HEALTH AND SAFETY CODE


TITLE 2. HEALTH


SUBTITLE I. MEDICAL RECORDS


CHAPTER 181. MEDICAL RECORDS PRIVACY


SUBCHAPTER A. GENERAL PROVISIONS


Sec. 181.001. DEFINITIONS. (a) Unless otherwise defined in this chapter, each term that is used in this chapter has the meaning assigned by the Health Insurance Portability and Accountability Act and Privacy Standards.

(b) In this chapter:

(1) Repealed by Acts 2015, 84th Leg., R.S., Ch. 1, Sec. 3.1639(55), eff. April 2, 2015.

(2) "Covered entity" means any person who:

(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;

(B) comes into possession of protected health information;

(C) obtains or stores protected health information under this chapter; or

(D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

(2-a) "Disclose" means to release, transfer, provide access to, or otherwise divulge information outside the entity holding the information.

(2-b) Repealed by Acts 2015, 84th Leg., R.S., Ch. 1, Sec. 3.1639(55), eff. April 2, 2015.

(3) "Health Insurance Portability and Accountability Act and Privacy Standards" means the privacy requirements in existence on September 1, 2011, of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (Pub. L. No. 104-191) contained in 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E.

(4) "Marketing" means:

(A) making a communication about a product or service that encourages a recipient of the communication to purchase or use the product or service, unless the communication is made:

(i) to describe a health-related product or service or the payment for a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:

(a) the entities participating in a health care provider network or health plan network;

(b) replacement of, or enhancement to, a health plan; or

(c) health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;

(ii) for treatment of the individual;

(iii) for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual; or

(iv) by a covered entity to an individual that encourages a change to a prescription drug included in the covered entity's drug formulary or preferred drug list;

(B) an arrangement between a covered entity and any other entity under which the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service; and

(C) notwithstanding Paragraphs (A)(ii) and (iii), a product-specific written communication to a consumer that encourages a change in products.

(5) "Product" means a prescription drug or prescription medical device.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001. Amended by Acts 2003, 78th Leg., ch. 924, Sec. 2.

Amended by:

Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 1, eff. September 1, 2012.

Acts 2015, 84th Leg., R.S., Ch. 1 (S.B. 219), Sec. 3.1639(55), eff. April 2, 2015.

Sec. 181.002. APPLICABILITY. (a) Except as provided by Section 181.205, this chapter does not affect the validity of another statute of this state that provides greater confidentiality for information made confidential by this chapter.

(b) To the extent that this chapter conflicts with another law, other than Section 58.0052, Family Code, with respect to protected health information collected by a governmental body or unit, this chapter controls.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001. Amended by Acts 2003, 78th Leg., ch. 924, Sec. 3, eff. Sept. 1, 2003.

Amended by:

Acts 2011, 82nd Leg., R.S., Ch. 653 (S.B. 1106), Sec. 5, eff. June 17, 2011.

Sec. 181.003. SOVEREIGN IMMUNITY. This chapter does not waive sovereign immunity to suit or liability.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Sec. 181.004. APPLICABILITY OF STATE AND FEDERAL LAW. (a) A covered entity, as that term is defined by 45 C.F.R. Section 160.103, shall comply with the Health Insurance Portability and Accountability Act and Privacy Standards.

(b) Subject to Section 181.051, a covered entity, as that term is defined by Section 181.001, shall comply with this chapter.

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 2, eff. September 1, 2012.

Sec. 181.005. DUTIES OF THE EXECUTIVE COMMISSIONER. (a) The executive commissioner shall administer this chapter and may adopt rules consistent with the Health Insurance Portability and Accountability Act and Privacy Standards to administer this chapter.

(b) The executive commissioner shall review amendments to the definitions in 45 C.F.R. Parts 160 and 164 that occur after September 1, 2011, and determine whether it is in the best interest of the state to adopt the amended federal regulations. If the executive commissioner determines that it is in the best interest of the state to adopt the amended federal regulations, the amended regulations shall apply as required by this chapter.

(c) In making a determination under this section, the executive commissioner must consider, in addition to other factors affecting the public interest, the beneficial and adverse effects the amendments would have on:

(1) the lives of individuals in this state and their expectations of privacy; and

(2) governmental entities, institutions of higher education, state-owned teaching hospitals, private businesses, and commerce in this state.

(d) The executive commissioner shall prepare a report of the executive commissioner's determination made under this section and shall file the report with the presiding officer of each house of the legislature before the 30th day after the date the determination is made. The report must include an explanation of the reasons for the determination.

Added by Acts 2003, 78th Leg., ch. 924, Sec. 4, eff. Sept. 1, 2003.

Amended by:

Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 3, eff. September 1, 2012.

Sec. 181.006. PROTECTED HEALTH INFORMATION NOT PUBLIC. Notwithstanding Sections 181.004 and 181.051, for a covered entity that is a governmental unit, an individual's protected health information:

(1) includes any information that reflects that an individual received health care from the covered entity; and

(2) is not public information and is not subject to disclosure under Chapter 552, Government Code.

Added by Acts 2009, 81st Leg., R.S., Ch. 419 (H.B. 2004), Sec. 5, eff. September 1, 2009.

Amended by:

Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 4, eff. September 1, 2012.

SUBCHAPTER B. EXEMPTIONS


Sec. 181.051. PARTIAL EXEMPTION. Except for Subchapter D, this chapter does not apply to:

(1) a covered entity as defined by Section 602.001, Insurance Code;

(2) an entity established under Article 5.76-3, Insurance Code; or

(3) an employer.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001. Amended by Acts 2003, 78th Leg., ch. 1274, Sec. 20, eff. April 1, 2005.

Sec. 181.052. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS. (a) In this section, "financial institution" has the meaning assigned by Section 1101, Right to Financial Privacy Act of 1978 (12 U.S.C. Section 3401), and its subsequent amendments.

(b) To the extent that a covered entity engages in activities of a financial institution, or authorizes, processes, clears, settles, bills, transfers, reconciles, or collects payments for a financial institution, this chapter and any rule adopted under this chapter does not apply to the covered entity with respect to those activities, including the following:

(1) using or disclosing information to authorize, process, clear, settle, bill, transfer, reconcile, or collect a payment for, or related to, health plan premiums or health care, if the payment is made by any means, including a credit, debit, or other payment card, an account, a check, or an electronic funds transfer; and

(2) requesting, using, or disclosing information with respect to a payment described by Subdivision (1):

(A) for transferring receivables;

(B) for auditing;

(C) in connection with a customer dispute or an inquiry from or to a customer;

(D) in a communication to a customer of the entity regarding the customer's transactions, payment card, account, check, or electronic funds transfer;

(E) for reporting to consumer reporting agencies; or

(F) for complying with a civil or criminal subpoena or a federal or state law regulating the covered entity.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Sec. 181.053. NONPROFIT AGENCIES. The executive commissioner shall by rule exempt from this chapter a nonprofit agency that pays for health care services or prescription drugs for an indigent person only if the agency's primary business is not the provision of health care or reimbursement for health care services.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Amended by:

Acts 2015, 84th Leg., R.S., Ch. 1 (S.B. 219), Sec. 3.0521, eff. April 2, 2015.

Sec. 181.054. WORKERS' COMPENSATION. This chapter does not apply to:

(1) workers' compensation insurance or a function authorized by Title 5, Labor Code; or

(2) any person or entity in connection with providing, administering, supporting, or coordinating any of the benefits under a self-insured program for workers' compensation.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Sec. 181.055. EMPLOYEE BENEFIT PLAN. This chapter does not apply to:

(1) an employee benefit plan; or

(2) any covered entity or other person, insofar as the entity or person is acting in connection with an employee benefit plan.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Sec. 181.056. AMERICAN RED CROSS. This chapter does not prohibit the American Red Cross from accessing any information necessary to perform its duties to provide biomedical services, disaster relief, disaster communication, or emergency leave verification services for military personnel.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001. Amended by Acts 2003, 78th Leg., ch. 924, Sec. 5, eff. Sept. 1, 2003.

Sec. 181.057. INFORMATION RELATING TO OFFENDERS WITH MENTAL IMPAIRMENTS. This chapter does not apply to an agency described by Section 614.017 with respect to the disclosure, receipt, transfer, or exchange of medical and health information and records relating to individuals in the custody of an agency or in community supervision.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Sec. 181.058. EDUCATIONAL RECORDS. In this chapter, protected health information does not include:

(1) education records covered by the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g) and its subsequent amendments; or

(2) records described by 20 U.S.C. Section 1232g(a)(4)(B)(iv) and its subsequent amendments.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Sec. 181.059. CRIME VICTIM COMPENSATION. This chapter does not apply to any person or entity in connection with providing, administering, supporting, or coordinating any of the benefits regarding compensation to victims of crime as provided by Chapter 56B, Code of Criminal Procedure.

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 5, eff. September 1, 2012.

Amended by:

Acts 2019, 86th Leg., R.S., Ch. 469 (H.B. 4173), Sec. 2.53, eff. January 1, 2021.

Sec. 181.060. INFORMATION REGARDING COMMUNICABLE DISEASES IN CERTAIN FACILITIES. (a) In this section:

(1) "Communicable disease" has the meaning assigned by Section 81.003.

(2) "Facility" means:

(A) a nursing facility licensed under Chapter 242;

(B) a continuing care facility licensed under Chapter 246; and

(C) an assisted living facility licensed under Chapter 247.

(3) "Resident" means an individual, including a patient, who resides in a facility.

(b) In this chapter, protected health information does not include information that identifies:

(1) the name or location of a facility in which residents have been diagnosed with a communicable disease; or

(2) the number of residents who have been diagnosed with a communicable disease in a facility.

(c) Unless made confidential under other law, the information described by Subsection (b) is not confidential and is subject to disclosure under Chapter 552, Government Code.

Added by Acts 2021, 87th Leg., R.S., Ch. 95 (S.B. 930), Sec. 2, eff. September 1, 2021.

SUBCHAPTER C. ACCESS TO AND USE OF PROTECTED HEALTH INFORMATION


Sec. 181.101. TRAINING REQUIRED. (a) Each covered entity shall provide training to employees of the covered entity regarding the state and federal law concerning protected health information as necessary and appropriate for the employees to carry out the employees' duties for the covered entity.

(b) An employee of a covered entity must complete training described by Subsection (a) not later than the 90th day after the date the employee is hired by the covered entity.

(c) If the duties of an employee of a covered entity are affected by a material change in state or federal law concerning protected health information, the employee shall receive training described by Subsection (a) within a reasonable period, but not later than the first anniversary of the date the material change in law takes effect.

(d) A covered entity shall require an employee of the entity who receives training described by Subsection (a) to sign, electronically or in writing, a statement verifying the employee's completion of training. The covered entity shall maintain the signed statement until the sixth anniversary of the date the statement is signed.

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 6, eff. September 1, 2012.

Amended by:

Acts 2013, 83rd Leg., R.S., Ch. 1367 (S.B. 1609), Sec. 1, eff. June 14, 2013.

Sec. 181.102. CONSUMER ACCESS TO ELECTRONIC HEALTH RECORDS. (a) Except as provided by Subsection (b), if a health care provider is using an electronic health records system that is capable of fulfilling the request, the health care provider, not later than the 15th business day after the date the health care provider receives a written request from a person for the person's electronic health record, shall provide the requested record to the person in electronic form unless the person agrees to accept the record in another form.

(b) A health care provider is not required to provide access to a person's protected health information that is excepted from access, or to which access may be denied, under 45 C.F.R. Section 164.524.

(c) For purposes of Subsection (a), the executive commissioner, in consultation with the department, the Texas Medical Board, and the Texas Department of Insurance, by rule may recommend a standard electronic format for the release of requested health records. The standard electronic format recommended under this section must be consistent, if feasible, with federal law regarding the release of electronic health records.

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 6, eff. September 1, 2012.

Amended by:

Acts 2015, 84th Leg., R.S., Ch. 1 (S.B. 219), Sec. 3.0522, eff. April 2, 2015.

Sec. 181.103. CONSUMER INFORMATION WEBSITE. The attorney general shall maintain an Internet website that provides:

(1) information concerning a consumer's privacy rights regarding protected health information under federal and state law;

(2) a list of the state agencies, including the department, the Texas Medical Board, and the Texas Department of Insurance, that regulate covered entities in this state and the types of entities each agency regulates;

(3) detailed information regarding each agency's complaint enforcement process; and

(4) contact information, including the address of the agency's Internet website, for each agency listed under Subdivision (2) for reporting a violation of this chapter.

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 6, eff. September 1, 2012.

Amended by:

Acts 2015, 84th Leg., R.S., Ch. 1 (S.B. 219), Sec. 3.0523, eff. April 2, 2015.

Sec. 181.104. CONSUMER COMPLAINT REPORT BY ATTORNEY GENERAL. (a) The attorney general annually shall submit to the legislature a report describing:

(1) the number and types of complaints received by the attorney general and by the state agencies receiving consumer complaints under Section 181.103; and

(2) the enforcement action taken in response to each complaint reported under Subdivision (1).

(b) Each state agency that receives consumer complaints under Section 181.103 shall submit to the attorney general, in the form required by the attorney general, the information the attorney general requires to compile the report required by Subsection (a).

(c) The attorney general shall de-identify protected health information from the individual to whom the information pertains before including the information in the report required by Subsection (a).

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 6, eff. September 1, 2012.

SUBCHAPTER D. PROHIBITED ACTS


Sec. 181.151. REIDENTIFIED INFORMATION. A person may not reidentify or attempt to reidentify an individual who is the subject of any protected health information without obtaining the individual's consent or authorization if required under this chapter or other state or federal law.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Sec. 181.152. MARKETING USES OF INFORMATION. (a) A covered entity must obtain clear and unambiguous permission in written or electronic form to use or disclose protected health information for any marketing communication, except if the communication is:

(1) in the form of a face-to-face communication made by a covered entity to an individual;

(2) in the form of a promotional gift of nominal value provided by the covered entity;

(3) necessary for administration of a patient assistance program or other prescription drug savings or discount program; or

(4) made at the oral request of the individual.

(b) If a covered entity uses or discloses protected health information to send a written marketing communication through the mail, the communication must be sent in an envelope showing only the names and addresses of sender and recipient and must:

(1) state the name and toll-free number of the entity sending the marketing communication; and

(2) explain the recipient's right to have the recipient's name removed from the sender's mailing list.

(c) A person who receives a request under Subsection (b)(2) to remove a person's name from a mailing list shall remove the person's name not later than the 45th day after the date the person receives the request.

(d) A marketing communication made at the oral request of the individual under Subsection (a)(4) may be made only if clear and unambiguous oral permission for the use or disclosure of the protected health information is obtained. The marketing communication must be limited to the scope of the oral permission and any further marketing communication must comply with the requirements of this section.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001. Amended by Acts 2003, 78th Leg., ch. 924, Sec. 6, eff. Jan. 1, 2004.

Sec. 181.153. SALE OF PROTECTED HEALTH INFORMATION PROHIBITED; EXCEPTIONS. (a) A covered entity may not disclose an individual's protected health information to any other person in exchange for direct or indirect remuneration, except that a covered entity may disclose an individual's protected health information:

(1) to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001, Insurance Code, for the purpose of:

(A) treatment;

(B) payment;

(C) health care operations; or

(D) performing an insurance or health maintenance organization function described by Section 602.053, Insurance Code; or

(2) as otherwise authorized or required by state or federal law.

(b) The direct or indirect remuneration a covered entity receives for making a disclosure of protected health information authorized by Subsection (a)(1)(D) may not exceed the covered entity's reasonable costs of preparing or transmitting the protected health information.

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 7, eff. September 1, 2012.

Sec. 181.154. NOTICE AND AUTHORIZATION REQUIRED FOR ELECTRONIC DISCLOSURE OF PROTECTED HEALTH INFORMATION; EXCEPTIONS. (a) A covered entity shall provide notice to an individual for whom the covered entity creates or receives protected health information if the individual's protected health information is subject to electronic disclosure. A covered entity may provide general notice by:

(1) posting a written notice in the covered entity's place of business;

(2) posting a notice on the covered entity's Internet website; or

(3) posting a notice in any other place where individuals whose protected health information is subject to electronic disclosure are likely to see the notice.

(b) Except as provided by Subsection (c), a covered entity may not electronically disclose an individual's protected health information to any person without a separate authorization from the individual or the individual's legally authorized representative for each disclosure. An authorization for disclosure under this subsection may be made in written or electronic form or in oral form if it is documented in writing by the covered entity.

(c) The authorization for electronic disclosure of protected health information described by Subsection (b) is not required if the disclosure is made:

(1) to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001, Insurance Code, for the purpose of:

(A) treatment;

(B) payment;

(C) health care operations; or

(D) performing an insurance or health maintenance organization function described by Section 602.053, Insurance Code; or

(2) as otherwise authorized or required by state or federal law.

(d) The attorney general shall adopt a standard authorization form for use in complying with this section. The form must comply with the Health Insurance Portability and Accountability Act and Privacy Standards and this chapter.

(e) This section does not apply to a covered entity, as defined by Section 602.001, Insurance Code, if that entity is not a covered entity as defined by 45 C.F.R. Section 160.103.

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 7, eff. September 1, 2012.

SUBCHAPTER E. ENFORCEMENT


Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The attorney general may institute an action for injunctive relief to restrain a violation of this chapter.

(b) In addition to the injunctive relief provided by Subsection (a), the attorney general may institute an action for civil penalties against a covered entity for a violation of this chapter. A civil penalty assessed under this section may not exceed:

(1) $5,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed negligently;

(2) $25,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed knowingly or intentionally; or

(3) $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.

(b-1) The total amount of a penalty assessed against a covered entity under Subsection (b) in relation to a violation or violations of Section 181.154 may not exceed $250,000 annually if the court finds that the disclosure was made only to another covered entity and only for a purpose described by Section 181.154(c) and the court finds that:

(1) the protected health information disclosed was encrypted or transmitted using encryption technology designed to protect against improper disclosure;

(2) the recipient of the protected health information did not use or release the protected health information; or

(3) at the time of the disclosure of the protected health information, the covered entity had developed, implemented, and maintained security policies, including the education and training of employees responsible for the security of protected health information.

(c) If the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, the court may assess a civil penalty not to exceed $1.5 million annually.

(d) In determining the amount of a penalty imposed under Subsection (b), the court shall consider:

(1) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

(2) the covered entity's compliance history;

(3) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

(4) whether the covered entity was certified at the time of the violation as described by Section 182.108;

(5) the amount necessary to deter a future violation; and

(6) the covered entity's efforts to correct the violation.

(e) The attorney general may institute an action against a covered entity that is licensed by a licensing agency of this state for a civil penalty under this section only if the licensing agency refers the violation to the attorney general under Section 181.202(2).

(f) The office of the attorney general may retain a reasonable portion of a civil penalty recovered under this section, not to exceed amounts specified in the General Appropriations Act, for the enforcement of this subchapter.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Amended by:

Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 8, eff. September 1, 2012.

Sec. 181.202. DISCIPLINARY ACTION. In addition to the penalties prescribed by this chapter, a violation of this chapter by a covered entity that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. If there is evidence that the violations of this chapter are egregious and constitute a pattern or practice, the agency may:

(1) revoke the covered entity's license; or

(2) refer the covered entity's case to the attorney general for the institution of an action for civil penalties under Section 181.201(b).

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Amended by:

Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 9, eff. September 1, 2012.

Sec. 181.203. EXCLUSION FROM STATE PROGRAMS. In addition to the penalties prescribed by this chapter, a covered entity shall be excluded from participating in any state-funded health care program if a court finds the covered entity engaged in a pattern or practice of violating this chapter.

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Sec. 181.205. MITIGATION. (a) In an action or proceeding to impose an administrative penalty or assess a civil penalty for actions related to the disclosure of individually identifiable health information, a covered entity may introduce, as mitigating evidence, evidence of the entity's good faith efforts to comply with:

(1) state law related to the privacy of individually identifiable health information; or

(2) the Health Insurance Portability and Accountability Act and Privacy Standards.

(b) In determining the amount of a penalty imposed under other law in accordance with Section 181.202, a court or state agency shall consider the following factors:

(1) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

(2) the covered entity's compliance history;

(3) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

(4) whether the covered entity was certified at the time of the violation as described by Section 182.108;

(5) the amount necessary to deter a future violation; and

(6) the covered entity's efforts to correct the violation.

(c) On receipt of evidence under Subsections (a) and (b), a court or state agency shall consider the evidence and mitigate imposition of an administrative penalty or assessment of a civil penalty accordingly.

Added by Acts 2003, 78th Leg., ch. 924, Sec. 7, eff. Sept. 1, 2003.

Amended by:

Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 10, eff. September 1, 2012.

Sec. 181.206. AUDITS OF COVERED ENTITIES. (a) The commission, in coordination with the attorney general and the Texas Department of Insurance:

(1) may request that the United States secretary of health and human services conduct an audit of a covered entity, as that term is defined by 45 C.F.R. Section 160.103, in this state to determine compliance with the Health Insurance Portability and Accountability Act and Privacy Standards; and

(2) shall periodically monitor and review the results of audits of covered entities in this state conducted by the United States secretary of health and human services.

(b) If the commission has evidence that a covered entity has committed violations of this chapter that are egregious and constitute a pattern or practice, the commission may:

(1) require the covered entity to submit to the commission the results of a risk analysis conducted by the covered entity if required by 45 C.F.R. Section 164.308(a)(1)(ii)(A); or

(2) if the covered entity is licensed by a licensing agency of this state, request that the licensing agency conduct an audit of the covered entity's system to determine compliance with the provisions of this chapter.

(c) The commission annually shall submit to the appropriate standing committees of the senate and the house of representatives a report regarding the number of federal audits of covered entities in this state and the number of audits required under Subsection (b).

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 11, eff. September 1, 2012.

Amended by:

Acts 2015, 84th Leg., R.S., Ch. 12 (S.B. 203), Sec. 2, eff. September 1, 2015.

Sec. 181.207. FUNDING. (a) The commission and the Texas Department of Insurance shall apply for and actively pursue available federal funding for enforcement of this chapter.

(b) Expired.

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 11, eff. September 1, 2012.

Amended by:

Acts 2015, 84th Leg., R.S., Ch. 12 (S.B. 203), Sec. 3, eff. September 1, 2015.