INSURANCE CODE


TITLE 5. PROTECTION OF CONSUMER INTERESTS


SUBTITLE D. PRIVACY


CHAPTER 602. PRIVACY OF HEALTH INFORMATION


SUBCHAPTER A. GENERAL PROVISIONS


Sec. 602.001. DEFINITIONS. In this chapter:

(1) "Covered entity" means a person who holds or is required to hold a license, registration, certificate of authority, or other authorization under this code or another insurance law of this state. The term includes:

(A) an insurance company, including:

(i) a county mutual insurance company;

(ii) a farm mutual insurance company;

(iii) a fraternal benefit society;

(iv) a group hospital service corporation;

(v) a Lloyd's plan;

(vi) a local mutual aid association;

(vii) a mutual insurance company;

(viii) a reciprocal or interinsurance exchange;

(ix) a statewide mutual assessment company; and

(x) a stipulated premium company;

(B) a health maintenance organization; and

(C) an insurance agent.

(2) "Health information" means information regarding an individual, other than the individual's age or gender, whether provided orally or recorded in any medium or form, that is created by or derived from the individual or a health care provider and that relates to:

(A) the past, present, or future physical, mental, or behavioral health or condition of the individual;

(B) the provision of health care to the individual; or

(C) payment for the provision of health care to the individual.

(3) "Nonpublic personal health information" means health information:

(A) that identifies an individual who is the subject of the information; or

(B) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.002. APPLICABILITY OF CHAPTER TO COVERED ENTITY REQUIRED TO COMPLY WITH CERTAIN FEDERAL STANDARDS. This chapter does not apply to a covered entity that is required to comply with the standards governing the privacy of individually identifiable health information adopted by the United States secretary of health and human services under Section 262(a), Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.003. CONSTRUCTION OF CHAPTER. (a) This chapter does not preempt or supersede state law in effect on July 1, 2002, that relates to the privacy of medical records, health information, or insurance information.

(b) This chapter may not be construed to modify, limit, or supersede the operation of the federal Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.).

(c) This chapter may not be used as a basis for drawing an inference that information is or is not transaction or experience information under Section 603 of the federal Fair Credit Reporting Act (15 U.S.C. Section 1681a).

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.004. RULES. The commissioner may adopt rules as necessary to implement this chapter.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

SUBCHAPTER B. AUTHORIZED DISCLOSURE OF CERTAIN HEALTH INFORMATION


Sec. 602.051. AUTHORIZATION FOR DISCLOSURE OF CERTAIN HEALTH INFORMATION. (a) Except as provided by Section 602.053, a covered entity must obtain authorization to disclose nonpublic personal health information before disclosing the information.

(b) A request for authorization to disclose nonpublic personal health information may be in written or electronic form and must:

(1) state the identity of the consumer or customer who is the subject of the information;

(2) describe:

(A) each type of information to be disclosed;

(B) each party to whom the covered entity intends to disclose the information;

(C) the purpose of the disclosure;

(D) how the information will be used; and

(E) the procedure for revoking the authorization;

(3) include the signature of:

(A) the consumer or customer who is the subject of the information; or

(B) the individual who is legally empowered to grant authorization;

(4) state the date the authorization is signed; and

(5) provide notice of:

(A) the period for which the authorization is valid; and

(B) the consumer's or customer's right to revoke the authorization at any time.

(c) The period for which the authorization is valid may not exceed 24 months.

(d) The right of a consumer or customer to revoke an authorization at any time is subject to the rights of an individual who, before receiving notice of a revocation, acted in reliance on the authorization.

(e) The covered entity shall retain the original or a copy of the authorization in the records of the individual who is the subject of the nonpublic personal health information.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.052. DELIVERY OF AUTHORIZATION FORM AND REQUEST FOR AUTHORIZATION. (a) A covered entity may deliver to a consumer or customer a request for authorization and an authorization form only if the request and form are clear and conspicuous.

(b) A covered entity is required to include delivery of the authorization form in a notice to a consumer or customer only if the covered entity intends to disclose health information protected under this chapter.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.053. EXCEPTIONS. A covered entity may disclose nonpublic personal health information to the extent that the disclosure is necessary to perform the following insurance or health maintenance organization functions on behalf of the covered entity:

(1) the investigation or reporting of actual or potential fraud, misrepresentation, or criminal activity;

(2) underwriting;

(3) the placement or issuance of an insurance policy or evidence of coverage;

(4) loss control services;

(5) ratemaking or guaranty fund functions;

(6) reinsurance or excess loss insurance;

(7) risk management;

(8) case management;

(9) disease management;

(10) quality assurance;

(11) quality improvement;

(12) performance evaluation;

(13) health care provider credentialing verification;

(14) utilization review;

(15) peer review activities;

(16) actuarial, scientific, medical, or public policy research;

(17) grievance procedures;

(18) the internal administration of compliance, managerial, and information systems;

(19) policyholder or enrollee services;

(20) auditing;

(21) reporting;

(22) database security;

(23) the administration of consumer disputes and inquiries;

(24) external accreditation standards;

(25) the replacement of a group benefit plan or workers' compensation policy or program;

(26) activities in connection with a sale, merger, transfer, or exchange of all or part of a business or operating unit;

(27) any activity that permits disclosure without authorization under the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), as amended;

(28) disclosure that is required, or that is a lawful or appropriate method to enforce the covered entity's rights or the rights of other persons engaged, in carrying out a transaction or providing a product or service that the consumer requests or authorizes;

(29) claims administration, adjustment, and management;

(30) any activity that is:

(A) otherwise permitted by law;

(B) required by a governmental reporting authority; or

(C) required to comply with legal process; and

(31) any other insurance or health maintenance organization functions the commissioner approves that are:

(A) necessary for appropriate performance of insurance or health maintenance organization functions; and

(B) fair and reasonable to the interests of consumers.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.054. COMPLIANCE WITH OTHER LAW. A covered entity shall comply with:

(1) Subchapter D, Chapter 181, Health and Safety Code, except as otherwise provided by that subchapter; and

(2) the standards adopted under Section 182.108, Health and Safety Code.

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 18, eff. September 1, 2012.

SUBCHAPTER C. PENALTIES AND ENFORCEMENT


Sec. 602.101. PROHIBITION. A covered entity may not knowingly or wilfully violate this chapter.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.102. INJUNCTION. The attorney general may bring an action for injunctive relief to restrain a violation of this chapter.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.103. CIVIL PENALTY. (a) The attorney general may bring an action for a civil penalty against a covered entity or health care entity for a violation of this chapter.

(b) A civil penalty assessed under this section may not be less than $3,000 for each violation.

(c) If the court in which an action under this section is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, the court may assess a civil penalty not to exceed $250,000.

(d) A civil penalty authorized by this section is in addition to any other civil, administrative, or criminal action provided by law, including an action for injunctive relief provided by Section 602.102.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.104. DISCIPLINARY ACTION. (a) In addition to a penalty prescribed by this subchapter, a covered entity that violates this chapter is subject to investigation, disciplinary proceedings, and probation or suspension of the covered entity's license or other form of authorization to engage in business.

(b) If there is evidence that a covered entity has engaged in a pattern or practice of violating this chapter, the covered entity's license or other form of authorization to engage in business may be revoked.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.105. EXCLUSION FROM STATE PROGRAMS. If there is evidence that a covered entity has engaged in a pattern or practice of violating this chapter, in addition to the other penalties prescribed by this subchapter, the covered entity shall be excluded from participating in any state-funded health care program.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.

Sec. 602.106. REMEDIES AVAILABLE. This subchapter does not affect any right of a person under other law to bring a cause of action or otherwise seek relief with respect to conduct that violates this chapter.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1, 2005.