H.B. No. 300
AN ACT
relating to the privacy of protected health information; providing
administrative, civil, and criminal penalties.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 181.001(b), Health and Safety Code, is
amended by amending Subdivisions (1) and (3) and adding
Subdivisions (2-a) and (2-b) to read as follows:
(1) "Commission" ["Commissioner"] means the Health
and Human Services Commission [commissioner of health and human
services].
(2-a) "Disclose" means to release, transfer, provide
access to, or otherwise divulge information outside the entity
holding the information.
(2-b) "Executive commissioner" means the executive
commissioner of the Health and Human Services Commission.
(3) "Health Insurance Portability and Accountability
Act and Privacy Standards" means the privacy requirements in
existence on September 1, 2011 [August 14, 2002], of the
Administrative Simplification subtitle of the Health Insurance
Portability and Accountability Act of 1996 (Pub. L. No. 104-191)
contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A
and E.
SECTION 2. Subchapter A, Chapter 181, Health and Safety
Code, is amended by adding Section 181.004 to read as follows:
Sec. 181.004. APPLICABILITY OF STATE AND FEDERAL LAW. (a)
A covered entity, as that term is defined by 45 C.F.R. Section
160.103, shall comply with the Health Insurance Portability and
Accountability Act and Privacy Standards.
(b) Subject to Section 181.051, a covered entity, as that
term is defined by Section 181.001, shall comply with this chapter.
SECTION 3. Section 181.005, Health and Safety Code, is
amended to read as follows:
Sec. 181.005. DUTIES OF THE EXECUTIVE COMMISSIONER. (a)
The executive commissioner shall administer this chapter and may
adopt rules consistent with the Health Insurance Portability and
Accountability Act and Privacy Standards to administer this
chapter.
(b) The executive commissioner shall review amendments to
the definitions in 45 C.F.R. Parts 160 and 164 that occur after
September 1, 2011 [August 14, 2002], and determine whether it is in
the best interest of the state to adopt the amended federal
regulations. If the executive commissioner determines that it is
in the best interest of the state to adopt the amended federal
regulations, the amended regulations shall apply as required by
this chapter.
(c) In making a determination under this section, the
executive commissioner must consider, in addition to other factors
affecting the public interest, the beneficial and adverse effects
the amendments would have on:
(1) the lives of individuals in this state and their
expectations of privacy; and
(2) governmental entities, institutions of higher
education, state-owned teaching hospitals, private businesses, and
commerce in this state.
(d) The executive commissioner shall prepare a report of the
executive commissioner's determination made under this section and
shall file the report with the presiding officer of each house of
the legislature before the 30th day after the date the
determination is made. The report must include an explanation of
the reasons for the determination.
SECTION 4. Section 181.006, Health and Safety Code, is
amended to read as follows:
Sec. 181.006. PROTECTED HEALTH INFORMATION NOT PUBLIC.
Notwithstanding Sections 181.004 and 181.051, for [For] a covered
entity that is a governmental unit, an individual's protected
health information:
(1) includes any information that reflects that an
individual received health care from the covered entity; and
(2) is not public information and is not subject to
disclosure under Chapter 552, Government Code.
SECTION 5. Subchapter B, Chapter 181, Health and Safety
Code, is amended by adding Section 181.059 to read as follows:
Sec. 181.059. CRIME VICTIM COMPENSATION. This chapter does
not apply to any person or entity in connection with providing,
administering, supporting, or coordinating any of the benefits
regarding compensation to victims of crime as provided by
Subchapter B, Chapter 56, Code of Criminal Procedure.
SECTION 6. Chapter 181, Health and Safety Code, is amended
by adding Subchapter C to read as follows:
SUBCHAPTER C. ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION
Sec. 181.101. TRAINING REQUIRED. (a) Each covered entity
shall provide a training program to employees of the covered entity
regarding the state and federal law concerning protected health
information as it relates to:
(1) the covered entity's particular course of
business; and
(2) each employee's scope of employment.
(b) An employee of a covered entity must complete training
described by Subsection (a) not later than the 60th day after the
date the employee is hired by the covered entity.
(c) An employee of a covered entity shall receive training
described by Subsection (a) at least once every two years.
(d) A covered entity shall require an employee of the entity
who attends a training program described by Subsection (a) to sign,
electronically or in writing, a statement verifying the employee's
attendance at the training program. The covered entity shall
maintain the signed statement.
Sec. 181.102. CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS.
(a) Except as provided by Subsection (b), if a health care
provider is using an electronic health records system that is
capable of fulfilling the request, the health care provider, not
later than the 15th business day after the date the health care
provider receives a written request from a person for the person's
electronic health record, shall provide the requested record to the
person in electronic form unless the person agrees to accept the
record in another form.
(b) A health care provider is not required to provide access
to a person's protected health information that is excepted from
access, or to which access may be denied, under 45 C.F.R. Section
164.524.
(c) For purposes of Subsection (a), the executive
commissioner, in consultation with the Department of State Health
Services, the Texas Medical Board, and the Texas Department of
Insurance, by rule may recommend a standard electronic format for
the release of requested health records. The standard electronic
format recommended under this section must be consistent, if
feasible, with federal law regarding the release of electronic
health records.
Sec. 181.103. CONSUMER INFORMATION WEBSITE. The attorney
general shall maintain an Internet website that provides:
(1) information concerning a consumer's privacy rights
regarding protected health information under federal and state law;
(2) a list of the state agencies, including the
Department of State Health Services, the Texas Medical Board, and
the Texas Department of Insurance, that regulate covered entities
in this state and the types of entities each agency regulates;
(3) detailed information regarding each agency's
complaint enforcement process; and
(4) contact information, including the address of the
agency's Internet website, for each agency listed under Subdivision
(2) for reporting a violation of this chapter.
Sec. 181.104. CONSUMER COMPLAINT REPORT BY ATTORNEY
GENERAL. (a) The attorney general annually shall submit to the
legislature a report describing:
(1) the number and types of complaints received by the
attorney general and by the state agencies receiving consumer
complaints under Section 181.103; and
(2) the enforcement action taken in response to each
complaint reported under Subdivision (1).
(b) Each state agency that receives consumer complaints
under Section 181.103 shall submit to the attorney general, in the
form required by the attorney general, the information the attorney
general requires to compile the report required by Subsection (a).
(c) The attorney general shall de-identify protected health
information from the individual to whom the information pertains
before including the information in the report required by
Subsection (a).
SECTION 7. Subchapter D, Chapter 181, Health and Safety
Code, is amended by adding Sections 181.153 and 181.154 to read as
follows:
Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION
PROHIBITED; EXCEPTIONS. (a) A covered entity may not disclose an
individual's protected health information to any other person in
exchange for direct or indirect remuneration, except that a covered
entity may disclose an individual's protected health information:
(1) to another covered entity, as that term is defined
by Section 181.001, or to a covered entity, as that term is defined
by Section 602.001, Insurance Code, for the purpose of:
(A) treatment;
(B) payment;
(C) health care operations; or
(D) performing an insurance or health
maintenance organization function described by Section 602.053,
Insurance Code; or
(2) as otherwise authorized or required by state or
federal law.
(b) The direct or indirect remuneration a covered entity
receives for making a disclosure of protected health information
authorized by Subsection (a)(1)(D) may not exceed the covered
entity's reasonable costs of preparing or transmitting the
protected health information.
Sec. 181.154. NOTICE AND AUTHORIZATION REQUIRED FOR
ELECTRONIC DISCLOSURE OF PROTECTED HEALTH INFORMATION; EXCEPTIONS.
(a) A covered entity shall provide notice to an individual for whom
the covered entity creates or receives protected health information
if the individual's protected health information is subject to
electronic disclosure. A covered entity may provide general notice
by:
(1) posting a written notice in the covered entity's
place of business;
(2) posting a notice on the covered entity's Internet
website; or
(3) posting a notice in any other place where
individuals whose protected health information is subject to
electronic disclosure are likely to see the notice.
(b) Except as provided by Subsection (c), a covered entity
may not electronically disclose an individual's protected health
information to any person without a separate authorization from the
individual or the individual's legally authorized representative
for each disclosure. An authorization for disclosure under this
subsection may be made in written or electronic form or in oral form
if it is documented in writing by the covered entity.
(c) The authorization for electronic disclosure of
protected health information described by Subsection (b) is not
required if the disclosure is made:
(1) to another covered entity, as that term is defined
by Section 181.001, or to a covered entity, as that term is defined
by Section 602.001, Insurance Code, for the purpose of:
(A) treatment;
(B) payment;
(C) health care operations; or
(D) performing an insurance or health
maintenance organization function described by Section 602.053,
Insurance Code; or
(2) as otherwise authorized or required by state or
federal law.
(d) The attorney general shall adopt a standard
authorization form for use in complying with this section. The form
must comply with the Health Insurance Portability and
Accountability Act and Privacy Standards and this chapter.
(e) This section does not apply to a covered entity, as
defined by Section 602.001, Insurance Code, if that entity is not a
covered entity as defined by 45 C.F.R. Section 160.103.
SECTION 8. Section 181.201, Health and Safety Code, is
amended by amending Subsections (b) and (c) and adding Subsections
(b-1), (d), (e), and (f) to read as follows:
(b) In addition to the injunctive relief provided by
Subsection (a), the attorney general may institute an action for
civil penalties against a covered entity for a violation of this
chapter. A civil penalty assessed under this section may not
exceed:
(1) $5,000 [$3,000] for each violation that occurs in
one year, regardless of how long the violation continues during
that year, committed negligently;
(2) $25,000 for each violation that occurs in one
year, regardless of how long the violation continues during that
year, committed knowingly or intentionally; or
(3) $250,000 for each violation in which the covered
entity knowingly or intentionally used protected health
information for financial gain.
(b-1) The total amount of a penalty assessed against a
covered entity under Subsection (b) in relation to a violation or
violations of Section 181.154 may not exceed $250,000 annually if
the court finds that the disclosure was made only to another covered
entity and only for a purpose described by Section 181.154(c) and
the court finds that:
(1) the protected health information disclosed was
encrypted or transmitted using encryption technology designed to
protect against improper disclosure;
(2) the recipient of the protected health information
did not use or release the protected health information; or
(3) at the time of the disclosure of the protected
health information, the covered entity had developed, implemented,
and maintained security policies, including the education and
training of employees responsible for the security of protected
health information.
(c) If the court in which an action under Subsection (b) is
pending finds that the violations have occurred with a frequency as
to constitute a pattern or practice, the court may assess a civil
penalty not to exceed $1.5 million annually [$250,000].
(d) In determining the amount of a penalty imposed under
Subsection (b), the court shall consider:
(1) the seriousness of the violation, including the
nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of
financial, reputational, or other harm to an individual whose
protected health information is involved in the violation;
(4) whether the covered entity was certified at the
time of the violation as described by Section 182.108;
(5) the amount necessary to deter a future violation;
and
(6) the covered entity's efforts to correct the
violation.
(e) The attorney general may institute an action against a
covered entity that is licensed by a licensing agency of this state
for a civil penalty under this section only if the licensing agency
refers the violation to the attorney general under Section
181.202(2).
(f) The office of the attorney general may retain a
reasonable portion of a civil penalty recovered under this section,
not to exceed amounts specified in the General Appropriations Act,
for the enforcement of this subchapter.
SECTION 9. Section 181.202, Health and Safety Code, is
amended to read as follows:
Sec. 181.202. DISCIPLINARY ACTION. In addition to the
penalties prescribed by this chapter, a violation of this chapter
by a covered entity [an individual or facility] that is licensed by
an agency of this state is subject to investigation and
disciplinary proceedings, including probation or suspension by the
licensing agency. If there is evidence that the violations of this
chapter are egregious and constitute a pattern or practice, the
agency may:
(1) revoke the covered entity's [individual's or
facility's] license; or
(2) refer the covered entity's case to the attorney
general for the institution of an action for civil penalties under
Section 181.201(b).
SECTION 10. Section 181.205, Health and Safety Code, is
amended by amending Subsection (b) and adding Subsection (c) to
read as follows:
(b) In determining the amount of a penalty imposed under
other law in accordance with Section 181.202, a court or state
agency shall consider the following factors:
(1) the seriousness of the violation, including the
nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of
financial, reputational, or other harm to an individual whose
protected health information is involved in the violation;
(4) whether the covered entity was certified at the
time of the violation as described by Section 182.108;
(5) the amount necessary to deter a future violation;
and
(6) the covered entity's efforts to correct the
violation.
(c) On receipt of evidence under Subsections [Subsection]
(a) and (b), a court or state agency shall consider the evidence and
mitigate imposition of an administrative penalty or assessment of a
civil penalty accordingly.
SECTION 11. Subchapter E, Chapter 181, Health and Safety
Code, is amended by adding Sections 181.206 and 181.207 to read as
follows:
Sec. 181.206. AUDITS OF COVERED ENTITIES. (a) The
commission, in coordination with the attorney general, the Texas
Health Services Authority, and the Texas Department of Insurance:
(1) may request that the United States secretary of
health and human services conduct an audit of a covered entity, as
that term is defined by 45 C.F.R. Section 160.103, in this state to
determine compliance with the Health Insurance Portability and
Accountability Act and Privacy Standards; and
(2) shall periodically monitor and review the results
of audits of covered entities in this state conducted by the United
States secretary of health and human services.
(b) If the commission has evidence that a covered entity has
committed violations of this chapter that are egregious and
constitute a pattern or practice, the commission may:
(1) require the covered entity to submit to the
commission the results of a risk analysis conducted by the covered
entity if required by 45 C.F.R. Section 164.308(a)(1)(ii)(A); or
(2) if the covered entity is licensed by a licensing
agency of this state, request that the licensing agency conduct an
audit of the covered entity's system to determine compliance with
the provisions of this chapter.
(c) The commission annually shall submit to the appropriate
standing committees of the senate and the house of representatives
a report regarding the number of federal audits of covered entities
in this state and the number of audits required under Subsection
(b).
Sec. 181.207. FUNDING. The commission and the Texas
Department of Insurance, in consultation with the Texas Health
Services Authority, shall apply for and actively pursue available
federal funding for enforcement of this chapter.
SECTION 12. Section 182.002, Health and Safety Code, is
amended by adding Subdivisions (2-a), (3-a), and (3-b) to read as
follows:
(2-a) "Covered entity" has the meaning assigned by
Section 181.001.
(3-a) "Disclose" has the meaning assigned by Section
181.001.
(3-b) "Health Insurance Portability and
Accountability Act and Privacy Standards" has the meaning assigned
by Section 181.001.
SECTION 13. Subchapter C, Chapter 182, Health and Safety
Code, is amended by adding Section 182.108 to read as follows:
Sec. 182.108. STANDARDS FOR ELECTRONIC SHARING OF PROTECTED
HEALTH INFORMATION; COVERED ENTITY CERTIFICATION. (a) The
corporation shall develop and submit to the commission for
ratification privacy and security standards for the electronic
sharing of protected health information.
(b) The commission shall review and by rule adopt acceptable
standards submitted for ratification under Subsection (a).
(c) Standards adopted under Subsection (b) must be designed
to:
(1) comply with the Health Insurance Portability and
Accountability Act and Privacy Standards and Chapter 181;
(2) comply with any other state and federal law
relating to the security and confidentiality of information
electronically maintained or disclosed by a covered entity;
(3) ensure the secure maintenance and disclosure of
personally identifiable health information;
(4) include strategies and procedures for disclosing
personally identifiable health information; and
(5) support a level of system interoperability with
existing health record databases in this state that is consistent
with emerging standards.
(d) The corporation shall establish a process by which a
covered entity may apply for certification by the corporation of a
covered entity's past compliance with standards adopted under
Subsection (b).
(e) The corporation shall publish the standards adopted
under Subsection (b) on the corporation's Internet website.
SECTION 14. Section 521.053, Business & Commerce Code, is
amended by amending Subsection (b) and adding Subsection (b-1) to
read as follows:
(b) A person who conducts business in this state and owns or
licenses computerized data that includes sensitive personal
information shall disclose any breach of system security, after
discovering or receiving notification of the breach, to any
individual [resident of this state] whose sensitive personal
information was, or is reasonably believed to have been, acquired
by an unauthorized person. The disclosure shall be made as quickly
as possible, except as provided by Subsection (d) or as necessary to
determine the scope of the breach and restore the reasonable
integrity of the data system.
(b-1) Notwithstanding Subsection (b), the requirements of
Subsection (b) apply only if the individual whose sensitive
personal information was or is reasonably believed to have been
acquired by an unauthorized person is a resident of this state or
another state that does not require a person described by
Subsection (b) to notify the individual of a breach of system
security. If the individual is a resident of a state that requires
a person described by Subsection (b) to provide notice of a breach
of system security, the notice of the breach of system security
provided under that state's law satisfies the requirements of
Subsection (b).
SECTION 15. Section 521.151, Business & Commerce Code, is
amended by adding Subsection (a-1) to read as follows:
(a-1) In addition to penalties assessed under Subsection
(a), a person who fails to take reasonable action to comply with
Section 521.053(b) is liable to this state for a civil penalty of
not more than $100 for each individual to whom notification is due
under that subsection for each consecutive day that the person
fails to take reasonable action to comply with that subsection.
Civil penalties under this section may not exceed $250,000 for all
individuals to whom notification is due after a single breach. The
attorney general may bring an action to recover the civil penalties
imposed under this subsection.
SECTION 16. Section 522.002(b), Business & Commerce Code,
is amended to read as follows:
(b) An offense under this section is a Class B misdemeanor,
except that the offense is a state jail felony if the information
accessed, read, scanned, stored, or transferred was protected
health information as defined by the Health Insurance Portability
and Accountability Act and Privacy Standards, as defined by Section
181.001, Health and Safety Code.
SECTION 17. Subchapter B, Chapter 531, Government Code, is
amended by adding Section 531.0994 to read as follows:
Sec. 531.0994. STUDY; ANNUAL REPORT. (a) The commission,
in consultation with the Department of State Health Services, the
Texas Medical Board, and the Texas Department of Insurance, shall
explore and evaluate new developments in safeguarding protected
health information.
(b) Not later than December 1 each year, the commission
shall report to the legislature on new developments in safeguarding
protected health information and recommendations for the
implementation of safeguards within the commission.
SECTION 18. Subchapter B, Chapter 602, Insurance Code, is
amended by adding Section 602.054 to read as follows:
Sec. 602.054. COMPLIANCE WITH OTHER LAW. A covered entity
shall comply with:
(1) Subchapter D, Chapter 181, Health and Safety Code,
except as otherwise provided by that subchapter; and
(2) the standards adopted under Section 182.108,
Health and Safety Code.
SECTION 19. (a) In this section, "unsustainable covered
entity" means a covered entity, as defined by Section 181.001,
Health and Safety Code, that ceases to operate.
(b) The Health and Human Services Commission, in
consultation with the Texas Health Services Authority and the Texas
Medical Board, shall review issues regarding the security and
accessibility of protected health information maintained by an
unsustainable covered entity.
(c) Not later than December 1, 2012, the Health and Human
Services Commission shall submit to the appropriate standing
committees of the senate and the house of representatives
recommendations for:
(1) the state agency to which the protected health
information maintained by an unsustainable covered entity should be
transferred for storage;
(2) ensuring the security of protected health
information maintained by unsustainable covered entities in this
state, including secure transfer methods from the covered entity to
the state;
(3) the method and period of time for which protected
health information should be maintained by the state after transfer
from an unsustainable covered entity;
(4) methods and processes by which an individual
should be able to access the individual's protected health
information after transfer to the state; and
(5) funding for the storage of protected health
information after transfer to the state.
(d) This section expires January 1, 2013.
SECTION 20. (a) A task force on health information
technology is created.
(b) The task force is composed of:
(1) 11 members appointed by the attorney general with
the advice of the chairs of the standing committees of the senate
and house of representatives having primary jurisdiction over
health information technology issues, including:
(A) at least two physicians;
(B) at least two individuals who represent
hospitals;
(C) at least one private citizen who represents
patient and parental rights; and
(D) at least one pharmacist; and
(2) the following ex officio members:
(A) the executive commissioner of the Health and
Human Services Commission or an employee of the commission
designated by the executive commissioner;
(B) the commissioner of the Department of State
Health Services or an employee of the department designated by the
commissioner; and
(C) the presiding officer of the Texas Health
Services Authority or an employee of the authority designated by
the presiding officer.
(c) Not later than December 1, 2012, the attorney general
shall appoint the members of the task force and appoint a chair of
the task force from among its membership. The chair of the task
force must have expertise in:
(1) state and federal health information privacy law;
(2) patient rights; and
(3) electronic signatures and other consent tools.
(d) The task force shall develop recommendations regarding:
(1) the improvement of informed consent protocols for
the electronic exchange of protected health information, as that
term is defined by the Health Insurance Portability and
Accountability Act and Privacy Standards, as defined by Section
181.001, Health and Safety Code, as amended by this Act;
(2) the improvement of patient access to and use of
electronically maintained and disclosed protected health
information for the purpose of personal health and coordination of
health care services; and
(3) any other critical issues, as determined by the
task force, related to the exchange of protected health
information.
(e) Not later than January 1, 2014, the task force shall
submit to the standing committees of the senate and house of
representatives having primary jurisdiction over health
information technology issues and the Texas Health Services
Authority a report including the task force's recommendations under
Subsection (d).
(f) The Texas Health Services Authority shall publish the
report submitted under Subsection (e) on the authority's Internet
website.
(g) This section expires February 1, 2014.
SECTION 21. Section 531.0315(b), Government Code, is
repealed.
SECTION 22. Not later than January 1, 2013:
(1) the attorney general shall adopt the form required
by Section 181.154, Health and Safety Code, as added by this Act;
and
(2) the Health and Human Services Commission shall
adopt the standards required by Section 182.108, Health and Safety
Code, as added by this Act.
SECTION 23. (a) Not later than May 1, 2013, the attorney
general shall establish the Internet website required by Section
181.103, Health and Safety Code, as added by this Act.
(b) Not later than December 1, 2013, the attorney general
shall submit the initial report required by Section 181.104, Health
and Safety Code, as added by this Act.
SECTION 24. Not later than December 1, 2013, the Health and
Human Services Commission shall submit the initial report required
by Section 531.0994, Government Code, as added by this Act.
SECTION 25. The changes in law made by Section 181.201,
Health and Safety Code, as amended by this Act, Section 521.053,
Business & Commerce Code, as amended by this Act, and Section
521.151(a-1), Business & Commerce Code, as added by this Act, apply
only to conduct that occurs on or after the effective date of this
Act. Conduct that occurs before the effective date of this Act is
governed by the law in effect at the time the conduct occurred, and
the former law is continued in effect for that purpose.
SECTION 26. The change in law made by Section 522.002(b),
Business & Commerce Code, as amended by this Act, applies only to an
offense committed on or after the effective date of this Act. An
offense committed before the effective date of this Act is governed
by the law in effect at the time the offense was committed, and the
former law is continued in effect for that purpose. For purposes of
this section, an offense was committed before the effective date of
this Act if any element of the offense was committed before that
date.
SECTION 27. This Act takes effect September 1, 2012.
______________________________ ______________________________
President of the Senate Speaker of the House
I certify that H.B. No. 300 was passed by the House on May 4,
2011, by the following vote: Yeas 141, Nays 0, 2 present, not
voting; that the House refused to concur in Senate amendments to
H.B. No. 300 on May 26, 2011, and requested the appointment of a
conference committee to consider the differences between the two
houses; and that the House adopted the conference committee report
on H.B. No. 300 on May 29, 2011, by the following vote: Yeas 145,
Nays 0, 1 present, not voting.
______________________________
Chief Clerk of the House
I certify that H.B. No. 300 was passed by the Senate, with
amendments, on May 24, 2011, by the following vote: Yeas 31, Nays
0; at the request of the House, the Senate appointed a conference
committee to consider the differences between the two houses; and
that the Senate adopted the conference committee report on H.B. No.
300 on May 29, 2011, by the following vote: Yeas 31, Nays 0.
______________________________
Secretary of the Senate
APPROVED: __________________
Date
__________________
Governor