BILL ANALYSIS

C.S.H.B. 300

By: Kolkhorst

Public Health

Committee Report (Substituted)

BACKGROUND AND PURPOSE

Provisions of recent federal legislation establish incentives designed to increase the adoption of electronic health record systems among certain health care providers.  The expanded use of such systems is likely to lead to the expansion of the electronic exchange of protected health information, which may require stronger state laws to better ensure the protection of that information.  C.S.H.B. 300 seeks to increase privacy and security protections for protected health information.

RULEMAKING AUTHORITY

It is the committee's opinion that rulemaking authority is expressly granted to the attorney general in SECTIONS 4 and 9 and to the executive commissioner of the Health and Human Services Commission in SECTION 11 of this bill.

ANALYSIS

Section 531.0055, Government Code, as amended by Chapter 198 (H.B. 2292), Acts of the 78th Legislature, Regular Session, 2003, expressly grants to the executive commissioner of the Health and Human Services Commission all rulemaking authority for the operation of and provision of services by the health and human services agencies.  Similarly, Sections 1.16-1.29, Chapter 198 (H.B. 2292), Acts of the 78th Legislature, Regular Session, 2003, provide for the transfer of a power, duty, function, program, or activity from a health and human services agency abolished by that act to the corresponding legacy agency. To the extent practical, this bill analysis is written to reflect any transfer of rulemaking authority and to update references as necessary to an agency's authority with respect to a particular health and human services program. 

C.S.H.B. 300 amends the Health and Safety Code to require a covered entity, as that term is defined by provisions of the federal Health Insurance Portability and Accountability Act of 1996, to comply with the federal Health Insurance Portability and Accountability Act and Privacy Standards and requires a covered entity, as that term is defined under state medical records privacy laws, to comply with those privacy laws.

C.S.H.B. 300 prohibits a covered entity from disclosing an individual's protected health information to any other person in exchange for remuneration and excepts a covered entity from the prohibition if the disclosure is made to another covered entity, as defined under state medical records privacy laws or Insurance Code provisions relating to privacy of health information, for the purpose of treatment, payment, or health care operations or if the disclosure is made as otherwise authorized or required by state or federal law. The bill requires a covered entity to provide notice to an individual for whom the covered entity creates or receives protected health information if the individual's protected health information is subject to electronic disclosure. The bill authorizes a covered entity to provide general notice by posting a written notice in the covered entity's place of business, posting a notice on the covered entity's Internet website, or posting a notice in any other place where individuals whose protected health information is subject to electronic disclosure are likely to see the notice.

C.S.H.B. 300 prohibits a covered entity from making an electronic disclosure of an individual's protected health information to any person without a separate authorization from the individual or the individual's legally authorized representative for each disclosure. The bill authorizes such an authorization to be made in written or electronic form or in oral form if it is documented in writing by the covered entity. The bill excepts a covered entity from the requirement to obtain such authorization if the electronic disclosure is made to another covered entity, as defined under state medical records privacy law or Insurance Code provisions relating to privacy of health information, for the purpose of treatment, payment, or health care operations or if the disclosure is made as otherwise authorized or required by state or federal law. The bill requires the attorney general, by rule, to adopt a standard authorization form for use in complying with the bill's provisions relating to required authorization not later than January 1, 2013, and requires the form to comply with the federal Health Insurance Portability and Accountability Act and Privacy Standards and with state medical records privacy laws.

C.S.H.B. 300 raises from $250,000 to $1.5 million annually the cap on the civil penalty a court may assess against a covered entity if the court finds that the covered entity's violations of state medical records privacy laws have occurred with a frequency to constitute a pattern or practice. The bill requires a court imposing such a civil penalty to consider certain specified factors in determining the amount of the penalty. The bill authorizes the attorney general to institute an action against a covered entity that is licensed by a licensing agency of the state for such a civil penalty only if the licensing agency refers the violation to the attorney general as authorized in a case in which there is evidence that a violation is serious and constitutes a pattern or practice. The bill authorizes the office of the attorney general to retain a reasonable portion of the assessed penalty, not to exceed the amounts specified in the General Appropriations Act, for the enforcement of state medical records privacy laws. The bill specifies that a violation of state medical records privacy laws is subject to certain disciplinary action in addition to the penalties prescribed under state medical records privacy laws if the violation is made by a covered entity, rather than by an individual or facility, that is licensed by an agency of the state and makes conforming changes. The bill authorizes a licensing agency, as an alternative to revoking the covered entity's license, to refer certain cases of violations of state medical records privacy laws by a covered entity to the attorney general for the institution of an action for civil penalties and specifies that the conditions under which a licensing agency is authorized to take such actions include that the violation is serious.

C.S.H.B. 300 authorizes the executive commissioner of the Health and Human Services Commission to impose an administrative penalty not to exceed $3,000 for each violation on a covered entity that is not licensed by a licensing agency of the state and that violates state medical records privacy laws or a rule adopted under those laws. The bill specifies that each day a violation continues or occurs is a separate violation for the purpose of imposing such an administrative penalty and sets out the matters on which the amount of the administrative penalty is required to be based. The bill authorizes the enforcement of such an administrative penalty to be stayed during the time the order is under judicial review if the covered entity pays the penalty to the clerk of the court or files a supersedeas bond with the court in the amount of the penalty. The bill authorizes a covered entity that cannot afford to pay the penalty or file the bond to stay the enforcement by filing an affidavit in the manner required by the Texas Rules of Civil Procedure for a party who cannot afford to file security for costs, subject to the right of the executive commissioner to contest the affidavit as provided by those rules. The bill authorizes the attorney general to sue to collect the administrative penalty and establishes that a proceeding to impose such a penalty is a contested case under the Administrative Procedure Act. The bill requires a court or state agency to consider certain specified factors in determining the amount of a penalty imposed under other law in accordance with provisions relating to disciplinary action taken against a licensed covered entity that violates state medical records privacy laws.

C.S.H.B. 300 authorizes the attorney general to adopt rules as necessary to enforce state medical records privacy laws. The bill authorizes the Health and Human Services Commission (HHSC), in coordination with the attorney general, the Texas Health Services Authority (THSA), and the Texas Department of Insurance (TDI), to request that the United States secretary of health and human services conduct an audit of a covered entity in Texas to determine compliance with the federal Health Insurance Portability and Accountability Act and Privacy Standards and requires HHSC, in coordination with those entities, to periodically monitor and review the results of audits of covered entities in Texas conducted by the United States secretary of health and human services. The bill authorizes HHSC to require a covered entity to conduct an audit of its system and to submit to HHSC the results of the audit. 

C.S.H.B. 300 requires HHSC to review a complaint received from an individual or an individual's legally authorized representative alleging that a covered entity violated state medical records privacy laws with respect to the individual's protected health information and requires HHSC to refer a reviewed complaint to the appropriate licensing agency or the attorney general, as applicable. The bill requires HHSC to annually submit a report to the appropriate standing committees of the senate and the house of representatives that includes the number and types of complaints received by HHSC regarding violations of state medical records privacy laws; enforcement action taken by HHSC, a licensing agency, or the office of the attorney general under those laws; and the number of federal audits of covered entities in Texas conducted and the number of system audits required of a covered entity by HHSC. The bill requires HHSC and THSA to each publish the report on the agency's Internet website. The bill requires HHSC and TDI, in consultation with THSA, to apply for and actively pursue available federal funding for enforcement of state medical records privacy laws.

C.S.H.B. 300 requires THSA to develop and submit to HHSC for ratification privacy and security standards for the electronic sharing of protected health information. The bill requires HHSC, not later than January 1, 2013, to review and by rule adopt acceptable standards submitted by THSA for ratification. The bill requires the standards to comply with the federal Health Insurance Portability and Accountability Act and Privacy Standards and state medical records privacy laws, comply with any other state or federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity, ensure the secure maintenance and disclosure of personally identifiable health information, include strategies and procedures for disclosing personally identifiable health information, and support a level of system interoperability with existing health record databases in Texas that is consistent with emerging standards. The bill requires THSA to establish a process by which a covered entity may apply for certification by THSA of a covered entity's past compliance with the standards and requires THSA to publish the standards on its Internet website.

C.S.H.B. 300 makes conforming changes to replace references to the commissioner of health and human services with references to the executive commissioner of HHSC in provisions of law relating to the duties of the executive commissioner regarding state medical records privacy law. The bill requires the executive commissioner to review amendments to the definitions in certain federal regulations relating to medical records privacy that occur after April 1, 2011, rather than August 14, 2002, for the purposes of determining whether it is in the best interest of the state to adopt the amended federal regulations.

C.S.H.B. 300 redefines "Health Insurance Portability and Accountability Act and Privacy Standards" for purposes relating to medical records privacy to mean the federal privacy requirements in existence on April 1, 2011, rather than August 14, 2002. The bill defines "commission," "covered entity," "disclose," and "executive commissioner."

C.S.H.B. 300 amends the Insurance Code to require a covered entity to comply with the provisions of state medical records privacy laws relating to prohibited acts and with the standards recommended by THSA and adopted by HHSC under the bill's provisions.

C.S.H.B. 300 adds a temporary provision, set to expire January 1, 2013, to require HHSC, in consultation with THSA and the Texas Medical Board, to review issues regarding the security and accessibility of protected health information maintained by an unsustainable covered entity, defined by the bill as a covered entity under state medical records privacy laws that ceases to operate. The bill requires HHSC, not later than December 1, 2012, to submit a report to the appropriate standing committees of the senate and the house of representatives containing recommendations relating to the transfer, administration, and security of such protected health information for storage with a state agency and access to such protected health information by an individual after the information has been transferred to the state. The bill defines "unsustainable covered entity."

C.S.H.B. 300 adds a temporary provision, set to expire February 1, 2014, to create a task force on health information technology. The bill establishes the composition of the members of the task force and requires the attorney general, not later than December 1, 2012, to appoint the members and to appoint a chair of the task force, who must have certain specified subject matter expertise. The bill requires the task force to develop recommendations regarding the improvement of informed consent protocols for the electronic exchange of protected health information; the improvement of patient access to and use of electronically maintained and disclosed protected health information for the purpose of personal health and coordination of health care services; and any other critical issues, as determined by the task force, related to the exchange of protected health information. The bill requires the task force, not later than January 1, 2014, to submit a report of its recommendations to the standing committees of the senate and house of representatives having primary jurisdiction over health information technology issues and to THSA. The bill requires THSA to publish the task force's report on its Internet website.

C.S.H.B. 300 makes conforming and nonsubstantive changes.

EFFECTIVE DATE

September 1, 2012.

COMPARISON OF ORIGINAL AND SUBSTITUTE

C.S.H.B. 300 differs from the original, in a bill provision establishing the applicability of certain state and federal laws to a covered entity, by limiting the applicability of a provision requiring a covered entity to comply with federal Health Insurance Portability and Accountability Act and Privacy Standards to a covered entity as defined under federal law. The substitute differs from the original, in the same bill provision, by requiring certain covered entities to comply with provisions of state medical records privacy law, whereas the original required a covered entity to comply with security standards adopted by the Texas Health Services Authority (THSA).

C.S.H.B. 300 omits provisions included in the original relating to access to and use of protected health information, including provisions requiring a covered entity to provide a requested record or accounting to an individual whose protected health information is contained in the record or accounting by a certain deadline and provisions relating to reasonable fees for copies of a requested record, the duties of a covered entity while maintaining and disclosing protected health information, and a minimum period of maintenance required for certain records of protected health information.

C.S.H.B. 300 contains provisions not included in the original making conforming changes to replace certain references to the commissioner of state health services with references to the executive commissioner of the Health and Human Services Commission and specifying that the executive commissioner is required to review amendments to the definitions in certain federal regulations that occur after April 1, 2011, rather than August 14, 2002, as in the original.

C.S.H.B. 300 differs from the original by specifying that provisions excepting a covered entity under certain circumstances from the prohibition against the disclosure of protected health information for remuneration are applicable to a disclosure to a covered entity as defined by certain specified provisions of law. The substitute contains a provision not included in the original excepting a covered entity from that prohibition if the covered entity discloses the protected health information as otherwise authorized or required by state or federal law.

C.S.H.B. 300 contains a provision not included in the original requiring a covered entity to provide notice to an individual for whom the covered entity creates or receives protected health information if the individual's protected health information is subject to electronic disclosure. The substitute contains a provision not included in the original authorizing a covered entity to provide general notice by posting notice in certain locations. The substitute differs from the original, in the bill provision prohibiting a covered entity from disclosing an individual's protected health information to any person without a separate authorization from the individual or the individual's legally authorized representative, by limiting that prohibition to an electronic disclosure. The substitute contains a provision not included in the original authorizing such an authorization, as an alternative to written or electronic form, to be made in oral form if it is documented in writing by the covered entity. The substitute contains a provision not included in the original excepting a covered entity from the requirement to obtain authorization for such an electronic disclosure if the disclosure is made to another covered entity for certain specified purposes or if the disclosure is made as authorized or required by state or federal law. The substitute omits a provision included in the original authorizing consent to disclose protected health information for medical treatment, payment of health care costs, or health care operations to be provided in a signed general authorization form. The substitute omits a provision included in the original authorizing the disclosure of protected health information to another person only as necessary to facilitate the individual's medical treatment under certain circumstances. The substitute contains a provision not included in the original requiring the standard authorization form adopted by attorney general rule to comply with the federal Health Insurance Portability and Accountability Act and Privacy Standards and with state medical records privacy laws.

C.S.H.B. 300 differs from the original by raising from $250,000 to $1.5 million annually the cap on the civil penalty a court may assess against a covered entity if the court finds that the covered entity's violations of state medical records privacy laws have occurred with a frequency to constitute a pattern or practice, whereas the original raises that cap to $5 million. The substitute contains a provision not included in the original requiring a court imposing such a civil penalty to consider certain specified factors in determining the amount of the penalty. The substitute contains a provision not included in the original authorizing the attorney general to institute an action against certain covered entities for such a civil penalty only if the licensing agency refers the violation to the attorney general. The substitute differs from the original by making provisions of law relating to disciplinary actions for violations of state medical records privacy laws applicable to a violation by a covered entity, whereas the original retains current law making such provisions applicable to a violation by an individual or facility. The substitute contains a provision not included in the original making a licensing agency's authority to revoke a covered entity's license or refer a case to the attorney general for the institution of an action for civil penalties contingent on evidence that the covered entity's violations of state medical records privacy law are serious.

C.S.H.B. 300 contains a provision not included in the original authorizing the executive commissioner to impose an administrative penalty on certain covered entities that violate state medical records privacy laws or a rule adopted under those laws. The substitute contains provisions not included in the original relating to the amount of the penalty for each violation, establishing the methods by which a covered entity may stay enforcement of such a penalty, authorizing the attorney general to sue to collect such a penalty, and specifying that a proceeding to impose the penalty is a contested case. The substitute contains a provision not included in the original requiring a court or state agency to consider certain specified factors in determining the amount of a penalty imposed under other law in accordance with provisions relating to disciplinary action taken against a covered entity that is licensed by the state and that violates state medical records privacy laws.

C.S.H.B. 300 differs from the original, in provisions of the bill relating to audits of covered entities, review of complaints received from certain individuals, and audit and complaint reports, by authorizing the Health and Human Services Commission (HHSC), in coordination with the attorney general and certain other entities, to request certain audits and by requiring HHSC to monitor and review the results of certain audits, review such complaints, and submit and publish an annual report regarding audits conducted and complaints received, whereas the original gives such authority to and requires such action from the attorney general, in coordination with HHSC and certain other entities. The substitute differs from the original by authorizing HHSC to request that the United States secretary of health and human services conduct an audit of a covered entity in Texas to determine compliance with the federal Health Insurance Portability and Accountability Act and Privacy Standards, whereas the original requires the attorney general to conduct periodic audits of such covered entities to determine compliance with state medical records privacy laws. The substitute contains a provision not included in the original requiring HHSC to refer a reviewed complaint to the appropriate licensing agency or the attorney general, as applicable. The substitute differs from the original, in its provision establishing the information required to be included in an annual report regarding audits conducted and complaints received, by including enforcement action taken by HHSC or a licensing agency, in addition to action taken by the office of the attorney general. The substitute differs from the original by including the number of audits of covered entity systems required by HHSC in the information required to be included in the annual report, rather than including state audits in such information, as in the original. The substitute omits a provision included in the original applying the requirement for HHSC and the Texas Department of Insurance, in consultation with THSA, to apply for and actively pursue available federal funding for enforcement of state medical records privacy laws to certain audits of covered entities.

C.S.H.B. 300 omits a provision included in the original authorizing THSA to establish, rather than promote, definitions and standards for electronic health information interactions statewide. The substitute omits provisions included in the original requiring THSA to support regional health information exchange initiatives by engaging in certain specified activities and the secure, electronic exchange of health information through other strategies identified by the THSA board of directors. The substitute omits a provision included in the original requiring THSA to adopt, publish, and distribute standards for streamlining health administrative functions across payors and providers and including in those streamlining standards security standards for the electronic disclosure of protected health information.

C.S.H.B. 300 differs from the original by requiring THSA to develop and submit to HHSC for ratification privacy and security standards for the electronic sharing of protected health information, whereas the original requires THSA by rule to adopt security standards for the electronic disclosure of such information. The substitute omits a provision included in the original providing for the definition of protected health information for purposes of the security standards. The substitute contains a provision not included in the original requiring HHSC to review and by rule adopt acceptable standards submitted for ratification. The substitute contains a provision not included in the original requiring such standards to comply with the federal Health Insurance Portability and Accountability Act and Privacy Standards and with state medical records privacy laws. The substitute differs from the original by providing that adopted standards address personally identifiable health information whereas the original requires that the standards address personally identifiable information.  The substitute contains a provision not included in the original requiring THSA to establish a process by which a covered entity may apply for certification by THSA of a covered entity's past compliance with privacy and security standards.

C.S.H.B. 300 differs from the original, in a temporary provision of the bill creating a task force on health information technology, by creating a task force consisting of 11 members, whereas the original specifies a seven-member task force, and by listing specific officials and categories of individuals to be included in the composition of the task force. The substitute differs from the original by setting a December 1, 2012, deadline for the attorney general to appoint members of the task force and appoint a chair of the task force, whereas the original sets a deadline of December 1, 2011. The substitute differs from the original by setting a January 1, 2014, deadline for the task force to submit its recommendations to certain standing committees of the senate and house of representatives, whereas the original sets a deadline of January 1, 2013. The substitute differs from the original by making its provisions relating to the task force expire February 1, 2014, rather than February 1, 2013, as in the original. 

C.S.H.B. 300 contains a provision not included in the original amending the Insurance Code to require a covered entity to comply with the provisions of state medical records privacy laws relating to prohibited acts and with the standards recommended by THSA and adopted by HHSC under the bill's provisions.

C.S.H.B. 300 differs from the original by requiring the attorney general to adopt the standard authorization form required for electronic disclosure and requiring HHSC to adopt standards for electronic sharing of protected health information not later than January 1, 2013, rather than January 1, 2012, as in the original. The substitute omits a provision included in the original requiring THSA to adopt standards for streamlining health administrative functions not later than January 1, 2012.

C.S.H.B. 300 contains a provision not included in the original making its provisions relating to required notice and authorization for electronic disclosure of protected health information applicable only to an electronic disclosure of such information made on or after the effective date of the bill. The substitute makes its provisions effective September 1, 2012, rather than September 1, 2011, as in the original. The substitute differs from the original by making conforming and nonsubstantive changes.