28 TAC §§22.51 - 22.57, 22.60 - 22.67
The Commissioner of Insurance adopts new Subchapter B, §§22.51-22.57
and 22.60-22.67, concerning privacy of nonpublic personal health information
provided by consumers to insurers and other covered entities regulated by
the department. New §§22.51, 22.52, 22.54, 22.57, 22.60, 22.65,
and 22.67 are adopted with changes to the proposed text published in the January
4, 2002 issue of the Texas Register (27 TexReg 35). New §§22.53, 22.55, 22.56, 22.61, 22.62, 22.63, 22.64, and
22.66 are adopted without changes and will not be republished. Sections 22.58
and 22.59 are withdrawn and will not be adopted at this time.
The adopted rules are necessary to implement provisions of Senate Bill
(SB) 11, 77th Texas Legislature. SB 11 added Chapter 28B to the Insurance
Code (Article 28B.01 et seq.), which requires entities regulated by the department
to comply with certain health privacy provisions. SB 11 also added Subtitle
I to Title 2 of the Health & Safety Code (Section 181.001 et seq.), which
also addresses privacy of health information. SB 11 authorizes the Commissioner
to adopt rules necessary to implement protected health information privacy
requirements. The new sections set forth the requirements that covered entities
must meet in structuring their consumer health information practices. Specifically,
the rule provides notice requirements, as well as other procedures, that covered
entities must follow with regard to nonpublic personal health information
collected about a consumer. After receiving public comments on the proposed
rules, the department has made changes based upon the public comments, proposed
amendments to existing federal regulations, and for clarification. Most notably,
the department has withdrawn §§22.58 and 22.59 as proposed. These
sections, which dealt, respectively, with the use of protected health information
for marketing purposes and reidentification of an individual using previously
deidentified protected health information, were intended to implement Subchapter
D of Chapter 181 of the Texas Health and Safety Code (H&SC), which H&SC §181.051
makes applicable to the department's licensees and which was also created by
SB 11. Unlike TIC Chapter 28B, H&SC Chapter 181 applies to
entities even if the entity is also in compliance with the federal privacy
regulations implementing the Health Insurance Portability and Accountability
Act (HIPAA) (42 U.S.C. Sections 1320d-1320d-8). Proposed §§22.58
and 22.59 were intended to mirror the requirements of the HIPAA privacy regulations.
Amendments to the HIPAA privacy regulations were proposed on March 27, 2002,
subsequent to the publication of this proposed rule. Accordingly, the department
has decided to withdraw these particular sections pending the disposition
of the proposed amendments to the HIPAA privacy regulations. Other changes,
made in response to comments received, include changing the term "person"
to "individual" wherever it referenced a natural person in §§22.52(3),
22.52(7), 22.52(9), 22.52(10) and 22.52(11). The option to use a consumer's
"electronic signature" on an authorization, if the consumer has previously
agreed to conduct business with the covered entity electronically, was added
to §22.54(1)(C). Section 22.54(2)(B) was changed to permit an authorization
provided by a consumer's legal representative to remain valid for 24 months
unless the covered entity receives notice that the authorization is revoked.
The five-day requirement in proposed §22.56(e) was changed to 15 days.
The department made a minor clerical change to §22.57(a)(28). Section
22.60 was changed to clarify that a covered entity may not disclose protected
health information to a third party unless that third party agrees to use
the information in a manner consistent with the rule. In §22.65, the
term "opted out from the" was changed to "not authorized." The effective date
of February 3, 2002 was changed to September 1, 2002.
Section 22.51 explains the purpose and scope of the subchapter. Section
22.52 defines terms within the subchapter and clarifies that terms defined
in Subchapter A of this chapter also apply to this subchapter. Section 22.53
sets forth the general requirement that an authorization is required prior
to disclosure of any protected health information by a covered entity subject
to the subchapter. Section 22.54 sets forth the required elements of an authorization.
Section 22.55 details how requests for authorizations and authorization forms
must be delivered. Section 22.56 sets forth the requirements for revocation
of an authorization. Section 22.57 sets forth exceptions to the authorization
requirement. Section 22.60 addresses conditions under which a covered entity
may disclose protected health information to a third party. Section 22.61
clarifies that once the federal health privacy rules under HIPAA become effective,
this subchapter shall not apply to covered entities required to comply with
those federal rules. Section 22.62 provides that the subchapter shall not
affect the operation of the federal Fair Credit Reporting Act. Section 22.63
provides that the subchapter does not preempt or supersede existing state
law related to health information privacy. Section 22.64 prohibits covered
entities from violating the subchapter, describes available legal remedies
and disciplinary actions, and provides that the subchapter does not affect
a person's right to seek relief available under other law. Section 22.65 prohibits
discrimination against consumers because of the exercise of rights under this
subchapter. Section 22.66 provides for severability of any section of this
subchapter which may be deemed invalid. Section 22.67 establishes a compliance
date for the subchapter.
General: Several commenters believe that the use of the term "covered entity"
in the rule, rather than "licensee," is confusing because Chapter 181 of the
H&SC uses the term "covered entity" while Texas Insurance Code (TIC) Chapter
28B refers to "licensees."
Agency Response: While the department notes that SB 11 uses the term "licensee"
to distinguish persons subject to the health privacy requirements of TIC Chapter
28B from the "covered entities" defined in H&SC Chapter 181, the department
also notes that TIC Chapter 28A uses the term "covered entity" to apply to
persons subject to the financial privacy requirements of that chapter. The
definition of "covered entity" in TIC Chapter 28A and the definition of "licensee"
in TIC Chapter 28B both reference persons who are subject to the department's
authority but may not actually hold what is technically called a "license"
in the TIC. The financial privacy rule (28 TAC Chapter 22, Subchapter A, implementing
TIC Chapter 28A) utilizes the term "covered entity" to refer to persons subject
to that chapter, which is identical to the definition of "licensee" in TIC
Chapter 28B. Accordingly, the department uses the term "covered entity" in
this rule to be consistent with 28 TAC Chapter 22, Subchapter A. The department
believes it will create even more confusion to readers of 28 TAC Chapter 22
if two different terms are used to define these substantially similar groups.
§22.51. A commenter asks for clarification that, except for Subchapter
D, covered entities are not subject to H&SC Chapter 181.
Agency Response: The department agrees that, as provided in Section 181.051,
TDI licensees are not subject to H&SC Chapter 181, except for Subchapter
D.
§22.51. A commenter believes that covered entities subject to the
HIPAA privacy regulations, 45 CFR Parts 160 through 164, are not subject to
the proposed rule.
Agency Response: The department disagrees. TIC Article 28B.05 provides
that covered entities required to comply with the HIPAA privacy regulations
are not required to also comply with Chapter 28B or rules adopted thereunder.
However, the department notes that the HIPAA privacy standards do not require
compliance until April 13, 2003. Accordingly, until that time, the statutory
exemption is not in effect and covered entities must comply with Chapter 28B
and any rules adopted thereunder.
§§22.51(a)(3) & (4), 22.51(b), 22.52(4), 22.58, 22.59, 22.60,
and 22.65. Several commenters state that H&SC Chapter 181 broadly exempts
workers' compensation system participants, in whole or in part, and request
clarification of the applicability of the rule to them.
Agency Response: The department disagrees. The principal statutory basis
for the rule is TIC Chapter 28B. The scope of this statute includes all persons
who hold or are required to hold a license, registration, certificate of authority,
or other authority under this code or another insurance law of this state.
There is no mention of excepting those entities involved in the business of
workers' compensation insurance. Thus, Chapter 28B, and rules adopted thereunder,
applies to workers' compensation system participants within the scope of SB
11.
H&SC §181.051 also provides statutory authority for this rule
to the extent that it requires TDI licensees to comply with Subchapter D of
Chapter 181. Although the department agrees that H&SC §181.054 excludes
"workers' compensation system participants" from application of Chapter 181
generally, H&SC §181.054 must be read in conjunction with §181.051(1),
which specifically applies Subchapter D of Chapter 181 to TDI licensees. Section
181.054 was added to SB 11 in the Senate Committee Substitute passed by the
Senate on March 21, 2001 (in that version of the bill it was numbered §181.002(b)).
Section 181.051 was not added until the House amended SB 11 in the House Committee
Substitute on May 25, 2001. Although §181.054 excludes all workers' compensation
system participants from application of Chapter 181 generally, §181.051
adds back all workers' compensation system participants (that are also TDI
covered entities) for purposes of compliance with Subchapter D of Chapter
181. The structure and timing of these amendments, along with Chapter 28B's
inclusion of workers' compensation participants, indicate that the legislative
intent was to subject those entities to the same standards as all other covered
entities possessing protected health information.
Regarding §§22.58 and 22.59, the department has decided, nevertheless,
to withdraw the sections implementing the provisions of SB 11 which create
H&SC Chapter 181 pending the disposition of amendments to the HIPAA privacy
regulations proposed on March 27, 2002.
§22.52(2). A commenter is concerned that the definition of "authorization
form" does not permit a representative of a covered entity to provide or obtain
an authorization.
Agency Response: The department does not intend to prohibit, and the language
of the subsection does not prohibit, a covered entity from utilizing a representative
to perform this function, as long as that representative complies with this
and all other requirements of the rule on behalf of the covered entity.
§22.52(3). A commenter states that the definition of "consumer" is
broader than the one found in the National Association of Insurance Commissioners
(NAIC) Model Privacy Regulation and exceeds statutory authority.
Agency Response: The department agrees that its definition of "consumer"
is broader than the definition in the NAIC Model Privacy Regulation but disagrees
that the definition exceeds the department's authority under SB 11. The department
also disagrees that the differences in the definitions will have any impact
on the effort required of a covered entity to protect an individual's health
privacy information. Chapter 28B applies to all entities that fit the definition
of "licensee" as set forth in Article 28B.01(2).
This rule is proposed under the authority granted to the department by
SB 11. Nothing in SB 11 limits the application of Chapter 28B only to entities
that are also subject to the NAIC Model Privacy Regulation. Nor does SB 11
indicate that it was intended to provide protection only to consumers of personal,
family, or household products.
There are two reasons why the definition of consumer should always be broader
for health information than for financial information. First, in the context
of financial privacy, the type of financial information a covered entity obtains
in issuing a commercial policy may often differ from the information it obtains
from an individual seeking coverage for personal, family, or household purposes.
An individual's nonpublic personal health information, however, is protected
regardless of the type of policy under which the individual is covered. For
example, an employer seeking group health coverage may tender its employees'
protected health information to a covered entity while attempting to obtain
coverage, but the employer would not be a consumer under the commenter's interpretation.
This would leave the health information privacy of the employees unprotected.
Second, the financial privacy rule requires covered entities, regardless of
whether they disclose their customers' nonpublic personal financial information
to nonaffiliated third parties, to fulfill certain requirements, e.g., sending
annual notices. This rule contains no similar burden. In fact, unless a covered
entity is planning to disclose an individual's protected health information
to third parties, the rule imposes no burdens on covered entities. Accordingly,
while the "personal, family, household" distinction is a logical limitation
to the scope of the financial privacy rule, with regard to health privacy
it would leave many individuals unprotected and would not significantly alter
the cost of compliance.
§22.52(4). A commenter suggests that the department amend some references
to "persons" in the definition of "consumer" to "individuals."
Agency Response. The department agrees and has made this change where appropriate.
§22.52(4). A commenter believes that the definition of "covered entity"
in this rule is broader than the definition used in the HIPAA privacy regulations,
in that HIPAA does not apply to insurers that are not "health plans."
Agency Response: While the department agrees that the definition in the
rule is broader than the HIPAA privacy regulation's definition, the definition
comes directly from TIC Article 28B.01(2) and thus it is not appropriate to
make this change.
§22.52(7). Several commenters are concerned that the definition of
marketing is too broad and could be construed to require authorization before
an insurer may inform its own customers about its own products or services.
Agency Response: The department has decided to withdraw the sections implementing
the provisions of SB 11 which create H&SC Chapter 181 pending the disposition
of amendments to the HIPAA privacy regulations proposed on March 27, 2002.
Any remaining restrictions on marketing set forth in the rule apply only to
marketing involving protected health information. The rule does not apply
to marketing using any other type of information.
§22.52(7). A commenter is concerned that, as used in the rule, marketing
would include research-related communications. The commenter requests additional
guidance regarding the specific requirements to distinguish treatment and
health care operations from marketing communications.
Agency Response. The department believes that the current definition of
marketing, which excludes communications necessary to perform treatment or
health care operations, gives sufficient leeway to covered entities performing
bona fide health research. The rule does not include such activities within
the scope of "marketing." The department believes that a covered entity will
be able to distinguish between research being performed for bona fide health
purposes and research activities that are actually a type of marketing as
defined in the rule. In enforcing the rule, the department will examine such
communications on a case-by-case basis. The department reminds covered entities
that the rule applies only to activities performed in their capacities as
a covered entity of TDI. For example, the activities of a covered entity also
licensed as a hospital, which is conducting research in its capacity as a
hospital, would not fall within the scope of these rules.
§22.52(7) and prescription patterns. A commenter suggests that the
rule's definition of marketing concerning prescription patterns or protected
health information is broader than authorized by statute. The commenter is
concerned that the inclusion of this language will prohibit the use of such
information for legitimate health care operations and treatment.
Agency Response: The department disagrees. The statutory definition of
"protected health information" specifically includes prescription patterns.
The definition of marketing, however, specifically excludes communications
by a covered entity, health care provider, or participants in an organized
health care arrangement necessary to provide treatment or perform health care
operations. Disease management and other legitimate treatments and health
care operations are not included within the definition of marketing.
§22.52(9) & (10). A commenter believes the definitions of "prescription
information" and "prescription pattern" are too broad and should be expressly
limited to identifiable information. The commenter also believes that the
definition of "prescription information" relates to prescriptions received
by a covered entity from sources that are not covered entities.
Agency Response: The department disagrees that this change is necessary.
"Prescription pattern" is a subset of "protected health information," which
is specifically limited to individually identifiable health information. Moreover,
the definitions of "prescription information" and "prescription pattern" are
both limited to information relating to an individual. Therefore, any prohibitions
on the use of prescription information necessarily include the requirement
that such information be personally identifiable. The commenter is correct
that the definition of "prescription information" relates to prescriptions
from sources that may not be covered entities; the definition is intended
to encompass any kind of information a covered entity might have about a prescription
regardless of its source.
§22.52(11). Two commenters believe the definition of "protected health
information" is too broad, specifically with regard to demographic information,
address, and social security number. Another commenter suggests that the rules
should use the statutory term "nonpublic personal health information" in place
of "protected health information."
Agency Response: The statutory definition of protected health information
includes all information that identifies a consumer, and therefore includes
certain demographic information, addresses, and social security numbers. However,
any information that is also available to the covered entity in a non-health
information context would not be considered to be "health information" and
would not be subject to the restrictions placed on health information by the
rule. "Nonpublic personal health information" has exactly the same meaning,
under the rule, as "protected health information."
§22.54(1)(B). A commenter suggests that this subparagraph should be
changed to allow an authorization to describe the general types of information
to be disclosed and the types of parties to whom the information is to be
disclosed.
Agency Response. The department disagrees that it should add the word "general"
to modify the description of types of information to be disclosed. The term
"types of information" already allows covered entities some latitude to generalize
this disclosure. Any generalization, however, must be done in such a way that
identifies the "types" of information to sufficiently allow a consumer to
understand the nature of the information to which the authorization applies.
The department points out that the language of §22.54(1)(B)(ii) already
allows a covered entity to describe, rather than name, parties to whom disclosure
will be made. This would include generic descriptions such as "an accountant"
or a "document copying service." The department stresses, however, that authorization
forms must be sufficiently specific to provide full and fair notice, and to
avoid the effect of a blanket release.
§22.54(1)(C). A commenter suggests revising this subparagraph to permit
electronic signatures.
Agency Response. The department agrees and has revised the text of the
rule accordingly.
§22.54(2). A commenter suggests that an authorization granted for
any claims-related purpose should remain open for the life of the claim.
Agency Response. The rule and TIC Chapter 28B create an exception to the
authorization requirement for claim-related functions; therefore this change
is unnecessary.
§22.54(2)(B). Two commenters request that the rule be revised to modify
time limitations on the duration of an authorization.
Agency Response. The department declines to make this revision. Article
28B.02(b)(5) mandates the 24-month limitation.
§22.54(2)(B). Several commenters request that the rule be revised
to allow a covered entity to rely on an authorization given by a legal representative
until the entity receives actual written notice that the authorization has
been revoked.
Agency Response. The department agrees that covered entities are entitled
to notice that the representative has lost capacity and has revised the text
accordingly.
§22.54(3). A commenter suggests amendment of this subparagraph to
recognize that this information need only be retained for the life of the
claim. Another commenter suggests six years would be appropriate and consistent
with HIPAA standards.
Agency Response. The purpose of the rule is to set forth how protected
information held by a covered entity can be used and shared. It does not prescribe
standards for record retention. Given the variability in products provided
by covered entities to which this rule will apply, it would not promote efficiency
to set one specific time period for this section, and thus the department
declines to make this change.
§22.54(4). A commenter suggests that this subparagraph should permit
covered entities to suspend the request when a claimant refuses to provide
a new authorization along with a request for service. Another commenter requests
a provision allowing a licensee to condition payment of a claim on provision
of an authorization.
Agency Response. Conditioning the provision of services, including payment
of claims, upon a consumer's relinquishment of privacy protections afforded
by this rule would undermine the very purpose of the rule. Authorizations
are required only if a covered entity plans to share information for purposes
other than insurance-related purposes and the other purposes specifically exempted
by the rule. A covered entity
may not condition the provision of insurance-related services, including payment
of claims, upon a consumer's agreement that protected health information be
used for non-insurance purposes.
§22.55(a)(2)(C). A commenter believes that requiring a separate signature
line on an authorization form included with other written communication will
cause significant administrative burdens.
Agency Response. The department disagrees and declines to make this change.
The purpose of this requirement is to prevent a covered entity from tying
an authorization to release protected health information to any other action.
Given the statute's purpose, the consumer's right to exercise his or her rights
under the rule outweighs the slight administrative burden of requiring a separate
signature line.
§22.56. A commenter suggests that the term "necessary" be changed
or clarified in favor of efficiency or effectiveness out of concern for the
interpretation a court could place on "necessary."
Agency Response. Since the term "necessary" is used in the statute, the
department declines to make this suggested change. The term is also used in
the NAIC Model Privacy Regulation and the department's financial rule, 28
TAC Chapter 22, Subchapter A. The department notes that even if "efficient" or "effective"
were substituted as recommended by the commenter, those terms would remain
subject to judicial interpretation.
§22.56(e). Several commenters suggest that this section be amended
to grant covered entities a longer period of time, ranging from five business
days to 30 calendar days, to effect a revocation.
Agency Response. The department recognizes the five-day requirement may
present compliance difficulties in some circumstances. However, the department
believes that a 30 day requirement would not constitute a timely response
to a consumer's direction to end disclosure. Accordingly, the department has
modified the text to allow a covered entity 15 days to effect a revocation.
This period should be sufficient for covered entities to effect fully any
revocation; i.e., no disclosure by any party under the revoked authorization
should occur after the 15th day.
§22.57(b). A commenter requests deletion of the restriction on disclosure
for marketing purposes.
Agency Response. The department disagrees and declines to make this change.
A primary purpose of SB 11 is to prevent covered entities from using information
collected for the purpose of providing insurance services for marketing.
§22.58. Commenters believe that the rule incorrectly implements H&SC §181.152,
the provision upon which the marketing requirements in §22.58 of the
rule are based, as it would allow a covered entity to use protected health
information to market a health related service to the consumer without an
authorization as long as the covered entity complies with requirements of
H&SC §§181.152(b) and (c). Commenters also suggest that covered
entities be permitted more time to remove an individual from a mailing list.
Agency Response. The department has decided to withdraw the sections implementing
the provisions of SB 11 which create H&SC Chapter 181 pending the disposition
of amendments to the HIPAA privacy regulations proposed on March 27, 2002.
Any remaining restrictions on marketing set forth in the rule apply only to
marketing involving protected health information. The rule does not apply
to marketing using any other type of information.
§22.58. Applicability to entities that must comply with HIPAA. A commenter
believes the rule should be clarified to indicate that entities required to
comply with HIPAA, while exempt from compliance with Chapter 28B, must still
comply with the proposed marketing restrictions implementing Chapter 181,
Subchapter D.
Agency Response. The department agrees that the HIPAA-compliance exemption
contained in Article 28B.05 would not apply to the provisions of the rule
implementing Subchapter D of Chapter 181. The department notes, however, that
the HIPAA privacy regulations also contain specific marketing restrictions
which may preempt conflicting Chapter 181 requirements. Nevertheless, the
department has decided to withdraw the sections implementing the provisions
of SB 11 which create H&SC Chapter 181 pending the disposition of amendments
to the HIPAA privacy regulations proposed on March 27, 2002. Any remaining
restrictions on marketing set forth in the rule apply only to marketing involving
protected health information. The rule does not apply to marketing using any
other type of information.
§§22.58 & 22.59. Commenters suggest amending the rule to
recognize that §§22.58 and 22.59 do not apply to employee benefit
plans or persons acting in connection with them. Another commenter suggests
that since the effective date of H&SC Chapter 181 is September 1, 2003,
the department does not currently have authority to enforce rules adopted
under that chapter and should thus delete or revise those sections of the
proposed rules. Another commenter believes that §22.59 only applies if
required specifically by other state or federal law.
Agency Response. The department has decided to withdraw the sections implementing
the provisions of SB 11 which create H&SC Chapter 181 pending the disposition
of amendments to the HIPAA privacy regulations proposed on March 27, 2002.
§22.60. Several commenters request deletion or revision of this section
to a standard similar to that embodied in 45 CFR §164.504(e), on the
grounds that there is no statutory authority for the requirement and that
it subjects covered entities to responsibility for conduct they may not be
able to control.
Agency Response. The department agrees that, as worded, the proposed rule
appears to impose liability on a covered entity for a third party's violation
of this provision. The department has revised the text to implement the statutory
prohibition against knowing violations by clarifying that a covered entity
may not make disclosures unless the third party agrees not to disclose or
use the protected health information other than in a manner consistent with
the rule.
§22.61. A commenter believes that the proposed rule mandates compliance
with both it and the HIPAA privacy regulations. Another commenter objects
to the requirement that covered entities subject to HIPAA comply with the
rule until the HIPAA regulation takes effect. A third commenter asks for clarification
regarding compliance.
Agency Response. SB 11 and this rule require compliance by covered entities,
which may include entities subject to HIPAA privacy laws. Article 28B.05 provides
that covered entities that are required to comply with HIPAA privacy standards
are not required also to comply with Chapter 28B or rules adopted thereunder.
However, currently no entities are required to comply with the HIPAA privacy
standards (scheduled compliance date, April 13, 2003). The Article 28B.05
exemption does not take effect until HIPAA requires compliance; in the interim,
covered entities must comply with Chapter 28B and any rules adopted thereunder.
Section 22.61 provides that the rule does not apply to a covered entity
that is required to comply with the HIPAA privacy standards. The commenter's
interpretation would result in allowing HIPAA-subject entities to remain totally
unregulated until at least April 13, 2003. This disparity would leave a significant
portion of consumers without the protection contemplated and intended by SB
11. Moreover, the department believes that this rule, although not identical
to the HIPAA privacy regulation, should present minimal difficulty in the
transition from one regulation to the other.
§22.61. A commenter requests that the rule be amended to exempt any
HIPAA-compliant covered entity from the scope of the rule, not simply those
required to comply with the HIPAA privacy regulations. Another commenter states
that the rule does not provide clear guidance as to the extent that entities
performing multiple tasks are expected to comply with the proposed regulations,
and suggests including either a hybrid entity exclusion similar to that contained
in federal privacy rules, or an exemption for "federally covered entities."
Agency Response. The department declines to make this change. Article 28B.05
states that this subchapter does not apply to a covered entity that is required
to comply with the HIPAA privacy requirements. The federal government could
not enforce HIPAA standards against an entity not subject to those standards,
and the department has no authority to enforce the HIPAA standards. SB 11
does not provide authority to create a specific exclusion either for hybrid
entities or federally covered entities.
§22.64(d). A commenter requests amendment of this section to require
that a finding by a court is necessary to exclude a covered entity from a
state-funded health care program.
Agency Response. The department recognizes that the corresponding provisions
of H&SC Chapter 181 specifically require a court order. The rule, however,
is consistent with TIC Article 28B.11, which specifies exclusion if there
is evidence that the covered entity engaged in a pattern or practice of violating
the chapter. In any event, the department has decided to withdraw the sections
implementing the provisions of SB 11 which create H&SC Chapter 181 pending
the disposition of amendments to the HIPAA privacy regulations proposed on
March 27, 2002.
§22.65. A commenter suggests revision of this section to reflect the
opt-in nature of this rule's authorization. Another commenter suggests deletion
of this section as it exceeds the department's authority.
Agency Response. The department agrees with the comment regarding opting
in and has revised the text accordingly. The department disagrees with the
commenter who recommends deletion and declines to make that change. The privacy
protections enacted by SB 11 could not be adequately implemented if insurers
could discriminate against those who exercise their right to protect their
personal health information from disclosure, thus making this section a necessary
component of the implementation of Chapter 28B. Article 28B.09 authorizes
the commissioner to adopt rules as necessary to implement this chapter.
§22.67. Several commenters request that the department delay the effective
date of the rule. One commenter believes that the statute mandates an effective
date of September 1, 2003.
Agency Response. The department disagrees that the earliest possible effective
date of the rule is September 1, 2003. The effective date of the portion of
SB 11 enacting Insurance Code Chapter 28B was January 1, 2002. The rule provides
guidance to covered entities that were required to comply with Chapter 28B
as of that date. Therefore, the department attempted to implement the rule
close in time to the statute's effective date. This rule will take effect
on September 1, 2002.
The effective date for Chapter 181 was September 1, 2001. However, the
statute indicates that compliance with Chapter 181 is required not later than
September 1, 2003. The department is specifically authorized under Sec. 181.004
to adopt rules necessary to carry out the purposes of Chapter 181 as they
apply to its licensees. Therefore, the department has the discretion to determine
the compliance date for its rule. In response to comments, however, requesting
additional time for compliance, and pending the disposition of amendments
to the HIPAA privacy regulations proposed on March 27, 2002, the department
has decided to withdraw the sections implementing the provisions of SB 11
which create H&SC Chapter 181. The department will propose these sections
at a later time.
SB 11, Sec. 5. A commenter remarks that the proposed rule fails to reflect
SB 11 Section 5(e) that "grandfathers" authorizations executed before its
effective date.
Agency Response. The department disagrees, as §22.63
clarifies that this rule does not preempt or supersede existing state law
related to medical records, health or insurance information privacy. Therefore,
an authorization executed under state law existing prior to the effective
date of SB 11 would continue to be governed by that state law. The department
would point out, however, that SB 11, Section 5(e) only applies to the extent
that there actually is existing law that governs a particular consent or authorization.
One of the purposes of SB 11 was to govern consents and authorizations obtained
by covered entities that were not previously subject to a specific statute.
Covered entities attempting to uphold a pre-existing authorization or consent
will be responsible for determining and demonstrating the legal basis under
which the authorization or consent was granted.
For, with changes: Alliance of American Insurers, American Council of Life
Insurers; American Family Life Assurance Company; American Insurance Association;
American International Group, Inc.; Community First Health Plans; Covenant
Management Systems, L.P.; Health Insurance Association of America; Liberty
Mutual Group; Merck-Medco Managed Care, L.L.C.; National Association of Independent
Insurers; Texas Association of Business & Chambers of Commerce; Texas
Association of Health Plans; Texas Association of Life & Health Insurers;
Texas Children's Hospital; Texas Hospital Association; Texas Medical Association;
Texas Mutual Insurance Company; Texas Workers' Compensation Commission; United
Services Automobile Association; Vinson & Elkins.
The new sections are adopted under the Insurance Code Chapter
28B and §36.001 and the H&SC, Section 181.004. Insurance Code Article
28B.08 provides that the Commissioner may adopt rules as necessary to implement
the chapter. H&SC Section 181.004 authorizes a state agency that licenses
or regulates a covered entity subject to Chapter 181 to adopt rules as necessary
to carry out the purposes of the chapter. Insurance Code §36.001 provides
that the Commissioner of Insurance may adopt rules to execute the duties and
functions of the Texas Department of Insurance only as authorized by statute.
§22.51. Purpose and Scope.
(a) Purpose. This subchapter governs the treatment by all covered
entities of a consumer's nonpublic personal health information. This subchapter:
(1) requires a covered entity to obtain an authorization prior
to disclosing nonpublic personal health information about a consumer to any
other person for any purpose other than as enumerated in §22.57 of this
subchapter (relating to Exceptions); and
(2) describes exceptions to the authorization requirement for
certain insurance related transactions and other purposes enumerated in this
subchapter.
(b) Scope. This subchapter applies to all nonpublic personal
health information held by a covered entity as defined in this subchapter.
§22.52. Definitions.
The following words and terms, when used in this subchapter, shall
have the following meanings, unless the context clearly indicates otherwise.
Unless otherwise defined in this subchapter, each term that is used in this
subchapter that is defined in subchapter A of this chapter shall have the
meaning assigned by subchapter A of this chapter.
(1) Authorization--Executed document that signifies that the
signer of the authorization is providing informed permission that nonpublic
personal health information held by a covered entity and described in the
document may be released to other parties pursuant to the terms of the document.
(2) Authorization form--A form provided by a covered entity
which, if signed and dated by a consumer as set forth in this subchapter,
constitutes an authorization under this subchapter.
(3) Consumer--An individual or that individual's representative
who seeks to obtain, obtains or has obtained an insurance product or service
from a covered entity, and about whom the covered entity has nonpublic personal
health information.
(4) Covered entity--A person who holds or is required to hold
a license, registration, certificate of authority, or other authority under
the Insurance Code or another insurance law of this state. The term includes,
but is not limited to, an insurance company, group hospital service corporation,
mutual insurance company, local mutual aid association, statewide mutual assessment
company, stipulated premium insurance company, health maintenance organization,
reciprocal or interinsurance exchange, Lloyd's plan, fraternal benefit society,
county mutual insurer, farm mutual insurer, viatical or life settlement provider
or broker, or insurance agent. For purposes of this subchapter, "covered entity"
has the same meaning as "licensee" as used in Article 28B.01(2), Insurance
Code.
(5) Health care operations--As set forth in the Health Insurance
Portability and Accountability Act and Privacy Standards. The term does not
include marketing as described in 45 C.F.R. §164.514(e) and any subsequent
amendments.
(6) Health Insurance Portability and Accountability Act and
Privacy Standards--The privacy requirements of the Administrative Simplification
subtitle of the Health Insurance Portability and Accountability Act of 1996
(42 U.S.C. Section 1320d et seq.) and the final rules adopted on December
28, 2000, and published at 65 Fed. Reg. 82798 et seq., and any subsequent
amendments.
(7) Marketing--The promotion or advertisement, by a covered
entity, of specific products or services if the covered entity receives, directly
or indirectly, a financial incentive or remuneration for the use, access,
or disclosure of protected health information. Marketing includes, but is
not limited to, communications to an individual based on prescription patterns
or protected health information intended to encourage or discourage the individual's
use of prescription or non-prescription medicine, medical devices or any other
product. Marketing does not include a communication, by a covered entity,
health care provider, or participants in an organized health care arrangement
or their affiliated covered entities or business associates, necessary to
provide treatment or perform health care operations.
(8) Nonpublic personal health information--Has the same meaning
as "protected health information."
(9) Prescription information--Any information, whether oral
or recorded in any form or medium, that:
(A) relates to or concerns a prescription created or received
by a covered entity, health care provider, public health authority, employer,
school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental
health or condition of an individual, the provision of health care to the
individual, or the utilization of health care by the individual.
(10) Prescription pattern--A profile or other summary of an
individual's prescription information.
(11) Protected health information--Individually identifiable
health information collected from an individual, including the individual's
name, address, social security number and demographic information, that:
(A) relates to:
(i) the past, present, or future physical or mental health
or condition of the individual;
(ii) the provision of health care to the individual; or
(iii) the past, present, or future payment for the provision
of health care to the individual; and
(B) either identifies the individual or provides a reasonable
basis to believe the information can be used to identify the individual.
(12) Request for authorization--A written or electronic transmission
requesting an authorization pursuant to this subchapter.
§22.54. Authorizations.
An authorization required by this subchapter shall:
(1) be in writing or electronic form (if the consumer has agreed
to conduct business with the covered entity electronically), and shall:
(A) state the identity of the consumer who is the subject of
the nonpublic personal health information;
(B) describe:
(i) the types of nonpublic personal health information to be
disclosed;
(ii) the parties to whom the covered entity discloses nonpublic
personal health information;
(iii) the purpose of the disclosure;
(iv) how the information disclosed will be used; and
(v) the procedure for revoking the authorization.
(C) include the signature which (if the consumer has agreed
to conduct business with the covered entity electronically) may be in electronic
form, and date signed, of:
(i) the consumer who is the subject of the nonpublic personal
health information; or
(ii) a person who is legally empowered to authorize disclosure
of the subject consumer's nonpublic personal health information.
(D) provide notice:
(i) of the length of time for which the authorization is valid;
and
(ii) that the consumer may revoke the authorization at any
time.
(2) An authorization subject to this subchapter shall specify
the period of time for which the authorization shall remain valid, but shall
in no event be valid:
(A) in the case of an authorization signed by the consumer
that is the subject of the nonpublic personal health information, for a period
of more than 24 months from the date it was signed; and
(B) in the case of an authorization signed by another person
who is legally empowered to authorize disclosure on behalf of the consumer,
for a period that ends at the later of:
(i) the date the covered entity receives notice that the person
has lost the legal capacity to authorize disclosure, or
(ii) 24 months from the date it was signed.
(3) A covered entity obtaining an authorization pursuant to
this subchapter shall retain the original authorization or a copy thereof
in its records of the consumer who is the subject of nonpublic personal health
information.
(4) A covered entity may obtain a subsequent authorization
to replace an authorization that has by its terms expired, provided that the
subsequent authorization:
(A) complies with the requirements of paragraph (1)(C) of this
section, and
(B) meets all other applicable requirements of this section.
§22.57. Exceptions.
(a) A covered entity may disclose, without an authorization,
nonpublic personal health information to the extent that the disclosure is
necessary to perform the following insurance functions or legally required
activity on behalf of that covered entity:
(1) the investigation or reporting of actual or potential fraud,
misrepresentation, or criminal activity;
(2) underwriting;
(3) the placement or issuance of an insurance product;
(4) loss control services;
(5) ratemaking and guaranty fund functions;
(6) reinsurance and excess loss insurance;
(7) risk management;
(8) case management;
(9) disease management;
(10) quality assurance;
(11) quality improvement;
(12) performance evaluation;
(13) health care provider credentialing verification;
(14) utilization review;
(15) peer review activities;
(16) actuarial, scientific, medical, or public policy research;
(17) grievance procedures;
(18) the internal administration of compliance, managerial,
and information systems;
(19) policyholder services;
(20) auditing;
(21) reporting;
(22) database security;
(23) the administration of consumer disputes and inquiries;
(24) external accreditation standards;
(25) the replacement of a group benefit plan or workers' compensation
policy or program;
(26) activities in connection with a sale, merger, transfer,
or exchange of all or part of a business or operating unit;
(27) any activity that permits disclosure without authorization
under the federal Health Insurance Portability and Accountability Act of 1996
(42 U.S.C. Section 1320d et seq.), as amended;
(28) disclosure that is required, or is a lawful or appropriate
method, to enforce the covered entity's rights or the rights of other persons
engaged in carrying out a transaction or providing an insurance product or
service that the consumer requests or authorizes;
(29) claims administration, adjustment, and management;
(30) any activity otherwise permitted by law, required pursuant
to a governmental reporting authority, or required to comply with legal process;
and
(31) any other insurance functions that the commissioner approves
that are:
(A) necessary for appropriate performance of insurance functions;
and
(B) fair and reasonable to the interests of consumers.
(b) A disclosure for marketing purposes shall not be considered
to be an insurance function or any other type of activity that constitutes
an exception under this section.
§22.60. Responsibility for Disclosure to Third Parties.
A covered entity that discloses protected health information to another
person to perform any function on behalf of the covered entity shall not make
any such disclosure unless the third party agrees not to disclose or use the
protected health information other than to carry out the purposes for which
the covered entity disclosed the information or in a manner otherwise consistent
with this subchapter.
§22.65. Nondiscrimination.
A covered entity shall not unfairly discriminate against a consumer
because that consumer has not authorized disclosure of his or her nonpublic
personal health information pursuant to the provisions of this subchapter.
§22.67. Effective date.
This subchapter takes effect on September 1, 2002.
This agency hereby certifies that the adoption has been reviewed
by legal counsel and found to be a valid exercise of the agency's legal authority.
Filed with the Office of
the Secretary of State on July 5, 2002.
TRD-200204243
Lynda Nesenholtz
General Counsel and Chief Clerk
Texas Department of Insurance
Effective date: September 1, 2002
Proposal publication date: January 4, 2002
For further information, please call: (512) 463-6327