BILL ANALYSIS

C.S.S.B. 622

By: Nelson

Public Health

Committee Report (Substituted)

BACKGROUND AND PURPOSE

Provisions of recent federal legislation establish incentives designed to increase the adoption of electronic health record (EHR) systems among certain health care providers. The expanded use of EHR systems is likely to lead to the expansion of the electronic exchange of protected health information, which may require stronger state laws to better ensure the protection of that information.

C.S.S.B. 622 seeks to increase privacy and security protections and provide standards of operation for a person who has access to protected health information.

RULEMAKING AUTHORITY

It is the committee's opinion that rulemaking authority is expressly granted to the attorney general in SECTIONS 4 and 9 and to the executive commissioner of the Health and Human Services Commission in SECTION 11 of this bill.

ANALYSIS

Section 531.0055, Government Code, as amended by Chapter 198 (H.B. 2292), Acts of the 78th Legislature, Regular Session, 2003, expressly grants to the executive commissioner of the Health and Human Services Commission all rulemaking authority for the operation of and provision of services by the health and human services agencies. Similarly, Sections 1.16-1.29, Chapter 198 (H.B. 2292), Acts of the 78th Legislature, Regular Session, 2003, provide for the transfer of a power, duty, function, program, or activity from a health and human services agency abolished by that act to the corresponding legacy agency. To the extent practical, this bill analysis is written to reflect any transfer of rulemaking authority and to update references as necessary to an agency's authority with respect to a particular health and human services program.

C.S.S.B. 622 amends the Health and Safety Code to require a covered entity, as that term is defined by provisions of the federal Health Insurance Portability and Accountability Act of 1996, to comply with the federal Health Insurance Portability and Accountability Act and Privacy Standards, and to require a covered entity, as that term is defined under state medical records privacy laws, to comply with those privacy laws.

C.S.S.B. 622 prohibits a covered entity from disclosing an individual's protected health information to any other person in exchange for direct or indirect remuneration and excepts a covered entity from the prohibition if the disclosure is made to another covered entity, as defined under state medical records privacy laws or Insurance Code provisions relating to privacy of health information, for the purpose of treatment, payment, health care operations, or performance of certain insurance or health maintenance organization functions, or if the disclosure is made as otherwise authorized or required by state or federal law. The bill prohibits the direct or indirect remuneration a covered entity receives for making a disclosure of protected health information from exceeding the covered entity's reasonable costs of preparing or transmitting the protected health information. The bill requires a covered entity to provide notice to an individual for whom the covered entity creates or receives protected health information if the individual's protected health information is subject to electronic disclosure. The bill authorizes a covered entity to provide general notice by posting a written notice in the covered entity's place of business, posting a notice on the covered entity's Internet website, or posting a notice in any other place where individuals whose protected health information is subject to electronic disclosure are likely to see the notice.

C.S.S.B. 622 prohibits a covered entity from making an electronic disclosure of an individual's protected health information to any person without a separate authorization from the individual or the individual's legally authorized representative for each disclosure. The bill authorizes such an authorization to be made in written or electronic form or in oral form if it is documented in writing by the covered entity. The bill excepts a covered entity from the requirement to obtain such authorization if the electronic disclosure is made to another covered entity, as defined under state medical records privacy laws or Insurance Code provisions relating to privacy of health information, for the purpose of treatment, payment, health care operations, or performance of certain insurance or health maintenance organization functions; or if the disclosure is made as otherwise authorized or required by state or federal law. The bill requires the attorney general, by rule, to adopt a standard authorization form for use in complying with the bill's provisions relating to required authorization not later than January 1, 2013, and requires the form to comply with the federal Health Insurance Portability and Accountability Act and Privacy Standards and with state medical records privacy laws. The bill makes its provisions relating to notice and authorizations requirements for disclosing an individual's protected health information inapplicable to a covered entity, as defined by Insurance Code provisions relating to the privacy of health information, if that entity is not a covered entity as defined by provisions of the federal Health Insurance Portability and Accountability Act of 1996.

C.S.S.B. 622 prohibits the total amount of a civil penalty assessed against a covered entity in relation to a violation or violations of the notice and authorizations requirements for disclosing an individual's protected health information from exceeding $250,000 if the court makes certain findings. The bill increases from $250,000 to $1.5 million annually the cap on the civil penalty a court may assess against a covered entity if the court finds that the covered entity's violations of state medical records privacy laws have occurred with a frequency to constitute a pattern or practice. The bill requires a court imposing such a civil penalty to consider certain specified factors in determining the amount of the penalty. The bill authorizes the attorney general to institute an action against a covered entity that is licensed by a licensing agency of the state for such a civil penalty only if the licensing agency refers the violation to the attorney general as authorized in a case in which there is evidence that a violation is egregious and constitutes a pattern or practice. The bill authorizes the office of the attorney general to retain a reasonable portion of a recovered civil penalty, not to exceed the amounts specified in the General Appropriations Act, for the enforcement of state medical records privacy laws. The bill specifies that a violation of state medical records privacy laws is subject to certain investigation and disciplinary proceedings, in addition to the penalties prescribed under state medical records privacy laws, if the violation is made by a covered entity, rather than by an individual or facility, that is licensed by an agency of the state, and makes conforming changes. The bill authorizes a licensing agency, as an alternative to revoking the covered entity's license, to refer certain cases of violations of state medical records privacy laws by a covered entity to the attorney general for the institution of an action for civil penalties and specifies that the conditions under which a licensing agency is authorized to take such action include that the violation is egregious.

C.S.S.B. 622 authorizes the executive commissioner of the Health and Human Services Commission (HHSC) to impose an administrative penalty not to exceed $3,000 for each violation on a covered entity that is not licensed by a licensing agency of the state and that violates state medical records privacy laws or a rule adopted under those laws. The bill specifies that each day a violation continues or occurs is a separate violation for the purpose of imposing such a penalty and sets out the matters on which the amount of the penalty is required to be based. The bill prohibits the total amount of the penalties for all violations that occur in a year from exceeding $1.5 million. The bill authorizes the enforcement of such an administrative penalty to be stayed during the time the order is under judicial review if the covered entity pays the penalty to the clerk of the court or files a supersedeas bond with the court in the amount of the penalty. The bill authorizes a covered entity that cannot afford to pay the penalty or file the bond to stay the enforcement by filing an affidavit in the manner required by the Texas Rules of Civil Procedure for a party who cannot afford to file security for costs, subject to the right of the executive commissioner to contest the affidavit as provided by those rules. The bill authorizes the attorney general to sue to collect the administrative penalty and establishes that a proceeding to impose such a penalty is a contested case under the Administrative Procedure Act. The bill requires a court or state agency to consider certain specified factors in determining the amount of a penalty imposed under other law in accordance with provisions relating to disciplinary action taken against a covered entity that is licensed by an agency of the state that violates state medical records privacy laws.

C.S.S.B. 622 authorizes the attorney general to adopt rules as necessary to enforce state medical records privacy laws. The bill authorizes HHSC, in coordination with the attorney general, the Texas Health Services Authority (THSA), and the Texas Department of Insurance (TDI), to request that the United States secretary of health and human services conduct an audit of a covered entity in Texas to determine compliance with the federal Health Insurance Portability and Accountability Act and Privacy Standards and requires HHSC, in coordination with those entities, to periodically monitor and review the results of audits of covered entities in Texas conducted by the United States secretary of health and human services. The bill authorizes HHSC, if HHSC has evidence that a covered entity has committed violations of state medical records privacy laws that are egregious and constitute a pattern or practice, to require a covered entity to submit to HHSC the results of a risk analysis conducted by the covered entity as described by federal law, or, if the covered entity is licensed by a licensing agency of the state, request that the licensing agency conduct an audit of the covered entity's system to determine compliance with state medical records privacy laws. 

C.S.S.B. 622 requires HHSC to review a complaint received from an individual or an individual's legally authorized representative alleging that a covered entity violated state medical records privacy laws with respect to the individual's protected health information and requires HHSC to refer a reviewed complaint to the appropriate licensing agency or the attorney general, as applicable. The bill requires HHSC to annually submit a report to the appropriate standing committees of the senate and the house of representatives that includes the number and types of complaints received by HHSC regarding violations of state medical records privacy laws; enforcement action taken by HHSC, a licensing agency, or the office of the attorney general under those laws; and the number of federal audits of covered entities in Texas conducted and the number of system audits required of a covered entity by HHSC. The bill requires HHSC and THSA to each publish the report on the agency's Internet website. The bill requires HHSC and TDI, in consultation with THSA, to apply for and actively pursue available federal funding for enforcement of state medical records privacy laws.

C.S.S.B. 622 requires THSA to develop and submit to HHSC for ratification privacy and security standards for the electronic sharing of protected health information. The bill requires HHSC to review and, not later than January 1, 2013, by rule adopt acceptable standards submitted by THSA for ratification. The bill requires the standards to be designed to comply with the federal Health Insurance Portability and Accountability Act and Privacy Standards and state medical records privacy laws, comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity, ensure the secure maintenance and disclosure of personally identifiable health information, include strategies and procedures for disclosing personally identifiable health information, and support a level of system interoperability with existing health record databases in Texas that is consistent with emerging standards. The bill requires THSA to establish a process by which a covered entity may apply for certification by THSA of a covered entity's past compliance with the adopted standards and requires THSA to publish the adopted standards on its Internet website.

C.S.S.B. 622 makes conforming changes to replace references to the commissioner of health and human services with references to the executive commissioner of HHSC in provisions of law relating to the duties of the executive commissioner regarding state medical records privacy law. The bill requires the executive commissioner to review amendments to the definitions in certain federal regulations relating to medical records privacy that occur after September 1, 2011, rather than August 14, 2002, for the purposes of determining whether it is in the best interest of the state to adopt the amended federal regulations.

C.S.S.B. 622 redefines "Health Insurance Portability and Accountability Act and Privacy Standards," for purposes relating to medical records privacy, to mean the federal privacy requirements in existence on September 1, 2011, rather than August 14, 2002. The bill defines "commission," "disclose," and "executive commissioner" and provides for the meaning of "covered entity" by reference.

C.S.S.B. 622 amends the Insurance Code to require a covered entity to comply with the provisions of state medical records privacy laws relating to prohibited acts and with the standards recommended by THSA and adopted by HHSC under the bill's provisions.

C.S.S.B. 622 requires HHSC, in consultation with THSA and the Texas Medical Board, to review issues regarding the security and accessibility of protected health information maintained by an unsustainable covered entity, which the bill defines as a covered entity under state medical records privacy laws that ceases to operate. The bill requires HHSC, not later than December 1, 2012, to submit to the appropriate standing committees of the senate and the house of representatives recommendations relating to the transfer, administration, and security of such protected health information for storage with a state agency and to access to such protected health information by an individual after the information has been transferred to the state. The bill establishes that its provisions relating to protected health information maintained by an unsustainable covered entity expire January 1, 2013.

C.S.S.B. 622 creates a task force on health information technology. The bill establishes the composition of the members of the task force and requires the attorney general, not later than December 1, 2012, to appoint the members and to appoint a chair of the task force, who must have certain specified subject matter expertise. The bill requires the task force to develop recommendations regarding the improvement of informed consent protocols for the electronic exchange of protected health information; the improvement of patient access to and use of electronically maintained and disclosed protected health information for the purpose of personal health and coordination of health care services; and any other critical issues, as determined by the task force, related to the exchange of protected health information. The bill requires the task force, not later than January 1, 2014, to submit a report of its recommendations to the standing committees of the senate and house of representatives having primary jurisdiction over health information technology issues and to THSA. The bill requires THSA to publish the task force's report on its Internet website. The bill establishes that its provisions relating to the task force expire February 1, 2014.

C.S.S.B. 622 makes conforming changes.

EFFECTIVE DATE

September 1, 2012.

COMPARISON OF ORIGINAL AND SUBSTITUTE

C.S.S.B. 622 contains a provision not included in the original defining "disclose" for purposes of state medical records privacy laws. The substitute omits a provision included in the original redefining "marketing" for purposes of those provisions.

C.S.S.B. 622 contains a provision not included in the original requiring a covered entity, as that term is defined by provisions of the federal Health Insurance Portability and Accountability Act of 1996, to comply with the federal Health Insurance Portability and Accountability Act and Privacy Standards, and requiring a covered entity, as that term is defined under state medical records privacy laws, to comply with those privacy laws.

C.S.S.B. 622 omits provisions included in the original relating to access to and use of protected health information, including provisions requiring the executive commissioner of the Health and Human Services Commission (HHSC) to adopt rules consistent with the Health Insurance Portability and Accountability Act and Privacy Standards relating to sharing or exchanging protected health information and provisions establishing requirements for training for employees of a covered entity regarding state and federal law concerning protected health information, notification and acceptance requirements that must be met before a state agency is authorized to electronically disseminate protected health information to another person or allow another person to electronically access the information, requirements for allowing a person to access the person's electronic health record on written request, requirements relating to an Internet website maintained by the attorney general providing certain information relating to protected health information to consumers, and requirements relating to a report submitted to the legislature by the attorney general relating to consumer complaints. 

C.S.S.B. 622 differs from the original, in the bill provision authorizing a covered entity to disclose protected health information to certain entities for remuneration for certain purposes, by specifying that a covered entity is authorized to disclose such information for certain purposes to another covered entity, as that term is defined by state medical records privacy laws, or to a covered entity, as that term is defined by Insurance Code provisions relating to the privacy of health information, whereas the original includes no such specification. The substitute differs from the original, in the bill provision establishing the purposes for which protected health information is authorized to be disclosed by a covered entity, by including in those purposes performing certain insurance or health maintenance organization functions, whereas the original includes in those purposes public health activities; research or clinical investigation, as described by federal law; and providing the protected health information to the individual who is the subject of the protected health information. 

C.S.S.B. 622 contains a provision not included in the original prohibiting the direct or indirect remuneration a covered entity receives for making an authorized disclosure of protected health information from exceeding the covered entity's reasonable costs of preparing or transmitting the protected health information. 

C.S.S.B. 622 omits a provision included in the original clarifying that its provisions related to the sale of protected health information do not prohibit a covered entity from disclosing protected health information to and giving remuneration to an agent or contractor of the covered entity in exchange for engaging in an activity authorized by state or federal law involving the exchange of protected health information that the agent or contractor undertakes on behalf of and at the specific request of the covered entity pursuant to an agreement.

C.S.S.B. 622 contains provisions not included in the original relating to required notification of and authorization from an individual relating to the electronic disclosure of the individual's protected health information, including provisions relating to disclosures for which such notification and authorization are not required and the covered entities to which such requirements are inapplicable and provisions requiring the attorney general by rule to adopt a standard authorization form for use in complying with those notification and authorization requirements.

C.S.S.B. 622 omits a provision included in the original increasing the maximum civil penalty authorized to be assessed against a covered entity for a violation of provisions of law relating to medical records privacy from $3,000 for each violation to $5,000 for each violation committed negligently and establishing a civil penalty for each violation committed knowingly or intentionally and each violation in which the covered entity knowingly or intentionally uses protected health information for financial gain and prohibiting such a penalty from exceeding $25,000 and $250,000, respectively. 

C.S.S.B. 622 contains a provision not included in the original prohibiting the total amount of a civil penalty assessed against a covered entity in relation to a violation or violations of the notice and authorizations requirements for disclosing an individual's protected health information from exceeding $250,000 if the court makes certain findings. 

C.S.S.B. 622 differs from the original by raising from $250,000 to $1.5 million annually the cap on the civil penalty a court may assess against a covered entity if the court finds that the covered entity's violations of state medical records privacy laws have occurred with a frequency to constitute a pattern or practice, whereas the original authorizes the court to assess such a penalty in an amount the court finds necessary to deter future violations. 

C.S.S.B. 622 contains a provision not included in the original requiring a court imposing a civil penalty for a violation of state medical records privacy laws to consider certain specified factors in determining the amount of the penalty. The substitute contains a provision not included in the original authorizing the attorney general to institute an action against a covered entity that is licensed by a licensing agency of the state for such a civil penalty only under certain circumstances. The substitute contains a provision not included in the original authorizing the office of the attorney general to retain a reasonable portion of a recovered civil penalty, not to exceed amounts specified in the General Appropriations Act, for the enforcement of state medical records privacy laws.

C.S.S.B. 622 omits provisions included in the original specifying that a person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information is required to disclose any breach of system security to any individual, rather than to any resident of Texas, whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The substitute omits a provision included in the original establishing provisions relating to the applicability of the disclosure requirement and providing for an alternative notification option. 

C.S.S.B. 622 omits provisions included in the original making a person who fails to take reasonable action to disclose a breach of system security, in addition to civil penalties assessed for the violation, liable to the state for a civil penalty of not more than $100 for each individual to whom notification is due for each consecutive day that the person fails to take such action, prohibiting the civil penalties assessed for violations of provisions of law relating to the unauthorized use of identifying information from exceeding $250,000 for all individuals to whom notification is due after a single breach, and authorizing the attorney general to bring an action to recover the civil penalties imposed.

C.S.S.B. 622 omits a provision included in the original increasing the penalty for an offense relating to identity theft by an electronic device from a Class B misdemeanor to a state jail felony if the information accessed, read, scanned, stored, or transferred by the person was protected health information as defined by the Health Insurance Portability and Accountability Act and Privacy Standards.

C.S.S.B. 622 omits a provision included in the original providing for the definition of "protected health information," for purposes of provisions relating to HHSC, by reference.

C.S.S.B. 622 omits a provision included in the original removing a provision of law requiring each health and human services agency and every other state agency that acts as a health care provider or a claims payer for the provision of health care to demonstrate to HHSC the reasons the agency should not be required to process information related to health care in compliance with national data interchange standards adopted under the federal Health Insurance Portability and Accountability Act of 1996 within the applicable deadline established under federal law or federal regulations and to obtain HHSC's approval, to the extent allowed under federal law, to comply with the standards at a later date or to not comply with one or more of the standards.

C.S.S.B. 622 omits a provision included in the original requiring HHSC, in consultation with specified state agencies, to explore and evaluate new developments in safeguarding protected health information and provisions relating to HHSC making a related report to the legislature.

C.S.S.B. 622 omits a provision included in the original enhancing an offense of theft to the next higher category of offense if it is shown on the trial of the offense that the property appropriated was a document containing protected health information. The substitute omits a provision included in the original enhancing an offense of fraudulent use or possession of identifying information to the next higher category of offense if it is shown on the trial of the offense that the information obtained, possessed, transferred, or used in the commission of the offense was protected health information. The substitute omits a provision included in the original enhancing the penalty for an offense of breach of computer security if, in committing the offense, the actor knowingly obtains a benefit, defrauds or harms another, or alters, damages, or deletes property from a Class B misdemeanor offense to a state jail felony offense if the actor accesses protected health information. The substitute omits provisions included in the original enhancing the punishment prescribed for an offense of Medicaid fraud to the punishment prescribed for the next higher category of offense if it is shown on the trial of the offense that protected health information was used in the commission of the offense and prohibiting the punishment for Medicaid fraud from being increased for such purposes if the offense is punishable as a first degree felony.

C.S.S.B. 622 omits a provision included in the original repealing Section 531.0315(b), Government Code, specifying that provisions of law regarding the implementation of national electronic data interchange standards for health care information do not prohibit a state agency from seeking a federal waiver from compliance under applicable federal law.

C.S.S.B. 622 contains a provision not included in the original specifying that a violation of state medical records privacy laws is subject to certain disciplinary actions if the violation is made by a covered entity, rather than by an individual or facility, that is licensed by an agency of the state. The substitute contains a provision not included in the original authorizing a licensing agency, as an alternative to revoking the covered entity's license, to refer certain cases of violations of state medical records privacy laws by a covered entity to the attorney general for the institution of an action for civil penalties and specifying that the conditions under which a licensing agency is authorized to take such action include that the violation is egregious.

C.S.S.B. 622 contains provisions not included in the original authorizing the executive commissioner of HHSC to impose an administrative penalty, not to exceed $3,000 for each violation, on a covered entity that is not licensed by a licensing agency of the state and that violates state medical records privacy laws or a rule adopted under those laws, specifying that each day a violation occurs is a separate violation, and prohibiting the total amount of penalties for all violations that occur in a year from exceeding $1.5 million. The substitute contains provisions not included in the original setting out the matters on which the amount of the administrative penalty is required to be based and the conditions under which the enforcement of the penalty may be stayed. The substitute contains provisions not included in the original authorizing the attorney general to sue to collect the penalty and establishing that a proceeding to impose such a penalty is a contested case under the Administrative Procedure Act.

C.S.S.B. 622 contains a provision not included in the original requiring a court or state agency to consider certain specified factors in determining the amount of a penalty imposed under other law in accordance with provisions relating to disciplinary action taken against a licensed covered entity that violates state medical records privacy laws.

C.S.S.B. 622 contains a provision not included in the original authorizing the attorney general to adopt rules as necessary to enforce state medical records privacy laws.

C.S.S.B. 622 contains a provision not included in the original authorizing HHSC, in coordination with specified state entities, to request that the United States secretary of health and human services conduct an audit of a covered entity in Texas to determine compliance with the federal Health Insurance Portability and Accountability Act and Privacy Standards and requiring HHSC, in coordination with those entities, to periodically monitor and review the results of audits of covered entities in Texas conducted by the United States secretary of health and human services. The substitute contains a provision not included in the original authorizing HHSC, under certain circumstances, to require a covered entity to submit to HHSC the results of a risk analysis conducted by the covered entity as described by federal law or request that the licensing agency conduct an audit of the covered entity's system to determine compliance with state medical records privacy laws. 

C.S.S.B. 622 contains provisions not included in the original related to the review of a complaint received from an individual or an individual's legally authorized representative alleging a violation of state medical records privacy laws with respect to the individual's protected health information. 

C.S.S.B. 622 contains provisions not included in the original related to an audit and complaint report required to be submitted annually to certain committees by HHSC. The substitute contains a provision not included in the original requiring HHSC and the Texas Department of Insurance, in consultation with the Texas Health Services Authority (THSA), to apply for and actively pursue available federal funding for enforcement of state medical records privacy laws.

C.S.S.B. 622 contains provisions not included in the original defining "covered entity," "disclose," and "Health Insurance Portability and Accountability Act and Privacy Standards" by reference for purposes of provisions of law relating to THSA.

C.S.S.B. 622 contains provisions not included in the original requiring THSA to develop and submit to HHSC for ratification privacy and security standards for the electronic sharing of protected health information and setting out criteria the standards must be designed to meet. The substitute contains a provision not included in the original requiring HHSC, not later than January 1, 2013, to review and by rule adopt acceptable standards submitted by THSA for ratification. The substitute contains provisions not included in the original requiring THSA to establish a process by which a covered entity may apply for certification by THSA of a covered entity's past compliance with the standards and requiring THSA to publish the standards on its Internet website.

C.S.S.B. 622 contains a provision not included in the original, for purposes of Insurance Code provisions relating to the privacy of health information, requiring a covered entity to comply with the provisions of state medical records privacy laws relating to prohibited acts and with the standards recommended by THSA and adopted by HHSC under the bill's provisions.

C.S.S.B. 622 contains provisions not included in the original adding a temporary provision, set to expire January 1, 2013, to require HHSC, in consultation with THSA and the Texas Medical Board, to review issues regarding the security and accessibility of protected health information maintained by an unsustainable covered entity and to require HHSC, not later than December 1, 2012, to submit specified recommendations regarding such protected health information to the appropriate standing committees of the senate and the house of representatives. The substitute contains a provision not included in the original defining "unsustainable covered entity" for purposes of provisions relating to the HHSC review and recommendations.

C.S.S.B. 622 contains provisions not included in the original adding a temporary provision, set to expire February 1, 2014, relating to the creation of a task force on health information technology required to develop specified recommendations relating to protected health information and to submit a report of its recommendations to the appropriate standing committees of the senate and house of representatives.  The substitute contains a provision not included in the original requiring THSA to publish the task force's report on its Internet website.

C.S.S.B. 622 contains saving provisions not included in the original and omits saving provisions included in the original. The substitute differs from the original by making the bill's provisions effective September 1, 2012, rather than January 1, 2012, as in the original.

C.S.S.B. 622 differs from the original in conforming and nonsubstantive ways.