SECTION 1. Section 181.001(b), Health and Safety Code, is amended by amending Subdivisions (1), (3), and (4) and adding Subdivision (2-a) to read as follows:

(1) "Commission" [~~"Commissioner"~~] means the Health and Human Services Commission [~~commissioner of health and human services~~].

(2-a) "Executive commissioner" means the executive commissioner of the Health and Human Services Commission.

(3) "Health Insurance Portability and Accountability Act and Privacy Standards" means the privacy requirements in existence on September 1, 2011 [~~August 14, 2002~~], of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E.

(4) "Marketing" means:

(A) making a communication about a product or service that encourages a recipient of the communication to purchase, [or] use, or request the product or service, unless the communication is made:

(i) to describe a health-related product or service or the payment for a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:

(a) the entities participating in a health care provider network or health plan network;

(b) replacement of, or enhancement to, a health plan; or

(c) health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;

(ii) for treatment of the individual;

(iii) for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual; or

(iv) by a covered entity to an individual that encourages a change to a prescription drug included in the covered entity's drug formulary or preferred drug list; and

(B) [an arrangement between a covered entity and any other entity under which the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service; and

[~~(C)~~] notwithstanding Paragraphs (A)(ii) and (iii), a product-specific written communication to a consumer that encourages a change in products.

SECTION 2. Section 181.005, Health and Safety Code, is amended to read as follows:

Sec. 181.005. DUTIES OF THE EXECUTIVE COMMISSIONER. (a) The executive commissioner shall administer this chapter and may adopt rules consistent with the Health Insurance Portability and Accountability Act and Privacy Standards to administer this chapter.

(b) The executive commissioner shall review amendments to the definitions in 45 C.F.R. Parts 160 and 164 that occur after September 1, 2011 [~~August 14, 2002~~], and determine whether it is in the best interest of the state to adopt the amended federal regulations. If the executive commissioner determines that it is in the best interest of the state to adopt the amended federal regulations, the amended regulations shall apply as required by this chapter.

(c) In making a determination under this section, the executive commissioner must consider, in addition to other factors affecting the public interest, the beneficial and adverse effects the amendments would have on:

(1) the lives of individuals in this state and their expectations of privacy; and

(2) governmental entities, institutions of higher education, state-owned teaching hospitals, private businesses, and commerce in this state.

(d) The executive commissioner shall prepare a report of the executive commissioner's determination made under this section and shall file the report with the presiding officer of each house of the legislature before the 30th day after the date the determination is made. The report must include an explanation of the reasons for the determination.

SECTION 3. Chapter 181, Health and Safety Code, is amended by adding Subchapter C to read as follows:

SUBCHAPTER C. ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION

Sec. 181.101. COMMISSION RULES. The executive commissioner shall adopt rules consistent with the Health Insurance Portability and Accountability Act and Privacy Standards relating to sharing or exchanging protected health information.

Sec. 181.102. TRAINING REQUIRED. (a) Each covered entity shall provide a training program to employees of the covered entity regarding the state and federal law concerning protected health information as it relates to:

(1) the covered entity's particular course of business; and

(2) each employee's scope of employment.

(b) An employee of a covered entity must complete training described by Subsection (a) not later than the 60th day after the date the employee is hired by the covered entity.

(d) A covered entity shall require an employee of the entity who attends a training program described by Subsection (a) to sign, electronically or in writing, a statement verifying the employee's attendance at the training program. The covered entity shall maintain the signed statement.

Sec. 181.103. NOTIFICATION AND ACCEPTANCE REQUIRED. (a) Except as provided by Subsection (c), before a state agency electronically disseminates protected health information to another person or allows the other person to electronically access protected health information maintained by the agency:

(1) the state agency in writing must notify the other person of legal restrictions on the use and disclosure of the protected health information to be disseminated or accessed; and

(2) the person who receives notice from the state agency under Subdivision (1) must acknowledge, electronically or in writing, receipt, understanding, and acceptance of the restrictions on use and disclosure of the protected health information to be received or accessed.

(b) The written notice and acknowledgment required by Subsection (a) may be satisfied by an existing written agreement between a state agency and a person.

(c) The written notice and acknowledgment required by Subsection (a) is not required for a disclosure of protected health information from a state agency to:

(1) the individual whose protected health information is being disclosed; or

(2) a legally authorized representative of the individual described by Subdivision (1).

Sec. 181.104. CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS. (a) Except as provided by Subsection (b), if a health care provider is using an electronic health records system that is capable of fulfilling the request, the health care provider, not later than the 15th business day after the date the health care provider receives a written request from a person for the person's electronic health record, shall provide the requested record to the person in electronic form unless the person agrees to accept the record in another form.

(b) A health care provider is not required to provide access to a person's protected health information that is excepted from access, or to which access may be denied, under 45 C.F.R. Section 164.524.

(c) For purposes of Subsection (a), the executive commissioner, in consultation with the Department of State Health Services, the Texas Medical Board, and the Texas Department of Insurance, by rule may recommend a standard electronic format for the release of requested health records. The standard electronic format recommended under this section must be consistent, if feasible, with federal law regarding the release of electronic health records.

Sec. 181.105. CONSUMER INFORMATION WEBSITE. The attorney general shall maintain an Internet website that provides:

(1) information concerning a consumer's privacy rights regarding protected health information under federal and state law;

(2) a list of the state agencies, including the Department of State Health Services, the Texas Medical Board, and the Texas Department of Insurance, that regulate covered entities in this state and the types of entities each agency regulates;

(3) detailed information regarding each agency's complaint enforcement process; and

(4) contact information, including the address of the agency's Internet website, for each agency listed under Subdivision (2) for reporting a violation of this chapter.

Sec. 181.106. CONSUMER COMPLAINT REPORT BY ATTORNEY GENERAL. (a) The attorney general annually shall submit to the legislature a report describing:

(1) the number and types of complaints received by the attorney general and by the state agencies receiving consumer complaints under Section 181.105; and

(2) the enforcement action taken in response to each complaint reported under Subdivision (1).

(b) Each state agency that receives consumer complaints under Section 181.105 shall submit to the attorney general, in the form required by the attorney general, the information the attorney general requires to compile the report required by Subsection (a).

(c) The attorney general shall deidentify protected health information from the individual to whom the information pertains before including the information in the report required by Subsection (a).

SECTION 4. Subchapter D, Chapter 181, Health and Safety Code, is amended by adding Section 181.153 to read as follows:

Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION PROHIBITED; REMUNERATION OF AGENTS AND CONTRACTORS AUTHORIZED. (a) Except as provided by Subsection (b), a covered entity may not disclose protected health information to any person in exchange for direct or indirect remuneration.

(b) A covered entity may disclose protected health information in exchange for remuneration only:

(1) for purposes of:

(D) public health activities;

(E) research or clinical investigation, as described by 42 U.S.C. Section 17935(d)(2)(B) and 21 C.F.R. Section 312.3; or

(F) providing the protected health information to the individual who is the subject of the protected health information; or

(2) as otherwise permitted or required by state or federal law.

(c) This section does not prohibit a covered entity from disclosing protected health information to and giving remuneration to an agent or contractor of the covered entity in exchange for engaging in an activity authorized by state or federal law involving the exchange of protected health information that the agent or contractor undertakes on behalf of and at the specific request of the covered entity pursuant to an agreement.

SECTION 5. Sections 181.201(b) and (c), Health and Safety Code, are amended to read as follows:

(b) In addition to the injunctive relief provided by Subsection (a), the attorney general may institute an action for civil penalties against a covered entity for a violation of this chapter. A civil penalty assessed under this section may not exceed:

(1) $5,000 [~~$3,000~~] for each violation committed negligently;

(2) $25,000 for each violation committed knowingly or intentionally; or

(3) $250,000 for each violation in which the covered entity knowingly or intentionally uses protected health information for financial gain.

(c) If the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, the court may assess a civil penalty in an amount the court finds necessary to deter future violations of this chapter [~~not to exceed $250,000~~].

SECTION 6. Section 521.053, Business & Commerce Code, is amended by amending Subsection (b) and adding Subsection (b-1) to read as follows:

(b) A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual [~~resident of this state~~] whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b-1) Notwithstanding Subsection (b), the requirements of Subsection (b) apply only if the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of this state or another state that does not require a person described by Subsection (b) to notify the individual of a breach of system security. If the individual is a resident of a state that requires a person described by Subsection (b) to provide notice of a breach of system security, the notice of the breach of system security provided under that state's law satisfies the requirements of Subsection (b).

SECTION 7. Section 521.151, Business & Commerce Code, is amended by adding Subsection (a-1) to read as follows:

(a-1) In addition to penalties assessed under Subsection (a), a person who fails to take reasonable action to comply with Section 521.053(b) is liable to this state for a civil penalty of not more than $100 for each individual to whom notification is due under that subsection for each consecutive day that the person fails to take reasonable action to comply with that subsection. Civil penalties under this section may not exceed $250,000 for all individuals to whom notification is due after a single breach. The attorney general may bring an action to recover the civil penalties imposed under this subsection.

SECTION 8. Section 522.002(b), Business & Commerce Code, is amended to read as follows:

(b) An offense under this section is a Class B misdemeanor, except that the offense is a state jail felony if the information accessed, read, scanned, stored, or transferred by the person was protected health information as defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.

SECTION 9. Section 531.001, Government Code, is amended by adding Subdivision (4-a) to read as follows:

(4-a) "Protected health information" has the meaning assigned by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.

SECTION 10. Section 531.0315(a), Government Code, is amended to read as follows:

(a) Each health and human services agency and every other state agency that acts as a health care provider or a claims payer for the provision of health care shall[:

[~~(1)~~] process information related to health care in compliance with national data interchange standards adopted under Subtitle F, Title II, Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and its subsequent amendments, within the applicable deadline established under federal law or federal regulations[~~; or~~

[~~(2)~~ ~~demonstrate to the commission the reasons the agency should not be required to comply with Subdivision (1), and obtain the commission's approval, to the extent allowed under federal law:~~

[~~(A)~~ ~~to comply with the standards at a later date; or~~

[~~(B)~~ ~~to not comply with one or more of the standards~~].

SECTION 11. Subchapter B, Chapter 531, Government Code, is amended by adding Section 531.0994 to read as follows:

Sec. 531.0994. STUDY; ANNUAL REPORT. (a) The commission, in consultation with the Department of State Health Services, the Texas Medical Board, and the Texas Department of Insurance, shall explore and evaluate new developments in safeguarding protected health information.

(b) Not later than December 1 each year, the commission shall report to the legislature on new developments in safeguarding protected health information and recommendations for the implementation of safeguards within the commission.

SECTION 12. Section 31.03(f), Penal Code, is amended to read as follows:

(f) An offense described for purposes of punishment by Subsections (e)(1)-(6) is increased to the next higher category of offense if it is shown on the trial of the offense that:

(1) the actor was a public servant at the time of the offense and the property appropriated came into the actor's custody, possession, or control by virtue of his status as a public servant;

(2) the actor was in a contractual relationship with government at the time of the offense and the property appropriated came into the actor's custody, possession, or control by virtue of the contractual relationship;

(3) the owner of the property appropriated was at the time of the offense:

(A) an elderly individual; or

(B) a nonprofit organization; [or]

(4) the actor was a Medicare provider in a contractual relationship with the federal government at the time of the offense and the property appropriated came into the actor's custody, possession, or control by virtue of the contractual relationship; or

(5) the property appropriated was a document containing protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.

SECTION 13. Section 32.51(c-1), Penal Code, is amended to read as follows:

(c-1) An offense described for purposes of punishment by Subsections (c)(1)-(3) is increased to the next higher category of offense if it is shown on the trial of the offense that:

(1) the offense was committed against an elderly individual as defined by Section 22.04; or

(2) the information obtained, possessed, transferred, or used in the commission of the offense was protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.

SECTION 14. Section 33.02(b), Penal Code, is amended to read as follows:

(b) An offense under this section is a Class B misdemeanor unless in committing the offense the actor knowingly obtains a benefit, defrauds or harms another, or alters, damages, or deletes property, in which event the offense is:

(1) a Class A misdemeanor if the aggregate amount involved is less than $1,500;

(2) a state jail felony if:

(A) the aggregate amount involved is $1,500 or more but less than $20,000; [or]

(B) the aggregate amount involved is less than $1,500 and the defendant has been previously convicted two or more times of an offense under this chapter; or

(C) the actor accesses protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code;

(3) a felony of the third degree if the aggregate amount involved is $20,000 or more but less than $100,000;

(4) a felony of the second degree if the aggregate amount involved is $100,000 or more but less than $200,000; or

(5) a felony of the first degree if the aggregate amount involved is $200,000 or more.

SECTION 15. Section 35A.02, Penal Code, is amended by adding Subsections (b-1) and (b-2) to read as follows:

(b-1) Except as provided by Subsection (b-2), the punishment prescribed for an offense under this section is increased to the punishment prescribed for the next highest category of offense if it is shown on the trial of the offense that protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code, was used in the commission of the offense.

(b-2) The punishment for an offense described by this section may not be increased under Subsection (b-1) if the offense is punishable as a felony of the first degree.

SECTION 16. Section 531.0315(b), Government Code, is repealed.

SECTION 17. Not later than May 1, 2012, the executive commissioner of the Health and Human Services Commission shall adopt rules as required by Section 181.101, Health and Safety Code, as added by this Act.

SECTION 18. (a) Not later than May 1, 2012, the attorney general shall establish the Internet website required by Section 181.105, Health and Safety Code, as added by this Act.

(b) Not later than December 1, 2013, the attorney general shall submit the initial report required by Section 181.106, Health and Safety Code, as added by this Act.

SECTION 19. Not later than December 1, 2013, the Health and Human Services Commission shall submit the initial report required by Section 531.0994, Government Code, as added by this Act.

SECTION 20. The changes in law made by Section 181.201, Health and Safety Code, as amended by this Act, Section 521.053, Business & Commerce Code, as amended by this Act, and Section 521.151(a-1), Business & Commerce Code, as added by this Act, apply only to conduct that occurs on or after the effective date of this Act. Conduct that occurs before the effective date of this Act is governed by the law in effect at the time the conduct occurred, and the former law is continued in effect for that purpose.

SECTION 21. The changes in law made by Section 522.002, Business & Commerce Code, and Sections 31.03, 32.51, and 33.02, Penal Code, as amended by this Act, and Sections 35A.02(b-1) and (b-2), Penal Code, as added by this Act, apply only to an offense committed on or after the effective date of this Act. An offense committed before the effective date of this Act is governed by the law in effect at the time the offense was committed, and the former law is continued in effect for that purpose. For purposes of this section, an offense was committed before the effective date of this Act if any element of the offense was committed before that date.

This website will be unavailable from Thursday, May 30, 2024 at 6:00 p.m. through Monday, June 3, 2024 at 7:00 a.m. due to data center maintenance.