A BILL TO BE ENTITLED
AN ACT
relating to the privacy of protected health information and personal information; providing civil and criminal penalties.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 181.001(b), Health and Safety Code, is amended by amending Subdivisions (1), (3), and (4) and adding Subdivision (2-a) to read as follows:
(1) "Commission" ["Commissioner"] means the Health and Human Services Commission [commissioner of health and human services].
(2-a) "Executive commissioner" means the executive commissioner of the Health and Human Services Commission.
(3) "Health Insurance Portability and Accountability Act and Privacy Standards" means the privacy requirements in existence on September 1, 2011 [August 14, 2002], of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E.
(4) "Marketing" means:
(A) making a communication about a product or service that encourages a recipient of the communication to purchase, [or] use, or request the product or service, unless the communication is made:
(i) to describe a health-related product or service or the payment for a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:
(a) the entities participating in a health care provider network or health plan network;
(b) replacement of, or enhancement to, a health plan; or
(c) health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;
(ii) for treatment of the individual;
(iii) for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual; or
(iv) by a covered entity to an individual that encourages a change to a prescription drug included in the covered entity's drug formulary or preferred drug list; and
(B) [an arrangement between a covered entity and any other entity under which the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service; and
[(C)] notwithstanding Paragraphs (A)(ii) and (iii), a product-specific written communication to a consumer that encourages a change in products.
SECTION 2. Subchapter A, Chapter 181, Health and Safety Code, is amended by adding Section 181.004 to read as follows:
Sec. 181.004. APPLICABILITY OF FEDERAL LAW AND COMMISSION RULES. A covered entity shall comply with:
(1) the Health Insurance Portability and Accountability Act and Privacy Standards; and
(2) the rules adopted under Sections 181.005 and 181.101(a).
SECTION 3. Section 181.005, Health and Safety Code, is amended to read as follows:
Sec. 181.005. DUTIES OF THE EXECUTIVE COMMISSIONER.
(a) The executive commissioner shall administer this chapter and may adopt rules consistent with the Health Insurance Portability and Accountability Act and Privacy Standards to administer this chapter.
(b) The executive commissioner shall review amendments to the definitions in 45 C.F.R. Parts 160 and 164 that occur after September 1, 2011 [August 14, 2002], and determine whether it is in the best interest of the state to adopt the amended federal regulations. If the executive commissioner determines that it is in the best interest of the state to adopt the amended federal regulations, the amended regulations shall apply as required by this chapter.
(c) In making a determination under this section, the executive commissioner must consider, in addition to other factors affecting the public interest, the beneficial and adverse effects the amendments would have on:
(1) the lives of individuals in this state and their expectations of privacy; and
(2) governmental entities, institutions of higher education, state-owned teaching hospitals, private businesses, and commerce in this state.
(d) The executive commissioner shall prepare a report of the executive commissioner's determination made under this section and shall file the report with the presiding officer of each house of the legislature before the 30th day after the date the determination is made. The report must include an explanation of the reasons for the determination.
SECTION 4. Chapter 181, Health and Safety Code, is amended by adding Subchapter C to read as follows:
SUBCHAPTER C. ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION
Sec. 181.101. COMMISSION RULES. The executive commissioner shall adopt rules consistent with the Health Insurance Portability and Accountability Act and Privacy Standards relating to sharing or exchanging protected health information.
Sec. 181.102. TRAINING REQUIRED. (a) Each covered entity shall provide to employees of the entity a training program regarding state and federal law concerning protected health information.
(b) Each employee of a covered entity shall attend the training program required by this section not later than the 30th day after the date the employee is hired by the entity and shall attend supplemental training every two years or sooner, as required by executive commissioner rule, if there is a material change in the rules adopted by the executive commissioner under Section 181.101.
(c) Each covered entity shall require an employee of the entity who attends a training program required by this section to sign a statement verifying the employee's attendance at the training program. The covered entity shall file the statement in the employee's personnel file.
Sec. 181.103. NOTIFICATION AND ACCEPTANCE REQUIRED. Before a state agency electronically disseminates protected health information to another person or allows the other person to electronically access protected health information maintained by the agency:
(1) the state agency in writing must notify the other person of legal restrictions on the use and disclosure of the protected health information to be disseminated or accessed; and
(2) the person who receives notice from the state agency under Subdivision (1) in writing must acknowledge receipt, understanding, and acceptance of the restrictions on use and disclosure of the protected health information to be received or accessed.
Sec. 181.104. CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS.
(a) Not later than the fifth business day after the date a health care provider receives a request from a person for the person's electronic health record, the health care provider shall provide the record to the person in electronic form unless the person agrees to accept the record in another form.
(b) For purposes of Subsection (a), the executive commissioner, in consultation with the Department of State Health Services, the Texas Medical Board, and the Texas Department of Insurance, by rule shall designate a standard electronic format for the release of requested health records.
Sec. 181.105. CONSUMER INFORMATION WEBSITE. The attorney general shall maintain an Internet website that provides:
(1) information concerning a consumer's privacy rights regarding protected health information under federal and state law;
(2) a list of the state agencies, including the Department of State Health Services, the Texas Medical Board, and the Texas Department of Insurance, that regulate covered entities in this state and the types of entities each agency regulates;
(3) detailed information regarding each agency's complaint enforcement process; and
(4) contact information, including the address of the agency's Internet website, for each agency listed under Subdivision (2) for reporting a violation of this chapter.
Sec. 181.106. CONSUMER COMPLAINT REPORT BY ATTORNEY GENERAL. (a) The attorney general annually shall submit to the legislature a report describing:
(1) the number and types of complaints received by the attorney general and by the state agencies receiving consumer complaints under Section 181.105; and
(2) the enforcement action taken in response to each complaint reported under Subdivision (1).
(b) Each state agency that receives consumer complaints under Section 181.105 shall submit to the attorney general, in the form required by the attorney general, the information the attorney general requires to compile the report required by Subsection (a).
(c) The attorney general shall deidentify protected health information from the individual to whom the information pertains before including the information in the report required by Subsection (a).
SECTION 5. Subchapter D, Chapter 181, Health and Safety Code, is amended by adding Section 181.153 to read as follows:
Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION PROHIBITED. A covered entity may not disclose protected health information to any person in exchange for direct or indirect remuneration.
SECTION 6. Sections 181.201(b) and (c), Health and Safety Code, are amended to read as follows:
(b) In addition to the injunctive relief provided by Subsection (a), the attorney general may institute an action for civil penalties against a covered entity for a violation of this chapter. A civil penalty assessed under this section may not exceed:
(1) $5,000 [$3,000] for each violation committed negligently;
(2) $25,000 for each violation committed knowingly or intentionally; or
(3) $250,000 for each violation in which the covered entity knowingly or intentionally uses protected health information for financial gain.
(c) If the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, the court may assess a civil penalty in an amount the court finds necessary to deter future violations of this chapter [not to exceed $250,000].
SECTION 7. Section 521.053(b), Business & Commerce Code, is amended to read as follows:
(b) A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual [resident of this state] whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
SECTION 8. Section 521.151, Business & Commerce Code, is amended by adding Subsection (a-1) to read as follows:
(a-1) In addition to penalties assessed under Subsection (a), a person who fails to take reasonable action to comply with Section 521.053(b) is liable to this state for a civil penalty of not more than $100 for each individual to whom notification is due under that subsection for each consecutive day that the person fails to take reasonable action to comply with that subsection. Civil penalties under this section may not exceed $250,000 for all individuals to whom notification is due after a single breach. The attorney general may bring an action to recover the civil penalties imposed under this subsection.
SECTION 9. Section 522.002(b), Business & Commerce Code, is amended to read as follows:
(b) An offense under this section is a Class B misdemeanor, except that the offense is a state jail felony if the information accessed, read, scanned, stored, or transferred was protected health information as defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.
SECTION 10. Section 531.001, Government Code, is amended by adding Subdivision (4-a) to read as follows:
(4-a) "Protected health information" has the meaning assigned by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.
SECTION 11. Section 531.0315(a), Government Code, is amended to read as follows:
(a) Each health and human services agency and every other state agency that acts as a health care provider or a claims payer for the provision of health care shall[:
[(1)] process information related to health care in compliance with national data interchange standards adopted under Subtitle F, Title II, Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and its subsequent amendments, within the applicable deadline established under federal law or federal regulations[; or
[(2) demonstrate to the commission the reasons the agency should not be required to comply with Subdivision (1), and obtain the commission's approval, to the extent allowed under federal law:
[(A) to comply with the standards at a later date; or
[(B) to not comply with one or more of the standards].
SECTION 12. Subchapter B, Chapter 531, Government Code, is amended by adding Section 531.0994 to read as follows:
Sec. 531.0994. STUDY; ANNUAL REPORT. (a) The commission shall explore and evaluate new developments in safeguarding protected health information.
(b) Not later than December 1 each year, the commission shall report to the legislature on new developments in safeguarding protected health information and recommendations for the implementation of safeguards within the commission.
SECTION 13. Section 31.03(f), Penal Code, is amended to read as follows:
(f) An offense described for purposes of punishment by Subsections (e)(1)-(6) is increased to the next higher category of offense if it is shown on the trial of the offense that:
(1) the actor was a public servant at the time of the offense and the property appropriated came into the actor's custody, possession, or control by virtue of his status as a public servant;
(2) the actor was in a contractual relationship with government at the time of the offense and the property appropriated came into the actor's custody, possession, or control by virtue of the contractual relationship;
(3) the owner of the property appropriated was at the time of the offense:
(A) an elderly individual; or
(B) a nonprofit organization; [or]
(4) the actor was a Medicare provider in a contractual relationship with the federal government at the time of the offense and the property appropriated came into the actor's custody, possession, or control by virtue of the contractual relationship; or
(5) the property appropriated was a document containing protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.
SECTION 14. Section 32.51(c-1), Penal Code, is amended to read as follows:
(c-1) An offense described for purposes of punishment by Subsections (c)(1)-(3) is increased to the next higher category of offense if it is shown on the trial of the offense that:
(1) the offense was committed against an elderly individual as defined by Section 22.04; or
(2) the information obtained, possessed, transferred, or used in the commission of the offense was protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code.
SECTION 15. Section 33.02(b), Penal Code, is amended to read as follows:
(b) An offense under this section is a Class B misdemeanor unless in committing the offense the actor:
(1) knowingly obtains a benefit, defrauds or harms another, or alters, damages, or deletes property, in which event the offense is:
(A) [(1)] a Class A misdemeanor if the aggregate amount involved is less than $1,500;
(B) [(2)] a state jail felony if:
(i) [(A)] the aggregate amount involved is $1,500 or more but less than $20,000; or
(ii) [(B)] the aggregate amount involved is less than $1,500 and the defendant has been previously convicted two or more times of an offense under this chapter;
(C) [(3)] a felony of the third degree if the aggregate amount involved is $20,000 or more but less than $100,000;
(D) [(4)] a felony of the second degree if the aggregate amount involved is $100,000 or more but less than $200,000; or
(E) [(5)] a felony of the first degree if the aggregate amount involved is $200,000 or more; or
(2) accesses protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code, in which event the offense is a state jail felony.
SECTION 16. Section 35A.02, Penal Code, is amended by adding Subsections (b-1) and (b-2) to read as follows:
(b-1) Except as provided by Subsection (b-2), the punishment prescribed for an offense under this section is increased to the punishment prescribed for the next highest category of offense if it is shown on the trial of the offense that protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code, was used in the commission of the offense.
(b-2) The punishment for an offense described by this section may not be increased under Subsection (b-1) if the offense is punishable as a felony of the first degree.
SECTION 17. Section 531.0315(b), Government Code, is repealed.
SECTION 18. Not later than January 1, 2012, the executive commissioner of the Health and Human Services Commission shall adopt rules as required by Section 181.101, Health and Safety Code, as added by this Act.
SECTION 19. (a) Not later than January 1, 2012, the attorney general shall establish the Internet website required by Section 181.105, Health and Safety Code, as added by this Act.
(b) Not later than December 1, 2012, the attorney general shall submit the initial report required by Section 181.106, Health and Safety Code, as added by this Act.
SECTION 20. Not later than December 1, 2012, the Health and Human Services Commission shall submit the initial report required by Section 531.0994, Government Code, as added by this Act.
SECTION 21. The changes in law made by Section 181.201, Health and Safety Code, as amended by this Act, Section 521.053(b), Business & Commerce Code, as amended by this Act, and Section 521.151(a-1), Business & Commerce Code, as added by this Act, apply only to conduct that occurs on or after the effective date of this Act. Conduct that occurs before the effective date of this Act is governed by the law in effect at the time the conduct occurred, and the former law is continued in effect for that purpose.
SECTION 22. The changes in law made by Section 522.002, Business & Commerce Code, and Sections 31.03, 32.51, and 33.02, Penal Code, as amended by this Act, and Sections 35A.02(b-1) and (b-2), Penal Code, as added by this Act, apply only to an offense committed on or after the effective date of this Act. An offense committed before the effective date of this Act is governed by the law in effect at the time the offense was committed, and the former law is continued in effect for that purpose. For purposes of this section, an offense was committed before the effective date of this Act if any element of the offense was committed before that date.
SECTION 23. This Act takes effect September 1, 2011.