BILL ANALYSIS

 

 

Senate Research Center

C.S.H.B. 300

82R30084 SJM-F

By: Kolkhorst et al. (Nelson)

 

Health & Human Services

 

5/20/2011

 

Committee Report (Substituted)

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

C.S.H.B. 300 amends current law relating to the privacy of protected health information and provide administrative and civil penalties.

 

RULEMAKING AUTHORITY

 

Rulemaking authority previously granted to the commissioner of health and human services is transferred to the executive commissioner of the Health and Human Services Commission (executive commissioner) in SECTION 3 (Section 181.005, Health and Safety Code) of this bill.

 

Rulemaking authority is expressly granted to the executive commissioner in SECTION 5 (Section 181.102, Health and Safety Code) of this bill.

 

Rulemaking authority is expressly granted to the Health and Human Services Commission in SECTION 12 (Section 182.108, Health and Safety Code) of this bill.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1.  Amends Section 1801.001(b), Health and Safety Code, by amending Subdivisions (1) and (3) and adding Subdivisions (2-a) and (2-b), as follows:

 

(1)  Defines "commission."  Deletes existing definition of "commissioner."

 

(2-a)  Defines "disclose."

 

(2-b)  Defines "executive commissioner."

 

(3)  Redefines "Health Insurance Portability and Accountability Act and Privacy Standards."

 

SECTION 2.  Amends Subchapter A, Chapter 181, Health and Safety Code, by adding Section 181.004, as follows:

 

Sec. 181.004.  APPLICABILITY OF STATE AND FEDERAL LAW.  (a)  Requires that a covered entity, as that term is defined by 45 C.F.R. Section 160.103, comply with the Health Insurance Portability and Accountability Act and Privacy Standards (HIPAA).

 

(b)  Requires that a covered entity, as that term is defined by Section 181.001, subject to Section 181.051,  comply with this chapter.

 

SECTION 3.  Amends Section 181.005, Health and Safety Code, as follows:

 

Sec. 181.005.  New heading:  DUTIES OF THE EXECUTIVE COMMISSIONER.  (a)  Requires the executive commissioner of the Health and Human Services Commission (executive commissioner; HHSC), rather than the commissioner of health and human services,  to administer this chapter, and authorizes the executive commissioner to adopt rules consistent with the HIPAA to administer this chapter.

 

(b)  Requires the executive commissioner to review amendments to definitions in 45 C.F.R. Parts 160 and 164 that occur after September 1, 2011, rather than after August 14, 2002, and determine whether it is in the best interest of the state to adopt the amended federal regulations.  Makes conforming changes.

 

(c)-(d)  Makes conforming changes.

 

SECTION 4.  Amends Section 181.006, Health and Safety Code, to provide that, notwithstanding Sections 181.004 and 181.051, for a covered entity that is a governmental unit, an individual's protected health information includes any information that reflects that an individual received health care from the covered entity, and is not public information and is not subject to disclosure under Chapter 552, Government Code.

 

SECTION 5.  Amends Chapter 181, Health and Safety Code, by adding Subchapter C, as follows:

 

SUBCHAPTER C.  ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION

 

Sec. 181.101.  TRAINING REQUIRED.  (a)  Requires each covered entity to provide a training program to employees of the covered entity regarding the state and federal law concerning protected health information as it relates to the covered entity's particular course of business, and each employee's scope of employment.

 

(b)  Requires an employee of a covered entity to complete training described by Subsection (a) not later than the 60th day after the date the employee is hired by the covered entity.

 

(c)  Requires an employee of a covered entity to receive training described by Subsection (a) at least once every two years.

 

(d)  Requires a covered entity to require an employee of the entity who attends a training program described by Subsection (a) to sign, electronically or in writing, a statement verifying the employee's attendance at the training program.  Requires the covered entity to maintain the signed statement.

 

Sec. 181.102.  CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS.  (a)  Requires a health care provider, except as provided by Subsection (b), if the health care provider is using an electronic health records system that is capable of fulfilling the request, not later than the 15th business day after the date the health care provider receives a written request from a person for the person's electronic health record, to provide the requested record to the person in electronic form unless the person agrees to accept the record in another form.

 

(b)  Provides that a health care provider is not required to provide access to a person's protected health information that is excepted from access, or to which access may be denied, under 45 C.F.R. Section 164.524.

 

(c)  Authorizes the executive commissioner, for purposes of Subsection (a), in consultation with the Department of State Health Services (DSHS), the Texas Medical Board (TMB), and the Texas Department of Insurance (TDI), by rule to recommend a standard electronic format for the release of requested health records.  Requires that the standard electronic format recommended under this section be consistent, if feasible, with federal law regarding the release of electronic health records.

 

Sec. 181.103.  CONSUMER INFORMATION WEBSITE.  Requires the attorney general to maintain an Internet website that provides:

 

(1)  information concerning a consumer's privacy rights regarding protected health information under federal and state law;

 

(2)  a list of the state agencies, including DSHS, TMB, and TDI, that regulate covered entities in this state and the types of entities each agency regulates;

 

(3)  detailed information regarding each agency's complaint enforcement process; and

 

(4)  contact information, including the address of the agency's Internet website, for each agency listed under Subdivision (2) for reporting a violation of this chapter.

 

Sec. 181.104.  CONSUMER COMPLAINT REPORT BY ATTORNEY GENERAL.  (a)  Requires the attorney general annually to submit to the legislature a report describing:

 

(1)  the number and types of complaints received by the attorney general and by the state agencies receiving consumer complaints under Section 181.103; and

 

(2)  the enforcement action taken in response to each complaint reported under Subdivision (1).

 

(b)  Requires each state agency that receives consumer complaints under Section 181.103 to submit to the attorney general, in the form required by the attorney general, the information the attorney general requires to compile the report required by Subsection (a).

 

(c)  Requires the attorney general to de-identify protected health information from the individual to whom the information pertains before including the information in the report required by Subsection (a).

 

SECTION 6.  Amends Subchapter D, Chapter 181, Health and Safety Code, by adding Sections 181.153 and 181.154, as follows:

 

Sec. 181.153.  SALE OF PROTECTED HEALTH INFORMATION PROHIBITED; EXCEPTIONS.  (a)  Prohibits  a covered entity from disclosing an individual's protected health information to any other person in exchange for direct or indirect remuneration, except that a covered entity may disclose an individual's protected health information:

 

(1)  to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001 (Definitions), Insurance Code, for the purpose of:

 

(A)  treatment;

 

(B)  payment;

 

(C)  health care operations; or

 

(D)  performing an insurance or health maintenance organization function described by Section 602.053 (Exceptions), Insurance Code; or

 

(2)  as otherwise authorized permitted or required by state or federal law.

 

(b)  Prohibits the direct or indirect remuneration a covered entity receives for making a disclosure of protected health information authorized by Subsection (a)(1)(D) from exceeding the covered entity's reasonable costs of preparing or transmitting the protected health information.

 

Sec. 181.154.  NOTICE AND AUTHORIZATION REQUIRED FOR ELECTRONIC DISCLOSURE OF PROTECTED HEALTH INFORMATION; EXCEPTIONS.  (a) Requires a covered entity to provide notice to an individual for whom the covered entity creates or receives protected health information if the individual's protected health information is subject to electronic disclosure.  Authorizes a covered entity to provide general notice by:

 

(1)  posting a written notice in the covered entity's place of business;

 

(2)  posting a notice on the covered entity's Internet website; or

 

(3)  posting a notice in any other place where individuals whose protected health information is subject to electronic disclosure are likely to see the notice.

 

(b)  Prohibits a covered entity, except as provided by Subsection (c), from electronically disclosing an individual's protected health information to any person without a separate authorization from the individual or the individual's legally authorized representative for each disclosure.  Authorizes an authorization for disclosure under this subsection to be made in written or electronic form or in oral form if it is documented in writing by the covered entity.

 

(c)  Provides that the authorization for electronic disclosure of protected health information described by Subsection (b) is not required if the disclosure is made:

 

(1)  to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001, Insurance Code, for the purpose of:

 

(A)  treatment;

 

(B)  payment;

 

(C)  health care operations; or

 

(D)  performing an insurance or health maintenance organization function described by Section 602.053, Insurance Code; or

 

(2)  as otherwise permitted or required by state or federal law.

 

(d)  Requires the attorney general to adopt a standard authorization form for use in complying with this section.  Requires that the form comply with HIPAA and this chapter.

 

(e)  Provides that this section does not apply to a covered entity, as defined by Section 602.001, Insurance Code, if that entity is not a covered entity as defined by 45 C.F.R. Section 160.103 or Section 181.001 of this code.

 

SECTION 7.  Amends Section 181.201, Health and Safety Code, by amending Subsections (b) and (c) and adding Subsections (b-1), (d), (e), and (f), as follows:

 

(b)  Authorizes the attorney general, in addition to the injunctive relief provided by Subsection (a), to institute an action for civil penalties against a covered entity for a violation of this chapter.  Prohibits a civil penalty assessed under this section from exceeding:

 

(1)  $5,000, rather than $3,000, for each violation committed negligently;

 

(2)  $25,000 for each violation committed knowingly or intentionally; or

 

(3)  $250,000 for each violation in which the covered entity knowingly or intentionally uses protected health information for financial gain.

 

(b-1)  Prohibits the total amount of a penalty assessed against a covered entity under Subsection (b) in relation to a violation or violations of Section 181.154 from exceeding $250,000 annually if the court finds that:

 

(1)  the disclosure was made only to another covered entity and only for a purpose described by Section 181.154(c);

 

(2)  the protected health information disclosed was encrypted or transmitted using encryption technology designed to protect against improper disclosure;

 

(3)  the recipient of the protected health information did not use or release the protected health information; and

 

(4)  at the time of the disclosure of the protected health information, the covered entity had developed, implemented, and maintained security policies, including the education and training of employees responsible for the security of protected health information.

 

(c)  Authorizes the court, if the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, to assess a civil penalty not to exceed $1.5 million annually, rather than not to exceed $250,000.

 

(d)  Requires the court, in determining the amount of a penalty imposed under Subsection (b), to consider:

 

(1)  the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

 

(2)  the covered entity's compliance history;

 

(3)  whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

 

(4)  whether the covered entity was certified at the time of the violation as described by Section 182.108;

 

(5)  the amount necessary to deter a future violation; and

 

(6)  the covered entity's efforts to correct the violation.

 

(e)  Authorizes the attorney general to institute an action against a covered entity that is licensed by a licensing agency of this state for a civil penalty under this section only if the licensing agency refers the violation to the attorney general under Section 181.202(2).

 

(f)  Authorizes the office of the attorney general to retain a reasonable portion of a civil penalty recovered under this section, not to exceed amounts specified in the General Appropriations Act, for the enforcement of this subchapter.

 

SECTION 8.  Amends Section 181.202, Health and Safety Code, as follows:

 

Sec. 181.202.  DISCIPLINARY ACTION.  Provides that, in addition to the penalties prescribed by this chapter, a violation of this chapter by a covered entity, rather than a violation of this chapter by an individual or facility, that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency.  Authorizes the agency, if there is evidence that the violations of this chapter are egregious and constitute a pattern or practice, to revoke the covered entity's license, rather than the individual's or facility's license, or refer the covered entity's case to the attorney general for the institution of an action for civil penalties under Section 181.201(b) (authorizing the attorney general to institute an action for civil penalties against a covered entity for a violation of this chapter).  Makes nonsubstantive changes.

 

SECTION 9.  Amends Section 181.205, Health and Safety Code, by amending Subsection (b) and adding Subsection (c), as follows:

 

(b)  Requires a court or state agency, in determining the amount of a penalty imposed under other law in accordance with Section 181.202, to consider the following factors:

 

(1)  the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

 

(2)  the covered entity's compliance history;

 

(3)  whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

 

(4)  whether the covered entity was certified at the time of the violation as described by Section 182.108;

 

(5)  the amount necessary to deter a future violation; and

 

(6)  the covered entity's efforts to correct the violation.

 

(c)  Creates this subsection from existing text.  Requires a court or state agency, on receipt of evidence under Subsections (a) (authorizing a covered entity, in an action or proceeding to impose an administrative penalty or assess a civil penalty for actions related to the disclosure of individually identifiable health information, to introduce, as mitigating evidence, evidence of the entity's good faith efforts to comply with certain state law and HIPAA) and (b), rather than Subsection (a), to consider the evidence and mitigate imposition of an administrative penalty or assessment of a civil penalty accordingly.

 

SECTION 10.  Amends Subchapter E, Chapter 181, Health and Safety Code, by adding Sections 181.206, 181.207, and 181.208, as follows: 

 

Sec. 181.206.  AUDITS OF COVERED ENTITIES.  (a)  Provides that HHSC, in coordination with the attorney general, the Texas Health Services Authority (THSA), and TDI:

 

(1)  may request that the United States secretary of health and human services conduct an audit of a covered entity in this state to determine compliance with HIPAA; and

 

(2)  is required to periodically monitor and review the results of audits of covered entities in this state conducted by the United States secretary of health and human services.

 

(b)  Authorizes HHSC, if it has evidence that a covered entity has committed violations of this chapter that are egregious and constitute a pattern or practice, to:

 

(1)  require the covered entity to submit to the commission the results of a risk analysis conducted by the covered entity if required by 45 C.F.R. Section 164.308(a)(1)(ii)(A); or

 

(2)  if the covered entity is licensed by a licensing agency of this state, request that the licensing agency conduct an audit of the covered entity's system to determine compliance with the provisions of this chapter.

 

(c)  Requires HHSC to annually submit to the appropriate standing committees of the senate and the house of representatives a report regarding the number of federal audits of covered entities in this state and the number of audits required under Subsection (b).

 

Sec. 181.207.  REVIEW OF COMPLAINT BY COMMISSION.  (a)  Requires HHSC to review a complaint received from an individual or an individual's legally authorized representative alleging that a covered entity violated this chapter with respect to the individual's protected health information.

 

(b)  Requires HHSC to refer a complaint reviewed under Subsection (a) to the appropriate licensing agency or the attorney general, as applicable.

 

Sec. 181.208.  FUNDING.  Requires HHSC and TDI, in consultation with THSA, to apply for and actively pursue available federal funding for enforcement of this chapter.

 

SECTION 11.  Amends Section 182.002, Health and Safety Code, by adding Subdivisions (2-a), (3-a), and (3-b), to define "covered entity," "disclose," and "Health Insurance Portability and Accountability Act and Privacy Standards."

 

SECTION 12.  Amends Subchapter C, Chapter 182, Health and Safety Code, by adding Section 182.108, as follows:

 

Sec. 182.108.  STANDARDS FOR ELECTRONIC SHARING OF PROTECTED HEALTH INFORMATION; COVERED ENTITY CERTIFICATION.  (a) Requires THSA to develop and submit to HHSC for ratification privacy and security standards for the electronic sharing of protected health information.

 

(b)  Requires THSA to review and by rule adopt acceptable standards submitted for ratification under Subsection (a).

 

(c)  Requires that standards adopted under Subsection (b) be designed to:

 

(1)  comply with HIPAA and Chapter 181 (Medical Records Privacy);

 

(2)  comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity;

 

(3)  ensure the secure maintenance and disclosure of personally identifiable health information;

 

(4)  include strategies and procedures for disclosing personally identifiable health information; and

 

(5)  support a level of system interoperability with existing health record databases in this state that is consistent with emerging standards.

 

(d)  Requires THSA to establish a process by which a covered entity may apply for certification by the corporation of a covered entity's past compliance with standards adopted under Subsection (b).

 

(e)  Requires THSA to publish the standards adopted under Subsection (b) on the corporation's Internet website.

 

SECTION 13.  Amends Section 521.053, Business and Commerce Code, by amending Subsection (b) and adding Subsection (b-1), as follows:

 

(b)  Requires a person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information to disclose any breach of system security, after discovering or receiving notification of the breach, to any individual, rather than to any resident of this state, whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

 

(b-1)  Provides that, notwithstanding Subsection (b), the requirements of Subsection (b) apply only if the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of this state or another state that does not require a person described by Subsection (b) to notify the individual of a breach of system security.  Provides that, if the individual is a resident of a state that requires a person described by Subsection (b) to provide notice of a breach of system security, the notice of the breach of system security provided under that state's law satisfies the requirements of Subsection (b).

 

SECTION 14.  Amends Section 521.151, Business & Commerce Code, by adding Subsection (a-1), as follows:

 

(a-1)  Provides that, in addition to penalties assessed under Subsection (a), a person who fails to take reasonable action to comply with Section 521.053(b) is liable to this state for a civil penalty of not more than $100 for each individual to whom notification is due under that subsection for each consecutive day that the person fails to take reasonable action to comply with that subsection.  Prohibits civil penalties under this section from exceeding $250,000 for all individuals to whom notification is due after a single breach.  Authorizes the attorney general to bring an action to recover the civil penalties imposed under this subsection.

 

SECTION 15.  Amends Subchapter B, Chapter 531, Government Code, by adding Section 531.0994, as follows:

 

Sec. 531.0994.  STUDY; ANNUAL REPORT.  (a)  Requires HHSC, in consultation with DSHS, TMB, and TDI, to explore and evaluate new developments in safeguarding protected health information.

 

(b)  Requires HHSC, not later than December 1 each year, to report to the legislature on new developments in safeguarding protected health information and recommendations for the implementation of safeguards within HHSC.

 

SECTION 16.  Amends Subchapter B, Chapter 602, Insurance Code, by adding Section 602.054, as follows:

 

Sec. 602.054.  COMPLIANCE WITH OTHER LAW.  Requires a covered entity to comply with:

 

(1)  Subchapter D (Prohibited Acts), Chapter 181, Health and Safety Code, except as otherwise provided by that subchapter; and

 

(2)  the standards adopted under Section 182.108, Health and Safety Code.

 

SECTION 17.  (a)  Defines, in this section, "unsustainable covered entity."

 

(b)  Requires HHSC, in consultation with THSA and TMB, to review issues regarding the security and accessibility of protected health information maintained by an unsustainable covered entity.

 

(c)  Requires HHSC, not later than December 1, 2012, to submit to the appropriate standing committees of the senate and the house of representatives recommendations for:

 

(1)  the state agency to which the protected health information maintained by an unsustainable covered entity should be transferred for storage;

 

(2)  ensuring the security of protected health information maintained by unsustainable covered entities in this state, including secure transfer methods from the covered entity to the state;

 

(3)  the method and period of time for which protected health information should be maintained by the state after transfer from an unsustainable covered entity;

 

(4)  methods and processes by which an individual should be able to access the individual's protected health information after transfer to the state; and

 

(5)  funding for the storage of protected health information after transfer to the state.

 

(d)  Provides that this section expires January 1, 2013.

 

SECTION 18.  (a) Provides that a task force on health information technology (task force) is created.

 

(b)  Provides that the task force is composed of:

 

(1)  11 members appointed by the attorney general with the advice of the chairs of the standing committees of the senate and house of representatives having primary jurisdiction over health information technology issues, including:

 

(A)  at least two physicians;

 

(B)  at least two individuals who represent hospitals; and

 

(C)  at least one private citizen who represents patient and parental rights; and

 

(2)  the following ex officio members:

 

(A)  the executive commissioner or an employee of HHSC designated by the executive commissioner;

 

(B)  the commissioner of DSHS or an employee of DSHS designated by the commissioner; and

 

(C)  the presiding officer of THSA or an employee of the authority designated by the presiding officer.

 

(c)  Requires the attorney general, not later than December 1, 2012, to appoint the members of the task force and appoint a chair of the task force from among its membership.  Requires the chair of the task force to have expertise in:

 

(1)  state and federal health information privacy law;

 

(2)  patient rights; and

 

(3)  electronic signatures and other consent tools.

 

(d)  Requires the task force to develop recommendations regarding:

 

(1)  the improvement of informed consent protocols for the electronic exchange of protected health information, as that term is defined by HIPAA, as defined by Section 181.001, Health and Safety Code, as amended by this Act;

 

(2)  the improvement of patient access to and use of electronically maintained and disclosed protected health information for the purpose of personal health and coordination of health care services; and

 

(3)  any other critical issues, as determined by the task force, related to the exchange of protected health information.

 

(e)  Requires the task force, not later than January 1, 2014, to submit to the standing committees of the senate and house of representatives having primary jurisdiction over health information technology issues and THSA a report including the task force's recommendations under Subsection (d).

 

(f)  Requires THSA to publish the report submitted under Subsection (e) on the authority's Internet website.

 

(g)  Provides that this section expires February 1, 2014.

 

SECTION 19.  Repealer:  Section 531.0315(b) (providing that this section does not prohibit a state agency from seeking a federal waiver from compliance under applicable federal law), Government Code.

 

SECTION 20.  Provides that, not later than January 1, 2013:

 

(1)  the attorney general is required to adopt the form required by Section 181.154, Health and Safety Code, as added by this Act; and

 

(2)  HHSC is required to adopt the standards required by Section 182.108, Health and Safety Code, as added by this Act.

 

SECTION 21.  (a)  Requires the attorney general, not later than May 1, 2012, to establish the Internet website required by Section 181.103, Health and Safety Code, as added by this Act.

 

(b)  Requires the attorney general, not later than December 1, 2013, to submit the initial report required by Section 181.104, Health and Safety Code, as added by this Act.

 

SECTION 22.  Requires HHSC, not later than December 1, 2013, to submit the initial report required by Section 531.0994, Government Code, as added by this Act.

 

SECTION 23.  Provides that the changes in law made by Section 181.201, Health and Safety Code, as amended by this Act, Section 521.053, Business & Commerce Code, as amended by this Act, and Section 521.151(a-1), Business & Commerce Code, as added by this Act, apply only to conduct that occurs on or after the effective date of this Act.  Provides that conduct that occurs before the effective date of this Act is governed by the law in effect at the time the conduct occurred, and the former law is continued in effect for that purpose.

 

SECTION 24.  Effective date:  September 1, 2012.