Sec. 182.108. STANDARDS FOR ELECTRONIC SHARING OF PROTECTED HEALTH INFORMATION; COVERED ENTITY CERTIFICATION. (a) The corporation shall develop and submit to the commission for ratification privacy and security standards for the electronic sharing of protected health information.
(b) The commission shall review and the executive commissioner by rule shall adopt acceptable standards submitted for ratification under Subsection (a).
(c) Standards adopted under Subsection (b) must be designed to:
(1) comply with the Health Insurance Portability and Accountability Act and Privacy Standards and Chapter 181;
(2) comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity;
(3) ensure the secure maintenance and disclosure of personally identifiable health information;
(4) include strategies and procedures for disclosing personally identifiable health information; and
(5) support a level of system interoperability with existing health record databases in this state that is consistent with emerging standards.
(d) The corporation shall establish a process by which a covered entity may apply for certification by the corporation of a covered entity's past compliance with standards adopted under Subsection (b).
(e) The corporation shall publish the standards adopted under Subsection (b) on the corporation's Internet website.
(f) Subsections (a)-(e) and this subsection expire September 1, 2021.
Text of subsection effective on September 01, 2021
(g) The privacy and security standards for the electronic sharing of protected health information adopted under this section and in effect on September 1, 2021, continue until amended by rule by the commission.
Text of subsection effective on September 01, 2021
(h) In amending standards under Subsection (g), the commission shall seek the assistance of a private nonprofit organization with relevant knowledge and experience in establishing statewide health information exchange capabilities.
Text of subsection effective on September 01, 2021
(i) Standards amended under Subsection (g) must be designed to:
(1) comply with the Health Insurance Portability and Accountability Act and Privacy Standards and Chapter 181;
(2) comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity;
(3) ensure the secure maintenance and disclosure of individually identifiable health information;
(4) include strategies and procedures for disclosing individually identifiable health information; and
(5) support a level of system interoperability with existing health record databases in this state that is consistent with emerging standards.
Text of subsection effective on September 01, 2021
(j) The commission shall designate a private nonprofit organization with relevant knowledge and experience in establishing statewide health information exchange capabilities to establish a process by which a covered entity may apply for certification by the designated private nonprofit organization of a covered entity's past compliance with standards adopted under this section. If a private nonprofit organization with relevant knowledge and experience in establishing statewide health information exchange capabilities does not exist, the commission shall either:
(1) establish the process described by this subsection; or
(2) designate another entity with relevant knowledge to establish the process described by this subsection.
Text of subsection effective on September 01, 2021
(k) The entity that establishes the process under Subsection (j) shall publish the standards adopted under this section on the entity's Internet website.
Text of subsection effective on September 01, 2021
(l) The commission shall ensure that any fee charged for the certification process described in Subsection (j) by the private nonprofit organization or entity designated under that subsection, including a person acting on behalf of a designated organization or entity, is reasonable. If the commission establishes the process as described by Subsection (j)(1), the commission shall set a reasonable fee for the certification process.
Text of subsection effective on September 01, 2021
(m) For good cause, the commission may revoke the designation or authority of a private nonprofit organization or entity to establish the process or offer certifications under Subsection (j).
Text of subsection effective on September 01, 2021
(n) In this section:
(1) "Covered entity" has the meaning assigned by Section 181.001.
(2) "Disclose" has the meaning assigned by Section 181.001.
(3) "Health Insurance Portability and Accountability Act and Privacy Standards" has the meaning assigned by Section 181.001.
(4) "Individually identifiable health information" means individually identifiable health information as that term is defined by the privacy rule of the Health Insurance Portability and Accountability Act and Privacy Standards.
(5) "Protected health information" means protected health information as that term is defined by the privacy rule of the Health Insurance Portability and Accountability Act and Privacy Standards.
Added by Acts 2011, 82nd Leg., R.S., Ch. 1126 (H.B. 300), Sec. 13, eff. September 1, 2012.
Amended by:
Acts 2015, 84th Leg., R.S., Ch. 1 (S.B. 219), Sec. 3.0526, eff. April 2, 2015.
Acts 2015, 84th Leg., R.S., Ch. 12 (S.B. 203), Sec. 15(a), eff. September 1, 2015.
Acts 2015, 84th Leg., R.S., Ch. 12 (S.B. 203), Sec. 15(b), eff. September 1, 2021.
Last modified: September 28, 2016