By: Nelson, et al.
S.B. No. 11
(In the Senate - Filed November 13, 2000; January 11, 2001, read first time and referred to Committee on Business and Commerce; March 15, 2001, reported adversely, with favorable Committee Substitute by the following vote: Yeas 5, Nays 0; March 15, 2001, sent to printer.)

COMMITTEE SUBSTITUTE FOR S.B. No. 11
By: Van de Putte

A BILL TO BE ENTITLED
AN ACT
relating to protecting the privacy of medical records; providing penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Title 2, Health and Safety Code, is amended by adding Subtitle I to read as follows:

SUBTITLE I. MEDICAL RECORDS
CHAPTER 181. MEDICAL RECORDS PRIVACY
SUBCHAPTER A. GENERAL PROVISIONS

Sec. 181.001. DEFINITIONS. In this chapter:
    (1) "Administrative billing information" means protected health information that is necessary for the payment or administration of health care claims. The term:
        (A) includes only:
            (i) date of service;
            (ii) billed charges;
            (iii) identifiers of the individual who is the subject of the protected health information;
            (iv) diagnostic and treatment information contained in standard billing codes;
            (v) information required by nationally recognized third-party health care claim forms; and
            (vi) protected health information that is part of a health care delivery review; and
        (B) does not include a clinical health record included or requested as an attachment to administrative billing information.
    (2) "Clinical health record" means a record of any protected health information, other than administrative billing information, that is used or maintained by or for a health care practitioner or facility or an employee, agent, or contractor of a health care practitioner or facility for the purpose of delivering health care to an individual.
    (3) "Covered entity" means any person who for commercial or professional gain, monetary fees, or dues, or on a cooperative, nonprofit or pro bono basis engages, in whole or in part, directly or indirectly, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes medical information bureaus and pharmaceutical companies. The term does not include a health care entity, third-party administrator, employer, or educational institution subject to the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g), and its subsequent amendments.
    (4) "Disclose" means to release, publish, share, transfer, transmit, distribute, show, or otherwise divulge protected health information to a person outside the entity holding the information other than the individual who is the subject of the information.
    (5) "Disease management" means a multidisciplinary, continuum-based approach to health care delivery that:
        (A) proactively identifies populations with, or at risk for, established medical conditions and utilizes appropriate health care practitioner's expertise in the treating physician's plan of care;
        (B) emphasizes prevention of complications by using cost-effective, evidence-based practice guidelines and patient empowerment strategies, including self-management education; and
        (C) continuously evaluates clinical, humanistic, and economic outcomes with the goal of improving overall health.
    (6) "Financial institution" means a state or federally chartered bank, savings bank, savings and loan association, credit union, or a holding company, subsidiary, or affiliate of such an institution.
    (7) "Health care entity" means any person, other than a pharmaceutical company, that:
        (A) is a health care payer, person performing health research, health care facility, clinic, or health care practitioner;
        (B) is an employee, agent, or contractor of a person described by Paragraph (A) to the extent the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information; or
        (C) is a governmental entity that uses or discloses protected health information other than in conducting an investigation or prosecuting a criminal offense.
    (8) "Health care facility" means any facility licensed to provide health care or legally and regularly engaged in providing health care, an employee, agent, affiliate, or contractor of the facility, or a health care practitioner with whom the facility has an agreement or affiliation for the purpose of providing, delivering, or arranging health care. The term includes a hospital, long-term care facility, or pharmacy. The term does not include an employer, health care payer, or health maintenance organization.
    (9) "Health care operations" means any of the following activities of a covered entity or health care entity, and any of the following activities of an organized health care arrangement in which a covered entity or health care entity participates:
        (A) conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that obtaining general knowledge is not the primary purpose of any studies resulting from those activities;
        (B) conducting population-based activities relating to:
            (i) improving health or reducing health care costs;
            (ii) protocol development;
            (iii) case management and care coordination; and
            (iv) contacting health care providers and patients with information about treatment alternatives;
        (C) conducting related functions that do not include treatment;
        (D) reviewing the competence or qualifications of health care professionals;
        (E) evaluating practitioner and provider performance and health plan performance;
        (F) conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers;
        (G) training of non-health care professionals and accreditation, certification, licensing, or credentialing activities;
        (H) ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care, including stop-loss insurance and excess of loss insurance;
        (I) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
        (J) business planning and development, including conducting cost-management and planning-related analyses related to managing and operating the entity, formulary development and administration, and development or improvement of methods of payment or coverage policies;
        (K) business management and general administrative activities of the entity, including:
            (i) management activities relating to implementation of and compliance with the requirements of this chapter;
            (ii) customer service, including the provision of data analyses for policyholders, plan sponsors, or other customers, provided that protected health information is not disclosed to the policyholder, plan sponsor, or customer;
            (iii) resolution of internal grievances;
            (iv) due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity; and
            (v) consistent with the applicable requirements of the Health Insurance Portability and Accountability Act and Privacy Standards, creating deidentified health information and fund-raising for the benefit of the health care entity; and
        (L) administering health plan benefits.
    (10) "Health care payer" means any person who provides payment or reimbursement for health care. The term does not include an employer.
    (11) "Health care practitioner" means a person, including a physician, nurse, chiropractor, midwife, podiatrist, physician assistant, pharmacist, or optometrist, who:
        (A) is licensed, certified, registered, or otherwise authorized by law to provide an item or service that, in the ordinary course of business, constitutes health care;
        (B) is an employee, agent, or contractor of a person described by Paragraph (A) who is supervised by the person described by Paragraph (A) in providing health care; or
        (C) is a health care facility with whom the person has an agreement or affiliation for the purpose of providing, delivering, or arranging health care.
    (12) "Health Insurance Portability and Accountability Act and Privacy Standards" means the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) and the final rules adopted on December 28, 2000, and published at 65 Fed. Reg. 82798 et seq., and any subsequent amendments.
    (13) "Health research" means any systematic investigation, including research development, testing, and evaluation, or other inquiry that uses protected health information to develop or contribute to general knowledge, including the study of:
        (A) the causes and treatment of disease or medical conditions; and
        (B) the relationship among certain characteristics, health care, and disease or health status.
    (14) "Payment" means the following activities undertaken by a covered entity or health care entity to obtain premiums, determine or fulfill responsibility of coverage and provision of benefits under a health plan, or to obtain or provide reimbursement for health care:
        (A) determination of eligibility or coverage, including coordination of benefits or the determination of cost-sharing amounts and adjudication or subrogation of health benefit claims;
        (B) risk-adjusting amounts due based on enrollee health status and demographic characteristics;
        (C) billing, claims management, collection activities, the obtaining of payment under a contract for reinsurance, including stop-loss insurance and excess of loss insurance, and related health care data processing;
        (D) review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
        (E) utilization review activities, including precertification and preauthorization of services and concurrent and retrospective review of services; and
        (F) disclosure to consumer reporting agencies consistent with the provisions under the Health Insurance Portability and Accountability Act and Privacy Standards.
    (15) "Person" includes a corporation, organization, governmental unit, business trust, estate, trust, partnership, association, and any other legal entity.
    (16) "Pharmaceutical company" means any person that manufactures, distributes, analyzes, dispenses, or conducts research with a controlled substance as defined by Section 481.002 or a dangerous drug as defined by Section 483.001. The term does not include health care entities.
    (17) "Protected health information":
        (A) includes any information, including administrative billing information, clinical health records, and prescriptions, that:
            (i) relates to:
                (a) the past, present, or future physical health or condition of an individual;
                (b) the past, present, or future mental health or condition of an individual;
                (c) the provision of health care to an individual; or
                (d) the past, present, or future payment for providing health care to an individual; and
            (ii) identifies or could be used or manipulated by itself or in combination with other information to identify an individual by a reasonably foreseeable method; and
        (B) does not include:
            (i) aggregate statistics;
            (ii) redacted health information;
            (iii) information for which random or fictitious alternatives have been substituted for personally identifiable information;
            (iv) information for which personally identifiable information has been encrypted and for which the encryption key is maintained by a person otherwise authorized to have access to the information in an identifiable format; and
            (v) personally identifiable health information in:
                (a) education records covered by the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g), and its subsequent amendments; and
                (b) records described by 20 U.S.C. Section 1232g(a)(4)(B)(iv), and its subsequent amendments.
    (18) "Reidentification" means any attempt to ascertain:
        (A) the identity of the individual who is the subject of protected health information; or
        (B) any specific data element with the intention of ascertaining the identity of the subject or with knowledge that the data element would allow for the identification of the individual who is the subject of the protected health information.
    (19) "Treatment" means any of the following activities:
        (A) the provision, coordination, or management of health care and related services by one or more health care entities, including the coordination or management of health care by a health care entity with a third party;
        (B) consultation between health care entities relating to a patient; and
        (C) the referral of a patient for health care from one health care entity to another.

Sec. 181.002. APPLICABILITY. (a) This chapter does not affect the confidentiality that another statute creates for any information.
(b) This chapter does not apply to:
    (1) workers' compensation insurance or a function authorized by Title 5, Labor Code;
    (2) any person or entity in connection with providing, administering, supporting, or coordinating any of the benefits under a self-insured program for workers' compensation;
    (3) an employee benefit plan; or
    (4) any covered entity, health care entity, or other person, insofar as the entity or person is acting in connection with an employee benefit plan.
(c) To the extent that this chapter differs from the Health Insurance Portability and Accountability Act and Privacy Standards, this chapter controls if the provisions of this chapter are clearly more restrictive than the provisions of the Health Insurance Portability and Accountability Act and Privacy Standards.

Sec. 181.003. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS. (a) In this section, "financial institution" has the meaning assigned by Section 1101, Right to Financial Privacy Act of 1978 (12 U.S.C. Section 3401), and its subsequent amendments.
(b) To the extent that a covered entity engages in activities of a financial institution, or authorizes, processes, clears, settles, bills, transfers, reconciles, or collects payments for a financial institution, this chapter and any rule adopted under this chapter does not apply to the covered entity with respect to those activities, including the following:
    (1) using or disclosing information to authorize, process, clear, settle, bill, transfer, reconcile, or collect a payment for, or related to, health plan premiums or health care, if the payment is made by any means, including a credit, debit, or other payment card, an account, a check, or an electronic funds transfer; and
    (2) requesting, using, or disclosing information with respect to a payment described by Subdivision (1):
        (A) for transferring receivables;
        (B) for auditing;
        (C) in connection with a customer dispute or an inquiry from or to a customer;
        (D) in a communication to a customer of the entity regarding the customer's transactions, payment card, account, check, or electronic funds transfer;
        (E) for reporting to consumer reporting agencies; or
        (F) for complying with a civil or criminal subpoena or a federal or state law regulating the covered entity.

Sec. 181.004. NONPROFIT AGENCIES. The department shall by rule exempt from this chapter:
    (1) a nonprofit agency that pays for health care services or prescription drugs for an indigent person only if the agency's primary business is not the provision of health care or reimbursement for health care services; and
    (2) health care providers who provide health care to indigent persons at a health fair that lasts not more than two days and is organized by a nonprofit agency.

(Sections 181.005-181.050 reserved for expansion)

SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION

Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE. (a) Except as provided by Subsection (b), a covered entity or health care entity shall permit an individual who is the subject of a clinical health record, the individual's designee, or another individual authorized by law to obtain an individual's clinical health record to inspect and copy any clinical health record, including records received from another health care entity or covered entity, except for any clinical health record collected or created in the course of a clinical research trial, that the entity maintains or controls and that relates to the individual. The covered entity or health care entity may charge retrieval and copying fees as provided by law or regulation, or in the absence of a law or regulation, a reasonable fee.
(b) A psychologist licensed under Chapter 501, Occupations Code, or a psychiatrist or other physician who is providing psychological or psychiatric services to an individual is not required to permit the individual to inspect or copy a personal diary created by the psychologist, psychiatrist, or physician containing protected health information relating to the individual if the information contained in the diary has not been disclosed to a person other than another psychologist, psychiatrist, or physician for the specific purpose of clinical supervision conducted in the regular course of treatment.
(c) A health care practitioner is not required to permit an individual to inspect or copy the individual's clinical health record if the health care practitioner determines that access to the information would be harmful to the physical, mental, or emotional health of the individual.
(d) A health care practitioner may redact or otherwise prevent disclosure of confidential information about another individual or family member of the individual who has not consented to the release of information, as otherwise provided by law.
(e) Not later than the 30th day after the date a covered entity or health care entity receives a request and payment under Subsection (a), the covered entity or health care entity shall provide the requested information.

Sec. 181.052. APPENDANT OR AMENDMENT TO HEALTH RECORDS. A health care entity may, at the entity's discretion, require that any appendant or amendment to an individual's clinical health record be designated as "a patient supplement."

Sec. 181.053. DISCLOSING, USING, ACCESSING, OR OBTAINING PROTECTED HEALTH INFORMATION. (a) Except to carry out treatment, payment, or health care operations, a covered entity may not disclose, use, access, or obtain protected health information unless the individual who is the subject of the protected health information has provided:
    (1) express written authorization; or
    (2) consent or authorization unless consent or authorization is not required by federal or state law.
(b) A covered entity may not use, access, request, or require the disclosure of more protected health information than is reasonably related to the specific purpose that is stated in the express written authorization. A covered entity may not refuse to provide protected health information requested by a health care practitioner for use in providing health care services.
(c) A covered entity may use, disclose, access, or obtain protected health information only for the purpose stated in the express written authorization.
(d) A covered entity may disclose protected health information without obtaining the express written authorization of the individual who is the subject of the information if the disclosure is made in response to a subpoena in a judicial or administrative proceeding.
(e) A covered entity may not condition services on the provision of express written authorization by the individual to disclose protected health information when the information is not directly related to the services being provided.

Sec. 181.054. INFORMATION OR RESEARCH. (a) A covered entity or health care entity may disclose protected health information to a person performing health research, regardless of the source of funding of the research, for the purpose of conducting health research, only if the person performing health research has obtained:
    (1) individual consent or authorization for use or disclosure of protected health information for research required by federal law;
    (2) the express written authorization of the individual required by this chapter;
    (3) documentation that a waiver of individual consent or authorization required for use or disclosure of protected health information has been granted by an institutional review board or privacy board as required under federal law; or
    (4) documentation that a waiver of the individual's express written authorization required by this chapter has been granted by a privacy board established under this section.
(b) A privacy board:
    (1) must consist of members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol for the project or projects on the privacy rights and related interests of the individuals whose protected health information would be used or disclosed;
    (2) must include at least one member who is not affiliated with the covered entity or health care entity or an entity conducting or sponsoring the research, and not related to any person who is affiliated with an entity described by this subsection; and
    (3) may not have any member participating in the review of any project in which the member has a conflict of interest.
(c) A privacy board may grant a waiver of the express written authorization for the use of protected health information if the privacy board obtains the following documentation:
    (1) a statement identifying the privacy board and the date on which the waiver of the express written authorization was approved by the privacy board;
    (2) a statement that the privacy board has determined that the waiver satisfies the following criteria:
        (A) the use or disclosure of protected health information involves no more than minimal risk to the affected individuals;
        (B) the waiver will not adversely affect the privacy rights and welfare of those individuals;
        (C) the research could not practicably be conducted without the waiver;
        (D) the research could not practicably be conducted without access to and use of the protected health information;
        (E) the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals and the importance of the knowledge that may reasonably be expected to result from the research;
        (F) there is an adequate plan to protect the identifiers from improper use and disclosure;
        (G) there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or the retention is otherwise required by law; and
        (H) there are adequate written assurances that the protected health information will not be reused or disclosed to another person or entity, except:
            (i) as required by law;
            (ii) for authorized oversight of the research project; or
            (iii) for other research for which the use or disclosure of protected health information would be permitted by state or federal law;
    (3) a brief description of the protected health information for which use or access has been determined to be necessary by the privacy board under Subdivision (2)(D); and
    (4) a statement that the waiver of express written authorization has been approved by the privacy board following the procedures under Subsection (e).
(d) A waiver must be signed by the presiding officer of the privacy board or the presiding officer's designee.
(e) The privacy board must review the proposed research at a convened meeting at which a majority of the privacy board members are present, including at least one member who satisfies the requirements of Subsection (b)(2). The waiver of express written authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure. The privacy board may use an expedited review procedure only if the research involves no more than minimal risk to the privacy of the individual who is the subject of the protected health information of which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the waiver of express written authorization may be made by the presiding officer of the privacy board or by one or more members of the privacy board as designated by the presiding officer.
(f) A covered entity or health care entity may disclose protected health information to a person performing health research if the covered entity or health care entity obtains from the person performing the health research representations that:
    (1) use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;
    (2) no protected health information is to be removed from the covered entity or health care entity by the person performing the health research in the course of the review; and
    (3) the protected health information for which use or access is sought is necessary for the research purposes.

Sec. 181.055. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH AUTHORITY. A covered entity may use or disclose protected health information without the express written authorization of the individual for public health activities or to comply with the requirements of any federal or state health benefit program. A covered entity may disclose protected health information:
    (1) to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public interventions;
    (2) to a public health authority or other appropriate government authority authorized by law to receive reports of child or adult abuse, neglect, or exploitation; and
    (3) to any state agency in conjunction with a federal or state health benefit program.

Sec. 181.056. REQUIRED NOTICE. (a) On request, a covered entity or health care entity conducting disease management or health care operations shall provide written notice to an individual of the entity's practices with respect to its uses and disclosures of protected health information.
(b) Notice under this section must include:
    (1) a complete description of the usual functions performed with protected health information;
    (2) a statement of whether protected health information is stored in a computerized records system; and
    (3) the name and the method of contacting the individual responsible for responding to inquiries regarding the entity's information practices.
(c) On written request by an individual who is the subject of protected health information, a covered entity or health care entity conducting disease management or health care operations shall provide a list of the agents or contractors, not including health care practitioners or health care facilities, who have direct access to or use of the protected health information.
(d) The department by rule shall adopt a standardized notice of information practices of the type described by this section.

(Sections 181.057-181.100 reserved for expansion)

SUBCHAPTER C. EXPRESS WRITTEN AUTHORIZATION

Sec. 181.101. FORM. (a) Express written authorization required by this chapter must be in writing and signed by:
    (1) the individual who is the subject of the protected health information;
    (2) the individual's legally authorized representative; or
    (3) the individual's agent under a medical power of attorney.
(b) For purposes of this section, documentation of express written authorization may be satisfied by the use of electronic signatures, computerized express written authorization documentation, or other technological means of recording express written authorization.
(c) The department by rule shall adopt standards regulating the content and form of the express written authorization.

Sec. 181.102. EXPIRATION. (a) An express written authorization to disclose, access, or use protected health information is valid until the expiration date or event specified in the documentation or until it is revoked by the individual.
(b) Except as provided by Subsection (c), a covered entity may not coerce an individual to sign an express written authorization required under this chapter.
(c) A person engaged in health research may require an individual's express written authorization to disclose protected health information as a condition of the individual's participation in the research.

(Sections 181.103-181.150 reserved for expansion)

SUBCHAPTER D. PROHIBITED ACTS

Sec. 181.151. REIDENTIFIED INFORMATION. A person may not reidentify or attempt to reidentify an individual who is the subject of any protected health information without obtaining the individual's consent or authorization if required under this chapter or other state or federal law.

Sec. 181.152. CONTACT FOR PURPOSES OF PROMOTION OR ADVERTISEMENT. (a) A covered entity or health care entity may not, without the express written authorization of the individual who is the subject of protected health information, use, access, or disclose the protected health information for the promotion or advertisement by any person or entity of specific products or services if the covered entity or health care entity receives, directly or indirectly, a financial incentive or remuneration from a third party for the use, access, or disclosure.
(b) A covered entity may not condition services upon receipt of required express written authorization for activities described in this section.
(c) "Promotion or advertisement of specific products or services" does not include treatment, disease management, or health care operations, except that health care operations as defined by Section 181.001(9)(C) may be prohibited under this section.

(Sections 181.153-181.200 reserved for expansion)

SUBCHAPTER E. ENFORCEMENT

Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The attorney general may institute an action for injunctive relief to restrain a violation of this chapter.
(b) In addition to the injunctive relief provided by Subsection (a), the attorney general may institute an action for civil penalties against a covered entity or health care entity for a violation of this chapter. A civil penalty assessed under this section may not exceed $3,000 for each violation.
(c) If the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, the court may assess a civil penalty not to exceed $250,000.
(d) If the attorney general substantially prevails in an action for injunctive relief or a civil penalty under this section, the court shall award to the attorney general reasonable attorney's fees, costs, and expenses incurred obtaining the relief or penalty, including court costs and witness fees.

Sec. 181.202. INDIVIDUAL INJUNCTIVE RELIEF. An individual who is aggrieved by a violation of this chapter may institute an action against a covered entity or health care entity for appropriate injunctive relief. If the individual is the prevailing party, the court shall award reasonable attorney's fees and other litigation costs and expenses reasonably incurred.

Sec. 181.203. SOVEREIGN IMMUNITY. This chapter does not waive sovereign immunity to suit or liability.

SECTION 2. Title 1, Insurance Code, is amended by adding Chapter 28B to read as follows:

CHAPTER 28B. PRIVACY OF HEALTH INFORMATION

SUBCHAPTER A. GENERAL PROVISIONS

Art. 28B.01. DEFINITIONS. In this chapter:
(1) "Health information" means any information or data regarding an individual, other than age or gender, whether oral or recorded in any form or medium, that is created by or derived from a health care provider or the individual and that relates to:
(A) the past, present, or future physical, mental, or behavioral health or condition of an individual;
(B) the provision of health care to an individual; or
(C) payment for the provision of health care to an individual.
(2) "Licensee" means a person who holds or is required to hold a license, registration, certificate of authority, or other authority under this code or another insurance law of this state. The term includes an insurance company, group hospital service corporation, mutual insurance company, local mutual aid association, statewide mutual assessment company, stipulated premium insurance company, health maintenance organization, reciprocal or interinsurance exchange, Lloyd's plan, fraternal benefit society, county mutual insurer, farm mutual insurer, or insurance agent.
(3) "Nonpublic personal health information" means health information:
(A) that identifies an individual who is the subject of the information; or
(B) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

Art. 28B.02. PERSONALLY IDENTIFIABLE HEALTH INFORMATION: PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION. (a) A licensee must obtain an authorization to disclose any nonpublic personal health information before making such a disclosure.
(b) The request for authorization required by this article may be in written or electronic form and must:
(1) state the identity of the consumer or customer who is the subject of the nonpublic personal health information;
(2) describe:
(A) the types of nonpublic personal health information to be disclosed;
(B) the parties to whom the licensee discloses nonpublic personal health information;
(C) the purpose of the disclosure;
(D) how the information will be used; and
(E) the procedure for revoking the authorization;
(3) include the signature and date signed of:
(A) the consumer or customer who is the subject of the nonpublic personal health information; or
(B) the individual who is legally empowered to grant authority;
(4) provide notice:
(A) of the length of time for which the authorization is valid; and
(B) that the consumer or customer may revoke the authorization at any time; and
(5) specify the amount of time that the authorization remains valid, which may not exceed 24 months.
(c) The right of a consumer or customer to revoke an authorization at any time is subject to the rights of an individual who acted in reliance on the authorization before receiving notice of a revocation.
(d) The licensee shall retain the original or a copy of the authorization in the record of the individual who is the subject of the nonpublic personal health information.

Art. 28B.03. DELIVERY OF AUTHORIZATION. (a) A request for authorization and an authorization form may be delivered to a consumer or a customer if the request and the authorization form are clear and conspicuous.
(b) A licensee must include delivery of the authorization in a notice to the consumer or customer only if the licensee intends to disclose protected health information under this chapter.

Art. 28B.04. EXCEPTIONS. A licensee may disclose nonpublic personal health information to the extent that the disclosure is necessary to perform the following insurance functions on behalf of that licensee:
(1) the investigation or reporting of actual or potential fraud, misrepresentation, or criminal activity;
(2) underwriting;
(3) the placement or issuance of an insurance policy;
(4) loss control services;
(5) ratemaking and guaranty fund functions;
(6) reinsurance and excess loss insurance;
(7) risk management;
(8) case management;
(9) disease management;
(10) quality assurance;
(11) quality improvement;
(12) performance evaluation;
(13) health care provider credentialing verification;
(14) utilization review;
(15) peer review activities;
(16) actuarial, scientific, medical, or public policy research;
(17) grievance procedures;
(18) the internal administration of compliance, managerial, and information systems;
(19) policyholder services;
(20) auditing;
(21) reporting;
(22) database security;
(23) the administration of consumer disputes and inquiries;
(24) external accreditation standards;
(25) the replacement of a group benefit plan or workers' compensation policy or program;
(26) activities in connection with a sale, merger, transfer, or exchange of all or part of a business or operating unit;
(27) any activity that permits disclosure without authorization under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), as amended;
(28) disclosure that is required, or is a lawful or appropriate method to enforce the licensee's rights or the rights of other persons engaged, in carrying out a transaction or providing a product or service that the consumer requests or authorizes;
(29) claims administration, adjustment, and management;
(30) any activity otherwise permitted by law, required pursuant to a governmental reporting authority, or required to comply with legal process; and
(31) any other insurance functions that the commissioner approves that are:
(A) necessary for appropriate performance of insurance functions; and
(B) fair and reasonable to the interests of consumers.

Art. 28B.05. EXCEPTION FOR COMPLIANCE WITH FEDERAL RULES. This subchapter does not apply to a licensee who complies with any standards governing the privacy of individually identifiable health information adopted by the United States Secretary of Health and Human Services under Section 262(a), Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sections 1320d-1320d-8).

Art. 28B.06. PROTECTION OF FAIR CREDIT REPORTING ACTS. (a) This chapter may not be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) and an inference may not be drawn based on this chapter regarding whether information is transaction or experience information under Section 603 of that Act (15 U.S.C. Section 1681a).
(b) This chapter does not preempt or supersede a state law related to medical record, health, or insurance information privacy that is in effect on July 1, 2002.

Art. 28B.07. VIOLATION; PENALTIES. (a) A licensee may not knowingly or wilfully violate this chapter.
(b) The department may investigate any alleged violation of this chapter and may impose fines and other sanctions as determined to be appropriate in accordance with Chapters 82 and 84 of this code and the other insurance laws of this state.

SECTION 3. (a) Chapter 181, Health and Safety Code, as added by this Act, takes effect September 1, 2003.
(b) Chapter 28B, Insurance Code, as added by this Act, takes effect January 1, 2002.
(c) The commissioner of insurance may delay the date for compliance with Chapter 28B, Insurance Code, as added by this Act, if the commissioner determines that an entity needs more time to establish policies and systems to comply with the requirements of that chapter.
(d) An authorization or consent granting access to an individual's health care records executed before the effective date of this Act is governed by the law in effect when the authorization or consent was executed, and the former law continues in effect for that purpose.

* * * * *