From the Courier-Gazette, some positive news from Texas that the Senate passed SB 622, a bill proposed by Senator Jane Nelson last month .
“Medical records include highly sensitive information, and the misuse of this information can put patients at risk for severe financial and personal consequences,” Nelson said. “This bill protects patients from having their information improperly sold to unauthorized third parties and ensures that patients have the right to access their own electronic medical records.”
I have not yet worked through all of the language or provisions in the bill, but one of the most significant sections reads:
Sec.i181.153. SALE OF PROTECTED HEALTH INFORMATION PROHIBITED; REMUNERATION OF AGENTS AND CONTRACTORS AUTHORIZED.
(a) Except as provided by Subsection (b), a covered entity may not disclose protected health information to any person in exchange for direct or indirect remuneration.
(b) A covered entity may disclose protected health information in exchange for remuneration only:
(1) for purposes of:
(A) treatment;
(B) payment;
(C) health care operations;
(D) public health activities;
(E) research or clinical investigation, as described by 42 U.S.C. Section 17935(d)(2)(B) and 21 C.F.R. Section 312.3; or
(F) providing the protected health information to the individual who is the subject of the protected health information; or
(2) as otherwise permitted or required by state or federal law.
(c) This section does not prohibit a covered entity from disclosing protected health information to and giving remuneration to an agent or contractor of the covered entity in exchange for engaging in an activity authorized by state or federal law involving the exchange of protected health information that the agent or contractor undertakes on behalf of and at the specific request of the covered entity pursuant to an agreement.
SECTIONi5. Sections 181.201(b) and (c), Health and Safety Code, are amended to read as follows:
(b In addition to the injunctive relief provided by Subsection (a), the attorney general may institute an action for civil penalties against a covered entity for a violation of this chapter. A civil penalty assessed under this section may not exceed:
(1 $5,000 [$3,000] for each violation committed negligently;
(2) $25,000 for each violation committed knowingly or intentionally; or
(3) $250,000 for each violation in which the covered entity knowingly or intentionally uses protected health information for financial gain.
The bill also contains data breach notification requirements, but only, it seems, for records in electronic format. Failure to provide notification, as required, can lead to fines, also specified in the bill.
Limiting the sale of protected health information is a tremendous step. An investigative report by Suzanne Batchelor published in the Austin Bulldog last September exposed how much identified PHI was being sold by the state’s own health agency for “research” purposes. Whether this bill would significantly reduce that type of sale remains to be seen.