Texas Health and Safety Code

As effective September 1, 2019

Subchapter E

Sec. 181.201: Injunctive Relief; Civil Penalty

(a) The attorney general may institute an action for injunctive relief to restrain a violation of this chapter.

(b) In addition to the injunctive relief provided by Subsection (a), the attorney general may institute an action for civil penalties against a covered entity for a violation of this chapter. A civil penalty assessed under this section may not exceed:

(1) $5,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed negligently;

(2) $25,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed knowingly or intentionally; or

(3) $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.

(b-1) The total amount of a penalty assessed against a covered entity under Subsection (b) in relation to a violation or violations of Section 181.154 may not exceed $250,000 annually if the court finds that the disclosure was made only to another covered entity and only for a purpose described by Section 181.154(c) and the court finds that:

(1) the protected health information disclosed was encrypted or transmitted using encryption technology designed to protect against improper disclosure;

(2) the recipient of the protected health information did not use or release the protected health information; or

(3) at the time of the disclosure of the protected health information, the covered entity had developed, implemented, and maintained security policies, including the education and training of employees responsible for the security of protected health information.

(c) If the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, the court may assess a civil penalty not to exceed $1.5 million annually.

(d) In determining the amount of a penalty imposed under Subsection (b), the court shall consider:

(1) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

(2) the covered entity's compliance history;

(3) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

(4) whether the covered entity was certified at the time of the violation as described by Section 182.108;

(5) the amount necessary to deter a future violation; and

(6) the covered entity's efforts to correct the violation.

(e) The attorney general may institute an action against a covered entity that is licensed by a licensing agency of this state for a civil penalty under this section only if the licensing agency refers the violation to the attorney general under Section 181.202(2).

(f) The office of the attorney general may retain a reasonable portion of a civil penalty recovered under this section, not to exceed amounts specified in the General Appropriations Act, for the enforcement of this subchapter.

Comments

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Amended by:

Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 8, eff. September 1, 2012.

Sec. 181.202: Disciplinary Action

In addition to the penalties prescribed by this chapter, a violation of this chapter by a covered entity that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency. If there is evidence that the violations of this chapter are egregious and constitute a pattern or practice, the agency may:

(1) revoke the covered entity's license; or

(2) refer the covered entity's case to the attorney general for the institution of an action for civil penalties under Section 181.201(b).

Comments

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Amended by:

Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 9, eff. September 1, 2012.

Sec. 181.203: Exclusion from State Programs

In addition to the penalties prescribed by this chapter, a covered entity shall be excluded from participating in any state-funded health care program if a court finds the covered entity engaged in a pattern or practice of violating this chapter.

Comments

Added by Acts 2001, 77th Leg., ch. 1511, Sec. 1, eff. Sept. 1, 2001.

Sec. 181.205: Mitigation

(a) In an action or proceeding to impose an administrative penalty or assess a civil penalty for actions related to the disclosure of individually identifiable health information, a covered entity may introduce, as mitigating evidence, evidence of the entity's good faith efforts to comply with:

(1) state law related to the privacy of individually identifiable health information; or

(2) the Health Insurance Portability and Accountability Act and Privacy Standards.

(b) In determining the amount of a penalty imposed under other law in accordance with Section 181.202, a court or state agency shall consider the following factors:

(1) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;

(2) the covered entity's compliance history;

(3) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;

(4) whether the covered entity was certified at the time of the violation as described by Section 182.108;

(5) the amount necessary to deter a future violation; and

(6) the covered entity's efforts to correct the violation.

(c) On receipt of evidence under Subsections (a) and (b), a court or state agency shall consider the evidence and mitigate imposition of an administrative penalty or assessment of a civil penalty accordingly.

Comments

Added by Acts 2003, 78th Leg., ch. 924, Sec. 7, eff. Sept. 1, 2003.

Amended by:

Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 10, eff. September 1, 2012.

Sec. 181.206: Audits of Covered Entities

(a) The commission, in coordination with the attorney general and the Texas Department of Insurance:

(1) may request that the United States secretary of health and human services conduct an audit of a covered entity, as that term is defined by 45 C.F.R. Section 160.103, in this state to determine compliance with the Health Insurance Portability and Accountability Act and Privacy Standards; and

(2) shall periodically monitor and review the results of audits of covered entities in this state conducted by the United States secretary of health and human services.

(a-1) Notwithstanding Subsection (a), the commission shall also coordinate with the Texas Health Services Authority when requesting an audit or monitoring and reviewing the results of an audit under Subsection (a). This subsection expires September 1, 2021.

(b) If the commission has evidence that a covered entity has committed violations of this chapter that are egregious and constitute a pattern or practice, the commission may:

(1) require the covered entity to submit to the commission the results of a risk analysis conducted by the covered entity if required by 45 C.F.R. Section 164.308(a)(1)(ii)(A); or

(2) if the covered entity is licensed by a licensing agency of this state, request that the licensing agency conduct an audit of the covered entity's system to determine compliance with the provisions of this chapter.

(c) The commission annually shall submit to the appropriate standing committees of the senate and the house of representatives a report regarding the number of federal audits of covered entities in this state and the number of audits required under Subsection (b).

Comments

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 11, eff. September 1, 2012.

Amended by:

Acts 2015, 84th Leg., R.S., Ch. 12 (S.B. 203), Sec. 2, eff. September 1, 2015.

Sec. 181.207: Funding

(a) The commission and the Texas Department of Insurance shall apply for and actively pursue available federal funding for enforcement of this chapter.

(b) Notwithstanding Subsection (a), the commission and the Texas Department of Insurance shall consult with the Texas Health Services Authority when applying for or pursuing federal funding under Subsection (a). This subsection expires September 1, 2021.

Comments

Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 11, eff. September 1, 2012.

Amended by:

Acts 2015, 84th Leg., R.S., Ch. 12 (S.B. 203), Sec. 3, eff. September 1, 2015.