S.B. No. 1136
AN ACT
relating to access to certain private medical information.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. The Legislature of the State of Texas finds that:
(1) the privacy requirements of the Health Insurance
Portability and Accountability Act of 1996 (Pub. L. No. 104-191)
and the privacy rules implementing these requirements contained in
45 C.F.R. Parts 160 and 164 give individuals important controls
over whether and how their protected health information is used and
disclosed for marketing purposes;
(2) with limited exceptions, the federal privacy
standards, as modified on August 14, 2002, require a health care
provider, health plan, or health care clearinghouse to obtain an
individual's written authorization before a use or disclosure of
the individual's protected health information can be made for
marketing;
(3) so as not to interfere with core health care
functions, the federal privacy standards and guidance documents
from the United States Department of Health and Human Services,
Office for Civil Rights, distinguish marketing communications from
certain treatment or health care operation activities;
(4) importing the marketing provisions under the
federal standards and guidance into state law will help clarify the
application of, and compliance with, state provisions that are
consistent with the federal privacy standards regarding marketing
communications;
(5) covered entities should be able to rely on the
federal guidance interpreting the marketing provisions under state
law that are consistent with the federal privacy standards without
sacrificing protection against improper use of protected health
information for marketing purposes; and
(6) this Act is necessary to safeguard uses and
disclosures of protected health information for marketing purposes
in this state consistent with the federal privacy standards and
federal guidance, to extend application of the federal privacy
standards regarding marketing communications to anyone that comes
into possession of protected health information, and to impose
stricter standards related to certain product-specific
communications that encourage a change in prescription drugs or
prescription medical devices.
SECTION 2. Subsection (b), Section 181.001, Health and
Safety Code, is amended to read as follows:
(b) In this chapter:
(1) "Commissioner" means the commissioner of health
and human services.
(2) "Covered entity" means any person who:
(A) for commercial, financial, or professional
gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro
bono basis, engages, in whole or in part, and with real or
constructive knowledge, in the practice of assembling, collecting,
analyzing, using, evaluating, storing, or transmitting protected
health information. The term includes a business associate, health
care payer, governmental unit, information or computer management
entity, school, health researcher, health care facility, clinic,
health care provider, or person who maintains an Internet site;
(B) comes into possession of protected health
information;
(C) obtains or stores protected health
information under this chapter; or
(D) is an employee, agent, or contractor of a
person described by Paragraph (A), (B), or (C) insofar as the
employee, agent, or contractor creates, receives, obtains,
maintains, uses, or transmits protected health information.
[(2) "Health care operations" has the meaning assigned
by the Health Insurance Portability and Accountability Act and
Privacy Standards. The term does not include marketing as
described in 45 C.F.R. Section 164.514(e) and any subsequent
amendments.]
(3) "Health Insurance Portability and Accountability
Act and Privacy Standards" means the privacy requirements in
existence on August 14, 2002, of the Administrative Simplification
subtitle of the Health Insurance Portability and Accountability Act
of 1996 (Pub. L. No. 104-191) contained in 45 C.F.R. Part 160 and 45
C.F.R. Part 164, Subparts A and E [and the final rules adopted on
December 28, 2000, and published at 65 Fed. Reg. 82798 et seq., and
any subsequent amendments].
(4) "Marketing" means:
(A) making a communication about a product or
service that encourages a recipient of the communication to
purchase or use the product or service, unless the communication is
made:
(i) to describe a health-related product or
service or the payment for a health-related product or service that
is provided by, or included in a plan of benefits of, the covered
entity making the communication, including communications about:
(a) the entities participating in a
health care provider network or health plan network;
(b) replacement of, or enhancement
to, a health plan; or
(c) health-related products or
services available only to a health plan enrollee that add value to,
but are not part of, a plan of benefits;
(ii) for treatment of the individual;
(iii) for case management or care
coordination for the individual, or to direct or recommend
alternative treatments, therapies, health care providers, or
settings of care to the individual; or
(iv) by a covered entity to an individual
that encourages a change to a prescription drug included in the
covered entity's drug formulary or preferred drug list;
(B) an arrangement between a covered entity and
any other entity under which the covered entity discloses protected
health information to the other entity, in exchange for direct or
indirect remuneration, for the other entity or its affiliate to
make a communication about its own product or service that
encourages recipients of the communication to purchase or use that
product or service; and
(C) notwithstanding Paragraphs (A)(ii) and
(iii), a product-specific written communication to a consumer that
encourages a change in products [the promotion or advertisement, by
a covered entity, of specific products or services if the covered
entity receives, directly or indirectly, a financial incentive or
remuneration for the use, access, or disclosure of protected health
information. Marketing does not include a communication for
treatment or health care operations by a health care provider,
health plan, or participants in an organized health care
arrangement or their affiliated covered entities or business
associates].
(5) "Product" means a prescription drug or
prescription medical device ["Protected health information" means
individually identifiable health information, including
demographic information collected from an individual, that:
[(A) relates to:
[(i) the past, present, or future physical
or mental health or condition of an individual;
[(ii) the provision of health care to an
individual; or
[(iii) the past, present, or future payment
for the provision of health care to an individual; and
[(B) identifies the individual or with respect to
which there is a reasonable basis to believe the information can be
used to identify the individual].
SECTION 3. Subsection (a), Section 181.002, Health and
Safety Code, is amended to read as follows:
(a) Except as provided by Section 181.205, this [This]
chapter does not affect the validity of another statute of this
state that provides greater confidentiality for information made
confidential by this chapter.
SECTION 4. Subchapter A, Chapter 181, Health and Safety
Code, is amended by adding Section 181.005 to read as follows:
Sec. 181.005. DUTIES OF THE COMMISSIONER. (a) The
commissioner shall administer this chapter and may adopt rules
consistent with the Health Insurance Portability and
Accountability Act and Privacy Standards to administer this
chapter.
(b) The commissioner shall review amendments to the
definitions in 45 C.F.R. Parts 160 and 164 that occur after August
14, 2002, and determine whether it is in the best interest of the
state to adopt the amended federal regulations. If the
commissioner determines that it is in the best interest of the state
to adopt the amended federal regulations, the amended regulations
shall apply as required by this chapter.
(c) In making a determination under this section, the
commissioner must consider, in addition to other factors affecting
the public interest, the beneficial and adverse effects the
amendments would have on:
(1) the lives of individuals in this state and their
expectations of privacy; and
(2) governmental entities, institutions of higher
education, state-owned teaching hospitals, private businesses, and
commerce in this state.
(d) The commissioner shall prepare a report of the
commissioner's determination made under this section and shall file
the report with the presiding officer of each house of the
legislature before the 30th day after the date the determination is
made. The report must include an explanation of the reasons for the
determination.
SECTION 5. Section 181.056, Health and Safety Code, is
amended to read as follows:
Sec. 181.056. AMERICAN RED CROSS. This chapter does not
prohibit the American Red Cross from accessing any information
necessary to perform its duties to provide biomedical services,
disaster relief, disaster communication, or emergency leave
verification services for military personnel.
SECTION 6. Section 181.152, Health and Safety Code, is
amended to read as follows:
Sec. 181.152. MARKETING USES OF INFORMATION. (a) A
covered entity must obtain clear and unambiguous permission in
written or electronic form to use or disclose protected health
information for any marketing communication, except if the
communication is:
(1) in the form of a face-to-face communication made
by a covered entity to an individual;
(2) in the form of a promotional gift of nominal value
provided by the covered entity;
(3) necessary for administration of a patient
assistance program or other prescription drug savings or discount
program; or
(4) made at the oral request of the individual [may not
disclose, use, or sell or coerce an individual to consent to the
disclosure, use, or sale of protected health information, including
prescription patterns, for marketing purposes without the consent
or authorization of the individual who is the subject of the
protected health information].
(b) If a covered entity uses or discloses protected health
information to send a [A] written marketing communication through
the mail, the communication must be sent in an envelope showing only
the names and addresses of sender and recipient and must:
(1) state the name and toll-free number of the [health
care] entity sending the marketing communication; and
(2) explain the recipient's right to have the
recipient's name removed from the sender's mailing list.
(c) A person who receives a request under Subsection (b)(2)
to remove a person's name from a mailing list shall remove the
person's name not later than the 45th [fifth] day after the date the
person receives the request.
(d) A marketing communication made at the oral request of
the individual under Subsection (a)(4) may be made only if clear and
unambiguous oral permission for the use or disclosure of the
protected health information is obtained. The marketing
communication must be limited to the scope of the oral permission
and any further marketing communication must comply with the
requirements of this section.
SECTION 7. Subchapter E, Chapter 181, Health and Safety
Code, is amended by adding Section 181.205 to read as follows:
Sec. 181.205. MITIGATION. (a) In an action or proceeding
to impose an administrative penalty or assess a civil penalty for
actions related to the disclosure of individually identifiable
health information, a covered entity may introduce, as mitigating
evidence, evidence of the entity's good faith efforts to comply
with:
(1) state law related to the privacy of individually
identifiable health information; or
(2) the Health Insurance Portability and
Accountability Act and Privacy Standards.
(b) On receipt of evidence under Subsection (a), a court or
state agency shall consider the evidence and mitigate imposition of
an administrative penalty or assessment of a civil penalty
accordingly.
SECTION 8. Chapter 181, Health and Safety Code, is amended
by adding Subchapter F to read as follows:
SUBCHAPTER F. PREEMPTION OF STATE LAW
Sec. 181.251. STATE LAW PREEMPTION ANALYSIS. The office of
the attorney general shall perform an analysis of state law to
determine which provisions of state law related to the privacy of
individually identifiable health information are preempted by the
Health Insurance Portability and Accountability Act and Privacy
Standards.
Sec. 181.252. TASK FORCE. (a) The office of the attorney
general may establish a task force to assist and advise the attorney
general in performing the state law preemption analysis.
(b) The attorney general shall adopt a plan of operation for
the task force. The plan must include qualifications for the
members of the task force.
(c) The attorney general may appoint as many members to the
task force as the attorney general determines are necessary. In
making appointments to the task force the attorney general shall
consider any appropriate factor, including a person's expertise. A
task force must include:
(1) a public member;
(2) a member from the Texas State Board of Medical
Examiners;
(3) a member employed by a hospital licensed in this
state; and
(4) a member employed by a pharmaceutical
manufacturer.
(d) Two or more members of the task force may not be
employees or officers of the same company or organization.
(e) A person may not be a public member of the task force if
the person is:
(1) required to register as a lobbyist under Chapter
305, Government Code; or
(2) related to a person required to register as a
lobbyist under Chapter 305, Government Code, within the second
degree of affinity or consanguinity.
(f) Members of the task force may not receive compensation
from the state for service on the task force.
Sec. 181.253. REPORT TO LEGISLATURE. (a) Not later than
November 1, 2004, the attorney general shall file a report with the
presiding officer of each house of the legislature that identifies
the laws the attorney general believes are preempted by the Health
Insurance Portability and Accountability Act and Privacy
Standards.
(b) The report must contain the attorney general's
recommendations for legislation to make the state laws consistent
with the Health Insurance Portability and Accountability Act and
Privacy Standards.
Sec. 181.254. EXPIRATION. This subchapter expires
September 1, 2005.
SECTION 9. Sections 181.004 and 181.204 and Subchapter C,
Chapter 181, Health and Safety Code, are repealed.
SECTION 10. (a) Except as provided by Subsection (b) of
this section, this Act takes effect September 1, 2003.
(b) The changes in law made by this Act to Subdivision (4),
Subsection (b), Section 181.001, and Section 181.152, Health and
Safety Code, take effect January 1, 2004.
______________________________ ______________________________
President of the Senate Speaker of the House
I hereby certify that S.B. No. 1136 passed the Senate on
May 1, 2003, by the following vote: Yeas 31, Nays 0.
______________________________
Secretary of the Senate
I hereby certify that S.B. No. 1136 passed the House on
May 23, 2003, by a non-record vote.
______________________________
Chief Clerk of the House
Approved:
______________________________
Date
______________________________
Governor