The bill would amend Chapter 181 of the Health and Safety Code to direct all covered entities to comply with the Health Insurance Portability and Accountability Act and Privacy (HIPAA) standards and rules regarding access to and use of protected health information. The bill would require employees at covered entities receive training regarding protected health information. The bill would also require a health care provider to provide a person's electronic health record within fifteen business days of receiving a request for the information if a health care provider has a system capable of fulfilling the request.

The bill would require the Office of the Attorney General (OAG) to maintain an internet website with information for consumers regarding privacy rights under federal and state law related to protected health information, a list of state agencies that regulate covered entities in the state, information regarding the complaint enforcement process, and contact information for each agency. The bill would also require the OAG to submit annually to the legislature a report on the number and types of complaints received.

The bill would prohibit a covered entity from disclosing protected health information to any person in exchange for direct or indirect remuneration, with certain exemptions. The bill would require the OAG to adopt a standard authorization form for use in complying with authorized requests for disclosure of protected health information.

The bill would authorize the Attorney General to institute an action against a covered entity that is licensed by a licensing agency of the state for a civil penalty and to retain a reasonable portion of a civil penalty for enforcement. The bill would increase the maximum civil penalties for violations of the Medical Privacy Act. The bill would authorize the Health and Human Services Commission (HHSC) to refer disciplinary licensing actions involving violations to the OAG for civil enforcement. The number of potential violations and the amount of penalties levied are unknown; therefore, there could be an indeterminate revenue increase to the state.

The bill would authorize HHSC to request that the United States Secretary of Health and Human Services conduct a compliance audit of covered entities. The bill would authorize HHSC and the OAG to require a covered entity to conduct periodic compliance audits and submit a report to HHSC. HHSC could require certain audits or submission of risk analysis reports if the commission finds a covered entity commits egregious violations. HHSC would be required to submit an annual report to the Legislature regarding the number of audits performed.

The bill would require HHSC to review all complaints alleging Public Health Information compliance violations and refer complaints to appropriate licensing agencies or the attorney general. HHSC indicates there could be an increased cost for responding to the increased complaint volumes, as HHSC does not currently regulate all of the covered entities; however, the increased number of complaints and potential costs to HHSC cannot be estimated at this time.

The bill would direct the Texas Health Services Authority (THSA) to develop privacy and security standards in compliance with HIPAA for the electronic sharing of protected health information. THSA would be required to publish the standards on its website.

The bill would amend the Business and Commerce Code by adding a liability to the state for a civil penalty of no more than $100 for each individual to whom notification of a breach of system security is due and the person or entity fails to take reasonable action to notify the individual.

The bill would direct HHSC, in consultation with the Department of State Health Services, the Texas Medical Board, and the Texas Department of Insurance, to provide a report to the legislature on new developments in safeguarding protected health information.

The bill would direct HHSC, with the Texas Health Services Authority and the Texas Medical Board, to review issues regarding security and accessibility of protected health information maintained by "unsustainable" covered entities (assumed to mean a covered entity that goes out of business).

The bill would direct the OAG to establish a task force on health information technology to develop recommendations regarding the informed consent protocols, improvements in patient access to electronic protected health information, and other issues. The bill would require the task force to submit its report of recommendations to the Legislature by January 1, 2014.

The bill would take effect September 1, 2012.

The federal Health Information Technology for Economic and Clinical Health Act (HITECH Act), which included enhanced medical record and HIPAA privacy provisions, provided funding for health information technology development at the state level. Health Information Technology provides a framework for the management of health information and its exchange between consumers, providers, insurers, government, and quality review entities. The Health Information Exchange (HIE) Plan was developed by HHSC and the Texas Health Service Authority and approved in November of 2010. The plan is extensive and provides a four-year outline for the state's HIE implementation schedule, which includes policy and technology system development for several state agencies.

This analysis assumes costs of implementing the provisions of the bill specific to electronic transfer of protected health information and related technology costs could be absorbed within the agencies' current resources, which include Federal Funds specifically for this purpose.