BILL ANALYSIS

 

 

 

C.S.H.B. 764

By: King, Susan

Public Health

Committee Report (Substituted)

 

 

 

BACKGROUND AND PURPOSE

 

Approximately 20 years ago, the Texas Health Care Information Council was created to collect and aggregate statewide health care quality data at hospitals and ambulatory surgical centers in Texas. The council has since been consolidated as a division of the Department of State Health Services, and over the years the legislature has worked to improve the operations of the council and to make the duties of the council more consumer-friendly. C.S.H.B. 764 seeks to build on these efforts.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

 

ANALYSIS

 

C.S.H.B. 764 amends the Health and Safety Code, including provisions amended by S.B. 219, Acts of the 84th Legislature, Regular Session, 2015, to require the Department of State Health Services (DSHS) or another entity as determined by DSHS to collect health care data from a physician or health care facility to maintain a database that does not include identifying information for use as authorized by law. The bill requires a physician or health care facility to provide a patient whose data is being collected by DSHS or another entity with written notice on a form prescribed by DSHS of the collection of the patient's data for health care purposes. The bill requires DSHS to include the notice on an existing DSHS form and to make the form available on the DSHS website and requires the notice to include the name of the agency or entity receiving the data and of an individual within the agency or entity whom the patient may contact regarding the collection of data.

 

C.S.H.B. 764 requires the procedures adopted by the executive commissioner of the Health and Human Services Commission and DSHS for establishing the accuracy and consistency of public use data before releasing such data to the public to meet available best practices and national standards for public research on and consumer use of health care data collected by governmental agencies. The bill specifies that health care data received by DSHS is to be used by DSHS and the Health and Human Services Commission only for the benefit of the public.

 

C.S.H.B. 764 requires DSHS to prepare for the commissioner of state health services an annual report describing the security measures taken to protect collected health care data and any breaches, attempted cyber attacks, and security issues related to the data that are encountered during the calendar year. The bill specifies that the report is not subject to state public information law but may be released on request to a member of the legislature. The bill requires DSHS, if a cyber attack targeting the collected data occurs, to notify the Texas Department of Public Safety and the Federal Bureau of Investigation of the attack.  

 

EFFECTIVE DATE

 

September 1, 2015.

 

COMPARISON OF ORIGINAL AND SUBSTITUTE

 

While C.S.H.B. 764 may differ from the original in minor or nonsubstantive ways, the following comparison is organized and formatted in a manner that indicates the substantial differences between the introduced and committee substitute versions of the bill and does not indicate differences relating to changes made by S.B. 219, Acts of the 84th Legislature, Regular Session, 2015, which became effective April 2, 2015.

 

INTRODUCED

HOUSE COMMITTEE SUBSTITUTE

SECTION 1.  Section 108.009, Health and Safety Code, is amended by amending Subsection (a) and adding Subsection (c) to read as follows:

(a)  The council may collect, and, except as provided by Subsection [Subsections (c) and] (d), providers shall submit to the council or another entity as determined by the council, all data required by this section.  The data shall be collected according to uniform submission formats, coding systems, and other technical specifications necessary to make the incoming data substantially valid, consistent, compatible, and manageable using electronic data processing, if available.

(c)  The council or another entity as determined by the council to collect data from a provider under Subsection (a) shall remove all sensitive identifying information, including social security numbers and birth dates, from the collected data.

 

SECTION 1.  Section 108.009, Health and Safety Code, is amended by adding Subsection (c) to read as follows:

 

 

 

 

 

 

 

 

 

 

 

 

 

(c)  The department or another entity as determined by the department to collect data from a provider under Subsection (a) shall maintain a database that does not include identifying information for use as authorized by law, including this chapter.

 

SECTION 2.  Chapter 108, Health and Safety Code, is amended by adding Section 108.0095 to read as follows:

Sec. 108.0095.  NOTIFICATION OF DATA COLLECTION.  (a)  A provider shall provide to a patient whose data is being collected under this chapter written notice on a form prescribed by the department of the collection of the patient's data for health care purposes.

(b)  The notice provided under this section must include the name of the agency or entity receiving the data and an individual within the agency or entity whom the patient may contact regarding the collection of data.

(c)  The department shall develop a form for the notice required under this section and make the form available on the department's Internet website.

 

SECTION 2.  Chapter 108, Health and Safety Code, is amended by adding Section 108.0095 to read as follows:

Sec. 108.0095.  NOTIFICATION OF DATA COLLECTION.  (a)  A provider shall provide to a patient whose data is being collected under this chapter written notice on a form prescribed by the department of the collection of the patient's data for health care purposes.

(b)  The notice provided under this section must include the name of the agency or entity receiving the data and of an individual within the agency or entity whom the patient may contact regarding the collection of data.

(c)  The department shall include the notice required under this section on an existing department form and make the form available on the department's Internet website.

 

SECTION 3.  Section 108.011(d), Health and Safety Code, is amended to read as follows:

 

 

(d)  The council shall adopt procedures to establish the accuracy and consistency of the public use data before releasing the public use data to the public. The procedures must meet best practices and national standards for public research on and consumer use of health care data collected by governmental agencies.

 

SECTION 3.  Section 108.011(d), Health and Safety Code, as amended by S.B. 219, Acts of the 84th Legislature, Regular Session, 2015, is amended to read as follows:

(d)  The executive commissioner shall adopt procedures to establish the accuracy and consistency of the public use data before releasing the public use data to the public.  The department may adopt additional procedures as the department determines necessary. The procedures adopted under this subsection must meet available best practices and national standards for public research on and consumer use of health care data collected by governmental agencies.

 

SECTION 4.  Section 108.013(a), Health and Safety Code, is amended.

 

SECTION 4.  Substantially the same as introduced version.

 

SECTION 5.  Section 108.0131, Health and Safety Code, is amended to read as follows:

Sec. 108.0131.  LIST OF [PURCHASERS OR] RECIPIENTS OF DATA.  The department shall post on the department's Internet website a list of each entity that [purchases or] receives data collected under this chapter.

 

No equivalent provision.

 

SECTION 6.  Chapter 108, Health and Safety Code, is amended by adding Sections 108.0132 and 108.0136 to read as follows:

 

Sec. 108.0132.  PROHIBITED SALE OF DATA.  The department may not sell any data collected under this chapter.

 

Sec. 108.0136.  REPORT; NOTIFICATION OF CYBER ATTACK. 

 

SECTION 5.  Chapter 108, Health and Safety Code, is amended by adding Section 108.0136 to read as follows:

 

No equivalent provision.

 

 

 

Sec. 108.0136.  REPORT; NOTIFICATION OF CYBER ATTACK. 

 

SECTION 7.  Not later than January 1, 2016, the Department of State Health Services shall develop a transition plan to prohibit the sale of data collected under Chapter 108, Health and Safety Code, as amended by this Act.

 

No equivalent provision.

 

SECTION 8.  (a)  Except as provided by Subsection (b) of this section, this Act takes effect September 1, 2015.

(b)  Section 108.0131, Health and Safety Code, as amended by this Act, and Section 108.0132, Health and Safety Code, as added by this Act, take effect September 1, 2017.

SECTION 6.  This Act takes effect September 1, 2015.