The Texas Department of Insurance proposes new 22.51-22.67, concerning privacy of nonpublic personal health information provided by consumers to insurers and other covered entities regulated by the department. This proposal is necessary to implement provisions of Senate Bill (SB) 11, 77th Texas Legislature. SB 11 added Chapter 28B to the Insurance Code (Article 28B.01 et seq.), which requires entities regulated by the department to comply with the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. Sections 1320d-1320d-8). SB 11 also added Subtitle I to Title 2 of the Health & Safety Code (Section 181.001 et seq.), which requires certain persons, including covered entities subject to regulation by the department, to comply with provisions addressing reidentification of persons and marketing using protected health information. SB 11 authorizes the Commissioner to adopt rules necessary to implement protected health information privacy requirements. The proposed sections set forth the requirements that covered entities must meet in structuring their consumer health information practices to comply with HIPAA and SB 11. Specifically, the rules provide notice requirements, as well as other procedures that covered entities must follow with regard to nonpublic personal health information collected about a consumer.
Proposed 22.51 explains the purpose and scope of the subchapter. Proposed 22.52 defines terms within the subchapter and clarifies that terms defined in Subchapter A of this chapter also apply to this subchapter. Proposed 22.53 sets forth the general requirement that an authorization is required prior to disclosure of any protected health information by a covered entity subject to the subchapter. Proposed 22.54 sets forth the required elements of an authorization. Proposed 22.55 details how requests for authorizations and authorization forms must be delivered. Proposed 22.56 sets forth the requirements for revocation of an authorization. Proposed 22.57 describes exceptions to the applicability of the subchapter and clarifies that marketing does not constitute an exception for purposes of this section. Proposed 22.58 outlines requirements for marketing using protected health information. Proposed 22.59 prohibits reidentification of or any attempt to reidentify a person who is the subject of any protected health information. Proposed 22.60 addresses a covered entity's responsibility for a third party's treatment of protected health information it discloses to the third party. Proposed 22.61 clarifies that once the federal health privacy rules under HIPAA become effective, this subchapter shall not apply to covered entities required to comply with those federal rules. Proposed 22.62 provides that the subchapter shall not affect the operation of the federal Fair Credit Reporting Act. Proposed 22.63 provides that the subchapter does not preempt or supersede existing state law related to health information privacy. Proposed 22.64 prohibits covered entities from violating the subchapter, describes available legal remedies and disciplinary actions, and provides that the subchapter does not affect a person's right to seek relief available under other law. Proposed 22.65 prohibits discrimination against consumers because of the exercise of rights under this subchapter.
Proposed 22.66 provides for severability of any section of this subchapter held invalid. Proposed 22.67 establishes a compliance date for the subchapter.
Kim Stokes, Senior Associate Commissioner for Life, Health, & Licensing, has determined that for each year of the first five years the proposed sections will be in effect, there will be no fiscal impact to state and local governments as a result of the enforcement or administration of the rule. There will be no measurable effect on local employment or the local economy as a result of the proposal.
Ms. Stokes has also determined that for each year of the first five years the sections are in effect, the public benefit anticipated as a result of the proposed sections will be enhanced protection of privacy of consumer health information. Ms. Stokes has determined that any economic cost to persons required to comply with the new sections, as well as any costs to a covered entity qualifying as a small business under Government Code 2006.001, for each year of the first five years the proposed new sections will be in effect are the result of the legislative enactment of the Insurance Code Chapter 28B, and not as a result of the adoption, enforcement, or administration of the proposed new sections. The total cost to a covered entity is not dependent upon the size of the entity, but rather is dependent upon the entity's number of consumers. Therefore, it is the department's position that the adoption of these proposed new sections will have no adverse economic effect on small businesses or micro-businesses. Regardless of the fiscal effect, the department does not believe it legal or feasible to waive the requirements of these rules for small businesses or micro-businesses. To do so would allow differentiation of protection between consumers of small business covered entities compared to those protections provided to the consumers of large covered entities. In an effort to minimize costs, however, covered entities may deliver required notices along with other correspondence rather than in a separate mailing.
To be considered, comments on the proposal must be submitted in writing no later than 5:00 p.m., Central Daylight Time, on February 4, 2002 to Lynda H. Nesenholtz, Chief Clerk, Mail Code 113-2A, Texas Department of Insurance, P. O. Box 149104, Austin, Texas 78714-9104. An additional copy of the comment must be simultaneously submitted to Barbara Holthaus, Director of Project Development, Mail Code 107-2A, Texas Department of Insurance, P.O. Box 149104, Austin, Texas 78714-9104. A request for a public hearing should be submitted separately to the Office of the Chief Clerk.
The new sections are proposed under the Insurance Code Article 28B.08 and 36.001 and the Health & Safety Code, Section 181.004. Insurance Code Article 28B.08 provides that the Commissioner may adopt rules as necessary to implement the chapter. Insurance Code Section 36.001 provides that the Commissioner of Insurance may adopt rules to execute the duties and functions of the Texas Department of Insurance only as authorized by statute. Health & Safety Code Section 181.004 authorizes a state agency that licenses or regulates a covered entity subject to Chapter 181 to adopt rules as necessary to carry out the purposes of the chapter.
The following article of the Insurance Code and sections of Chapter 181 of the Health & Safety Code are affected by this proposal: Insurance Code Art. 28B.01 et seq.; Health & Safety Code, 181.151 and 220.127.116.11.
22.51. Purpose and Scope.
(a) Purpose. This subchapter governs the treatment by all covered entities of a consumer's nonpublic personal health information. This subchapter:
(1) requires a covered entity to obtain an authorization prior to disclosing nonpublic personal health information about a consumer to any other person for any purpose other than as enumerated in 22.57 of this subchapter (relating to Exceptions);
(2) describes exceptions to the authorization requirement for certain insurance related transactions and other purposes enumerated in this subchapter;
(3) prohibits a covered entity from reidentifying or attempting to reidentify a consumer who is the subject of any protected health information without obtaining the consumer's consent or authorization; and
(4) sets forth requirements for written marketing communication using protected health information.
(b) Scope. This subchapter applies to all nonpublic personal health information held by a covered entity as defined in this subchapter.
22.52. Definitions. The following words and terms, when used in this subchapter, shall have the following meanings, unless the context clearly indicates otherwise. Unless otherwise defined in this subchapter, each term that is used in this subchapter that is defined in Subchapter A of this chapter shall have the meaning assigned by Subchapter A of this chapter.
(1) Authorization--Executed document that signifies that the signer of the authorization is providing informed permission that nonpublic personal health information held by a covered entity and described in the document may be released to other parties pursuant to the terms of the document.
(2) Authorization form--A form provided by a covered entity, which, if signed and dated by a consumer as set forth in this subchapter, constitutes an authorization under this subchapter.
(3) Consumer--A person or that person's representative who seeks to obtain, obtains or has obtained an insurance product or service from a covered entity, and about whom the covered entity has nonpublic personal health information.
(4) Covered entity--A person who holds or is required to hold a license, registration, certificate of authority, or other authority under the Insurance Code or another insurance law of this state. The term includes, but is not limited to, an insurance company, group hospital service corporation, mutual insurance company, local mutual aid association, statewide mutual assessment company, stipulated premium insurance company, health maintenance organization, reciprocal or interinsurance exchange, Lloyd's plan, fraternal benefit society, county mutual insurer, farm mutual insurer, viatical or life settlement provider or broker, or insurance agent. For purposes of this subchapter, "covered entity" has the same meaning as "licensee" as used in Article 28B.01(2), Insurance Code.
(5) Health care operations--As set forth in the Health Insurance Portability and Accountability Act and Privacy Standards. The term does not include marketing as described in 45 C.F.R. 164.514(e) and any subsequent amendments.
(6) Health Insurance Portability and Accountability Act and Privacy Standards--The privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) and the final rules adopted on December 28, 2000, and published at 65 Fed. Reg. 82798 et seq., and any subsequent amendments.
(7) Marketing--The promotion or advertisement, by a covered entity, of specific products or services if the covered entity receives, directly or indirectly, a financial incentive or remuneration for the use, access, or disclosure of protected health information. Marketing includes, but is not limited to, communications to a person based on prescription patterns or protected health information intended to encourage or discourage the person's use of prescription or non-prescription medicine, medical devices or any other product. Marketing does not include a communication, by a covered entity, health care provider, or participants in an organized health care arrangement or their affiliated covered entities or business associates, necessary to provide treatment or perform health care operations.
(8) Nonpublic personal health information--Has the same meaning as "protected health information."
(9) Prescription information--Any information, whether oral or recorded in any form or medium, that
(A) relates to or concerns a prescription created or received by a covered entity, health care provider, public health authority, employer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of a person, the provision of health care to the person, or the utilization of health care by the person.
(10) Prescription Pattern--A profile or other summary of a person's prescription information.
(11) Protected health information--Individually identifiable health information collected from a person, including the person's name, address, social security number and demographic information, that:
(A) relates to:
(i) the past, present, or future physical or mental health or condition of the person;
(ii) the provision of health care to the person; or
(iii) the past, present, or future payment for the provision of health care to the person; and
(B) either identifies the person or provides a reasonable basis to believe the information can be used to identify the person.
(12) Request for authorization--A written or electronic transmission requesting an authorization pursuant to this subchapter.
22.53. Authorization Required for Disclosure of Nonpublic Personal Health Information. Except pursuant to 22.57 of this subchapter (relating to Exceptions) a covered entity must obtain an authorization to disclose any nonpublic personal health information about a consumer to another party before making such a disclosure.
22.54. Authorizations. An authorization required by this subchapter shall:
(1) be in writing or, if the consumer has agreed to conduct business with the covered entity electronically, in electronic form, and shall:
(A) state the identity of the consumer who is the subject of the nonpublic personal health information;
(i) the types of nonpublic personal health information to be disclosed;
(ii) the parties to whom the covered entity discloses nonpublic personal health information;
(iii) the purpose of the disclosure;
(iv) how the information disclosed will be used; and
(v) the procedure for revoking the authorization.
(C) include the signature and date signed of:
(i) the consumer who is the subject of the nonpublic personal health information; or
(ii) a person who is legally empowered to authorize disclosure of the subject consumer's nonpublic personal health information.
(D) provide notice:
(i) of the length of time for which the authorization is valid; and
(ii) that the consumer may revoke the authorization at any time.
(2) An authorization subject to this subchapter shall specify the period of time for which the authorization shall remain valid, but shall in no event be valid:
(A) in the case of an authorization signed by the consumer that is the subject of the nonpublic personal health information, for a period of more than 24 months from the date it was signed; and
(B) in the case of an authorization signed by another person who is legally empowered to authorize disclosure on behalf of the consumer, for a period that does not exceed the lesser of the time period during which the person remains so legally empowered or a period of more than 24 months from the date it was signed.
(3) A covered entity obtaining an authorization pursuant to this subchapter shall retain the original authorization or a copy thereof in its records of the consumer who is the subject of nonpublic personal health information.
(4) A covered entity may obtain a subsequent authorization to replace an authorization that has by its terms expired, provided that the subsequent authorization:
(A) complies with the requirements of paragraph (1)(C) of this section, and
(B) meets all other applicable requirements of this section.
22.55. Delivery of Requests for Authorization & Authorization Forms.
(a) A covered entity may deliver a request for authorization and an authorization form to a consumer as required by this subchapter:
(1) separately; or
(2) along with a policy, billing, an opt-out notice pursuant to Subchapter A of this chapter, or other written communication, provided that the request for authorization and the authorization form:
(A) are clear and conspicuous,
(B) are separate in content from any other accompanying written communication, and
(C) require a separate signature on a signature line that is not a part of any signature line relating to any of the other accompanying written communication.
(b) A covered entity is not required to deliver, or include in any other communications, an authorization form to the consumer unless the covered entity intends to disclose protected health information pursuant to 22.53 of this subchapter (relating to Authorization Required for Disclosure of Nonpublic Personal Health Information).
(c) A covered entity must receive an authorization prior to making any disclosures pursuant to that authorization.
22.56. Revocation of Authorizations.
(a) A consumer or person who has signed an authorization described in this subchapter may at any time revoke that authorization.
(b) Revocation of any authorization made pursuant to this subchapter is subject to the rights of a person who acted in reasonable reliance on the authorization before receiving notice of the revocation.
(c) A revocation must be in writing and signed by the consumer about whom the authorization was made or by a person legally empowered to authorize disclosure on behalf of the consumer.
(d) A covered entity:
(1) may not require a revocation to be on a particular form; and
(2) must honor a revocation that reasonably identifies the authorization that it is intended to revoke.
(e) A covered entity shall effect a revocation as soon as possible after receipt but not later than the fifth day after the date of receipt.
22.57. Exceptions.
(a) A covered entity may disclose, without an authorization, nonpublic personal health information to the extent that the disclosure is necessary to perform the following insurance functions or legally required activity on behalf of that covered entity:
(1) the investigation or reporting of actual or potential fraud, misrepresentation, or criminal activity;
(3) the placement or issuance of an insurance product;
(4) loss control services;
(5) ratemaking and guaranty fund functions;
(6) reinsurance and excess loss insurance;
(7) risk management;
(8) case management;
(9) disease management;
(10) quality assurance;
(11) quality improvement;
(12) performance evaluation;
(13) health care provider credentialing verification;
(14) utilization review;
(15) peer review activities;
(16) actuarial, scientific, medical, or public policy research;
(17) grievance procedures;
(18) the internal administration of compliance, managerial, and information systems;
(19) policyholder services;
(22) database security;
(23) the administration of consumer disputes and inquiries;
(24) external accreditation standards;
(25) the replacement of a group benefit plan or workers' compensation policy or program;
(26) activities in connection with a sale, merger, transfer, or exchange of all or part of a business or operating unit;
(27) any activity that permits disclosure without authorization under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), as amended;
(28) disclosure that is required, or is a lawful or appropriate method to enforce the covered entity's rights or the rights of other persons engaged, in carrying out a transaction or providing an insurance product or service that the consumer requests or authorizes;
(29) claims administration, adjustment, and management;
(30) any activity otherwise permitted by law, required pursuant to a governmental reporting authority, or required to comply with legal process; and
(31) any other insurance functions that the commissioner approves that are:
(A) necessary for appropriate performance of insurance functions; and
(B) fair and reasonable to the interests of consumers.
(b) A disclosure for marketing purposes shall not be considered to be an insurance function or any other type of activity that constitutes an exception under this section.
22.58. Disclosure of Protected Health Information for Marketing Purposes, Requirements for Marketing By or On Behalf of a Covered Entity.
(a) A covered entity may not disclose, use, or sell protected health information, including prescription information or prescription patterns, for marketing purposes without an authorization from the person who is the subject of the protected health information which complies with this subchapter.
(b) A covered entity may not coerce or encourage the coercion of a person to consent to or authorize the disclosure, use, or sale of protected health information for marketing purposes.
(c) Any written marketing communications sent by or on behalf of a covered entity must:
(1) be sent in an envelope showing only the address of the sender and the name and address of the recipient; and
(2) state the name and toll-free number of the sender and, if different, the covered entity on whose behalf the communication was sent; and
(3) explain the recipient's right to have the recipient's name removed from the sender's mailing list.
(d) A person who receives a request under subsection (c)(3) of this section to remove a recipient's name from a mailing list shall remove the recipient's name not later than the fifth day after the person receives the request.
22.59. Reidentified Information. A covered entity may not reidentify or attempt to reidentify a person who is the subject of any protected health information without obtaining from that person an authorization that complies with this subchapter.
22.60. Responsibility for Disclosure to Third Parties. A covered entity that discloses protected health information to another person to perform any function on behalf of the covered entity shall ensure that the person to whom the information is disclosed maintains and discloses the protected health information in compliance with this subchapter, and shall remain responsible for any subsequent unlawful disclosure of, reidentification of, or marketing using the disclosed protected health information.
22.61. Relationship to Federal Rules. This subchapter does not apply to a covered entity that is required to comply with the standards governing the privacy of individually identifiable health information adopted by the United States Secretary of Health and Human Services under Section 262(a), Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sections 1320d-1320d-8).
22.62. Protection of Fair Credit Reporting Act. This subchapter may not be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.) and an inference may not be drawn based on this subchapter regarding whether information is transaction or experience information under Section 603 of that Act (15 U.S.C. Section 1681a).
22.63. Relationship to State Laws. Nothing in this subchapter shall be construed to preempt or supersede existing state law related to medical records, health or insurance information privacy that is in effect on July 1, 2002.
22.64. Violation; Disciplinary Action.
(a) A covered entity may not knowingly or willfully violate this subchapter.
(b) A knowing or willful violation of any section of this subchapter shall subject the covered entity to the disciplinary and enforcement sanctions and penalties provided in the Insurance Code, Chapters 28B, 82, 83, and 84.
(c) In addition to the penalties prescribed by this subchapter, an alleged violation of this subchapter by a covered entity is subject to investigation and disciplinary proceedings, including probation or suspension. Evidence of a pattern or practice of violations under this subchapter may subject a covered entity to license revocation.
(d) In addition to the penalties prescribed by this subchapter, a covered entity shall be excluded from participating in any state-funded health care program if there is evidence that the covered entity engaged in a pattern or practice of violating this subchapter.
(e) This subchapter does not affect any right of a person to bring a cause of action under other law or otherwise seek relief with respect to conduct that is a violation of this subchapter.
22.65. Nondiscrimination. A covered entity shall not unfairly discriminate against a consumer because that consumer has opted out from the disclosure of his or her nonpublic personal health information pursuant to the provisions of this subchapter.
22.66. Severability. If any section or portion of a section of this subchapter or its applicability to any person or circumstance is held invalid by a court, the remainder of the subchapter or the applicability of the provision to other persons or circumstances shall not be affected.
22.67. Effective Date. This subchapter takes effect February 3, 2002.