BILL ANALYSIS H.B. 4224 By: Hull Public Health Committee Report (Unamended) BACKGROUND AND PURPOSE The bill author has informed the committee that access to medical records is a HIPAA-protected right that is essential for making treatment decisions for individuals and their loved ones, and covered entities are required to provide these records to patients, their parents or guardians, and their legal representatives within a specific period of time. However, the bill author has further informed the committee that each covered entity, such as a hospital, clinic, or doctor's office, can have its own policy for how to request those records and that the request process can be very confusing, be completely unknown, or even contain discrepancies between providers in the same practice group. When a covered entity does not provide the information or violates its own policy or even the law, it can be difficult for consumers to figure out how to file a complaint, if they even know that they have that option. In order to protect consumers' rights to access their own protected health information and help make them aware of complaint procedures, H.B. 4224 requires an applicable covered entity to prominently post on the entity's website and at any entity facility detailed instructions for a consumer to take certain actions. CRIMINAL JUSTICE IMPACT It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision. RULEMAKING AUTHORITY It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution. ANALYSIS H.B. 4224 amends the Health and Safety Code, for purposes of statutory provisions governing access to and use of protected health information with respect to medical records privacy, to require an applicable covered entity to prominently post on the entity's website and at any entity facility detailed instructions for a consumer to, as follows: request the consumer's health care records from the entity; contact the disciplinary or licensing authority for the entity; and file a consumer complaint as described by statutory provisions relating to the consumer information website maintained by the attorney general regarding access to and use of protected health information. For purposes of the bill's requirement, a covered entity, as defined in the statutory provisions governing medical records privacy, is any person who does the following: for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information, including a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site; comes into possession of protected health information; obtains or stores protected health information under the medical records privacy provisions; or is an employee, agent, or contractor of any such person insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information. EFFECTIVE DATE September 1, 2025.
BILL ANALYSIS
# BILL ANALYSIS
H.B. 4224
By: Hull
Public Health
Committee Report (Unamended)
H.B. 4224
By: Hull
Public Health
Committee Report (Unamended)
BACKGROUND AND PURPOSE The bill author has informed the committee that access to medical records is a HIPAA-protected right that is essential for making treatment decisions for individuals and their loved ones, and covered entities are required to provide these records to patients, their parents or guardians, and their legal representatives within a specific period of time. However, the bill author has further informed the committee that each covered entity, such as a hospital, clinic, or doctor's office, can have its own policy for how to request those records and that the request process can be very confusing, be completely unknown, or even contain discrepancies between providers in the same practice group. When a covered entity does not provide the information or violates its own policy or even the law, it can be difficult for consumers to figure out how to file a complaint, if they even know that they have that option. In order to protect consumers' rights to access their own protected health information and help make them aware of complaint procedures, H.B. 4224 requires an applicable covered entity to prominently post on the entity's website and at any entity facility detailed instructions for a consumer to take certain actions.
CRIMINAL JUSTICE IMPACT It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.
RULEMAKING AUTHORITY It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.
ANALYSIS H.B. 4224 amends the Health and Safety Code, for purposes of statutory provisions governing access to and use of protected health information with respect to medical records privacy, to require an applicable covered entity to prominently post on the entity's website and at any entity facility detailed instructions for a consumer to, as follows: request the consumer's health care records from the entity; contact the disciplinary or licensing authority for the entity; and file a consumer complaint as described by statutory provisions relating to the consumer information website maintained by the attorney general regarding access to and use of protected health information. For purposes of the bill's requirement, a covered entity, as defined in the statutory provisions governing medical records privacy, is any person who does the following: for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information, including a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site; comes into possession of protected health information; obtains or stores protected health information under the medical records privacy provisions; or is an employee, agent, or contractor of any such person insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.
EFFECTIVE DATE September 1, 2025.
BACKGROUND AND PURPOSE
The bill author has informed the committee that access to medical records is a HIPAA-protected right that is essential for making treatment decisions for individuals and their loved ones, and covered entities are required to provide these records to patients, their parents or guardians, and their legal representatives within a specific period of time. However, the bill author has further informed the committee that each covered entity, such as a hospital, clinic, or doctor's office, can have its own policy for how to request those records and that the request process can be very confusing, be completely unknown, or even contain discrepancies between providers in the same practice group. When a covered entity does not provide the information or violates its own policy or even the law, it can be difficult for consumers to figure out how to file a complaint, if they even know that they have that option. In order to protect consumers' rights to access their own protected health information and help make them aware of complaint procedures, H.B. 4224 requires an applicable covered entity to prominently post on the entity's website and at any entity facility detailed instructions for a consumer to take certain actions.
CRIMINAL JUSTICE IMPACT
It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.
RULEMAKING AUTHORITY
It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.
ANALYSIS
H.B. 4224 amends the Health and Safety Code, for purposes of statutory provisions governing access to and use of protected health information with respect to medical records privacy, to require an applicable covered entity to prominently post on the entity's website and at any entity facility detailed instructions for a consumer to, as follows:
request the consumer's health care records from the entity;
contact the disciplinary or licensing authority for the entity; and
file a consumer complaint as described by statutory provisions relating to the consumer information website maintained by the attorney general regarding access to and use of protected health information.
For purposes of the bill's requirement, a covered entity, as defined in the statutory provisions governing medical records privacy, is any person who does the following:
for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information, including a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;
comes into possession of protected health information;
obtains or stores protected health information under the medical records privacy provisions; or
is an employee, agent, or contractor of any such person insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.
EFFECTIVE DATE
September 1, 2025.