and if the use of disclosure of protected health information relates to an existing contract of insurance or the renewal of a contract; and
(D) conducting or arranging for medical review and auditing services, including fraud and abuse detection and compliance programs.
(12) "Health care payer" means any person who provides payment or reimbursement for health care, including a health insurance or other insurance company, hospital or medical service plan, health or dental service plan, health maintenance organization, employee welfare benefit plan, or other group health plan, regardless of whether the payment or reimbursement is funded through the purchase of insurance.
(13) "Health care practitioner" means a person, including a physician, nurse, chiropractor, midwife, podiatrist, physician assistant, pharmacist, or optometrist, who:
(A) is licensed, certified, registered, or otherwise authorized by law to provide an item or service that, in the ordinary course of business, constitutes health care;
(B) is an employee, agent, or contractor of a person described by Paragraph (A) who is supervised by the person described by Paragraph (A) in providing health care; or
(C) is a health care facility with whom the person has an agreement or affiliation for the purpose of providing, delivering, or arranging health care.
(14) "Health research" means any systematic investigation, testing, evaluation, or other inquiry that uses protected health information to develop or contribute to general knowledge, including the study of:
(A) the causes of disease or medical conditions; and
(B) the relationship among certain characteristics, health care, and disease or health status.
(15) "Health researcher" means a person who has been authorized by an institutional review board described by Section 181.058(a) to conduct health research using protected or deidentified health information.
(16) "Payment" includes:
(A) determination of coverage, including appropriateness of care and justification of charges;
(B) payment, adjudication, and subrogation of health care claims;
(C) risk adjustment of amounts due based on enrollee health status and demographic characteristics;
(D) billing, claims management, and medical data processing; and
(E) utilization review activities, including preauthorization and precertification of services.
(17) "Protected health information" means any information, including sensitive health information, administrative billing information, and clinical health records, including prescriptions, but not including deidentified health information that is in the public domain, that:
(A) relates to:
(i) the past, present, or future physical or mental health or condition of an individual;
(ii) the providing of health care to an individual; or
(iii) the past, present, or future payment for providing health care to an individual; and
(B) identifies or could be used or manipulated by itself or in combination with other information to identify an individual by a reasonably foreseeable method.
(18) "Reidentification" means any attempt to ascertain:
(A) the identity of the individual who is the subject of protected health information; or
(B) any specific data element with the intention of ascertaining the identity of the subject or with knowledge that the data element would allow for the identification of the individual who is the subject of the protected health information.
(19) "Sensitive health information" means protected health information that pertains specifically to:
(A) a history, diagnosis, or treatment of:
(i) substance abuse;
(ii) human immunodeficiency virus or acquired immune deficiency syndrome;
(iii) sexually transmitted disease; or
(iv) sexual, physical, or mental abuse, including information related to sexual assault;
(B) mental health;
(C) sexual or reproductive health; or
(D) the results of a genetic test, including the fact that an individual has undergone a genetic test.
(20) "Treatment" means a health care treatment, service, or procedure provided by a health care practitioner designed to maintain or treat a patient's physical or mental condition, as well as preventive care. The term includes the coordination of the provision of health care among health care practitioners and health care payers and patient referrals.

Sec. 181.002. APPLICABILITY. This chapter does not affect the confidentiality that another statute creates for any information.

Sec. 181.003. DELAYED EFFECT. (a) A person is not required to comply with this chapter before September 1, 2003.
(b) This section expires September 1, 2003.

(Sections 181.004-181.050 reserved for expansion)

SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION

Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE. (a) Except as provided by Subsection (b), a covered entity shall permit an individual who is the subject of a clinical health record or the person's designee to inspect and copy any clinical health record, except for any clinical health record collected or created in the course of a clinical research trial, that the entity maintains or controls and that relates to the individual. The covered entity may charge a reasonable fee for any copies. The fee may not exceed the covered entity's cost to copy the record.
(b) A psychologist licensed under Chapter 501, Occupations Code, or a psychiatrist who is providing psychological or psychiatric services to an individual is not required to permit the individual to inspect or copy a personal diary containing protected health information relating to the individual if the information contained in the diary has not been disclosed to a person other than another psychologist or psychiatrist for the specific purpose of clinical supervision conducted in the regular course of treatment.
(c) Not later than the 30th day after the date a covered entity receives a request and payment under Subsection (a), the covered entity shall provide the requested information.

Sec. 181.052. DISCLOSURE OR USE OF PROTECTED HEALTH INFORMATION. (a) A covered entity may not disclose or use protected health information except as authorized under this chapter.
(b) Except as otherwise provided by law, a covered entity may not use or disclose protected health information without obtaining the informed consent of the individual who is the subject of the information.
(c) A covered entity may not use or request or require the disclosure of more protected health information than is reasonably related to the specific purpose that is stated in the informed consent or that is otherwise authorized by law.
(d) Except as otherwise provided by law, a covered entity may use or disclose protected health information only for the purpose stated in the informed consent.
(e) A covered entity may disclose or use protected health information without obtaining the informed consent of the individual who is the subject of the information if the disclosure or use is necessary to perform health care operations.
(f) A covered entity may disclose protected health information without obtaining the informed consent of the individual who is the subject of the information if the disclosure is made in response to a subpoena in a judicial or administrative proceeding.
(g) A person who receives information made confidential by this chapter may disclose the information only to the extent consistent with the authorized uses stated in the informed consent.

Sec. 181.053. USE OF CLINICAL HEALTH RECORDS.
(a) Except as provided by Section 181.054, this chapter does not limit the ability of a health care practitioner, a health care facility, a health care payer, or a contractor of a health care payer to use protected health information to:
(1) provide health care to the individual who is the subject of the information; or
(2) perform a health care delivery review.
(b) With respect to a clinical health record used for any purpose other than to deliver health care to the individual who is the subject of the record, the covered entity using the record shall:
(1) limit access to a clinical health record that is not deidentified to only those employees, agents, or contractors who perform an essential function that is directly related to the purpose for which the record was created or collected;
(2) prohibit an employee, agent, or contractor from reidentifying an individual who is the subject of any deidentified health information used, received, or created by the employee, agent, or contractor unless otherwise authorized by law;
(3) require that an employee, agent, or contractor use or receive only the minimum amount of information from a clinical health record that is essential and directly related to the specific function performed by the employee, agent, or contractor;
(4) prohibit an employee, agent, or contractor from using or having access to a clinical health record for longer than is necessary to perform the specific function of the employee, agent, or contractor;
(5) prohibit an employee, agent, or contractor from disclosing a clinical health record or deidentified health information to any other person except as otherwise authorized under this chapter;
(6) link, match, or index clinical health records collected, held, or maintained by other covered entities only if the entity
has specific informed consent; and
(7) disclose a clinical health record collected from or created by any other covered entity only to the individual who is the subject of the information or as otherwise authorized by law.

Sec. 181.054. USE OF ADMINISTRATIVE BILLING INFORMATION. (a) With respect to administrative billing information used by a covered entity, the entity shall:
(1) limit the use of administrative billing information that is not deidentified to those employees, agents, or contractors who perform an essential function;
(2) prohibit an employee, agent, or contractor from reidentifying an individual who is the subject of any deidentified health information used, received, or created by the employee, agent, or contractor unless otherwise authorized by law;
(3) require that an employee, agent, or contractor use only the minimum amount of administrative billing information that is necessary to accomplish the specific function performed by the employee, agent, or contractor;
(4) prohibit an employee, agent, or contractor from disclosing administrative billing information or deidentified health information to any other person except as otherwise authorized under this chapter; and
(5) link, match, or index administrative billing information collected, held, or maintained by other covered entities only if the entity has specific informed consent.
(b) Except as otherwise provided by this chapter, a health care provider, a health care facility, a health care payer, or an employee, agent, or contractor of a provider, facility, or payer may use administrative billing information without the informed consent of the individual who is the subject of the information only if the health care provider, facility, or payer:
(1) deidentifies all the information used by the entity; or
(2) uses only the minimum amount of administrative billing information that is essential and reasonably related to the specific function to be performed by the recipient and does not store, preserve, copy, or otherwise maintain the information for longer than is necessary to perform the specific function of the recipient or as otherwise authorized by law.
(c) The board by rule shall determine which employees, agents, or contractors perform an essential function under Subsection (a)(1).

Sec. 181.055. SENSITIVE HEALTH INFORMATION. (a) A covered entity shall obtain separate informed consent documentation for the disclosure of sensitive health information.
(b) A covered entity shall comply with a request from an individual who is the subject of sensitive health information to restrict access within the entity to the information. If a health care practitioner or health care facility believes that restricting access to the information may endanger the life or health of the subject, the practitioner or facility may require the subject to sign an acknowledgment that the restriction is against medical advice. A covered entity may use any reasonable means to restrict access to the information. This subsection does not apply to administrative billing information.
(c) An individual may not restrict a health care provider's access to sensitive health information under this section if the health care provider is directly involved in the delivery of health care to the individual.
(d) A covered entity may not withhold sensitive health information requested under an informed consent document.

Sec. 181.056. DIRECTORY INFORMATION. (a) Except as provided by Subsection (b), a health care practitioner or health care facility that provides inpatient services may disclose directory information regarding an individual to any person if:
(1) the inpatient:
(A) has been notified of the inpatient's right to object at the time of admission to the facility and has not objected to the disclosure; or
(B) is in a physical or mental condition that makes it impossible to notify the inpatient of the right to object and there are no prior indications that the inpatient would object; and
(2) the information consists of:
(A) the name of the inpatient;
(B) the nature of the inpatient's injury;
(C) the municipality, if any, and the county where the inpatient resides;
(D) the inpatient's sex;
(E) the inpatient's age;
(F) the general health status of the inpatient, described as critical, poor, fair, stable, or satisfactory or in terms denoting similar conditions; or
(G) the location of the inpatient on premises controlled by the practitioner or facility.
(b) A health care practitioner or health care facility may not release inpatient directory information without informed consent if:
(1) disclosure of the location of the individual would reveal information supporting all inferences about the specific diagnosis of the individual; or
(2) the practitioner or facility has reason to believe that the disclosure of the information could lead to physical, mental, or emotional harm to or the death of the individual.

Sec. 181.057. NEXT OF KIN. (a) A health care practitioner or health care facility may disclose, without the patient's consent, protected health information regarding the health care provided to the patient if:
(1) the patient:
(A) has been notified of the patient's right to object at the time of admission to the facility and has not objected to the disclosure; or
(B) is in a physical or mental condition that makes it impossible to notify the patient of the right to object; and
(2) the information is disclosed to the patient's next of kin, a representative of the patient, or an individual with whom the patient resides.
(b) A health care practitioner or health care facility is not liable for a disclosure made in good faith under Subsection (a).

Sec. 181.058. INFORMATION FOR RESEARCH.
(a) A covered entity may disclose protected health information to a health researcher for the purpose of conducting health research only if:
(1) an institutional review board, ethics review board, or privacy review board acting in compliance with part 46 of Title 45 or part 56 of Title 21 of the Code of Federal Regulations as they appear in the October 1996 edition approves the research in accordance with this section; and
(2) the researcher has obtained either:
(A) the informed consent of the individual; or
(B) a waiver of informed consent granted by the institutional review board, ethics review board, or privacy review board under this section.
(b) An institutional review board, ethics review board, or privacy review board may grant a waiver or alteration of the informed consent for the use of protected health information if the board:
(1) meets the requirements of Section 46.110(d) of Title 45 as it appears in the October 1996 edition of the Code of Federal Regulations;
(2) determines and documents that:
(A) there is no practicable alternative to the use of the protected health information and that the information will be deidentified at the earliest practicable opportunity;
(B) the health researcher has fully disclosed which of the protected health information to be collected or created will be linked to other protected health information;
(C) appropriate safeguards will be used to protect the information against reidentification or subsequent unauthorized linkage if, in the course of the proposed research, the health researcher intends to link protected health information to other protected health information or if there is a risk that the information may be linked;
(D) at the conclusion of the proposed health research or at some specific date, the health researcher
will destroy all of the data containing protected health information as well as all copies of the data; and
(E) the health researcher has presented adequate assurances that none of the data containing protected health information will be given, loaned, sold, disseminated, or otherwise disclosed to other parties; and
(3) has the opportunity to review any publication of information based on the protected health information collected or created under this section to ensure that no disclosures are made that might identify an individual.
(c) In determining whether to grant a waiver under Subsection (b), an institutional review board, ethics review board, or privacy review board may consider whether the health researcher is qualified for and is likely to obtain a certificate of confidentiality from the U.S. Department of Health and Human Services pursuant to Section 301(d) of the Public Health Service Act (42 U.S.C. Section 241(d)).
(d) The institutional review board, ethics review board, or privacy review board may extend the date of destruction required by Subsection (b)(2)(D) if the researcher demonstrates a continuing or new need for protected health information for which the researcher would be qualified for a waiver of informed consent in accordance with this section.
(e) A health researcher performing research on deidentified health information is not required to obtain a waiver or alteration of the informed consent.
(f) For purposes of this section, if a health researcher receives protected health information that is not deidentified, the health information is considered deidentified health information if explicit or commonly used identifiers are encrypted by the researcher at the earliest opportunity and the encryption code or key is maintained by a person authorized to have access to the information or an institutional review board, ethics review board, or privacy review board acting in accordance with this section.
(g) Documentation of findings by an institutional review board, ethics review board, or privacy review board under this section shall be made available on request by:
(1) the department;
(2) the office of the attorney general; and
(3) any individual whose protected health information is disclosed or used pursuant to this section.
(h) A health researcher may not use or disclose protected health information for any purposes other than those specifically approved by the institutional review board, ethics review board, or privacy review board and directly related to the research being performed.
(i) Protected and deidentified health information collected or used pursuant to this section is immune from any compulsory legal process that does not directly concern the research being performed.

Sec. 181.059. APPENDANT TO HEALTH RECORDS. (a) An individual may request in writing that a health care practitioner or health care facility that is providing health care to the individual make an appendant to the individual's clinical health record. The health care practitioner or health care facility may limit the length of the appendant to two letter-sized pages.
(b) Not later than the 90th day after the date the health care practitioner or health care facility receives a written request to make an appendant to the individual's clinical health record, the health care practitioner or health care facility shall:
(1) make the appendant requested and on request provide the individual with a list of the entities to whom the record was disclosed before the appendant was made; or
(2) inform the individual of:
(A) the reasons for refusing to make the appendant; and
(B) any procedures for further review of the refusal.
(c) A health care practitioner or health care facility may not unreasonably refuse to make an appendant to a clinical health record.
(d) If a health care practitioner or health care facility refuses to make an appendant to a clinical health record, the health care practitioner or health care facility shall comply with a reasonable request of the individual to include at a relevant place in the record a statement from the individual regarding the disputed information.
(e) For purposes of Subsection (a), an appendant is considered to have been made if the information that has been disputed by the individual has been supplemented by or replaced with appended information and the information is clearly marked as appended.
(f) A covered entity that receives clinical health records to which an appendant has been made shall:
(1) make the same appendant that the practitioner or facility made not later than the 90th day after the date the covered entity receives the records; and
(2) make reasonable efforts to give notice of the appendant to each person to whom the covered entity disclosed the records before the appendant was made.
(g) This section does not apply to a clinical health record that has not been used or disclosed during the seven years before the date of the request to make the appendant to the record.

Sec. 181.060. REQUIRED NOTICE. (a) A covered entity shall provide written notice to an individual of the entity's practices with respect to protected health information. The covered entity shall provide the individual with written notice of any change in the entity's practices with respect to protected health information.
(b) Notice under this section must include:
(1) a reasonably complete description of the usual functions performed with protected health information that has not been deidentified;
(2) a statement of whether protected health information is stored in a computerized records system;
(3) the name and the method of contacting the individual responsible for responding to inquiries regarding the entity's information practices; and
(4) the procedures an individual must follow to exercise the rights granted under this chapter.
(c) On written request by an individual, a covered entity shall provide a list of the agents or contractors who ordinarily have direct access to or use of protected health information that is not deidentified.
(d) The board shall develop and disseminate a model notice of information practices of the type described by this section. In adopting the model notice, the board shall follow the same procedure the board follows under the administrative procedure law, Chapter 2001, Government Code, for adopting a rule. Any notice that conforms to the model notice developed under this subsection is considered to meet the notice requirements of this section.

Sec. 181.061. MARKETING AND EDUCATIONAL INFORMATION.
(a) A 22-10 covered entity may not send an individual who is the subject of 22-11 protected health information marketing material for a product 22-12 related to the treatment of the individual's medical condition. 22-13 (b) A covered entity may send an individual who is the 22-14 subject of protected health information educational information 22-15 related to the individual's medical condition. 22-16 (Sections 181.062-181.100 reserved for expansion) 22-17 SUBCHAPTER C. HEALTH CARE PAYERS 22-18 Sec. 181.101. NOTICE TO INDIVIDUAL. A health care payer 22-19 shall, on enrollment, notify an individual who is the subject of 22-20 protected health information: 22-21 (1) of the regular uses of the information, including 22-22 administrative billing information; and 22-23 (2) that protected health information will be accessed 22-24 in the event of an investigation, complaint, appeal, or other 22-25 grievance made by or relating to the subject. 22-26 Sec. 181.102. CONTACT WITH PATIENT. (a) A health care 22-27 payer may not initiate contact with the subject of sensitive health 23-1 information regarding any disease management or other clinical 23-2 intervention program relating to the sensitive health condition 23-3 until the sixth business day after the date the health care payer 23-4 notifies the health care practitioner or facility that is treating 23-5 the subject of the information of the health care payer's intent to 23-6 initiate contact. 23-7 (b) A health care payer may send mail addressed to an 23-8 individual regarding any health topic, including generic material 23-9 regarding sensitive health information, if the material does not 23-10 name or otherwise identify the individual in the material sent. 23-11 Sec. 181.103. DISEASE MANAGEMENT PROGRAM.
(a) A health 23-12 care payer or employer may not require as a condition of 23-13 employment, health insurance, or coverage or reimbursement for 23-14 health care that an individual participate in a disease management 23-15 program or other clinical intervention program. 23-16 (b) This section does not prevent a health care payer from 23-17 designating the manner of any specific benefit offered by the 23-18 payer. 23-19 Sec. 181.104. CONSENT REQUIRED. Unless otherwise authorized 23-20 by law, informed consent provided by an enrollee or member in any 23-21 health plan is not valid as to anyone other than that enrollee or 23-22 member. 23-23 Sec. 181.105. HEALTH CARE DELIVERY REVIEW. For the purpose 23-24 of performing health care delivery review, a health care payer may 23-25 request protected health information only if the information is 23-26 essential for the review. Protected health information collected 23-27 for the performance of health care delivery review may not be used 24-1 for any other purpose unless otherwise authorized by law. The 24-2 board by rule shall determine what information is essential to 24-3 perform a health care review. 24-4 (Sections 181.106-181.150 reserved for expansion) 24-5 SUBCHAPTER D. INFORMED CONSENT 24-6 Sec. 181.151. FORM. (a) Informed consent required by this 24-7 chapter must be in writing and signed by: 24-8 (1) the individual who is the subject of the health 24-9 information; 24-10 (2) the individual's legal guardian; or 24-11 (3) the individual's agent under a medical power of 24-12 attorney. 24-13 (b) For purposes of this section, documentation of informed 24-14 consent may be satisfied by the use of electronic signatures, 24-15 computerized informed consent documentation, or other technological 24-16 means of recording informed consent. 24-17 Sec. 181.152. CONTENT OF CONSENT.
The written informed 24-18 consent must: 24-19 (1) describe the information to be used or disclosed 24-20 in clear, concise, and plain language; 24-21 (2) clearly identify the covered entity that will 24-22 disclose the information; 24-23 (3) clearly identify the person: 24-24 (A) who will use the information; or 24-25 (B) to whom the information will be disclosed; 24-26 (4) describe in reasonable detail the purpose for 24-27 which the information is being disclosed or used; 25-1 (5) state that the information will be used or 25-2 disclosed solely for the purpose specified in the informed consent 25-3 or as otherwise authorized by law; 25-4 (6) contain a specific date or event at which the 25-5 authorization expires; 25-6 (7) contain a statement that the individual has the 25-7 right to: 25-8 (A) revoke or amend the authorization in 25-9 accordance with this chapter; 25-10 (B) receive the notice required by Section 25-11 181.060; 25-12 (C) inspect, copy, and request an amendment of 25-13 protected health information; 25-14 (D) be informed of those circumstances under 25-15 which health information may be used or disclosed without informed 25-16 consent under a court order or other proper legal process issued by 25-17 a federal or state administrative agency or any other legal 25-18 requirement; and 25-19 (E) refuse to sign any informed consent 25-20 documentation that is valid for longer than two years; and 25-21 (8) state that a written notice of information 25-22 practices has been provided. 25-23 Sec. 181.153. EXPIRATION. (a) An informed consent for the 25-24 use of protected health information is valid until the expiration 25-25 date or event specified in the documentation or until it is revoked 25-26 by the individual. 25-27 (b) A person may not coerce an individual to sign an 26-1 informed consent document. 26-2 Sec. 181.154. REVOCATION. 
The subject of protected health 26-3 information may revoke or amend an informed consent at any time 26-4 unless: 26-5 (1) a disclosure or use has already been made in 26-6 reliance on the consent; or 26-7 (2) disclosure or use of protected information is made 26-8 for payment or reimbursement for health care that has previously 26-9 been delivered and for which the subject is not providing other 26-10 payment for the care. 26-11 Sec. 181.155. MODEL CONSENT. The board shall develop and 26-12 distribute a model informed consent form. In adopting the model 26-13 consent form, the board shall follow the same procedure the board 26-14 follows under the administrative procedure law, Chapter 2001, 26-15 Government Code. An informed consent obtained on a model form 26-16 developed or approved by the board is considered to meet the 26-17 requirements of this subchapter. 26-18 (Sections 181.156-181.200 reserved for expansion) 26-19 SUBCHAPTER E. PROHIBITED ACTS 26-20 Sec. 181.201. DEIDENTIFIED INFORMATION. Unless otherwise 26-21 authorized by law, a person or governmental entity may not identify 26-22 or attempt to identify an individual who is the subject of any 26-23 deidentified health information. 26-24 Sec. 181.202. COERCED CONSENT. (a) A covered entity may not 26-25 condition the provision of health care to an individual on the 26-26 provision of an informed consent to use or disclose the information 26-27 for any purpose that is not essential and directly related to the 27-1 purpose of providing health care, performing health care delivery 27-2 review, or administrating or paying a health care claim. 27-3 (b) An employer may not condition terms of employment on the 27-4 provision of informed consent to use or disclose any protected 27-5 health information that is not either: 27-6 (1) deidentified; or 27-7 (2) necessary and directly related to the job duties 27-8 performed by the individual. 27-9 Sec. 181.203. REFUSAL TO PROVIDE HEALTH CARE.
Except as 27-10 otherwise provided by law, a person may not refuse to provide 27-11 health care to an individual who refuses to consent to the 27-12 disclosure or use of protected health information as long as the 27-13 individual is not requesting payment or reimbursement for the 27-14 health care from a third party. 27-15 (Sections 181.204-181.250 reserved for expansion) 27-16 SUBCHAPTER F. ENFORCEMENT 27-17 Sec. 181.251. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The 27-18 attorney general may institute an action for injunctive or 27-19 declaratory relief to restrain a violation of this chapter. 27-20 (b) In addition to the injunctive relief provided by 27-21 Subsection (a), the attorney general may institute an action for 27-22 civil penalties against a covered entity for a violation of this 27-23 chapter. A civil penalty assessed under this section may not 27-24 exceed $3,000 for each violation. 27-25 (c) If the court in which an action under Subsection (b) is 27-26 pending finds that the violations have occurred with a frequency as 27-27 to constitute a pattern or practice, the court may: 28-1 (1) assess a civil penalty not to exceed $250,000; and 28-2 (2) exclude the covered entity from participating in 28-3 any state-funded health care program. 28-4 (d) If the attorney general substantially prevails in an 28-5 action for injunctive relief or a civil penalty under this section, 28-6 the attorney general may recover reasonable attorney's fees, costs, 28-7 and expenses incurred obtaining the relief or penalty, including 28-8 court costs and witness fees. 28-9 Sec. 181.252. INDIVIDUAL INJUNCTIVE RELIEF; CIVIL CAUSE OF 28-10 ACTION. (a) An individual who is aggrieved by a violation of this 28-11 chapter may institute an action against a covered entity for 28-12 appropriate injunctive or declaratory relief. 28-13 (b) The individual may institute an action for civil 28-14 damages.
An individual who prevails in an action may recover: 28-15 (1) the greater of: 28-16 (A) the individual's actual damages; or 28-17 (B) liquidated damages in the amount of $3,000; 28-18 and 28-19 (2) punitive damages. 28-20 (c) If the alleged violation involves sensitive health 28-21 information, the individual may recover: 28-22 (1) the greater of: 28-23 (A) the individual's actual damages; or 28-24 (B) liquidated damages in the amount of $10,000; 28-25 and 28-26 (2) punitive damages. 28-27 (d) If the individual is the prevailing party, the court may 29-1 award reasonable attorney's fees and other litigation costs and 29-2 expenses reasonably incurred, including expert fees. 29-3 (e) A civil action brought under this section must be 29-4 commenced not later than: 29-5 (1) three years after the date the cause of action 29-6 accrues; or 29-7 (2) one year after the date the cause of action was 29-8 discovered but not longer than five years after the date the cause 29-9 of action accrued. 29-10 Sec. 181.253. CRIMINAL OFFENSE. (a) A person commits an 29-11 offense if the person knowingly uses, discloses, reidentifies, 29-12 obtains, or induces another to use, disclose, reidentify, or obtain 29-13 protected health information for commercial advantage or personal 29-14 gain or to cause malicious harm in violation of this chapter. 29-15 (b) An offense under this section is a state jail felony 29-16 unless the person committed the offense under false pretenses, in 29-17 which event the offense is a third degree felony. 29-18 Sec. 181.254. DISCIPLINARY ACTION. In addition to the 29-19 penalties prescribed by this chapter, a violation of this chapter 29-20 by an individual or facility that is licensed by an agency of this 29-21 state is subject to the same consequence as a violation of the 29-22 licensing law applicable to the individual or facility or of a rule 29-23 adopted under that licensing law. 29-24 Sec. 181.255. SOVEREIGN IMMUNITY. 
This chapter does not 29-25 waive sovereign immunity to suit or liability. 29-26 SECTION 2. This Act takes effect September 1, 2001.