Texas Health and Safety Code

As effective September 1, 2019

Subchapter D

Sec. 181.151: Reidentified Information

A person may not reidentify or attempt to reidentify an individual who is the subject of any protected health information without obtaining the individual's consent or authorization if required under this chapter or other state or federal law.

Comments

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Sec. 181.152: Marketing Uses of Information

(a) A covered entity must obtain clear and unambiguous permission in written or electronic form to use or disclose protected health information for any marketing communication, except if the communication is:

(1) in the form of a face-to-face communication made by a covered entity to an individual;

(2) in the form of a promotional gift of nominal value provided by the covered entity;

(3) necessary for administration of a patient assistance program or other prescription drug savings or discount program; or

(4) made at the oral request of the individual.

(b) If a covered entity uses or discloses protected health information to send a written marketing communication through the mail, the communication must be sent in an envelope showing only the names and addresses of sender and recipient and must:

(1) state the name and toll-free number of the entity sending the marketing communication; and

(2) explain the recipient's right to have the recipient's name removed from the sender's mailing list.

(c) A person who receives a request under Subsection (b)(2) to remove a person's name from a mailing list shall remove the person's name not later than the 45th day after the date the person receives the request.

(d) A marketing communication made at the oral request of the individual under Subsection (a)(4) may be made only if clear and unambiguous oral permission for the use or disclosure of the protected health information is obtained. The marketing communication must be limited to the scope of the oral permission and any further marketing communication must comply with the requirements of this section.

Comments

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001. Amended by Acts 2003, 78th Leg., ch. 924, Sec. 6, eff. Jan. 1, 2004.

Sec. 181.153: Sale of Protected Health Information Prohibited; Exceptions

(a) A covered entity may not disclose an individual's protected health information to any other person in exchange for direct or indirect remuneration, except that a covered entity may disclose an individual's protected health information:

(1) to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001, Insurance Code, for the purpose of:

(A) treatment;

(B) payment;

(C) health care operations; or

(D) performing an insurance or health maintenance organization function described by Section 602.053, Insurance Code; or

(2) as otherwise authorized or required by state or federal law.

(b) The direct or indirect remuneration a covered entity receives for making a disclosure of protected health information authorized by Subsection (a)(1)(D) may not exceed the covered entity's reasonable costs of preparing or transmitting the protected health information.

Comments

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 7, eff. September 1, 2012.

Sec. 181.154: Notice and Authorization Required for Electronic Disclosure of Protected Health Information; Exceptions

(a) A covered entity shall provide notice to an individual for whom the covered entity creates or receives protected health information if the individual's protected health information is subject to electronic disclosure. A covered entity may provide general notice by:

(1) posting a written notice in the covered entity's place of business;

(2) posting a notice on the covered entity's Internet website; or

(3) posting a notice in any other place where individuals whose protected health information is subject to electronic disclosure are likely to see the notice.

(b) Except as provided by Subsection (c), a covered entity may not electronically disclose an individual's protected health information to any person without a separate authorization from the individual or the individual's legally authorized representative for each disclosure. An authorization for disclosure under this subsection may be made in written or electronic form or in oral form if it is documented in writing by the covered entity.

(c) The authorization for electronic disclosure of protected health information described by Subsection (b) is not required if the disclosure is made:

(1) to another covered entity, as that term is defined by Section 181.001, or to a covered entity, as that term is defined by Section 602.001, Insurance Code, for the purpose of:

(A) treatment;

(B) payment;

(C) health care operations; or

(D) performing an insurance or health maintenance organization function described by Section 602.053, Insurance Code; or

(2) as otherwise authorized or required by state or federal law.

(d) The attorney general shall adopt a standard authorization form for use in complying with this section. The form must comply with the Health Insurance Portability and Accountability Act and Privacy Standards and this chapter.

(e) This section does not apply to a covered entity, as defined by Section 602.001, Insurance Code, if that entity is not a covered entity as defined by 45 C.F.R. Section 160.103.

Comments

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 7, eff. September 1, 2012.