By: Nelson
S.B. No. 622

A BILL TO BE ENTITLED
 
AN ACT
  relating to the privacy of protected health information and
  personal information; providing civil and criminal penalties.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 181.001(b), Health and Safety Code, is
  amended by amending Subdivisions (1), (3), and (4) and adding
  Subdivision (2-a) to read as follows:
               (1)  "Commission" ["Commissioner"] means the Health
  and Human Services Commission [commissioner of health and human
  services].
               (2-a)  "Executive commissioner" means the executive
  commissioner of the Health and Human Services Commission.
               (3)  "Health Insurance Portability and Accountability
  Act and Privacy Standards" means the privacy requirements in
  existence on September 1, 2011 [August 14, 2002], of the
  Administrative Simplification subtitle of the Health Insurance
  Portability and Accountability Act of 1996 (Pub. L. No. 104-191)
  contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A
  and E.
               (4)  "Marketing" means:
                     (A)  making a communication about a product or
  service that encourages a recipient of the communication to
  purchase, [or] use, or request the product or service, unless the
  communication is made:
                           (i)  to describe a health-related product or
  service or the payment for a health-related product or service that
  is provided by, or included in a plan of benefits of, the covered
  entity making the communication, including communications about:
                                 (a)  the entities participating in a
  health care provider network or health plan network;
                                 (b)  replacement of, or enhancement
  to, a health plan; or
                                 (c)  health-related products or
  services available only to a health plan enrollee that add value to,
  but are not part of, a plan of benefits;
                           (ii)  for treatment of the individual;
                           (iii)  for case management or care
  coordination for the individual, or to direct or recommend
  alternative treatments, therapies, health care providers, or
  settings of care to the individual; or
                           (iv)  by a covered entity to an individual
  that encourages a change to a prescription drug included in the
  covered entity's drug formulary or preferred drug list; and
                     (B)  [an arrangement between a covered entity and
  any other entity under which the covered entity discloses protected
  health information to the other entity, in exchange for direct or
  indirect remuneration, for the other entity or its affiliate to
  make a communication about its own product or service that
  encourages recipients of the communication to purchase or use that
  product or service; and
                     [(C)]  notwithstanding Paragraphs (A)(ii) and
  (iii), a product-specific written communication to a consumer that
  encourages a change in products.
         SECTION 2.  Subchapter A, Chapter 181, Health and Safety
  Code, is amended by adding Section 181.004 to read as follows:
         Sec. 181.004.  APPLICABILITY OF FEDERAL LAW AND COMMISSION
  RULES. A covered entity shall comply with:
               (1)  the Health Insurance Portability and
  Accountability Act and Privacy Standards; and
               (2)  the rules adopted under Sections 181.005 and
  181.101(a).
         SECTION 3.  Section 181.005, Health and Safety Code, is
  amended to read as follows:
         Sec. 181.005.  DUTIES OF THE EXECUTIVE COMMISSIONER.
  (a)  The executive commissioner shall administer this chapter and
  may adopt rules consistent with the Health Insurance Portability
  and Accountability Act and Privacy Standards to administer this
  chapter.
         (b)  The executive commissioner shall review amendments to
  the definitions in 45 C.F.R. Parts 160 and 164 that occur after
  September 1, 2011 [August 14, 2002], and determine whether it is in
  the best interest of the state to adopt the amended federal
  regulations. If the executive commissioner determines that it is
  in the best interest of the state to adopt the amended federal
  regulations, the amended regulations shall apply as required by
  this chapter.
         (c)  In making a determination under this section, the
  executive commissioner must consider, in addition to other factors
  affecting the public interest, the beneficial and adverse effects
  the amendments would have on:
               (1)  the lives of individuals in this state and their
  expectations of privacy; and
               (2)  governmental entities, institutions of higher
  education, state-owned teaching hospitals, private businesses, and
  commerce in this state.
         (d)  The executive commissioner shall prepare a report of the
  executive commissioner's determination made under this section and
  shall file the report with the presiding officer of each house of
  the legislature before the 30th day after the date the
  determination is made. The report must include an explanation of
  the reasons for the determination.
         SECTION 4.  Chapter 181, Health and Safety Code, is amended
  by adding Subchapter C to read as follows:
  SUBCHAPTER C. ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION
         Sec. 181.101.  COMMISSION RULES. The executive commissioner
  shall adopt rules consistent with the Health Insurance Portability
  and Accountability Act and Privacy Standards relating to sharing or
  exchanging protected health information.
         Sec. 181.102.  TRAINING REQUIRED. (a)  Each covered entity
  shall provide to employees of the entity a training program
  regarding state and federal law concerning protected health
  information.
         (b)  Each employee of a covered entity shall attend the
  training program required by this section not later than the 30th
  day after the date the employee is hired by the entity and shall
  attend supplemental training every two years or sooner, as required
  by executive commissioner rule, if there is a material change in the
  rules adopted by the executive commissioner under Section 181.101.
         (c)  Each covered entity shall require an employee of the
  entity who attends a training program required by this section to
  sign a statement verifying the employee's attendance at the
  training program. The covered entity shall file the statement in
  the employee's personnel file.
         Sec. 181.103.  NOTIFICATION AND ACCEPTANCE REQUIRED. Before
  a state agency electronically disseminates protected health
  information to another person or allows the other person to
  electronically access protected health information maintained by
  the agency:
               (1)  the state agency in writing must notify the other
  person of legal restrictions on the use and disclosure of the
  protected health information to be disseminated or accessed; and
               (2)  the person who receives notice from the state
  agency under Subdivision (1) in writing must acknowledge receipt,
  understanding, and acceptance of the restrictions on use and
  disclosure of the protected health information to be received or
  accessed.
         Sec. 181.104.  CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS.
  (a)  Not later than the fifth business day after the date a health
  care provider receives a request from a person for the person's
  electronic health record, the health care provider shall provide
  the record to the person in electronic form unless the person agrees
  to accept the record in another form.
         (b)  For purposes of Subsection (a), the executive
  commissioner, in consultation with the Department of State Health
  Services, the Texas Medical Board, and the Texas Department of
  Insurance, by rule shall designate a standard electronic format for
  the release of requested health records.
         Sec. 181.105.  CONSUMER INFORMATION WEBSITE. The attorney
  general shall maintain an Internet website that provides:
               (1)  information concerning a consumer's privacy rights
  regarding protected health information under federal and state law;
               (2)  a list of the state agencies, including the
  Department of State Health Services, the Texas Medical Board, and
  the Texas Department of Insurance, that regulate covered entities
  in this state and the types of entities each agency regulates;
               (3)  detailed information regarding each agency's
  complaint enforcement process; and
               (4)  contact information, including the address of the
  agency's Internet website, for each agency listed under Subdivision
  (2) for reporting a violation of this chapter.
         Sec. 181.106.  CONSUMER COMPLAINT REPORT BY ATTORNEY
  GENERAL.  (a)  The attorney general annually shall submit to the
  legislature a report describing:
               (1)  the number and types of complaints received by the
  attorney general and by the state agencies receiving consumer
  complaints under Section 181.105; and
               (2)  the enforcement action taken in response to each
  complaint reported under Subdivision (1).
         (b)  Each state agency that receives consumer complaints
  under Section 181.105 shall submit to the attorney general, in the
  form required by the attorney general, the information the attorney
  general requires to compile the report required by Subsection (a).
         (c)  The attorney general shall deidentify protected health
  information from the individual to whom the information pertains
  before including the information in the report required by
  Subsection (a).
         SECTION 5.  Subchapter D, Chapter 181, Health and Safety
  Code, is amended by adding Section 181.153 to read as follows:
         Sec. 181.153.  SALE OF PROTECTED HEALTH INFORMATION
  PROHIBITED. A covered entity may not disclose protected health
  information to any person in exchange for direct or indirect
  remuneration.
         SECTION 6.  Sections 181.201(b) and (c), Health and Safety
  Code, are amended to read as follows:
         (b)  In addition to the injunctive relief provided by
  Subsection (a), the attorney general may institute an action for
  civil penalties against a covered entity for a violation of this
  chapter. A civil penalty assessed under this section may not
  exceed:
               (1)  $5,000 [$3,000] for each violation committed
  negligently;
               (2)  $25,000 for each violation committed knowingly or
  intentionally; or
               (3)  $250,000 for each violation in which the covered
  entity knowingly or intentionally uses protected health
  information for financial gain.
         (c)  If the court in which an action under Subsection (b) is
  pending finds that the violations have occurred with a frequency as
  to constitute a pattern or practice, the court may assess a civil
  penalty in an amount the court finds necessary to deter future
  violations of this chapter [not to exceed $250,000].
         SECTION 7.  Section 521.053(b), Business & Commerce Code, is
  amended to read as follows:
         (b)  A person who conducts business in this state and owns or
  licenses computerized data that includes sensitive personal
  information shall disclose any breach of system security, after
  discovering or receiving notification of the breach, to any
  individual [resident of this state] whose sensitive personal
  information was, or is reasonably believed to have been, acquired
  by an unauthorized person.  The disclosure shall be made as quickly
  as possible, except as provided by Subsection (d) or as necessary to
  determine the scope of the breach and restore the reasonable
  integrity of the data system.
         SECTION 8.  Section 521.151, Business & Commerce Code, is
  amended by adding Subsection (a-1) to read as follows:
         (a-1)  In addition to penalties assessed under Subsection
  (a), a person who fails to take reasonable action to comply with
  Section 521.053(b) is liable to this state for a civil penalty of
  not more than $100 for each individual to whom notification is due
  under that subsection for each consecutive day that the person
  fails to take reasonable action to comply with that subsection.
  Civil penalties under this section may not exceed $250,000 for all
  individuals to whom notification is due after a single breach. The
  attorney general may bring an action to recover the civil penalties
  imposed under this subsection.
         SECTION 9.  Section 522.002(b), Business & Commerce Code, is
  amended to read as follows:
         (b)  An offense under this section is a Class B misdemeanor,
  except that the offense is a state jail felony if the information
  accessed, read, scanned, stored, or transferred was protected
  health information as defined by the Health Insurance Portability
  and Accountability Act and Privacy Standards, as defined by Section
  181.001, Health and Safety Code.
         SECTION 10.  Section 531.001, Government Code, is amended by
  adding Subdivision (4-a) to read as follows:
               (4-a)  "Protected health information" has the meaning
  assigned by the Health Insurance Portability and Accountability Act
  and Privacy Standards, as defined by Section 181.001, Health and
  Safety Code.
         SECTION 11.  Section 531.0315(a), Government Code, is
  amended to read as follows:
         (a)  Each health and human services agency and every other
  state agency that acts as a health care provider or a claims payer
  for the provision of health care shall[:
               [(1)]  process information related to health care in
  compliance with national data interchange standards adopted under
  Subtitle F, Title II, Health Insurance Portability and
  Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and
  its subsequent amendments, within the applicable deadline
  established under federal law or federal regulations[; or
               [(2)     demonstrate to the commission the reasons the
  agency should not be required to comply with Subdivision (1), and
  obtain the commission's approval, to the extent allowed under
  federal law:
                     [(A)     to comply with the standards at a later
  date; or
                     [(B)     to not comply with one or more of the
  standards].
         SECTION 12.  Subchapter B, Chapter 531, Government Code, is
  amended by adding Section 531.0994 to read as follows:
         Sec. 531.0994.  STUDY; ANNUAL REPORT. (a)  The commission
  shall explore and evaluate new developments in safeguarding
  protected health information.
         (b)  Not later than December 1 each year, the commission
  shall report to the legislature on new developments in safeguarding
  protected health information and recommendations for the
  implementation of safeguards within the commission.
         SECTION 13.  Section 31.03(f), Penal Code, is amended to
  read as follows:
         (f)  An offense described for purposes of punishment by
  Subsections (e)(1)-(6) is increased to the next higher category of
  offense if it is shown on the trial of the offense that:
               (1)  the actor was a public servant at the time of the
  offense and the property appropriated came into the actor's
  custody, possession, or control by virtue of his status as a public
  servant;
               (2)  the actor was in a contractual relationship with
  government at the time of the offense and the property appropriated
  came into the actor's custody, possession, or control by virtue of
  the contractual relationship;
               (3)  the owner of the property appropriated was at the
  time of the offense:
                     (A)  an elderly individual; or
                     (B)  a nonprofit organization; [or]
               (4)  the actor was a Medicare provider in a contractual
  relationship with the federal government at the time of the offense
  and the property appropriated came into the actor's custody,
  possession, or control by virtue of the contractual relationship;
  or
               (5)  the property appropriated was a document
  containing protected health information, as that term is defined by
  the Health Insurance Portability and Accountability Act and Privacy
  Standards, as defined by Section 181.001, Health and Safety Code.
         SECTION 14.  Section 32.51(c-1), Penal Code, is amended to
  read as follows:
         (c-1)  An offense described for purposes of punishment by
  Subsections (c)(1)-(3) is increased to the next higher category of
  offense if it is shown on the trial of the offense that:
               (1)  the offense was committed against an elderly
  individual as defined by Section 22.04; or
               (2)  the information obtained, possessed, transferred,
  or used in the commission of the offense was protected health
  information, as that term is defined by the Health Insurance
  Portability and Accountability Act and Privacy Standards, as
  defined by Section 181.001, Health and Safety Code.
         SECTION 15.  Section 33.02(b), Penal Code, is amended to
  read as follows:
         (b)  An offense under this section is a Class B misdemeanor
  unless in committing the offense the actor:
               (1)  knowingly obtains a benefit, defrauds or harms
  another, or alters, damages, or deletes property, in which event
  the offense is:
                     (A) [(1)]  a Class A misdemeanor if the aggregate
  amount involved is less than $1,500;
                     (B) [(2)]  a state jail felony if:
                           (i) [(A)]  the aggregate amount involved is
  $1,500 or more but less than $20,000; or
                           (ii) [(B)]  the aggregate amount involved is
  less than $1,500 and the defendant has been previously convicted
  two or more times of an offense under this chapter;
                     (C) [(3)]  a felony of the third degree if the
  aggregate amount involved is $20,000 or more but less than
  $100,000;
                     (D) [(4)]  a felony of the second degree if the
  aggregate amount involved is $100,000 or more but less than
  $200,000; or
                     (E) [(5)]  a felony of the first degree if the
  aggregate amount involved is $200,000 or more; or
               (2)  accesses protected health information, as that
  term is defined by the Health Insurance Portability and
  Accountability Act and Privacy Standards, as defined by Section
  181.001, Health and Safety Code, in which event the offense is a
  state jail felony.
         SECTION 16.  Section 35A.02, Penal Code, is amended by
  adding Subsections (b-1) and (b-2) to read as follows:
         (b-1)  Except as provided by Subsection (b-2), the
  punishment prescribed for an offense under this section is
  increased to the punishment prescribed for the next highest
  category of offense if it is shown on the trial of the offense that
  protected health information, as that term is defined by the Health
  Insurance Portability and Accountability Act and Privacy
  Standards, as defined by Section 181.001, Health and Safety Code,
  was used in the commission of the offense.
         (b-2)  The punishment for an offense described by this
  section may not be increased under Subsection (b-1) if the offense
  is punishable as a felony of the first degree.
         SECTION 17.  Section 531.0315(b), Government Code, is
  repealed.
         SECTION 18.  Not later than January 1, 2012, the executive
  commissioner of the Health and Human Services Commission shall
  adopt rules as required by Section 181.101, Health and Safety Code,
  as added by this Act.
         SECTION 19.  (a)  Not later than January 1, 2012, the
  attorney general shall establish the Internet website required by
  Section 181.105, Health and Safety Code, as added by this Act.
         (b)  Not later than December 1, 2012, the attorney general
  shall submit the initial report required by Section 181.106, Health
  and Safety Code, as added by this Act.
         SECTION 20.  Not later than December 1, 2012, the Health and
  Human Services Commission shall submit the initial report required
  by Section 531.0994, Government Code, as added by this Act.
         SECTION 21.  The changes in law made by Section 181.201,
  Health and Safety Code, as amended by this Act, Section 521.053(b),
  Business & Commerce Code, as amended by this Act, and Section
  521.151(a-1), Business & Commerce Code, as added by this Act, apply
  only to conduct that occurs on or after the effective date of this
  Act. Conduct that occurs before the effective date of this Act is
  governed by the law in effect at the time the conduct occurred, and
  the former law is continued in effect for that purpose.
         SECTION 22.  The changes in law made by Section 522.002,
  Business & Commerce Code, and Sections 31.03, 32.51, and 33.02,
  Penal Code, as amended by this Act, and Sections 35A.02(b-1) and
  (b-2), Penal Code, as added by this Act, apply only to an offense
  committed on or after the effective date of this Act. An offense
  committed before the effective date of this Act is governed by the
  law in effect at the time the offense was committed, and the former
  law is continued in effect for that purpose. For purposes of this
  section, an offense was committed before the effective date of this
  Act if any element of the offense was committed before that date.
         SECTION 23.  This Act takes effect September 1, 2011.