Texas 2011 - 82nd Regular

Texas Senate Bill SB622 Compare Versions

82R29891 SJM-D
By: Nelson S.B. No. 622
(Kolkhorst, Naishtat, Truitt)
Substitute the following for S.B. No. 622: No.
A BILL TO BE ENTITLED
AN ACT
relating to the privacy of protected health information; providing
administrative and civil penalties.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 181.001(b), Health and Safety Code, is
amended by amending Subdivisions (1) and (3) and adding
Subdivisions (2-a) and (2-b) to read as follows:
(1) "Commission" ["Commissioner"] means the Health
and Human Services Commission [commissioner of health and human
services].
(2-a) "Disclose" means to release, transfer, provide
access to, or otherwise divulge information outside the entity
holding the information.
(2-b) "Executive commissioner" means the executive
commissioner of the Health and Human Services Commission.
(3) "Health Insurance Portability and Accountability
Act and Privacy Standards" means the privacy requirements in
existence on September 1, 2011 [August 14, 2002], of the
Administrative Simplification subtitle of the Health Insurance
Portability and Accountability Act of 1996 (Pub. L. No. 104-191)
contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A
and E.
SECTION 2. Subchapter A, Chapter 181, Health and Safety
Code, is amended by adding Section 181.004 to read as follows:
Sec. 181.004. APPLICABILITY OF STATE AND FEDERAL LAW. (a)
A covered entity, as that term is defined by 45 C.F.R. Section
160.103, shall comply with the Health Insurance Portability and
Accountability Act and Privacy Standards.
(b) Subject to Section 181.051, a covered entity, as that
term is defined by Section 181.001, shall comply with this chapter.
SECTION 3. Section 181.005, Health and Safety Code, is
amended to read as follows:
Sec. 181.005. DUTIES OF THE EXECUTIVE COMMISSIONER. (a)
The executive commissioner shall administer this chapter and may
adopt rules consistent with the Health Insurance Portability and
Accountability Act and Privacy Standards to administer this
chapter.
(b) The executive commissioner shall review amendments to
the definitions in 45 C.F.R. Parts 160 and 164 that occur after
September 1, 2011 [August 14, 2002], and determine whether it is in
the best interest of the state to adopt the amended federal
regulations. If the executive commissioner determines that it is
in the best interest of the state to adopt the amended federal
regulations, the amended regulations shall apply as required by
this chapter.
(c) In making a determination under this section, the
executive commissioner must consider, in addition to other factors
affecting the public interest, the beneficial and adverse effects
the amendments would have on:
(1) the lives of individuals in this state and their
expectations of privacy; and
(2) governmental entities, institutions of higher
education, state-owned teaching hospitals, private businesses, and
commerce in this state.
(d) The executive commissioner shall prepare a report of the
executive commissioner's determination made under this section and
shall file the report with the presiding officer of each house of
the legislature before the 30th day after the date the
determination is made. The report must include an explanation of
the reasons for the determination.
SECTION 4. Subchapter D, Chapter 181, Health and Safety
Code, is amended by adding Sections 181.153 and 181.154 to read as
follows:
Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION
PROHIBITED; EXCEPTIONS. (a) A covered entity may not disclose an
individual's protected health information to any other person in
exchange for direct or indirect remuneration, except that a covered
entity may disclose an individual's protected health information:
(1) to another covered entity, as that term is defined
by Section 181.001, or to a covered entity, as that term is defined
by Section 602.001, Insurance Code, for the purpose of:
(A) treatment;
(B) payment;
(C) health care operations; or
(D) performing an insurance or health
maintenance organization function described by Section 602.053,
Insurance Code; or
(2) as otherwise authorized or required by state or
federal law.
(b) The direct or indirect remuneration a covered entity
receives for making a disclosure of protected health information
authorized by Subsection (a)(1)(D) may not exceed the covered
entity's reasonable costs of preparing or transmitting the
protected health information.
Sec. 181.154. NOTICE AND AUTHORIZATION REQUIRED FOR
ELECTRONIC DISCLOSURE OF PROTECTED HEALTH INFORMATION; EXCEPTIONS.
(a) A covered entity shall provide notice to an individual for whom
the covered entity creates or receives protected health information
if the individual's protected health information is subject to
electronic disclosure. A covered entity may provide general notice
by:
(1) posting a written notice in the covered entity's
place of business;
(2) posting a notice on the covered entity's Internet
website; or
(3) posting a notice in any other place where
individuals whose protected health information is subject to
electronic disclosure are likely to see the notice.
(b) Except as provided by Subsection (c), a covered entity
may not electronically disclose an individual's protected health
information to any person without a separate authorization from the
individual or the individual's legally authorized representative
for each disclosure. An authorization for disclosure under this
subsection may be made in written or electronic form or in oral form
if it is documented in writing by the covered entity.
(c) The authorization for electronic disclosure of
protected health information described by Subsection (b) is not
required if the disclosure is made:
(1) to another covered entity, as that term is defined
by Section 181.001, or to a covered entity, as that term is defined
by Section 602.001, Insurance Code, for the purpose of:
(A) treatment;
(B) payment;
(C) health care operations; or
(D) performance of an insurance or health
maintenance organization function described by Section 602.053,
Insurance Code; or
(2) as authorized or required by state or federal law.
(d) The attorney general by rule shall adopt a standard
authorization form for use in complying with this section. The form
must comply with the Health Insurance Portability and
Accountability Act and Privacy Standards and this chapter.
(e) This section does not apply to a covered entity, as
defined by Section 602.001, Insurance Code, if that entity is not a
covered entity as defined by 45 C.F.R. Section 160.103.
SECTION 5. Section 181.201, Health and Safety Code, is
amended by amending Subsections (b) and (c) and adding Subsections
(d), (e), and (f) to read as follows:
(b) In addition to the injunctive relief provided by
Subsection (a), the attorney general may institute an action for
civil penalties against a covered entity for a violation of this
chapter. A civil penalty assessed under this section may not exceed
$3,000 for each violation. The total amount of a penalty assessed
against a covered entity under this section in relation to a
violation or violations of Section 181.154 may not exceed $250,000
if the court finds that:
(1) the disclosure was made only to another covered
entity and only for a purpose described by Section 181.154(c);
(2) the protected health information disclosed was
encrypted or transmitted using encryption technology designed to
protect against improper disclosure;
(3) the recipient of the protected health information
did not use or release the protected health information; and
(4) at the time of the disclosure of the protected
health information, the covered entity had developed, implemented,
and maintained security policies, including the education and
training of employees responsible for the security of protected
health information.
(c) If the court in which an action under Subsection (b) is
pending finds that the violations have occurred with a frequency as
to constitute a pattern or practice, the court may assess a civil
penalty not to exceed $1.5 million annually [$250,000].
(d) In determining the amount of a penalty imposed under
Subsection (b), the court shall consider:
(1) the seriousness of the violation, including the
nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of
financial, reputational, or other harm to an individual whose
protected health information is involved in the violation;
(4) whether the covered entity was certified at the
time of the violation as described by Section 182.108;
(5) the amount necessary to deter a future violation;
and
(6) the covered entity's efforts to correct the
violation.
(e) The attorney general may institute an action against a
covered entity that is licensed by a licensing agency of this state
for a civil penalty under this section only if the licensing agency
refers the violation to the attorney general under Section
181.202(2).
(f) The office of the attorney general may retain a
reasonable portion of a civil penalty recovered under this section,
not to exceed amounts specified in the General Appropriations Act,
for the enforcement of this subchapter.
SECTION 6. Section 181.202, Health and Safety Code, is
amended to read as follows:
Sec. 181.202. DISCIPLINARY ACTION. In addition to the
penalties prescribed by this chapter, a violation of this chapter
by a covered entity [an individual or facility] that is licensed by
an agency of this state is subject to investigation and
disciplinary proceedings, including probation or suspension by the
licensing agency. If there is evidence that the violations of this
chapter are egregious and constitute a pattern or practice, the
agency may:
(1) revoke the covered entity's [individual's or
facility's] license; or
(2) refer the covered entity's case to the attorney
general for the institution of an action for civil penalties under
Section 181.201(b).
SECTION 7. Subchapter E, Chapter 181, Health and Safety
Code, is amended by adding Section 181.204 to read as follows:
Sec. 181.204. ADMINISTRATIVE PENALTY. (a) The executive
commissioner may impose an administrative penalty on a covered
entity that is not licensed by a licensing agency of this state and
that violates this chapter or a rule adopted under this chapter.
(b) The amount of the penalty may not exceed $3,000 for each
violation, and each day a violation continues or occurs is a
separate violation for the purpose of imposing a penalty. The total
amount of the penalties for all violations that occur in a year may
not exceed $1.5 million. The amount shall be based on:
(1) the seriousness of the violation, including the
nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of
financial, reputational, or other harm to an individual whose
protected health information is involved in the violation;
(4) whether the covered entity was certified at the
time of the violation as described by Section 182.108;
(5) the amount necessary to deter a future violation;
and
(6) the covered entity's efforts to correct the
violation.
(c) The enforcement of the penalty may be stayed during the
time the order is under judicial review if the covered entity pays
the penalty to the clerk of the court or files a supersedeas bond
with the court in the amount of the penalty. A covered entity that
cannot afford to pay the penalty or file the bond may stay the
enforcement by filing an affidavit in the manner required by the
Texas Rules of Civil Procedure for a party who cannot afford to file
security for costs, subject to the right of the executive
commissioner to contest the affidavit as provided by those rules.
(d) The attorney general may sue to collect the penalty.
(e) A proceeding to impose the penalty is a contested case
under Chapter 2001, Government Code.
SECTION 8. Section 181.205, Health and Safety Code, is
amended by amending Subsection (b) and adding Subsection (c) to
read as follows:
(b) In determining the amount of a penalty imposed under
other law in accordance with Section 181.202, a court or state
agency shall consider the following factors:
(1) the seriousness of the violation, including the
nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of
financial, reputational, or other harm to an individual whose
protected health information is involved in the violation;
(4) whether the covered entity was certified at the
time of the violation as described by Section 182.108;
(5) the amount necessary to deter a future violation;
and
(6) the covered entity's efforts to correct the
violation.
(c) On receipt of evidence under Subsections [Subsection]
(a) and (b), a court or state agency shall consider the evidence and
mitigate imposition of an administrative penalty or assessment of a
civil penalty accordingly.
SECTION 9. Subchapter E, Chapter 181, Health and Safety
Code, is amended by adding Sections 181.206, 181.207, 181.208,
181.209, and 181.210 to read as follows:
Sec. 181.206. RULES. The attorney general may adopt rules
as necessary to enforce this chapter.
Sec. 181.207. AUDITS OF COVERED ENTITIES. (a) The
commission, in coordination with the attorney general, the Texas
Health Services Authority, and the Texas Department of Insurance:
(1) may request that the United States secretary of
health and human services conduct an audit of a covered entity in
this state to determine compliance with the Health Insurance
Portability and Accountability Act and Privacy Standards; and
(2) shall periodically monitor and review the results
of audits of covered entities in this state conducted by the United
States secretary of health and human services.
(b) If the commission has evidence that a covered entity has
committed violations of this chapter that are egregious and
constitute a pattern or practice, the commission may:
(1) require the covered entity to submit to the
commission the results of a risk analysis conducted by the covered
entity as described by 45 C.F.R. Section 164.308(a)(1)(ii)(A); or
(2) if the covered entity is licensed by a licensing
agency of this state, request that the licensing agency conduct an
audit of the covered entity's system to determine compliance with
the provisions of this chapter.
Sec. 181.208. REVIEW OF COMPLAINT BY COMMISSION. (a) The
commission shall review a complaint received from an individual or
an individual's legally authorized representative alleging that a
covered entity violated this chapter with respect to the
individual's protected health information.
(b) The commission shall refer a complaint reviewed under
Subsection (a) to the appropriate licensing agency or the attorney
general, as applicable.
Sec. 181.209. AUDIT AND COMPLAINT REPORT BY COMMISSION.
(a) The commission annually shall submit to the appropriate
standing committees of the senate and the house of representatives
a report that includes:
(1) the number and types of complaints received by the
commission regarding violations of this chapter;
(2) enforcement action taken by the commission, a
licensing agency, or the office of the attorney general under this
chapter; and
(3) the number of federal audits of covered entities
in this state conducted and the number of audits required under
Section 181.207(b).
(b) The commission and the Texas Health Services Authority
shall each publish the report required by Subsection (a) on the
agency's Internet website.
Sec. 181.210. FUNDING. The commission and the Texas
Department of Insurance, in consultation with the Texas Health
Services Authority, shall apply for and actively pursue available
federal funding for enforcement of this chapter.
SECTION 10. Section 182.002, Health and Safety Code, is
amended by adding Subdivisions (2-a), (3-a), and (3-b) to read as
follows:
(2-a) "Covered entity" has the meaning assigned by
Section 181.001.
(3-a) "Disclose" has the meaning assigned by Section
181.001.
(3-b) "Health Insurance Portability and
Accountability Act and Privacy Standards" has the meaning assigned
by Section 181.001.
SECTION 11. Subchapter C, Chapter 182, Health and Safety
Code, is amended by adding Section 182.108 to read as follows:
Sec. 182.108. STANDARDS FOR ELECTRONIC SHARING OF PROTECTED
HEALTH INFORMATION; COVERED ENTITY CERTIFICATION. (a) The
corporation shall develop and submit to the commission for
ratification privacy and security standards for the electronic
sharing of protected health information.
(b) The commission shall review and by rule adopt acceptable
standards submitted for ratification under Subsection (a).
(c) Standards adopted under Subsection (b) must be designed
to:
(1) comply with the Health Insurance Portability and
Accountability Act and Privacy Standards and Chapter 181;
(2) comply with any other state and federal law
relating to the security and confidentiality of information
electronically maintained or disclosed by a covered entity;
(3) ensure the secure maintenance and disclosure of
personally identifiable health information;
(4) include strategies and procedures for disclosing
personally identifiable health information; and
(5) support a level of system interoperability with
existing health record databases in this state that is consistent
with emerging standards.
(d) The corporation shall establish a process by which a
covered entity may apply for certification by the corporation of a
covered entity's past compliance with standards adopted under
Subsection (b).
(e) The corporation shall publish the standards adopted
under Subsection (b) on the corporation's Internet website.
SECTION 12. Subchapter B, Chapter 602, Insurance Code, is
amended by adding Section 602.054 to read as follows:
Sec. 602.054. COMPLIANCE WITH OTHER LAW. A covered entity
shall comply with:
(1) Subchapter D, Chapter 181, Health and Safety Code,
except as otherwise provided by that subchapter; and
(2) the standards adopted under Section 182.108,
Health and Safety Code.
SECTION 13. (a) In this section, "unsustainable covered
entity" means a covered entity, as defined by Section 181.001,
Health and Safety Code, that ceases to operate.
(b) The Health and Human Services Commission, in
consultation with the Texas Health Services Authority and the Texas
Medical Board, shall review issues regarding the security and
accessibility of protected health information maintained by an
unsustainable covered entity.
(c) Not later than December 1, 2012, the Health and Human
Services Commission shall submit to the appropriate standing
committees of the senate and the house of representatives
recommendations for:
(1) the state agency to which the protected health
information maintained by an unsustainable covered entity should be
transferred for storage;
(2) ensuring the security of protected health
information maintained by unsustainable covered entities in this
state, including secure transfer methods from the covered entity to
the state;
(3) the method and period of time for which protected
health information should be maintained by the state after transfer
from an unsustainable covered entity;
(4) methods and processes by which an individual
should be able to access the individual's protected health
information after transfer to the state; and
(5) funding for the storage of protected health
information after transfer to the state.
(d) This section expires January 1, 2013.
SECTION 14. (a) A task force on health information
technology is created.
(b) The task force is composed of:
(1) 11 members appointed by the attorney general with
the advice of the chairs of the standing committees of the senate
and house of representatives having primary jurisdiction over
health information technology issues, including:
(A) at least two physicians;
(B) at least two individuals who represent
hospitals; and
(C) at least one private citizen who represents
patient and parental rights; and
(2) the following ex officio members:
(A) the executive commissioner of the Health and
Human Services Commission or an employee of the commission
designated by the executive commissioner;
(B) the commissioner of the Department of State
Health Services or an employee of the department designated by the
commissioner; and
(C) the presiding officer of the Texas Health
Services Authority or an employee of the authority designated by
the presiding officer.
(c) Not later than December 1, 2012, the attorney general
shall appoint the members of the task force and appoint a chair of
the task force from among its membership. The chair of the task
force must have expertise in:
(1) state and federal health information privacy law;
(2) patient rights; and
(3) electronic signatures and other consent tools.
(d) The task force shall develop recommendations regarding:
(1) the improvement of informed consent protocols for
the electronic exchange of protected health information, as that
term is defined by the Health Insurance Portability and
Accountability Act and Privacy Standards, as defined by Section
181.001, Health and Safety Code, as amended by this Act;
(2) the improvement of patient access to and use of
electronically maintained and disclosed protected health
information for the purpose of personal health and coordination of
health care services; and
(3) any other critical issues, as determined by the
task force, related to the exchange of protected health
information.
(e) Not later than January 1, 2014, the task force shall
submit to the standing committees of the senate and house of
representatives having primary jurisdiction over health
information technology issues and the Texas Health Services
Authority a report including the task force's recommendations under
Subsection (d).
(f) The Texas Health Services Authority shall publish the
report submitted under Subsection (e) on the authority's Internet
website.
(g) This section expires February 1, 2014.
SECTION 15. Not later than January 1, 2013:
(1) the attorney general shall adopt the form required
by Section 181.154, Health and Safety Code, as added by this Act;
and
(2) the Health and Human Services Commission shall
adopt the standards required by Section 182.108, Health and Safety
Code, as added by this Act.
SECTION 16. The change in law made by Section 181.154,
Health and Safety Code, as added by this Act, applies only to an
electronic disclosure of protected health information made on or
after the effective date of this Act. An electronic disclosure of
protected health information made before the effective date of this
Act is governed by the law in effect at the time the disclosure was
made, and the former law is continued in effect for that purpose.
SECTION 17. This Act takes effect September 1, 2012.