The Commissioner of Insurance adopts new Subchapter B, §§22.51-22.57 and 22.60-22.67, concerning privacy of nonpublic personal health information provided by consumers to insurers and other covered entities regulated by the department. New §§22.51, 22.52, 22.54, 22.56, 22.57, 22.60, 22.65, and 22.67 are adopted with changes to the proposed text published in the January 4, 2002 issue of the Texas Register (27 TexReg 35). New §§22.53, 22.55, 22.61, 22.62, 22.63, 22.64, and 22.66 are adopted without changes and will not be republished. Sections 22.58 and 22.59 are withdrawn and will not be adopted at this time.
The adopted rules are necessary to implement provisions of Senate Bill (SB) 11, 77 th Texas Legislature. SB 11 added Chapter 28B to the Insurance Code (Article 28B.01 et seq.), which requires entities regulated by the department to comply with certain health privacy provisions. SB 11 also added Subtitle I to Title 2 of the Health & Safety Code (Section 181.001 et seq.), which also addresses privacy of health information. SB 11 authorizes the Commissioner to adopt rules necessary to implement protected health information privacy requirements. The new sections set forth the requirements that covered entities must meet in structuring their consumer health information practices. Specifically, the rule provides notice requirements, as well as other procedures, that covered entities must follow with regard to nonpublic personal health information collected about a consumer. After receiving public comments on the proposed rules, the department has made changes based upon the public comments, proposed amendments to existing federal regulations, and for clarification. Most notably, the department has withdrawn §§22.58 and 22.59 as proposed. These sections, which dealt, respectively, with the use of protected health information for marketing purposes and reidentification of an individual using previously deidentified protected health information, were intended to implement Subchapter D of Texas Health and Safety Code (H&SC) §181.051, which was also created by SB 11. Unlike TIC Chapter 28B, H&SC Chapter 181 applies to entities even if the entity is also in compliance with the federal privacy regulations implementing the Health Insurance Portability and Accessibility Act (HIPAA) (42 U.S.C. Sections 1320d-1320d-8). Proposed §§22.58 and 22.59 were intended to mirror the requirements of the HIPAA privacy regulations. Amendments to the HIPAA privacy regulations were proposed on March 27, 2002, subsequent to the publication of this proposed rule. Accordingly, the department has decided to withdraw these particular sections pending the disposition of the proposed amendments to the HIPAA privacy regulations. Other changes, made in response to comments received, include changing the term "person" to "individual" wherever it referenced a natural person in §§22.52(3), 22.52(7), 22.52(9), 22.52(10) and 22.52(11). The option to use a consumer's "electronic signature" on an authorization, if the consumer has previously agreed to conduct business with the covered entity electronically, was added to §22.54(1)(C). Section 22.54(2)(B) was changed to permit an authorization provided by a consumer's legal representative to remain valid for 24 months unless the covered entity receives notice that the authorization is revoked. The five day requirement in proposed §22.56(e) was changed to 15 days. The department made a minor clerical change to §22.57(a)(28). Section 22.60 was changed to clarify that a covered entity may not disclose protected health information to a third party unless that third party agrees to use the information in a manner consistent with the rule. In §22.65, the term "opted out from the" was changed to "not authorized." The effective date of February 3, 2002 was changed to September 1, 2002.
Section 22.51 explains the purpose and scope of the subchapter. Section 22.52 defines terms within the subchapter and clarifies that terms defined in Subchapter A of this chapter also apply to this subchapter. Section 22.53 sets forth the general requirement that an authorization is required prior to disclosure of any protected health information by a covered entity subject to the subchapter. Section 22.54 sets forth the required elements of an authorization. Section 22.55 details how requests for authorizations and authorization forms must be delivered. Section 22.56 sets forth the requirements for revocation of an authorization. Section 22.57 sets forth exceptions to the authorization requirement. Section 22.60 addresses conditions under which a covered entity may disclose protected health information to a third party. Section 22.61 clarifies that once the federal health privacy rules under HIPAA become effective, this subchapter shall not apply to covered entities required to comply with those federal rules. Section 22.62 provides that the subchapter shall not affect the operation of the federal Fair Credit Reporting Act. Section 22.63 provides that the subchapter does not preempt or supersede existing state law related to health information privacy. Section 22.64 prohibits covered entities from violating the subchapter, describes available legal remedies and disciplinary actions, and provides that the subchapter does not affect a person's right to seek relief available under other law. Section 22.65 prohibits discrimination against consumers because of the exercise of rights under this subchapter. Section 22.66 provides for severability of any section of this subchapter which may be deemed invalid. Section 22.67 establishes a compliance date for the subchapter.
General:Several commenters believe that the use of the term "covered entity" in the rule, rather than "licensee," is confusing because Chapter 181 of the H&SC uses the term "covered entity" while Texas Insurance Code (TIC) Chapter 28B refers to "licensees."
Agency Response: While the department notes that SB 11 uses the term "licensee" to distinguish persons subject to the health privacy requirements of TIC Chapter 28B from the "covered entities" defined in H&SC Chapter 181, the department also notes that TIC Chapter 28A uses the term "covered entity" to apply to persons subject to the financial privacy requirements of that chapter. The definition of "covered entity" in TIC Chapter 28A and the definition of "licensee" in TIC Chapter 28B both reference persons who are subject to the department's authority but may not actually hold what is technically called a "license" in the TIC. The financial privacy rule (28 TAC Chapter 22, Subchapter A, implementing TIC Chapter 28A) utilizes the term "covered entity" to refer to persons subject to that chapter, which is identical to the definition of "licensee" in TIC Chapter 28B. Accordingly, the department uses the term "covered entity" in this rule to be consistent with 28 TAC Chapter 22, Subchapter A. The department believes it will create even more confusion to readers of 28 TAC Chapter 22 if two different terms are used to define these substantially similar groups.
§22.51. A commenter asks for clarification that, except for Subchapter D, covered entities are not subject to H&SC Chapter 181.
Agency Response: The department agrees that, as provided in Section 181.051, TDI licensees are not subject to H&SC Chapter 181, except for Subchapter D.
§22.51. A commenter believes that covered entities subject to the HIPAA privacy regulations, 45 CFR Parts 160 through 164, are not subject to the proposed rule.
Agency Response: The department disagrees. TIC Article 28B.05 provides that covered entities required to comply with the HIPAA privacy regulations are not required to also comply with Chapter 28B or rules adopted thereunder. However, the department notes that the HIPAA privacy standards do not require compliance until April 13, 2003. Accordingly, until that time, the statutory exemption is not in effect and covered entities must comply with Chapter 28B and any rules adopted thereunder.
§§22.51(a)(3) & (4), 22.51(b), 22.52(4), 22.58, 22.59, 22.60, and 22.65. Several commenters state that H&SC Chapter 181 broadly exempts workers´ compensation system participants, in whole or in part, and request clarification of the applicability of the rule to them.
Agency Response: The department disagrees. The principal statutory basis for the rule is TIC Chapter 28B. The scope of this statute includes all persons who hold or are required to hold a license, registration, certificate of authority, or other authority under this code or another insurance law of this state. There is no mention of excepting those entities involved in the business of workers´ compensation insurance. Thus, Chapter 28B, and rules adopted thereunder, applies to workers´ compensation system participants within the scope of SB 11.
H&SC §181.051 also provides statutory authority for this rule to the extent that it requires TDI licensees to comply with Subchapter D of Chapter 181. Although the department agrees that H&SC §181.054 excludes "workers´ compensation system participants" from application of Chapter 181 generally, H&SC §181.054 must be read in conjunction with §181.051(1), which specifically applies Subchapter D of Chapter 181 to TDI licensees. Section 181.054 was added to SB 11 in the Senate Committee Substitute passed by the Senate on March 21, 2001 (In that version of the bill, it was numbered as §181.002(b)). Section 181.051 was not added until the House amended SB 11 in the House Committee Substitute on May 25, 2001. Although §181.054 excludes all workers´ compensation system participants from application of Chapter 181 generally, §181.051 adds back all workers´ compensation system participants (that are also TDI covered entities) for purposes of compliance with Subchapter D of Chapter 181. The structure and timing of these amendments, along with Chapter 28B´s inclusion of workers´ compensation participants, indicate that the legislative intent was to subject those entities to the same standards as all other covered entities possessing protected health information.
Regarding §§22.58 and 22.59, the department has decided, nevertheless, to withdraw the sections implementing the provisions of SB 11 which create H&SC Chapter 181 pending the disposition of amendments to the HIPAA privacy regulations proposed on March 27, 2002.
§22.52(2). A commenter is concerned that the definition of "authorization form" does not permit a representative of a covered entity to provide or obtain an authorization.
Agency Response: The department does not intend to prohibit, and the language of the subsection does not prohibit, a covered entity from utilizing a representative to perform this function, as long as that representative complies with this and all other requirements of the rule on behalf of the covered entity.
§22.52(3). A commenter states that the definition of "consumer" is broader than the one found in the National Association of Insurance Commissioners (NAIC) Model Privacy Regulation and exceeds statutory authority.
Agency Response: The department agrees that its definition of "consumer" is broader that the definition in the NAIC Model Privacy Regulation but disagrees that the definition exceeds the department´s authority under SB 11. The department also disagrees that the differences in the definitions will have any impact on the effort required of a covered entity to protect an individual's health privacy information. Chapter 28B applies to all entities that fit the definition of "licensee" as set forth in Article 28B.01(2).
This rule is proposed under the authority granted to the department by SB 11. Nothing in SB 11 limits the application of Chapter 28B only to entities that are also subject to the NAIC Model Privacy Regulation. Nor does SB 11 indicate that it was intended to provide protection only to consumers of personal, family, or household products.
There are two reasons why the definition of consumer should always be broader for health information than for financial information. First, in the context of financial privacy, the type of financial information a covered entity obtains in issuing a commercial policy may often differ from the information it obtains from an individual seeking coverage for personal, family, or household purposes. An individual´s nonpublic personal health information, however, is protected regardless of the type of policy under which the individual is covered. For example, an employer seeking group health coverage may tender its employees´ protected health information to a covered entity while attempting to obtain coverage, but the employer would not be a consumer under the commenter´s interpretation. This would leave the health information privacy of the employees unprotected. Second, the financial privacy rule requires covered entities, regardless of whether they disclose their customers´ nonpublic personal financial information to nonaffiliated third parties, to fulfill certain requirements, e.g. sending annual notices. This rule contains no similar burden. In fact, unless a covered entity is planning to disclose an individual´s protected health information to third parties, the rule imposes no burdens on covered entities. Accordingly, while the "personal, family, household" distinction is a logical limitation to the scope of the financial privacy rule, with regard to health privacy it would leave many individuals unprotected and would not significantly alter the cost of compliance.
§22.52(4). A commenter suggests that the department amend some references to "persons" in the definition of "consumer" to "individuals."
Agency Response. The department agrees and has made this change where appropriate.
§22.52(4). A commenter believes that the definition of "covered entity" in this rule is broader than the definition used in the HIPAA privacy regulations, in that HIPAA does not apply to insurers that are not "health plans."
Agency Response: While the department agrees that the definition in the rule is broader than the HIPAA privacy regulation's definition, the definition comes directly from TIC Article 28B.01(2) and thus it is not appropriate to make this change.
§22.52(7). Several commenters are concerned that the definition of marketing is too broad and could be construed to require authorization before an insurer may inform its own customers about its own products or services.
Agency Response: The department has decided to withdraw the sections implementing the provisions of SB 11 which create H&SC Chapter 181 pending the disposition of amendments to the HIPAA privacy regulations proposed on March 27, 2002. Any remaining restrictions on marketing set forth in the rule apply only to marketing involving protected health information. The rule does not apply to marketing using any other type of information.
§22.52(7). A commenter is concerned that, as used in the rule, marketing would include research-related communications. The commenter requests additional guidance regarding the specific requirements to distinguish treatment and health care operations from marketing communications.
Agency Response. The department believes that the current definition of marketing, which excludes communications necessary to perform treatment or health care operations, gives sufficient leeway to covered entities performing bona fide health research. The rule does not include such activities within the scope of "marketing." The department believes that a covered entity will be able to distinguish between research being performed for bona fide health purposes and research activities that are actually a type of marketing as defined in the rule. In enforcing the rule, the department will examine such communications on a case-by-case basis. The department reminds covered entities that the rule applies only to activities performed in their capacities as a covered entity of TDI. For example, the activities of a covered entity also licensed as a hospital, which is conducting research in its capacity as a hospital, would not fall within the scope of these rules.
§22.52(7) and prescription patterns. A commenter suggests that the rule´s definition of marketing concerning prescription patterns or protected health information is broader than authorized by statute. The commenter is concerned that the inclusion of this language will prohibit the use of such information for legitimate health care operations and treatment.
Agency Response: The department disagrees. The statutory definition of "protected health information" specifically includes prescription patterns. The definition of marketing, however, specifically excludes communications by a covered entity, health care provider, or participants in an organized health care arrangement necessary to provide treatment or perform health care operations. Disease management and other legitimate treatments and health care operations are not included within the definition of marketing.
§22.52(9) & (10). A commenter believes the definitions of "prescription information" and "prescription pattern" are too broad and should be expressly limited to identifiable information. The commenter also believes that the definition of "prescription information" relates to prescriptions received by a covered entity from sources that are not covered entities.
Agency Response: The department disagrees that this change is necessary. "Prescription pattern" is a subset of "protected health information," which is specifically limited to individually identifiable health information. Moreover, the definitions of "prescription information" and "prescription pattern" are both limited to information relating to an individual. Therefore, any prohibitions on the use of prescription information necessarily include the requirement that such information be personally identifiable. The commenter is correct that the definition of "prescription information" relates to prescriptions from sources that may not be covered entities; the definition is intended to encompass any kind of information a covered entity might have about a prescription regardless of its source.
§22.52(11). Two commenters believe the definition of "protected health information" is too broad, specifically with regard to demographic information, address, and social security number. Another commenter suggests that the rules should use the statutory term "nonpublic personal health information" in place of "protected health information."
Agency Response: The statutory definition of protected health information includes all information that identifies a consumer, and therefore includes certain demographic information, addresses, and social security numbers. However, any information that is also available to the covered entity in a non-health information context would not be considered to be "health information" and would not be subject to the restrictions placed on health information by the rule. "Nonpublic personal health information" has exactly the same meaning, under the rule, as "protected health information."
§22.54(1)(B). A commenter suggests that this subparagraph should be changed to allow an authorization to describe the general types of information to be disclosed and the types of parties to whom the information is to be disclosed.
Agency Response. The department disagrees that it should add the word "general" to modify the description of types of information to be disclosed. The term "types of information" already allows covered entities some latitude to generalize this disclosure. Any generalization, however, must be done in such a way that identifies the "types" of information to sufficiently allow a consumer to understand the nature of the information to which the authorization applies.
The department points out that the language of §22.54(1)(B)(ii) already allows a covered entity to describe, rather than name, parties to whom disclosure will be made. This would include generic descriptions such as "an accountant" or a "document copying service." The department stresses, however, that authorization forms must be sufficiently specific to provide full and fair notice, and to avoid the effect of a blanket release.
§22.54(1)(C). A commenter suggests revising this subparagraph to permit electronic signatures.
Agency Response. The department agrees and has revised the text of the rule accordingly.
§22.54(2). A commenter suggests that an authorization granted for any claims-related purpose should remain open for the life of the claim.
Agency Response. The rule and TIC Chapter 28B create an exception to the authorization requirement for claim-related functions; therefore this change is unnecessary.
§22.54(2)(B). Two commenters request that the rule be revised to modify time limitations on the duration of an authorization.
Agency Response. The department declines to make this revision. Article 28B.02(b)(5) mandates the 24-month limitation.
§22.54(2)(B). Several commenters request that the rule be revised to allow a covered entity to rely on an authorization given by a legal representative until the entity receives actual written notice that the authorization has been revoked.
Agency Response. The department agrees that covered entities are entitled to notice that the representative has lost capacity and has revised the text accordingly.
§22.54(3). A commenter suggests amendment of this subparagraph to recognize that this information need only be retained for the life of the claim. Another commenter suggests six years would be appropriate and consistent with HIPAA standards.
Agency Response. The purpose of the rule is to set forth how protected information held by a covered entity can be used and shared. It does not prescribe standards for record retention. Given the variability in products provided by covered entities to which this rule will apply, it would not promote efficiency to set one specific time period for this section, and thus the department declines to make this change.
§22.54(4). A commenter suggests that this subparagraph should permit covered entities to suspend the request when a claimant refuses to provide a new authorization along with a request for service. Another commenter requests a provision allowing a licensee to condition payment of a claim on provision of an authorization.
Agency Response. Conditioning the provision of services, including payment of claims, upon a consumer's relinquishment of privacy protections afforded by this rule would undermine the very purpose of the rule. Authorizations are required if a covered entity plans to share information for non-insurance related purposes and other specifically exempted purposes. A covered entity may not condition the provision of insurance-related services, including payment of claims, upon a consumer´s agreement that protected health information be used for non-insurance purposes.
§22.55(a)(2)(C). A commenter believes that requiring a separate signature line on an authorization form included with other written communication will cause significant administrative burdens.
Agency Response. The department disagrees and declines to make this change. The purpose of this requirement is to prevent a covered entity from tying an authorization to release protected health information to any other action. Given the statute´s purpose, the consumer´s right to exercise his or her rights under the rule outweighs the slight administrative burden of requiring a separate signature line.
§22.56. A commenter suggests that the term "necessary" be changed or clarified in favor of efficiency or effectiveness out of concern for the interpretation a court could place on "necessary."
Agency Response. Since the term "necessary" is used in the statute, the department declines to make this suggested change. The term is also used in the NAIC Model Privacy Regulation and the department's financial rule, 28 TAC Subchapter 22A. The department notes that even if "efficient" or "effective" were substituted as recommended by the commenter, those terms would remain subject to judicial interpretation.
§22.56(e). Several commenters suggest that this section be amended to grant covered entities a longer period of time, ranging from five business days to 30 calendar days, to effect a revocation.
Agency Response. The department recognizes the five-day requirement may present compliance difficulties in some circumstances. However, the department believes that a 30 day requirement would not constitute a timely response to a consumer´s direction to end disclosure. Accordingly, the department has modified the text to allow a covered entity 15 days to effect a revocation. This period should be sufficient for covered entities to effect fully any revocation; i.e. no disclosure by any party under the revoked authorization should occur after the 15 th day.
§22.57(b). A commenter requests deletion of the restriction on disclosure for marketing purposes.
Agency Response. The department disagrees and declines to make this change. A primary purpose of SB 11 is to prevent covered entities from using information collected for the purpose of providing insurance services for marketing.
§22.58. Commenters believe that the rule incorrectly implements H&SC §181.152, the provision upon which the marketing requirements in §22.58 of the rule are based, as it would allow a covered entity to use protected health information to market a health related service to the consumer without an authorization as long as the covered entity complies with requirements of H&SC §§181.152(b) and (c). Commenters also suggest that covered entitles be permitted more time to remove an individual from a mailing list.
Agency Response. The department has decided to withdraw the sections implementing the provisions of SB 11 which create H&SC Chapter 181 pending the disposition of amendments to the HIPAA privacy regulations proposed on March 27, 2002. Any remaining restrictions on marketing set forth in the rule apply only to marketing involving protected health information. The rule does not apply to marketing using any other type of information.
§22.58. Applicability to entities that must comply with HIPAA. A commenter believes the rule should be clarified to indicate that entities required to comply with HIPAA, while exempt from compliance with Chapter 28B, must still comply with the proposed marketing restrictions implementing Chapter 181, Subchapter D.
Agency Response. The department agrees that the HIPAA-compliance exemption contained in Article 28B.05 would not apply to the provisions of the rule implementing Subchapter D of Chapter 181. The department notes, however, that the HIPAA privacy regulations also contain specific marketing restrictions which may preempt conflicting Chapter 181 requirements. Nevertheless, the department has decided to withdraw the sections implementing the provisions of SB 11 which create H&SC Chapter 181 pending the disposition of amendments to the HIPAA privacy regulations proposed on March 27, 2002. Any remaining restrictions on marketing set forth in the rule apply only to marketing involving protected health information. The rule does not apply to marketing using any other type of information.
§§22.58 & 22.59. Commenters suggest amending the rule to recognize that §§22.58 and 22.59 do not apply to employee benefit plans or persons acting in connection with them. Another commenter suggests that since the effective date of H&SC Chapter 181 is September 1, 2003, the department does not currently have authority to enforce rules adopted under that chapter and should thus delete or revise those sections of the proposed rules. Another commenter believes that §22.59 only applies if required specifically by other state or federal law.
Agency Response. The department has decided to withdraw the sections implementing the provisions of SB 11 which create H&SC Chapter 181 pending the disposition of amendments to the HIPAA privacy regulations proposed on March 27, 2002.
§22.60. Several commenters request deletion or revision of this section to a standard similar to that embodied in 45 CFR §164.504(e), on the grounds that there is no statutory authority for the requirement and that it subjects covered entities to responsibility for conduct they may not be able to control.
Agency Response. The department agrees that, as worded, the proposed rule appears to impose liability on a covered entity for a third party´s violation of this provision. The department has revised the text to implement the statutory prohibition against knowing violations by clarifying that a covered entity may not make disclosures unless the third party agrees not to disclose or use the protected health information other than in a manner consistent with the rule.
§22.61. A commenter believes that the proposed rule mandates compliance with both it and the HIPAA privacy regulations. Another commenter objects to the requirement that covered entities subject to HIPAA comply with the rule until the HIPAA regulation takes effect. A third commenter asks for clarification regarding compliance.
Agency Response. SB 11 and this rule require compliance by covered entities, which may include entities subject to HIPAA privacy laws. Article 28B.05 provides that covered entities that are required to comply with HIPAA privacy standards are not required also to comply with Chapter 28B or rules adopted thereunder. However, currently no entities are required to comply with the HIPAA privacy standards (scheduled compliance date, April 13, 2003). The Article 28B.05 exemption does not take effect until HIPAA requires compliance; in the interim, covered entities must comply with Chapter 28B and any rules adopted thereunder.
Section 22.61 provides that the rule does not apply to a covered entity that is required to comply with the HIPAA privacy standards. The commenter´s interpretation would result in allowing HIPAA-subject entities to remain totally unregulated until at least April 13, 2003. This disparity would leave a significant portion of consumers without the protection contemplated and intended by SB 11. Moreover, the department believes that this rule, although not identical to the HIPAA privacy regulation, should present minimal difficulty in the transition from one regulation to the other.
§22.61. A commenter requests that the rule be amended to exempt any HIPAA-compliant covered entity from the scope of the rule, not simply those required to comply with the HIPAA privacy regulations. Another commenter states that the rule does not provide clear guidance as to the extent that entities performing multiple tasks are expected to comply with the proposed regulations, and suggests including either a hybrid entity exclusion similar to that contained in federal privacy rules, or an exemption for "federally covered entities."
Agency Response. The department declines to make this change. Article 28B.05 states that this subchapter does not apply to a covered entity that is required to comply with the HIPAA privacy requirements. The federal government could not enforce HIPAA standards against an entity not subject to those standards, and the department has no authority to enforce the HIPAA standards. SB 11 does not provide authority to create a specific exclusion either for hybrid entities or federally covered entities.
§22.64(d). A commenter requests amendment of this section to require that a finding by a court is necessary to exclude a covered entity from a state-funded health care program.
Agency Response. The department recognizes that the corresponding provisions of H&SC Chapter 181 specifically require a court order. The rule, however, is consistent with TIC Article 28B.11, which specifies exclusion if there is evidence that the covered entity engaged in a pattern or practice of violating the chapter. In any event, the department has decided to withdraw the sections implementing the provisions of SB 11 which create H&SC Chapter 181 pending the disposition of amendments to the HIPAA privacy regulations proposed on March 27, 2002.
§22.65. A commenter suggests revision of this section to reflect the opt-in nature of this rule´s authorization. Another commenter suggests deletion of this section as it exceeds the department´s authority.
Agency Response. The department agrees with the comment regarding opting in and has revised the text accordingly. The department disagrees with the commenter who recommends deletion and declines to make that change. The privacy protections enacted by SB 11 could not be adequately implemented if insurers could discriminate against those who exercise their right to protect their personal health information from disclosure, thus making this section a necessary component of the implementation of Chapter 28B. Article 28B.09 authorizes the commissioner to adopt rules as necessary to implement this chapter.
§22.67. Several commenters request that the department delay the effective date of the rule. One commenter believes that the statute mandates an effective date of September 1, 2003.
Agency Response. The department disagrees that the earliest possible effective date of the rule is September 1, 2003. The effective date of the portion of SB 11 enacting Insurance Code Chapter 28B was January 1, 2002. The rule provides guidance to covered entities that were required to comply with Chapter 28B as of that date. Therefore, the department attempted to implement the rule close in time to the statute´s effective date. This rule will take effect on September 1, 2002.
The effective date for Chapter 181 was September 1, 2001. However, the statute indicates that compliance with Chapter 181 is required not later than September 1, 2003. The department is specifically authorized under Sec. 181.004 to adopt rules necessary to carry out the purposes of Chapter 181 as they apply to its licensees. Therefore, the department has the discretion to determine the compliance date for its rule. In response to comments, however, requesting additional time for compliance, and pending the disposition of amendments to the HIPAA privacy regulations proposed on March 27, 2002, the department has decided to withdraw the sections implementing the provisions of SB 11 which create H&SC Chapter 181. The department will propose these sections at a later time.
SB 11, Sec. 5. A commenter remarks that the proposed rule fails to reflect SB 11 Section 5(e) that "grandfathers" authorizations executed before its effective date.
Agency Response. The department disagrees, as §22.63 clarifies that this rule does not preempt or supersede existing state law related to medical records, health or insurance information privacy. Therefore, an authorization executed under state law existing prior to the effective date of SB 11 would continue to be governed by that state law. The department would point out, however, that SB 11, Section 5(e) only applies to the extent that there actually is existing law that governs a particular consent or authorization. One of the purposes of SB 11 was to govern consents and authorizations obtained by covered entities that were not previously subject to a specific statute. Covered entities attempting to uphold a pre-existing authorization or consent will be responsible for determining and demonstrating the legal basis under which the authorization or consent was granted.
For with changes: Alliance of American Insurers, American Council of Life Insurers; American Family Life Assurance Company; American Insurance Association; American International Group, Inc.; Community First Health Plans; Covenant Management Systems, L.P.; Health Insurance Association of America; Liberty Mutual Group; Merck-Medco Managed Care, L.L.C.; National Association of Independent Insurers; Texas Association of Business & Chambers of Commerce; Texas Association of Health Plans; Texas Association of Life & Health Insurers; Texas Children's Hospital; Texas Hospital Association; Texas Medical Association; Texas Mutual Insurance Company; Texas Workers´ Compensation Commission; United Services Automobile Association; Vinson & Elkins.
The new sections are adopted under the Insurance Code Chapter 28B and §36.001 and the H&SC, Section 181.004. Insurance Code Article 28B.08 provides that the Commissioner may adopt rules as necessary to implement the chapter. H&SC Section 181.004 authorizes a state agency that licenses or regulates a covered entity subject to Chapter 181 to adopt rules as necessary to carry out the purposes of the chapter. Insurance Code §36.001 provides that the Commissioner of Insurance may adopt rules to execute the duties and functions of the Texas Department of Insurance only as authorized by statute.
§22.51. Purpose and Scope.
(a) Purpose. This subchapter governs the treatment by all covered entities of a consumer´s nonpublic personal health information. This subchapter:
(1) requires a covered entity to obtain an authorization prior to disclosing nonpublic personal health information about a consumer to any other person for any purpose other than as enumerated in §22.57 of this subchapter (relating to Exceptions); and
(2) describes exceptions to the authorization requirement for certain insurance related transactions and other purposes enumerated in this subchapter.
(b) Scope. This subchapter applies to all nonpublic personal health information held by a covered entity as defined in this subchapter.
§22.52. Definitions. The following words and terms, when used in this subchapter, shall have the following meanings, unless the context clearly indicates otherwise. Unless otherwise defined in this subchapter, each term that is used in this subchapter that is defined in subchapter A of this chapter shall have the meaning assigned by subchapter A of this chapter.
(1) Authorization--Executed document that signifies that the signer of the authorization is providing informed permission that nonpublic personal health information held by a covered entity and described in the document may be released to other parties pursuant to the terms of the document.
(2) Authorization form--A form provided by a covered entity which, if signed and dated by a consumer as set forth in this subchapter, constitutes an authorization under this subchapter.
(3) Consumer--An individual or that individual´s representative who seeks to obtain, obtains or has obtained an insurance product or service from a covered entity, and about whom the covered entity has nonpublic personal health information.
(4) Covered entity--A person who holds or is required to hold a license, registration, certificate of authority, or other authority under the Insurance Code or another insurance law of this state. The term includes, but is not limited to, an insurance company, group hospital service corporation, mutual insurance company, local mutual aid association, statewide mutual assessment company, stipulated premium insurance company, health maintenance organization, reciprocal or interinsurance exchange, Lloyd's plan, fraternal benefit society, county mutual insurer, farm mutual insurer, viatical or life settlement provider or broker, or insurance agent. For purposes of this subchapter, "covered entity" has the same meaning as "licensee" as used in Article 28B.01(2), Insurance Code.
(5) Health care operations--As set forth in the Health Insurance Portability and Accountability Act and Privacy Standards. The term does not include marketing as described in 45 C.F.R. §164.514(e) and any subsequent amendments.
(6) Health Insurance Portability and Accountability Act and Privacy Standards--The privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.) and the final rules adopted on December 28, 2000, and published at 65 Fed. Reg. 82798 et seq., and any subsequent amendments.
(7) Marketing--The promotion or advertisement, by a covered entity, of specific products or services if the covered entity receives, directly or indirectly, a financial incentive or remuneration for the use, access, or disclosure of protected health information. Marketing includes, but is not limited to, communications to an individual based on prescription patterns or protected health information intended to encourage or discourage the individual's use of prescription or non-prescription medicine, medical devices or any other product. Marketing does not include a communication, by a covered entity, health care provider, or participants in an organized health care arrangement or their affiliated covered entities or business associates, necessary to provide treatment or perform health care operations.
(8) Nonpublic personal health information--Has the same meaning as "protected health information."
(9) Prescription information--Any information, whether oral or recorded in any form or medium, that:
(A) relates to or concerns a prescription created or received by a covered entity, health care provider, public health authority, employer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to the individual, or the utilization of health care by the individual.
(10) Prescription pattern--A profile or other summary of an individual's prescription information.
(11) Protected health information--Individually identifiable health information collected from an individual, including the individual's name, address, social security number and demographic information, that:
(A) relates to:
(i) the past, present, or future physical or mental health or condition of the individual;
(ii) the provision of health care to the individual; or
(iii) the past, present, or future payment for the provision of health care to the individual; and
(B) either identifies the individual or provides a reasonable basis to believe the information can be used to identify the individual.
(12) Request for authorization--A written or electronic transmission requesting an authorization pursuant to this subchapter.
§22.53. Authorization Required for Disclosure of Nonpublic Personal Health Information. Except pursuant to §22.57 of this subchapter (relating to Exceptions) a covered entity must obtain an authorization to disclose any nonpublic personal health information about a consumer to another party before making such a disclosure.
§22.54. Authorizations. An authorization required by this subchapter shall:
(1) be in writing or electronic form (if the consumer has agreed to conduct business with the covered entity electronically), and shall:
(A) state the identity of the consumer who is the subject of the nonpublic personal health information;
(i) the types of nonpublic personal health information to be disclosed;
(ii) the parties to whom the covered entity discloses nonpublic personal health information;
(iii) the purpose of the disclosure;
(iv) how the information disclosed will be used; and
(v) the procedure for revoking the authorization.
(C) include the signature which (if the consumer has agreed to conduct business with the covered entity electronically) may be in electronic form, and date signed, of:
(i) the consumer who is the subject of the nonpublic personal health information; or
(ii) a person who is legally empowered to authorize disclosure of the subject consumer´s nonpublic personal health information.
(D) provide notice:
(i) of the length of time for which the authorization is valid; and
(ii) that the consumer may revoke the authorization at any time.
(2) An authorization subject to this subchapter shall specify the period of time for which the authorization shall remain valid, but shall in no event be valid:
(A) in the case of an authorization signed by the consumer that is the subject of the nonpublic personal health information, for a period of more than 24 months from the date it was signed; and
(B) in the case of an authorization signed by another person who is legally empowered to authorize disclosure on behalf of the consumer, for a period that ends at the later of:
(i) the date the covered entity receives notice that the person has lost the legal capacity to authorize disclosure, or
(ii) 24 months from the date it was signed.
(3) A covered entity obtaining an authorization pursuant to this subchapter shall retain the original authorization or a copy thereof in its records of the consumer who is the subject of nonpublic personal health information.
(4) A covered entity may obtain a subsequent authorization to replace an authorization that has by its terms expired, provided that the subsequent authorization:
(A) complies with the requirements of paragraph (1)(C) of this section, and
(B) meets all other applicable requirements of this section.
§22.55. Delivery of Requests for Authorization & Authorization Forms.
(a) A covered entity may deliver a request for authorization and an authorization form to a consumer as required by this subchapter:
(1) separately; or
(2) along with a policy, billing, an opt-out notice pursuant to Subchapter A of this chapter, or other written communication, provided that the request for authorization and the authorization form:
(A) are clear and conspicuous,
(B) are separate in content from any other accompanying written communication, and
(C) require a separate signature on a signature line that is not a part of any signature line relating to any of the other accompanying written communication.
(b) A covered entity is not required to deliver, or include in any other communications, an authorization form to the consumer unless the covered entity intends to disclose protected health information pursuant to §22.53 of this subchapter (relating to Authorization Required for Disclosure of Nonpublic Personal Health Information).
(c) A covered entity must receive an authorization prior to making any disclosures pursuant to that authorization.
§22.56. Revocation of Authorizations.
(a) A consumer or person who has signed an authorization described in this subchapter may at any time revoke that authorization.
(b) Revocation of any authorization made pursuant to this subchapter is subject to the rights of a person who acted in reasonable reliance on the authorization before receiving notice of the revocation.
(c) A revocation must be in writing and signed by the consumer about whom the authorization was made or by a person legally empowered to authorize disclosure on behalf of the consumer.
(d) A covered entity:
(1) may not require a revocation to be on a particular form; and
(2) must honor a revocation that reasonably identifies the authorization that it is intended to revoke.
(e) A covered entity shall effect a revocation as soon as possible after receipt but not later than 15 days after the date of receipt.
§ 22.57. Exceptions.
(a) A covered entity may disclose, without an authorization, nonpublic personal health information to the extent that the disclosure is necessary to perform the following insurance functions or legally required activity on behalf of that covered entity:
(1) the investigation or reporting of actual or potential fraud, misrepresentation, or criminal activity;
(3) the placement or issuance of an insurance product;
(4) loss control services;
(5) ratemaking and guaranty fund functions;
(6) reinsurance and excess loss insurance;
(7) risk management;
(8) case management;
(9) disease management;
(10) quality assurance;
(11) quality improvement;
(12) performance evaluation;
(13) health care provider credentialing verification;
(14) utilization review;
(15) peer review activities;
(16) actuarial, scientific, medical, or public policy research;
(17) grievance procedures;
(18) the internal administration of compliance, managerial, and information systems;
(19) policyholder services;
(22) database security;
(23) the administration of consumer disputes and inquiries;
(24) external accreditation standards;
(25) the replacement of a group benefit plan or workers' compensation policy or program;
(26) activities in connection with a sale, merger, transfer, or exchange of all or part of a business or operating unit;
(27) any activity that permits disclosure without authorization under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), as amended;
(28) disclosure that is required, or is a lawful or appropriate method, to enforce the covered entity's rights or the rights of other persons engaged in carrying out a transaction or providing an insurance product or service that the consumer requests or authorizes;
(29) claims administration, adjustment, and management;
(30) any activity otherwise permitted by law, required pursuant to a governmental reporting authority, or required to comply with legal process; and
(31) any other insurance functions that the commissioner approves that are:
(A) necessary for appropriate performance of insurance functions; and
(B) fair and reasonable to the interests of consumers.
(b) A disclosure for marketing purposes shall not be considered to be an insurance function or any other type of activity that constitutes an exception under this section.
§22.60. Responsibility for Disclosure to Third Parties. A covered entity that discloses protected health information to another person to perform any function on behalf of the covered entity shall not make any such disclosure unless the third party agrees not to disclose or use the protected health information other than to carry out the purposes for which the covered entity disclosed the information or in a manner otherwise consistent with this subchapter.
§22.61. Relationship to Federal Rules. This subchapter does not apply to a covered entity that is required to comply with the standards governing the privacy of individually identifiable health information adopted by the United States Secretary of Health and Human Services under Section 262(a), Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sections 1320d-1320d-8).
§22.62. Protection of Fair Credit Reporting Act. This subchapter may not be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) and an inference may not be drawn based on this subchapter regarding whether information is transaction or experience information under Section 603 of that Act (15 U.S.C. Section 1681a).
§22.63. Relationship to State Laws. Nothing in this subchapter shall be construed to preempt or supersede existing state law related to medical records, health or insurance information privacy that is in effect on July 1, 2002.
§22.64. Violation; Disciplinary Action.
(a) A covered entity may not knowingly or willfully violate this subchapter.
(b) A knowing or willful violation of any section of this subchapter shall subject the covered entity to the disciplinary and enforcement sanctions and penalties provided in the Insurance Code, Chapters 28B, 82, 83, and 84.
(c) In addition to the penalties prescribed by this subchapter, an alleged violation of this subchapter by a covered entity is subject to investigation and disciplinary proceedings, including probation or suspension. Evidence of a pattern or practice of violations under this subchapter may subject a covered entity to license revocation.
(d) In addition to the penalties prescribed by this subchapter, a covered entity shall be excluded from participating in any state-funded health care program if there is evidence that the covered entity engaged in a pattern or practice of violating this subchapter.
(e) This subchapter does not affect any right of a person to bring a cause of action under other law or otherwise seek relief with respect to conduct that is a violation of this subchapter.
§22.65. Nondiscrimination. A covered entity shall not unfairly discriminate against a consumer because that consumer has not authorized disclosure of his or her nonpublic personal health information pursuant to the provisions of this subchapter.
§22.66. Severability. If any section or portion of a section of this subchapter or its applicability to any person or circumstance is held invalid by a court, the remainder of the subchapter or the applicability of the provision to other persons or circumstances shall not be affected.
§22.67. Effective date. This subchapter takes effect on September 1, 2002.