BILL ANALYSIS

 

 

Senate Research Center

H.B. 300

 

By: Kolkhorst et al. (Nelson)

 

Health & Human Services

 

5/14/2011

 

Engrossed

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

H.B. 300 amends current law relating to the privacy of protected health information and provides administrative and civil penalties.

 

RULEMAKING AUTHORITY

 

Rulemaking authority previously granted to the commissioner of health and human services is transferred to the executive commissioner of the Health and Human Services Commission in SECTION 3 (Section 181.005, Health and Safety Code) of this bill.

 

Rulemaking authority is expressly granted to the attorney general in SECTION 4 (Section 181.154, Health and Safety Code) and SECTION 9 (Section 181.206, Health and Safety Code) of this bill.

 

Rulemaking authority is expressly granted to the Health and Human Services Commission in SECTION 11 (Section 182.108, Health and Safety Code) of this bill.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1.  Amends Section 1801.001(b), Health and Safety Code, by amending Subdivisions (1) and (3) and adding Subdivisions (2-a) and (2-b), as follows:

 

(1)  Defines "commission."  Deletes existing definition of "commissioner."

 

(2-a)  Defines "disclose."

 

(2-b)  Defines "executive commissioner."

 

(3)  Redefines "Health Insurance Portability and Accountability Act and Privacy Standards."

 

SECTION 2.  Amends Subchapter A, Chapter 181, Health and Safety Code, by adding Section 181.004, as follows:

 

Sec. 181.004.  APPLICABILITY OF STATE AND FEDERAL LAW.  (a)  Requires that a covered entity, as that term is defined by 45 C.F.R. Section 160.103, comply with the Health Insurance Portability and Accountability Act and Privacy Standards (HIPAA).

 

(b)  Requires that a covered entity, as that term is defined by Section 181.001, subject to Section 181.051, comply with this chapter.

 

SECTION 3.  Amends Section 181.005, Health and Safety Code, as follows:

 

Sec. 181.005.  New heading:  DUTIES OF THE EXECUTIVE COMMISSIONER.  (a)  Requires the executive commissioner of the Health and Human Services Commission (executive commissioner), rather than the commissioner of health and human services, to administer this chapter, and authorizes the executive commissioner to adopt rules consistent with the Health Insurance Portability and Accountability Act and Privacy Standards to administer this chapter.

 

(b)  Requires the executive commissioner to review amendments to definitions in 45 C.F.R. Parts 160 and 164 that occur after September 1, 2011, rather than after August 14, 2002, and determine whether it is in the best interest of the state to adopt the amended federal regulations.  Makes conforming changes.

 

(c)-(d)  Makes conforming changes.

 

SECTION 4.  Amends Subchapter D, Chapter 181, Health and Safety Code, by adding Sections 181.153 and 181.154, as follows:

 

Sec. 181.153.  SALE OF PROTECTED HEALTH INFORMATION PROHIBITED; EXCEPTIONS.  (a)  Prohibits a covered entity from disclosing an individual's protected health information to any other person in exchange for direct or indirect remuneration, except that a covered entity may disclose an individual's protected health information:

 

(1)  to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001 (Definitions), Insurance Code, for the purpose of:

 

(A)  treatment;

 

(B)  payment;

 

(C)  health care operations; or

 

(D)  performing an insurance or health maintenance organization function described by Section 602.053 (Exceptions), Insurance Code; or

 

(2)  as otherwise authorized or required by state or federal law.

 

(b)  Prohibits the direct or indirect remuneration a covered entity receives for making a disclosure of protected health information authorized by Subsection (a)(1)(D) from exceeding the covered entity's reasonable costs of preparing or transmitting the protected health information.

 

Sec. 181.154.  NOTICE AND AUTHORIZATION REQUIRED FOR ELECTRONIC DISCLOSURE OF PROTECTED HEALTH INFORMATION; EXCEPTIONS.  (a) Requires a covered entity to provide notice to an individual for whom the covered entity creates or receives protected health information if the individual's protected health information is subject to electronic disclosure.  Authorizes a covered entity to provide general notice by:

 

(1)  posting a written notice in the covered entity's place of business;

 

(2)  posting a notice on the covered entity's Internet website; or

 

(3)  posting a notice in any other place where individuals whose protected health information is subject to electronic disclosure are likely to see the notice.

 

(b)  Prohibits a covered entity, except as provided by Subsection (c), from electronically disclosing an individual's protected health information to any person without a separate authorization from the individual or the individual's legally authorized representative for each disclosure.  Authorizes an authorization for disclosure under this subsection to be made in written or electronic form or in oral form if it is documented in writing by the covered entity.

 

(c)  Provides that the authorization for electronic disclosure of protected health information described by Subsection (b) is not required if the disclosure is made:

 

(1)  to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001, Insurance Code, for the purpose of:

 

(A)  treatment;

 

(B)  payment; or

 

(C)  health care operations; or

 

(2)  as authorized or required by state or federal law.

 

(d)  Requires the attorney general by rule to adopt a standard authorization form for use in complying with this section.  Requires that the form comply with HIPAA and this chapter.

 

(e)  Provides that this section does not apply to a covered entity, as defined by Section 602.001, Insurance Code, if that entity is not a covered entity as defined by 45 C.F.R. Section 160.103 or Section 181.001 of this code.

 

SECTION 5.  Amends Section 181.201, Health and Safety Code, by amending Subsection (c) and adding Subsections (d), (e), and (f), as follows:

 

(c)  Authorizes the court, if the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, to assess a civil penalty not to exceed $1.5 million annually, rather than not to exceed $250,000.

 

(d)  Requires the court, in determining the amount of a penalty imposed under Subsection (b), to consider:

 

(1)  the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

 

(2)  the covered entity's compliance history;

 

(3)  whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

 

(4)  whether the covered entity was certified at the time of the violation as described by Section 182.108;

 

(5)  the amount necessary to deter a future violation; and

 

(6)  the covered entity's efforts to correct the violation.

 

(e)  Authorizes the attorney general to institute an action against a covered entity that is licensed by a licensing agency of this state for a civil penalty under this section only if the licensing agency refers the violation to the attorney general under Section 181.202(2).

 

(f)  Authorizes the office of the attorney general to retain a reasonable portion of a civil penalty recovered under this section, not to exceed amounts specified in the General Appropriations Act, for the enforcement of this subchapter.

 

SECTION 6.  Amends Section 181.202, Health and Safety Code, as follows:

 

Sec. 181.202.  DISCIPLINARY ACTION.  Provides that, in addition to the penalties prescribed by this chapter, a violation of this chapter by a covered entity, rather than a violation of this chapter by an individual or facility, that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency.  Authorizes the agency, if there is evidence that the violations of this chapter are egregious and constitute a pattern or practice, to revoke the covered entity's license, rather than the individual's or facility's license, or refer the covered entity's case to the attorney general for the institution of an action for civil penalties under Section 181.201(b) (authorizing the attorney general to institute an action for civil penalties against a covered entity for a violation of this chapter).  Makes nonsubstantive changes.

 

SECTION 7.  Amends Subchapter E, Chapter 181, Health and Safety Code, by adding Section 181.204, as follows:

 

Sec. 181.204.  ADMINISTRATIVE PENALTY.  (a)  Authorizes the executive commissioner to impose an administrative penalty on a covered entity that is not licensed by a licensing agency of this state and that violates this chapter or a rule adopted under this chapter.

 

(b)  Prohibits the amount of the penalty from exceeding $3,000 for each violation, and provides that each day a violation continues or occurs is a separate violation for the purpose of imposing a penalty.  Requires that the amount be based on:

 

(1)  the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

 

(2)  the covered entity's compliance history;

 

(3)  whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

 

(4)  whether the covered entity was certified at the time of the violation as described by Section 182.108;

 

(5)  the amount necessary to deter a future violation; and

 

(6)  the covered entity's efforts to correct the violation.

 

(c)  Provides that the enforcement of the penalty may be stayed during the time the order is under judicial review if the covered entity pays the penalty to the clerk of the court or files a supersedeas bond with the court in the amount of the penalty.  Authorizes a covered entity that cannot afford to pay the penalty or file the bond to stay the enforcement by filing an affidavit in the manner required by the Texas Rules of Civil Procedure for a party who cannot afford to file security for costs, subject to the right of the executive commissioner to contest the affidavit as provided by those rules.

 

(d)  Authorizes the attorney general to sue to collect the penalty.

 

(e)  Provides that a proceeding to impose the penalty is a contested case under Chapter 2001 (Administrative Procedure), Government Code.

 

SECTION 8.  Amends Section 181.205, Health and Safety Code, by amending Subsection (b) and adding Subsection (c), as follows:

 

(b)  Requires a court or state agency, in determining the amount of a penalty imposed under other law in accordance with Section 181.202, to consider the following factors:

 

(1)  the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

 

(2)  the covered entity's compliance history;

 

(3)  whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

 

(4)  whether the covered entity was certified at the time of the violation as described by Section 182.108;

 

(5)  the amount necessary to deter a future violation; and

 

(6)  the covered entity's efforts to correct the violation.

 

(c)  Creates this subsection from existing text.  Requires a court or state agency, on receipt of evidence under Subsections (a) (authorizing a covered entity, in an action or proceeding to impose an administrative penalty or assess a civil penalty for actions related to the disclosure of individually identifiable health information, to introduce, as mitigating evidence, evidence of the entity's good faith efforts to comply with certain state law and HIPAA) and (b), rather than Subsection (a), to consider the evidence and mitigate imposition of an administrative penalty or assessment of a civil penalty accordingly.

 

SECTION 9.  Amends Subchapter E, Chapter 181, Health and Safety Code, by adding Sections 181.206, 181.207, 181.208, 181.209, and 181.210, as follows: 

 

Sec. 181.206.  RULES.  Authorizes the attorney general to adopt rules as necessary to enforce this chapter.

 

Sec. 181.207.  AUDITS OF COVERED ENTITIES.  (a)  Provides that the Health and Human Services Commission (HHSC), in coordination with the attorney general, the Texas Health Services Authority (THSA), and the Texas Department of Insurance (TDI):

 

(1)  may request that the United States secretary of health and human services conduct an audit of a covered entity in this state to determine compliance with HIPAA; and

 

(2)  is required to periodically monitor and review the results of audits of covered entities in this state conducted by the United States secretary of health and human services.

 

(b)  Authorizes HHSC, if it has evidence that a covered entity has committed violations of this chapter that are egregious and constitute a pattern or practice, to:

 

(1)  require the covered entity to submit to the commission the results of a risk analysis conducted by the covered entity as described by 45 C.F.R. Section 164.308(a)(1)(ii)(A); or

 

(2)  if the covered entity is licensed by a licensing agency of this state, request that the licensing agency conduct an audit of the covered entity's system to determine compliance with the provisions of this chapter.

 

Sec. 181.208.  REVIEW OF COMPLAINT BY COMMISSION.  (a)  Requires HHSC to review a complaint received from an individual or an individual's legally authorized representative alleging that a covered entity violated this chapter with respect to the individual's protected health information.

 

(b)  Requires HHSC to refer a complaint reviewed under Subsection (a) to the appropriate licensing agency or the attorney general, as applicable.

 

Sec. 181.209.  AUDIT AND COMPLAINT REPORT BY COMMISSION.  (a)  Requires HHSC to annually submit to the appropriate standing committees of the senate and the house of representatives a report that includes:

 

(1)  the number and types of complaints received by the commission regarding violations of this chapter;

 

(2)  enforcement action taken by the commission, a licensing agency, or the office of the attorney general under this chapter; and

 

(3)  the number of federal audits of covered entities in this state conducted and the number of audits required under Section 181.207(b).

 

(b)  Requires HHSC and THSA to each publish the report required by Subsection (a) on the agency's Internet website.

 

Sec. 181.210.  FUNDING.  Requires HHSC and TDI, in consultation with THSA, to apply for and actively pursue available federal funding for enforcement of this chapter.

 

SECTION 10.  Amends Section 182.002, Health and Safety Code, by adding Subdivisions (2-a), (3-a), and (3-b), to define "covered entity," "disclose," and "Health Insurance Portability and Accountability Act and Privacy Standards."

 

SECTION 11.  Amends Subchapter C, Chapter 182, Health and Safety Code, by adding Section 182.108, as follows:

 

Sec. 182.108.  STANDARDS FOR ELECTRONIC SHARING OF PROTECTED HEALTH INFORMATION; COVERED ENTITY CERTIFICATION.  (a) Requires THSA to develop and submit to HHSC for ratification privacy and security standards for the electronic sharing of protected health information.

 

(b)  Requires THSA to review and by rule adopt acceptable standards submitted for ratification under Subsection (a).

 

(c)  Requires that standards adopted under Subsection (b) be designed to:

 

(1)  comply with HIPAA and Chapter 181 (Medical Records Privacy);

 

(2)  comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity;

 

(3)  ensure the secure maintenance and disclosure of personally identifiable health information;

 

(4)  include strategies and procedures for disclosing personally identifiable health information; and

 

(5)  support a level of system interoperability with existing health record databases in this state that is consistent with emerging standards.

 

(d)  Requires THSA to establish a process by which a covered entity may apply for certification by the corporation of a covered entity's past compliance with standards adopted under Subsection (b).

 

(e)  Requires THSA to publish the standards adopted under Subsection (b) on the corporation's Internet website.

 

SECTION 12.  Amends Subchapter B, Chapter 602, Insurance Code, by adding Section 602.054, as follows:

 

Sec. 602.054.  COMPLIANCE WITH OTHER LAW.  Requires a covered entity to comply with:

 

(1)  Subchapter D (Prohibited Acts), Chapter 181, Health and Safety Code, except as otherwise provided by that subchapter; and

 

(2)  the standards adopted under Section 182.108, Health and Safety Code.

 

SECTION 13.  (a)  Defines, in this section, "unsustainable covered entity."

 

(b)  Requires HHSC, in consultation with THSA and the Texas Medical Board, to review issues regarding the security and accessibility of protected health information maintained by an unsustainable covered entity.

 

(c)  Requires HHSC, not later than December 1, 2012, to submit to the appropriate standing committees of the senate and the house of representatives recommendations for:

 

(1)  the state agency to which the protected health information maintained by an unsustainable covered entity should be transferred for storage;

 

(2)  ensuring the security of protected health information maintained by unsustainable covered entities in this state, including secure transfer methods from the covered entity to the state;

 

(3)  the method and period of time for which protected health information should be maintained by the state after transfer from an unsustainable covered entity;

 

(4)  methods and processes by which an individual should be able to access the individual's protected health information after transfer to the state; and

 

(5)  funding for the storage of protected health information after transfer to the state.

 

(d)  Provides that this section expires January 1, 2013.

 

SECTION 14.  (a) Provides that a task force on health information technology (task force) is created.

 

(b)  Provides that the task force is composed of:

 

(1)  11 members appointed by the attorney general with the advice of the chairs of the standing committees of the senate and house of representatives having primary jurisdiction over health information technology issues, including:

 

(A)  at least two physicians;

 

(B)  at least two individuals who represent hospitals; and

 

(C)  at least one private citizen who represents patient and parental rights; and

 

(2)  the following ex officio members:

 

(A)  the executive commissioner or an employee of HHSC designated by the executive commissioner;

 

(B)  the commissioner of the Department of State Health Services (DSHS) or an employee of DSHS designated by the commissioner; and

 

(C)  the presiding officer of THSA or an employee of the authority designated by the presiding officer.

 

(c)  Requires the attorney general, not later than December 1, 2012, to appoint the members of the task force and appoint a chair of the task force from among its membership.  Requires the chair of the task force to have expertise in:

 

(1)  state and federal health information privacy law;

 

(2)  patient rights; and

 

(3)  electronic signatures and other consent tools.

 

(d)  Requires the task force to develop recommendations regarding:

 

(1)  the improvement of informed consent protocols for the electronic exchange of protected health information, as that term is defined by HIPAA, as defined by Section 181.001, Health and Safety Code, as amended by this Act;

 

(2)  the improvement of patient access to and use of electronically maintained and disclosed protected health information for the purpose of personal health and coordination of health care services; and

 

(3)  any other critical issues, as determined by the task force, related to the exchange of protected health information.

 

(e)  Requires the task force, not later than January 1, 2014, to submit to the standing committees of the senate and house of representatives having primary jurisdiction over health information technology issues and THSA a report including the task force's recommendations under Subsection (d).

 

(f)  Requires THSA to publish the report submitted under Subsection (e) on the authority's Internet website.

 

(g)  Provides that this section expires February 1, 2014.

 

SECTION 15.  Provides that, not later than January 1, 2013:

 

(1)  the attorney general is required to adopt the form required by Section 181.154, Health and Safety Code, as added by this Act; and

 

(2)  HHSC is required to adopt the standards required by Section 182.108, Health and Safety Code, as added by this Act.

 

SECTION 16.  Provides that the change in law made by Section 181.154, Health and Safety Code, as added by this Act, applies only to an electronic disclosure of protected health information made on or after the effective date of this Act.  Provides that an electronic disclosure of protected health information made before the effective date of this Act is governed by the law in effect at the time the disclosure was made, and the former law is continued in effect for that purpose.

 

SECTION 17.  Effective date:  September 1, 2012.