| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the privacy of protected health information; providing |
|
|
civil penalties. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 181.001(b), Health and Safety Code, is |
|
|
amended by amending Subdivisions (1) and (3) and adding |
|
|
Subdivisions (2-a) and (2-b) to read as follows: |
|
|
(1) "Commission" ["Commissioner"] means the Health |
|
|
and Human Services Commission [commissioner of health and human
|
|
|
services]. |
|
|
(2-a) "Disclose" means to release, transfer, provide |
|
|
access to, or otherwise divulge information to another person. |
|
|
(2-b) "Executive commissioner" means the executive |
|
|
commissioner of the Health and Human Services Commission. |
|
|
(3) "Health Insurance Portability and Accountability |
|
|
Act and Privacy Standards" means the privacy requirements in |
|
|
existence on April 1, 2011 [August 14, 2002], of the Administrative |
|
|
Simplification subtitle of the Health Insurance Portability and |
|
|
Accountability Act of 1996 (Pub. L. No. 104-191) contained in 45 |
|
|
C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E. |
|
|
SECTION 2. Subchapter A, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Section 181.004 to read as follows: |
|
|
Sec. 181.004. APPLICABILITY OF FEDERAL LAW AND TEXAS HEALTH |
|
|
SERVICES AUTHORITY STANDARDS. A covered entity shall comply with: |
|
|
(1) the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards; and |
|
|
(2) the standards adopted under Section 182.108. |
|
|
SECTION 3. Chapter 181, Health and Safety Code, is amended |
|
|
by adding Subchapter C to read as follows: |
|
|
SUBCHAPTER C. ACCESS TO AND USE OF |
|
|
PROTECTED HEALTH INFORMATION |
|
|
Sec. 181.101. ACCESS TO RECORDS AND DISCLOSURE ACCOUNTING. |
|
|
Not later than the 15th day after the date a covered entity receives |
|
|
a request from an individual: |
|
|
(1) for a record containing the individual's protected |
|
|
health information, the covered entity shall provide the record to |
|
|
the individual in the form requested by the individual, including |
|
|
printed or electronic form; and |
|
|
(2) for an accounting of disclosures of the |
|
|
individual's protected health information, the covered entity |
|
|
shall provide the accounting to the individual in the form |
|
|
requested by the individual, including printed or electronic form, |
|
|
in accordance with 45 C.F.R. Section 164.528. |
|
|
Sec. 181.102. FEES FOR COPIES OF RECORDS. A covered entity |
|
|
may charge a reasonable fee for a photocopy of a record that |
|
|
contains protected health information, subject to any limit or |
|
|
restriction applicable to the record under other law. |
|
|
Sec. 181.103. DUTY OF COVERED ENTITY. (a) A covered entity |
|
|
that maintains or discloses protected health information bears the |
|
|
responsibility of securely maintaining and disclosing the |
|
|
information in compliance with this chapter and other law. |
|
|
(b) Except as provided by other law, a covered entity may |
|
|
not: |
|
|
(1) prevent an individual from obtaining a copy of the |
|
|
individual's record; or |
|
|
(2) deny an individual's request to correct a |
|
|
confirmed factual error in the individual's record. |
|
|
Sec. 181.104. MINIMUM MAINTENANCE OF RECORDS OF PROTECTED |
|
|
HEALTH INFORMATION. (a) A covered entity shall: |
|
|
(1) for an individual 18 years of age or older on the |
|
|
date of the last entry in a record that contains protected health |
|
|
information, maintain the record until the seventh anniversary of |
|
|
the date of the last entry in the record; |
|
|
(2) for an individual younger than 18 years of age on |
|
|
the date of the last entry in a record that contains protected |
|
|
health information, maintain the record until the later of: |
|
|
(A) the individual's 21st birthday; or |
|
|
(B) the seventh anniversary of the date of the |
|
|
last entry in the record; and |
|
|
(3) maintain a medical record relating to a criminal, |
|
|
civil, or administrative action until the later of: |
|
|
(A) the date specified by Subdivision (1) or (2); |
|
|
or |
|
|
(B) the date of final disposition of the action. |
|
|
(b) If another law requires a covered entity to maintain a |
|
|
record described by Subsection (a) for a period longer than the |
|
|
period specified by Subsection (a), the covered entity shall |
|
|
maintain the record for the period required by the other law. |
|
|
SECTION 4. Subchapter D, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Sections 181.153 and 181.154 to read as |
|
|
follows: |
|
|
Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION |
|
|
PROHIBITED; EXCEPTIONS. A covered entity may not disclose an |
|
|
individual's protected health information to any other person in |
|
|
exchange for direct or indirect remuneration, except that a covered |
|
|
entity may disclose an individual's protected health information to |
|
|
another covered entity for the purpose of: |
|
|
(1) provision of medical treatment to the individual; |
|
|
(2) payment of the individual's health care costs; or |
|
|
(3) health care operations between the covered |
|
|
entities. |
|
|
Sec. 181.154. AUTHORIZATION REQUIRED FOR DISCLOSURE OF |
|
|
PROTECTED HEALTH INFORMATION; EXCEPTIONS. (a) Except as provided |
|
|
by Subsections (c) and (d), a covered entity may not disclose an |
|
|
individual's protected health information to any person without a |
|
|
separate authorization for each record disclosed signed by the |
|
|
individual or the individual's legally authorized representative. |
|
|
(b) For purposes of this section, and individual may sign an |
|
|
authorization of disclosure in writing or electronically. |
|
|
(c) The consent required by Subsection (a) to disclose |
|
|
protected health information for medical treatment, payment of |
|
|
health care costs, or health care operations may be provided in a |
|
|
signed general authorization form. |
|
|
(d) A covered entity may disclose an individual's protected |
|
|
health information to another person only as necessary to |
|
|
facilitate the individual's medical treatment if: |
|
|
(1) an agent of the covered entity reasonably believes |
|
|
the individual requires lifesaving medical treatment; |
|
|
(2) the individual is not able to provide |
|
|
authorization for disclosure under this section; and |
|
|
(3) a legally authorized representative of the |
|
|
individual is not available to provide authorization for disclosure |
|
|
under this section. |
|
|
(e) The attorney general by rule shall adopt standard |
|
|
authorization forms for use in complying with this section. |
|
|
SECTION 5. Section 181.201, Health and Safety Code, is |
|
|
amended by amending Subsection (c) and adding Subsection (d) to |
|
|
read as follows: |
|
|
(c) If the court in which an action under Subsection (b) is |
|
|
pending finds that the violations have occurred with a frequency as |
|
|
to constitute a pattern or practice, the court may assess a civil |
|
|
penalty not to exceed $5 million [$250,000]. |
|
|
(d) The office of the attorney general may retain a |
|
|
reasonable portion of a civil penalty recovered under this section, |
|
|
not to exceed amounts specified in the General Appropriations Act, |
|
|
for the enforcement of this subchapter. |
|
|
SECTION 6. Section 181.202, Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
Sec. 181.202. DISCIPLINARY ACTION. In addition to the |
|
|
penalties prescribed by this chapter, a violation of this chapter |
|
|
by an individual or facility that is licensed by an agency of this |
|
|
state is subject to investigation and disciplinary proceedings, |
|
|
including probation or suspension by the licensing agency. If |
|
|
there is evidence that the violations of this chapter constitute a |
|
|
pattern or practice, the agency may: |
|
|
(1) revoke the individual's or facility's license; or |
|
|
(2) refer the individual's or facility's case to the |
|
|
attorney general for the institution of an action for civil |
|
|
penalties under Section 181.201(b). |
|
|
SECTION 7. Subchapter E, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Sections 181.206, 181.207, 181.208, |
|
|
181.209, and 181.210 to read as follows: |
|
|
Sec. 181.206. RULES. The attorney general may adopt rules |
|
|
as necessary to enforce this chapter. |
|
|
Sec. 181.207. AUDITS OF COVERED ENTITIES. (a) The attorney |
|
|
general, in coordination with the commission, the Texas Health |
|
|
Services Authority, and the Texas Department of Insurance: |
|
|
(1) may conduct periodic audits of covered entities in |
|
|
this state to determine compliance with this chapter; and |
|
|
(2) shall periodically monitor and review the results |
|
|
of audits of covered entities in this state conducted by the United |
|
|
States secretary of health and human services. |
|
|
(b) In addition to periodic audits conducted under |
|
|
Subsection (a)(1), the attorney general may require a covered |
|
|
entity to: |
|
|
(1) conduct an audit of the covered entity's system; |
|
|
and |
|
|
(2) submit to the attorney general a report regarding |
|
|
the results of an audit conducted under Subdivision (1). |
|
|
Sec. 181.208. REVIEW OF COMPLAINT BY ATTORNEY GENERAL. The |
|
|
attorney general shall review a complaint received from an |
|
|
individual or an individual's authorized legal representative |
|
|
alleging that a covered entity violated this chapter with respect |
|
|
to the individual's protected health information. |
|
|
Sec. 181.209. AUDIT AND COMPLAINT REPORT BY ATTORNEY |
|
|
GENERAL. (a) The attorney general annually shall submit to the |
|
|
appropriate standing committees of the senate and the house of |
|
|
representatives a report that includes: |
|
|
(1) the number and types of complaints received by the |
|
|
office of the attorney general regarding violations of this |
|
|
chapter; |
|
|
(2) enforcement action taken by the office of the |
|
|
attorney general under this chapter; and |
|
|
(3) the number of federal and state audits of covered |
|
|
entities in this state conducted. |
|
|
(b) The attorney general and the Texas Health Services |
|
|
Authority shall each publish the report required by Subsection (a) |
|
|
on the agency's Internet website. |
|
|
Sec. 181.210. FUNDING. The commission and the Texas |
|
|
Department of Insurance, in consultation with the Texas Health |
|
|
Services Authority, shall apply for and actively pursue available |
|
|
federal funding for enforcement of this chapter, including the |
|
|
audits described by Section 181.207. |
|
|
SECTION 8. Section 182.002, Health and Safety Code, is |
|
|
amended by adding Subdivisions (2-a), (3-a), and (3-b) to read as |
|
|
follows: |
|
|
(2-a) "Covered entity" has the meaning assigned by |
|
|
Section 181.001. |
|
|
(3-a) "Disclose" has the meaning assigned by Section |
|
|
181.001. |
|
|
(3-b) "Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards" has the meaning assigned |
|
|
by Section 181.001. |
|
|
SECTION 9. Section 182.101, Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
Sec. 182.101. GENERAL POWERS AND DUTIES. The corporation |
|
|
[may]: |
|
|
(1) may establish statewide health information |
|
|
exchange capabilities, including capabilities for electronic |
|
|
laboratory results, diagnostic studies, and medication history |
|
|
delivery, and, where applicable, establish [promote] definitions |
|
|
and standards for electronic interactions statewide; |
|
|
(2) may seek funding to: |
|
|
(A) implement, promote, and facilitate the |
|
|
voluntary exchange of secure electronic health information between |
|
|
and among individuals and entities that are providing or paying for |
|
|
health care services or procedures; and |
|
|
(B) create incentives to implement, promote, and |
|
|
facilitate the voluntary exchange of secure electronic health |
|
|
information between and among individuals and entities that are |
|
|
providing or paying for health care services or procedures; |
|
|
(3) may establish statewide health information |
|
|
exchange capabilities for streamlining health care administrative |
|
|
functions including: |
|
|
(A) communicating point of care services, |
|
|
including laboratory results, diagnostic imaging, and prescription |
|
|
histories; |
|
|
(B) communicating patient identification and |
|
|
emergency room required information in conformity with state and |
|
|
federal privacy laws; |
|
|
(C) real-time communication of enrollee status |
|
|
in relation to health plan coverage, including enrollee |
|
|
cost-sharing responsibilities; and |
|
|
(D) current census and status of health plan |
|
|
contracted providers; |
|
|
(4) shall support regional health information |
|
|
exchange initiatives by: |
|
|
(A) identifying data and messaging standards for |
|
|
health information exchange and for ensuring that the data that is |
|
|
exchanged is accurate and complete; |
|
|
(B) administering programs providing financial |
|
|
incentives, including grants and loans for the creation and support |
|
|
of regional health information networks, subject to available |
|
|
funds; |
|
|
(C) providing technical expertise where |
|
|
appropriate; |
|
|
(D) sharing intellectual property developed |
|
|
under Section 182.105; |
|
|
(E) waiving the corporation's fees associated |
|
|
with intellectual property, data, expertise, and other services or |
|
|
materials provided to regional health information exchanges |
|
|
operated on a nonprofit basis; and |
|
|
(F) applying operational and technical standards |
|
|
developed by the corporation to existing health information |
|
|
exchanges only on a voluntary basis, except for standards related |
|
|
to ensuring effective privacy and security of individually |
|
|
identifiable health information; |
|
|
(5) shall adopt, publish, and distribute [identify] |
|
|
standards for streamlining health care administrative functions |
|
|
across payors and providers, including standards for the electronic |
|
|
disclosure of protected health information as required by Section |
|
|
182.108, electronic patient registration, communication of |
|
|
enrollment in health plans, and information at the point of care |
|
|
regarding services covered by health plans; and |
|
|
(6) shall support the secure, electronic exchange of |
|
|
health information through other strategies identified by the |
|
|
board. |
|
|
SECTION 10. Subchapter C, Chapter 182, Health and Safety |
|
|
Code, is amended by adding Section 182.108 to read as follows: |
|
|
Sec. 182.108. STANDARDS FOR ELECTRONIC DISCLOSURE OF |
|
|
PROTECTED HEALTH INFORMATION. (a) The corporation by rule shall |
|
|
adopt security standards for the electronic disclosure of protected |
|
|
health information, as defined by the Health Insurance Portability |
|
|
and Accountability Act and Privacy Standards. The standards must: |
|
|
(1) comply with federal and state law relating to the |
|
|
security and confidentiality of information electronically |
|
|
maintained or disclosed by a covered entity; |
|
|
(2) ensure the secure maintenance and disclosure of |
|
|
personally identifiable health information; |
|
|
(3) include strategies and procedures for disclosing |
|
|
personally identifiable information; and |
|
|
(4) support a level of system interoperability with |
|
|
existing health record databases in this state that is consistent |
|
|
with emerging standards. |
|
|
(b) The corporation shall publish the standards adopted |
|
|
under Subsection (a) on the corporation's Internet website. |
|
|
SECTION 11. (a) In this section, "unsustainable covered |
|
|
entity" means a covered entity that ceases to operate. |
|
|
(b) The Health and Human Services Commission, in |
|
|
consultation with the Texas Health Services Authority and the Texas |
|
|
Medical Board, shall review issues regarding the security and |
|
|
accessibility of protected health information maintained by an |
|
|
unsustainable covered entity. |
|
|
(c) Not later than December 1, 2012, the Health and Human |
|
|
Services Commission shall submit to the appropriate standing |
|
|
committees of the senate and the house of representatives |
|
|
recommendations for: |
|
|
(1) the state agency to which the protected health |
|
|
information maintained by an unsustainable covered entity should be |
|
|
transferred for storage; |
|
|
(2) ensuring the security of protected health |
|
|
information maintained by unsustainable covered entities in this |
|
|
state, including secure transfer methods from the covered entity to |
|
|
the state; |
|
|
(3) the method and period of time for which protected |
|
|
health information should be maintained by the state after transfer |
|
|
from an unsustainable covered entity; |
|
|
(4) methods and processes by which an individual |
|
|
should be able to access the individual's protected health |
|
|
information after transfer to the state; and |
|
|
(5) funding for the storage of protected health |
|
|
information after transfer to the state. |
|
|
(d) This section expires January 1, 2013. |
|
|
SECTION 12. (a) A task force on health information |
|
|
technology is created. |
|
|
(b) The task force is composed of seven members appointed by |
|
|
the attorney general with the advice of the chairs of the standing |
|
|
committees of the senate and house of representatives having |
|
|
primary jurisdiction over health information technology issues. |
|
|
Not later than December 1, 2011, the attorney general shall appoint |
|
|
the members of the task force and appoint a chair of the task force |
|
|
from among its membership. The chair of the task force must have |
|
|
expertise in: |
|
|
(1) state and federal health information privacy law; |
|
|
(2) patient rights; and |
|
|
(3) electronic signatures and other consent tools. |
|
|
(c) The task force shall develop recommendations regarding: |
|
|
(1) the improvement of informed consent protocols for |
|
|
the electronic exchange of protected health information, as that |
|
|
term is defined by the Health Insurance Portability and |
|
|
Accountability Act and Privacy Standards, as defined by Section |
|
|
181.001, Health and Safety Code, as amended by this Act; |
|
|
(2) the improvement of patient access to and use of |
|
|
electronically maintained and disclosed protected health |
|
|
information for the purpose of personal health and coordination of |
|
|
health care services; and |
|
|
(3) any other critical issues, as determined by the |
|
|
task force, related to the exchange of protected health |
|
|
information. |
|
|
(d) Not later than January 1, 2013, the task force shall |
|
|
submit to the standing committees of the senate and house of |
|
|
representatives having primary jurisdiction over health |
|
|
information technology issues and the Texas Health Services |
|
|
Authority a report including the task force's recommendations under |
|
|
Subsection (c). |
|
|
(e) The Texas Health Services Authority shall publish the |
|
|
report submitted under Subsection (d) on the authority's Internet |
|
|
website. |
|
|
(f) This section expires February 1, 2013. |
|
|
SECTION 13. Not later than January 1, 2012: |
|
|
(1) the attorney general shall adopt the forms |
|
|
required by Section 181.154, Health and Safety Code, as added by |
|
|
this Act; and |
|
|
(2) the Texas Health Services Authority shall adopt |
|
|
the standards required by Section 182.101, Health and Safety Code, |
|
|
as amended by this Act, and Section 182.108, Health and Safety Code, |
|
|
as added by this Act. |
|
|
SECTION 14. This Act takes effect September 1, 2011. |