28 TAC §§22.51 - 22.67
The Texas Department of Insurance proposes new §§22.51-22.67,
concerning privacy of nonpublic personal health information provided by consumers
to insurers and other covered entities regulated by the department. This proposal
is necessary to implement provisions of Senate Bill (SB) 11, 77th Texas Legislature.
SB 11 added Chapter 28B to the Insurance Code (Article 28B.01 et seq.), which
requires entities regulated by the department to comply with the privacy provisions
of the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C.
Sections 1320d-1320d-8). SB 11 also added Subtitle I to Title 2 of the Health &
Safety Code (Section 181.001 et seq.), which requires certain persons, including
covered entities subject to regulation by the department, to comply with provisions
addressing reidentification of persons and marketing using protected health
information. SB 11 authorizes the Commissioner to adopt rules necessary to
implement protected health information privacy requirements. The proposed
sections set forth the requirements that covered entities must meet in structuring
their consumer health information practices to comply with HIPAA and SB 11.
Specifically, the rules provide notice requirements, as well as other procedures
that covered entities must follow with regard to nonpublic personal health
information collected about a consumer.
Proposed §22.51 explains the purpose and scope of the subchapter.
Proposed §22.52 defines terms within the subchapter and clarifies that
terms defined in Subchapter A of this chapter also apply to this subchapter.
Proposed §22.53 sets forth the general requirement that an authorization
is required prior to disclosure of any protected health information by a covered
entity subject to the subchapter. Proposed §22.54 sets forth the required
elements of an authorization. Proposed §22.55 details how requests for
authorizations and authorization forms must be delivered. Proposed §22.56
sets forth the requirements for revocation of an authorization. Proposed §22.57
describes exceptions to the applicability of the subchapter and clarifies
that marketing does not constitute an exception for purposes of this section.
Proposed §22.58 outlines requirements for marketing using protected health
information. Proposed §22.59 prohibits reidentification of or any attempt
to reidentify a person who is the subject of any protected health information.
Proposed §22.60 addresses a covered entity's responsibility for a third
party's treatment of protected health information it discloses to the third
party. Proposed §22.61 clarifies that once the federal health privacy
rules under HIPAA become effective, this subchapter shall not apply to covered
entities required to comply with those federal rules. Proposed §22.62
provides that the subchapter shall not affect the operation of the federal
Fair Credit Reporting Act. Proposed §22.63 provides that the subchapter
does not preempt or supersede existing state law related to health information
privacy. Proposed §22.64 prohibits covered entities from violating the
subchapter, describes available legal remedies and disciplinary actions, and
provides that the subchapter does not affect a person's right to seek relief
available under other law. Proposed §22.65 prohibits discrimination against
consumers because of the exercise of rights under this subchapter. Proposed §22.66
provides for severability of any section of this subchapter held invalid.
Proposed §22.67 establishes a compliance date for the subchapter.
Kim Stokes, Senior Associate Commissioner for Life, Health, & Licensing,
has determined that for each year of the first five years the proposed sections
will be in effect, there will be no fiscal impact to state and local governments
as a result of the enforcement or administration of the rule. There will be
no measurable effect on local employment or the local economy as a result
of the proposal.
Ms. Stokes has also determined that for each year of the first five years
the sections are in effect, the public benefit anticipated as a result of
the proposed sections will be enhanced protection of privacy of consumer health
information. Ms. Stokes has determined that any economic cost to persons required
to comply with the new sections, as well as any costs to a covered entity
qualifying as a small business under Government Code §2006.001, for each
year of the first five years the proposed new sections will be in effect are
the result of the legislative enactment of the Insurance Code Chapter 28B,
and not as a result of the adoption, enforcement, or administration of the
proposed new sections. The total cost to a covered entity is not dependent
upon the size of the entity, but rather is dependent upon the entity's number
of consumers. Therefore, it is the department's position that the adoption
of these proposed new sections will have no adverse economic effect on small
businesses or micro-businesses. Regardless of the fiscal effect, the department
does not believe it legal or feasible to waive the requirements of these rules
for small businesses or micro-businesses. To do so would allow differentiation
of protection between consumers of small business covered entities compared
to those protections provided to the consumers of large covered entities.
In an effort to minimize costs, however, covered entities may deliver required
notices along with other correspondence rather than in a separate mailing.
To be considered, comments on the proposal must be submitted in writing
no later than 5:00 p.m., Central Daylight Time, on February 4, 2002, to Lynda
H. Nesenholtz, Chief Clerk, Mail Code 113-2A, Texas Department of Insurance,
P. O. Box 149104, Austin, Texas 78714-9104. An additional copy of the comment
must be simultaneously submitted to Barbara Holthaus, Director of Project
Development, Mail Code 107-2A, Texas Department of Insurance, P.O. Box 149104,
Austin, Texas 78714-9104. A request for a public hearing should be submitted
separately to the Office of the Chief Clerk.
The new sections are proposed under the Insurance Code Article
28B.08 and §36.001 and the Health & Safety Code, Section 181.004.
Insurance Code Article 28B.08 provides that the Commissioner may adopt rules
as necessary to implement the chapter. Insurance Code Section 36.001 provides
that the Commissioner of Insurance may adopt rules to execute the duties and
functions of the Texas Department of Insurance only as authorized by statute.
Health & Safety Code Section 181.004 authorizes a state agency that licenses
or regulates a covered entity subject to Chapter 181 to adopt rules as necessary
to carry out the purposes of the chapter.
The following article of the Insurance Code and sections of Chapter 181
of the Health & Safety Code are affected by this proposal: Insurance Code
Art. 28B.01 et seq.; Health & Safety Code §§181.151 and 181.152.
§22.51. Purpose and Scope.
(a) Purpose. This subchapter governs the treatment by all covered entities of a consumer's nonpublic personal health information. This subchapter:
  (1) requires a covered entity to obtain an authorization prior to disclosing nonpublic personal health information about a consumer to any other person for any purpose other than as enumerated in §22.57 of this subchapter (relating to Exceptions);
  (2) describes exceptions to the authorization requirement for certain insurance related transactions and other purposes enumerated in this subchapter;
  (3) prohibits a covered entity from reidentifying or attempting to reidentify a consumer who is the subject of any protected health information without obtaining the consumer's consent or authorization; and
  (4) sets forth requirements for written marketing communication using protected health information.
(b) Scope. This subchapter applies to all nonpublic personal health information held by a covered entity as defined in this subchapter.
§22.52. Definitions.
The following words and terms, when used in this subchapter, shall have the following meanings, unless the context clearly indicates otherwise. Unless otherwise defined in this subchapter, each term that is used in this subchapter that is defined in subchapter A of this chapter shall have the meaning assigned by subchapter A of this chapter.
(1) Authorization--Executed document that signifies that the signer of the authorization is providing informed permission that nonpublic personal health information held by a covered entity and described in the document may be released to other parties pursuant to the terms of the document.
(2) Authorization form--A form provided by a covered entity, which, if signed and dated by a consumer as set forth in this subchapter, constitutes an authorization under this subchapter.
(3) Consumer--A person or that person's representative who seeks to obtain, obtains or has obtained an insurance product or service from a covered entity, and about whom the covered entity has nonpublic personal health information.
(4) Covered entity--A person who holds or is required to hold a license, registration, certificate of authority, or other authority under the Insurance Code or another insurance law of this state. The term includes, but is not limited to, an insurance company, group hospital service corporation, mutual insurance company, local mutual aid association, statewide mutual assessment company, stipulated premium insurance company, health maintenance organization, reciprocal or interinsurance exchange, Lloyd's plan, fraternal benefit society, county mutual insurer, farm mutual insurer, viatical or life settlement provider or broker, or insurance agent. For purposes of this subchapter, "covered entity" has the same meaning as "licensee" as used in Article 28B.01(2), Insurance Code.
(5) Health care operations--As set forth in the Health Insurance Portability and Accountability Act and Privacy Standards. The term does not include marketing as described in 45 C.F.R. §164.514(e) and any subsequent amendments.
(6) Health Insurance Portability and Accountability Act and Privacy Standards--The privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) and the final rules adopted on December 28, 2000, and published at 65 Fed. Reg. 82798 et seq., and any subsequent amendments.
(7) Marketing--The promotion or advertisement, by a covered entity, of specific products or services if the covered entity receives, directly or indirectly, a financial incentive or remuneration for the use, access, or disclosure of protected health information. Marketing includes, but is not limited to, communications to a person based on prescription patterns or protected health information intended to encourage or discourage the person's use of prescription or non-prescription medicine, medical devices or any other product. Marketing does not include a communication, by a covered entity, health care provider, or participants in an organized health care arrangement or their affiliated covered entities or business associates, necessary to provide treatment or perform health care operations.
(8) Nonpublic personal health information--Has the same meaning as "protected health information."
(9) Prescription information--Any information, whether oral or recorded in any form or medium, that:
  (A) relates to or concerns a prescription created or received by a covered entity, health care provider, public health authority, employer, school or university, or health care clearinghouse; and
  (B) relates to the past, present, or future physical or mental health or condition of a person, the provision of health care to the person, or the utilization of health care by the person.
(10) Prescription pattern--A profile or other summary of a person's prescription information.
(11) Protected health information--Individually identifiable health information collected from a person, including the person's name, address, social security number and demographic information, that:
  (A) relates to:
    (i) the past, present, or future physical or mental health or condition of the person;
    (ii) the provision of health care to the person; or
    (iii) the past, present, or future payment for the provision of health care to the person; and
  (B) either identifies the person or provides a reasonable basis to believe the information can be used to identify the person.
(12) Request for authorization--A written or electronic transmission requesting an authorization pursuant to this subchapter.
§22.53. Authorization Required for Disclosure of Nonpublic Personal Health Information.
Except pursuant to §22.57 of this subchapter (relating to Exceptions), a covered entity must obtain an authorization to disclose any nonpublic personal health information about a consumer to another party before making such a disclosure.
§22.54. Authorizations.
An authorization required by this subchapter shall:
(1) be in writing or, if the consumer has agreed to conduct business with the covered entity electronically, in electronic form, and shall:
  (A) state the identity of the consumer who is the subject of the nonpublic personal health information;
  (B) describe:
    (i) the types of nonpublic personal health information to be disclosed;
    (ii) the parties to whom the covered entity discloses nonpublic personal health information;
    (iii) the purpose of the disclosure;
    (iv) how the information disclosed will be used; and
    (v) the procedure for revoking the authorization;
  (C) include the signature and date signed of:
    (i) the consumer who is the subject of the nonpublic personal health information; or
    (ii) a person who is legally empowered to authorize disclosure of the subject consumer's nonpublic personal health information; and
  (D) provide notice:
    (i) of the length of time for which the authorization is valid; and
    (ii) that the consumer may revoke the authorization at any time.
(2) An authorization subject to this subchapter shall specify the period of time for which the authorization shall remain valid, but shall in no event be valid:
  (A) in the case of an authorization signed by the consumer that is the subject of the nonpublic personal health information, for a period of more than 24 months from the date it was signed; and
  (B) in the case of an authorization signed by another person who is legally empowered to authorize disclosure on behalf of the consumer, for a period exceeding the lesser of the time period during which the person remains so legally empowered or 24 months from the date it was signed.
(3) A covered entity obtaining an authorization pursuant to this subchapter shall retain the original authorization or a copy thereof in its records of the consumer who is the subject of nonpublic personal health information.
(4) A covered entity may obtain a subsequent authorization to replace an authorization that has by its terms expired, provided that the subsequent authorization:
  (A) complies with the requirements of paragraph (1)(C) of this section, and
  (B) meets all other applicable requirements of this section.
§22.55. Delivery of Requests for Authorization and Authorization Forms.
(a) A covered entity may deliver a request for authorization and an authorization form to a consumer as required by this subchapter:
  (1) separately; or
  (2) along with a policy, billing, an opt-out notice pursuant to Subchapter A of this chapter, or other written communication, provided that the request for authorization and the authorization form:
    (A) are clear and conspicuous,
    (B) are separate in content from any other accompanying written communication, and
    (C) require a separate signature on a signature line that is not a part of any signature line relating to any of the other accompanying written communication.
(b) A covered entity is not required to deliver, or include in any other communications, an authorization form to the consumer unless the covered entity intends to disclose protected health information pursuant to §22.53 of this subchapter (relating to Authorization Required for Disclosure of Nonpublic Personal Health Information).
(c) A covered entity must receive an authorization prior to making any disclosures pursuant to that authorization.
§22.56. Revocation of Authorizations.
(a) A consumer or person who has signed an authorization described in this subchapter may at any time revoke that authorization.
(b) Revocation of any authorization made pursuant to this subchapter is subject to the rights of a person who acted in reasonable reliance on the authorization before receiving notice of the revocation.
(c) A revocation must be in writing and signed by the consumer about whom the authorization was made or by a person legally empowered to authorize disclosure on behalf of the consumer.
(d) A covered entity:
  (1) may not require a revocation to be on a particular form; and
  (2) must honor a revocation that reasonably identifies the authorization that it is intended to revoke.
(e) A covered entity shall effect a revocation as soon as possible after receipt but not later than the fifth day after the date of receipt.
§22.57. Exceptions.
(a) A covered entity may disclose, without an authorization, nonpublic personal health information to the extent that the disclosure is necessary to perform the following insurance functions or legally required activity on behalf of that covered entity:
  (1) the investigation or reporting of actual or potential fraud, misrepresentation, or criminal activity;
  (2) underwriting;
  (3) the placement or issuance of an insurance product;
  (4) loss control services;
  (5) ratemaking and guaranty fund functions;
  (6) reinsurance and excess loss insurance;
  (7) risk management;
  (8) case management;
  (9) disease management;
  (10) quality assurance;
  (11) quality improvement;
  (12) performance evaluation;
  (13) health care provider credentialing verification;
  (14) utilization review;
  (15) peer review activities;
  (16) actuarial, scientific, medical, or public policy research;
  (17) grievance procedures;
  (18) the internal administration of compliance, managerial, and information systems;
  (19) policyholder services;
  (20) auditing;
  (21) reporting;
  (22) database security;
  (23) the administration of consumer disputes and inquiries;
  (24) external accreditation standards;
  (25) the replacement of a group benefit plan or workers' compensation policy or program;
  (26) activities in connection with a sale, merger, transfer, or exchange of all or part of a business or operating unit;
  (27) any activity that permits disclosure without authorization under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), as amended;
  (28) disclosure that is required, or is a lawful or appropriate method to enforce the covered entity's rights or the rights of other persons engaged, in carrying out a transaction or providing an insurance product or service that the consumer requests or authorizes;
  (29) claims administration, adjustment, and management;
  (30) any activity otherwise permitted by law, required pursuant to a governmental reporting authority, or required to comply with legal process; and
  (31) any other insurance functions that the commissioner approves that are:
    (A) necessary for appropriate performance of insurance functions; and
    (B) fair and reasonable to the interests of consumers.
(b) A disclosure for marketing purposes shall not be considered to be an insurance function or any other type of activity that constitutes an exception under this section.
§22.58. Disclosure of Protected Health Information for Marketing Purposes; Requirements for Marketing By or On Behalf of a Covered Entity.
(a) A covered entity may not disclose, use, or sell protected health information, including prescription information or prescription patterns, for marketing purposes without an authorization from the person who is the subject of the protected health information which complies with this subchapter.
(b) A covered entity may not coerce or encourage the coercion of a person to consent to or authorize the disclosure, use, or sale of protected health information for marketing purposes.
(c) Any written marketing communications sent by or on behalf of a covered entity must:
  (1) be sent in an envelope showing only the address of the sender and the name and address of the recipient;
  (2) state the name and toll-free number of the sender and, if different, the covered entity on whose behalf the communication was sent; and
  (3) explain the recipient's right to have the recipient's name removed from the sender's mailing list.
(d) A person who receives a request under subsection (c)(3) of this section to remove a recipient's name from a mailing list shall remove the recipient's name not later than the fifth day after the person receives the request.
§22.59. Reidentified Information.
A covered entity may not reidentify or attempt to reidentify a person who is the subject of any protected health information without obtaining from that person an authorization that complies with this subchapter.
§22.60. Responsibility for Disclosure to Third Parties.
A covered entity that discloses protected health information to another person to perform any function on behalf of the covered entity shall ensure that the person to whom the information is disclosed maintains and discloses the protected health information in compliance with this subchapter, and shall remain responsible for any subsequent unlawful disclosure of, reidentification of, or marketing using the disclosed protected health information.
§22.61. Relationship to Federal Rules.
This subchapter does not apply to a covered entity that is required to comply with the standards governing the privacy of individually identifiable health information adopted by the United States Secretary of Health and Human Services under Section 262(a), Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sections 1320d-1320d-8).
§22.62. Protection of Fair Credit Reporting Act.
This subchapter may not be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.), and an inference may not be drawn based on this subchapter regarding whether information is transaction or experience information under Section 603 of that Act (15 U.S.C. Section 1681a).
§22.63. Relationship to State Laws.
Nothing in this subchapter shall be construed to preempt or supersede existing state law related to medical records, health or insurance information privacy that is in effect on July 1, 2002.
§22.64. Violation; Disciplinary Action.
(a) A covered entity may not knowingly or willfully violate this subchapter.
(b) A knowing or willful violation of any section of this subchapter shall subject the covered entity to the disciplinary and enforcement sanctions and penalties provided in the Insurance Code, Chapters 28B, 82, 83, and 84.
(c) In addition to the penalties prescribed by this subchapter, an alleged violation of this subchapter by a covered entity is subject to investigation and disciplinary proceedings, including probation or suspension. Evidence of a pattern or practice of violations under this subchapter may subject a covered entity to license revocation.
(d) In addition to the penalties prescribed by this subchapter, a covered entity shall be excluded from participating in any state-funded health care program if there is evidence that the covered entity engaged in a pattern or practice of violating this subchapter.
(e) This subchapter does not affect any right of a person to bring a cause of action under other law or otherwise seek relief with respect to conduct that is a violation of this subchapter.
§22.65. Nondiscrimination.
A covered entity shall not unfairly discriminate against a consumer because that consumer has opted out from the disclosure of his or her nonpublic personal health information pursuant to the provisions of this subchapter.
§22.66. Severability.
If any section or portion of a section of this subchapter or its applicability to any person or circumstance is held invalid by a court, the remainder of the subchapter or the applicability of the provision to other persons or circumstances shall not be affected.
§22.67. Effective Date.
This subchapter takes effect February 3, 2002.
This agency hereby certifies that the proposal has been reviewed
by legal counsel and found to be within the agency's legal authority to adopt.
Filed with the Office of the Secretary of State, on December 21, 2001.
TRD-200108223
Gene Jarmon
Assistant General Counsel
Texas Department of Insurance
Earliest possible date of adoption: February 3, 2002
For further information, please call: (512) 463-6327