82R14186 SJM-D
By: Kolkhorst, Naishtat
H.B. No. 300
Substitute the following for H.B. No. 300:
By: Laubenberg
C.S.H.B. No. 300

A BILL TO BE ENTITLED
AN ACT
relating to the privacy of protected health information; providing administrative and civil penalties.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 181.001(b), Health and Safety Code, is amended by amending Subdivisions (1) and (3) and adding Subdivisions (2-a) and (2-b) to read as follows:
(1) "Commission" ["Commissioner"] means the Health and Human Services Commission [commissioner of health and human services].
(2-a) "Disclose" means to release, transfer, provide access to, or otherwise divulge information to another person.
(2-b) "Executive commissioner" means the executive commissioner of the Health and Human Services Commission.
(3) "Health Insurance Portability and Accountability Act and Privacy Standards" means the privacy requirements in existence on April 1, 2011 [August 14, 2002], of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E.

SECTION 2. Subchapter A, Chapter 181, Health and Safety Code, is amended by adding Section 181.004 to read as follows:
Sec. 181.004. APPLICABILITY OF STATE AND FEDERAL LAW.
(a) A covered entity, as that term is defined by 45 C.F.R. Section 160.103, shall comply with the Health Insurance Portability and Accountability Act and Privacy Standards.
(b) A covered entity, as that term is defined by Section 181.001, shall comply with this chapter.

SECTION 3. Section 181.005, Health and Safety Code, is amended to read as follows:
Sec. 181.005. DUTIES OF THE EXECUTIVE COMMISSIONER.
(a) The executive commissioner shall administer this chapter and may adopt rules consistent with the Health Insurance Portability and Accountability Act and Privacy Standards to administer this chapter.
(b) The executive commissioner shall review amendments to the definitions in 45 C.F.R. Parts 160 and 164 that occur after April 1, 2011 [August 14, 2002], and determine whether it is in the best interest of the state to adopt the amended federal regulations. If the executive commissioner determines that it is in the best interest of the state to adopt the amended federal regulations, the amended regulations shall apply as required by this chapter.
(c) In making a determination under this section, the executive commissioner must consider, in addition to other factors affecting the public interest, the beneficial and adverse effects the amendments would have on:
(1) the lives of individuals in this state and their expectations of privacy; and
(2) governmental entities, institutions of higher education, state-owned teaching hospitals, private businesses, and commerce in this state.
(d) The executive commissioner shall prepare a report of the executive commissioner's determination made under this section and shall file the report with the presiding officer of each house of the legislature before the 30th day after the date the determination is made. The report must include an explanation of the reasons for the determination.

SECTION 4. Subchapter D, Chapter 181, Health and Safety Code, is amended by adding Sections 181.153 and 181.154 to read as follows:
Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION PROHIBITED; EXCEPTIONS.
A covered entity may not disclose an individual's protected health information to any other person in exchange for direct or indirect remuneration, except that a covered entity may disclose an individual's protected health information:
(1) to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001, Insurance Code, for the purpose of:
(A) treatment;
(B) payment; or
(C) health care operations; or
(2) as otherwise authorized or required by state or federal law.

Sec. 181.154. NOTICE AND AUTHORIZATION REQUIRED FOR ELECTRONIC DISCLOSURE OF PROTECTED HEALTH INFORMATION; EXCEPTIONS.
(a) A covered entity shall provide notice to an individual for whom the covered entity creates or receives protected health information if the individual's protected health information is subject to electronic disclosure. A covered entity may provide general notice by:
(1) posting a written notice in the covered entity's place of business;
(2) posting a notice on the covered entity's Internet website; or
(3) posting a notice in any other place where individuals whose protected health information is subject to electronic disclosure are likely to see the notice.
(b) Except as provided by Subsection (c), a covered entity may not electronically disclose an individual's protected health information to any person without a separate authorization from the individual or the individual's legally authorized representative for each disclosure. An authorization for disclosure under this subsection may be made in written or electronic form or in oral form if it is documented in writing by the covered entity.
(c) The authorization for electronic disclosure of protected health information described by Subsection (b) is not required if the disclosure is made:
(1) to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001, Insurance Code, for the purpose of:
(A) treatment;
(B) payment; or
(C) health care operations; or
(2) as authorized or required by state or federal law.
(d) The attorney general by rule shall adopt a standard authorization form for use in complying with this section. The form must comply with the Health Insurance Portability and Accountability Act and Privacy Standards and this chapter.

SECTION 5.
Section 181.201, Health and Safety Code, is amended by amending Subsection (c) and adding Subsections (d), (e), and (f) to read as follows:
(c) If the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, the court may assess a civil penalty not to exceed $1.5 million annually [$250,000].
(d) In determining the amount of a penalty imposed under Subsection (b), the court shall consider:
(1) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;
(4) whether the covered entity was certified at the time of the violation as described by Section 182.108;
(5) the amount necessary to deter a future violation; and
(6) the covered entity's efforts to correct the violation.
(e) The attorney general may institute an action against a covered entity that is licensed by a licensing agency of this state for a civil penalty under this section only if the licensing agency refers the violation to the attorney general under Section 181.202(2).
(f) The office of the attorney general may retain a reasonable portion of a civil penalty recovered under this section, not to exceed amounts specified in the General Appropriations Act, for the enforcement of this subchapter.

SECTION 6. Section 181.202, Health and Safety Code, is amended to read as follows:
Sec. 181.202. DISCIPLINARY ACTION.
In addition to the penalties prescribed by this chapter, a violation of this chapter by a covered entity [an individual or facility] that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency.
If there is evidence that the violations of this chapter are serious and constitute a pattern or practice, the agency may:
(1) revoke the covered entity's [individual's or facility's] license; or
(2) refer the covered entity's case to the attorney general for the institution of an action for civil penalties under Section 181.201(b).

SECTION 7. Subchapter E, Chapter 181, Health and Safety Code, is amended by adding Section 181.204 to read as follows:
Sec. 181.204. ADMINISTRATIVE PENALTY.
(a) The executive commissioner may impose an administrative penalty on a covered entity that is not licensed by a licensing agency of this state and that violates this chapter or a rule adopted under this chapter.
(b) The amount of the penalty may not exceed $3,000 for each violation, and each day a violation continues or occurs is a separate violation for the purpose of imposing a penalty. The amount shall be based on:
(1) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;
(4) whether the covered entity was certified at the time of the violation as described by Section 182.108;
(5) the amount necessary to deter a future violation; and
(6) the covered entity's efforts to correct the violation.
(c) The enforcement of the penalty may be stayed during the time the order is under judicial review if the covered entity pays the penalty to the clerk of the court or files a supersedeas bond with the court in the amount of the penalty.
A covered entity that cannot afford to pay the penalty or file the bond may stay the enforcement by filing an affidavit in the manner required by the Texas Rules of Civil Procedure for a party who cannot afford to file security for costs, subject to the right of the executive commissioner to contest the affidavit as provided by those rules.
(d) The attorney general may sue to collect the penalty.
(e) A proceeding to impose the penalty is a contested case under Chapter 2001, Government Code.

SECTION 8. Section 181.205, Health and Safety Code, is amended by amending Subsection (b) and adding Subsection (c) to read as follows:
(b) In determining the amount of a penalty imposed under other law in accordance with Section 181.202, a court or state agency shall consider the following factors:
(1) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;
(4) whether the covered entity was certified at the time of the violation as described by Section 182.108;
(5) the amount necessary to deter a future violation; and
(6) the covered entity's efforts to correct the violation.
(c) On receipt of evidence under Subsections [Subsection] (a) and (b), a court or state agency shall consider the evidence and mitigate imposition of an administrative penalty or assessment of a civil penalty accordingly.

SECTION 9. Subchapter E, Chapter 181, Health and Safety Code, is amended by adding Sections 181.206, 181.207, 181.208, 181.209, and 181.210 to read as follows:
Sec. 181.206. RULES.
The attorney general may adopt rules as necessary to enforce this chapter.

Sec. 181.207. AUDITS OF COVERED ENTITIES.
(a) The commission, in coordination with the attorney general, the Texas Health Services Authority, and the Texas Department of Insurance:
(1) may request that the United States secretary of health and human services conduct an audit of a covered entity in this state to determine compliance with the Health Insurance Portability and Accountability Act and Privacy Standards; and
(2) shall periodically monitor and review the results of audits of covered entities in this state conducted by the United States secretary of health and human services.
(b) The commission may require a covered entity to:
(1) conduct an audit of the covered entity's system; and
(2) submit to the commission a report regarding the results of an audit conducted under Subdivision (1).

Sec. 181.208. REVIEW OF COMPLAINT BY COMMISSION.
(a) The commission shall review a complaint received from an individual or an individual's legally authorized representative alleging that a covered entity violated this chapter with respect to the individual's protected health information.
(b) The commission shall refer a complaint reviewed under Subsection (a) to the appropriate licensing agency or the attorney general, as applicable.

Sec. 181.209. AUDIT AND COMPLAINT REPORT BY COMMISSION.
(a) The commission annually shall submit to the appropriate standing committees of the senate and the house of representatives a report that includes:
(1) the number and types of complaints received by the commission regarding violations of this chapter;
(2) enforcement action taken by the commission, a licensing agency, or the office of the attorney general under this chapter; and
(3) the number of federal audits of covered entities in this state conducted and the number of audits required under Section 181.207(b).
(b) The commission and the Texas Health Services Authority shall each publish the report required by Subsection (a) on the agency's Internet website.

Sec. 181.210. FUNDING.
The commission and the Texas Department of Insurance, in consultation with the Texas Health Services Authority, shall apply for and actively pursue available federal funding for enforcement of this chapter.

SECTION 10. Section 182.002, Health and Safety Code, is amended by adding Subdivisions (2-a), (3-a), and (3-b) to read as follows:
(2-a) "Covered entity" has the meaning assigned by Section 181.001.
(3-a) "Disclose" has the meaning assigned by Section 181.001.
(3-b) "Health Insurance Portability and Accountability Act and Privacy Standards" has the meaning assigned by Section 181.001.

SECTION 11. Subchapter C, Chapter 182, Health and Safety Code, is amended by adding Section 182.108 to read as follows:
Sec. 182.108. STANDARDS FOR ELECTRONIC SHARING OF PROTECTED HEALTH INFORMATION; COVERED ENTITY CERTIFICATION.
(a) The corporation shall develop and submit to the commission for ratification privacy and security standards for the electronic sharing of protected health information.
(b) The commission shall review and by rule adopt acceptable standards submitted for ratification under Subsection (a).
(c) Standards adopted under Subsection (b) must:
(1) comply with the Health Insurance Portability and Accountability Act and Privacy Standards and Chapter 181;
(2) comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity;
(3) ensure the secure maintenance and disclosure of personally identifiable health information;
(4) include strategies and procedures for disclosing personally identifiable health information; and
(5) support a level of system interoperability with existing health record databases in this state that is consistent with emerging standards.
(d) The corporation shall establish a process by which a covered entity may apply for certification by the corporation of a covered entity's past compliance with standards adopted under Subsection (b).
(e) The corporation shall publish the standards adopted under Subsection (b) on the corporation's Internet website.

SECTION 12. Subchapter B, Chapter 602, Insurance Code, is amended by adding Section 602.054 to read as follows:
Sec. 602.054. COMPLIANCE WITH OTHER LAW.
A covered entity shall comply with:
(1) Subchapter D, Chapter 181, Health and Safety Code, including Sections 181.153 and 181.154; and
(2) the standards adopted under Section 182.108, Health and Safety Code.

SECTION 13.
(a) In this section, "unsustainable covered entity" means a covered entity, as defined by Section 181.001, Health and Safety Code, that ceases to operate.
(b) The Health and Human Services Commission, in consultation with the Texas Health Services Authority and the Texas Medical Board, shall review issues regarding the security and accessibility of protected health information maintained by an unsustainable covered entity.
(c) Not later than December 1, 2012, the Health and Human Services Commission shall submit to the appropriate standing committees of the senate and the house of representatives recommendations for:
(1) the state agency to which the protected health information maintained by an unsustainable covered entity should be transferred for storage;
(2) ensuring the security of protected health information maintained by unsustainable covered entities in this state, including secure transfer methods from the covered entity to the state;
(3) the method and period of time for which protected health information should be maintained by the state after transfer from an unsustainable covered entity;
(4) methods and processes by which an individual should be able to access the individual's protected health information after transfer to the state; and
(5) funding for the storage of protected health information after transfer to the state.
(d) This section expires January 1, 2013.

SECTION 14.
(a) A task force on health information technology is created.
(b) The task force is composed of:
(1) 11 members appointed by the attorney general with the advice of the chairs of the standing committees of the senate and house of representatives having primary jurisdiction over health information technology issues, including:
(A) at least two physicians; and
(B) at least two individuals who represent hospitals; and
(2) the following ex officio members:
(A) the executive commissioner of the Health and Human Services Commission or an employee of the commission designated by the executive commissioner;
(B) the commissioner of the Department of State Health Services or an employee of the department designated by the commissioner; and
(C) the presiding officer of the Texas Health Services Authority or an employee of the authority designated by the presiding officer.
(c) Not later than December 1, 2012, the attorney general shall appoint the members of the task force and appoint a chair of the task force from among its membership. The chair of the task force must have expertise in:
(1) state and federal health information privacy law;
(2) patient rights; and
(3) electronic signatures and other consent tools.
(d) The task force shall develop recommendations regarding:
(1) the improvement of informed consent protocols for the electronic exchange of protected health information, as that term is defined by the Health Insurance Portability and Accountability Act and Privacy Standards, as defined by Section 181.001, Health and Safety Code, as amended by this Act;
(2) the improvement of patient access to and use of electronically maintained and disclosed protected health information for the purpose of personal health and coordination of health care services; and
(3) any other critical issues, as determined by the task force, related to the exchange of protected health information.
(e) Not later than January 1, 2014, the task force shall submit to the standing committees of the senate and house of representatives having primary jurisdiction over health information technology issues and the Texas Health Services Authority a report including the task force's recommendations under Subsection (d).
(f) The Texas Health Services Authority shall publish the report submitted under Subsection (e) on the authority's Internet website.
(g) This section expires February 1, 2014.

SECTION 15. Not later than January 1, 2013:
(1) the attorney general shall adopt the form required by Section 181.154, Health and Safety Code, as added by this Act; and
(2) the Health and Human Services Commission shall adopt the standards required by Section 182.108, Health and Safety Code, as added by this Act.

SECTION 16. The change in law made by Section 181.154, Health and Safety Code, as added by this Act, applies only to an electronic disclosure of protected health information made on or after the effective date of this Act. An electronic disclosure of protected health information made before the effective date of this Act is governed by the law in effect at the time the disclosure was made, and the former law is continued in effect for that purpose.

SECTION 17. This Act takes effect September 1, 2012.