85R5920 JG-F
By: Kolkhorst S.B. No. 1574

A BILL TO BE ENTITLED
AN ACT
relating to the electronic sharing of protected health information and certification of and enforcement actions against certain covered entities.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 181.201(d), Health and Safety Code, is amended to read as follows:
(d) In determining the amount of a penalty imposed under Subsection (b), the court shall consider:
(1) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;
(4) [whether the covered entity was certified at the time of the violation as described by Section 182.108;
[(5)] the amount necessary to deter a future violation; and
(5) [(6)] the covered entity's efforts to correct the violation.

SECTION 2. Section 181.205(b), Health and Safety Code, is amended to read as follows:
(b) In determining the amount of a penalty imposed under other law in accordance with Section 181.202, a court or state agency shall consider the following factors:
(1) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;
(4) [whether the covered entity was certified at the time of the violation as described by Section 182.108;
[(5)] the amount necessary to deter a future violation; and
(5) [(6)] the covered entity's efforts to correct the violation.

SECTION 3. Subchapter E, Chapter 181, Health and Safety Code, is amended by adding Section 181.208 to read as follows:
Sec. 181.208. ENFORCEMENT AGAINST CERTAIN COVERED ENTITIES. Notwithstanding Sections 181.201 and 181.202, the attorney general may not bring an action for civil penalties under Section 181.201 and a licensing agency may not conduct a disciplinary proceeding under Section 181.202 against a covered entity that holds a certification described by Section 182.108 at the time of the violation unless the violation is a result of the covered entity's gross negligence or intentional conduct.

SECTION 4. Section 182.108, Health and Safety Code, is amended by adding Subsection (b-1) and amending Subsections (c) and (d) to read as follows:
(b-1) The executive commissioner by rule may develop and the commission may implement a system to offer to a covered entity that contracts with the commission incentives to obtain a certification under this section. This subsection does not apply to a covered entity that is also a health care provider as defined by Section 74A.001, Civil Practice and Remedies Code.
(c) Standards adopted under Subsection (b) must be designed to:
(1) comply with the Health Insurance Portability and Accountability Act and Privacy Standards and Chapter 181;
(2) comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity;
(3) ensure the secure maintenance and disclosure of personally identifiable health information;
(4) include strategies and procedures for disclosing personally identifiable health information; [and]
(5) support a level of system interoperability with existing health record databases in this state that is consistent with emerging standards; and
(6) ensure compliance with relevant industry standards relating to security of Internet websites and electronic information.
(d) The corporation shall establish a process by which a covered entity may apply for privacy, security, or privacy and security certification by the corporation for the [of a] covered entity's past compliance with standards adopted under Subsection (b).

SECTION 5. Sections 182.108(h), (i), (j), (l), and (m), Health and Safety Code, as effective September 1, 2021, are amended to read as follows:
(h) In amending standards under Subsection (g), the commission shall seek the assistance of an [a private nonprofit] organization with relevant knowledge and experience in health care privacy and security certification [establishing statewide health information exchange capabilities].
(i) Standards amended under Subsection (g) must be designed to:
(1) comply with the Health Insurance Portability and Accountability Act and Privacy Standards and Chapter 181;
(2) comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity;
(3) ensure the secure maintenance and disclosure of individually identifiable health information;
(4) include strategies and procedures for disclosing individually identifiable health information; [and]
(5) support a level of system interoperability with existing health record databases in this state that is consistent with emerging standards; and
(6) ensure compliance with relevant industry standards relating to security of Internet websites and electronic information.
(j) The commission shall designate an [a private nonprofit] organization with relevant knowledge and experience in health care privacy and security certification [establishing statewide health information exchange capabilities] to establish a process by which a covered entity may apply for privacy, security, or privacy and security certification by the designated [private nonprofit] organization for the [of a] covered entity's past compliance with standards adopted under this section. If an [a private nonprofit] organization with relevant knowledge and experience in health care privacy and security certification [establishing statewide health information exchange capabilities] does not exist, the commission shall [either:
[(1)] establish the process described by this subsection[; or
[(2) designate another entity with relevant knowledge to establish the process described by this subsection].
(l) The commission shall ensure that any fee charged for the certification process described in Subsection (j) by the [private nonprofit] organization [or entity] designated under that subsection, including a person acting on behalf of a designated organization [or entity], is reasonable. If the commission establishes the process as described by Subsection (j) [(j)(1)], the commission shall set a reasonable fee for the certification process.
(m) For good cause, the commission may revoke the designation or authority of an [a private nonprofit] organization [or entity] to establish the process or offer certifications under Subsection (j).

SECTION 6. The changes in law made by this Act apply only to a violation that occurs on or after the effective date of this Act. A violation that occurs before the effective date of this Act is governed by the law applicable to the violation immediately before the effective date of this Act, and that law is continued in effect for that purpose.

SECTION 7. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2017.