82R7206 SJM-D
By: Kolkhorst H.B. No. 300
A BILL TO BE ENTITLED
AN ACT
relating to the privacy of protected health information; providing
civil penalties.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 181.001(b), Health and Safety Code, is
amended by amending Subdivisions (1) and (3) and adding
Subdivisions (2-a) and (2-b) to read as follows:
(1) "Commission" ["Commissioner"] means the Health
and Human Services Commission [commissioner of health and human
services].
(2-a) "Disclose" means to release, transfer, provide
access to, or otherwise divulge information to another person.
(2-b) "Executive commissioner" means the executive
commissioner of the Health and Human Services Commission.
(3) "Health Insurance Portability and Accountability
Act and Privacy Standards" means the privacy requirements in
existence on April 1, 2011 [August 14, 2002], of the Administrative
Simplification subtitle of the Health Insurance Portability and
Accountability Act of 1996 (Pub. L. No. 104-191) contained in 45
C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E.
SECTION 2. Subchapter A, Chapter 181, Health and Safety
Code, is amended by adding Section 181.004 to read as follows:
Sec. 181.004. APPLICABILITY OF FEDERAL LAW AND TEXAS HEALTH
SERVICES AUTHORITY STANDARDS. A covered entity shall comply with:
(1) the Health Insurance Portability and
Accountability Act and Privacy Standards; and
(2) the standards adopted under Section 182.108.
SECTION 3. Chapter 181, Health and Safety Code, is amended
by adding Subchapter C to read as follows:
SUBCHAPTER C. ACCESS TO AND USE OF
PROTECTED HEALTH INFORMATION
Sec. 181.101. ACCESS TO RECORDS AND DISCLOSURE ACCOUNTING.
Not later than the 15th day after the date a covered entity receives
a request from an individual:
(1) for a record containing the individual's protected
health information, the covered entity shall provide the record to
the individual in the form requested by the individual, including
printed or electronic form; and
(2) for an accounting of disclosures of the
individual's protected health information, the covered entity
shall provide the accounting to the individual in the form
requested by the individual, including printed or electronic form,
in accordance with 45 C.F.R. Section 164.528.
Sec. 181.102. FEES FOR COPIES OF RECORDS. A covered entity
may charge a reasonable fee for a photocopy of a record that
contains protected health information, subject to any limit or
restriction applicable to the record under other law.
Sec. 181.103. DUTY OF COVERED ENTITY. (a) A covered entity
that maintains or discloses protected health information bears the
responsibility of securely maintaining and disclosing the
information in compliance with this chapter and other law.
(b) Except as provided by other law, a covered entity may
not:
(1) prevent an individual from obtaining a copy of the
individual's record; or
(2) deny an individual's request to correct a
confirmed factual error in the individual's record.
Sec. 181.104. MINIMUM MAINTENANCE OF RECORDS OF PROTECTED
HEALTH INFORMATION. (a) A covered entity shall:
(1) for an individual 18 years of age or older on the
date of the last entry in a record that contains protected health
information, maintain the record until the seventh anniversary of
the date of the last entry in the record;
(2) for an individual younger than 18 years of age on
the date of the last entry in a record that contains protected
health information, maintain the record until the later of:
(A) the individual's 21st birthday; or
(B) the seventh anniversary of the date of the
last entry in the record; and
(3) maintain a medical record relating to a criminal,
civil, or administrative action until the later of:
(A) the date specified by Subdivision (1) or (2);
or
(B) the date of final disposition of the action.
(b) If another law requires a covered entity to maintain a
record described by Subsection (a) for a period longer than the
period specified by Subsection (a), the covered entity shall
maintain the record for the period required by the other law.
SECTION 4. Subchapter D, Chapter 181, Health and Safety
Code, is amended by adding Sections 181.153 and 181.154 to read as
follows:
Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION
PROHIBITED; EXCEPTIONS. A covered entity may not disclose an
individual's protected health information to any other person in
exchange for direct or indirect remuneration, except that a covered
entity may disclose an individual's protected health information to
another covered entity for the purpose of:
(1) provision of medical treatment to the individual;
(2) payment of the individual's health care costs; or
(3) health care operations between the covered
entities.
Sec. 181.154. AUTHORIZATION REQUIRED FOR DISCLOSURE OF
PROTECTED HEALTH INFORMATION; EXCEPTIONS. (a) Except as provided
by Subsections (c) and (d), a covered entity may not disclose an
individual's protected health information to any person without a
separate authorization for each record disclosed signed by the
individual or the individual's legally authorized representative.
(b) For purposes of this section, and individual may sign an
authorization of disclosure in writing or electronically.
(c) The consent required by Subsection (a) to disclose
protected health information for medical treatment, payment of
health care costs, or health care operations may be provided in a
signed general authorization form.
(d) A covered entity may disclose an individual's protected
health information to another person only as necessary to
facilitate the individual's medical treatment if:
(1) an agent of the covered entity reasonably believes
the individual requires lifesaving medical treatment;
(2) the individual is not able to provide
authorization for disclosure under this section; and
(3) a legally authorized representative of the
individual is not available to provide authorization for disclosure
under this section.
(e) The attorney general by rule shall adopt standard
authorization forms for use in complying with this section.
SECTION 5. Section 181.201, Health and Safety Code, is
amended by amending Subsection (c) and adding Subsection (d) to
read as follows:
(c) If the court in which an action under Subsection (b) is
pending finds that the violations have occurred with a frequency as
to constitute a pattern or practice, the court may assess a civil
penalty not to exceed $5 million [$250,000].
(d) The office of the attorney general may retain a
reasonable portion of a civil penalty recovered under this section,
not to exceed amounts specified in the General Appropriations Act,
for the enforcement of this subchapter.
SECTION 6. Section 181.202, Health and Safety Code, is
amended to read as follows:
Sec. 181.202. DISCIPLINARY ACTION. In addition to the
penalties prescribed by this chapter, a violation of this chapter
by an individual or facility that is licensed by an agency of this
state is subject to investigation and disciplinary proceedings,
including probation or suspension by the licensing agency. If
there is evidence that the violations of this chapter constitute a
pattern or practice, the agency may:
(1) revoke the individual's or facility's license; or
(2) refer the individual's or facility's case to the
attorney general for the institution of an action for civil
penalties under Section 181.201(b).
SECTION 7. Subchapter E, Chapter 181, Health and Safety
Code, is amended by adding Sections 181.206, 181.207, 181.208,
181.209, and 181.210 to read as follows:
Sec. 181.206. RULES. The attorney general may adopt rules
as necessary to enforce this chapter.
Sec. 181.207. AUDITS OF COVERED ENTITIES. (a) The attorney
general, in coordination with the commission, the Texas Health
Services Authority, and the Texas Department of Insurance:
(1) may conduct periodic audits of covered entities in
this state to determine compliance with this chapter; and
(2) shall periodically monitor and review the results
of audits of covered entities in this state conducted by the United
States secretary of health and human services.
(b) In addition to periodic audits conducted under
Subsection (a)(1), the attorney general may require a covered
entity to:
(1) conduct an audit of the covered entity's system;
and
(2) submit to the attorney general a report regarding
the results of an audit conducted under Subdivision (1).
Sec. 181.208. REVIEW OF COMPLAINT BY ATTORNEY GENERAL. The
attorney general shall review a complaint received from an
individual or an individual's authorized legal representative
alleging that a covered entity violated this chapter with respect
to the individual's protected health information.
Sec. 181.209. AUDIT AND COMPLAINT REPORT BY ATTORNEY
GENERAL. (a) The attorney general annually shall submit to the
appropriate standing committees of the senate and the house of
representatives a report that includes:
(1) the number and types of complaints received by the
office of the attorney general regarding violations of this
chapter;
(2) enforcement action taken by the office of the
attorney general under this chapter; and
(3) the number of federal and state audits of covered
entities in this state conducted.
(b) The attorney general and the Texas Health Services
Authority shall each publish the report required by Subsection (a)
on the agency's Internet website.
Sec. 181.210. FUNDING. The commission and the Texas
Department of Insurance, in consultation with the Texas Health
Services Authority, shall apply for and actively pursue available
federal funding for enforcement of this chapter, including the
audits described by Section 181.207.
SECTION 8. Section 182.002, Health and Safety Code, is
amended by adding Subdivisions (2-a), (3-a), and (3-b) to read as
follows:
(2-a) "Covered entity" has the meaning assigned by
Section 181.001.
(3-a) "Disclose" has the meaning assigned by Section
181.001.
(3-b) "Health Insurance Portability and
Accountability Act and Privacy Standards" has the meaning assigned
by Section 181.001.
SECTION 9. Section 182.101, Health and Safety Code, is
amended to read as follows:
Sec. 182.101. GENERAL POWERS AND DUTIES. The corporation
[may]:
(1) may establish statewide health information
exchange capabilities, including capabilities for electronic
laboratory results, diagnostic studies, and medication history
delivery, and, where applicable, establish [promote] definitions
and standards for electronic interactions statewide;
(2) may seek funding to:
(A) implement, promote, and facilitate the
voluntary exchange of secure electronic health information between
and among individuals and entities that are providing or paying for
health care services or procedures; and
(B) create incentives to implement, promote, and
facilitate the voluntary exchange of secure electronic health
information between and among individuals and entities that are
providing or paying for health care services or procedures;
(3) may establish statewide health information
exchange capabilities for streamlining health care administrative
functions including:
(A) communicating point of care services,
including laboratory results, diagnostic imaging, and prescription
histories;
(B) communicating patient identification and
emergency room required information in conformity with state and
federal privacy laws;
(C) real-time communication of enrollee status
in relation to health plan coverage, including enrollee
cost-sharing responsibilities; and
(D) current census and status of health plan
contracted providers;
(4) shall support regional health information
exchange initiatives by:
(A) identifying data and messaging standards for
health information exchange and for ensuring that the data that is
exchanged is accurate and complete;
(B) administering programs providing financial
incentives, including grants and loans for the creation and support
of regional health information networks, subject to available
funds;
(C) providing technical expertise where
appropriate;
(D) sharing intellectual property developed
under Section 182.105;
(E) waiving the corporation's fees associated
with intellectual property, data, expertise, and other services or
materials provided to regional health information exchanges
operated on a nonprofit basis; and
(F) applying operational and technical standards
developed by the corporation to existing health information
exchanges only on a voluntary basis, except for standards related
to ensuring effective privacy and security of individually
identifiable health information;
(5) shall adopt, publish, and distribute [identify]
standards for streamlining health care administrative functions
across payors and providers, including standards for the electronic
disclosure of protected health information as required by Section
182.108, electronic patient registration, communication of
enrollment in health plans, and information at the point of care
regarding services covered by health plans; and
(6) shall support the secure, electronic exchange of
health information through other strategies identified by the
board.
SECTION 10. Subchapter C, Chapter 182, Health and Safety
Code, is amended by adding Section 182.108 to read as follows:
Sec. 182.108. STANDARDS FOR ELECTRONIC DISCLOSURE OF
PROTECTED HEALTH INFORMATION. (a) The corporation by rule shall
adopt security standards for the electronic disclosure of protected
health information, as defined by the Health Insurance Portability
and Accountability Act and Privacy Standards. The standards must:
(1) comply with federal and state law relating to the
security and confidentiality of information electronically
maintained or disclosed by a covered entity;
(2) ensure the secure maintenance and disclosure of
personally identifiable health information;
(3) include strategies and procedures for disclosing
personally identifiable information; and
(4) support a level of system interoperability with
existing health record databases in this state that is consistent
with emerging standards.
(b) The corporation shall publish the standards adopted
under Subsection (a) on the corporation's Internet website.
SECTION 11. (a) In this section, "unsustainable covered
entity" means a covered entity that ceases to operate.
(b) The Health and Human Services Commission, in
consultation with the Texas Health Services Authority and the Texas
Medical Board, shall review issues regarding the security and
accessibility of protected health information maintained by an
unsustainable covered entity.
(c) Not later than December 1, 2012, the Health and Human
Services Commission shall submit to the appropriate standing
committees of the senate and the house of representatives
recommendations for:
(1) the state agency to which the protected health
information maintained by an unsustainable covered entity should be
transferred for storage;
(2) ensuring the security of protected health
information maintained by unsustainable covered entities in this
state, including secure transfer methods from the covered entity to
the state;
(3) the method and period of time for which protected
health information should be maintained by the state after transfer
from an unsustainable covered entity;
(4) methods and processes by which an individual
should be able to access the individual's protected health
information after transfer to the state; and
(5) funding for the storage of protected health
information after transfer to the state.
(d) This section expires January 1, 2013.
SECTION 12. (a) A task force on health information
technology is created.
(b) The task force is composed of seven members appointed by
the attorney general with the advice of the chairs of the standing
committees of the senate and house of representatives having
primary jurisdiction over health information technology issues.
Not later than December 1, 2011, the attorney general shall appoint
the members of the task force and appoint a chair of the task force
from among its membership. The chair of the task force must have
expertise in:
(1) state and federal health information privacy law;
(2) patient rights; and
(3) electronic signatures and other consent tools.
(c) The task force shall develop recommendations regarding:
(1) the improvement of informed consent protocols for
the electronic exchange of protected health information, as that
term is defined by the Health Insurance Portability and
Accountability Act and Privacy Standards, as defined by Section
181.001, Health and Safety Code, as amended by this Act;
(2) the improvement of patient access to and use of
electronically maintained and disclosed protected health
information for the purpose of personal health and coordination of
health care services; and
(3) any other critical issues, as determined by the
task force, related to the exchange of protected health
information.
(d) Not later than January 1, 2013, the task force shall
submit to the standing committees of the senate and house of
representatives having primary jurisdiction over health
information technology issues and the Texas Health Services
Authority a report including the task force's recommendations under
Subsection (c).
(e) The Texas Health Services Authority shall publish the
report submitted under Subsection (d) on the authority's Internet
website.
(f) This section expires February 1, 2013.
SECTION 13. Not later than January 1, 2012:
(1) the attorney general shall adopt the forms
required by Section 181.154, Health and Safety Code, as added by
this Act; and
(2) the Texas Health Services Authority shall adopt
the standards required by Section 182.101, Health and Safety Code,
as amended by this Act, and Section 182.108, Health and Safety Code,
as added by this Act.
SECTION 14. This Act takes effect September 1, 2011.