| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the use, collection, and security of health care data |
|
|
collected by the Department of State Health Services. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 108.009, Health and Safety Code, is |
|
|
amended by amending Subsection (a) and adding Subsection (c) to |
|
|
read as follows: |
|
|
(a) The council may collect, and, except as provided by |
|
|
Subsection [Subsections (c) and] (d), providers shall submit to the |
|
|
council or another entity as determined by the council, all data |
|
|
required by this section. The data shall be collected according to |
|
|
uniform submission formats, coding systems, and other technical |
|
|
specifications necessary to make the incoming data substantially |
|
|
valid, consistent, compatible, and manageable using electronic |
|
|
data processing, if available. |
|
|
(c) The council or another entity as determined by the |
|
|
council to collect data from a provider under Subsection (a) shall |
|
|
remove all sensitive identifying information, including social |
|
|
security numbers and birth dates, from the collected data. |
|
|
SECTION 2. Chapter 108, Health and Safety Code, is amended |
|
|
by adding Section 108.0095 to read as follows: |
|
|
Sec. 108.0095. NOTIFICATION OF DATA COLLECTION. (a) A |
|
|
provider shall provide to a patient whose data is being collected |
|
|
under this chapter written notice on a form prescribed by the |
|
|
department of the collection of the patient's data for health care |
|
|
purposes. |
|
|
(b) The notice provided under this section must include the |
|
|
name of the agency or entity receiving the data and an individual |
|
|
within the agency or entity whom the patient may contact regarding |
|
|
the collection of data. |
|
|
(c) The department shall develop a form for the notice |
|
|
required under this section and make the form available on the |
|
|
department's Internet website. |
|
|
SECTION 3. Section 108.011(d), Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
(d) The council shall adopt procedures to establish the |
|
|
accuracy and consistency of the public use data before releasing |
|
|
the public use data to the public. The procedures must meet best |
|
|
practices and national standards for public research on and |
|
|
consumer use of health care data collected by governmental |
|
|
agencies. |
|
|
SECTION 4. Section 108.013(a), Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
(a) The data received by the department under this chapter |
|
|
shall only be used by the department and commission for the benefit |
|
|
of the public. Subject to specific limitations established by this |
|
|
chapter and executive commissioner rule, the department shall make |
|
|
determinations on requests for information in favor of access. |
|
|
SECTION 5. Section 108.0131, Health and Safety Code, is |
|
|
amended to read as follows: |
|
|
Sec. 108.0131. LIST OF [PURCHASERS OR] RECIPIENTS OF |
|
|
DATA. The department shall post on the department's Internet |
|
|
website a list of each entity that [purchases or] receives data |
|
|
collected under this chapter. |
|
|
SECTION 6. Chapter 108, Health and Safety Code, is amended |
|
|
by adding Sections 108.0132 and 108.0136 to read as follows: |
|
|
Sec. 108.0132. PROHIBITED SALE OF DATA. The department may |
|
|
not sell any data collected under this chapter. |
|
|
Sec. 108.0136. REPORT; NOTIFICATION OF CYBER ATTACK. (a) |
|
|
The department shall prepare for the commissioner an annual report |
|
|
describing the security measures taken to protect data collected |
|
|
under this chapter and any breaches, attempted cyber attacks, and |
|
|
security issues related to the data that are encountered during the |
|
|
calendar year. |
|
|
(b) The report described by this section is not subject to |
|
|
Chapter 552, Government Code, but may be released on request to a |
|
|
member of the legislature. |
|
|
(c) If a cyber attack occurs targeting data collected under |
|
|
this chapter, the department shall notify the Department of Public |
|
|
Safety of the State of Texas and the Federal Bureau of Investigation |
|
|
of the attack. |
|
|
SECTION 7. Not later than January 1, 2016, the Department of |
|
|
State Health Services shall develop a transition plan to prohibit |
|
|
the sale of data collected under Chapter 108, Health and Safety |
|
|
Code, as amended by this Act. |
|
|
SECTION 8. (a) Except as provided by Subsection (b) of this |
|
|
section, this Act takes effect September 1, 2015. |
|
|
(b) Section 108.0131, Health and Safety Code, as amended by |
|
|
this Act, and Section 108.0132, Health and Safety Code, as added by |
|
|
this Act, take effect September 1, 2017. |