Bill Text: TX SB1574 | 2017-2018 | 85th Legislature | Introduced
Bill Title: Relating to the electronic sharing of protected health information and certification of and enforcement actions against certain covered entities.
Sponsorship: Partisan Bill (Republican 1)
Status: (Introduced - Dead) 2017-03-21 - Referred to Health & Human Services [SB1574 Detail]
Download: Texas-2017-SB1574-Introduced.html
| 85R5920 JG-F | ||
| By: Kolkhorst | S.B. No. 1574 | |
|
|
||
|
|
||
| relating to the electronic sharing of protected health information | ||
| and certification of and enforcement actions against certain | ||
| covered entities. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Section 181.201(d), Health and Safety Code, is | ||
| amended to read as follows: | ||
| (d) In determining the amount of a penalty imposed under | ||
| Subsection (b), the court shall consider: | ||
| (1) the seriousness of the violation, including the | ||
| nature, circumstances, extent, and gravity of the disclosure; | ||
| (2) the covered entity's compliance history; | ||
| (3) whether the violation poses a significant risk of | ||
| financial, reputational, or other harm to an individual whose | ||
| protected health information is involved in the violation; | ||
| (4) [ |
||
|
|
||
| [ |
||
| violation; and | ||
| (5) [ |
||
| violation. | ||
| SECTION 2. Section 181.205(b), Health and Safety Code, is | ||
| amended to read as follows: | ||
| (b) In determining the amount of a penalty imposed under | ||
| other law in accordance with Section 181.202, a court or state | ||
| agency shall consider the following factors: | ||
| (1) the seriousness of the violation, including the | ||
| nature, circumstances, extent, and gravity of the disclosure; | ||
| (2) the covered entity's compliance history; | ||
| (3) whether the violation poses a significant risk of | ||
| financial, reputational, or other harm to an individual whose | ||
| protected health information is involved in the violation; | ||
| (4) [ |
||
|
|
||
| [ |
||
| violation; and | ||
| (5) [ |
||
| violation. | ||
| SECTION 3. Subchapter E, Chapter 181, Health and Safety | ||
| Code, is amended by adding Section 181.208 to read as follows: | ||
| Sec. 181.208. ENFORCEMENT AGAINST CERTAIN COVERED | ||
| ENTITIES. Notwithstanding Sections 181.201 and 181.202, the | ||
| attorney general may not bring an action for civil penalties under | ||
| Section 181.201 and a licensing agency may not conduct a | ||
| disciplinary proceeding under Section 181.202 against a covered | ||
| entity that holds a certification described by Section 182.108 at | ||
| the time of the violation unless the violation is a result of the | ||
| covered entity's gross negligence or intentional conduct. | ||
| SECTION 4. Section 182.108, Health and Safety Code, is | ||
| amended by adding Subsection (b-1) and amending Subsections (c) and | ||
| (d) to read as follows: | ||
| (b-1) The executive commissioner by rule may develop and the | ||
| commission may implement a system to offer to a covered entity that | ||
| contracts with the commission incentives to obtain a certification | ||
| under this section. This subsection does not apply to a covered | ||
| entity that is also a health care provider as defined by Section | ||
| 74A.001, Civil Practice and Remedies Code. | ||
| (c) Standards adopted under Subsection (b) must be designed | ||
| to: | ||
| (1) comply with the Health Insurance Portability and | ||
| Accountability Act and Privacy Standards and Chapter 181; | ||
| (2) comply with any other state and federal law | ||
| relating to the security and confidentiality of information | ||
| electronically maintained or disclosed by a covered entity; | ||
| (3) ensure the secure maintenance and disclosure of | ||
| personally identifiable health information; | ||
| (4) include strategies and procedures for disclosing | ||
| personally identifiable health information; [ |
||
| (5) support a level of system interoperability with | ||
| existing health record databases in this state that is consistent | ||
| with emerging standards; and | ||
| (6) ensure compliance with relevant industry | ||
| standards relating to security of Internet websites and electronic | ||
| information. | ||
| (d) The corporation shall establish a process by which a | ||
| covered entity may apply for privacy, security, or privacy and | ||
| security certification by the corporation for the [ |
||
| entity's past compliance with standards adopted under Subsection | ||
| (b). | ||
| SECTION 5. Sections 182.108(h), (i), (j), (l), and (m), | ||
| Health and Safety Code, as effective September 1, 2021, are amended | ||
| to read as follows: | ||
| (h) In amending standards under Subsection (g), the | ||
| commission shall seek the assistance of an [ |
||
| organization with relevant knowledge and experience in health care | ||
| privacy and security certification [ |
||
|
|
||
| (i) Standards amended under Subsection (g) must be designed | ||
| to: | ||
| (1) comply with the Health Insurance Portability and | ||
| Accountability Act and Privacy Standards and Chapter 181; | ||
| (2) comply with any other state and federal law | ||
| relating to the security and confidentiality of information | ||
| electronically maintained or disclosed by a covered entity; | ||
| (3) ensure the secure maintenance and disclosure of | ||
| individually identifiable health information; | ||
| (4) include strategies and procedures for disclosing | ||
| individually identifiable health information; [ |
||
| (5) support a level of system interoperability with | ||
| existing health record databases in this state that is consistent | ||
| with emerging standards; and | ||
| (6) ensure compliance with relevant industry | ||
| standards relating to security of Internet websites and electronic | ||
| information. | ||
| (j) The commission shall designate an [ |
||
| organization with relevant knowledge and experience in health care | ||
| privacy and security certification [ |
||
|
|
||
| a covered entity may apply for privacy, security, or privacy and | ||
| security certification by the designated [ |
||
| organization for the [ |
||
| standards adopted under this section. If an [ |
||
| organization with relevant knowledge and experience in health care | ||
| privacy and security certification [ |
||
|
|
||
| shall [ |
||
| [ |
||
| subsection[ |
||
| [ |
||
|
|
||
| (l) The commission shall ensure that any fee charged for the | ||
| certification process described in Subsection (j) by the [ |
||
|
|
||
| subsection, including a person acting on behalf of a designated | ||
| organization [ |
||
| establishes the process as described by Subsection (j) [ |
||
| the commission shall set a reasonable fee for the certification | ||
| process. | ||
| (m) For good cause, the commission may revoke the | ||
| designation or authority of an [ |
||
| [ |
||
| Subsection (j). | ||
| SECTION 6. The changes in law made by this Act apply only to | ||
| a violation that occurs on or after the effective date of this Act. | ||
| A violation that occurs before the effective date of this Act is | ||
| governed by the law applicable to the violation immediately before | ||
| the effective date of this Act, and that law is continued in effect | ||
| for that purpose. | ||
| SECTION 7. This Act takes effect immediately if it receives | ||
| a vote of two-thirds of all the members elected to each house, as | ||
| provided by Section 39, Article III, Texas Constitution. If this | ||
| Act does not receive the vote necessary for immediate effect, this | ||
| Act takes effect September 1, 2017. | ||
