The bill would amend Chapter 181 of the Health and Safety Code to direct all covered entities to comply with the Health Insurance Portability and Accountability Act and Privacy (HIPAA) standards and rules regarding access to and use of protected health information. 

The bill would require the Office of the Attorney General (OAG) to adopt rules, no later than January 1, 2012, to create and adopt a standard authoriziation form for use in complying with authorized requests for disclosure of protected health information.

The bill would increase the maximum civil penalties for violations of the Medical Privacy Act. The bill would authorize the Health and Human Services Commission (HHSC) to refer disciplinary licensing actions involving violations to the OAG for civil enforcement. The number of potential violations and the amount of penalties levied are unknown; therefore, there could be an indeterminate revenue increase to the state.

The bill would authorize HHSC to impose an administrative penalty on an unlicensed entity that violates the health information privacy regulations. The bill would establish the criteria for assessing the financial penalty and for court or state agency mitigation of the penalty. The number of potential violations and the amount of penalties levied are unknown; therefore, there could be an indeterminate revenue increase to the state.

The bill would authorize HHSC to request that the United States Secretary of Health and Human Services conduct a compliance audit of covered entities. The bill would authorize HHSC and the OAG to require a covered entity to conduct periodic compliance audits and submit a report to HHSC. The bill would require HHSC to review all complaints alleging Public Health Information compliance violations and refer complaints to appropriate licensing agencies or the attorney general. HHSC would be required to submit an annual report to the Legislature regarding the complaints received and the enforcement action taken. HHSC indicates there could be an increased cost for responding to the increased complaint volumes, as HHSC does not currently regulate all of the covered entities; however, the increased number of complaints and potential costs to HHSC cannot be estimated at this time.

The bill would direct HHSC, with the Texas Health Services Authority and the Texas Medical Board, to review issues regarding security and accessibility of protected health information maintained by "unsustainable" covered entities (assumed to mean a covered entity that goes out of business).

The bill would direct the OAG to establish a task force on health information technology to develop recommendations regarding the informed consent protocols, improvements in patient access to electronic protected health information, and other issues. The bill would require the task force to submit its report of recommendations to the Legislature by January 1, 2014.

The bill would take effect September 1, 2012.

The federal Health Information Technology for Economic and Clinical Health Act (HITECH Act), which included enhanced medical record and HIPAA privacy provisions, provided funding for health information technology development at the state level. Health Information Technology provides a framework for the management of health information and its exchange between consumers, providers, insurers, government, and quality review entities. The Health Information Exchange (HIE) Plan was developed by HHSC and the Texas Health Service Authority and approved in November of 2010. The plan is extensive and provides a four-year outline for the state's HIE implementation schedule, which includes policy and technology system development for several state agencies.

This analysis assumes costs of implementing the provisions of the bill specific to electronic transfer of protected health information and related technology costs could be absorbed within the agencies' current resources, which include Federal Funds specifically for this purpose.