A BILL TO BE ENTITLED

AN ACT

relating to the privacy of protected health information and personal information; providing civil and criminal penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subsection (b), Section 181.001, Health and Safety Code, is amended by amending Subdivisions (1), (3), and (4) and adding Subdivision (2-a) to read as follows:

(1) "Commission" ["Commissioner"] means the Health and Human Services Commission [commissioner of health and human services].

(2-a) "Executive commissioner" means the executive commissioner of the Health and Human Services Commission.

(3) "Health Insurance Portability and Accountability Act and Privacy Standards" means the privacy requirements in existence on September 1, 2011 [August 14, 2002], of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E.

(4) "Marketing" means:

(A) making a communication about a product or service that encourages a recipient of the communication to purchase, [or] use, or request the product or service, unless the communication is made:

(i) to describe a health-related product or service or the payment for a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:

(a) the entities participating in a health care provider network or health plan network;

(b) replacement of, or enhancement to, a health plan; or

(c) health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;

(ii) for treatment of the individual;

(iii) for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual; or

(iv) by a covered entity to an individual that encourages a change to a prescription drug included in the covered entity's drug formulary or preferred drug list; and

(B) [an arrangement between a covered entity and any other entity under which the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service; and [(C)] notwithstanding Paragraphs (A)(ii) and (iii), a product-specific written communication to a consumer that encourages a change in products.

SECTION 2. Section 181.005, Health and Safety Code, is amended to read as follows:

Sec. 181.005. DUTIES OF THE EXECUTIVE COMMISSIONER. (a) The executive commissioner shall administer this chapter and may adopt rules consistent with the Health Insurance Portability and Accountability Act and Privacy Standards to administer this chapter.

(b) The executive commissioner shall review amendments to the definitions in 45 C.F.R. Parts 160 and 164 that occur after September 1, 2011 [August 14, 2002], and determine whether it is in the best interest of the state to adopt the amended federal regulations. If the executive commissioner determines that it is in the best interest of the state to adopt the amended federal regulations, the amended regulations shall apply as required by this chapter.

(c) In making a determination under this section, the executive commissioner must consider, in addition to other factors affecting the public interest, the beneficial and adverse effects the amendments would have on:

(1) the lives of individuals in this state and their expectations of privacy; and

(2) governmental entities, institutions of higher education, state-owned teaching hospitals, private businesses, and commerce in this state.

(d) The executive commissioner shall prepare a report of the executive commissioner's determination made under this section and shall file the report with the presiding officer of each house of the legislature before the 30th day after the date the determination is made. The report must include an explanation of the reasons for the determination.

SECTION 3. Chapter 181, Health and Safety Code, is amended by adding Subchapter C to read as follows:

SUBCHAPTER C. ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION

Sec. 181.101. COMMISSION RULES. The executive commissioner shall adopt rules consistent with the Health Insurance Portability and Accountability Act and Privacy Standards relating to sharing or exchanging protected health information.

Sec. 181.102. TRAINING REQUIRED. (a) Each covered entity shall provide a training program to employees of the covered entity regarding the state and federal law concerning protected health information as it relates to:

(1) the covered entity's particular course of business; and

(2) each employee's scope of employment.

(b) An employee of a covered entity must complete training described by Subsection (a) not later than the 60th day after the date the employee is hired by the covered entity.

(c) An employee of a covered entity shall receive training described by Subsection (a) at least once every two years.

(d) A covered entity shall require an employee of the entity who attends a training program described by Subsection (a) to sign, electronically or in writing, a statement verifying the employee's attendance at the training program. The covered entity shall maintain the signed statement.

Sec. 181.103. NOTIFICATION AND ACCEPTANCE REQUIRED. (a) Except as provided by Subsection (c), before a state agency electronically disseminates protected health information to another person or allows the other person to electronically access protected health information maintained by the agency:

(1) the state agency in writing must notify the other person of legal restrictions on the use and disclosure of the protected health information to be disseminated or accessed; and

(2) the person who receives notice from the state agency under Subdivision (1) must acknowledge, electronically or in writing, receipt, understanding, and acceptance of the restrictions on use and disclosure of the protected health information to be received or accessed.

(b) The written notice and acknowledgment required by Subsection (a) may be satisfied by an existing written agreement between a state agency and a person.

(c) The written notice and acknowledgment required by Subsection (a) is not required for a disclosure of protected health information from a state agency to:

(1) the individual whose protected health information is being disclosed; or

(2) a legally authorized representative of the individual described by Subdivision (1).

Sec. 181.104. CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS. (a) Except as provided by Subsection (b), if a health care provider is using an electronic health records system that is capable of fulfilling the request, the health care provider, not later than the 15th business day after the date the health care provider receives a written request from a person for the person's electronic health record, shall provide the requested record to the person in electronic form unless the person agrees to accept the record in another form.

(b) A health care provider is not required to provide access to a person's protected health information that is excepted from access, or to which access may be denied, under 45 C.F.R. Section 164.524.

(c) For purposes of Subsection (a), the executive commissioner, in consultation with the Department of State Health Services, the Texas Medical Board, and the Texas Department of Insurance, by rule may recommend a standard electronic format for the release of requested health records. The standard electronic format recommended under this section must be consistent, if feasible, with federal law regarding the release of electronic health records.

Sec. 181.105. CONSUMER INFORMATION WEBSITE. The attorney general shall maintain an Internet website that provides:

(1) information concerning a consumer's privacy rights regarding protected health information under federal and state law;

(2) a list of the state agencies, including the Department of State Health Services, the Texas Medical Board, and the Texas Department of Insurance, that regulate covered entities in this state and the types of entities each agency regulates;

(3) detailed information regarding each agency's complaint enforcement process; and

(4) contact information, including the address of the agency's Internet website, for each agency listed under Subdivision (2) for reporting a violation of this chapter.

Sec. 181.106. CONSUMER COMPLAINT REPORT BY ATTORNEY GENERAL. (a) The attorney general annually shall submit to the legislature a report describing:

(1) the number and types of complaints received by the attorney general and by the state agencies receiving consumer complaints under Section 181.105; and

(2) the enforcement action taken in response to each complaint reported under Subdivision (1).

(b) Each state agency that receives consumer complaints under Section 181.105 shall submit to the attorney general, in the form required by the attorney general, the information the attorney general requires to compile the report required by Subsection (a).

(c) The attorney general shall de-identify protected health information from the individual to whom the information pertains before including the information in the report required by Subsection (a).

SECTION 4. Subchapter D, Chapter 181, Health and Safety Code, is amended by adding Section 181.153 to read as follows:

Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION PROHIBITED; REMUNERATION OF AGENTS AND CONTRACTORS AUTHORIZED. (a) Except as provided by Subsection (b), a covered entity may not disclose protected health information to any person in exchange for direct or indirect remuneration.

(b) A covered entity may disclose protected health information in exchange for remuneration only:

(1) for purposes of:

(A) treatment;

(B) payment;

(C) health care operations;

(D) public health activities;

(E) research or clinical investigation, as described by 42 U.S.C. Section 17935(d)(2)(B) and 21 C.F.R. Section 312.3; or

(F) providing the protected health information to the individual who is the subject of the protected health information; or

(2) as otherwise permitted or required by state or federal law.

(c) This section does not prohibit a covered entity from disclosing protected health information to and giving remuneration to an agent or contractor of the covered entity in exchange for engaging in an activity authorized by state or federal law involving the exchange of protected health information that the agent or contractor undertakes on behalf of and at the specific request of the covered entity pursuant to an agreement.

SECTION 5. Subsections (b) and (c), Section 181.201, Health and Safety Code, are amended to read as follows:

(b) In addition to the injunctive relief provided by Subsection (a), the attorney general may institute an action for civil penalties against a covered entity for a violation of this chapter. A civil penalty assessed under this section may not exceed:

(1) $5,000 [$3,000] for each violation committed negligently;

(2) $25,000 for each violation committed knowingly or intentionally; or

(3) $250,000 for each violation in which the covered entity knowingly or intentionally uses protected health information for financial gain.

(c) If the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, the court may assess a civil penalty in an amount the court finds necessary to deter future violations of this chapter [not to exceed $250,000].

SECTION 6. Section 521.053, Business & Commerce Code, is amended by amending Subsection (b) and adding Subsection (b-1) to read as follows:

(b) A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual [resident of this state] whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b-1) Notwithstanding Subsection (b), the requirements of Subsection (b) apply only if the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of this state or another state that does not require a person described by Subsection (b) to notify the individual of a breach of system security. If the individual is a resident of a state that requires a person described by Subsection (b) to provide notice of a breach of system security, the notice of the breach of system security provided under that state's law satisfies the requirements of Subsection (b).

SECTION 7. Section 521.151, Business & Commerce Code, is amended by adding Subsection (a-1) to read as follows:

(a-1) In addition to penalties assessed under Subsection (a), a person who fails to take reasonable action to comply with Section 521.053(b) is liable to this state for a civil penalty of not more than $100 for each individual to whom notification is due under that subsection for each consecutive day that the person fails to take reasonable action to comply with that subsection. Civil penalties under this section may not exceed $250,000 for all individuals to whom notification is due after a single breach. The attorney general may bring an action to recover the civil penalties imposed under this subsection.

SECTION 8. Subsection (b), Section 522.002, Business & Commerce Code, is amended to read as follows:

(b) An offense under this section is a Class B misdemeanor, except that the offense is a state jail felony if the information accessed, read, scanned, stored, or transferred by the person was protected health information as defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.

SECTION 9. Section 531.001, Government Code, is amended by adding Subdivision (4-a) to read as follows:

(4-a) "Protected health information" has the meaning assigned by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.

SECTION 10. Subsection (a), Section 531.0315, Government Code, is amended to read as follows:

(a) Each health and human services agency and every other state agency that acts as a health care provider or a claims payer for the provision of health care shall[: [(1)] process information related to health care in compliance with national data interchange standards adopted under Subtitle F, Title II, Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and its subsequent amendments, within the applicable deadline established under federal law or federal regulations[; or

[(2) demonstrate to the commission the reasons the agency should not be required to comply with Subdivision (1), and obtain the commission's approval, to the extent allowed under federal law:

[(A) to comply with the standards at a later date; or

[(B) to not comply with one or more of the standards].

SECTION 11. Subchapter B, Chapter 531, Government Code, is amended by adding Section 531.0994 to read as follows:

Sec. 531.0994. STUDY; ANNUAL REPORT. (a) The commission, in consultation with the Department of State Health Services, the Texas Medical Board, and the Texas Department of Insurance, shall explore and evaluate new developments in safeguarding protected health information.

(b) Not later than December 1 each year, the commission shall report to the legislature on new developments in safeguarding protected health information and recommendations for the implementation of safeguards within the commission.

SECTION 12. Subsection (f), Section 31.03, Penal Code, is amended to read as follows:

(f) An offense described for purposes of punishment by Subsections (e)(1)-(6) is increased to the next higher category of offense if it is shown on the trial of the offense that:

(1) the actor was a public servant at the time of the offense and the property appropriated came into the actor's custody, possession, or control by virtue of his status as a public servant;

(2) the actor was in a contractual relationship with government at the time of the offense and the property appropriated came into the actor's custody, possession, or control by virtue of the contractual relationship;

(3) the owner of the property appropriated was at the time of the offense:

(A) an elderly individual; or

(B) a nonprofit organization; [or]

(4) the actor was a Medicare provider in a contractual relationship with the federal government at the time of the offense and the property appropriated came into the actor's custody, possession, or control by virtue of the contractual relationship; or

(5) the property appropriated was a document containing protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.

SECTION 13. Subsection (c-1), Section 32.51, Penal Code, is amended to read as follows:

(c-1) An offense described for purposes of punishment by Subsections (c)(1)-(3) is increased to the next higher category of offense if it is shown on the trial of the offense that:

(1) the offense was committed against an elderly individual as defined by Section 22.04; or

(2) the information obtained, possessed, transferred, or used in the commission of the offense was protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.

SECTION 14. Subsection (b), Section 33.02, Penal Code, is amended to read as follows:

(b) An offense under this section is a Class B misdemeanor unless in committing the offense the actor knowingly obtains a benefit, defrauds or harms another, or alters, damages, or deletes property, in which event the offense is:

(1) a Class A misdemeanor if the aggregate amount involved is less than $1,500;

(2) a state jail felony if:

(A) the aggregate amount involved is $1,500 or more but less than $20,000; [or]

(B) the aggregate amount involved is less than $1,500 and the defendant has been previously convicted two or more times of an offense under this chapter; or

(C) the actor accesses protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code;

(3) a felony of the third degree if the aggregate amount involved is $20,000 or more but less than $100,000;

(4) a felony of the second degree if the aggregate amount involved is $100,000 or more but less than $200,000; or

(5) a felony of the first degree if the aggregate amount involved is $200,000 or more.

SECTION 15. Section 35A.02, Penal Code, is amended by adding Subsections (b-1) and (b-2) to read as follows:

(b-1) Except as provided by Subsection (b-2), the punishment prescribed for an offense under this section is increased to the punishment prescribed for the next higher category of offense if it is shown on the trial of the offense that protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code, was used in the commission of the offense.

(b-2) The punishment for an offense described by this section may not be increased under Subsection (b-1) if the offense is punishable as a felony of the first degree.

SECTION 16. Subsection (b), Section 531.0315, Government Code, is repealed.

SECTION 17. Not later than May 1, 2012, the executive commissioner of the Health and Human Services Commission shall adopt rules as required by Section 181.101, Health and Safety Code, as added by this Act.

SECTION 18. (a) Not later than May 1, 2012, the attorney general shall establish the Internet website required by Section 181.105, Health and Safety Code, as added by this Act.

(b) Not later than December 1, 2013, the attorney general shall submit the initial report required by Section 181.106, Health and Safety Code, as added by this Act.

SECTION 19. Not later than December 1, 2013, the Health and Human Services Commission shall submit the initial report required by Section 531.0994, Government Code, as added by this Act.

SECTION 20. The changes in law made by Section 181.201, Health and Safety Code, as amended by this Act, Section 521.053, Business & Commerce Code, as amended by this Act, and Subsection (a-1), Section 521.151, Business & Commerce Code, as added by this Act, apply only to conduct that occurs on or after the effective date of this Act. Conduct that occurs before the effective date of this Act is governed by the law in effect at the time the conduct occurred, and the former law is continued in effect for that purpose.

SECTION 21. The changes in law made by Section 522.002, Business & Commerce Code, and Sections 31.03, 32.51, and 33.02, Penal Code, as amended by this Act, and Subsections (b-1) and (b-2), Section 35A.02, Penal Code, as added by this Act, apply only to an offense committed on or after the effective date of this Act. An offense committed before the effective date of this Act is governed by the law in effect at the time the offense was committed, and the former law is continued in effect for that purpose. For purposes of this section, an offense was committed before the effective date of this Act if any element of the offense was committed before that date.

SECTION 22. This Act takes effect January 1, 2012.