By: Nelson S.B. No. 1754
Line and page numbers may not match official copy.
Bill not drafted by TLC or Senate E&E.
A BILL TO BE ENTITLED
1-1 AN ACT
1-2 relating to the information practices of government and to certain
1-3 information practices of the private sector that affect the privacy
1-4 of citizens of this state; providing penalties and creating a
1-5 privacy task force.
1-6 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1-7 SECTION 1. Title 2, Health and Safety Code, is amended by
1-8 adding Subtitle I to read as follows:
1-9 SUBTITLE I. MEDICAL RECORDS
1-10 CHAPTER 181. MEDICAL RECORDS PRIVACY
1-11 SUBCHAPTER A. GENERAL PROVISIONS
1-12 Sec. 181.001. DEFINITIONS. In this chapter:
1-13 (1) "Administrative billing information" means
1-14 protected health information that is necessary for the payment or
1-15 administration of health care claims. The term:
1-16 (A) includes only:
1-17 (i) date of service;
1-18 (ii) billed charges;
1-19 (iii) identifiers of the individual who is
1-20 the subject of the protected health information;
1-21 (iv) diagnostic and treatment information
1-22 contained in standard billing codes;
1-23 (v) information required by nationally
2-1 recognized third-party health care claim forms; and
2-2 (vi) protected health information that is
2-3 part of a health care delivery review; and
2-4 (B) does not include a clinical health record
2-5 included or requested as an attachment to administrative billing
2-6 information.
2-7 (2) "Clinical health record" means a record of any
2-8 protected health information, other than administrative billing
2-9 information, that is used or maintained by or for a health care
2-10 practitioner or facility or an employee, agent, or contractor of a
2-11 health care practitioner or facility for the purpose of delivering
2-12 health care to an individual.
2-13 (3) "Covered entity" means any person who for
2-14 commercial, or professional gain, monetary fees, or dues, or on a
2-15 cooperative, nonprofit or pro bono basis engages, in whole or in
2-16 part, directly or indirectly, and with real or constructive
2-17 knowledge, in the practice of assembling, collecting, analyzing,
2-18 using, evaluating, storing, or transmitting protected health
2-19 information. The term includes, medical information bureaus, and
2-20 pharmaceutical companies. The term does not include health care
2-21 entities; third party administrators; employers; or educational
2-22 institutions governed by Federal Educational Rights and Privacy Act
2-23 or exempted under HIPAA.
2-24 (4) "Disclose" means to release, publish, share,
2-25 transfer, transmit, distribute, show, or otherwise divulge
2-26 protected health information to a person outside the entity holding
3-1 the information other than the individual who is the subject of the
3-2 information.
3-3 (5) "Disease management" means a multidisciplinary,
3-4 continuum-based approach to health care delivery that:
3-5 (A) proactively identifies populations with, or
3-6 at risk for, established medical conditions and supports the
3-7 physician-patient relationship and plan of care;
3-8 (B) emphasizes prevention of complications by
3-9 using cost-effective, evidence-based practice guidelines and
3-10 patient empowerment strategies, including self-management
3-11 education; and
3-12 (C) continuously evaluates clinical, humanistic,
3-13 and economic outcomes with the goal of improving overall health.
3-14 (6) "Financial institution" means a state or federally
3-15 chartered bank, savings bank, savings and loan association, credit
3-16 union, or a holding company, subsidiary, or affiliate of such an
3-17 institution.
3-18 (7) "Health care entity" means any person, other than
3-19 a pharmaceutical company, that:
3-20 (A) is a health researcher, health care
3-21 facility, clinic, or health care practitioner; or
3-22 (B) is an employee, agent, or contractor of a
3-23 person described by Paragraph (A) to the extent the employee,
3-24 agent, or contractor creates, receives, obtains, maintains, uses,
3-25 or transmits protected health information;
3-26 (C) is a governmental entity that uses or
4-1 discloses protected health information; or
4-2 (D) is a governmental entity not conducting an
4-3 investigation or prosecution of a criminal offense.
4-4 (8) "Health care facility" means any facility licensed
4-5 to provide health care or legally and regularly engaged in
4-6 providing health care, an employee, agent, affiliate or contractor
4-7 of the facility, or a health care practitioner with whom the
4-8 facility has an agreement or affiliation for the purpose of
4-9 providing, delivering, or arranging health care. The term includes
4-10 a hospital, long-term care facility, or pharmacy. The term does
4-11 not include an employer, health care payer, or health maintenance
4-12 organization.
4-13 (9) "Health care operations" means any of the
4-14 following activities of a covered entity or health care entity, and
4-15 any of the following activities of an organized health care
4-16 arrangement in which a covered entity or health care entity
4-17 participates:
4-18 (A) conducting quality assessment and
4-19 improvement activities, including outcomes evaluation and
4-20 development of clinical guidelines, provided that obtaining general
4-21 knowledge is not the primary purpose of any studies resulting from
4-22 those activities;
4-23 (B) conducting population-based activities
4-24 relating to:
4-25 (i) improving health or reducing health
4-26 care costs;
5-1 (ii) protocol development;
5-2 (iii) case management and care
5-3 coordination; and
5-4 (iv) contacting health care providers and
5-5 patients with information about treatment alternatives;
5-6 (C) conducting related functions that do not
5-7 include treatment;
5-8 (D) reviewing the competence or qualifications
5-9 of health care professionals;
5-10 (E) evaluating practitioner and provider
5-11 performance and health plan performance;
5-12 (F) conducting training programs in which
5-13 students, trainees, or practitioners in areas of health care learn
5-14 under supervision to practice or improve their skills as health
5-15 care providers;
5-16 (G) training of non-health care professionals
5-17 and accreditation, certification, licensing, or credentialing
5-18 activities;
5-19 (H) ceding, securing, or placing a contract for
5-20 reinsurance of risk relating to claims for health care, including
5-21 stop-loss insurance and excess of loss insurance;
5-22 (I) conducting or arranging for medical review,
5-23 legal services, and auditing functions, including fraud and abuse
5-24 detection and compliance programs;
5-25 (J) business planning and development, including
5-26 conducting cost-management and planning-related analyses related to
6-1 managing and operating the entity, formulary development and
6-2 administration, and development or improvement of methods of
6-3 payment or coverage policies;
6-4 (K) business management and general
6-5 administrative activities of the entity, including:
6-6 (i) management activities relating to
6-7 implementation of and compliance with the requirements of this
6-8 chapter;
6-9 (ii) customer service, including the
6-10 provision of data analyses for policyholders, plan sponsors, or
6-11 other customers, provided that protected health information is not
6-12 disclosed to the policyholder, plan sponsor, or customer;
6-13 (iii) resolution of internal grievances;
6-14 (iv) due diligence in connection with the
6-15 sale or transfer of assets to a potential successor in interest, if
6-16 the potential successor in interest is a covered entity or,
6-17 following completion of the sale or transfer, will become a covered
6-18 entity; and
6-19 (v) consistent with the applicable
6-20 requirements of the Health Insurance Portability and Accountability
6-21 Act and Privacy Standards as defined in this bill, creating
6-22 deidentified health information and fund-raising for the benefit of
6-23 the health care entity; and
6-24 (L) administering health plan benefits.
6-25 (10) "Health care payer" means any person who provides
6-26 payment or reimbursement for health care.
7-1 (11) "Health care practitioner" means a person,
7-2 including a physician, nurse, chiropractor, midwife, podiatrist,
7-3 physician assistant, pharmacist, or optometrist, who:
7-4 (A) is licensed, certified, registered, or
7-5 otherwise authorized by law to provide an item or service that, in
7-6 the ordinary course of business, constitutes health care;
7-7 (B) is an employee, agent, or contractor of a
7-8 person described by Paragraph (A) who is supervised by the person
7-9 described by Paragraph (A) in providing health care; or
7-10 (C) is a health care facility with whom the
7-11 person has an agreement or affiliation for the purpose of
7-12 providing, delivering, or arranging health care.
7-13 (12) "Health Insurance Portability and Accountability
7-14 Act and Privacy Standards" means the privacy requirements of the
7-15 Administrative Simplification subtitle of the Health Insurance
7-16 Portability and Accountability Act of 1996 (Pub. L. No. 104-191)
7-17 and the final rules adopted on December 28, 2000, and published at
7-18 65 Fed. Reg. 82798 et seq., and any amendments thereto.
7-19 (13) "Health research" means any systematic
7-20 investigation, including research development, testing, and
7-21 evaluation, or other inquiry that uses protected health information
7-22 to develop or contribute to general knowledge, including the study
7-23 of:
7-24 (A) the causes and treatment of disease or
7-25 medical conditions; and
7-26 (B) the relationship among certain
8-1 characteristics, health care, and disease or health status.
8-2 (14) "Payment" means the following activities
8-3 undertaken by a covered entity or health care entity to obtain
8-4 premiums, determine or fulfill responsibility of coverage and
8-5 premiums under a health plan or to obtain or provide reimbursement:
8-6 (A) determination of eligibility or coverage,
8-7 including coordination of benefits or the determination of
8-8 cost-sharing amounts and adjudication or subrogation of health
8-9 benefit claims;
8-10 (B) risk-adjusting amounts due based on enrollee
8-11 health status and demographic characteristics;
8-12 (C) billing, claims management, collection
8-13 activities, the obtaining of payment under a contract for
8-14 reinsurance, including stop-loss insurance and excess of loss
8-15 insurance, and related health care data processing;
8-16 (D) review of health care services with respect
8-17 to medical necessity, coverage under a health plan, appropriateness
8-18 of care, or justification of charges;
8-19 (E) utilization review activities, including
8-20 precertification and preauthorization of services and concurrent
8-21 and retrospective review of services; and
8-22 (F) disclosure to consumer reporting agencies
8-23 consistent with the provisions under the Health Insurance
8-24 Portability and Accountability Act and Privacy Standards as defined
8-25 in this bill.
8-26 (15) "Person" includes a corporation, organization,
9-1 governmental unit, business trust, estate, trust, partnership,
9-2 association, and any other legal entity.
9-3 (16) "Pharmaceutical company" means any person that
9-4 manufactures, distributes, analyzes, dispenses samples, or conducts
9-5 research with a controlled substance as defined by Section 481.002
9-6 or a dangerous drug as defined by Section 483.001. The term does
9-7 not include health care entities.
9-8 (17) "Protected health information":
9-9 (A) includes any information, including
9-10 administrative billing information, clinical health records, and
9-11 prescriptions, that:
9-12 (i) relates to:
9-13 (a) the past, present, or future
9-14 physical health or condition of an individual;
9-15 (b) the past, present, or future
9-16 mental health or condition of an individual;
9-17 (c) the provision of health care to
9-18 an individual; or
9-19 (d) the past, present, or future
9-20 payment for providing health care to an individual; and
9-21 (ii) identifies or could be used or
9-22 manipulated by itself or in combination with other information to
9-23 identify an individual by a reasonably foreseeable method; and
9-24 (B) does not include aggregate statistics,
9-25 redacted health information, information for which random or
9-26 fictitious alternatives have been substituted for personally
10-1 identifiable information, and information for which personally
10-2 identifiable information has been encrypted and for which the
10-3 encryption key is maintained by a person otherwise authorized to
10-4 have access to the information in an identifiable format.
10-5 (18) "Reidentification" means any attempt to
10-6 ascertain:
10-7 (A) the identity of the individual who is the
10-8 subject of protected health information; or
10-9 (B) any specific data element with the intention
10-10 of ascertaining the identity of the subject or with knowledge that
10-11 the data element would allow for the identification of the
10-12 individual who is the subject of the protected health information.
10-13 (19) "Treatment" means any of the following
10-14 activities:
10-15 (A) the provision, coordination, or management
10-16 of health care and related services by one or more health care
10-17 entities, including the coordination or management of health care
10-18 by a health care entity with a third party;
10-19 (B) consultation between health care entities
10-20 relating to a patient; and
10-21 (C) the referral of a patient for health care
10-22 from one health care entity to another.
10-23 Sec. 181.002. APPLICABILITY. (a) This chapter does not
10-24 affect the confidentiality that another statute creates for any
10-25 information.
10-26 (b) This chapter does not apply to:
11-1 (1) workers' compensation insurance, or a function as
11-2 authorized by Title 5 of the Texas Labor Code;
11-3 (2) any person or entity in connection with providing,
11-4 administering, supporting, or coordinating any of the benefits
11-5 under a self-insured program for workers' compensation;
11-6 (3) an employee benefit plan; or
11-7 (4) any covered entity, health care entity, or other
11-8 person, insofar as the entity or person is acting in connection
11-9 with an employee benefit plan.
11-10 (c) To the extent that a provision of this chapter differs
11-11 from HIPAA, this chapter will control as long as it is clearly more
11-12 stringent than the corresponding HIPAA provision.
11-13 (Sections 181.003-181.050 reserved for expansion)
11-14 SUBCHAPTER B. ACCESS TO AND USE OF HEALTH CARE INFORMATION
11-15 Sec. 181.051. PATIENT ACCESS TO INFORMATION; FEE.
11-16 (a) Except as provided by Subsection (b), a covered entity or
11-17 health care entity shall permit an individual who is the subject of
11-18 a clinical health record, the individual's designee, or another
11-19 individual authorized by law to obtain an individual's clinical
11-20 health record to inspect and copy any clinical health record,
11-21 including records received from another health care entity or
11-22 covered entity, except for any clinical health record collected or
11-23 created in the course of a clinical research trial, that the entity
11-24 maintains or controls and that relates to the individual. The
11-25 covered entity or health care entity may charge retrieval and
11-26 copying fees as provided by law, regulation or in the absence of a
12-1 law or regulation, a reasonable fee.
12-2 (b) A psychologist licensed under Chapter 501, Occupations
12-3 Code, or a psychiatrist or other physician who is providing
12-4 psychological or psychiatric services to an individual is not
12-5 required to permit the individual to inspect or copy a personal
12-6 diary created by the psychologist, psychiatrist, or physician
12-7 containing protected health information relating to the individual
12-8 if the information contained in the diary has not been disclosed to
12-9 a person other than another psychologist, psychiatrist, or
12-10 physician for the specific purpose of clinical supervision
12-11 conducted in the regular course of treatment.
12-12 (c) A health care practitioner is not required to permit an
12-13 individual to inspect or copy the individual's clinical health
12-14 record if the health care practitioner determines that access to
12-15 the information would be harmful to the physical, mental, or
12-16 emotional health of the individual.
12-17 (d) A health care practitioner may redact or otherwise
12-18 prevent disclosure of confidential information about another
12-19 individual or family member of the individual who has not consented
12-20 to the release of information, as otherwise provided by law.
12-21 (e) Not later than the 30th day after the date a covered
12-22 entity or health care entity receives a request and payment under
12-23 Subsection (a), the covered entity or health care entity shall
12-24 provide the requested information.
12-25 Sec. 181.052. APPENDANT OR AMENDMENT TO HEALTH RECORDS. A
12-26 health care entity may, at the entity's discretion, require that
13-1 any appendant or amendment to an individual's clinical health
13-2 record be designated as "a patient supplement."
13-3 Sec. 181.053. DISCLOSING, USING, ACCESSING, OR OBTAINING
13-4 PROTECTED HEALTH INFORMATION. (a) Except to carry out treatment,
13-5 payment, or health care operations, a covered entity may not
13-6 disclose, use, access, or obtain protected health information
13-7 unless one of the following conditions is met:
13-8 (1) the individual who is the subject of the protected
13-9 health information has provided express written authorization; or
13-10 (2) the individual who is the subject of the protected
13-11 health information has provided consent or authorization, if
13-12 required by applicable federal or state law.
13-13 (b) A covered entity may not use, access, request, or
13-14 require the disclosure of more protected health information than is
13-15 reasonably related to the specific purpose that is stated in the
13-16 express written authorization. A covered entity may not refuse to
13-17 provide protected health information requested by a health care
13-18 practitioner for use in providing health care services.
13-19 (c) A covered entity may use, disclose, access, or obtain
13-20 protected health information only for the purpose stated in the
13-21 express written authorization.
13-22 (d) A covered entity may disclose protected health
13-23 information without obtaining the express written authorization of
13-24 the individual who is the subject of the information if the
13-25 disclosure is made in response to a subpoena in a judicial or
13-26 administrative proceeding.
14-1 (e) A covered entity may not condition services on the
14-2 provision of express written authorization by the individual to
14-3 protected health information when the information is not directly
14-4 related to the services being provided.
14-5 PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS
14-6 SEC. 1179. To the extent that an entity is engaged in
14-7 activities of a financial institution (as defined in section 1101
14-8 of the Right to Financial Privacy Act of 1978), or is engaged in
14-9 authorizing, processing, clearing, settling, billing, transferring,
14-10 reconciling, or collecting payments, for a financial institution,
14-11 this part, and any standard adopted under this part, shall not
14-12 apply to the entity with respect to such activities, including the
14-13 following:
14-14 (1) The use or disclosure of information by the entity
14-15 for authorizing, processing, clearing, settling, billing,
14-16 transferring, reconciling or collecting, a payment for, or related
14-17 to, health plan premiums or health care, where such payment is made
14-18 by any means, including a credit, debit, or other payment card, an
14-19 account, check, or electronic funds transfer.
14-20 (2) The request for, or the use or disclosure of,
14-21 information by the entity with respect to a payment described in
14-22 paragraph (1)--(A) for transferring receivables; (B) for
14-23 auditing; (C) in connection with--(i) a customer dispute; or
14-24 (ii) an inquiry from, or to, a customer; (D) in a communication
14-25 to a customer of the entity regarding the customer's transactions,
14-26 payment card, account, check, or electronic funds transfer;
15-1 (E) for reporting to consumer reporting agencies; or (F) for
15-2 complying with--(i) a civil or criminal subpoena; or (ii) a
15-3 Federal or State law regulating the entity.
15-4 Sec. 181.054. INFORMATION FOR RESEARCH. (a) A covered
15-5 entity or health care entity may disclose protected health
15-6 information to a person performing health research, regardless of
15-7 the source of funding of the research, for the purpose of
15-8 conducting health research, only if the researcher has obtained:
15-9 (1) individual consent or authorization for use or
15-10 disclosure of protected health information for research required by
15-11 applicable federal law;
15-12 (2) the express written authorization of the
15-13 individual required by this chapter;
15-14 (3) documentation that a waiver of individual consent
15-15 or authorization required for use or disclosure of protected health
15-16 information for research has been granted by an institutional
15-17 review board or privacy board as required under applicable federal
15-18 law; or
15-19 (4) documentation that a waiver of the individual's
15-20 express written authorization required by this chapter has been
15-21 granted by a privacy board established under this section.
15-22 (b) A privacy board:
15-23 (1) must consist of members with varying backgrounds
15-24 and appropriate professional competency as necessary to review the
15-25 effect of the research protocol for the project or projects on the
15-26 privacy rights and related interests of the individuals whose
16-1 protected health information would be used or disclosed;
16-2 (2) must include at least one member who is not
16-3 affiliated with the covered entity or health care entity or an
16-4 entity conducting or sponsoring the research, and not related to
16-5 any person who is affiliated with an entity described by this
16-6 subsection; and
16-7 (3) may not have any member participating in the
16-8 review of any project in which the member has a conflict of
16-9 interest.
16-10 (c) A privacy board may grant a waiver of the express
16-11 written authorization for the use of protected health information
16-12 if the privacy board obtains documentation that includes all of the
16-13 following:
16-14 (1) a statement identifying the privacy board and the
16-15 date on which the waiver of the express written authorization was
16-16 approved by the privacy board;
16-17 (2) a statement that the privacy board has determined
16-18 that the waiver satisfies the following criteria:
16-19 (A) the use or disclosure of protected health
16-20 information involves no more than minimal risk to the affected
16-21 individuals;
16-22 (B) the waiver will not adversely affect the
16-23 privacy rights and welfare of those individuals;
16-24 (C) the research could not practicably be
16-25 conducted without the waiver;
16-26 (D) the research could not practicably be
17-1 conducted without access to and use of the protected health
17-2 information;
17-3 (E) the privacy risks to individuals whose
17-4 protected health information is to be used or disclosed are
17-5 reasonable in relation to the anticipated benefits, if any, to the
17-6 individuals and the importance of the knowledge that may reasonably
17-7 be expected to result from the research;
17-8 (F) there is an adequate plan to protect the
17-9 identifiers from improper use and disclosure;
17-10 (G) there is an adequate plan to destroy the
17-11 identifiers at the earliest opportunity consistent with conduct of
17-12 the research, unless there is a health or research justification
17-13 for retaining the identifiers, or the retention is otherwise
17-14 required by law; and
17-15 (H) there are adequate written assurances that
17-16 the protected health information will not be reused or disclosed to
17-17 another person or entity, except:
17-18 (i) as required by law;
17-19 (ii) for authorized oversight of the
17-20 research project; or
17-21 (iii) for other research for which the use
17-22 or disclosure of protected health information would be permitted by
17-23 applicable state or federal law.
17-24 (3) a brief description of the protected health
17-25 information for which use [of] or access has been determined to be
17-26 necessary by the privacy board pursuant to Subsection (c)(2)(D);
18-1 and
18-2 (4) a statement that the waiver of express written
18-3 authorization has been approved by the privacy board following the
18-4 procedures under Subsection (e).
18-5 (d) A waiver must be signed by the presiding officer of the
18-6 board or the presiding officer's designee.
18-7 (e) The privacy board must review the proposed research at a
18-8 convened meeting at which a majority of the privacy board members
18-9 are present, including at least one member who satisfies the
18-10 requirements of Subsection (b)(2). The waiver of express written
18-11 authorization must be approved by the majority of the privacy board
18-12 members present at the meeting, unless the privacy board elects to
18-13 use an expedited review procedure. The privacy board may use an
18-14 expedited review procedure only if the research involves no more
18-15 than minimal risk to the privacy of the individual who is the
18-16 subject of the protected health information for which use or
18-17 disclosure is being sought. If the privacy board elects to use an
18-18 expedited review procedure, the review and approval of the waiver
18-19 of express written authorization may be made by the presiding
18-20 officer of the privacy board or by one or more members of the
18-21 privacy board as designated by the presiding officer.
18-22 (f) A covered entity or health care entity may disclose
18-23 protected health information to a researcher if the covered entity
18-24 or health care entity obtains from the researcher representations
18-25 that:
18-26 (1) use or disclosure is sought solely to review
19-1 protected health information as necessary to prepare a research
19-2 protocol or for similar purposes preparatory to research;
19-3 (2) no protected health information is to be removed
19-4 from the covered entity or health care entity by the researcher in
19-5 the course of the review; and
19-6 (3) the protected health information for which use [of]
19-7 or access [to which] is sought is necessary for the research
19-8 purposes.
19-9 Sec. 181.055. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH
19-10 AUTHORITY. A covered entity may use or disclose protected health
19-11 information without the express written authorization of the
19-12 individual for public health activities or to comply with the
19-13 requirements of any federal or state health benefit program. A
19-14 covered entity may disclose protected health information:
19-15 (1) to a public health authority that is authorized by
19-16 law to collect or receive such information for the purpose of
19-17 preventing or controlling disease, injury, or disability, including
19-18 the reporting of disease, injury, vital events such as birth or
19-19 death, and the conduct of public health surveillance, public health
19-20 investigations, and public interventions;
19-21 (2) to a public health authority or other appropriate
19-22 government authority authorized by law to receive reports of child
19-23 or adult abuse or neglect or exploitation;
19-24 (3) to any or state agency in conjunction with a
19-25 federal or state health benefit program requirement.
19-26 Sec. 181.056. REQUIRED NOTICE. (a) On request, a covered
20-1 entity or health care entity conducting disease management or
20-2 health care operations shall provide written notice to an
20-3 individual of the entity's practices with respect to its uses and
20-4 disclosures of protected health information.
20-5 (b) Notice under this section must include:
20-6 (1) a complete description of the usual functions
20-7 performed with protected health information;
20-8 (2) a statement of whether protected health
20-9 information is stored in a computerized records system; and
20-10 (3) the name and the method of contacting the
20-11 individual responsible for responding to inquiries regarding the
20-12 entity's information practices.
20-13 (c) On written request by an individual who is the subject
20-14 of protected health information, a covered entity or health care
20-15 entity conducting disease management or health care operations
20-16 shall provide a list of the agents or contractors, not including
20-17 health care practitioners or health care facilities, who have
20-18 direct access to or use of the protected health information.
20-19 (d) The department by rule shall adopt a standardized notice
20-20 of information practices of the type described by this section.
20-21 (Sections 181.057-181.100 reserved for expansion)
20-22 SUBCHAPTER C. EXPRESS WRITTEN AUTHORIZATION
20-23 Sec. 181.101. FORM. (a) Express written authorization
20-24 required by this chapter must be in writing and signed by:
20-25 (1) the individual who is the subject of the protected
20-26 health information;
21-1 (2) the individual's legally authorized
21-2 representative; or
21-3 (3) the individual's agent under a medical power of
21-4 attorney.
21-5 (b) For purposes of this section, documentation of express
21-6 written authorization may be satisfied by the use of electronic
21-7 signatures, computerized express written authorization
21-8 documentation, or other technological means of recording express
21-9 written authorization.
21-10 (c) The department by rule shall adopt standards regulating
21-11 the content and form of the express written authorization.
21-12 Sec. 181.102. EXPIRATION. (a) An express written
21-13 authorization to disclose, access, or use protected health
21-14 information is valid until the expiration date or event specified
21-15 in the documentation or until it is revoked by the individual.
21-16 (b) A person may not coerce an individual to sign an express
21-17 written authorization required under this act.
21-18 (c) Persons engaged in health research, as defined in this
21-19 chapter, can require an individual's express written authorization
21-20 to disclose protected health information as a condition of that
21-21 individual's participation in the research.
21-22 (Sections 181.103-181.150 reserved for expansion)
21-23 SUBCHAPTER D. PROHIBITED ACTS
21-24 Sec. 181.151. REIDENTIFIED INFORMATION. A person may not
21-25 reidentify or attempt to reidentify an individual who is the
21-26 subject of any protected health information without obtaining the
22-1 individual's consent or authorization if required under this
22-2 chapter or other state or federal law.
22-3 Sec. 181.152. CONTRACT FOR PURPOSES OF PROMOTION OR
22-4 ADVERTISEMENT. (a) A covered entity or health care entity may
22-5 not, without the express written authorization of the individual
22-6 that is the subject of protected health information, use, access,
22-7 or disclose protected health information for the promotion or
22-8 advertisement, by any person or entity, of specific products or
22-9 services if the covered entity or health care entity receives,
22-10 directly or indirectly, a financial incentive or remuneration from
22-11 a third party for such use, access, or disclosure.
22-12 (b) A covered entity may not condition services upon the
22-13 receipt of required express authorization for activities described
22-14 in this section.
22-15 (c) Promotion or advertisement of specific products or
22-16 services does not include treatment, disease management, or health
22-17 care operations as defined by this act; with the exception that
22-18 health care operations defined in section 181.001 (9)(c) may be
22-19 prohibited under this act if they violate the promotion and
22-20 advertising restrictions of this section.
22-21 (Sections 181.153-181.200 reserved for expansion)
22-22 SUBCHAPTER E. ENFORCEMENT
22-23 Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The
22-24 attorney general may institute an action for injunctive relief to
22-25 restrain a violation of this chapter.
22-26 (b) In addition to the injunctive relief provided by
23-1 Subsection (a), the attorney general may institute an action for
23-2 civil penalties against a covered entity or health care entity for
23-3 a violation of this chapter. A civil penalty assessed under this
23-4 section may not exceed $3,000 for each violation.
23-5 (c) If the court in which an action under Subsection (b) is
23-6 pending finds that the violations have occurred with a frequency as
23-7 to constitute a pattern or practice, the court may assess a civil
23-8 penalty not to exceed $250,000.
23-9 (d) If the attorney general substantially prevails in an
23-10 action for injunctive relief or a civil penalty under this section,
23-11 the court shall award to the attorney general reasonable attorney's
23-12 fees, costs, and expenses incurred obtaining the relief or penalty,
23-13 including court costs and witness fees.
23-14 Sec. 181.202. INDIVIDUAL INJUNCTIVE RELIEF. An individual
23-15 who is aggrieved by a violation of this chapter may institute an
23-16 action against a covered entity or health care entity for
23-17 appropriate injunctive relief. If the individual is the prevailing
23-18 party, the court shall award reasonable attorney's fees and other
23-19 litigation costs and expenses reasonably incurred.
23-20 Sec. 181.203. SOVEREIGN IMMUNITY. This chapter does not
23-21 waive sovereign immunity to suit or liability.
23-22 SECTION 2. Chapter 21, Insurance Code, is amended by adding
23-23 a new Article 21.74 to read as follows:
23-24 ARTICLE 21.74. PRIVACY RULES FOR HEALTH INFORMATION
23-25 Section 1. Definitions. In this article, the following
23-26 definitions shall apply:
24-1 (a) "Health Information" means any information or data
24-2 except age or gender, whether oral or recorded in any form or
24-3 medium, created by or derived from a health care provider or the
24-4 consumer that relates to:
24-5 (1) The past, present or future physical, mental or
24-6 behavioral health or condition of an individual;
24-7 (2) The provision of health care to an individual; or
24-8 (3) Payment for the provision of health care to an
24-9 individual.
24-10 (b) "Licensee" means any individual, corporation,
24-11 association, partnership, insurance company, group hospital service
24-12 corporation, mutual insurance companies, local mutual aid
24-13 association, statewide mutual assessment companies, stipulated
24-14 premium insurance companies, health maintenance organization,
24-15 reciprocal exchange, interinsurer, Lloyds insurer, fraternal
24-16 benefit society, county mutual insurer, farm mutual insurer,
24-17 insurance agent and other persons licensed or required to be
24-18 licensed under this Code.
24-19 (c) "Nonpublic personal health information" means health
24-20 information:
24-21 (1) That identifies an individual who is the subject
24-22 of the information; or
24-23 (2) With respect to which there is a reasonable basis
24-24 to believe that the information could be used to identify an
24-25 individual.
24-26 Section 2. When Authorization Required for Disclosure of
25-1 Nonpublic Personal Health Information
25-2 (a) A licensee shall not disclose nonpublic personal health
25-3 information about a consumer or customer unless an authorization is
25-4 obtained from the consumer or customer whose nonpublic personal
25-5 health information is sought to be disclosed.
25-6 (b) Nothing in this section shall prohibit, restrict or
25-7 require an authorization for the disclosure of nonpublic personal
25-8 health information by a licensee for the performance of the
25-9 following insurance functions by or on behalf of the licensee:
25-10 claims adjustment and management; detection, investigation or
25-11 reporting of actual or potential fraud, misrepresentation or
25-12 criminal activity; underwriting; policy placement or issuance; loss
25-13 control; ratemaking and guaranty fund functions; reinsurance and
25-14 excess loss insurance; risk management; case management; disease
25-15 management; quality assurance; quality improvement; performance
25-16 evaluation; provider credentialing verification; utilization
25-17 review; peer review activities; actuarial, scientific, medical or
25-18 public policy research; grievance procedures; internal
25-19 administration of compliance, managerial, and information systems;
25-20 policyholder service functions; auditing; reporting; database
25-21 security; administration of consumer disputes and inquiries;
25-22 external accreditation standards; the replacement of a group
25-23 benefit plan or workers compensation policy or program; activities
25-24 in connection with a sale, merger, transfer or exchange of all or
25-25 part of a business or operating unit; any activity that permits
25-26 disclosure without authorization pursuant to the federal Health
26-1 Insurance Portability and Accountability Act privacy rules
26-2 promulgated by the U.S. Department of Health and Human Services;
26-3 disclosure that is required, or is one of the lawful or appropriate
26-4 methods, to enforce the licensee's rights or the rights of other
26-5 persons engaged in carrying out a transaction or providing a
26-6 product or service that a consumer requests or authorizes; and any
26-7 activity otherwise permitted by law, required pursuant to
26-8 governmental reporting authority, or to comply with legal process.
26-9 Nothing in this section shall prohibit a licensee from sharing
26-10 nonpublic personal health information with an affiliate of the
26-11 licensee for the purposes provided herein. Additional insurance
26-12 functions may be added with the approval of the commissioner to the
26-13 extent they are necessary for appropriate performance of insurance
26-14 functions and are fair and reasonable to the interest of consumers.
26-15 Section 3. Authorizations
26-16 (a) A valid authorization to disclose nonpublic personal
26-17 health information pursuant to this Article shall be in written or
26-18 electronic form and shall contain all of the following:
26-19 (1) The identity of the consumer or customer who is
26-20 the subject of the nonpublic personal health information;
26-21 (2) A general description of the types of nonpublic
26-22 personal health information to be disclosed;
26-23 (3) General descriptions of the parties to whom the
26-24 licensee discloses nonpublic personal health information, the
26-25 purpose of the disclosure and how the information will be used;
26-26 (4) The signature of the consumer or customer who is
27-1 the subject of the nonpublic personal health information or the
27-2 individual who is legally empowered to grant authority and the date
27-3 signed; and
27-4 (5) Notice of the length of time for which the
27-5 authorization is valid and that the consumer or customer may revoke
27-6 the authorization at any time and the procedure for making a
27-7 revocation.
27-8 (b) An authorization for the purposes of this Article shall
27-9 specify a length of time for which the authorization shall remain
27-10 valid, which in no event shall be for more than twenty-four (24)
27-11 months.
27-12 (c) A consumer or customer who is the subject of nonpublic
27-13 personal health information may revoke an authorization provided
27-14 pursuant to this Article at any time, subject to the rights of any
27-15 individual who acted in reliance on the authorization prior to
27-16 notice of the revocation.
27-17 (d) A licensee shall retain the authorization or a copy
27-18 thereof in the record of the individual who is the subject of
27-19 nonpublic personal health information.
27-20 Section 4. Authorization Request Delivery
27-21 A request for authorization and an authorization form may be
27-22 delivered to a consumer or a customer provided that the request and
27-23 the authorization form are clear and conspicuous. An authorization
27-24 form is not required to be delivered to the consumer or customer or
27-25 included in any other notices unless the licensee intends to
27-26 disclose protected health information pursuant to Section 1(a).
28-1 Section 5. Relationship to Federal Rules
28-2 Irrespective of whether a licensee is subject to the federal
28-3 Health Insurance Portability and Accountability Act privacy rule as
28-4 promulgated by the U.S. Department of Health and Human Services, if
28-5 a licensee complies with all requirements of the federal rule
28-6 except for its effective date provision, the licensee shall not be
28-7 subject to the provisions of this Article.
28-8 Section 6. Relationship to State Laws
28-9 Nothing in this article shall preempt or supersede existing
28-10 state law related to medical records, health or insurance
28-11 information privacy. If there is any conflict with any other state
28-12 law, the provisions of this Article shall prevail.
28-13 Section 7. Protection of Fair Credit Reporting Act
28-14 Nothing in this article shall be construed to modify, limit
28-15 or supersede the operation of the federal Fair Credit Reporting Act
28-16 (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the
28-17 basis of the provisions of this regulation whether information is
28-18 transaction or experience information under Section 603 of that
28-19 Act.
28-20 Section 8. Nondiscrimination.
28-21 A licensee shall not unfairly discriminate against a consumer
28-22 or customer because that consumer or customer has not granted
28-23 authorization for the disclosure of his or her nonpublic personal
28-24 health information pursuant to the provisions of this regulation.
28-25 Section 9. Violation
28-26 A violation of this Article is subject to an administrative
29-1 penalty authorized under Section 84.022 of this code.
29-2 Section 10. Severability
29-3 If any section or portion of a section of this article or its
29-4 applicability to any person or circumstance is held invalid by a
29-5 court, the remainder of this article or the applicability of the
29-6 provision to other persons or circumstances shall not be affected.
29-7 Section 11. Effective Date
29-8 This Article is effective January 1, 2002. In order to
29-9 provide sufficient time for licensees to establish policies and
29-10 systems to comply with the requirements of this regulation, the
29-11 commissioner may extend the time for compliance by rule or
29-12 regulation.
29-13 SECTION 3. Title 1, Insurance Code, is amended by adding
29-14 Chapter 28A to read as follows:
29-15 CHAPTER 28A. PRIVACY
29-16 SUBCHAPTER A. GENERAL PROVISIONS
29-17 Art. 28A.01. DEFINITIONS. In this chapter:
29-18 (1) "Affiliate" means any company that controls, is
29-19 controlled by, or is under common control with another company.
29-20 (2) "Authorization" has the meaning assigned by
29-21 Section 82.001 of this code.
29-22 (3) "Covered entity" means an individual or entity who
29-23 receives an authorization from the department. The term includes
29-24 any individual or entity described by Section 82.002 of this code.
29-25 (4) "Nonaffiliated third party" means an entity that
29-26 is not an affiliate of, or related to by common ownership or
30-1 affiliated by corporate control with, the covered entity. The term
30-2 does not include a joint employee of the entity.
30-3 Art. 28A.02. COMPLIANCE WITH FEDERAL LAW REQUIRED. (a) A
30-4 covered entity shall comply with 15 U.S.C. Sections 6802 and 6803,
30-5 as amended, in the same manner as a financial institution under
30-6 those sections.
30-7 (b) An entity that is a nonaffiliated third party in
30-8 relation to a covered entity shall comply with 15 U.S.C. Section
30-9 6802(c), as amended.
30-10 Art. 28A.03. EXCEPTION. Article 28A.02(a) of this code does
30-11 not apply to a covered entity to the extent that the entity is
30-12 acting solely as an insurance agent for another covered entity.
30-13 Art. 28A.04. HEALTH INFORMATION. This chapter does not
30-14 affect the authority of the department or another state agency to
30-15 adopt stricter rules governing the treatment of health information
30-16 by a covered entity, if another law gives the department or agency
30-17 that authority, including any laws or rules of this state related
30-18 to the privacy of individually identifiable health information
30-19 under the federal Health Insurance Portability and Accountability
30-20 Act of 1996 (42 U.S.C. Section 1320d et seq.), as amended.
30-21 (Articles 28A.05-28A.50 reserved for expansion)
30-22 SUBCHAPTER B. DEPARTMENT POWERS AND DUTIES
30-23 Art. 28A.51. RULEMAKING AUTHORITY. (a) The commissioner
30-24 shall adopt rules to implement this chapter.
30-25 (b) The commissioner shall adopt any other rules necessary
30-26 to carry out 15 U.S.C. Subchapter I, Chapter 94 (15 U.S.C. Section
31-1 6801 et seq., as amended) to make this state eligible to override
31-2 federal regulations, as described by 15 U.S.C. Section 6805(c), as
31-3 amended.
31-4 (c) In adopting rules under this chapter, the commissioner
31-5 shall attempt to keep state privacy requirements consistent with
31-6 federal regulations adopted under 15 U.S.C. Subchapter I, Chapter
31-7 94 (15 U.S.C. Section 6801 et seq., as amended).
31-8 Art. 28A.52. STANDARDS. The department shall implement
31-9 standards as required by 15 U.S.C. Section 6805(b), as amended.
31-10 (Articles 28A.53-28A.100 reserved for expansion)
31-11 SUBCHAPTER C. ENFORCEMENT
31-12 Art. 28A.101. ENFORCEMENT OF FEDERAL LAW. The department
31-13 shall enforce 15 U.S.C. Sections 6801-6805, as amended, to the
31-14 extent required by 15 U.S.C. Section 6805.
31-15 Art. 28A.102. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The
31-16 attorney general may institute an action for injunctive or
31-17 declaratory relief to restrain a violation of this chapter.
31-18 (b) In addition to the injunctive relief provided by
31-19 Subsection (a) of this article, the attorney general may institute
31-20 an action for civil penalties against a covered entity or a
31-21 nonaffiliated third party for a violation of this chapter. A civil
31-22 penalty assessed under this article may not exceed $3,000 for each
31-23 violation.
31-24 (c) If the court in which an action under Subsection (b) of
31-25 this article is pending finds that the violations have occurred
31-26 with a frequency as to constitute a pattern or practice, the court
32-1 may assess a civil penalty not to exceed $250,000.
32-2 (d) If the attorney general substantially prevails in an
32-3 action for injunctive relief or a civil penalty under this article,
32-4 the attorney general may recover reasonable attorney's fees, costs,
32-5 and expenses incurred obtaining the relief or penalty, including
32-6 court costs and witness fees.
32-7 SECTION 4. Not later than 30 days after the effective date
32-8 of this Act, the commissioner of insurance shall adopt the rules
32-9 required by Article 28A.51, Insurance Code, as added by SECTION 3
32-10 of this Act. The commissioner may adopt these initial rules on an
32-11 emergency basis.
32-12 SECTION 5. Subtitle A, Title 5, Government Code, is amended
32-13 by adding Chapter 559 to read as follows:
32-14 CHAPTER 559. TEXAS PRIVACY ACT
32-15 SUBCHAPTER A. GENERAL PROVISIONS
32-16 Sec. 559.001. SHORT TITLE. This chapter may be cited as the
32-17 Texas Privacy Act.
32-18 Sec. 559.002. LEGISLATIVE FINDINGS; GENERAL PRIVACY
32-19 PRINCIPLES. (a) The legislature finds that:
32-20 (1) an increasing number of individuals in this state
32-21 are concerned that:
32-22 (A) personal information held by government may
32-23 be used inappropriately;
32-24 (B) unauthorized persons may have access to that
32-25 information; and
32-26 (C) some of the information may be inaccurate,
33-1 incomplete, or unnecessary for the effective functioning of
33-2 government; and
33-3 (2) in response to the findings stated by Subdivision
33-4 (1), each state and local governmental entity in this state must be
33-5 committed to strengthening privacy protections for personal
33-6 information held by government in a manner consistent with the
33-7 public's right to complete information about the affairs of
33-8 government and the official acts of public officials and employees.
33-9 (b) The legislature also finds that because inadvertent
33-10 release, careless storage, or improper disposal of information
33-11 could result in embarrassment or other harm to individuals, each
33-12 state and local governmental entity:
33-13 (1) has an obligation to protect personal information
33-14 in the manner required by law; and
33-15 (2) must exercise particular care in protecting
33-16 records containing sensitive and private personal information about
33-17 health or financial matters and in protecting personal identifiers,
33-18 such as a social security number.
33-19 (c) It is the policy of this state that an individual has a
33-20 right to know how personal information about the individual is
33-21 handled by government and the extent to which the information may
33-22 be disclosed or must be kept confidential under law.
33-23 Sec. 559.003. DEFINITIONS. In this chapter:
33-24 (1) "Personal information" means information about an
33-25 individual such as:
33-26 (A) the individual's home address, home
34-1 telephone number, social security number, date of birth, physical
34-2 characteristics, and similar information about the individual;
34-3 (B) information about an individual's marital
34-4 status or history, whether the individual has family members, and
34-5 information about the individual's family members; and
34-6 (C) personally identifiable information about
34-7 the individual's health or health history, finances or financial
34-8 history, and purchases made from government.
34-9 (2) "Governmental entity" does not include a court
34-10 other than a commissioners court.
34-11 Sec. 559.004. CONSTRUCTION WITH OTHER LAW. This chapter
34-12 does not affect:
34-13 (1) the ability of a state or local governmental
34-14 entity to undertake a lawful investigation or to protect persons,
34-15 property, or the environment in the manner authorized by law; or
34-16 (2) the duty of a state or local governmental entity
34-17 to comply with applicable law.
34-18 (Sections 559.005-559.050 reserved for expansion)
34-19 SUBCHAPTER B. SPECIFIC PRIVACY PROTECTIONS
34-20 Sec. 559.051. DISCLOSURE OF CERTAIN PERSONAL INFORMATION;
34-21 COMPELLING INTEREST OR INTENSE PUBLIC CONCERN REQUIREMENT.
34-22 (a) This section applies only to the disclosure by a governmental
34-23 entity of information that reveals an individual's:
34-24 (1) social security number;
34-25 (2) bank account number, credit card account number,
34-26 or other financial account number; or
35-1 (3) computer password or computer network location or
35-2 identity.
35-3 (b) A state or local governmental entity may not disclose
35-4 information described by Subsection (a) under Chapter 552 or other
35-5 law unless the attorney general authorizes the disclosure after
35-6 determining that:
35-7 (1) there is a compelling governmental interest in
35-8 disclosing the information that cannot be effectively accomplished
35-9 without the disclosure; or
35-10 (2) due to extraordinary circumstances, the
35-11 information is especially relevant to a matter of intense public
35-12 concern.
35-13 (c) The attorney general may adopt rules to implement this
35-14 section, including rules that describe appropriate and clearly
35-15 defined circumstances under which a category of information
35-16 described by Subsection (a) is presumed to satisfy a requirement of
35-17 Subsection (b) and therefore may be disclosed without the necessity
35-18 of obtaining specific authorization for the disclosure from the
35-19 attorney general. A rule of the attorney general that describes
35-20 circumstances under which information presumptively may be
35-21 disclosed may limit disclosure to specific state, local, or federal
35-22 authorities or may allow the information to be generally disclosed
35-23 under Chapter 552, as appropriate.
35-24 (d) The attorney general shall develop procedures under
35-25 which the office of the attorney general will expedite a decision
35-26 whether to authorize disclosure of information described by
36-1 Subsection (a) when expedited consideration is warranted under the
36-2 circumstances.
36-3 (e) A decision of the attorney general under this section
36-4 may be challenged in court in the same manner that a decision of
36-5 the attorney general may be challenged under Subchapter G, Chapter
36-6 552.
36-7 (f) If information described by Subsection (a) is requested
36-8 under Chapter 552, Section 552.325 applies in relation to the
36-9 individual who is the subject of the information in the same manner
36-10 as if the individual were a requestor of the information, except
36-11 that the attorney general shall notify the individual under Section
36-12 552.325(c) if the attorney general proposes to agree to the release
36-13 of all or part of the information.
36-14 Sec. 559.052. COLLECTION OF PERSONAL INFORMATION. A state
36-15 or local governmental entity shall establish procedures to ensure
36-16 that the governmental entity collects personal information only to
36-17 the extent reasonably necessary to:
36-18 (1) implement a program;
36-19 (2) authenticate an individual's identity when
36-20 necessary;
36-21 (3) ensure security; or
36-22 (4) accomplish another legitimate governmental
36-23 purpose.
36-24 Sec. 559.053. RECORDS RETENTION SCHEDULES. (a) In adopting
36-25 or amending its records retention schedule, a state or local
36-26 governmental entity shall schedule the retention of personal
37-1 information only for the period necessary to accomplish the purpose
37-2 for which the information was collected or, if applicable, for the
37-3 minimum period specifically prescribed by statute.
37-4 (b) Subsection (a) does not apply to the retention of
37-5 personal information that has demonstrable historical or archival
37-6 value.
37-7 Sec. 559.054. GENERAL PRIVACY POLICIES. (a) A state or
37-8 local governmental entity shall develop a privacy policy that
37-9 completely describes in plainly written language:
37-10 (1) the reasons that the governmental entity requires
37-11 or collects each category of personal information about individuals
37-12 that the entity requires or collects;
37-13 (2) the procedures used to require or collect the
37-14 information;
37-15 (3) the persons to whom the information may be
37-16 disclosed;
37-17 (4) the manner in which the information may be
37-18 disclosed; and
37-19 (5) any current arrangement under which the
37-20 governmental entity sells personal information about individuals or
37-21 discloses the information under a contract or agreement or in bulk.
37-22 (b) The state or local governmental entity shall promptly
37-23 amend the privacy policy whenever information in the policy becomes
37-24 incorrect or incomplete.
37-25 (c) The state or local governmental entity shall prominently
37-26 post its current privacy policy:
38-1 (1) through a prominent link on the main Internet site
38-2 maintained by or for the governmental entity; and
38-3 (2) next to the sign that the governmental entity
38-4 posts under Section 552.205.
38-5 Sec. 559.055. GOVERNMENT INTERNET SITES: PRIVACY POLICY.
38-6 (a) The Department of Information Resources shall adopt rules
38-7 prescribing minimum privacy standards with which an Internet site
38-8 or portal maintained by or for a state or local governmental entity
38-9 must comply. The rules must be designed to limit the collection of
38-10 personal information about users of the government Internet site or
38-11 portal to information:
38-12 (1) that the state or local governmental entity needs
38-13 in order to accomplish a legitimate government purpose;
38-14 (2) that the user of the site or portal knowingly and
38-15 intentionally transmits to the state or local governmental entity;
38-16 or
38-17 (3) regarding the collection of which the user of the
38-18 site or portal has actively given informed consent.
38-19 (b) In adopting its rules under this section, the Department
38-20 of Information Resources shall consider policies adopted by other
38-21 states and the federal government in this regard.
38-22 (c) A state or local governmental entity that maintains an
38-23 Internet site or portal or for which an Internet site or portal is
38-24 maintained shall adopt a privacy policy regarding information
38-25 collected through the site or portal and provide a prominent link
38-26 to the policy for users of the site or portal. The policy must be
39-1 consistent with the rules adopted by the Department of Information
39-2 Resources under this section and must be included as a prominent
39-3 separate element of the general privacy policy that the entity is
39-4 required to develop and to which it must provide an Internet link
39-5 under Section 559.054.
39-6 Sec. 559.056. STATE AUDITOR. (a) The state auditor shall
39-7 establish auditing guidelines to ensure that state and local
39-8 governmental entities that the state auditor has authority to audit
39-9 under other law:
39-10 (1) do not routinely collect or retain more personal
39-11 information than an entity needs to accomplish a legitimate
39-12 governmental purpose of the entity; and
39-13 (2) have established an information management system
39-14 that protects the privacy and security of information in accordance
39-15 with applicable state and federal law.
39-16 (b) During an appropriate type of audit, the state auditor
39-17 may audit a state or local governmental entity for compliance with
39-18 the guidelines established under Subsection (a).
39-19 (Sections 559.057-559.100 reserved for expansion)
39-20 SUBCHAPTER C. GUIDELINES AND STUDIES
39-21 Sec. 559.101. ATTORNEY GENERAL GUIDELINES FOR REVIEWING
39-22 PRIVACY ISSUES. (a) The attorney general shall establish
39-23 guidelines for state and local governmental entities to follow when
39-24 considering privacy issues that arise in connection with requests
39-25 for public information. The guidelines shall address procedural
39-26 safeguards, legal issues, and other issues that in the opinion of
40-1 the attorney general would help state and local governmental
40-2 entities comply with applicable law and recommended information
40-3 practices when handling personal information.
40-4 (b) The guidelines do not create exceptions from required
40-5 disclosure under Chapter 552.
40-6 Sec. 559.102. OPEN RECORDS STEERING COMMITTEE; RECORDS
40-7 MANAGEMENT INTERAGENCY COORDINATING COUNCIL. (a) The open records
40-8 steering committee established under Section 552.009 shall
40-9 periodically study and determine the implications for the personal
40-10 privacy of individuals of putting information held by government on
40-11 the Internet and shall include its findings and recommendations in
40-12 reports the committee makes under Section 552.009.
40-13 (b) The Records Management Interagency Coordinating Council
40-14 established under Section 441.203 shall provide guidance and policy
40-15 direction to state and local governmental entities in appropriately
40-16 incorporating developments in electronic management of information
40-17 into their information management systems in ways that protect
40-18 personal privacy and promote efficient public access to public
40-19 information that is not excepted from required public disclosure.
40-20 (c) The Records Management Interagency Coordinating Council
40-21 shall study and assess efficient and effective ways in which:
40-22 (1) an individual could request and receive from a
40-23 state or local governmental entity information about the individual
40-24 that:
40-25 (A) the entity possesses or to which it has a
40-26 right of access; and
41-1 (B) the individual is entitled to receive under
41-2 Section 552.021 or 552.023;
41-3 (2) the individual could challenge the accuracy of the
41-4 information if the individual considers it to be incorrect; and
41-5 (3) the governmental entity can correct information
41-6 that is incorrect.
41-7 (d) A state or local governmental entity on request shall
41-8 assist the Records Management Interagency Coordinating Council in
41-9 performing its studies under Subsection (c) by responding to the
41-10 council's requests for information or opinion. The council shall
41-11 periodically report the results of its studies under Subsection (c)
41-12 and any related recommendations to the governor and the
41-13 legislature.
41-14 Sec. 559.103. ATTORNEY GENERAL STUDIES. The attorney
41-15 general shall study and periodically report recommendations to the
41-16 governor and the legislature regarding:
41-17 (1) ways in which laws could be enacted that would
41-18 balance the need for open government with the ability of
41-19 individuals to elect not to have personal information about the
41-20 individual released, especially when the release of that
41-21 information poses a significant danger to an individual; and
41-22 (2) circumstances under which, with respect to
41-23 personal information that a state or local governmental entity
41-24 possesses only because the individual who is the subject of the
41-25 information applied for or holds a license, permit, certificate, or
41-26 similar form of permission issued by the governmental entity that
42-1 the individual must obtain to engage in an activity, the
42-2 governmental entity should be allowed to release the personal
42-3 information to the public only with the prior informed consent of
42-4 the individual.
42-5 Sec. 559.104. COMPTROLLER STUDY: MODIFYING INFORMATION
42-6 MANAGEMENT SYSTEMS' USE OF PERSONAL IDENTIFIERS. (a) The
42-7 comptroller shall study and make recommendations to the governor,
42-8 the legislature, and affected state governmental entities regarding
42-9 efficient and effective ways in which state governmental entities
42-10 could modify their information management systems so that personal
42-11 identifiers, such as social security numbers, are not used to track
42-12 individuals in a manner contrary to commonly held privacy
42-13 expectations. In making its recommendations under this section,
42-14 the comptroller shall include an estimate of the cost of modifying
42-15 an information management system in accordance with a
42-16 recommendation.
42-17 (b) The Department of Information Resources shall assist the
42-18 comptroller in making the study. Other state governmental entities
42-19 shall participate in the study at the invitation of the
42-20 comptroller.
42-21 SECTION 6. (a) Each state and local governmental entity
42-22 shall examine its records retention schedule and amend the schedule
42-23 so that it complies with Section 559.053, Government Code, as added
42-24 by this Act.
42-25 (b) The comptroller of public accounts shall make initial
42-26 recommendations to the governor, the legislature, and any affected
43-1 state governmental entities under Section 559.104, Government Code,
43-2 as added by this Act, not later than November 1, 2002.
43-3 (c) The Records Management Interagency Coordinating Council
43-4 shall make initial recommendations to the governor and the
43-5 legislature under Subsection (d), Section 559.102, Government Code,
43-6 as added by this Act, not later than November 1, 2002.
43-7 SECTION 1. TASK FORCE ON PERSONAL PRIVACY. (a) The
43-8 lieutenant governor and the speaker of the house of representatives
43-9 shall establish a joint interim task force to study issues
43-10 identified by this Act that affect personal privacy.
43-11 (b) The lieutenant governor and the speaker of the house of
43-12 representatives shall each appoint five members to the task force.
43-13 (c) The task force shall elect a presiding officer and
43-14 assistant presiding officer from among its members.
43-15 (d) The task force shall meet at the times and places within
43-16 the state that the task force designates. The task force shall
43-17 develop and implement policies that provide the public with a
43-18 reasonable opportunity to appear before the task force and to speak
43-19 on any issue being studied by the task force.
43-20 (e) A legislative entity shall assist the task force at the
43-21 request of the lieutenant governor or the speaker of the house of
43-22 representatives, and a state agency in the executive branch of
43-23 state government shall assist the task force at the request of the
43-24 task force.
43-25 (f) Chapter 2110, Government Code, does not apply to the
43-26 size or composition of the task force or of the advisory committee
44-1 created under Section 2 of this Act.
44-2 SECTION 2. ADVISORY COMMITTEE. (a) The task force shall
44-3 appoint an advisory committee to assist it in performing its
44-4 duties.
44-5 (b) The advisory committee consists of the number of members
44-6 that the task force considers advisable. The task force shall
44-7 appoint an approximately equal number of members from the public
44-8 and private sectors. Public-sector appointments must include
44-9 representatives from state agencies such as the office of the
44-10 comptroller of public accounts, the office of the governor, the
44-11 office of the attorney general, the office of the state auditor,
44-12 the Department of Information Resources, the Texas Department of
44-13 Banking, and the Health and Human Services Commission.
44-14 Private-sector appointments must include individuals involved in
44-15 fields such as banking, marketing, the news media, medicine, and
44-16 information technology. The advisory committee must include
44-17 members who understand the implications that advances in
44-18 information technology have for personal privacy.
44-19 SECTION 3. ANALYSIS OF EXISTING AND PROPOSED LAW. (a) The
44-20 task force shall identify and analyze existing and proposed privacy
44-21 statutes and rules of this state, other states, and the federal
44-22 government. In performing an analysis under this subsection, the
44-23 task force shall address the extent to which the existing or
44-24 proposed privacy statutes and rules:
44-25 (1) benefit individuals;
44-26 (2) impose financial, efficiency, or lost opportunity
45-1 costs on governmental entities or private businesses; and
45-2 (3) benefit commerce or benefit governmental
45-3 effectiveness or efficiency by creating an environment in which
45-4 individuals are more likely to willingly divulge information about
45-5 themselves.
45-6 (b) The task force shall identify and analyze other existing
45-7 and proposed statutes and rules of this state, other states, and
45-8 the federal government with respect to the manner in which the
45-9 statutes and rules affect individual privacy. In performing an
45-10 analysis under this subsection, the task force shall address the
45-11 extent to which existing or proposed statutes and rules that affect
45-12 individual privacy:
45-13 (1) impose burdens on individuals, adversely affect
45-14 individuals' lives, or contravene commonly held expectations of
45-15 individual privacy;
45-16 (2) benefit governmental entities or private
45-17 businesses with respect to increased revenues or financial gain,
45-18 increased efficiency, or increased opportunities; and
45-19 (3) affect commerce or affect governmental
45-20 effectiveness or efficiency by creating an environment in which
45-21 individuals become less likely to willingly divulge information
45-22 about themselves.
45-23 (c) The office of the attorney general shall coordinate with
45-24 and assist the task force in performing legal analyses under this
45-25 section.
45-26 SECTION 7. STUDY REGARDING CONSENT TO DISCLOSURE. (a) In
46-1 this section, "personal information" means information about an
46-2 individual such as:
46-3 (1) the individual's address, telephone number, social
46-4 security number, date of birth, physical characteristics, and
46-5 similar information about the individual;
46-6 (2) information about an individual's marital status
46-7 or history, whether the individual has family members, and
46-8 information about the individual's family members; and
46-9 (3) personally identifiable information about the
46-10 individual's health or health history, finances or financial
46-11 history, and consumer history.
46-12 (b) The task force shall conduct a study regarding the
46-13 advantages, disadvantages, and feasibility of requiring by law in
46-14 various circumstances that certain personal information may be
46-15 released by a governmental entity or a private business only with
46-16 the prior informed consent of the individual.
46-17 SECTION 8. REPORT. The task force shall report the results
46-18 of its study and its recommendations to the lieutenant governor and
46-19 the speaker of the house of representatives by not later than
46-20 November 1, 2002. The task force shall include in its report its
46-21 conclusions regarding the advisability of enacting legislation with
46-22 respect to each of the topics that the task force studied.
46-23 SECTION 9. EXPIRATION DATE. The task force and advisory
46-24 committee are abolished September 1, 2003.
46-25 SECTION 10. Section 1 of this Act takes effect September 1,
46-26 2003.
47-1 SECTION 11. Except as provided in Section 10, this Act takes
47-2 effect immediately if it receives a vote of two-thirds of all the
47-3 members elected to each house, as provided by Section 39, Article
47-4 III, Texas Constitution. If this Act does not receive the vote
47-5 necessary for immediate effect, this Act takes effect September 1,
47-6 2001.