85R5920 JG-F
	By: Kolkhorst	S.B. No. 1574

	A BILL TO BE ENTITLED
	AN ACT
	relating to the electronic sharing of protected health information
	and certification of and enforcement actions against certain
	covered entities.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1.  Section 181.201(d), Health and Safety Code, is
	amended to read as follows:
	(d)  In determining the amount of a penalty imposed under
	Subsection (b), the court shall consider:
	(1)  the seriousness of the violation, including the
	nature, circumstances, extent, and gravity of the disclosure;
	(2)  the covered entity's compliance history;
	(3)  whether the violation poses a significant risk of
	financial, reputational, or other harm to an individual whose
	protected health information is involved in the violation;
	(4)  [whether the covered entity was certified at the
	time of the violation as described by Section 182.108;
	[(5)]  the amount necessary to deter a future
	violation; and
	(5) [(6)]  the covered entity's efforts to correct the
	violation.
	SECTION 2.  Section 181.205(b), Health and Safety Code, is
	amended to read as follows:
	(b)  In determining the amount of a penalty imposed under
	other law in accordance with Section 181.202, a court or state
	agency shall consider the following factors:
	(1)  the seriousness of the violation, including the
	nature, circumstances, extent, and gravity of the disclosure;
	(2)  the covered entity's compliance history;
	(3)  whether the violation poses a significant risk of
	financial, reputational, or other harm to an individual whose
	protected health information is involved in the violation;
	(4)  [whether the covered entity was certified at the
	time of the violation as described by Section 182.108;
	[(5)]  the amount necessary to deter a future
	violation; and
	(5) [(6)]  the covered entity's efforts to correct the
	violation.
	SECTION 3.  Subchapter E, Chapter 181, Health and Safety
	Code, is amended by adding Section 181.208 to read as follows:
	Sec. 181.208.  ENFORCEMENT AGAINST CERTAIN COVERED
	ENTITIES. Notwithstanding Sections 181.201 and 181.202, the
	attorney general may not bring an action for civil penalties under
	Section 181.201 and a licensing agency may not conduct a
	disciplinary proceeding under Section 181.202 against a covered
	entity that holds a certification described by Section 182.108 at
	the time of the violation unless the violation is a result of the
	covered entity's gross negligence or intentional conduct.
	SECTION 4.  Section 182.108, Health and Safety Code, is
	amended by adding Subsection (b-1) and amending Subsections (c) and
	(d) to read as follows:
	(b-1)  The executive commissioner by rule may develop and the
	commission may implement a system to offer to a covered entity that
	contracts with the commission incentives to obtain a certification
	under this section. This subsection does not apply to a covered
	entity that is also a health care provider as defined by Section
	74A.001, Civil Practice and Remedies Code.
	(c)  Standards adopted under Subsection (b) must be designed
	to:
	(1)  comply with the Health Insurance Portability and
	Accountability Act and Privacy Standards and Chapter 181;
	(2)  comply with any other state and federal law
	relating to the security and confidentiality of information
	electronically maintained or disclosed by a covered entity;
	(3)  ensure the secure maintenance and disclosure of
	personally identifiable health information;
	(4)  include strategies and procedures for disclosing
	personally identifiable health information; [and]
	(5)  support a level of system interoperability with
	existing health record databases in this state that is consistent
	with emerging standards; and
	(6)  ensure compliance with relevant industry
	standards relating to security of Internet websites and electronic
	information.
	(d)  The corporation shall establish a process by which a
	covered entity may apply for privacy, security, or privacy and
	security certification by the corporation for the [of a] covered
	entity's past compliance with standards adopted under Subsection
	(b).
	SECTION 5.  Sections 182.108(h), (i), (j), (l), and (m),
	Health and Safety Code, as effective September 1, 2021, are amended
	to read as follows:
	(h)  In amending standards under Subsection (g), the
	commission shall seek the assistance of an [a private nonprofit]
	organization with relevant knowledge and experience in health care
	privacy and security certification [establishing statewide health
	information exchange capabilities].
	(i)  Standards amended under Subsection (g) must be designed
	to:
	(1)  comply with the Health Insurance Portability and
	Accountability Act and Privacy Standards and Chapter 181;
	(2)  comply with any other state and federal law
	relating to the security and confidentiality of information
	electronically maintained or disclosed by a covered entity;
	(3)  ensure the secure maintenance and disclosure of
	individually identifiable health information;
	(4)  include strategies and procedures for disclosing
	individually identifiable health information; [and]
	(5)  support a level of system interoperability with
	existing health record databases in this state that is consistent
	with emerging standards; and
	(6)  ensure compliance with relevant industry
	standards relating to security of Internet websites and electronic
	information.
	(j)  The commission shall designate an [a private nonprofit]
	organization with relevant knowledge and experience in health care
	privacy and security certification [establishing statewide health
	information exchange capabilities] to establish a process by which
	a covered entity may apply for privacy, security, or privacy and
	security certification by the designated [private nonprofit]
	organization for the [of a] covered entity's past compliance with
	standards adopted under this section. If an [a private nonprofit]
	organization with relevant knowledge and experience in health care
	privacy and security certification [establishing statewide health
	information exchange capabilities] does not exist, the commission
	shall [either:
	[(1)]  establish the process described by this
	subsection[; or
	[(2)     designate another entity with relevant knowledge
	to establish the process described by this subsection].
	(l)  The commission shall ensure that any fee charged for the
	certification process described in Subsection (j) by the [private
	nonprofit] organization [or entity] designated under that
	subsection, including a person acting on behalf of a designated
	organization [or entity], is reasonable. If the commission
	establishes the process as described by Subsection (j) [(j)(1)],
	the commission shall set a reasonable fee for the certification
	process.
	(m)  For good cause, the commission may revoke the
	designation or authority of an [a private nonprofit] organization
	[or entity] to establish the process or offer certifications under
	Subsection (j).
	SECTION 6.  The changes in law made by this Act apply only to
	a violation that occurs on or after the effective date of this Act.
	A violation that occurs before the effective date of this Act is
	governed by the law applicable to the violation immediately before
	the effective date of this Act, and that law is continued in effect
	for that purpose.
	SECTION 7.  This Act takes effect immediately if it receives
	a vote of two-thirds of all the members elected to each house, as
	provided by Section 39, Article III, Texas Constitution.  If this
	Act does not receive the vote necessary for immediate effect, this
	Act takes effect September 1, 2017.