STATE STATUTES & CODES

INSURANCE CODE

TITLE 5. PROTECTION OF CONSUMER INTERESTS

SUBTITLE D. PRIVACY

CHAPTER 602. PRIVACY OF HEALTH INFORMATION

SUBCHAPTER A. GENERAL PROVISIONS

Sec. 602.001. DEFINITIONS. In this chapter:

(1) "Covered entity" means a person who holds or is required to

hold a license, registration, certificate of authority, or other

authorization under this code or another insurance law of this

state. The term includes:

(A) an insurance company, including:

(i) a county mutual insurance company;

(ii) a farm mutual insurance company;

(iii) a fraternal benefit society;

(iv) a group hospital service corporation;

(v) a Lloyd's plan;

(vi) a local mutual aid association;

(vii) a mutual insurance company;

(viii) a reciprocal or interinsurance exchange;

(ix) a statewide mutual assessment company; and

(x) a stipulated premium company;

(B) a health maintenance organization; and

(C) an insurance agent.

(2) "Health information" means information regarding an

individual, other than the individual's age or gender, whether

provided orally or recorded in any medium or form, that is

created by or derived from the individual or a health care

provider and that relates to:

(A) the past, present, or future physical, mental, or behavioral

health or condition of the individual;

(B) the provision of health care to the individual; or

(C) payment for the provision of health care to the individual.

(3) "Nonpublic personal health information" means health

information:

(A) that identifies an individual who is the subject of the

information; or

(B) with respect to which there is a reasonable basis to believe

that the information could be used to identify an individual.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

Sec. 602.002. APPLICABILITY OF CHAPTER TO COVERED ENTITY

REQUIRED TO COMPLY WITH CERTAIN FEDERAL STANDARDS. This chapter

does not apply to a covered entity that is required to comply

with the standards governing the privacy of individually

identifiable health information adopted by the United States

secretary of health and human services under Section 262(a),

Health Insurance Portability and Accountability Act of 1996 (42

U.S.C. Section 1320d et seq.).

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

Sec. 602.003. CONSTRUCTION OF CHAPTER. (a) This chapter does

not preempt or supersede state law in effect on July 1, 2002,

that relates to the privacy of medical records, health

information, or insurance information.

(b) This chapter may not be construed to modify, limit, or

supersede the operation of the federal Fair Credit Reporting Act

(15 U.S.C. Section 1681 et seq.).

(c) This chapter may not be used as a basis for drawing an

inference that information is or is not transaction or experience

information under Section 603 of the federal Fair Credit

Reporting Act (15 U.S.C. Section 1681a).

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

Sec. 602.004. RULES. The commissioner may adopt rules as

necessary to implement this chapter.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

SUBCHAPTER B. AUTHORIZED DISCLOSURE OF CERTAIN HEALTH INFORMATION

Sec. 602.051. AUTHORIZATION FOR DISCLOSURE OF CERTAIN HEALTH

INFORMATION. (a) Except as provided by Section 602.053, a

covered entity must obtain authorization to disclose nonpublic

personal health information before disclosing the information.

(b) A request for authorization to disclose nonpublic personal

health information may be in written or electronic form and must:

(1) state the identity of the consumer or customer who is the

subject of the information;

(2) describe:

(A) each type of information to be disclosed;

(B) each party to whom the covered entity intends to disclose

the information;

(C) the purpose of the disclosure;

(D) how the information will be used; and

(E) the procedure for revoking the authorization;

(3) include the signature of:

(A) the consumer or customer who is the subject of the

information; or

(B) the individual who is legally empowered to grant

authorization;

(4) state the date the authorization is signed; and

(5) provide notice of:

(A) the period for which the authorization is valid; and

(B) the consumer's or customer's right to revoke the

authorization at any time.

(c) The period for which the authorization is valid may not

exceed 24 months.

(d) The right of a consumer or customer to revoke an

authorization at any time is subject to the rights of an

individual who, before receiving notice of a revocation, acted in

reliance on the authorization.

(e) The covered entity shall retain the original or a copy of

the authorization in the records of the individual who is the

subject of the nonpublic personal health information.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

Sec. 602.052. DELIVERY OF AUTHORIZATION FORM AND REQUEST FOR

AUTHORIZATION. (a) A covered entity may deliver to a consumer

or customer a request for authorization and an authorization form

only if the request and form are clear and conspicuous.

(b) A covered entity is required to include delivery of the

authorization form in a notice to a consumer or customer only if

the covered entity intends to disclose health information

protected under this chapter.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

Sec. 602.053. EXCEPTIONS. A covered entity may disclose

nonpublic personal health information to the extent that the

disclosure is necessary to perform the following insurance or

health maintenance organization functions on behalf of the

covered entity:

(1) the investigation or reporting of actual or potential fraud,

misrepresentation, or criminal activity;

(2) underwriting;

(3) the placement or issuance of an insurance policy or evidence

of coverage;

(4) loss control services;

(5) ratemaking or guaranty fund functions;

(6) reinsurance or excess loss insurance;

(7) risk management;

(8) case management;

(9) disease management;

(10) quality assurance;

(11) quality improvement;

(12) performance evaluation;

(13) health care provider credentialing verification;

(14) utilization review;

(15) peer review activities;

(16) actuarial, scientific, medical, or public policy research;

(17) grievance procedures;

(18) the internal administration of compliance, managerial, and

information systems;

(19) policyholder or enrollee services;

(20) auditing;

(21) reporting;

(22) database security;

(23) the administration of consumer disputes and inquiries;

(24) external accreditation standards;

(25) the replacement of a group benefit plan or workers'

compensation policy or program;

(26) activities in connection with a sale, merger, transfer, or

exchange of all or part of a business or operating unit;

(27) any activity that permits disclosure without authorization

under the federal Health Insurance Portability and Accountability

Act of 1996 (42 U.S.C. Section 1320d et seq.), as amended;

(28) disclosure that is required, or that is a lawful or

appropriate method to enforce the covered entity's rights or the

rights of other persons engaged, in carrying out a transaction or

providing a product or service that the consumer requests or

authorizes;

(29) claims administration, adjustment, and management;

(30) any activity that is:

(A) otherwise permitted by law;

(B) required by a governmental reporting authority; or

(C) required to comply with legal process; and

(31) any other insurance or health maintenance organization

functions the commissioner approves that are:

(A) necessary for appropriate performance of insurance or health

maintenance organization functions; and

(B) fair and reasonable to the interests of consumers.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

SUBCHAPTER C. PENALTIES AND ENFORCEMENT

Sec. 602.101. PROHIBITION. A covered entity may not knowingly

or wilfully violate this chapter.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

Sec. 602.102. INJUNCTION. The attorney general may bring an

action for injunctive relief to restrain a violation of this

chapter.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

Sec. 602.103. CIVIL PENALTY. (a) The attorney general may

bring an action for a civil penalty against a covered entity or

health care entity for a violation of this chapter.

(b) A civil penalty assessed under this section may not be less

than $3,000 for each violation.

(c) If the court in which an action under this section is

pending finds that the violations have occurred with a frequency

as to constitute a pattern or practice, the court may assess a

civil penalty not to exceed $250,000.

(d) A civil penalty authorized by this section is in addition to

any other civil, administrative, or criminal action provided by

law, including an action for injunctive relief provided by

Section 602.102.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

Sec. 602.104. DISCIPLINARY ACTION. (a) In addition to a

penalty prescribed by this subchapter, a covered entity that

violates this chapter is subject to investigation, disciplinary

proceedings, and probation or suspension of the covered entity's

license or other form of authorization to engage in business.

(b) If there is evidence that a covered entity has engaged in a

pattern or practice of violating this chapter, the covered

entity's license or other form of authorization to engage in

business may be revoked.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

Sec. 602.105. EXCLUSION FROM STATE PROGRAMS. If there is

evidence that a covered entity has engaged in a pattern or

practice of violating this chapter, in addition to the other

penalties prescribed by this subchapter, the covered entity shall

be excluded from participating in any state-funded health care

program.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.

Sec. 602.106. REMEDIES AVAILABLE. This subchapter does not

affect any right of a person under other law to bring a cause of

action or otherwise seek relief with respect to conduct that

violates this chapter.

Added by Acts 2003, 78th Leg., ch. 1274, Sec. 2, eff. April 1,

2005.