| |
| |
| |
|
|
AN ACT
|
|
|
relating to the privacy of protected health information; providing |
|
|
administrative, civil, and criminal penalties. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 181.001(b), Health and Safety Code, is |
|
|
amended by amending Subdivisions (1) and (3) and adding |
|
|
Subdivisions (2-a) and (2-b) to read as follows: |
|
|
(1) "Commission" ["Commissioner"] means the Health |
|
|
and Human Services Commission [commissioner of health and human
|
|
|
services]. |
|
|
(2-a) "Disclose" means to release, transfer, provide |
|
|
access to, or otherwise divulge information outside the entity |
|
|
holding the information. |
|
|
(2-b) "Executive commissioner" means the executive |
|
|
commissioner of the Health and Human Services Commission. |
|
|
(3) "Health Insurance Portability and Accountability |
|
|
Act and Privacy Standards" means the privacy requirements in |
|
|
existence on September 1, 2011 [August 14, 2002], of the |
|
|
Administrative Simplification subtitle of the Health Insurance |
|
|
Portability and Accountability Act of 1996 (Pub. L. No. 104-191) |
|
|
contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A |
|
|
and E. |
|
|
SECTION 2. Subchapter A, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Section 181.004 to read as follows: |
|
|
Sec. 181.004. APPLICABILITY OF STATE AND FEDERAL LAW. (a) |
|
|
A covered entity, as that term is defined by 45 C.F.R. Section |
|
|
160.103, shall comply with the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards. |
|
|
(b) Subject to Section 181.051, a covered entity, as that |
|
|
term is defined by Section 181.001, shall comply with this chapter. |
|
|
SECTION 3. Section 181.005, Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
Sec. 181.005. DUTIES OF THE EXECUTIVE COMMISSIONER. (a) |
|
|
The executive commissioner shall administer this chapter and may |
|
|
adopt rules consistent with the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards to administer this |
|
|
chapter. |
|
|
(b) The executive commissioner shall review amendments to |
|
|
the definitions in 45 C.F.R. Parts 160 and 164 that occur after |
|
|
September 1, 2011 [August 14, 2002], and determine whether it is in |
|
|
the best interest of the state to adopt the amended federal |
|
|
regulations. If the executive commissioner determines that it is |
|
|
in the best interest of the state to adopt the amended federal |
|
|
regulations, the amended regulations shall apply as required by |
|
|
this chapter. |
|
|
(c) In making a determination under this section, the |
|
|
executive commissioner must consider, in addition to other factors |
|
|
affecting the public interest, the beneficial and adverse effects |
|
|
the amendments would have on: |
|
|
(1) the lives of individuals in this state and their |
|
|
expectations of privacy; and |
|
|
(2) governmental entities, institutions of higher |
|
|
education, state-owned teaching hospitals, private businesses, and |
|
|
commerce in this state. |
|
|
(d) The executive commissioner shall prepare a report of the |
|
|
executive commissioner's determination made under this section and |
|
|
shall file the report with the presiding officer of each house of |
|
|
the legislature before the 30th day after the date the |
|
|
determination is made. The report must include an explanation of |
|
|
the reasons for the determination. |
|
|
SECTION 4. Section 181.006, Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
Sec. 181.006. PROTECTED HEALTH INFORMATION NOT PUBLIC. |
|
|
Notwithstanding Sections 181.004 and 181.051, for [For] a covered |
|
|
entity that is a governmental unit, an individual's protected |
|
|
health information: |
|
|
(1) includes any information that reflects that an |
|
|
individual received health care from the covered entity; and |
|
|
(2) is not public information and is not subject to |
|
|
disclosure under Chapter 552, Government Code. |
|
|
SECTION 5. Subchapter B, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Section 181.059 to read as follows: |
|
|
Sec. 181.059. CRIME VICTIM COMPENSATION. This chapter does |
|
|
not apply to any person or entity in connection with providing, |
|
|
administering, supporting, or coordinating any of the benefits |
|
|
regarding compensation to victims of crime as provided by |
|
|
Subchapter B, Chapter 56, Code of Criminal Procedure. |
|
|
SECTION 6. Chapter 181, Health and Safety Code, is amended |
|
|
by adding Subchapter C to read as follows: |
|
|
SUBCHAPTER C. ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION |
|
|
Sec. 181.101. TRAINING REQUIRED. (a) Each covered entity |
|
|
shall provide a training program to employees of the covered entity |
|
|
regarding the state and federal law concerning protected health |
|
|
information as it relates to: |
|
|
(1) the covered entity's particular course of |
|
|
business; and |
|
|
(2) each employee's scope of employment. |
|
|
(b) An employee of a covered entity must complete training |
|
|
described by Subsection (a) not later than the 60th day after the |
|
|
date the employee is hired by the covered entity. |
|
|
(c) An employee of a covered entity shall receive training |
|
|
described by Subsection (a) at least once every two years. |
|
|
(d) A covered entity shall require an employee of the entity |
|
|
who attends a training program described by Subsection (a) to sign, |
|
|
electronically or in writing, a statement verifying the employee's |
|
|
attendance at the training program. The covered entity shall |
|
|
maintain the signed statement. |
|
|
Sec. 181.102. CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS. |
|
|
(a) Except as provided by Subsection (b), if a health care |
|
|
provider is using an electronic health records system that is |
|
|
capable of fulfilling the request, the health care provider, not |
|
|
later than the 15th business day after the date the health care |
|
|
provider receives a written request from a person for the person's |
|
|
electronic health record, shall provide the requested record to the |
|
|
person in electronic form unless the person agrees to accept the |
|
|
record in another form. |
|
|
(b) A health care provider is not required to provide access |
|
|
to a person's protected health information that is excepted from |
|
|
access, or to which access may be denied, under 45 C.F.R. Section |
|
|
164.524. |
|
|
(c) For purposes of Subsection (a), the executive |
|
|
commissioner, in consultation with the Department of State Health |
|
|
Services, the Texas Medical Board, and the Texas Department of |
|
|
Insurance, by rule may recommend a standard electronic format for |
|
|
the release of requested health records. The standard electronic |
|
|
format recommended under this section must be consistent, if |
|
|
feasible, with federal law regarding the release of electronic |
|
|
health records. |
|
|
Sec. 181.103. CONSUMER INFORMATION WEBSITE. The attorney |
|
|
general shall maintain an Internet website that provides: |
|
|
(1) information concerning a consumer's privacy rights |
|
|
regarding protected health information under federal and state law; |
|
|
(2) a list of the state agencies, including the |
|
|
Department of State Health Services, the Texas Medical Board, and |
|
|
the Texas Department of Insurance, that regulate covered entities |
|
|
in this state and the types of entities each agency regulates; |
|
|
(3) detailed information regarding each agency's |
|
|
complaint enforcement process; and |
|
|
(4) contact information, including the address of the |
|
|
agency's Internet website, for each agency listed under Subdivision |
|
|
(2) for reporting a violation of this chapter. |
|
|
Sec. 181.104. CONSUMER COMPLAINT REPORT BY ATTORNEY |
|
|
GENERAL. (a) The attorney general annually shall submit to the |
|
|
legislature a report describing: |
|
|
(1) the number and types of complaints received by the |
|
|
attorney general and by the state agencies receiving consumer |
|
|
complaints under Section 181.103; and |
|
|
(2) the enforcement action taken in response to each |
|
|
complaint reported under Subdivision (1). |
|
|
(b) Each state agency that receives consumer complaints |
|
|
under Section 181.103 shall submit to the attorney general, in the |
|
|
form required by the attorney general, the information the attorney |
|
|
general requires to compile the report required by Subsection (a). |
|
|
(c) The attorney general shall de-identify protected health |
|
|
information from the individual to whom the information pertains |
|
|
before including the information in the report required by |
|
|
Subsection (a). |
|
|
SECTION 7. Subchapter D, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Sections 181.153 and 181.154 to read as |
|
|
follows: |
|
|
Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION |
|
|
PROHIBITED; EXCEPTIONS. (a) A covered entity may not disclose an |
|
|
individual's protected health information to any other person in |
|
|
exchange for direct or indirect remuneration, except that a covered |
|
|
entity may disclose an individual's protected health information: |
|
|
(1) to another covered entity, as that term is defined |
|
|
by Section 181.001, or to a covered entity, as that term is defined |
|
|
by Section 602.001, Insurance Code, for the purpose of: |
|
|
(A) treatment; |
|
|
(B) payment; |
|
|
(C) health care operations; or |
|
|
(D) performing an insurance or health |
|
|
maintenance organization function described by Section 602.053, |
|
|
Insurance Code; or |
|
|
(2) as otherwise authorized or required by state or |
|
|
federal law. |
|
|
(b) The direct or indirect remuneration a covered entity |
|
|
receives for making a disclosure of protected health information |
|
|
authorized by Subsection (a)(1)(D) may not exceed the covered |
|
|
entity's reasonable costs of preparing or transmitting the |
|
|
protected health information. |
|
|
Sec. 181.154. NOTICE AND AUTHORIZATION REQUIRED FOR |
|
|
ELECTRONIC DISCLOSURE OF PROTECTED HEALTH INFORMATION; EXCEPTIONS. |
|
|
(a) A covered entity shall provide notice to an individual for whom |
|
|
the covered entity creates or receives protected health information |
|
|
if the individual's protected health information is subject to |
|
|
electronic disclosure. A covered entity may provide general notice |
|
|
by: |
|
|
(1) posting a written notice in the covered entity's |
|
|
place of business; |
|
|
(2) posting a notice on the covered entity's Internet |
|
|
website; or |
|
|
(3) posting a notice in any other place where |
|
|
individuals whose protected health information is subject to |
|
|
electronic disclosure are likely to see the notice. |
|
|
(b) Except as provided by Subsection (c), a covered entity |
|
|
may not electronically disclose an individual's protected health |
|
|
information to any person without a separate authorization from the |
|
|
individual or the individual's legally authorized representative |
|
|
for each disclosure. An authorization for disclosure under this |
|
|
subsection may be made in written or electronic form or in oral form |
|
|
if it is documented in writing by the covered entity. |
|
|
(c) The authorization for electronic disclosure of |
|
|
protected health information described by Subsection (b) is not |
|
|
required if the disclosure is made: |
|
|
(1) to another covered entity, as that term is defined |
|
|
by Section 181.001, or to a covered entity, as that term is defined |
|
|
by Section 602.001, Insurance Code, for the purpose of: |
|
|
(A) treatment; |
|
|
(B) payment; |
|
|
(C) health care operations; or |
|
|
(D) performing an insurance or health |
|
|
maintenance organization function described by Section 602.053, |
|
|
Insurance Code; or |
|
|
(2) as otherwise authorized or required by state or |
|
|
federal law. |
|
|
(d) The attorney general shall adopt a standard |
|
|
authorization form for use in complying with this section. The form |
|
|
must comply with the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards and this chapter. |
|
|
(e) This section does not apply to a covered entity, as |
|
|
defined by Section 602.001, Insurance Code, if that entity is not a |
|
|
covered entity as defined by 45 C.F.R. Section 160.103. |
|
|
SECTION 8. Section 181.201, Health and Safety Code, is |
|
|
amended by amending Subsections (b) and (c) and adding Subsections |
|
|
(b-1), (d), (e), and (f) to read as follows: |
|
|
(b) In addition to the injunctive relief provided by |
|
|
Subsection (a), the attorney general may institute an action for |
|
|
civil penalties against a covered entity for a violation of this |
|
|
chapter. A civil penalty assessed under this section may not |
|
|
exceed: |
|
|
(1) $5,000 [$3,000] for each violation that occurs in |
|
|
one year, regardless of how long the violation continues during |
|
|
that year, committed negligently; |
|
|
(2) $25,000 for each violation that occurs in one |
|
|
year, regardless of how long the violation continues during that |
|
|
year, committed knowingly or intentionally; or |
|
|
(3) $250,000 for each violation in which the covered |
|
|
entity knowingly or intentionally used protected health |
|
|
information for financial gain. |
|
|
(b-1) The total amount of a penalty assessed against a |
|
|
covered entity under Subsection (b) in relation to a violation or |
|
|
violations of Section 181.154 may not exceed $250,000 annually if |
|
|
the court finds that the disclosure was made only to another covered |
|
|
entity and only for a purpose described by Section 181.154(c) and |
|
|
the court finds that: |
|
|
(1) the protected health information disclosed was |
|
|
encrypted or transmitted using encryption technology designed to |
|
|
protect against improper disclosure; |
|
|
(2) the recipient of the protected health information |
|
|
did not use or release the protected health information; or |
|
|
|
|
|
(3) at the time of the disclosure of the protected |
|
|
health information, the covered entity had developed, implemented, |
|
|
and maintained security policies, including the education and |
|
|
training of employees responsible for the security of protected |
|
|
health information. |
|
|
(c) If the court in which an action under Subsection (b) is |
|
|
pending finds that the violations have occurred with a frequency as |
|
|
to constitute a pattern or practice, the court may assess a civil |
|
|
penalty not to exceed $1.5 million annually [$250,000]. |
|
|
(d) In determining the amount of a penalty imposed under |
|
|
Subsection (b), the court shall consider: |
|
|
(1) the seriousness of the violation, including the |
|
|
nature, circumstances, extent, and gravity of the disclosure; |
|
|
(2) the covered entity's compliance history; |
|
|
(3) whether the violation poses a significant risk of |
|
|
financial, reputational, or other harm to an individual whose |
|
|
protected health information is involved in the violation; |
|
|
(4) whether the covered entity was certified at the |
|
|
time of the violation as described by Section 182.108; |
|
|
(5) the amount necessary to deter a future violation; |
|
|
and |
|
|
(6) the covered entity's efforts to correct the |
|
|
violation. |
|
|
(e) The attorney general may institute an action against a |
|
|
covered entity that is licensed by a licensing agency of this state |
|
|
for a civil penalty under this section only if the licensing agency |
|
|
refers the violation to the attorney general under Section |
|
|
181.202(2). |
|
|
(f) The office of the attorney general may retain a |
|
|
reasonable portion of a civil penalty recovered under this section, |
|
|
not to exceed amounts specified in the General Appropriations Act, |
|
|
for the enforcement of this subchapter. |
|
|
SECTION 9. Section 181.202, Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
Sec. 181.202. DISCIPLINARY ACTION. In addition to the |
|
|
penalties prescribed by this chapter, a violation of this chapter |
|
|
by a covered entity [an individual or facility] that is licensed by |
|
|
an agency of this state is subject to investigation and |
|
|
disciplinary proceedings, including probation or suspension by the |
|
|
licensing agency. If there is evidence that the violations of this |
|
|
chapter are egregious and constitute a pattern or practice, the |
|
|
agency may: |
|
|
(1) revoke the covered entity's [individual's or
|
|
|
facility's] license; or |
|
|
(2) refer the covered entity's case to the attorney |
|
|
general for the institution of an action for civil penalties under |
|
|
Section 181.201(b). |
|
|
SECTION 10. Section 181.205, Health and Safety Code, is |
|
|
amended by amending Subsection (b) and adding Subsection (c) to |
|
|
read as follows: |
|
|
(b) In determining the amount of a penalty imposed under |
|
|
other law in accordance with Section 181.202, a court or state |
|
|
agency shall consider the following factors: |
|
|
(1) the seriousness of the violation, including the |
|
|
nature, circumstances, extent, and gravity of the disclosure; |
|
|
(2) the covered entity's compliance history; |
|
|
(3) whether the violation poses a significant risk of |
|
|
financial, reputational, or other harm to an individual whose |
|
|
protected health information is involved in the violation; |
|
|
(4) whether the covered entity was certified at the |
|
|
time of the violation as described by Section 182.108; |
|
|
(5) the amount necessary to deter a future violation; |
|
|
and |
|
|
(6) the covered entity's efforts to correct the |
|
|
violation. |
|
|
(c) On receipt of evidence under Subsections [Subsection] |
|
|
(a) and (b), a court or state agency shall consider the evidence and |
|
|
mitigate imposition of an administrative penalty or assessment of a |
|
|
civil penalty accordingly. |
|
|
SECTION 11. Subchapter E, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Sections 181.206 and 181.207 to read as |
|
|
follows: |
|
|
Sec. 181.206. AUDITS OF COVERED ENTITIES. (a) The |
|
|
commission, in coordination with the attorney general, the Texas |
|
|
Health Services Authority, and the Texas Department of Insurance: |
|
|
(1) may request that the United States secretary of |
|
|
health and human services conduct an audit of a covered entity, as |
|
|
that term is defined by 45 C.F.R. Section 160.103, in this state to |
|
|
determine compliance with the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards; and |
|
|
(2) shall periodically monitor and review the results |
|
|
of audits of covered entities in this state conducted by the United |
|
|
States secretary of health and human services. |
|
|
(b) If the commission has evidence that a covered entity has |
|
|
committed violations of this chapter that are egregious and |
|
|
constitute a pattern or practice, the commission may: |
|
|
(1) require the covered entity to submit to the |
|
|
commission the results of a risk analysis conducted by the covered |
|
|
entity if required by 45 C.F.R. Section 164.308(a)(1)(ii)(A); or |
|
|
(2) if the covered entity is licensed by a licensing |
|
|
agency of this state, request that the licensing agency conduct an |
|
|
audit of the covered entity's system to determine compliance with |
|
|
the provisions of this chapter. |
|
|
(c) The commission annually shall submit to the appropriate |
|
|
standing committees of the senate and the house of representatives |
|
|
a report regarding the number of federal audits of covered entities |
|
|
in this state and the number of audits required under Subsection |
|
|
(b). |
|
|
Sec. 181.207. FUNDING. The commission and the Texas |
|
|
Department of Insurance, in consultation with the Texas Health |
|
|
Services Authority, shall apply for and actively pursue available |
|
|
federal funding for enforcement of this chapter. |
|
|
SECTION 12. Section 182.002, Health and Safety Code, is |
|
|
amended by adding Subdivisions (2-a), (3-a), and (3-b) to read as |
|
|
follows: |
|
|
(2-a) "Covered entity" has the meaning assigned by |
|
|
Section 181.001. |
|
|
(3-a) "Disclose" has the meaning assigned by Section |
|
|
181.001. |
|
|
(3-b) "Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards" has the meaning assigned |
|
|
by Section 181.001. |
|
|
SECTION 13. Subchapter C, Chapter 182, Health and Safety |
|
|
Code, is amended by adding Section 182.108 to read as follows: |
|
|
Sec. 182.108. STANDARDS FOR ELECTRONIC SHARING OF PROTECTED |
|
|
HEALTH INFORMATION; COVERED ENTITY CERTIFICATION. (a) The |
|
|
corporation shall develop and submit to the commission for |
|
|
ratification privacy and security standards for the electronic |
|
|
sharing of protected health information. |
|
|
(b) The commission shall review and by rule adopt acceptable |
|
|
standards submitted for ratification under Subsection (a). |
|
|
(c) Standards adopted under Subsection (b) must be designed |
|
|
to: |
|
|
(1) comply with the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards and Chapter 181; |
|
|
(2) comply with any other state and federal law |
|
|
relating to the security and confidentiality of information |
|
|
electronically maintained or disclosed by a covered entity; |
|
|
(3) ensure the secure maintenance and disclosure of |
|
|
personally identifiable health information; |
|
|
(4) include strategies and procedures for disclosing |
|
|
personally identifiable health information; and |
|
|
(5) support a level of system interoperability with |
|
|
existing health record databases in this state that is consistent |
|
|
with emerging standards. |
|
|
(d) The corporation shall establish a process by which a |
|
|
covered entity may apply for certification by the corporation of a |
|
|
covered entity's past compliance with standards adopted under |
|
|
Subsection (b). |
|
|
(e) The corporation shall publish the standards adopted |
|
|
under Subsection (b) on the corporation's Internet website. |
|
|
SECTION 14. Section 521.053, Business & Commerce Code, is |
|
|
amended by amending Subsection (b) and adding Subsection (b-1) to |
|
|
read as follows: |
|
|
(b) A person who conducts business in this state and owns or |
|
|
licenses computerized data that includes sensitive personal |
|
|
information shall disclose any breach of system security, after |
|
|
discovering or receiving notification of the breach, to any |
|
|
individual [resident of this state] whose sensitive personal |
|
|
information was, or is reasonably believed to have been, acquired |
|
|
by an unauthorized person. The disclosure shall be made as quickly |
|
|
as possible, except as provided by Subsection (d) or as necessary to |
|
|
determine the scope of the breach and restore the reasonable |
|
|
integrity of the data system. |
|
|
(b-1) Notwithstanding Subsection (b), the requirements of |
|
|
Subsection (b) apply only if the individual whose sensitive |
|
|
personal information was or is reasonably believed to have been |
|
|
acquired by an unauthorized person is a resident of this state or |
|
|
another state that does not require a person described by |
|
|
Subsection (b) to notify the individual of a breach of system |
|
|
security. If the individual is a resident of a state that requires |
|
|
a person described by Subsection (b) to provide notice of a breach |
|
|
of system security, the notice of the breach of system security |
|
|
provided under that state's law satisfies the requirements of |
|
|
Subsection (b). |
|
|
SECTION 15. Section 521.151, Business & Commerce Code, is |
|
|
amended by adding Subsection (a-1) to read as follows: |
|
|
(a-1) In addition to penalties assessed under Subsection |
|
|
(a), a person who fails to take reasonable action to comply with |
|
|
Section 521.053(b) is liable to this state for a civil penalty of |
|
|
not more than $100 for each individual to whom notification is due |
|
|
under that subsection for each consecutive day that the person |
|
|
fails to take reasonable action to comply with that subsection. |
|
|
Civil penalties under this section may not exceed $250,000 for all |
|
|
individuals to whom notification is due after a single breach. The |
|
|
attorney general may bring an action to recover the civil penalties |
|
|
imposed under this subsection. |
|
|
SECTION 16. Section 522.002(b), Business & Commerce Code, |
|
|
is amended to read as follows: |
|
|
(b) An offense under this section is a Class B misdemeanor, |
|
|
except that the offense is a state jail felony if the information |
|
|
accessed, read, scanned, stored, or transferred was protected |
|
|
health information as defined by the Health Insurance Portability |
|
|
and Accountability Act and Privacy Standards, as defined by Section |
|
|
181.001, Health and Safety Code. |
|
|
SECTION 17. Subchapter B, Chapter 531, Government Code, is |
|
|
amended by adding Section 531.0994 to read as follows: |
|
|
Sec. 531.0994. STUDY; ANNUAL REPORT. (a) The commission, |
|
|
in consultation with the Department of State Health Services, the |
|
|
Texas Medical Board, and the Texas Department of Insurance, shall |
|
|
explore and evaluate new developments in safeguarding protected |
|
|
health information. |
|
|
(b) Not later than December 1 each year, the commission |
|
|
shall report to the legislature on new developments in safeguarding |
|
|
protected health information and recommendations for the |
|
|
implementation of safeguards within the commission. |
|
|
SECTION 18. Subchapter B, Chapter 602, Insurance Code, is |
|
|
amended by adding Section 602.054 to read as follows: |
|
|
Sec. 602.054. COMPLIANCE WITH OTHER LAW. A covered entity |
|
|
shall comply with: |
|
|
(1) Subchapter D, Chapter 181, Health and Safety Code, |
|
|
except as otherwise provided by that subchapter; and |
|
|
(2) the standards adopted under Section 182.108, |
|
|
Health and Safety Code. |
|
|
SECTION 19. (a) In this section, "unsustainable covered |
|
|
entity" means a covered entity, as defined by Section 181.001, |
|
|
Health and Safety Code, that ceases to operate. |
|
|
(b) The Health and Human Services Commission, in |
|
|
consultation with the Texas Health Services Authority and the Texas |
|
|
Medical Board, shall review issues regarding the security and |
|
|
accessibility of protected health information maintained by an |
|
|
unsustainable covered entity. |
|
|
(c) Not later than December 1, 2012, the Health and Human |
|
|
Services Commission shall submit to the appropriate standing |
|
|
committees of the senate and the house of representatives |
|
|
recommendations for: |
|
|
(1) the state agency to which the protected health |
|
|
information maintained by an unsustainable covered entity should be |
|
|
transferred for storage; |
|
|
(2) ensuring the security of protected health |
|
|
information maintained by unsustainable covered entities in this |
|
|
state, including secure transfer methods from the covered entity to |
|
|
the state; |
|
|
(3) the method and period of time for which protected |
|
|
health information should be maintained by the state after transfer |
|
|
from an unsustainable covered entity; |
|
|
(4) methods and processes by which an individual |
|
|
should be able to access the individual's protected health |
|
|
information after transfer to the state; and |
|
|
(5) funding for the storage of protected health |
|
|
information after transfer to the state. |
|
|
(d) This section expires January 1, 2013. |
|
|
SECTION 20. (a) A task force on health information |
|
|
technology is created. |
|
|
(b) The task force is composed of: |
|
|
(1) 11 members appointed by the attorney general with |
|
|
the advice of the chairs of the standing committees of the senate |
|
|
and house of representatives having primary jurisdiction over |
|
|
health information technology issues, including: |
|
|
(A) at least two physicians; |
|
|
(B) at least two individuals who represent |
|
|
hospitals; |
|
|
(C) at least one private citizen who represents |
|
|
patient and parental rights; and |
|
|
(D) at least one pharmacist; and |
|
|
(2) the following ex officio members: |
|
|
(A) the executive commissioner of the Health and |
|
|
Human Services Commission or an employee of the commission |
|
|
designated by the executive commissioner; |
|
|
(B) the commissioner of the Department of State |
|
|
Health Services or an employee of the department designated by the |
|
|
commissioner; and |
|
|
(C) the presiding officer of the Texas Health |
|
|
Services Authority or an employee of the authority designated by |
|
|
the presiding officer. |
|
|
(c) Not later than December 1, 2012, the attorney general |
|
|
shall appoint the members of the task force and appoint a chair of |
|
|
the task force from among its membership. The chair of the task |
|
|
force must have expertise in: |
|
|
(1) state and federal health information privacy law; |
|
|
(2) patient rights; and |
|
|
(3) electronic signatures and other consent tools. |
|
|
(d) The task force shall develop recommendations regarding: |
|
|
(1) the improvement of informed consent protocols for |
|
|
the electronic exchange of protected health information, as that |
|
|
term is defined by the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards, as defined by Section |
|
|
181.001, Health and Safety Code, as amended by this Act; |
|
|
(2) the improvement of patient access to and use of |
|
|
electronically maintained and disclosed protected health |
|
|
information for the purpose of personal health and coordination of |
|
|
health care services; and |
|
|
(3) any other critical issues, as determined by the |
|
|
task force, related to the exchange of protected health |
|
|
information. |
|
|
(e) Not later than January 1, 2014, the task force shall |
|
|
submit to the standing committees of the senate and house of |
|
|
representatives having primary jurisdiction over health |
|
|
information technology issues and the Texas Health Services |
|
|
Authority a report including the task force's recommendations under |
|
|
Subsection (d). |
|
|
(f) The Texas Health Services Authority shall publish the |
|
|
report submitted under Subsection (e) on the authority's Internet |
|
|
website. |
|
|
(g) This section expires February 1, 2014. |
|
|
SECTION 21. Section 531.0315(b), Government Code, is |
|
|
repealed. |
|
|
SECTION 22. Not later than January 1, 2013: |
|
|
(1) the attorney general shall adopt the form required |
|
|
by Section 181.154, Health and Safety Code, as added by this Act; |
|
|
and |
|
|
(2) the Health and Human Services Commission shall |
|
|
adopt the standards required by Section 182.108, Health and Safety |
|
|
Code, as added by this Act. |
|
|
SECTION 23. (a) Not later than May 1, 2013, the attorney |
|
|
general shall establish the Internet website required by Section |
|
|
181.103, Health and Safety Code, as added by this Act. |
|
|
(b) Not later than December 1, 2013, the attorney general |
|
|
shall submit the initial report required by Section 181.104, Health |
|
|
and Safety Code, as added by this Act. |
|
|
SECTION 24. Not later than December 1, 2013, the Health and |
|
|
Human Services Commission shall submit the initial report required |
|
|
by Section 531.0994, Government Code, as added by this Act. |
|
|
SECTION 25. The changes in law made by Section 181.201, |
|
|
Health and Safety Code, as amended by this Act, Section 521.053, |
|
|
Business & Commerce Code, as amended by this Act, and Section |
|
|
521.151(a-1), Business & Commerce Code, as added by this Act, apply |
|
|
only to conduct that occurs on or after the effective date of this |
|
|
Act. Conduct that occurs before the effective date of this Act is |
|
|
governed by the law in effect at the time the conduct occurred, and |
|
|
the former law is continued in effect for that purpose. |
|
|
SECTION 26. The change in law made by Section 522.002(b), |
|
|
Business & Commerce Code, as amended by this Act, applies only to an |
|
|
offense committed on or after the effective date of this Act. An |
|
|
offense committed before the effective date of this Act is governed |
|
|
by the law in effect at the time the offense was committed, and the |
|
|
former law is continued in effect for that purpose. For purposes of |
|
|
this section, an offense was committed before the effective date of |
|
|
this Act if any element of the offense was committed before that |
|
|
date. |
|
|
SECTION 27. This Act takes effect September 1, 2012. |
| |
| |
| |
______________________________ |
______________________________ |
| |
President of the Senate |
Speaker of the House |
| |
| |
|
|
I certify that H.B. No. 300 was passed by the House on May 4, |
|
|
2011, by the following vote: Yeas 141, Nays 0, 2 present, not |
|
|
voting; that the House refused to concur in Senate amendments to |
|
|
H.B. No. 300 on May 26, 2011, and requested the appointment of a |
|
|
conference committee to consider the differences between the two |
|
|
houses; and that the House adopted the conference committee report |
|
|
on H.B. No. 300 on May 29, 2011, by the following vote: Yeas 145, |
|
|
Nays 0, 1 present, not voting. |
|
|
|
|
|
______________________________ |
|
|
Chief Clerk of the House |
| |
|
|
I certify that H.B. No. 300 was passed by the Senate, with |
|
|
amendments, on May 24, 2011, by the following vote: Yeas 31, Nays |
|
|
0; at the request of the House, the Senate appointed a conference |
|
|
committee to consider the differences between the two houses; and |
|
|
that the Senate adopted the conference committee report on H.B. No. |
|
|
300 on May 29, 2011, by the following vote: Yeas 31, Nays 0. |
|
|
|
|
|
______________________________ |
|
|
Secretary of the Senate |
|
|
APPROVED: __________________ |
|
|
Date |
|
|
|
|
|
__________________ |
|
|
Governor |