BILL ANALYSIS

Senate Research Center
S.B. 622
By: Nelson
Health & Human Services
3/7/2011
As Filed

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

S.B. 622 seeks to improve the privacy of patient medical information in Texas.

 

The key provisions include: updating statutes to reflect advances in health information technology and the increasing use of electronic health records; increasing penalties for violations, including the use of protected health information; requiring covered entities to provide training to staff on sharing or exchanging protected health information; requiring state agencies disseminating protected health information to notify the person receiving the information in writing of the restrictions on use and disclosure of the information; prohibiting the sale of protected health information; and establishing a timeline for when a health care provider must provide a patient's medical record.

 

As proposed, S.B. 622 amends current law relating to the privacy of protected health information and personal information, and providing civil and criminal penalties.

 

RULEMAKING AUTHORITY

 

Rulemaking authority previously granted to the commissioner of health and human services is transferred to the executive commissioner of the Health and Human Services Commission and modified in SECTION 3 (Section 181.005, Health and Safety Code) of this bill.

 

Rulemaking authority is expressly granted to the executive commissioner of the Health and Human Services Commission in SECTION 4 (Sections 181.101 and 181.104, Health and Safety Code) of this bill.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1.  Amends Section 181.001(b), Health and Safety Code, by amending Subdivisions (1), (3), and (4) and adding Subdivision (2-a), as follows:

 

(1) Defines "commission," rather than "commissioner."

 

(2-a) Defines "executive commissioner."

 

(3) Redefines "Health Insurance Portability and Accountability Act and Privacy Standards."

 

(4) Redefines "marketing."

 

SECTION 2.  Amends Subchapter A, Chapter 181, Health and Safety Code, by adding Section 181.004, as follows:

 

Sec. 181.004.  Applicability of Federal Law and Commission Rules.  Requires a covered entity to comply with the Health Insurance Portability and Accountability Act (HIPAA) and Privacy Standards, and the rules adopted under Sections 181.005 and 181.101(a).

 

SECTION 3.  Amends Section 181.005, as follows:

 

Sec. 181.005.  New heading: DUTIES OF THE EXECUTIVE COMMISSIONER.  (a) Requires the executive commissioner of the Health and Human Services Commission (HHSC; executive commissioner) to administer this chapter and authorizes the executive commissioner to adopt rules consistent with HIPAA and Privacy Standards to administer this chapter.

 

(b) Requires the executive commissioner to review amendments to the definitions in 45 C.F.R. Parts 160 and 164 that occur after September 1, 2011, rather than after August 14, 2002, and determine whether it is in the best interest of the state to adopt the amended federal regulations.  Requires that the amended regulations, if the executive commissioner determines that it is in the best interest of the state to adopt the amended federal regulations, apply as required by this chapter.

 

(c)-(d) Makes conforming changes.

 

SECTION 4.  Amends Chapter 181, Health and Safety Code, by adding Subchapter C, as follows:

 

SUBCHAPTER C.  ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION

 

Sec. 181.101.  COMMISSION RULES.  Requires the executive commissioner to adopt rules consistent with HIPAA and Privacy Standards relating to sharing or exchanging protected health information.

 

Sec. 181.102.  TRAINING REQUIRED.  (a) Requires each covered entity to provide to employees of the entity a training program regarding state and federal law concerning protected health information.

 

(b) Requires each employee of a covered entity to attend the training program required by this section not later than the 30th day after the date the employee is hired by the entity and to attend supplemental training every two years or sooner, as required by executive commissioner rule, if there is a material change in the rules adopted by the executive commissioner under Section 181.101.

 

(c) Requires each covered entity to require an employee of the entity who attends a training program required by this section to sign a statement verifying the employee's attendance at the training program.  Requires the covered entity to file the statement in the employee's personnel file.

 

Sec. 181.103.  NOTIFICATION AND ACCEPTANCE REQUIRED.  Provides that before a state agency electronically disseminates protected health information to another person or allows the other person to electronically access protected health information maintained by the agency:

 

(1) the state agency in writing must notify the other person of legal restrictions on the use and disclosure of the protected health information to be disseminated or accessed; and

 

(2) the person who receives notice from the state agency under Subdivision (1) in writing must acknowledge receipt, understanding, and acceptance of the restrictions on use and disclosure of the protected health information to be received or accessed.

 

Sec. 181.104.  CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS.  (a) Requires the health care provider, not later than the fifth business day after the date a health care provider receives a request from a person for the person's electronic health record, to provide the record to the person in electronic form unless the person agrees to accept the record in another form.

 

(b) Requires the executive commissioner, in consultation with the Department of State Health Services (DSHS), the Texas Medical Board (TMB), and the Texas Department of Insurance (TDI), for purposes of Subsection (a), by rule to designate a standard electronic format for the release of requested health records.

 

Sec. 181.105.  CONSUMER INFORMATION WEBSITE.  Requires the attorney general to maintain an Internet website that provides:

 

(1) information concerning a consumer's privacy rights regarding protected health information under federal and state law;

 

(2) a list of the state agencies, including DSHS, TMB, and TDI, that regulate covered entities in this state and the types of entities each agency regulates;

 

(3) detailed information regarding each agency's complaint enforcement process; and

 

(4) contact information, including the address of the agency's Internet website, for each agency listed under Subdivision (2) for reporting a violation of this chapter.

 

Sec. 181.106.  CONSUMER COMPLAINT REPORT BY ATTORNEY GENERAL.  (a) Requires the attorney general annually to submit to the legislature a report describing:

 

(1) the number and types of complaints received by the attorney general and by the state agencies receiving consumer complaints under Section 181.105; and

 

(2) the enforcement action taken in response to each complaint reported under Subdivision (1).

 

(b) Requires each state agency that receives consumer complaints under Section 181.105 to submit to the attorney general, in the form required by the attorney general, the information the attorney general requires to compile the report required by Subsection (a).

 

(c) Requires the attorney general to deidentify protected health information from the individual to whom the information pertains before including the information in the report required by Subsection (a).

 

SECTION 5.  Amends Subchapter D, Chapter 181, Health and Safety Code, by adding Section 181.153, as follows:

 

Sec. 181.153.  SALE OF PROTECTED HEALTH INFORMATION PROHIBITED.  Prohibits a covered entity from disclosing protected health information to any person in exchange for direct or indirect remuneration.

 

SECTION 6.  Amends Sections 181.201(b) and (c), Health and Safety Code, as follows: 

 

(b) Authorizes the attorney general, in addition to the injunctive relief provided by Subsection (a) (relating to authorizing the attorney general to institute an action for injunctive relief to restrain a violation of this chapter), to institute an action for civil penalties against a covered entity for a violation of this chapter.  Prohibits a civil penalty assessed under this section from exceeding:

 

(1) $5,000, rather than $3,000, for each violation committed negligently;

 

(2) $25,000 for each violation committed knowingly or intentionally; or

 

(3) $250,000 for each violation in which the covered entity knowingly or intentionally uses protected health information for financial gain.

 

(c) Authorizes the court, if the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, to assess a civil penalty in an amount the court finds necessary to deter future violations of this chapter, rather than a civil penalty not to exceed $250,000.

 

SECTION 7.  Amends Section 521.053(b), Business & Commerce Code, as follows:

 

(b) Requires a person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information to disclose any breach of system security, after discovering or receiving notification of the breach, to any individual, rather than to any resident of this state, whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Requires that the disclosure be made as quickly as possible, except as provided by Subsection (d) (relating to delaying notice if the notification will impede a criminal investigation) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

 

SECTION 8.  Amends Section 521.151, Business & Commerce Code, by adding Subsection (a-1), as follows:

 

(a-1) Provides that in addition to penalties assessed under Subsection (a) (relating to the civil penalty to be enforced on a person violating this chapter), a person who fails to take reasonable action to comply with Section 521.053(b) is liable to this state for a civil penalty of not more than $100 for each individual to whom notification is due under that subsection for each consecutive day that the person fails to take reasonable action to comply with that subsection.  Prohibits civil penalties under this section from exceeding $250,000 for all individuals to whom notification is due after a single breach.  Authorizes the attorney general to bring an action to recover the civil penalties imposed under this subsection.

 

SECTION 9.  Amends Section 522.002(b), Business & Commerce Code, to provide that an offense under this section is a Class B misdemeanor, except that the offense is a state jail felony if the information accessed, read, scanned, stored, or transferred was protected health information as defined by HIPAA and Privacy Standards, as defined by Section 181.001, Health and Safety Code.

 

SECTION 10.  Amends Section 531.001, Government Code, by adding Subdivision (4-a), to define "protected health information."

 

SECTION 11.  Amends Section 531.0315(a), Government Code, as follows:

 

(a) Requires each health and human services agency and every other state agency that acts as a health care provider or a claims payer for the provision of health care to process information related to health care in compliance with national data interchange standards adopted under Subtitle F, Title II, Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and its subsequent amendments, within the applicable deadline established under federal law or federal regulations.  Deletes existing Subdivision (1) designation.  Deletes existing text requiring the various agencies to demonstrate to HHSC the reasons the agency should not be required to comply with Subdivision (1), and obtain the commission's approval, to the extent allowed under federal law, to comply with the standards at a later date, or to not comply with one or more of the standards.  Makes nonsubstantive changes.

 

SECTION 12.  Amends Subchapter B, Chapter 531, Government Code, by adding Section 531.0994, as follows:

 

Sec. 531.0994.  STUDY; ANNUAL REPORT.  (a) Requires HHSC to explore and evaluate new developments in safeguarding protected health information.

 

(b) Requires HHSC, not later than December 1 each year, to report to the legislature on new developments in safeguarding protected health information and recommendations for the implementation of safeguards within HHSC.

 

SECTION 13.  Amends Section 31.03(f), Penal Code, as follows:

 

(f)  Provides that an offense described for purposes of punishment by Subsections (e)(1-6) (relating to the magnitude of the penalty associated with the magnitude of the offense) is increased to the next higher category of offense if it is shown on the trial of the offense that certain conditions are met, including that the property appropriated was a document containing protected health information, as that term is defined by HIPAA and Privacy Standards, as defined by Section 181.001, Health and Safety Code.  Makes a nonsubstantive change.

 

SECTION 14.  Amends Section 32.51(c-1), Penal Code, as follows:

 

(c-1) Provides that an offense described for purposes of punishment by Subsections (c)(1)-(3) (relating to the magnitude of the penalty associated with the magnitude of the offense) is increased to the next higher category of offense if it is shown on the trial of the offense that:

 

(1) the offense was committed against an elderly individual as defined by Section 22.04 (Injury to a Child, Elderly Individual, or Disabled Individual); or

 

(2) the information obtained, possessed, transferred, or used in the commission of the offense was protected health information, as that term is defined by HIPAA and Privacy Standards, as defined by Section 181.001, Health and Safety Code.

 

SECTION 15.  Amends Section 33.02(b), Penal Code, as follows:

 

(b) Provides that an offense under this section is a Class B misdemeanor unless in committing the offense the actor:

 

(1) knowingly obtains a benefit, defrauds or harms another, or alters, damages, or deletes property, in which event the offense is a certain category of criminal offense based on the aggregate amount of the offense set forth; or 

 

(2) accesses protected health information, as that term is defined by the HIPAA and Privacy Standards, as defined by Section 181.001, Health and Safety Code, in which event the offense is a state jail felony.  Makes nonsubstantive changes.

 

SECTION 16.  Amends Section 35A.02, Penal Code, by adding Subsections (b-1) and (b-2), as follows:

 

(b-1) Provides that except as provided by Subsection (b-2), the punishment prescribed for an offense under this section is increased to the punishment prescribed for the next highest category of offense if it is shown on the trial of the offense that protected health information, as that term is defined by HIPAA and Privacy Standards, as defined by Section 181.001, Health and Safety Code, was used in commission of the offense.

 

(b-2)  Prohibits the punishment for an offense described by this section from being increased under Subsection (b-1) if the offense is punishable as a felony of the first degree.

 

SECTION 17.  Repealer:  Section 531.0315(b) (relating to not prohibiting a state agency from seeking a federal waiver from compliance under applicable federal law), Government Code.

 

SECTION 18.  Requires the executive commissioner, not later than January 1, 2012, to adopt rules as required by Section 181.101, Health and Safety Code, as added by this Act.

 

SECTION 19.  (a) Requires the attorney general, not later than January 1, 2012, to establish the Internet website required by Section 181.105, Health and Safety Code, as added by this Act. 

 

(b) Requires the attorney general, not later than December 1, 2012, to submit the initial report required by Section 181.106, Health and Safety Code, as added by this Act.

 

SECTION 20.  Requires HHSC, not later than December 1, 2012, to submit the initial report required by Section 531.0994, Government Code, as added by this Act.

 

SECTION 21.  Makes application of changes in law made by Section 181.201, Health and Safety Code, as amended by this Act, Section 521.053(b), Business & Commerce Code, as amended by this Act, and Section 521.151(a-1), Business & Commerce Code, as added by this Act, prospective.

 

SECTION 22.  Makes application of changes in law made by Section 522.002, Business & Commerce Code, and Sections 31.03, 32.51, and 33.02, Penal Code, as amended by this Act, and Sections 35A.02(b-1) and (b-2), Penal Code, as added by this Act, prospective.

 

SECTION 23.  Effective date: September 1, 2011.