| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the privacy of protected health information; providing |
|
|
administrative and civil penalties. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 181.001(b), Health and Safety Code, is |
|
|
amended by amending Subdivisions (1) and (3) and adding |
|
|
Subdivisions (2-a) and (2-b) to read as follows: |
|
|
(1) "Commission" ["Commissioner"] means the Health |
|
|
and Human Services Commission [commissioner of health and human
|
|
|
services]. |
|
|
(2-a) "Disclose" means to release, transfer, provide |
|
|
access to, or otherwise divulge information outside the entity |
|
|
holding the information. |
|
|
(2-b) "Executive commissioner" means the executive |
|
|
commissioner of the Health and Human Services Commission. |
|
|
(3) "Health Insurance Portability and Accountability |
|
|
Act and Privacy Standards" means the privacy requirements in |
|
|
existence on September 1, 2011 [August 14, 2002], of the |
|
|
Administrative Simplification subtitle of the Health Insurance |
|
|
Portability and Accountability Act of 1996 (Pub. L. No. 104-191) |
|
|
contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A |
|
|
and E. |
|
|
SECTION 2. Subchapter A, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Section 181.004 to read as follows: |
|
|
Sec. 181.004. APPLICABILITY OF STATE AND FEDERAL LAW. (a) |
|
|
A covered entity, as that term is defined by 45 C.F.R. Section |
|
|
160.103, shall comply with the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards. |
|
|
(b) Subject to Section 181.051, a covered entity, as that |
|
|
term is defined by Section 181.001, shall comply with this chapter. |
|
|
SECTION 3. Section 181.005, Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
Sec. 181.005. DUTIES OF THE EXECUTIVE COMMISSIONER. (a) |
|
|
The executive commissioner shall administer this chapter and may |
|
|
adopt rules consistent with the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards to administer this |
|
|
chapter. |
|
|
(b) The executive commissioner shall review amendments to |
|
|
the definitions in 45 C.F.R. Parts 160 and 164 that occur after |
|
|
September 1, 2011 [August 14, 2002], and determine whether it is in |
|
|
the best interest of the state to adopt the amended federal |
|
|
regulations. If the executive commissioner determines that it is |
|
|
in the best interest of the state to adopt the amended federal |
|
|
regulations, the amended regulations shall apply as required by |
|
|
this chapter. |
|
|
(c) In making a determination under this section, the |
|
|
executive commissioner must consider, in addition to other factors |
|
|
affecting the public interest, the beneficial and adverse effects |
|
|
the amendments would have on: |
|
|
(1) the lives of individuals in this state and their |
|
|
expectations of privacy; and |
|
|
(2) governmental entities, institutions of higher |
|
|
education, state-owned teaching hospitals, private businesses, and |
|
|
commerce in this state. |
|
|
(d) The executive commissioner shall prepare a report of the |
|
|
executive commissioner's determination made under this section and |
|
|
shall file the report with the presiding officer of each house of |
|
|
the legislature before the 30th day after the date the |
|
|
determination is made. The report must include an explanation of |
|
|
the reasons for the determination. |
|
|
SECTION 4. Subchapter D, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Sections 181.153 and 181.154 to read as |
|
|
follows: |
|
|
Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION |
|
|
PROHIBITED; EXCEPTIONS. (a) A covered entity may not disclose an |
|
|
individual's protected health information to any other person in |
|
|
exchange for direct or indirect remuneration, except that a covered |
|
|
entity may disclose an individual's protected health information: |
|
|
(1) to another covered entity, as that term is defined |
|
|
by Section 181.001, or to a covered entity, as that term is defined |
|
|
by Section 602.001, Insurance Code, for the purpose of: |
|
|
(A) treatment; |
|
|
(B) payment; |
|
|
(C) health care operations; or |
|
|
(D) performing an insurance or health |
|
|
maintenance organization function described by Section 602.053, |
|
|
Insurance Code; or |
|
|
(2) as otherwise authorized or required by state or |
|
|
federal law. |
|
|
(b) The direct or indirect remuneration a covered entity |
|
|
receives for making a disclosure of protected health information |
|
|
authorized by Subsection (a)(1)(D) may not exceed the covered |
|
|
entity's reasonable costs of preparing or transmitting the |
|
|
protected health information. |
|
|
Sec. 181.154. NOTICE AND AUTHORIZATION REQUIRED FOR |
|
|
ELECTRONIC DISCLOSURE OF PROTECTED HEALTH INFORMATION; EXCEPTIONS. |
|
|
(a) A covered entity shall provide notice to an individual for whom |
|
|
the covered entity creates or receives protected health information |
|
|
if the individual's protected health information is subject to |
|
|
electronic disclosure. A covered entity may provide general notice |
|
|
by: |
|
|
(1) posting a written notice in the covered entity's |
|
|
place of business; |
|
|
(2) posting a notice on the covered entity's Internet |
|
|
website; or |
|
|
(3) posting a notice in any other place where |
|
|
individuals whose protected health information is subject to |
|
|
electronic disclosure are likely to see the notice. |
|
|
(b) Except as provided by Subsection (c), a covered entity |
|
|
may not electronically disclose an individual's protected health |
|
|
information to any person without a separate authorization from the |
|
|
individual or the individual's legally authorized representative |
|
|
for each disclosure. An authorization for disclosure under this |
|
|
subsection may be made in written or electronic form or in oral form |
|
|
if it is documented in writing by the covered entity. |
|
|
(c) The authorization for electronic disclosure of |
|
|
protected health information described by Subsection (b) is not |
|
|
required if the disclosure is made: |
|
|
(1) to another covered entity, as that term is defined |
|
|
by Section 181.001, or to a covered entity, as that term is defined |
|
|
by Section 602.001, Insurance Code, for the purpose of: |
|
|
(A) treatment; |
|
|
(B) payment; or |
|
|
(C) health care operations; or |
|
|
(2) as authorized or required by state or federal law. |
|
|
(d) The attorney general by rule shall adopt a standard |
|
|
authorization form for use in complying with this section. The form |
|
|
must comply with the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards and this chapter. |
|
|
(e) This section does not apply to a covered entity, as |
|
|
defined by Section 602.001, Insurance Code, if that entity is not a |
|
|
covered entity as defined by 45 C.F.R. Section 160.103 or Section |
|
|
181.001 of this code. |
|
|
SECTION 5. Section 181.201, Health and Safety Code, is |
|
|
amended by amending Subsection (c) and adding Subsections (d), (e), |
|
|
and (f) to read as follows: |
|
|
(c) If the court in which an action under Subsection (b) is |
|
|
pending finds that the violations have occurred with a frequency as |
|
|
to constitute a pattern or practice, the court may assess a civil |
|
|
penalty not to exceed $1.5 million annually [$250,000]. |
|
|
(d) In determining the amount of a penalty imposed under |
|
|
Subsection (b), the court shall consider: |
|
|
(1) the seriousness of the violation, including the |
|
|
nature, circumstances, extent, and gravity of the disclosure; |
|
|
(2) the covered entity's compliance history; |
|
|
(3) whether the violation poses a significant risk of |
|
|
financial, reputational, or other harm to an individual whose |
|
|
protected health information is involved in the violation; |
|
|
(4) whether the covered entity was certified at the |
|
|
time of the violation as described by Section 182.108; |
|
|
(5) the amount necessary to deter a future violation; |
|
|
and |
|
|
(6) the covered entity's efforts to correct the |
|
|
violation. |
|
|
(e) The attorney general may institute an action against a |
|
|
covered entity that is licensed by a licensing agency of this state |
|
|
for a civil penalty under this section only if the licensing agency |
|
|
refers the violation to the attorney general under Section |
|
|
181.202(2). |
|
|
(f) The office of the attorney general may retain a |
|
|
reasonable portion of a civil penalty recovered under this section, |
|
|
not to exceed amounts specified in the General Appropriations Act, |
|
|
for the enforcement of this subchapter. |
|
|
SECTION 6. Section 181.202, Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
Sec. 181.202. DISCIPLINARY ACTION. In addition to the |
|
|
penalties prescribed by this chapter, a violation of this chapter |
|
|
by a covered entity [an individual or facility] that is licensed by |
|
|
an agency of this state is subject to investigation and |
|
|
disciplinary proceedings, including probation or suspension by the |
|
|
licensing agency. If there is evidence that the violations of this |
|
|
chapter are egregious and constitute a pattern or practice, the |
|
|
agency may: |
|
|
(1) revoke the covered entity's [individual's or
|
|
|
facility's] license; or |
|
|
(2) refer the covered entity's case to the attorney |
|
|
general for the institution of an action for civil penalties under |
|
|
Section 181.201(b). |
|
|
SECTION 7. Subchapter E, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Section 181.204 to read as follows: |
|
|
Sec. 181.204. ADMINISTRATIVE PENALTY. (a) The executive |
|
|
commissioner may impose an administrative penalty on a covered |
|
|
entity that is not licensed by a licensing agency of this state and |
|
|
that violates this chapter or a rule adopted under this chapter. |
|
|
(b) The amount of the penalty may not exceed $3,000 for each |
|
|
violation, and each day a violation continues or occurs is a |
|
|
separate violation for the purpose of imposing a penalty. The |
|
|
amount shall be based on: |
|
|
(1) the seriousness of the violation, including the |
|
|
nature, circumstances, extent, and gravity of the disclosure; |
|
|
(2) the covered entity's compliance history; |
|
|
(3) whether the violation poses a significant risk of |
|
|
financial, reputational, or other harm to an individual whose |
|
|
protected health information is involved in the violation; |
|
|
(4) whether the covered entity was certified at the |
|
|
time of the violation as described by Section 182.108; |
|
|
(5) the amount necessary to deter a future violation; |
|
|
and |
|
|
(6) the covered entity's efforts to correct the |
|
|
violation. |
|
|
(c) The enforcement of the penalty may be stayed during the |
|
|
time the order is under judicial review if the covered entity pays |
|
|
the penalty to the clerk of the court or files a supersedeas bond |
|
|
with the court in the amount of the penalty. A covered entity that |
|
|
cannot afford to pay the penalty or file the bond may stay the |
|
|
enforcement by filing an affidavit in the manner required by the |
|
|
Texas Rules of Civil Procedure for a party who cannot afford to file |
|
|
security for costs, subject to the right of the executive |
|
|
commissioner to contest the affidavit as provided by those rules. |
|
|
(d) The attorney general may sue to collect the penalty. |
|
|
(e) A proceeding to impose the penalty is a contested case |
|
|
under Chapter 2001, Government Code. |
|
|
SECTION 8. Section 181.205, Health and Safety Code, is |
|
|
amended by amending Subsection (b) and adding Subsection (c) to |
|
|
read as follows: |
|
|
(b) In determining the amount of a penalty imposed under |
|
|
other law in accordance with Section 181.202, a court or state |
|
|
agency shall consider the following factors: |
|
|
(1) the seriousness of the violation, including the |
|
|
nature, circumstances, extent, and gravity of the disclosure; |
|
|
(2) the covered entity's compliance history; |
|
|
(3) whether the violation poses a significant risk of |
|
|
financial, reputational, or other harm to an individual whose |
|
|
protected health information is involved in the violation; |
|
|
(4) whether the covered entity was certified at the |
|
|
time of the violation as described by Section 182.108; |
|
|
(5) the amount necessary to deter a future violation; |
|
|
and |
|
|
(6) the covered entity's efforts to correct the |
|
|
violation. |
|
|
(c) On receipt of evidence under Subsections [Subsection] |
|
|
(a) and (b), a court or state agency shall consider the evidence and |
|
|
mitigate imposition of an administrative penalty or assessment of a |
|
|
civil penalty accordingly. |
|
|
SECTION 9. Subchapter E, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Sections 181.206, 181.207, 181.208, |
|
|
181.209, and 181.210 to read as follows: |
|
|
Sec. 181.206. RULES. The attorney general may adopt rules |
|
|
as necessary to enforce this chapter. |
|
|
Sec. 181.207. AUDITS OF COVERED ENTITIES. (a) The |
|
|
commission, in coordination with the attorney general, the Texas |
|
|
Health Services Authority, and the Texas Department of Insurance: |
|
|
(1) may request that the United States secretary of |
|
|
health and human services conduct an audit of a covered entity in |
|
|
this state to determine compliance with the Health Insurance |
|
|
Portability and Accountability Act and Privacy Standards; and |
|
|
(2) shall periodically monitor and review the results |
|
|
of audits of covered entities in this state conducted by the United |
|
|
States secretary of health and human services. |
|
|
(b) If the commission has evidence that a covered entity has |
|
|
committed violations of this chapter that are egregious and |
|
|
constitute a pattern or practice, the commission may: |
|
|
(1) require the covered entity to submit to the |
|
|
commission the results of a risk analysis conducted by the covered |
|
|
entity as described by 45 C.F.R. Section 164.308(a)(1)(ii)(A); or |
|
|
(2) if the covered entity is licensed by a licensing |
|
|
agency of this state, request that the licensing agency conduct an |
|
|
audit of the covered entity's system to determine compliance with |
|
|
the provisions of this chapter. |
|
|
Sec. 181.208. REVIEW OF COMPLAINT BY COMMISSION. (a) The |
|
|
commission shall review a complaint received from an individual or |
|
|
an individual's legally authorized representative alleging that a |
|
|
covered entity violated this chapter with respect to the |
|
|
individual's protected health information. |
|
|
(b) The commission shall refer a complaint reviewed under |
|
|
Subsection (a) to the appropriate licensing agency or the attorney |
|
|
general, as applicable. |
|
|
Sec. 181.209. AUDIT AND COMPLAINT REPORT BY COMMISSION. |
|
|
(a) The commission annually shall submit to the appropriate |
|
|
standing committees of the senate and the house of representatives |
|
|
a report that includes: |
|
|
(1) the number and types of complaints received by the |
|
|
commission regarding violations of this chapter; |
|
|
(2) enforcement action taken by the commission, a |
|
|
licensing agency, or the office of the attorney general under this |
|
|
chapter; and |
|
|
(3) the number of federal audits of covered entities |
|
|
in this state conducted and the number of audits required under |
|
|
Section 181.207(b). |
|
|
(b) The commission and the Texas Health Services Authority |
|
|
shall each publish the report required by Subsection (a) on the |
|
|
agency's Internet website. |
|
|
Sec. 181.210. FUNDING. The commission and the Texas |
|
|
Department of Insurance, in consultation with the Texas Health |
|
|
Services Authority, shall apply for and actively pursue available |
|
|
federal funding for enforcement of this chapter. |
|
|
SECTION 10. Section 182.002, Health and Safety Code, is |
|
|
amended by adding Subdivisions (2-a), (3-a), and (3-b) to read as |
|
|
follows: |
|
|
(2-a) "Covered entity" has the meaning assigned by |
|
|
Section 181.001. |
|
|
(3-a) "Disclose" has the meaning assigned by Section |
|
|
181.001. |
|
|
(3-b) "Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards" has the meaning assigned |
|
|
by Section 181.001. |
|
|
SECTION 11. Subchapter C, Chapter 182, Health and Safety |
|
|
Code, is amended by adding Section 182.108 to read as follows: |
|
|
Sec. 182.108. STANDARDS FOR ELECTRONIC SHARING OF PROTECTED |
|
|
HEALTH INFORMATION; COVERED ENTITY CERTIFICATION. (a) The |
|
|
corporation shall develop and submit to the commission for |
|
|
ratification privacy and security standards for the electronic |
|
|
sharing of protected health information. |
|
|
(b) The commission shall review and by rule adopt acceptable |
|
|
standards submitted for ratification under Subsection (a). |
|
|
(c) Standards adopted under Subsection (b) must be designed |
|
|
to: |
|
|
(1) comply with the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards and Chapter 181; |
|
|
(2) comply with any other state and federal law |
|
|
relating to the security and confidentiality of information |
|
|
electronically maintained or disclosed by a covered entity; |
|
|
(3) ensure the secure maintenance and disclosure of |
|
|
personally identifiable health information; |
|
|
(4) include strategies and procedures for disclosing |
|
|
personally identifiable health information; and |
|
|
(5) support a level of system interoperability with |
|
|
existing health record databases in this state that is consistent |
|
|
with emerging standards. |
|
|
(d) The corporation shall establish a process by which a |
|
|
covered entity may apply for certification by the corporation of a |
|
|
covered entity's past compliance with standards adopted under |
|
|
Subsection (b). |
|
|
(e) The corporation shall publish the standards adopted |
|
|
under Subsection (b) on the corporation's Internet website. |
|
|
SECTION 12. Subchapter B, Chapter 602, Insurance Code, is |
|
|
amended by adding Section 602.054 to read as follows: |
|
|
Sec. 602.054. COMPLIANCE WITH OTHER LAW. A covered entity |
|
|
shall comply with: |
|
|
(1) Subchapter D, Chapter 181, Health and Safety Code, |
|
|
except as otherwise provided by that subchapter; and |
|
|
(2) the standards adopted under Section 182.108, |
|
|
Health and Safety Code. |
|
|
SECTION 13. (a) In this section, "unsustainable covered |
|
|
entity" means a covered entity, as defined by Section 181.001, |
|
|
Health and Safety Code, that ceases to operate. |
|
|
(b) The Health and Human Services Commission, in |
|
|
consultation with the Texas Health Services Authority and the Texas |
|
|
Medical Board, shall review issues regarding the security and |
|
|
accessibility of protected health information maintained by an |
|
|
unsustainable covered entity. |
|
|
(c) Not later than December 1, 2012, the Health and Human |
|
|
Services Commission shall submit to the appropriate standing |
|
|
committees of the senate and the house of representatives |
|
|
recommendations for: |
|
|
(1) the state agency to which the protected health |
|
|
information maintained by an unsustainable covered entity should be |
|
|
transferred for storage; |
|
|
(2) ensuring the security of protected health |
|
|
information maintained by unsustainable covered entities in this |
|
|
state, including secure transfer methods from the covered entity to |
|
|
the state; |
|
|
(3) the method and period of time for which protected |
|
|
health information should be maintained by the state after transfer |
|
|
from an unsustainable covered entity; |
|
|
(4) methods and processes by which an individual |
|
|
should be able to access the individual's protected health |
|
|
information after transfer to the state; and |
|
|
(5) funding for the storage of protected health |
|
|
information after transfer to the state. |
|
|
(d) This section expires January 1, 2013. |
|
|
SECTION 14. (a) A task force on health information |
|
|
technology is created. |
|
|
(b) The task force is composed of: |
|
|
(1) 11 members appointed by the attorney general with |
|
|
the advice of the chairs of the standing committees of the senate |
|
|
and house of representatives having primary jurisdiction over |
|
|
health information technology issues, including: |
|
|
(A) at least two physicians; |
|
|
(B) at least two individuals who represent |
|
|
hospitals; and |
|
|
(C) at least one private citizen who represents |
|
|
patient and parental rights; and |
|
|
(2) the following ex officio members: |
|
|
(A) the executive commissioner of the Health and |
|
|
Human Services Commission or an employee of the commission |
|
|
designated by the executive commissioner; |
|
|
(B) the commissioner of the Department of State |
|
|
Health Services or an employee of the department designated by the |
|
|
commissioner; and |
|
|
(C) the presiding officer of the Texas Health |
|
|
Services Authority or an employee of the authority designated by |
|
|
the presiding officer. |
|
|
(c) Not later than December 1, 2012, the attorney general |
|
|
shall appoint the members of the task force and appoint a chair of |
|
|
the task force from among its membership. The chair of the task |
|
|
force must have expertise in: |
|
|
(1) state and federal health information privacy law; |
|
|
(2) patient rights; and |
|
|
(3) electronic signatures and other consent tools. |
|
|
(d) The task force shall develop recommendations regarding: |
|
|
(1) the improvement of informed consent protocols for |
|
|
the electronic exchange of protected health information, as that |
|
|
term is defined by the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards, as defined by Section |
|
|
181.001, Health and Safety Code, as amended by this Act; |
|
|
(2) the improvement of patient access to and use of |
|
|
electronically maintained and disclosed protected health |
|
|
information for the purpose of personal health and coordination of |
|
|
health care services; and |
|
|
(3) any other critical issues, as determined by the |
|
|
task force, related to the exchange of protected health |
|
|
information. |
|
|
(e) Not later than January 1, 2014, the task force shall |
|
|
submit to the standing committees of the senate and house of |
|
|
representatives having primary jurisdiction over health |
|
|
information technology issues and the Texas Health Services |
|
|
Authority a report including the task force's recommendations under |
|
|
Subsection (d). |
|
|
(f) The Texas Health Services Authority shall publish the |
|
|
report submitted under Subsection (e) on the authority's Internet |
|
|
website. |
|
|
(g) This section expires February 1, 2014. |
|
|
SECTION 15. Not later than January 1, 2013: |
|
|
(1) the attorney general shall adopt the form required |
|
|
by Section 181.154, Health and Safety Code, as added by this Act; |
|
|
and |
|
|
(2) the Health and Human Services Commission shall |
|
|
adopt the standards required by Section 182.108, Health and Safety |
|
|
Code, as added by this Act. |
|
|
SECTION 16. The change in law made by Section 181.154, |
|
|
Health and Safety Code, as added by this Act, applies only to an |
|
|
electronic disclosure of protected health information made on or |
|
|
after the effective date of this Act. An electronic disclosure of |
|
|
protected health information made before the effective date of this |
|
|
Act is governed by the law in effect at the time the disclosure was |
|
|
made, and the former law is continued in effect for that purpose. |
|
|
SECTION 17. This Act takes effect September 1, 2012. |