| 1 | 1 | | 85R5920 JG-F |
|---|
| 2 | 2 | | By: Kolkhorst S.B. No. 1574 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to the electronic sharing of protected health information |
|---|
| 8 | 8 | | and certification of and enforcement actions against certain |
|---|
| 9 | 9 | | covered entities. |
|---|
| 10 | 10 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 11 | 11 | | SECTION 1. Section 181.201(d), Health and Safety Code, is |
|---|
| 12 | 12 | | amended to read as follows: |
|---|
| 13 | 13 | | (d) In determining the amount of a penalty imposed under |
|---|
| 14 | 14 | | Subsection (b), the court shall consider: |
|---|
| 15 | 15 | | (1) the seriousness of the violation, including the |
|---|
| 16 | 16 | | nature, circumstances, extent, and gravity of the disclosure; |
|---|
| 17 | 17 | | (2) the covered entity's compliance history; |
|---|
| 18 | 18 | | (3) whether the violation poses a significant risk of |
|---|
| 19 | 19 | | financial, reputational, or other harm to an individual whose |
|---|
| 20 | 20 | | protected health information is involved in the violation; |
|---|
| 21 | 21 | | (4) [whether the covered entity was certified at the |
|---|
| 22 | 22 | | time of the violation as described by Section 182.108; |
|---|
| 23 | 23 | | [(5)] the amount necessary to deter a future |
|---|
| 24 | 24 | | violation; and |
|---|
| 25 | 25 | | (5) [(6)] the covered entity's efforts to correct the |
|---|
| 26 | 26 | | violation. |
|---|
| 27 | 27 | | SECTION 2. Section 181.205(b), Health and Safety Code, is |
|---|
| 28 | 28 | | amended to read as follows: |
|---|
| 29 | 29 | | (b) In determining the amount of a penalty imposed under |
|---|
| 30 | 30 | | other law in accordance with Section 181.202, a court or state |
|---|
| 31 | 31 | | agency shall consider the following factors: |
|---|
| 32 | 32 | | (1) the seriousness of the violation, including the |
|---|
| 33 | 33 | | nature, circumstances, extent, and gravity of the disclosure; |
|---|
| 34 | 34 | | (2) the covered entity's compliance history; |
|---|
| 35 | 35 | | (3) whether the violation poses a significant risk of |
|---|
| 36 | 36 | | financial, reputational, or other harm to an individual whose |
|---|
| 37 | 37 | | protected health information is involved in the violation; |
|---|
| 38 | 38 | | (4) [whether the covered entity was certified at the |
|---|
| 39 | 39 | | time of the violation as described by Section 182.108; |
|---|
| 40 | 40 | | [(5)] the amount necessary to deter a future |
|---|
| 41 | 41 | | violation; and |
|---|
| 42 | 42 | | (5) [(6)] the covered entity's efforts to correct the |
|---|
| 43 | 43 | | violation. |
|---|
| 44 | 44 | | SECTION 3. Subchapter E, Chapter 181, Health and Safety |
|---|
| 45 | 45 | | Code, is amended by adding Section 181.208 to read as follows: |
|---|
| 46 | 46 | | Sec. 181.208. ENFORCEMENT AGAINST CERTAIN COVERED |
|---|
| 47 | 47 | | ENTITIES. Notwithstanding Sections 181.201 and 181.202, the |
|---|
| 48 | 48 | | attorney general may not bring an action for civil penalties under |
|---|
| 49 | 49 | | Section 181.201 and a licensing agency may not conduct a |
|---|
| 50 | 50 | | disciplinary proceeding under Section 181.202 against a covered |
|---|
| 51 | 51 | | entity that holds a certification described by Section 182.108 at |
|---|
| 52 | 52 | | the time of the violation unless the violation is a result of the |
|---|
| 53 | 53 | | covered entity's gross negligence or intentional conduct. |
|---|
| 54 | 54 | | SECTION 4. Section 182.108, Health and Safety Code, is |
|---|
| 55 | 55 | | amended by adding Subsection (b-1) and amending Subsections (c) and |
|---|
| 56 | 56 | | (d) to read as follows: |
|---|
| 57 | 57 | | (b-1) The executive commissioner by rule may develop and the |
|---|
| 58 | 58 | | commission may implement a system to offer to a covered entity that |
|---|
| 59 | 59 | | contracts with the commission incentives to obtain a certification |
|---|
| 60 | 60 | | under this section. This subsection does not apply to a covered |
|---|
| 61 | 61 | | entity that is also a health care provider as defined by Section |
|---|
| 62 | 62 | | 74A.001, Civil Practice and Remedies Code. |
|---|
| 63 | 63 | | (c) Standards adopted under Subsection (b) must be designed |
|---|
| 64 | 64 | | to: |
|---|
| 65 | 65 | | (1) comply with the Health Insurance Portability and |
|---|
| 66 | 66 | | Accountability Act and Privacy Standards and Chapter 181; |
|---|
| 67 | 67 | | (2) comply with any other state and federal law |
|---|
| 68 | 68 | | relating to the security and confidentiality of information |
|---|
| 69 | 69 | | electronically maintained or disclosed by a covered entity; |
|---|
| 70 | 70 | | (3) ensure the secure maintenance and disclosure of |
|---|
| 71 | 71 | | personally identifiable health information; |
|---|
| 72 | 72 | | (4) include strategies and procedures for disclosing |
|---|
| 73 | 73 | | personally identifiable health information; [and] |
|---|
| 74 | 74 | | (5) support a level of system interoperability with |
|---|
| 75 | 75 | | existing health record databases in this state that is consistent |
|---|
| 76 | 76 | | with emerging standards; and |
|---|
| 77 | 77 | | (6) ensure compliance with relevant industry |
|---|
| 78 | 78 | | standards relating to security of Internet websites and electronic |
|---|
| 79 | 79 | | information. |
|---|
| 80 | 80 | | (d) The corporation shall establish a process by which a |
|---|
| 81 | 81 | | covered entity may apply for privacy, security, or privacy and |
|---|
| 82 | 82 | | security certification by the corporation for the [of a] covered |
|---|
| 83 | 83 | | entity's past compliance with standards adopted under Subsection |
|---|
| 84 | 84 | | (b). |
|---|
| 85 | 85 | | SECTION 5. Sections 182.108(h), (i), (j), (l), and (m), |
|---|
| 86 | 86 | | Health and Safety Code, as effective September 1, 2021, are amended |
|---|
| 87 | 87 | | to read as follows: |
|---|
| 88 | 88 | | (h) In amending standards under Subsection (g), the |
|---|
| 89 | 89 | | commission shall seek the assistance of an [a private nonprofit] |
|---|
| 90 | 90 | | organization with relevant knowledge and experience in health care |
|---|
| 91 | 91 | | privacy and security certification [establishing statewide health |
|---|
| 92 | 92 | | information exchange capabilities]. |
|---|
| 93 | 93 | | (i) Standards amended under Subsection (g) must be designed |
|---|
| 94 | 94 | | to: |
|---|
| 95 | 95 | | (1) comply with the Health Insurance Portability and |
|---|
| 96 | 96 | | Accountability Act and Privacy Standards and Chapter 181; |
|---|
| 97 | 97 | | (2) comply with any other state and federal law |
|---|
| 98 | 98 | | relating to the security and confidentiality of information |
|---|
| 99 | 99 | | electronically maintained or disclosed by a covered entity; |
|---|
| 100 | 100 | | (3) ensure the secure maintenance and disclosure of |
|---|
| 101 | 101 | | individually identifiable health information; |
|---|
| 102 | 102 | | (4) include strategies and procedures for disclosing |
|---|
| 103 | 103 | | individually identifiable health information; [and] |
|---|
| 104 | 104 | | (5) support a level of system interoperability with |
|---|
| 105 | 105 | | existing health record databases in this state that is consistent |
|---|
| 106 | 106 | | with emerging standards; and |
|---|
| 107 | 107 | | (6) ensure compliance with relevant industry |
|---|
| 108 | 108 | | standards relating to security of Internet websites and electronic |
|---|
| 109 | 109 | | information. |
|---|
| 110 | 110 | | (j) The commission shall designate an [a private nonprofit] |
|---|
| 111 | 111 | | organization with relevant knowledge and experience in health care |
|---|
| 112 | 112 | | privacy and security certification [establishing statewide health |
|---|
| 113 | 113 | | information exchange capabilities] to establish a process by which |
|---|
| 114 | 114 | | a covered entity may apply for privacy, security, or privacy and |
|---|
| 115 | 115 | | security certification by the designated [private nonprofit] |
|---|
| 116 | 116 | | organization for the [of a] covered entity's past compliance with |
|---|
| 117 | 117 | | standards adopted under this section. If an [a private nonprofit] |
|---|
| 118 | 118 | | organization with relevant knowledge and experience in health care |
|---|
| 119 | 119 | | privacy and security certification [establishing statewide health |
|---|
| 120 | 120 | | information exchange capabilities] does not exist, the commission |
|---|
| 121 | 121 | | shall [either: |
|---|
| 122 | 122 | | [(1)] establish the process described by this |
|---|
| 123 | 123 | | subsection[; or |
|---|
| 124 | 124 | | [(2) designate another entity with relevant knowledge |
|---|
| 125 | 125 | | to establish the process described by this subsection]. |
|---|
| 126 | 126 | | (l) The commission shall ensure that any fee charged for the |
|---|
| 127 | 127 | | certification process described in Subsection (j) by the [private |
|---|
| 128 | 128 | | nonprofit] organization [or entity] designated under that |
|---|
| 129 | 129 | | subsection, including a person acting on behalf of a designated |
|---|
| 130 | 130 | | organization [or entity], is reasonable. If the commission |
|---|
| 131 | 131 | | establishes the process as described by Subsection (j) [(j)(1)], |
|---|
| 132 | 132 | | the commission shall set a reasonable fee for the certification |
|---|
| 133 | 133 | | process. |
|---|
| 134 | 134 | | (m) For good cause, the commission may revoke the |
|---|
| 135 | 135 | | designation or authority of an [a private nonprofit] organization |
|---|
| 136 | 136 | | [or entity] to establish the process or offer certifications under |
|---|
| 137 | 137 | | Subsection (j). |
|---|
| 138 | 138 | | SECTION 6. The changes in law made by this Act apply only to |
|---|
| 139 | 139 | | a violation that occurs on or after the effective date of this Act. |
|---|
| 140 | 140 | | A violation that occurs before the effective date of this Act is |
|---|
| 141 | 141 | | governed by the law applicable to the violation immediately before |
|---|
| 142 | 142 | | the effective date of this Act, and that law is continued in effect |
|---|
| 143 | 143 | | for that purpose. |
|---|
| 144 | 144 | | SECTION 7. This Act takes effect immediately if it receives |
|---|
| 145 | 145 | | a vote of two-thirds of all the members elected to each house, as |
|---|
| 146 | 146 | | provided by Section 39, Article III, Texas Constitution. If this |
|---|
| 147 | 147 | | Act does not receive the vote necessary for immediate effect, this |
|---|
| 148 | 148 | | Act takes effect September 1, 2017. |
|---|