Texas 2011 82nd Regular

Texas Senate Bill SB622 Introduced / Bill

                    By: Nelson S.B. No. 622


 A BILL TO BE ENTITLED
 AN ACT
 relating to the privacy of protected health information and
 personal information; providing civil and criminal penalties.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1.  Section 181.001(b), Health and Safety Code, is
 amended by amending Subdivisions (1), (3), and (4) and adding
 Subdivision (2-a) to read as follows:
 (1)  "Commission" ["Commissioner"] means the Health
 and Human Services Commission [commissioner of health and human
 services].
 (2-a)  "Executive commissioner" means the executive
 commissioner of the Health and Human Services Commission.
 (3)  "Health Insurance Portability and Accountability
 Act and Privacy Standards" means the privacy requirements in
 existence on September 1, 2011 [August 14, 2002], of the
 Administrative Simplification subtitle of the Health Insurance
 Portability and Accountability Act of 1996 (Pub. L. No. 104-191)
 contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A
 and E.
 (4)  "Marketing" means:
 (A)  making a communication about a product or
 service that encourages a recipient of the communication to
 purchase, [or] use, or request the product or service, unless the
 communication is made:
 (i)  to describe a health-related product or
 service or the payment for a health-related product or service that
 is provided by, or included in a plan of benefits of, the covered
 entity making the communication, including communications about:
 (a)  the entities participating in a
 health care provider network or health plan network;
 (b)  replacement of, or enhancement
 to, a health plan; or
 (c)  health-related products or
 services available only to a health plan enrollee that add value to,
 but are not part of, a plan of benefits;
 (ii)  for treatment of the individual;
 (iii)  for case management or care
 coordination for the individual, or to direct or recommend
 alternative treatments, therapies, health care providers, or
 settings of care to the individual; or
 (iv)  by a covered entity to an individual
 that encourages a change to a prescription drug included in the
 covered entity's drug formulary or preferred drug list; and
 (B)  [an arrangement between a covered entity and
 any other entity under which the covered entity discloses protected
 health information to the other entity, in exchange for direct or
 indirect remuneration, for the other entity or its affiliate to
 make a communication about its own product or service that
 encourages recipients of the communication to purchase or use that
 product or service; and
 [(C)]  notwithstanding Paragraphs (A)(ii) and
 (iii), a product-specific written communication to a consumer that
 encourages a change in products.
 SECTION 2.  Subchapter A, Chapter 181, Health and Safety
 Code, is amended by adding Section 181.004 to read as follows:
 Sec. 181.004.  APPLICABILITY OF FEDERAL LAW AND COMMISSION
 RULES. A covered entity shall comply with:
 (1)  the Health Insurance Portability and
 Accountability Act and Privacy Standards; and
 (2)  the rules adopted under Sections 181.005 and
 181.101(a).
 SECTION 3.  Section 181.005, Health and Safety Code, is
 amended to read as follows:
 Sec. 181.005.  DUTIES OF THE EXECUTIVE COMMISSIONER.
 (a)  The executive commissioner shall administer this chapter and
 may adopt rules consistent with the Health Insurance Portability
 and Accountability Act and Privacy Standards to administer this
 chapter.
 (b)  The executive commissioner shall review amendments to
 the definitions in 45 C.F.R. Parts 160 and 164 that occur after
 September 1, 2011 [August 14, 2002], and determine whether it is in
 the best interest of the state to adopt the amended federal
 regulations. If the executive commissioner determines that it is
 in the best interest of the state to adopt the amended federal
 regulations, the amended regulations shall apply as required by
 this chapter.
 (c)  In making a determination under this section, the
 executive commissioner must consider, in addition to other factors
 affecting the public interest, the beneficial and adverse effects
 the amendments would have on:
 (1)  the lives of individuals in this state and their
 expectations of privacy; and
 (2)  governmental entities, institutions of higher
 education, state-owned teaching hospitals, private businesses, and
 commerce in this state.
 (d)  The executive commissioner shall prepare a report of the
 executive commissioner's determination made under this section and
 shall file the report with the presiding officer of each house of
 the legislature before the 30th day after the date the
 determination is made. The report must include an explanation of
 the reasons for the determination.
 SECTION 4.  Chapter 181, Health and Safety Code, is amended
 by adding Subchapter C to read as follows:
 SUBCHAPTER C. ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION
 Sec. 181.101.  COMMISSION RULES. The executive commissioner
 shall adopt rules consistent with the Health Insurance Portability
 and Accountability Act and Privacy Standards relating to sharing or
 exchanging protected health information.
 Sec. 181.102.  TRAINING REQUIRED. (a)  Each covered entity
 shall provide to employees of the entity a training program
 regarding state and federal law concerning protected health
 information.
 (b)  Each employee of a covered entity shall attend the
 training program required by this section not later than the 30th
 day after the date the employee is hired by the entity and shall
 attend supplemental training every two years or sooner, as required
 by executive commissioner rule, if there is a material change in the
 rules adopted by the executive commissioner under Section 181.101.
 (c)  Each covered entity shall require an employee of the
 entity who attends a training program required by this section to
 sign a statement verifying the employee's attendance at the
 training program. The covered entity shall file the statement in
 the employee's personnel file.
 Sec. 181.103.  NOTIFICATION AND ACCEPTANCE REQUIRED. Before
 a state agency electronically disseminates protected health
 information to another person or allows the other person to
 electronically access protected health information maintained by
 the agency:
 (1)  the state agency in writing must notify the other
 person of legal restrictions on the use and disclosure of the
 protected health information to be disseminated or accessed; and
 (2)  the person who receives notice from the state
 agency under Subdivision (1) in writing must acknowledge receipt,
 understanding, and acceptance of the restrictions on use and
 disclosure of the protected health information to be received or
 accessed.
 Sec. 181.104.  CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS.
 (a)  Not later than the fifth business day after the date a health
 care provider receives a request from a person for the person's
 electronic health record, the health care provider shall provide
 the record to the person in electronic form unless the person agrees
 to accept the record in another form.
 (b)  For purposes of Subsection (a), the executive
 commissioner, in consultation with the Department of State Health
 Services, the Texas Medical Board, and the Texas Department of
 Insurance, by rule shall designate a standard electronic format for
 the release of requested health records.
 Sec. 181.105.  CONSUMER INFORMATION WEBSITE. The attorney
 general shall maintain an Internet website that provides:
 (1)  information concerning a consumer's privacy rights
 regarding protected health information under federal and state law;
 (2)  a list of the state agencies, including the
 Department of State Health Services, the Texas Medical Board, and
 the Texas Department of Insurance, that regulate covered entities
 in this state and the types of entities each agency regulates;
 (3)  detailed information regarding each agency's
 complaint enforcement process; and
 (4)  contact information, including the address of the
 agency's Internet website, for each agency listed under Subdivision
 (2) for reporting a violation of this chapter.
 Sec. 181.106.  CONSUMER COMPLAINT REPORT BY ATTORNEY
 GENERAL.  (a)  The attorney general annually shall submit to the
 legislature a report describing:
 (1)  the number and types of complaints received by the
 attorney general and by the state agencies receiving consumer
 complaints under Section 181.105; and
 (2)  the enforcement action taken in response to each
 complaint reported under Subdivision (1).
 (b)  Each state agency that receives consumer complaints
 under Section 181.105 shall submit to the attorney general, in the
 form required by the attorney general, the information the attorney
 general requires to compile the report required by Subsection (a).
 (c)  The attorney general shall deidentify protected health
 information from the individual to whom the information pertains
 before including the information in the report required by
 Subsection (a).
 SECTION 5.  Subchapter D, Chapter 181, Health and Safety
 Code, is amended by adding Section 181.153 to read as follows:
 Sec. 181.153.  SALE OF PROTECTED HEALTH INFORMATION
 PROHIBITED. A covered entity may not disclose protected health
 information to any person in exchange for direct or indirect
 remuneration.
 SECTION 6.  Sections 181.201(b) and (c), Health and Safety
 Code, are amended to read as follows:
 (b)  In addition to the injunctive relief provided by
 Subsection (a), the attorney general may institute an action for
 civil penalties against a covered entity for a violation of this
 chapter. A civil penalty assessed under this section may not
 exceed:
 (1)  $5,000 [$3,000] for each violation committed
 negligently;
 (2)  $25,000 for each violation committed knowingly or
 intentionally; or
 (3)  $250,000 for each violation in which the covered
 entity knowingly or intentionally uses protected health
 information for financial gain.
 (c)  If the court in which an action under Subsection (b) is
 pending finds that the violations have occurred with a frequency as
 to constitute a pattern or practice, the court may assess a civil
 penalty in an amount the court finds necessary to deter future
 violations of this chapter [not to exceed $250,000].
 SECTION 7.  Section 521.053(b), Business & Commerce Code, is
 amended to read as follows:
 (b)  A person who conducts business in this state and owns or
 licenses computerized data that includes sensitive personal
 information shall disclose any breach of system security, after
 discovering or receiving notification of the breach, to any
 individual [resident of this state] whose sensitive personal
 information was, or is reasonably believed to have been, acquired
 by an unauthorized person.  The disclosure shall be made as quickly
 as possible, except as provided by Subsection (d) or as necessary to
 determine the scope of the breach and restore the reasonable
 integrity of the data system.
 SECTION 8.  Section 521.151, Business & Commerce Code, is
 amended by adding Subsection (a-1) to read as follows:
 (a-1)  In addition to penalties assessed under Subsection
 (a), a person who fails to take reasonable action to comply with
 Section 521.053(b) is liable to this state for a civil penalty of
 not more than $100 for each individual to whom notification is due
 under that subsection for each consecutive day that the person
 fails to take reasonable action to comply with that subsection.
 Civil penalties under this section may not exceed $250,000 for all
 individuals to whom notification is due after a single breach. The
 attorney general may bring an action to recover the civil penalties
 imposed under this subsection.
 SECTION 9.  Section 522.002(b), Business & Commerce Code, is
 amended to read as follows:
 (b)  An offense under this section is a Class B misdemeanor,
 except that the offense is a state jail felony if the information
 accessed, read, scanned, stored, or transferred was protected
 health information as defined by the Health Insurance Portability
 and Accountability Act and Privacy Standards, as defined by Section
 181.001, Health and Safety Code.
 SECTION 10.  Section 531.001, Government Code, is amended by
 adding Subdivision (4-a) to read as follows:
 (4-a)  "Protected health information" has the meaning
 assigned by the Health Insurance Portability and Accountability Act
 and Privacy Standards, as defined by Section 181.001, Health and
 Safety Code.
 SECTION 11.  Section 531.0315(a), Government Code, is
 amended to read as follows:
 (a)  Each health and human services agency and every other
 state agency that acts as a health care provider or a claims payer
 for the provision of health care shall[:
 [(1)]  process information related to health care in
 compliance with national data interchange standards adopted under
 Subtitle F, Title II, Health Insurance Portability and
 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and
 its subsequent amendments, within the applicable deadline
 established under federal law or federal regulations[; or
 [(2)     demonstrate to the commission the reasons the
 agency should not be required to comply with Subdivision (1), and
 obtain the commission's approval, to the extent allowed under
 federal law:
 [(A)     to comply with the standards at a later
 date; or
 [(B)     to not comply with one or more of the
 standards].
 SECTION 12.  Subchapter B, Chapter 531, Government Code, is
 amended by adding Section 531.0994 to read as follows:
 Sec. 531.0994.  STUDY; ANNUAL REPORT. (a)  The commission
 shall explore and evaluate new developments in safeguarding
 protected health information.
 (b)  Not later than December 1 each year, the commission
 shall report to the legislature on new developments in safeguarding
 protected health information and recommendations for the
 implementation of safeguards within the commission.
 SECTION 13.  Section 31.03(f), Penal Code, is amended to
 read as follows:
 (f)  An offense described for purposes of punishment by
 Subsections (e)(1)-(6) is increased to the next higher category of
 offense if it is shown on the trial of the offense that:
 (1)  the actor was a public servant at the time of the
 offense and the property appropriated came into the actor's
 custody, possession, or control by virtue of his status as a public
 servant;
 (2)  the actor was in a contractual relationship with
 government at the time of the offense and the property appropriated
 came into the actor's custody, possession, or control by virtue of
 the contractual relationship;
 (3)  the owner of the property appropriated was at the
 time of the offense:
 (A)  an elderly individual; or
 (B)  a nonprofit organization; [or]
 (4)  the actor was a Medicare provider in a contractual
 relationship with the federal government at the time of the offense
 and the property appropriated came into the actor's custody,
 possession, or control by virtue of the contractual relationship;
 or
 (5)  the property appropriated was a document
 containing protected health information, as that term is defined by
 the Health Insurance Portability and Accountability Act and Privacy
 Standards, as defined by Section 181.001, Health and Safety Code.
 SECTION 14.  Section 32.51(c-1), Penal Code, is amended to
 read as follows:
 (c-1)  An offense described for purposes of punishment by
 Subsections (c)(1)-(3) is increased to the next higher category of
 offense if it is shown on the trial of the offense that:
 (1)  the offense was committed against an elderly
 individual as defined by Section 22.04; or
 (2)  the information obtained, possessed, transferred,
 or used in the commission of the offense was protected health
 information, as that term is defined by the Health Insurance
 Portability and Accountability Act and Privacy Standards, as
 defined by Section 181.001, Health and Safety Code.
 SECTION 15.  Section 33.02(b), Penal Code, is amended to
 read as follows:
 (b)  An offense under this section is a Class B misdemeanor
 unless in committing the offense the actor:
 (1)  knowingly obtains a benefit, defrauds or harms
 another, or alters, damages, or deletes property, in which event
 the offense is:
 (A) [(1)]  a Class A misdemeanor if the aggregate
 amount involved is less than $1,500;
 (B) [(2)]  a state jail felony if:
 (i) [(A)]  the aggregate amount involved is
 $1,500 or more but less than $20,000; or
 (ii) [(B)]  the aggregate amount involved is
 less than $1,500 and the defendant has been previously convicted
 two or more times of an offense under this chapter;
 (C) [(3)]  a felony of the third degree if the
 aggregate amount involved is $20,000 or more but less than
 $100,000;
 (D) [(4)]  a felony of the second degree if the
 aggregate amount involved is $100,000 or more but less than
 $200,000; or
 (E) [(5)]  a felony of the first degree if the
 aggregate amount involved is $200,000 or more; or
 (2)  accesses protected health information, as that
 term is defined by the Health Insurance Portability and
 Accountability Act and Privacy Standards, as defined by Section
 181.001, Health and Safety Code, in which event the offense is a
 state jail felony.
 SECTION 16.  Section 35A.02, Penal Code, is amended by
 adding Subsections (b-1) and (b-2) to read as follows:
 (b-1)  Except as provided by Subsection (b-2), the
 punishment prescribed for an offense under this section is
 increased to the punishment prescribed for the next highest
 category of offense if it is shown on the trial of the offense that
 protected health information, as that term is defined by the Health
 Insurance Portability and Accountability Act and Privacy
 Standards, as defined by Section 181.001, Health and Safety Code,
 was used in the commission of the offense.
 (b-2)  The punishment for an offense described by this
 section may not be increased under Subsection (b-1) if the offense
 is punishable as a felony of the first degree.
 SECTION 17.  Section 531.0315(b), Government Code, is
 repealed.
 SECTION 18.  Not later than January 1, 2012, the executive
 commissioner of the Health and Human Services Commission shall
 adopt rules as required by Section 181.101, Health and Safety Code,
 as added by this Act.
 SECTION 19.  (a)  Not later than January 1, 2012, the
 attorney general shall establish the Internet website required by
 Section 181.105, Health and Safety Code, as added by this Act.
 (b)  Not later than December 1, 2012, the attorney general
 shall submit the initial report required by Section 181.106, Health
 and Safety Code, as added by this Act.
 SECTION 20.  Not later than December 1, 2012, the Health and
 Human Services Commission shall submit the initial report required
 by Section 531.0994, Government Code, as added by this Act.
 SECTION 21.  The changes in law made by Section 181.201,
 Health and Safety Code, as amended by this Act, Section 521.053(b),
 Business & Commerce Code, as amended by this Act, and Section
 521.151(a-1), Business & Commerce Code, as added by this Act, apply
 only to conduct that occurs on or after the effective date of this
 Act. Conduct that occurs before the effective date of this Act is
 governed by the law in effect at the time the conduct occurred, and
 the former law is continued in effect for that purpose.
 SECTION 22.  The changes in law made by Section 522.002,
 Business & Commerce Code, and Sections 31.03, 32.51, and 33.02,
 Penal Code, as amended by this Act, and Sections 35A.02(b-1) and
 (b-2), Penal Code, as added by this Act, apply only to an offense
 committed on or after the effective date of this Act. An offense
 committed before the effective date of this Act is governed by the
 law in effect at the time the offense was committed, and the former
 law is continued in effect for that purpose. For purposes of this
 section, an offense was committed before the effective date of this
 Act if any element of the offense was committed before that date.
 SECTION 23.  This Act takes effect September 1, 2011.