77(R) SB 11-Sent to Gov

[Guest guest]

77® SB 11 House committee report - Bill Text

77R16892 MCK-D

By , et al. S.B. No. 11

Substitute the following for S.B. No. 11:

By Gray C.S.S.B. No. 11

A BILL TO BE ENTITLED

1-1 AN ACT

1-2 relating to protecting the privacy of medical records; providing

1-3 penalties.

1-4 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

1-5 SECTION 1. Title 2, Health and Safety Code, is amended by

1-6 adding Subtitle I to read as follows:

1-7 SUBTITLE I. MEDICAL RECORDS

1-8 CHAPTER 181. MEDICAL RECORDS PRIVACY

1-9 SUBCHAPTER A. GENERAL PROVISIONS

1-10 Sec. 181.001. DEFINITIONS. (a) Unless otherwise defined in

1-11 this chapter, each term that is used in this chapter has the

1-12 meaning assigned by the Health Insurance Portability and

1-13 Accountability Act and Privacy Standards.

1-14 ( In this chapter:

1-15 (1) " Covered entity " means any person, other than an

1-16 employer, who:

1-17 (A) for commercial, financial, or professional

1-18 gain, monetary fees, or dues, or on a cooperative, nonprofit, or

1-19 pro bono basis, engages, in whole or in part, and with real or

1-20 constructive knowledge, in the practice of assembling, collecting,

1-21 analyzing, using, evaluating, storing, or transmitting protected

1-22 health information. The term includes a business associate, health

1-23 care payer, governmental unit, information or computer management

1-24 entity, school, health researcher, health care facility, clinic,

2-1 health care provider, or person who maintains an Internet site;

2-2 ( comes into possession of protected health

2-3 information;

2-4 © obtains or stores protected health

2-5 information under this chapter; or

2-6 (D) is an employee, agent, or contractor of a

2-7 person described by Paragraph (A), (, or © insofar as the

2-8 employee, agent, or contractor creates, receives, obtains,

2-9 maintains, uses, or transmits protected health information.

2-10 (2) " Health Insurance Portability and Accountability

2-11 Act and Privacy Standards " means the privacy requirements of the

2-12 Administrative Simplification subtitle of the Health Insurance

2-13 Portability and Accountability Act of 1996 (Pub. L. No. 104-191)

2-14 and the final rules adopted on December 28, 2000, and published at

2-15 65 Fed. Reg. 82798 et seq., and any subsequent amendments.

2-16 (3) " Marketing " means the promotion or advertisement,

2-17 by a covered entity, of specific products or services if the

2-18 covered entity receives, directly or indirectly, a financial

2-19 incentive or remuneration from a third party for the use, access,

2-20 or disclosure of protected health information. Marketing does not

2-21 include a communication, for treatment or health care operations,

2-22 by a health care provider, health plan, or participants in an

2-23 organized health care arrangement or their affiliated covered

2-24 entities or business associates within the meaning of those terms

2-25 under the Health Insurance Portability and Accountability Act and

2-26 Privacy Standards.

2-27 Sec. 181.002. APPLICABILITY. This chapter does not affect

3-1 the validity of another statute of this state that provides greater

3-2 confidentiality for information made confidential by this chapter.

3-3 Sec. 181.003. SOVEREIGN IMMUNITY. This chapter does not

3-4 waive sovereign immunity to suit or liability.

3-5 Sec. 181.004. RULES. A state agency that licenses or

3-6 regulates a covered entity may adopt rules as necessary to carry

3-7 out the purposes of this chapter.

3-8 (Sections 181.005-181.050 reserved for expansion

3-9 SUBCHAPTER B. EXEMPTIONS

3-10 Sec. 181.051. PARTIAL EXEMPTION. Except for Section

3-11 181.152, this chapter does not apply to:

3-12 (1) a covered entity as defined in the Health

3-13 Insurance Portability and Accountability Act and Privacy Standards,

3-14 an affiliate under the covered entity's common ownership or

3-15 control, or an entity participating in an organized health care

3-16 arrangement with the covered entity;

3-17 (2) a business associate of a covered entity if the

3-18 business associate is acting in compliance with the Health

3-19 Insurance Portability and Accountability Act and Privacy Standards;

3-20 (3) a licensee as defined in Article 28B.01, Insurance

3-21 Code; or

3-22 (4) an entity established under Article 5.76-3,

3-23 Insurance Code.

3-24 Sec. 181.052. PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL

3-25 INSTITUTIONS. (a) In this section, " financial institution " has

3-26 the meaning assigned by Section 1101, Right to Financial Privacy

3-27 Act of 1978 (12 U.S.C. Section 3401), and its subsequent

4-1 amendments.

4-2 ( To the extent that a covered entity engages in

4-3 activities of a financial institution, or authorizes, processes,

4-4 clears, settles, bills, transfers, reconciles, or collects payments

4-5 for a financial institution, this chapter and any rule adopted

4-6 under this chapter does not apply to the covered entity with

4-7 respect to those activities, including the following:

4-8 (1) using or disclosing information to authorize,

4-9 process, clear, settle, bill, transfer, reconcile, or collect a

4-10 payment for, or related to, health plan premiums or health care, if

4-11 the payment is made by any means, including a credit, debit, or

4-12 other payment card, an account, a check, or an electronic funds

4-13 transfer; and

4-14 (2) requesting, using, or disclosing information with

4-15 respect to a payment described by Subdivision (1):

4-16 (A) for transferring receivables;

4-17 ( for auditing;

4-18 © in connection with a customer dispute or an

4-19 inquiry from or to a customer;

4-20 (D) in a communication to a customer of the

4-21 entity regarding the customer's transactions, payment card,

4-22 account, check, or electronic funds transfer;

4-23 (E) for reporting to consumer reporting

4-24 agencies; or

4-25 (F) for complying with a civil or criminal

4-26 subpoena or a federal or state law regulating the covered entity.

4-27 Sec. 181.053. NONPROFIT AGENCIES. The department shall by

5-1 rule exempt from this chapter a nonprofit agency that pays for

5-2 health care services or prescription drugs for an indigent person

5-3 only if the agency's primary business is not the provision of

5-4 health care or reimbursement for health care services.

5-5 Sec. 181.054. WORKERS' COMPENSATION. This chapter does not

5-6 apply to:

5-7 (1) workers' compensation insurance or a function

5-8 authorized by Title 5, Labor Code; or

5-9 (2) any person or entity in connection with providing,

5-10 administering, supporting, or coordinating any of the benefits

5-11 under a self-insured program for workers' compensation.

5-12 Sec. 181.055. EMPLOYEE BENEFIT PLAN. This chapter does not

5-13 apply to:

5-14 (1) an employee benefit plan; or

5-15 (2) any covered entity, health care entity, or other

5-16 person, insofar as the entity or person is acting in connection

5-17 with an employee benefit plan.

5-18 Sec. 181.056. AMERICAN RED CROSS. This chapter does not

5-19 prohibit the American Red Cross from accessing any information

5-20 necessary to perform its duties to provide disaster relief,

5-21 disaster communication, or emergency leave verification services

5-22 for military personnel.

5-23 Sec. 181.057. INFORMATION RELATING TO OFFENDERS WITH MENTAL

5-24 IMPAIRMENTS. This chapter does not apply to an agency described by

5-25 Section 614.017 with respect to the disclosure, receipt, transfer,

5-26 or exchange of medical and health information and records relating

5-27 to individuals in the custody of an agency or in community

6-1 supervision.

6-2 Sec. 181.058. EDUCATIONAL RECORDS. In this chapter,

6-3 protected health information does not include:

6-4 (1) education records covered by the Family

6-5 Educational Rights and Privacy Act of 1974 (20 U.S.C. Section

6-6 1232g) and its subsequent amendments; or

6-7 (2) records described by 20 U.S.C. Section

6-8 1232g(a)(4)((iv) and its subsequent amendments.

6-9 (Sections 181.059-181.100 reserved for expansion

6-10 SUBCHAPTER C. ACCESS TO AND USE OF HEALTH CARE INFORMATION

6-11 Sec. 181.101. COMPLIANCE WITH FEDERAL REGULATIONS. (a) A

6-12 covered entity shall comply with the Health Insurance Portability

6-13 and Accountability Act and Privacy Standards relating to:

6-14 (1) an individual's access to the individual's

6-15 protected health information;

6-16 (2) amendment of protected health information;

6-17 (3) uses and disclosures of protected health

6-18 information, including requirements relating to consent; and

6-19 (4) notice of privacy practices for protected health

6-20 information.

6-21 ( To the extent that this chapter differs from the Health

6-22 Insurance Portability and Accountability Act and Privacy Standards,

6-23 this chapter controls if the provisions of this chapter are clearly

6-24 more restrictive than the provisions of the Health Insurance

6-25 Portability and Accountability Act and Privacy Standards.

6-26 Sec. 181.102. INFORMATION FOR RESEARCH. (a) A covered

6-27 entity or health care entity may disclose protected health

7-1 information to a person performing health research, regardless of

7-2 the source of funding of the research, for the purpose of

7-3 conducting health research, only if the person performing health

7-4 research has obtained:

7-5 (1) individual consent or authorization for use or

7-6 disclosure of protected health information for research required by

7-7 federal law;

7-8 (2) the express written authorization of the

7-9 individual required by this chapter;

7-10 (3) documentation that a waiver of individual consent

7-11 or authorization required for use or disclosure of protected health

7-12 information has been granted by an institutional review board or

7-13 privacy board as required under federal law; or

7-14 (4) documentation that a waiver of the individual's

7-15 express written authorization required by this chapter has been

7-16 granted by a privacy board established under this section.

7-17 ( A privacy board:

7-18 (1) must consist of members with varying backgrounds

7-19 and appropriate professional competency as necessary to review the

7-20 effect of the research protocol for the project or projects on the

7-21 privacy rights and related interests of the individuals whose

7-22 protected health information would be used or disclosed;

7-23 (2) must include at least one member who is not

7-24 affiliated with the covered entity or health care entity or an

7-25 entity conducting or sponsoring the research, and not related to

7-26 any person who is affiliated with an entity described by this

7-27 subsection; and

8-1 (3) may not have any member participating in the

8-2 review of any project in which the member has a conflict of

8-3 interest.

8-4 © A privacy board may grant a waiver of the express

8-5 written authorization for the use of protected health information

8-6 if the privacy board obtains the following documentation:

8-7 (1) a statement identifying the privacy board and the

8-8 date on which the waiver of the express written authorization was

8-9 approved by the privacy board;

8-10 (2) a statement that the privacy board has determined

8-11 that the waiver satisfies the following criteria:

8-12 (A) the use or disclosure of protected health

8-13 information involves no more than minimal risk to the affected

8-14 individuals;

8-15 ( the waiver will not adversely affect the

8-16 privacy rights and welfare of those individuals;

8-17 © the research could not practicably be

8-18 conducted without the waiver;

8-19 (D) the research could not practicably be

8-20 conducted without access to and use of the protected health

8-21 information;

8-22 (E) the privacy risks to individuals whose

8-23 protected health information is to be used or disclosed are

8-24 reasonable in relation to the anticipated benefits, if any, to the

8-25 individuals and the importance of the knowledge that may reasonably

8-26 be expected to result from the research;

8-27 (F) there is an adequate plan to protect the

9-1 identifiers from improper use and disclosure;

9-2 (G) there is an adequate plan to destroy the

9-3 identifiers at the earliest opportunity consistent with conduct of

9-4 the research, unless there is a health or research justification

9-5 for retaining the identifiers or the retention is otherwise

9-6 required by law; and

9-7 (H) there are adequate written assurances that

9-8 the protected health information will not be reused or disclosed to

9-9 another person or entity, except:

9-10 (i) as required by law;

9-11 (ii) for authorized oversight of the

9-12 research project; or

9-13 (iii) for other research for which the use

9-14 or disclosure of protected health information would be permitted by

9-15 state or federal law;

9-16 (3) a brief description of the protected health

9-17 information for which use or access has been determined to be

9-18 necessary by the privacy board under Subdivision (2)(D); and

9-19 (4) a statement that the waiver of express written

9-20 authorization has been approved by the privacy board following the

9-21 procedures under Subsection (e).

9-22 (d) A waiver must be signed by the presiding officer of the

9-23 privacy board or the presiding officer's designee.

9-24 (e) The privacy board must review the proposed research at a

9-25 convened meeting at which a majority of the privacy board members

9-26 are present, including at least one member who satisfies the

9-27 requirements of Subsection ((2). The waiver of express written

10-1 authorization must be approved by the majority of the privacy board

10-2 members present at the meeting, unless the privacy board elects to

10-3 use an expedited review procedure. The privacy board may use an

10-4 expedited review procedure only if the research involves no more

10-5 than minimal risk to the privacy of the individual who is the

10-6 subject of the protected health information of which use or

10-7 disclosure is being sought. If the privacy board elects to use an

10-8 expedited review procedure, the review and approval of the waiver

10-9 of express written authorization may be made by the presiding

10-10 officer of the privacy board or by one or more members of the

10-11 privacy board as designated by the presiding officer.

10-12 (f) A covered entity or health care entity may disclose

10-13 protected health information to a person performing health research

10-14 if the covered entity or health care entity obtains from the person

10-15 performing the health research representations that:

10-16 (1) use or disclosure is sought solely to review

10-17 protected health information as necessary to prepare a research

10-18 protocol or for similar purposes preparatory to research;

10-19 (2) no protected health information is to be removed

10-20 from the covered entity or health care entity by the person

10-21 performing the health research in the course of the review; and

10-22 (3) the protected health information for which use or

10-23 access is sought is necessary for the research purposes.

10-24 (g) A person who is the subject of protected health

10-25 information collected or created in the course of a clinical

10-26 research trial may access the information at the conclusion of the

10-27 research trial.

11-1 Sec. 181.103. DISCLOSURE OF INFORMATION TO PUBLIC HEALTH

11-2 AUTHORITY. A covered entity may use or disclose protected health

11-3 information without the express written authorization of the

11-4 individual for public health activities or to comply with the

11-5 requirements of any federal or state health benefit program or any

11-6 federal or state law. A covered entity may disclose protected

11-7 health information:

11-8 (1) to a public health authority that is authorized by

11-9 law to collect or receive such information for the purpose of

11-10 preventing or controlling disease, injury, or disability, including

11-11 the reporting of disease, injury, vital events such as birth or

11-12 death, and the conduct of public health surveillance, public health

11-13 investigations, and public interventions;

11-14 (2) to a public health authority or other appropriate

11-15 government authority authorized by law to receive reports of child

11-16 or adult abuse, neglect, or exploitation; and

11-17 (3) to any state agency in conjunction with a federal

11-18 or state health benefit program.

11-19 (Sections 181.104-181.150 reserved for expansion

11-20 SUBCHAPTER D. PROHIBITED ACTS

11-21 Sec. 181.151. REIDENTIFIED INFORMATION. A person may not

11-22 reidentify or attempt to reidentify an individual who is the

11-23 subject of any protected health information without obtaining the

11-24 individual's consent or authorization if required under this

11-25 chapter or other state or federal law.

11-26 Sec. 181.152. MARKETING USES OF INFORMATION. (a) A covered

11-27 entity may not disclose, use, or sell or coerce an individual to

12-1 consent to the disclosure, use, or sale of protected health

12-2 information, including prescription patterns, for marketing

12-3 purposes without the consent or authorization of the individual who

12-4 is the subject of the protected health information.

12-5 ( A written marketing communication must be sent in an

12-6 envelope showing only the addresses of sender and recipient and

12-7 must:

12-8 (1) state the name and toll-free number of the health

12-9 care entity sending the marketing communication; and

12-10 (2) explain the recipient's right to have the

12-11 recipient's name removed from the sender's mailing list.

12-12 © A person who receives a request under Subsection ((2)

12-13 to remove a person's name from a mailing list shall remove the

12-14 person's name not later than the fifth day after the date the

12-15 person receives the request.

12-16 (Sections 181.153-181.200 reserved for expansion

12-17 SUBCHAPTER E. ENFORCEMENT

12-18 Sec. 181.201. INJUNCTIVE RELIEF; CIVIL PENALTY. (a) The

12-19 attorney general may institute an action for injunctive relief to

12-20 restrain a violation of this chapter.

12-21 ( In addition to the injunctive relief provided by

12-22 Subsection (a), the attorney general may institute an action for

12-23 civil penalties against a covered entity or health care entity for

12-24 a violation of this chapter. A civil penalty assessed under this

12-25 section may not exceed $3,000 for each violation.

12-26 © If the court in which an action under Subsection ( is

12-27 pending finds that the violations have occurred with a frequency as

13-1 to constitute a pattern or practice, the court may assess a civil

13-2 penalty not to exceed $250,000.

13-3 Sec. 181.202. DISCIPLINARY ACTION. In addition to the

13-4 penalties prescribed by this chapter, a violation of this chapter

13-5 by an individual or facility that is licensed by an agency of this

13-6 state is subject to investigation and disciplinary proceedings,

13-7 including probation or suspension by the licensing agency. If

13-8 there is evidence that the violations of this chapter constitute a

13-9 pattern or practice, the agency may revoke the individual's or

13-10 facility's license.

13-11 Sec. 181.203. EXCLUSION FROM STATE PROGRAMS. In addition to

13-12 the penalties prescribed by this chapter, a covered entity shall be

13-13 excluded from participating in any state-funded health care program

13-14 if there is evidence that the covered entity engaged in a pattern

13-15 or practice of violating this chapter.

13-16 Sec. 181.204. AVAILABILITY OF OTHER REMEDIES. This chapter

13-17 does not affect any right of a person under other law to bring a

13-18 cause of action or otherwise seek relief with respect to conduct

13-19 that is a violation of this chapter.

13-20 SECTION 2. Title 1, Insurance Code, is amended by adding

13-21 Chapter 28B to read as follows:

13-22 CHAPTER 28B. PRIVACY OF HEALTH INFORMATION

13-23 SUBCHAPTER A. GENERAL PROVISIONS

13-24 Art. 28B.01. DEFINITIONS. In this chapter:

13-25 (1) " Health information " means any information or data

13-26 regarding an individual, other than age or gender, whether oral or

13-27 recorded in any form or medium, that is created by or derived from

14-1 a health care provider or the individual and that relates to:

14-2 (A) the past, present, or future physical,

14-3 mental, or behavioral health or condition of an individual;

14-4 ( the provision of health care to an

14-5 individual; or

14-6 © payment for the provision of health care to

14-7 an individual.

14-8 (2) " Licensee " means a person who holds or is required

14-9 to hold a license, registration, certificate of authority, or other

14-10 authority under this code or another insurance law of this state.

14-11 The term includes an insurance company, group hospital service

14-12 corporation, mutual insurance company, local mutual aid

14-13 association, statewide mutual assessment company, stipulated

14-14 premium insurance company, health maintenance organization,

14-15 reciprocal or interinsurance exchange, Lloyd's plan, fraternal

14-16 benefit society, county mutual insurer, farm mutual insurer, or

14-17 insurance agent.

14-18 (3) " Nonpublic personal health information " means

14-19 health information:

14-20 (A) that identifies an individual who is the

14-21 subject of the information; or

14-22 ( with respect to which there is a reasonable

14-23 basis to believe that the information could be used to identify an

14-24 individual.

14-25 Art. 28B.02. PERSONALLY IDENTIFIABLE HEALTH INFORMATION:

14-26 PRIVACY NOTICE AND DISCLOSURE AUTHORIZATION. (a) A licensee must

14-27 obtain an authorization to disclose any nonpublic personal health

15-1 information before making such a disclosure.

15-2 ( The request for authorization required by this article

15-3 may be in written or electronic form and must:

15-4 (1) state the identity of the consumer or customer who

15-5 is the subject of the nonpublic personal health information;

15-6 (2) describe:

15-7 (A) the types of nonpublic personal health

15-8 information to be disclosed;

15-9 ( the parties to whom the licensee discloses

15-10 nonpublic personal health information;

15-11 © the purpose of the disclosure;

15-12 (D) how the information will be used; and

15-13 (E) the procedure for revoking the

15-14 authorization;

15-15 (3) include the signature and date signed of:

15-16 (A) the consumer or customer who is the subject

15-17 of the nonpublic personal health information; or

15-18 ( the individual who is legally empowered to

15-19 grant authority;

15-20 (4) provide notice:

15-21 (A) of the length of time for which the

15-22 authorization is valid; and

15-23 ( that the consumer or customer may revoke the

15-24 authorization at any time; and

15-25 (5) specify the amount of time that the authorization

15-26 remains valid, which may not exceed 24 months.

15-27 © The right of a consumer or customer to revoke an

16-1 authorization at any time is subject to the rights of an individual

16-2 who acted in reliance on the authorization before receiving notice

16-3 of a revocation.

16-4 (d) The licensee shall retain the original or a copy of the

16-5 authorization in the record of the individual who is the subject of

16-6 the nonpublic personal health information.

16-7 Art. 28B.03. DELIVERY OF AUTHORIZATION. (a) A request for

16-8 authorization and an authorization form may be delivered to a

16-9 consumer or a customer if the request and the authorization form

16-10 are clear and conspicuous.

16-11 ( A licensee must include delivery of the authorization in

16-12 a notice to the consumer or customer only if the licensee intends

16-13 to disclose protected health information under this chapter.

16-14 Art. 28B.04. EXCEPTIONS. A licensee may disclose nonpublic

16-15 personal health information to the extent that the disclosure is

16-16 necessary to perform the following insurance functions on behalf of

16-17 that licensee:

16-18 (1) the investigation or reporting of actual or

16-19 potential fraud, misrepresentation, or criminal activity;

16-20 (2) underwriting;

16-21 (3) the placement or issuance of an insurance policy;

16-22 (4) loss control services;

16-23 (5) ratemaking and guaranty fund functions;

16-24 (6) reinsurance and excess loss insurance;

16-25 (7) risk management;

16-26 (8) case management;

16-27 (9) disease management;

17-1 (10) quality assurance;

17-2 (11) quality improvement;

17-3 (12) performance evaluation;

17-4 (13) health care provider credentialing verification;

17-5 (14) utilization review;

17-6 (15) peer review activities;

17-7 (16) actuarial, scientific, medical, or public policy

17-8 research;

17-9 (17) grievance procedures;

17-10 (18) the internal administration of compliance,

17-11 managerial, and information systems;

17-12 (19) policyholder services;

17-13 (20) auditing;

17-14 (21) reporting;

17-15 (22) database security;

17-16 (23) the administration of consumer disputes and

17-17 inquiries;

17-18 (24) external accreditation standards;

17-19 (25) the replacement of a group benefit plan or

17-20 workers' compensation policy or program;

17-21 (26) activities in connection with a sale, merger,

17-22 transfer, or exchange of all or part of a business or operating

17-23 unit;

17-24 (27) any activity that permits disclosure without

17-25 authorization under the federal Health Insurance Portability and

17-26 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), as

17-27 amended;

18-1 (28) disclosure that is required, or is a lawful or

18-2 appropriate method to enforce the licensee's rights or the rights

18-3 of other persons engaged, in carrying out a transaction or

18-4 providing a product or service that the consumer requests or

18-5 authorizes;

18-6 (29) claims administration, adjustment, and

18-7 management;

18-8 (30) any activity otherwise permitted by law, required

18-9 pursuant to a governmental reporting authority, or required to

18-10 comply with legal process; and

18-11 (31) any other insurance functions that the

18-12 commissioner approves that are:

18-13 (A) necessary for appropriate performance of

18-14 insurance functions; and

18-15 ( fair and reasonable to the interests of

18-16 consumers.

18-17 Art. 28B.05. EXCEPTION FOR COMPLIANCE WITH FEDERAL RULES.

18-18 This subchapter does not apply to a licensee who is required to

18-19 comply with the standards governing the privacy of individually

18-20 identifiable health information adopted by the United States

18-21 Secretary of Health and Human Services under Section 262(a), Health

18-22 Insurance Portability and Accountability Act of 1996 (42 U.S.C.

18-23 Sections 1320d-1320d-8).

18-24 Art. 28B.06. PROTECTION OF FAIR CREDIT REPORTING ACTS.

18-25 (a) This chapter may not be construed to modify, limit, or

18-26 supersede the operation of the Fair Credit Reporting Act (15 U.S.C.

18-27 Section 1681 et seq.) and an inference may not be drawn based on

19-1 this chapter regarding whether information is transaction or

19-2 experience information under Section 603 of that Act (15 U.S.C.

19-3 Section 1681a).

19-4 ( This chapter does not preempt or supersede a state law

19-5 related to medical record, health, or insurance information privacy

19-6 that is in effect on July 1, 2002.

19-7 Art. 28B.07. VIOLATION; PENALTIES. (a) A licensee may not

19-8 knowingly or wilfully violate this chapter.

19-9 ( The department may investigate any alleged violation of

19-10 this chapter and may impose fines and other sanctions as determined

19-11 to be appropriate in accordance with Chapters 82 and 84 of this

19-12 code and the other insurance laws of this state.

19-13 Art. 28B.08. RULES. The commissioner may adopt rules as

19-14 necessary to implement this chapter.

19-15 SECTION 3. (a) Chapter 181, Health and Safety Code, as

19-16 added by this Act, takes effect September 1, 2001. A covered

19-17 entity shall comply with the requirements of Chapter 181, Health

19-18 and Safety Code, as added by this Act, not later than September 1,

19-19 2003.

19-20 ( Chapter 28B, Insurance Code, as added by this Act, takes

19-21 effect January 1, 2002.

19-22 © The commissioner of insurance may delay the date for

19-23 compliance with Chapter 28B, Insurance Code, as added by this Act,

19-24 if the commissioner determines that an entity needs more time to

19-25 establish policies and systems to comply with the requirements of

19-26 that chapter.

19-27 (d) An authorization or consent granting access to an

20-1 individual's health care records executed before the effective date

20-2 of this Act is governed by the law in effect when the authorization

20-3 or consent was executed, and the former law continues in effect for

20-4 that purpose.