85R5920 JG-F

By: Kolkhorst

S.B. No. 1574

A BILL TO BE ENTITLED

AN ACT

relating to the electronic sharing of protected health information and certification of and enforcement actions against certain covered entities.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1.  Section 181.201(d), Health and Safety Code, is amended to read as follows:

(d)  In determining the amount of a penalty imposed under Subsection (b), the court shall consider:

(1)  the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

(2)  the covered entity's compliance history;

(3)  whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

(4)  [whether the covered entity was certified at the time of the violation as described by Section 182.108;

[(5)]  the amount necessary to deter a future violation; and

(5) [(6)]  the covered entity's efforts to correct the violation.

SECTION 2.  Section 181.205(b), Health and Safety Code, is amended to read as follows:

(b)  In determining the amount of a penalty imposed under other law in accordance with Section 181.202, a court or state agency shall consider the following factors:

(1)  the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

(2)  the covered entity's compliance history;

(3)  whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

(4)  [whether the covered entity was certified at the time of the violation as described by Section 182.108;

[(5)]  the amount necessary to deter a future violation; and

(5) [(6)]  the covered entity's efforts to correct the violation.

SECTION 3.  Subchapter E, Chapter 181, Health and Safety Code, is amended by adding Section 181.208 to read as follows:

Sec. 181.208.  ENFORCEMENT AGAINST CERTAIN COVERED ENTITIES. Notwithstanding Sections 181.201 and 181.202, the attorney general may not bring an action for civil penalties under Section 181.201 and a licensing agency may not conduct a disciplinary proceeding under Section 181.202 against a covered entity that holds a certification described by Section 182.108 at the time of the violation unless the violation is a result of the covered entity's gross negligence or intentional conduct.

SECTION 4.  Section 182.108, Health and Safety Code, is amended by adding Subsection (b-1) and amending Subsections (c) and (d) to read as follows:

(b-1)  The executive commissioner by rule may develop and the commission may implement a system to offer to a covered entity that contracts with the commission incentives to obtain a certification under this section. This subsection does not apply to a covered entity that is also a health care provider as defined by Section 74A.001, Civil Practice and Remedies Code.

(c)  Standards adopted under Subsection (b) must be designed to:

(1)  comply with the Health Insurance Portability and Accountability Act and Privacy Standards and Chapter 181;

(2)  comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity;

(3)  ensure the secure maintenance and disclosure of personally identifiable health information;

(4)  include strategies and procedures for disclosing personally identifiable health information; [and]

(5)  support a level of system interoperability with existing health record databases in this state that is consistent with emerging standards; and

(6)  ensure compliance with relevant industry standards relating to security of Internet websites and electronic information.

(d)  The corporation shall establish a process by which a covered entity may apply for privacy, security, or privacy and security certification by the corporation for the [of a] covered entity's past compliance with standards adopted under Subsection (b).

SECTION 5.  Sections 182.108(h), (i), (j), (l), and (m), Health and Safety Code, as effective September 1, 2021, are amended to read as follows:

(h)  In amending standards under Subsection (g), the commission shall seek the assistance of an [a private nonprofit] organization with relevant knowledge and experience in health care privacy and security certification [establishing statewide health information exchange capabilities].

(i)  Standards amended under Subsection (g) must be designed to:

(1)  comply with the Health Insurance Portability and Accountability Act and Privacy Standards and Chapter 181;

(2)  comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity;

(3)  ensure the secure maintenance and disclosure of individually identifiable health information;

(4)  include strategies and procedures for disclosing individually identifiable health information; [and]

(5)  support a level of system interoperability with existing health record databases in this state that is consistent with emerging standards; and

(6)  ensure compliance with relevant industry standards relating to security of Internet websites and electronic information.

(j)  The commission shall designate an [a private nonprofit] organization with relevant knowledge and experience in health care privacy and security certification [establishing statewide health information exchange capabilities] to establish a process by which a covered entity may apply for privacy, security, or privacy and security certification by the designated [private nonprofit] organization for the [of a] covered entity's past compliance with standards adopted under this section. If an [a private nonprofit] organization with relevant knowledge and experience in health care privacy and security certification [establishing statewide health information exchange capabilities] does not exist, the commission shall [either:

[(1)]  establish the process described by this subsection[; or

[(2)  designate another entity with relevant knowledge to establish the process described by this subsection].

(l)  The commission shall ensure that any fee charged for the certification process described in Subsection (j) by the [private nonprofit] organization [or entity] designated under that subsection, including a person acting on behalf of a designated organization [or entity], is reasonable. If the commission establishes the process as described by Subsection (j) [(j)(1)], the commission shall set a reasonable fee for the certification process.

(m)  For good cause, the commission may revoke the designation or authority of an [a private nonprofit] organization [or entity] to establish the process or offer certifications under Subsection (j).

SECTION 6.  The changes in law made by this Act apply only to a violation that occurs on or after the effective date of this Act. A violation that occurs before the effective date of this Act is governed by the law applicable to the violation immediately before the effective date of this Act, and that law is continued in effect for that purpose.

SECTION 7.  This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution.  If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2017.