| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
| |
|
|
relating to the privacy of protected health information and |
|
|
personal information; providing civil and criminal penalties. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Subsection (b), Section 181.001, Health and |
|
|
Safety Code, is amended by amending Subdivisions (1), (3), and (4) |
|
|
and adding Subdivision (2-a) to read as follows: |
|
|
(1) "Commission" ["Commissioner"] means the Health |
|
|
and Human Services Commission [commissioner of health and human |
|
|
services].
|
|
|
(2-a) "Executive commissioner" means the executive |
|
|
commissioner of the Health and Human Services Commission. |
|
|
(3) "Health Insurance Portability and Accountability |
|
|
Act and Privacy Standards" means the privacy requirements in |
|
|
existence on September 1, 2011 [August 14, 2002], of the
|
|
|
Administrative Simplification subtitle of the Health Insurance |
|
|
Portability and Accountability Act of 1996 (Pub. L. No. 104-191) |
|
|
contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A |
|
|
and E. |
|
|
(4) "Marketing" means: |
|
|
(A) making a communication about a product or |
|
|
service that encourages a recipient of the communication to |
|
|
purchase, [or] use, or request the product or service, unless the
|
|
|
communication is made: |
|
|
(i) to describe a health-related product or |
|
|
service or the payment for a health-related product or service that |
|
|
is provided by, or included in a plan of benefits of, the covered |
|
|
entity making the communication, including communications about: |
|
|
(a) the entities participating in a |
|
|
health care provider network or health plan network; |
|
|
(b) replacement of, or enhancement |
|
|
to, a health plan; or |
|
|
(c) health-related products or |
|
|
services available only to a health plan enrollee that add value to, |
|
|
but are not part of, a plan of benefits; |
|
|
(ii) for treatment of the individual; |
|
|
(iii) for case management or care |
|
|
coordination for the individual, or to direct or recommend |
|
|
alternative treatments, therapies, health care providers, or |
|
|
settings of care to the individual; or |
|
|
(iv) by a covered entity to an individual |
|
|
that encourages a change to a prescription drug included in the |
|
|
covered entity's drug formulary or preferred drug list; and |
|
|
(B) [an arrangement between a covered entity and |
|
|
any other entity under which the covered entity discloses protected |
|
|
health information to the other entity, in exchange for direct or |
|
|
indirect remuneration, for the other entity or its affiliate to |
|
|
make a communication about its own product or service that |
|
|
encourages recipients of the communication to purchase or use that |
|
|
product or service; and |
|
|
[(C)] notwithstanding Paragraphs (A)(ii) and
|
|
|
(iii), a product-specific written communication to a consumer that |
|
|
encourages a change in products. |
|
|
SECTION 2. Section 181.005, Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
Sec. 181.005. DUTIES OF THE EXECUTIVE COMMISSIONER.
|
|
|
(a) The executive commissioner shall administer this chapter and
|
|
|
may adopt rules consistent with the Health Insurance Portability |
|
|
and Accountability Act and Privacy Standards to administer this |
|
|
chapter. |
|
|
(b) The executive commissioner shall review amendments to
|
|
|
the definitions in 45 C.F.R. Parts 160 and 164 that occur after |
|
|
September 1, 2011 [August 14, 2002], and determine whether it is in
|
|
|
the best interest of the state to adopt the amended federal |
|
|
regulations. If the executive commissioner determines that it is
|
|
|
in the best interest of the state to adopt the amended federal |
|
|
regulations, the amended regulations shall apply as required by |
|
|
this chapter. |
|
|
(c) In making a determination under this section, the |
|
|
executive commissioner must consider, in addition to other factors
|
|
|
affecting the public interest, the beneficial and adverse effects |
|
|
the amendments would have on: |
|
|
(1) the lives of individuals in this state and their |
|
|
expectations of privacy; and |
|
|
(2) governmental entities, institutions of higher |
|
|
education, state-owned teaching hospitals, private businesses, and |
|
|
commerce in this state. |
|
|
(d) The executive commissioner shall prepare a report of the
|
|
|
executive commissioner's determination made under this section and
|
|
|
shall file the report with the presiding officer of each house of |
|
|
the legislature before the 30th day after the date the |
|
|
determination is made. The report must include an explanation of |
|
|
the reasons for the determination. |
|
|
SECTION 3. Chapter 181, Health and Safety Code, is amended |
|
|
by adding Subchapter C to read as follows: |
|
|
SUBCHAPTER C. ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION |
|
|
Sec. 181.101. COMMISSION RULES. The executive commissioner |
|
|
shall adopt rules consistent with the Health Insurance Portability |
|
|
and Accountability Act and Privacy Standards relating to sharing or |
|
|
exchanging protected health information. |
|
|
Sec. 181.102. TRAINING REQUIRED. (a) Each covered entity |
|
|
shall provide a training program to employees of the covered entity |
|
|
regarding the state and federal law concerning protected health |
|
|
information as it relates to: |
|
|
(1) the covered entity's particular course of |
|
|
business; and |
|
|
(2) each employee's scope of employment. |
|
|
(b) An employee of a covered entity must complete training |
|
|
described by Subsection (a) not later than the 60th day after the |
|
|
date the employee is hired by the covered entity. |
|
|
(c) An employee of a covered entity shall receive training |
|
|
described by Subsection (a) at least once every two years. |
|
|
(d) A covered entity shall require an employee of the entity |
|
|
who attends a training program described by Subsection (a) to sign a |
|
|
statement verifying the employee's attendance at the training |
|
|
program. The covered entity shall maintain the signed statement. |
|
|
Sec. 181.103. NOTIFICATION AND ACCEPTANCE REQUIRED. Before |
|
|
a state agency electronically disseminates protected health |
|
|
information to another person or allows the other person to |
|
|
electronically access protected health information maintained by |
|
|
the agency: |
|
|
(1) the state agency in writing must notify the other |
|
|
person of legal restrictions on the use and disclosure of the |
|
|
protected health information to be disseminated or accessed; and |
|
|
(2) the person who receives notice from the state |
|
|
agency under Subdivision (1) in writing must acknowledge receipt, |
|
|
understanding, and acceptance of the restrictions on use and |
|
|
disclosure of the protected health information to be received or |
|
|
accessed. |
|
|
Sec. 181.104. CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS. |
|
|
(a) Not later than the 15th business day after the date a health |
|
|
care provider receives a written request from a person for the |
|
|
person's electronic health record, the health care provider shall |
|
|
provide the requested record to the person in electronic form |
|
|
unless the person agrees to accept the record in another form. |
|
|
(b) For purposes of Subsection (a), the executive |
|
|
commissioner, in consultation with the Department of State Health |
|
|
Services, the Texas Medical Board, and the Texas Department of |
|
|
Insurance, by rule may recommend a standard electronic format for |
|
|
the release of requested health records. |
|
|
Sec. 181.105. CONSUMER INFORMATION WEBSITE. The attorney |
|
|
general shall maintain an Internet website that provides: |
|
|
(1) information concerning a consumer's privacy rights |
|
|
regarding protected health information under federal and state law; |
|
|
(2) a list of the state agencies, including the |
|
|
Department of State Health Services, the Texas Medical Board, and |
|
|
the Texas Department of Insurance, that regulate covered entities |
|
|
in this state and the types of entities each agency regulates; |
|
|
(3) detailed information regarding each agency's |
|
|
complaint enforcement process; and |
|
|
(4) contact information, including the address of the |
|
|
agency's Internet website, for each agency listed under Subdivision |
|
|
(2) for reporting a violation of this chapter. |
|
|
Sec. 181.106. CONSUMER COMPLAINT REPORT BY ATTORNEY |
|
|
GENERAL. (a) The attorney general annually shall submit to the |
|
|
legislature a report describing: |
|
|
(1) the number and types of complaints received by the |
|
|
attorney general and by the state agencies receiving consumer |
|
|
complaints under Section 181.105; and |
|
|
(2) the enforcement action taken in response to each |
|
|
complaint reported under Subdivision (1). |
|
|
(b) Each state agency that receives consumer complaints |
|
|
under Section 181.105 shall submit to the attorney general, in the |
|
|
form required by the attorney general, the information the attorney |
|
|
general requires to compile the report required by Subsection (a). |
|
|
(c) The attorney general shall de-identify protected health |
|
|
information from the individual to whom the information pertains |
|
|
before including the information in the report required by |
|
|
Subsection (a). |
|
|
SECTION 4. Subchapter D, Chapter 181, Health and Safety |
|
|
Code, is amended by adding Section 181.153 to read as follows: |
|
|
Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION |
|
|
PROHIBITED. (a) Except as provided by Subsection (b), a covered |
|
|
entity may not disclose protected health information to any person |
|
|
in exchange for direct or indirect remuneration. |
|
|
(b) A covered entity may disclose protected health |
|
|
information in exchange for remuneration only for purposes of: |
|
|
(1) medical treatment; |
|
|
(2) payment of health care costs; |
|
|
(3) health care operations; or |
|
|
(4) research, as described by 42 U.S.C. Section |
|
|
17935(d)(2)(B). |
|
|
SECTION 5. Subsections (b) and (c), Section 181.201, Health |
|
|
and Safety Code, are amended to read as follows: |
|
|
(b) In addition to the injunctive relief provided by |
|
|
Subsection (a), the attorney general may institute an action for |
|
|
civil penalties against a covered entity for a violation of this |
|
|
chapter. A civil penalty assessed under this section may not |
|
|
exceed: |
|
|
(1) $5,000 [$3,000] for each violation committed |
|
|
negligently; |
|
|
(2) $25,000 for each violation committed knowingly or |
|
|
intentionally; or |
|
|
(3) $250,000 for each violation in which the covered |
|
|
entity knowingly or intentionally uses protected health |
|
|
information for financial gain.
|
|
|
(c) If the court in which an action under Subsection (b) is |
|
|
pending finds that the violations have occurred with a frequency as |
|
|
to constitute a pattern or practice, the court may assess a civil |
|
|
penalty in an amount the court finds necessary to deter future |
|
|
violations of this chapter [not to exceed $250,000].
|
|
|
SECTION 6. Subsection (b), Section 521.053, Business & |
|
|
Commerce Code, is amended to read as follows: |
|
|
(b) A person who conducts business in this state and owns or |
|
|
licenses computerized data that includes sensitive personal |
|
|
information shall disclose any breach of system security, after |
|
|
discovering or receiving notification of the breach, to any |
|
|
individual [resident of this state] whose sensitive personal
|
|
|
information was, or is reasonably believed to have been, acquired |
|
|
by an unauthorized person. The disclosure shall be made as quickly |
|
|
as possible, except as provided by Subsection (d) or as necessary to |
|
|
determine the scope of the breach and restore the reasonable |
|
|
integrity of the data system. |
|
|
SECTION 7. Section 521.151, Business & Commerce Code, is |
|
|
amended by adding Subsection (a-1) to read as follows: |
|
|
(a-1) In addition to penalties assessed under Subsection |
|
|
(a), a person who fails to take reasonable action to comply with |
|
|
Section 521.053(b) is liable to this state for a civil penalty of |
|
|
not more than $100 for each individual to whom notification is due |
|
|
under that subsection for each consecutive day that the person |
|
|
fails to take reasonable action to comply with that subsection. |
|
|
Civil penalties under this section may not exceed $250,000 for all |
|
|
individuals to whom notification is due after a single breach. The |
|
|
attorney general may bring an action to recover the civil penalties |
|
|
imposed under this subsection. |
|
|
SECTION 8. Subsection (b), Section 522.002, Business & |
|
|
Commerce Code, is amended to read as follows: |
|
|
(b) An offense under this section is a Class B misdemeanor, |
|
|
except that the offense is a state jail felony if the information |
|
|
accessed, read, scanned, stored, or transferred was protected |
|
|
health information as defined by the Health Insurance Portability |
|
|
and Accountability Act and Privacy Standards, as defined by Section |
|
|
181.001, Health and Safety Code.
|
|
|
SECTION 9. Section 531.001, Government Code, is amended by |
|
|
adding Subdivision (4-a) to read as follows: |
|
|
(4-a) "Protected health information" has the meaning |
|
|
assigned by the Health Insurance Portability and Accountability Act |
|
|
and Privacy Standards, as defined by Section 181.001, Health and |
|
|
Safety Code. |
|
|
SECTION 10. Subsection (a), Section 531.0315, Government |
|
|
Code, is amended to read as follows: |
|
|
(a) Each health and human services agency and every other |
|
|
state agency that acts as a health care provider or a claims payer |
|
|
for the provision of health care shall[: |
|
|
[(1)] process information related to health care in
|
|
|
compliance with national data interchange standards adopted under |
|
|
Subtitle F, Title II, Health Insurance Portability and |
|
|
Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and |
|
|
its subsequent amendments, within the applicable deadline |
|
|
established under federal law or federal regulations[; or |
|
|
[(2) demonstrate to the commission the reasons the |
|
|
agency should not be required to comply with Subdivision (1), and |
|
|
obtain the commission's approval, to the extent allowed under |
|
|
federal law: |
|
|
[(A) to comply with the standards at a later |
|
|
date; or |
|
|
[(B) to not comply with one or more of the |
|
|
standards].
|
|
|
SECTION 11. Subchapter B, Chapter 531, Government Code, is |
|
|
amended by adding Section 531.0994 to read as follows: |
|
|
Sec. 531.0994. STUDY; ANNUAL REPORT. (a) The commission, |
|
|
in consultation with the Department of State Health Services, the |
|
|
Texas Medical Board, and the Texas Department of Insurance, shall |
|
|
explore and evaluate new developments in safeguarding protected |
|
|
health information. |
|
|
(b) Not later than December 1 each year, the commission |
|
|
shall report to the legislature on new developments in safeguarding |
|
|
protected health information and recommendations for the |
|
|
implementation of safeguards within the commission. |
|
|
SECTION 12. Subsection (f), Section 31.03, Penal Code, is |
|
|
amended to read as follows: |
|
|
(f) An offense described for purposes of punishment by |
|
|
Subsections (e)(1)-(6) is increased to the next higher category of |
|
|
offense if it is shown on the trial of the offense that: |
|
|
(1) the actor was a public servant at the time of the |
|
|
offense and the property appropriated came into the actor's |
|
|
custody, possession, or control by virtue of his status as a public |
|
|
servant; |
|
|
(2) the actor was in a contractual relationship with |
|
|
government at the time of the offense and the property appropriated |
|
|
came into the actor's custody, possession, or control by virtue of |
|
|
the contractual relationship; |
|
|
(3) the owner of the property appropriated was at the |
|
|
time of the offense: |
|
|
(A) an elderly individual; or |
|
|
(B) a nonprofit organization; [or]
|
|
|
(4) the actor was a Medicare provider in a contractual |
|
|
relationship with the federal government at the time of the offense |
|
|
and the property appropriated came into the actor's custody, |
|
|
possession, or control by virtue of the contractual relationship; |
|
|
or |
|
|
(5) the property appropriated was a document |
|
|
containing protected health information, as that term is defined by |
|
|
the Health Insurance Portability and Accountability Act and Privacy |
|
|
Standards, as defined by Section 181.001, Health and Safety Code.
|
|
|
SECTION 13. Subsection (c-1), Section 32.51, Penal Code, is |
|
|
amended to read as follows: |
|
|
(c-1) An offense described for purposes of punishment by |
|
|
Subsections (c)(1)-(3) is increased to the next higher category of |
|
|
offense if it is shown on the trial of the offense that: |
|
|
(1) the offense was committed against an elderly
|
|
|
individual as defined by Section 22.04; or |
|
|
(2) the information obtained, possessed, transferred, |
|
|
or used in the commission of the offense was protected health |
|
|
information, as that term is defined by the Health Insurance |
|
|
Portability and Accountability Act and Privacy Standards, as |
|
|
defined by Section 181.001, Health and Safety Code.
|
|
|
SECTION 14. Subsection (b), Section 33.02, Penal Code, is |
|
|
amended to read as follows: |
|
|
(b) An offense under this section is a Class B misdemeanor |
|
|
unless in committing the offense the actor knowingly obtains a |
|
|
benefit, defrauds or harms another, or alters, damages, or deletes |
|
|
property, in which event the offense is: |
|
|
(1) a Class A misdemeanor if the aggregate amount |
|
|
involved is less than $1,500; |
|
|
(2) a state jail felony if: |
|
|
(A) the aggregate amount involved is $1,500 or |
|
|
more but less than $20,000; [or]
|
|
|
(B) the aggregate amount involved is less than |
|
|
$1,500 and the defendant has been previously convicted two or more |
|
|
times of an offense under this chapter; or |
|
|
(C) the actor accesses protected health |
|
|
information, as that term is defined by the Health Insurance |
|
|
Portability and Accountability Act and Privacy Standards, as |
|
|
defined by Section 181.001, Health and Safety Code; |
|
|
(3) a felony of the third degree if the aggregate |
|
|
amount involved is $20,000 or more but less than $100,000; |
|
|
(4) a felony of the second degree if the aggregate |
|
|
amount involved is $100,000 or more but less than $200,000; or |
|
|
(5) a felony of the first degree if the aggregate |
|
|
amount involved is $200,000 or more. |
|
|
SECTION 15. Section 35A.02, Penal Code, is amended by |
|
|
adding Subsections (b-1) and (b-2) to read as follows: |
|
|
(b-1) Except as provided by Subsection (b-2), the |
|
|
punishment prescribed for an offense under this section is |
|
|
increased to the punishment prescribed for the next highest |
|
|
category of offense if it is shown on the trial of the offense that |
|
|
protected health information, as that term is defined by the Health |
|
|
Insurance Portability and Accountability Act and Privacy |
|
|
Standards, as defined by Section 181.001, Health and Safety Code, |
|
|
was used in the commission of the offense. |
|
|
(b-2) The punishment for an offense described by this |
|
|
section may not be increased under Subsection (b-1) if the offense |
|
|
is punishable as a felony of the first degree. |
|
|
SECTION 16. Subsection (b), Section 531.0315, Government |
|
|
Code, is repealed. |
|
|
SECTION 17. Not later than January 1, 2012, the executive |
|
|
commissioner of the Health and Human Services Commission shall |
|
|
adopt rules as required by Section 181.101, Health and Safety Code, |
|
|
as added by this Act. |
|
|
SECTION 18. (a) Not later than January 1, 2012, the |
|
|
attorney general shall establish the Internet website required by |
|
|
Section 181.105, Health and Safety Code, as added by this Act. |
|
|
(b) Not later than December 1, 2012, the attorney general |
|
|
shall submit the initial report required by Section 181.106, Health |
|
|
and Safety Code, as added by this Act. |
|
|
SECTION 19. Not later than December 1, 2012, the Health and |
|
|
Human Services Commission shall submit the initial report required |
|
|
by Section 531.0994, Government Code, as added by this Act. |
|
|
SECTION 20. The changes in law made by Section 181.201, |
|
|
Health and Safety Code, as amended by this Act, Subsection (b), |
|
|
Section 521.053, Business & Commerce Code, as amended by this Act, |
|
|
and Subsection (a-1), Section 521.151, Business & Commerce Code, as |
|
|
added by this Act, apply only to conduct that occurs on or after the |
|
|
effective date of this Act. Conduct that occurs before the |
|
|
effective date of this Act is governed by the law in effect at the |
|
|
time the conduct occurred, and the former law is continued in effect |
|
|
for that purpose. |
|
|
SECTION 21. The changes in law made by Section 522.002, |
|
|
Business & Commerce Code, and Sections 31.03, 32.51, and 33.02, |
|
|
Penal Code, as amended by this Act, and Subsections (b-1) and (b-2), |
|
|
Section 35A.02, Penal Code, as added by this Act, apply only to an |
|
|
offense committed on or after the effective date of this Act. An |
|
|
offense committed before the effective date of this Act is governed |
|
|
by the law in effect at the time the offense was committed, and the |
|
|
former law is continued in effect for that purpose. For purposes of |
|
|
this section, an offense was committed before the effective date of |
|
|
this Act if any element of the offense was committed before that |
|
|
date. |
|
|
SECTION 22. This Act takes effect September 1, 2011. |
|
|
|
|
|
* * * * * |