BILL ANALYSIS
|
Senate Research Center |
C.S.H.B. 3233 |
|
89R32032 SCR-D |
By: Harris (Kolkhorst) |
|
|
Health & Human Services |
|
|
5/21/2025 |
|
|
Committee Report (Substituted) |
AUTHOR'S / SPONSOR'S STATEMENT OF INTENT
Pharmacy benefit managers (PBMs) manage prescription drug benefits for health plans, insurers, pharmacies, and drug manufacturers, process prescription drug claims, calculate enrollee out-of-pocket costs, and are responsible for keeping patient data secure. PBMs often form as Group Purchasing Organizations (GPOs) when operating offshore, which exposes patient data to foreign servers. In 2023, Montana and Florida required healthcare providers to store patient information only within the continental United States or Canada. From January through March 2025, over 422,000 Texans have been affected by health data breaches.���
An increase in cybersecurity attacks has led to illegal access to patient data,
including patients' Social Security numbers, Medicaid and Medicare ID numbers,
full names, phone numbers, and health certificates. Texas must act to safeguard
patient data.�
H.B. 3233 aims to protect Texans' privacy by prohibiting PBMs from storing any
patient data in countries where the U.S. Secretary of State has determined that
the government has promoted international terrorist activities.
Key Provisions:����������
� H.B. 3233 prevents PBMs from storing patient data in a country that the U.S. Secretary of State has found the government has routinely supported terrorist activities through:��
o Section 620 of the Foreign Assistance Act of 1961;�
o Section 40 of the Arms Export Control Act; or���������
o Section 1754(c) of the John S. McCain National Defense Authorization Act for Fiscal Year 2019.�����������
� Four countries currently meet this criteria, including:����������
o Cuba;
o Syria;
o Iran; and���������
o North Korea.
Committee Substitute:
� The committee substitute returns the bill to the filed version, banning storage of any patient data in a location outside of the United States. It also allows this data to be stored in U.S. territories.����������
� The substitute is acceptable to the House author and retains the prospective applicability to contracts entered into or renewed on or after September 1, 2025.
C.S.H.B. 3233 amends current law relating to patient data maintained by pharmacy benefit managers.
RULEMAKING AUTHORITY
This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Subchapter D, Chapter 4151, Insurance Code, by adding Section 4151.1531, as follows:
Sec. 4151.1531. SECURITY OF PATIENT DATA. Prohibits a pharmacy benefit manager from storing or processing patient data for a resident of this state in a location outside of the United States or its territories.
SECTION 2. Makes application of Section 4151.1531, Insurance Code, as added by this Act, prospective.
SECTION 3. Effective date: September 1, 2025.