79R14497 E
By: Chavez H.B. No. 486
Substitute the following for H.B. No. 486:
By: Merritt C.S.H.B. No. 486
A BILL TO BE ENTITLED
AN ACT
relating to the transmission of certain health information to a
site outside the United States; providing penalties.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 181.001(b)(2), Health and Safety Code,
is amended to read as follows:
(2) "Covered entity" means any person who:
(A) for commercial, financial, or professional
gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro
bono basis, engages, in whole or in part, and with real or
constructive knowledge, in the practice of creating, transcribing,
assembling, collecting, analyzing, using, evaluating, storing, or
transmitting protected health information. The term includes a
business associate, health care payer, governmental unit,
information or computer management entity, school, health
researcher, health care facility, clinic, health care provider, or
person who maintains an Internet site;
(B) comes into possession of protected health
information;
(C) obtains or stores protected health
information under this chapter; or
(D) is an employee, agent, or contractor of a
person described by Paragraph (A), (B), or (C) insofar as the
employee, agent, or contractor creates, receives, obtains,
maintains, uses, or transmits protected health information.
SECTION 2. Chapter 181, Health and Safety Code, is amended
by adding Subchapter G to read as follows:
SUBCHAPTER G. TRANSMISSION OF CERTAIN INFORMATION
Sec. 181.301. PROHIBITED DISCLOSURE. (a) A covered entity
is prohibited from disclosing protected health information to a
person or site outside the United States except as provided by
Subsection (b) and Section 181.304.
(b) A covered entity that provides an individual with a
notice of privacy practices, as described by Section 181.302, and
obtains written authorization from that individual that the
disclosure is allowed, as described by Section 181.303, may
disclose protected health information to a person or site outside
the United States.
Sec. 181.302. NOTICE REQUIREMENTS. (a) A covered entity
shall provide a notice of privacy practices that informs an
individual that the covered entity may disclose the individual's
protected health information to a person or site outside the United
States. The notice may be provided separately or may be added to a
notice required by 45 C.F.R. Section 164.520 in bold print and in a
conspicuous location.
(b) The notice must include:
(1) a statement that the covered entity may disclose
protected health information to a person or site outside the United
States;
(2) the specific purpose or purposes for the
disclosure;
(3) a statement informing the individual of the right
to refuse the authorization;
(4) a statement that the covered entity may not
discriminate against the individual for refusing to provide the
authorization; and
(5) the signature of the individual or personal
representative of the individual.
Sec. 181.303. AUTHORIZATION REQUIREMENTS. The written
authorization described by Section 181.301 must include the
following information:
(1) a specific and meaningful description of the
information that may be disclosed;
(2) the name, location, and other identifying
information of the person or class of persons to whom disclosure may
be made;
(3) a specific and meaningful description of each
purpose or reason a disclosure is authorized;
(4) the date that the authorization will expire, which
must be not later than one year from the date the authorization is
signed unless the purpose of the disclosure is for research or
another defined event that will exceed one year, in which case the
authorization may expire on the end date of the research or defined
event;
(5) a dated signature of the individual or personal
representative of the individual and, if a personal representative
signs for an individual, the authorization must state the authority
of the personal representative to act on behalf of the individual;
(6) a statement that the individual has the right to
revoke the authorization and that treatment cannot be conditioned
on providing the authorization;
(7) a statement that the covered entity is subject to
the penalties and disciplinary actions authorized by Subchapter E
for unauthorized disclosures that are not consistent with the
authorization; and
(8) a statement that the covered entity may be liable
for unauthorized disclosures by a person that receives information
directly from the covered entity under a business associate
agreement or contract but may not be liable for subsequent
unauthorized disclosures.
Sec. 181.304. EXCEPTION FOR CERTAIN DISCLOSURES. This
subchapter does not apply to a transmittal of individually
identifiable health information:
(1) to the extent the use or disclosure is permitted by
45 C.F.R. Section 164.512;
(2) that occurs because an individual initiates a
request for health care services, diagnosis, or treatment outside
the United States;
(3) to the extent required by law or regulation;
(4) for public health purposes; or
(5) for the purpose of:
(A) collecting or reporting information about an
adverse event or product defect for a product or activity regulated
by the United States Food and Drug Administration;
(B) tracking a product regulated by the United
States Food and Drug Administration;
(C) enabling a recall or post-marketing
surveillance activity or study of a product regulated by the United
States Food and Drug Administration; or
(D) conducting or gathering or reporting data and
results of research studies.
Sec. 181.305. ENFORCEMENT. A person who violates this
subchapter is subject to the enforcement provisions of Subchapter
E.
SECTION 3. This Act takes effect September 1, 2005.