
A LAWYER’S WORK IS NEVER DONE: SAFEGUARDING CLIENT …

Date post: 18-Dec-2021
A LAWYER’S WORK IS NEVER DONE: SAFEGUARDING CLIENT AND OTHER PROTECTED INFORMATION

Moderator: CAREN K. LOCK, Lewisville
Regional Vice President and Associate General Counsel
TIAA-CREF

Panelists:

ESTHER CHAVEZ
Assistant Attorney General¹
Consumer Protection Division
Office of the Texas Attorney General

W. REID WITTLIFF, Austin
Lancaster Helling Grable & Wittliff

Written by: ESTHER CHAVEZ

State Bar of Texas
9TH ANNUAL ADVANCED CONSUMER & COMMERCIAL LAW COURSE
August 22-23, 2013
Houston

CHAPTER 18

¹ The opinions expressed herein are the opinions of the speaker and do not represent the opinions of the Office of the Attorney General and do not constitute legal advice.

Caren K. Lock

Caren K. Lock is the Regional Vice President and Associate General Counsel of TIAA-CREF. In her role at TIAA-CREF, Caren is the primary interface for the company on all legislative, executive, administrative, and regulatory matters in the southwest region. She also directs all legislative lobbying and regulatory advocacy in her states. TIAA-CREF is a $520 billion full-service financial services group of companies that has dedicated itself to helping those in the academic, medical, cultural, and research fields for over 90 years.

Prior to joining TIAA-CREF, Caren was General Counsel with a consumer financial company in the Dallas/Fort Worth area. While serving as General Counsel, she spearheaded a multi-state legislative initiative focused on helping overextended consumers and advocating for balanced consumer protection legislation. Before entering the corporate world, Caren also spent over a decade litigating complex business matters including copyright and trademark infringement, employment discrimination, shareholder and partnership disputes, aviation, and toxic tort.

Caren currently serves on the Board of the Dallas Women’s Foundation. At the Dallas Women’s Foundation, she chairs the Advocacy and Policy Committee. She is also a member of the Founders Board of the University of North Texas School of Law. As a result of the Founders Board’s and community efforts, the citizens of the Dallas/Fort Worth area will have access to an affordable public law school. Previously, Caren has also served on the Boards of the Dallas Bar Association, State of Texas Asian Pacific Interest Section, and was President and former Board member of the Dallas Asian American Bar Association the Center for Nonprofit Management in Dallas. For the last five years, Caren has served on the Texas State Bar Grievance Panel and is Chair of her panel. Caren is a frequent speaker on racial and gender diversity, nonprofit regulatory issues, legal ethics and grievances, generational dynamics, and community activism.


ESTHER CHAVEZ

Esther Chavez is Senior Assistant Attorney General in the Consumer Protection Division of the Austin Office of Texas Attorney General Greg Abbott. Ms. Chavez’ cases on behalf of the Division encompass a broad range of consumer protection and privacy concerns.

Ms. Chavez’ current professional activities include service as chair of the Texas State Bar’s Consumer and Commercial Law Section Council and membership in the American Bar Association’s Antitrust Section. Previously she has served as Chair of the Texas State Bar’s Hispanic Concerns Section and as Vice Chair of its Legal Services to the Poor in Civil Matters Committee.

Ms. Chavez is a frequent speaker on consumer protection topics and has been a presenter at numerous continuing legal education seminars including most recently at the Practising Law Institute’s Annual Institute on Privacy and Data Security Law (2011, 2012 and 2013) and the American Bar Association’s Annual Antitrust Spring Meeting (2011, 2012 and 2013). Ms. Chavez has also been a speaker at the Texas State Bar’s Advanced Consumer & Commercial Law Course, the University of Texas’ Telecom, Broadband and Wireless Conference, the American Conference Institute’s Data Privacy & Information Security Seminar, the National Association of Attorneys General Consumer Protection Conferences and the Texas State Bar’s Poverty Law Conference for Legal Service Attorneys.

Ms. Chavez grew up in the Rio Grande Valley of Texas and obtained her undergraduate and legal education at the University of Texas at Austin and the University of Texas School of Law.


W. REID WITTLIFF, Partner
LANCASTER, HELLING, GRABLE & WITTLIFF, LLP
610 West Lynn
Austin, TX 78703
Phone: (512) 874-6102

A 1994 graduate of the University of Texas School of Law, Reid Wittliff is a commercial litigator focusing on technology and intellectual property disputes. He is also a founder and President of R3 Digital Forensics, LLC, an Austin-based company that provides electronic evidence and digital forensics services to attorneys, corporations and individuals throughout Texas. As a former state and federal prosecutor, he frequently serves as investigative counsel in white collar crime matters. He is a certified mediator and has been appointed by both state and federal courts to serve as a special master to assist such courts in handling e-Discovery or technology-related issues.

Prior to joining Lancaster Helling as a named partner, Mr. Wittliff was a shareholder at the Austin, Texas law firm of Graves, Dougherty, Hearon & Moody, PC. In 2000, then-Texas Attorney General John Cornyn appointed him as the first Division Chief of the Texas Attorney General's Computer Crime Division where he led a team of 14 whose mission was to combat cyber crime across the state of Texas. Before that, Mr. Wittliff served as an Assistant United States Attorney in the Dallas, Texas U.S. Attorney's office and the Sherman, Texas U.S. Attorney's office where he gained significant jury trial experience as lead prosecutor in numerous federal jury trials.

Mr. Wittliff earned a J.D. with Honors from the University of Texas School of Law in 1994 where he was a member of Chancellors and the Order of the Coif. After graduating from law school, Mr. Wittliff served as a judicial law clerk to the Honorable William Wayne Justice, United States District Judge for the Eastern District of Texas. He earned a B.A. cum laude from Vanderbilt University in 1991 and was a member of the College Scholars Honors Program.

Mr. Wittliff is a member of the State Bar of Texas, the American Bar Association and the Austin Bar Association. He is also a member of the American Law Institute and the Robert W. Calvert Chapter of the American Inns of Court. Mr. Wittliff is admitted to practice before all state courts in the State of Texas and the U.S. Court of Appeals for the Fifth Circuit and the U.S. District Courts for the Northern, Southern, Western and Eastern Districts of Texas.


Safeguarding Client and Other Protected Information Chapter 18

TABLE OF CONTENTS

I. INTRODUCTION
II. OVERVIEW OF RELEVANT LAWS AND RULES
III. FEDERAL AND STATE COURT RULES PROVIDING PRIVACY PROTECTION FOR FILINGS WITH THE COURT
IV. DATA SECURITY REQUIREMENTS
V. CONCLUSION
APPENDIX 1
APPENDIX 2
APPENDIX 3


A Lawyer’s Work Is Never Done: Safeguarding Client and Other Protected Information

I. Introduction

Confidentiality has long been described as the bedrock principle of legal ethics and thus, protecting client communications and information has historically been a priority for attorneys. Over the last several years, as the legal profession embraces 21st century technology, lawyers face new risks and challenges in their commitment to safeguard client information. The risks are reflected in media reports of law firm employees losing laptops and flash drives containing sensitive personal information, service providers using client information for identity theft or tax fraud schemes, and law firms suffering data breaches as a result of hacking. The American Bar Association’s 2012 Legal Technology Survey reported that approximately 10 percent of all law firms have experienced a data breach of some type. While stories of hackers and data breaches may seem far-fetched, the reality is that all practitioners from the largest to the smallest have valuable information about their clients, including Social Security numbers, clients’ asset information, and credit card, insurance and medical information. Even as attorneys face new challenges in protecting client information, they face new legal risks because—in addition to the requirements of the Disciplinary Rules of Professional Conduct—a myriad of federal and state laws may apply to the protection of client as well as other types of information.

This paper provides an overview of the laws, rules and data security requirements which may impose obligations on attorneys to safeguard protected information and includes three appendices: (1) a listing of additional privacy and data protection resources for Texas attorneys, including data security best practice recommendations from a variety of sources; (2) a summary of federal consumer protection privacy laws primarily enforced by the Federal Trade Commission; and (3) a listing of Texas laws which provide various measures of protection for specific types of medical records and information, including certain genetic information, test results for HIV and AIDS, hospital records, pharmacy records, donor records, regulatory records and mental health records.

II. Overview of Relevant Laws and Rules

The Texas Disciplinary Rules of Professional Conduct (Rules) provide that except as otherwise permitted or required, a lawyer shall not knowingly “reveal confidential information of a client or a former client to: (i) a person that the client has instructed is not to receive the information; or (ii) anyone else, other than the client, the client’s representatives, or the members, associates, or employees of the lawyer’s law firm.” Confidential information includes both privileged information and unprivileged client information. Unprivileged client information means all information relating to a client, other than privileged information, acquired by the lawyer during the course of or by reason of the representation of the client. Comment 4 related to Rule 1.05 notes that the rule generally extends ethical protection to unprivileged information relating to the client or furnished by the client during the course of or by reason of the representation of the client. See, Tex. Disciplinary R. Prof’l Conduct 1.05(a) and (b), reprinted in Tex. Gov’t Code Ann., tit. 2, subtit. G, app. A (West 2005 & Supp. 2009).

In addition to the ethical duty to protect client information imposed by the Texas Disciplinary Rules of Professional Conduct, a variety of state and federal laws and rules require the protection of certain defined categories of personal information. Some of these laws are best characterized as privacy laws governing the collection, use and disclosure of personal information. Others are best characterized as information security laws focusing on the protection of information against unlawful or unauthorized access, disclosure, use, loss or destruction. The following summary listings are not intended to serve as a detailed or nuanced analysis of each of these laws but rather to alert practitioners to the basic requirements.

A. Relevant state laws include the following:

1. Tex. Bus. & Com. Code § 72.004, Disposal of Business Records Containing Personal Identifying Information: When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing, or other means, the personal identifying information so as to make the information unreadable or undecipherable. Tex. Bus. & Com. Code Ann. § 72.004 (West 2009). Exceptions include financial institutions as defined by 15 U.S.C. 6809 and entities defined by 601.001 of the Texas Insurance Code. Id. Violators are subject to a civil penalty of up to $500 for each business record. Id. A business is considered to be in compliance if it contracts with a person engaged in the business of disposing of records for the modification of PII on behalf of the business. Id.

2. Tex. Bus. & Com. Code § 501.052, Privacy Policy Necessary to Require Disclosure of Social Security Number: A person may not require an individual to disclose the individual’s social security number (SSN) to obtain goods or services from or enter into a business transaction with the person unless the person (i) adopts a privacy policy; (ii) makes the privacy policy available to the individual; and (iii) maintains under the privacy policy the confidentiality and security of the SSN disclosed to the person. Tex. Bus. & Com. Code Ann. § 501.052 (West 2009). The privacy policy must include: (i) how personal information is collected; (ii) how and when the personal information is used; (iii) how the personal information is protected; (iv) who has access to the personal information; and (v) method of disposal of the personal information. Id. Certain entities are exempt including those required to maintain privacy policies under the federal Gramm-Leach Bliley Act, the federal Family Educational Rights and Privacy Act of 1974, and the Health Insurance Portability and Accountability Act of 1996. Tex. Bus. & Com. Code Ann. § 501.051 (West 2009).

3. Tex. Bus. & Com. Code § 501.001-.002, Certain Uses of Social Security Numbers Prohibited: All persons and entities, excluding state agencies, are prohibited from (i) intentionally communicating or otherwise making available to the public an individual’s social security number (SSN); (ii) displaying an individual’s SSN on any card or tag required for the individual to access products or services; (iii) requiring an individual to transmit his or her SSN over the Internet without encryption or a secure connection; (iv) requiring an individual to use his or her SSN to access a website (unless a password or similar authentication device is also required); or (v) printing an individual’s SSN on any mailed materials unless authorized by state or federal law. Tex. Bus. & Com. Code Ann. § 501.001 (West 2009). Certain exceptions apply including allowing SSNs to be included in applications and forms sent by mail as part of an application or enrollment process, or to establish, amend, or terminate an account, contract, or policy or to confirm the accuracy of the SSN. Id. A SSN that is permitted to be mailed may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.

4. Tex. Bus. & Com. Code, Ch. 521, the Texas Identity Theft Enforcement and Protection Act (ITEPA): Requires businesses to (i) implement and maintain reasonable procedures to protect from unlawful use or disclosure any sensitive personal information (SPI) collected or maintained by the business in the regular course of business; (ii) destroy or arrange for the destruction of customer records containing SPI (that are not to be retained) by shredding, erasing or otherwise making the information unreadable or undecipherable. Tex. Bus. & Com. Code Ann. § 521.052 (West 2009). Businesses include nonprofit athletic or sports associations. Id. Section 521.053 requires businesses that operate in Texas, and own or license computerized data that includes sensitive personal information, to disclose any breach of its system security (which means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data) to any person whose information was, or is reasonably believed to have been, acquired by an unauthorized person. Tex. Bus. & Com. Code Ann. § 521.053 (West 2009).

5. Texas Health & Safety Code, Chapter 181, the Texas Medical Records Privacy Act applies to health care providers; health plans; entities that process health insurance claims; and individuals, businesses or organizations which obtain, store or possess protected health information (PHI) as well as their agents, employees and contractors (if they create, receive, obtain, use or transmit PHI). Tex. Health & Safety Code § 181.001 (West 2010). In most instances, the Act prohibits these “covered entities” from using or disclosing PHI without first obtaining an individual’s authorization and requires covered entities to provide relevant compliance training for their employees. Tex. Health & Safety Code § 181.101 (West 2010).

6. Numerous other Texas laws also serve to protect from disclosure specific types of medical records and information, including certain genetic information, test results for HIV and AIDS, hospital records, pharmacy records, donor records, regulatory records and mental health records. Those laws are included here as Appendix 3 and can also be found at the website of the Office of the Texas Attorney General.

7. Tex. Bus. & Com. Code, Chapter 17, the Texas Deceptive Trade Practices Act has been the basis of enforcement actions filed by the Texas Attorney General’s Consumer Protection Division alleging that defendants engaged in false, misleading or deceptive acts or practices with respect to their safeguarding of confidential or protected information.

B. At the federal level, numerous laws and related regulations impact consumer privacy and in some instances may be applicable to attorneys, including:

1. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. 1320d-1320d-8, which requires providers of health care (including mental health care), health plans and other entities that process health insurance claims to ensure the privacy of patient records and PHI. 42 U.S.C. § 1320d-1320d-8 (2012).

2. The Health Information Technology for Economic and Clinical Health Act (the HITECH Act), American Recovery and Reinvestment Act of 2009 (ARRA), Sec. 13001-13424, 4001-4302, Pub.L. No. 111-5, 123 Stat. 260, which imposes information security obligations on HIPAA covered entities and business associates of covered entities. 42 U.S.C. § 17932 (2012).

3. The Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501-6506 (2012), regulates the online collection of personal information from children under 13. The law applies to any website or other online service, including mobile applications directed to children under 13 that collect information from children and to any general audience operator that has actual knowledge that it is collecting personal information from children. Id.

4. The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), 15 U.S.C. 7701-7713 governs email marketing, and while not prohibiting unsolicited email, generally imposes requirements including prohibiting the use of deceptive subject lines or false or misleading header information, requiring that each message include instructions on how to opt out of receiving future email from the sender, and requiring the sender to honor opt-out requests within ten business days. 15 U.S.C. § 7704 (2012). Messages which contain sexually oriented materials must also include the warning “SEXUALLY-EXPLICIT” at the beginning of the subject line. Id.

5. Section 5 of the Federal Trade Commission Act, 15 U.S.C. 45, has been employed by the Federal Trade Commission in enforcement actions against entities which made deceptive or unfair representations regarding their privacy or information security policies.

6. The Fair Credit Reporting Act (FCRA), 15 U.S.C. Sec. 1681(a)-(b), and the Fair and Accurate Credit Transactions Act (FACTA), 15 U.S.C. Sec. 1681-1681x, which govern the collection, dissemination and use of consumer credit information, impose duties and limitations on “consumer reporting agencies” that collect and compile consumer information into “consumer reports” and detailed information security safeguards to help prevent identity theft. See 15 U.S.C. § 1681(a)-(b) (2012). The FTC’s Identity Theft Red Flags Rule implements certain provisions of FCRA and, in relevant part, requires certain entities to develop and implement written identity theft prevention programs. 15 U.S.C. § 1681m(e) (2012). In ABA v. FTC, 671 F. Supp. 2d 64 (D.D.C. 2009), a federal court ruled that law firms were not subject to this Rule.

7. Courts have also exempted law firms from the privacy requirements of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. Sec. 6809, which requires “financial institutions” to ensure the security and confidentiality of customer data, imposes limitations on their ability to share customer information and to provide an annual notice to customers regarding their privacy policies. See ABA v. FTC, 430 F.3d 457 (D.C. Cir. 2005).

III. Federal and State Court Rules Providing Privacy Protection for Filings with the Court

One of the hallmarks of due process is the transparency of the process. Traditionally, this transparency has been achieved in part through public access to court records and judicial proceedings. The use of computer technologies has enhanced that transparency by making information in court files and proceedings easily accessible. That ease of access has led to heightened concerns about the amount of personal information easily found in court records and the resultant risk of identity theft. The federal courts have responded by adopting certain privacy protection measures applicable to filings, and some state district courts encourage or permit litigants to redact sensitive personal information from filings.

A. Federal Rules Requiring Redaction of Personal Information

At the federal level, the courts have adopted rules requiring that filers redact from their filings portions of certain “personal identifier” information, such as Social Security or taxpayer identification numbers, dates of birth, names of minor children, and financial account numbers. In criminal cases, home addresses should include only the city and state. See, Fed. R. App. P. 25(a); Fed. R. Civ. P. 5.2; Fed. R. Crim. P. 49.1; Fed. R. Bankr. P. 9037. At login to the electronic filing system, a message reminds attorneys of their responsibility to redact this private information and requires attorneys to affirmatively acknowledge that they have read the notice and complied with these redaction rules. The Rules generally also provide certain exemptions. See Fed. R. Civ. P. 5.2(b).

Policies of the federal Judicial Conference require court reporters to electronically file transcripts of proceedings which take place in court and require attorneys of record to review and request the redaction of personal identifiers listed in Fed. R. Civ. P. 5.2(a). That review must take place during the first 90 days after the court reporter electronically files the transcript. In response, federal courts have adopted local orders requiring attorneys to comply with these requirements. See Northern District of Texas, amended Misc. Order No. 61, effective May 28, 2008. (http://www.txnd.uscourts.gov/rules/misc_rules.html) Notices and Orders in other federal districts include similar provisions. See Western District of Texas, Amended Privacy Policy and Public Access to Electronic Files, October 29, 2004. (http://www.txwd.uscourts.gov/Rules/StandingOrders/district/paef_order.pdf)

B. State Guidelines Regarding Redaction

At the state court level, the Texas Supreme Court in Miscellaneous Docket Order No. 09-9153 instructs the Clerk of the Court to post redaction guidelines for electronic briefs and those are available at the court’s website. These guidelines do not focus on what information to redact but rather on the process of redaction with the goal of aiding attorneys in preventing the accidental disclosure of information which they intend to redact from electronic briefs submitted to the court for posting on the court’s website. The court’s website includes the National Security Agency’s primer on secure redaction. The approach NSA recommends as the safest calls for completely deleting sensitive information in the original word processing document, replacing it with innocuous filler (such as strings of XXes) as needed, and then converting it to a PDF document. The NSA primer also explains how to check for other potentially sensitive information that might be hidden in a document’s metadata. See http://www.supreme.courts.state.tx.us/ebriefs/RedactionGuidelines.pdf.

The Office of Court Administration’s District Clerk Procedures Manual offers guidance regarding specific types of protected or confidential information which may be redacted from records and filings that are otherwise open to the public. See http://www.courts.state.tx.us/pubs/Manuals/dclerk/dcmanual2011.pdf.

In the 281st District Court of Harris County, litigants are encouraged to redact sensitive data prior to filing a pleading, unless the information is critical to the issue before the court. Sensitive data is defined to include personal identifiable information such as a Social Security number, a driver’s license number, passport number, bank account or credit card number and other financial account information as well as protected medical and/or health information. (http://www.justex.net/courts/civil/CourtSection.aspx?crt=22&sid=27)

Once in litigation, federal and state rules provide mechanisms to protect any information through the course of discovery and trial. Those mechanisms include motions to seal and protective orders. A discussion of those mechanisms is beyond the scope of this paper.

IV. Data Security Requirements

A. Certain Businesses Subject to Extensive Regulation

Certain types of businesses are subject to detailed and extensive regulation regarding data security. The two most obvious examples of this are financial service providers (subject to GLBA) and the healthcare sector (subject to HIPAA and HITECH). Attorneys do not have the “benefit” of these extensive regulatory schemes, and thus face the challenge of deciding what security measures are necessary to fulfill their ethical obligations to protect client information and to comply with any privacy protection laws which may apply to their unique practice.

B. ITEPA Requires “Reasonable Procedures”

The Texas Identity Theft Enforcement and Protection Act (ITEPA) offers a starting point for an analysis of attorneys’ obligations insofar as it requires businesses to implement and maintain “reasonable procedures” to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business. Tex. Bus. & Com. Code § 521.052(a). While the phrase “reasonable procedures” is not defined in ITEPA, privacy specialists suggest that a legal standard for “reasonable” is emerging and that such standard rejects a “one size fits all” approach, instead calling for procedures that are appropriate to the company’s size and complexity, the scope of its activities, the risks it faces, and the sensitivity of the customer information it handles, and that are continually reviewed and updated. This process-oriented standard has come to be known as a requirement to develop, implement, maintain and regularly update a comprehensive written information security program (WISP). See THOMAS J. SMEDINGHOFF, Data Security Requirements for Non-Regulated Business Sectors, Vol. 1, 14th Annual Institute on Data Security and Privacy Law, Page 583 (2013).

C. ABA Model Rule 1.6(c) Requires “Reasonable” Efforts

In August 2012, the American Bar Association added a new Model Rule 1.6(c) which provides: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” New language in the comment to this rule identifies factors that lawyers should take into account in determining whether their efforts are reasonable, including the cost of the safeguards and the sensitivity of the information. See, August 2012 Amendments to ABA Model Rules of Professional Conduct. (http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120808_revised_resolution_105a_as_amended.authcheckdam.pdf)

An ABA law practice article, “Safeguarding Confidential Data: Your Ethical and Legal Obligations,” suggests that “…legal standards that apply in other areas, like financial service, can be helpful in providing a framework even though they do not legally apply to the practice of law” and recommends that attorneys review the FTC’s Safeguards Rule, Standards for Safeguarding Customer Information, 16 C.F.R., Part 314 which provides “…a short yet comprehensive list of the components of a complete security program.” See DAVID G. RIES, Safeguarding Confidential Data: Your Ethical and Legal Obligations, ABA Law Practice (July/August 2010, Vol. 36, No. 4, at 49).

D. FTC Safeguards Rule

The Safeguards Rule embodies many of the recommendations of privacy and data protection experts and requires a WISP that describes a company’s plan to protect customer information. As part of its plan, the company must (1) designate at least one employee to coordinate its information security program; (2) identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of its current safeguards for controlling those risks; (3) design and implement a safeguards program, and regularly monitor and test it; (4) evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s operations, or the results of security testing and monitoring; and (5) select service providers that can maintain appropriate safeguards, make sure contracts require them to maintain safeguards, and oversee their handling of customer information. See 16 C.F.R. Part 314.

The Federal Trade Commission provides further guidance regarding the Safeguards Rule at the “BCP Business Center” section of its website, where it spells out that the five basic requirements of the rules are designed to be flexible, that companies should implement safeguards appropriate to their circumstances, and further provides specific guidance with respect to each of the five basic requirements. (http://business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule) This guidance is generally consistent with “general categories of security measures mentioned most often in…laws, regulations, and security standards…” which generally include the following categories of security measures: “physical facility and device security controls, physical access controls, technical access controls, intrusion detection procedures, employee procedures, system modification procedures, data integrity, confidentiality and storage procedures, data destruction and hardware and media disposal, audit controls, contingency plans and incident response plans.” See THOMAS J. SMEDINGHOFF, Data Security Requirements for Non-Regulated Business Sectors, Vol. 1, 14th Annual Institute on Data Security and Privacy Law, Page 610-612 (2013).

E. Other Safeguarding Obligations

A law firm may have more specific obligations in instances in which security obligations are imposed by contract in connection with the representation of a client, ethical screens or participation in systems such as the credit card payment system which requires compliance with Payment Card Industry Data Security Standards as a condition of accepting credit cards. See www.pcisecuritystandards.org. A law firm may further be subject to additional data protection or security obligations on the basis of its handling of Protected Health Information and representations made in privacy policies, advertisements, or websites.

Making decisions about information security programs and addressing these issues requires basic knowledge regarding technology. At the same time that the ABA adopted a model rule providing that lawyers make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client, it also amended the comment to its Model Rule 1.1. The rule itself remains unchanged, providing: “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” The change was to the comment following the rule which now reads: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” This particular rule change was prompted, in part, by the ABA’s Commission on Ethics 20/20 recognition of technology’s impact on the legal profession, and in particular two types of technology now commonly employed by attorneys: “cloud” computing (including online data storage, Internet based email and law practice management applications) and mobile device use (laptops, cell phones and flash drives). While not binding, the ABA Model Rules often serve as models for the ethics rules of other states.

V. Conclusion

The overview presented in this article merely scratches the surface of privacy and information security issues that a law firm in 21st century Texas must consider. Given the increased focus placed on privacy by individual consumers, the media, lawmakers and regulators, the prudent law firm will take action to evaluate the state of its privacy compliance, analyze the firm’s legal obligations, and then implement and continually monitor and update a privacy and information management program to address those obligations.


APPENDIX 1

Additional Privacy and Data Security Resources

The American Bar Association’s Legal Technology Resource Center provides information regarding the latest legal technology, an extensive resource list on technology related ethics matters including, for example “metadata” and “cloud” ethics opinions from bar associations from around the country. See, www.americanbar.org/groups/departments_offices/legal_technology_resources.html.

The Federal Trade Commission’s Bureau of Consumer Protection maintains at its website a “Business Center” which provides information regarding privacy and security rules and laws as well as recommended “good practices” regarding the securing of wireless networks, securing computer systems and creating data security plans. See, www.ftc.gov.

TRUSTe operates a privacy seal program which certifies how businesses collect and manage personally identifiable information. According to TRUSTe, in order for a business to obtain a TRUSTe certification and the use of the TRUSTe seal, the business must provide proof of its privacy and data governance practices as those practices relate to the notice, choice, and accountability frameworks around the personally identifiable information it collects on behalf of its users, customers, and partners. These practices must reach a minimum standard as defined by TRUSTe’s Program Requirements and must be maintained by the business. The TRUSTe website includes newsletters, white papers and practice tips. See, www.truste.com/about-TRUSTe/.

The Better Business Bureau offers a “data security guide” which includes checklists for small businesses to secure sensitive data, safely transmit data, become PCI compliant, properly dispose of paper and electronic records and includes steps to take in the event of a data breach. It also operates a program whereby businesses can earn the right to use the BBB accredited Business seal at their Web site. See, www.bbb.org/us/bbb-online-business/.

Providers of third party services often post white papers and resource pages for prospective clients. Providers which offer services to lawyers often include specialized ethics information for practitioners. Examples of these include www.goclio.com and www.netdocuments.com.

The Texas State Bar Journal features a technology article in almost every edition. These articles typically take a practical nuts and bolts approach to technology and data security issues.

The January 2013 edition featured an article highlighting the fact that mobile devices such as smartphones and tablets automatically save data and if used for business, likely contain confidential information which lawyers have ethical and legal duties to protect. The article provided detailed instructions for securely deleting data from mobile devices. See, Sharon Nelson and John W. Simek, Securely Deleting Data from Mobile Devices, Texas Bar Journal, January 2013, p 13.

In December 2012 the Journal featured an article which discussed Adobe’s latest PDF product including simpler and stronger encryption and other built in defenses for eliminating electronic intrusions and protecting metadata. See, Al Harrison, Adobe Acrobat XI, Texas Bar Journal, December 2012, p 824.

The May 2012 Journal’s article Preventing Law Firm Data Breaches, discussed security basics that every lawyer should be aware of and included twenty six “top” security tips including:

• Have a strong password of at least 12 characters. No matter how strong an eight-character password is, it can now be cracked in about two hours. A strong 12-character password takes roughly 17 years to crack. Use a passphrase so you can remember the password: “EyEluv@B@TeCH- SHOW2012!” would be a perfect example.

• Don’t use the same password everywhere. If they crack you once, they’ve got you in other places too.

• Change your passwords regularly. This will foil anyone who has gotten your password.


• Do not have a file named “passwords” on your computer. And do not have your password on a sticky note under your keyboard or in your top right drawer (the two places we find them most often)!

• Change the defaults. It doesn’t matter if you are configuring a wireless router or installing a server operating system. In all cases, make sure you change any default values. The default user ID and passwords are well known for any software or hardware installation. Apple isn’t immune either, since there are default values for their products as well.

• Your laptop should be protected with whole disk encryption—no exceptions. Stolen and lost laptops are one of the leading causes of data breaches. Many of the newer laptops have built-in whole disk encryption. To state the obvious, make sure you enable the encryption or your data won’t be protected. Also, encryption may be used in conjunction with biometric access. As an example, our laptops require a fingerprint swipe to power on. Failure at that point leaves the computer hard drive fully encrypted.

• Backup media, a huge source of data leaks, should be encrypted. If you use an online backup service, which means you’re storing your data in the cloud, make sure the data is encrypted in transit and while being stored. Also, be sure that employees of the backup vendor do not have access to decrypt keys.

• Thumb drives, which are easy to lose, should be encrypted. You may want to log activity on USB ports, because it is common for employees to lift data via a thumb drive. Without logging, you cannot prove exactly what was copied.

• Keep your server in a locked rack in a locked closet or room. Physical security is essential.

• Most smartphones write some amount of data to the phone. Opening a client document may write it to the smartphone whether or not you save it. The iPhone is particularly data rich. Make sure you have a PIN for your phone. This is a fundamental protection. Don’t use “swiping” to protect your phone as thieves can discern the swipe the vast majority of the time due to the oils from your fingers. Also make sure that you can wipe the data remotely if you lose your phone.

• Solos and small firms should use a single integrated product to deal with spam, viruses and malware. For solos and small firms, we recommend using Kaspersky Internet Security 2012, which contains firewall, anti-virus, anti-spyware, rootkit detection, anti-spam and much more. For larger firms, we are fans of Trend Micro.

• Wireless networks should be set up with the proper security. First and foremost, encryption should be enabled on the wireless device. Whether using Wired Equivalent Privacy (WEP) 128-bit or WPA encryption, make sure that all communications are secure. WEP is weaker and can be cracked. The only wireless encryption standards that have not been cracked (yet) are WPA with the AES (Advanced Encryption Standard) or WPA2.

• Make sure all critical patches are applied. This may be the job of your IT provider, but too often this is not done.

• If software is no longer being supported, its security may be in jeopardy. Upgrade to a supported version to ensure that it is secure.

• Control access. Does your secretary really need access to Quickbooks? Probably not. This is just another invitation to a breach.

• If you terminate an employee, make sure you kill the id, and immediately cut all possible access (including remote) to your network. Do not let the former employee have access to a computer to download personal files without a trusted escort.

• Using cloud providers for software applications is fine, provided that you made reasonable inquiry into their security. Read the terms of service carefully and check your state for current ethics opinions on this subject.

• Be wary of social media applications, as they are now frequently invaded by cybercriminals. Giving another application access to your credentials for Facebook, as an example, could result in your account being hijacked. And even though Facebook now sends all hyperlinks through Websense first (a vast improvement), be wary of clicking on them.

• Consider whether you need cyber insurance to protect against the possible consequences of a breach. Most insurance policies do not cover the cost of investigating a breach, taking remedial steps or notifying those who are affected.

• Have a social media and an incident response policy.

• Let your employees know how to use social media as safely as possible, and if an incident happens, it is helpful to have a plan of action in place.


• Dispose of anything that holds data, including a digital copier, securely. For computers, you can use a free product like DBAN to securely wipe the data.

• Make sure all computers require screen saver passwords, and that the screen saver gets invoked within a reasonable period of inactivity.

• Use wireless hot spots with great care. Do not enter any credit card information or login credentials prior to seeing the https: in the URL.

• For remote access, use a VPN or other encrypted connection.

• Do not give your user id and password to anybody. This includes your secretary and even the IT support personnel.

None of these safeguards are hard to implement. Unfortunately, even if you implement them all, new dangers will arise tomorrow. The name of the game in information security is “constant vigilance.”

See, Sharon D. Nelson and John W. Simek, Preventing Law Firm Data Breaches, Texas Bar Journal, May 2012, p 364.


APPENDIX 2

FEDERAL CONSUMER PROTECTION PRIVACY LAWS

The Federal Trade Commission has responsibility for numerous business related privacy laws which impact consumers. The following listing of federal privacy laws is an excerpt from the FTC’s “Legal Resources-Statutes Relating to Consumer Protection Mission” found at http://ftc.gov/ogc/stat3.shtm.

• The Children's Online Privacy Protection Act (15 U.S.C. §§ 6501-6506). This Act protects children’s privacy by giving parents the tools to control what information is collected from their children online. Under the Act’s implementing Rule (codified at 16 C.F.R. Part 312), operators of commercial websites and online services directed to or knowingly collecting personal information from children under 13 must: (1) notify parents of their information practices; (2) obtain verifiable parental consent before collecting a child’s personal information; (3) give parents a choice as to whether their child’s information will be disclosed to third parties; (4) provide parents access to their child’s information; (5) let parents prevent further use of collected information; (6) not require a child to provide more information than is reasonably necessary to participate in an activity; and (7) maintain the confidentiality, security, and integrity of the information. In order to encourage active industry self-regulation, the Act also includes a "safe harbor" provision allowing industry groups and others to request Commission approval of self-regulatory guidelines to govern participating websites’ compliance with the Rule.

• Identity Theft Assumption and Deterrence Act of 1998 (codified in relevant part at 18 U.S.C. § 1028 note). Section 5 of this Act, Pub. L. No. 105-318, 112 Stat. 3007, makes the FTC a central clearinghouse for identity theft complaints. The Act requires the FTC to log and acknowledge such complaints, provide victims with relevant information, and refer their complaints to appropriate entities (e.g., the major national consumer reporting agencies and other law enforcement agencies).

• Gramm-Leach-Bliley Act (Pub. L. 106-102, 113 Stat. 1338, codified in relevant part at 15 U.S.C. §§ 6801-6809 and §§ 6821-6827, as amended). Title V, subtitle A, of this Act requires the FTC, along with several other agencies, to issue regulations (see 16 CFR Part 313) ensuring that financial institutions protect the privacy of consumers' personal financial information. Such institutions must develop and give notice of their privacy policies to their own customers at least annually and before disclosing any consumer's personal financial information to an unaffiliated third party, must give notice and an opportunity for that consumer to "opt out" from such disclosure. Under the Dodd-Frank Act, this rule transferred to the Bureau of Consumer Financial Protection, but the FTC will continue to have authority to enforce it. The subtitle also requires the FTC and other agencies to issue regulations (see 16 CFR Part 314) for the safeguarding of personal financial information. The Act also limits the sharing of account number information for marketing purposes. Subtitle B of Title V prohibits obtaining customer information of a financial institution by false pretenses. The FTC enforces these provisions with regard to entities not specifically assigned by the provision to the Federal banking agencies or other regulators.

• Do-Not-Call Registry Act. The Do-Not-Call Registry Act of 2003 (15 U.S.C. § 6151; originally codified at 15 U.S.C. § 6101 note) expressly authorized the FTC under section 3(a)(3)(A) of the Telemarketing and Consumer Fraud and Abuse Prevention Act to implement and enforce the Do-Not-Call Registry, and ratified the Registry provision of the FTC’s Telemarketing Sales Rule, 16 C.F.R. 310.4(b)(1)(iii) (which became effective on March 31, 2003). The Do-Not-Call Implementation Act of 2003 (15 U.S.C. § 6152 et seq.; originally codified at § 6101 note) authorized the FTC to set and collect Registry fees for fiscal years 2003 through 2007; required the FCC to issue a compatible Do-Not-Call rule; and directed the FTC and the FCC to submit an annual report on the Registry for fiscal years 2003 through 2007 to the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science, and Transportation. The Do-Not-Call Registry Fee Extension Act of 2007 (15 U.S.C. § 6154) amended the Do-Not-Call Implementation Act to specify by statute the Registry fees for telemarketers, and revised the report requirements in the Telemarketing and Consumer Fraud and Abuse Prevention Act (above). The Do-Not-Call Improvement Act of 2007 (15 U.S.C. § 6155) further amended the Do-Not-Call Implementation Act to prohibit the automatic expiration of Registry listings.

• Fair Credit Reporting Act (15 U.S.C. §§ 1681-1681u, as amended). The Act protects information collected by consumer reporting agencies such as credit bureaus, medical information companies and tenant screening services. Information in a consumer report cannot be provided to anyone who does not have a purpose specified in the Act. Companies that provide information to consumer reporting agencies also have specific legal obligations, including the duty to investigate disputed information. Also, users of the information for credit, insurance, or employment purposes must notify the consumer when an adverse action is taken on the basis of such reports. Further, users must identify the company that provided the report, so that the accuracy and completeness of the report may be verified or contested by the consumer. The Fair and Accurate Credit Transactions Act, the Credit CARD Act and Dodd-Frank Act (see below), made a number of substantial changes to this Act. The Red Flag Program Clarification Act of 2010 (Pub. L. 111-319, 124 Stat. 3457) clarifies and narrows the meaning of “creditor” for purposes of the Red Flags provisions.

• Fair and Accurate Credit Transactions Act of 2003 (codified to 15 U.S.C. §§ 1681-1681x, as amended). This Act, amending the Fair Credit Reporting Act (FCRA), adds provisions designed to improve the accuracy of consumers’ credit-related records. It gives consumers the right to one free credit report a year from the credit reporting agencies, and consumers may also purchase for a reasonable fee a credit score along with information about how the credit score is calculated. The Act also adds provisions designed to prevent and mitigate identity theft, including a section that enables consumers to place fraud alerts in their credit files. Further, the Act grants consumers additional rights with respect to how their information is used. Under the Dodd-Frank Act, most of the FTC’s rulemaking responsibilities and some study requirements transferred to the Bureau of Consumer Financial Protection.

• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) (15 U.S.C §§ 7701-7713). This Act establishes requirements for those who send unsolicited commercial email. The Act bans false or misleading header information and prohibits deceptive subject lines. It also requires that unsolicited commercial email provide recipients with a method for opting out of receiving such email and must be identified as an advertisement. In addition to enforcing the statute, the FTC must issue rules involving the required labeling of sexually explicit commercial email and the criteria for determining the primary purpose of a commercial email. The Act also instructs the Commission to report to Congress on the feasibility of a National Do-Not-E-Mail Registry, as well as requiring reports on the labeling of all unsolicited commercial email, the creation of a “bounty system” to promote enforcement of the law, and the effectiveness and enforcement of the statute.

• Health Information Technology (“HITECH”) Provisions of American Recovery and Reinvestment Act of 2009, Title XIII, Subtitle D (Pub. L. 111-5, 123 Stat. 115, codified in relevant part at 42 U.S.C. §§ 17937 and 17954). This Act directs the FTC to issue a rule requiring entities that obtain consumers’ personal information but are not subject to the Health Insurance Portability & Accountability Act (“HIPAA”) (Pub. L. No. 104-191, 110 Stat. 1936 (1996)), such as many vendors of personal health records and third party service providers, to notify affected individuals and the FTC (which notifies the Secretary of Health and Human Services) in the event of a data breach or inadvertent disclosure of unsecured identifiable health information in personal health records. The Act also directs the Secretary of Health and Human Services, consulting with the FTC, to complete a study and report on privacy and security requirements for such entities.


• Restore Online Shopper’s Confidence Act (Pub. L. 111-345, 124 Stat. 3618). This Act prohibits any post-transaction third party seller (a seller who markets goods or services online through an initial merchant after a consumer has initiated a transaction with that merchant) from charging any financial account in an Internet transaction unless it has disclosed clearly all material terms of the transaction and obtained the consumer’s express informed consent to the charge. The seller must obtain the number of the account to be charged directly from the consumer. The Act prohibits initial merchants from disclosing purchasers’ financial account numbers or other billing information to third party sellers. In addition, for all online transactions with a negative option feature (both initial sales and post-transaction sales), the Act requires the seller to disclose clearly all material terms, obtain the consumer’s express informed consent to the charge, and provide a simple means for the consumer to stop recurring charges.


APPENDIX 3

TEXAS HEALTH INFORMATION PRIVACY LAWS - 2013

In addition to the Texas Medical Records Privacy Act, numerous other state laws pertain to the privacy of medical information in specific contexts. Some of these laws apply to communications between patients and various types of health care providers, such as physicians, dentists and pharmacists. Other laws restrict the disclosure of patient records by health care facilities while others focus on protecting types of information considered particularly sensitive. These types include information related to HIV/AIDS, communicable diseases, substance abuse, reproductive care, minors, domestic violence and genetics. Texas laws also address privacy issues which arise in the handling of health information in civil and criminal court proceedings. These laws are listed below according to their respective codes and can also be found in the Health Information Privacy section of the web site of the Texas Attorney General: www.oag.state.tx.us/consumer/health_info_privacy_laws.shtml.

OCCUPATIONS CODE

PHYSICIANS

• Medical Practice Act, TEX. OCC. CODE ANN. § 151.001 et seq.
• Physician-Patient Communication, TEX. OCC. CODE ANN. § 159.001 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.159.htm (Physician-Patient Communications)

DENTISTS

• Dental Practice Act, TEX. OCC. CODE ANN. § 251.001 et seq.
• Dental Privilege, TEX. OCC. CODE ANN. § 258.101 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.258.htm#C (Dental Privilege)

CHIROPRACTORS

• Patient Confidentiality (Chiropractors), TEX. OCC. CODE ANN. § 201.401 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.201.htm#I (Patient Confidentiality)

PODIATRISTS

• Privilege and Confidentiality Requirements (Podiatrists), TEX. OCC. CODE ANN. § 202.401 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.202.htm#I (Privilege and Confidentiality Requirements)

PHARMACISTS

• Texas Pharmacy Act, TEX. OCC. CODE ANN. § 551.001 et seq.
• Release of Confidential Records, TEX. OCC. CODE ANN. § 562.052 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.562.htm#562.052 (Release of Confidential Records)

OPTOMETRISTS

• Texas Optometry Act, TEX. OCC. CODE ANN. § 351.001 et seq.
• Optometric Files and Records, TEX. OCC. CODE ANN. § 351.352
• Link: http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.351.htm#351.352 (Optometric Files and Records)

PHYSICIAN ASSISTANT


• Physician Assistant Licensing Act, TEX. OCC. CODE ANN. § 204.001 et seq.
• Protection of Patient Identity, TEX. OCC. CODE ANN. § 204.309
• Link: http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.204.htm#204.309 (Protection of Patient Identity)

SURGICAL ASSISTANT

• Protection of Patient Identity (Surgical Assistants), TEX. OCC. CODE ANN. § 206.309
• Link: http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.206.htm#206.309 (Protection of Patient Identity)

GENETIC INFORMATION

• Use of Genetic Information, TEX. OCC. CODE ANN. § 58.001 et seq.
• Disclosure of Genetic Information; Confidentiality; Exceptions, TEX. OCC. CODE ANN. § 58.101 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.58.htm#C (Disclosure of Genetic Information; Confidentiality; Exceptions)

REPORT AND CONFIDENTIALITY REQUIREMENTS

• Report and Confidentiality Requirements, TEX. OCC. CODE ANN. § 160.001 et seq.
• Board Confidentiality, TEX. OCC. CODE ANN. § 160.006 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/OC/htm/OC.160.htm#160.006 (Board Confidentiality)

TEXAS HEALTH & SAFETY CODE

RECORDS, REPORTS OF CERTAIN DISEASES INCLUDING HIV/AIDS

• Communicable Disease Prevention and Control Act, TEX. HEALTH & SAFETY CODE ANN. § 81.001 et seq.
• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 81.046
• Records, reports and information, regardless of the source, that are provided to health authorities and health departments and relate to cases or suspected cases of disease or health conditions must be kept confidential (TEX. HEALTH & SAFETY CODE ANN. § 81.046).
• Test results for HIV and AIDS are also confidential (TEX. HEALTH & SAFETY CODE ANN. § 81.103).
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.81.htm#81.046 (Confidentiality)

CANCER INCIDENCE REPORTING

• Texas Cancer Incidence Reporting Act, TEX. HEALTH & SAFETY CODE ANN. § 82.001 et seq.
• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 82.009
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.82.htm#82.009 (Confidentiality)

EXPOSURE TO AGENT ORANGE

• Exposure to Agent Orange, TEX. HEALTH & SAFETY CODE ANN. § 83.001 et seq.
• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 83.005
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.83.htm#83.005 (Confidentiality)

OCCUPATIONAL CONDITION

• Occupational Condition Reporting Act, TEX. HEALTH & SAFETY CODE ANN. § 84.001 et seq.
• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 84.006
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.84.htm#84.006 (Confidentiality)

HIV SERVICES

• Human Immunodeficiency Virus Services Act, TEX. HEALTH & SAFETY CODE ANN. § 85.001 et seq.


• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 85.260
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.85.htm#85.260 (Confidentiality)
• Confidentiality Guidelines, TEX. HEALTH & SAFETY CODE ANN. § 85.115
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.85.htm#85.115 (Confidentiality Guidelines)

BIRTH DEFECTS

• Birth Defects, TEX. HEALTH & SAFETY CODE ANN. § 87.001 et seq.
• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 87.002
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.87.htm#87.002 (Confidentiality)

REPORTS OF CHILDHOOD LEAD POISONING

• Reports of Childhood Lead Poisoning, TEX. HEALTH & SAFETY CODE ANN. § 88.001 et seq.
• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 88.002
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.88.htm#88.002 (Confidentiality)

INJURY PREVENTION AND CONTROL

• Injury Prevention and Control, TEX. HEALTH & SAFETY CODE ANN. § 92.001 et seq.
• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 92.006
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.92.htm#92.006 (Confidentiality)

PREVENTION OF CARDIOVASCULAR DISEASE AND STROKE

• Prevention of Cardiovascular Disease and Stroke, TEX. HEALTH & SAFETY CODE ANN. § 93.001 et seq.
• Information Received From Another State Agency; Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 93.054
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.93.htm#93.054 (Information Received From Another State Agency; Confidentiality)

DIABETES

• Diabetes, TEX. HEALTH & SAFETY CODE ANN. § 95.001 et seq.
• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 95.054
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.95.htm#95.054 (Confidentiality)

RESPIRATORY SYNCYTIAL VIRUS

• Respiratory Syncytial Virus, TEX. HEALTH & SAFETY CODE ANN. § 96.001 et seq.
• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 96.002
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.96.htm#96.002 (Confidentiality)

PUBLIC HEALTH PROVISIONS

• Public Health Provisions, TEX. HEALTH & SAFETY CODE ANN. § 161.001 et seq.
• Registry Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 161.0073
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.161.htm#161.0073 (Registry Confidentiality)
• Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 161.0213
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.161.htm#161.0213 (Confidentiality)

BLOOD BANKS AND BLOOD DONATION

• Blood Banks and Donation of Blood, TEX. HEALTH & SAFETY CODE ANN. § 162.001 et seq.
• Confidentiality of Blood Bank Records, TEX. HEALTH & SAFETY CODE ANN. § 162.003
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.162.htm#162.003 (Confidentiality of Blood Bank Records)

ADVANCE DIRECTIVES

• Advance Directives Act, TEX. HEALTH & SAFETY CODE ANN. § 166.001 et seq.
• Disclosure of Medical Information, TEX. HEALTH & SAFETY CODE ANN. § 166.157
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.166.htm#166.157 (Disclosure of Medical Information)

MEDICAL RECORDS

• Texas Medical Records Privacy Act, TEX. HEALTH & SAFETY CODE ANN. § 181.001 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm (Medical Records Privacy)

HOSPITAL LICENSING

• Texas Hospital Licensing Law, TEX. HEALTH & SAFETY CODE ANN. § 241.001 et seq.
• Written Authorization for Disclosure of Health Care Information, TEX. HEALTH & SAFETY CODE ANN. § 241.152 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.241.htm#241.152 (Written Authorization for Disclosure of Health Care Information)

CONVALESCENT AND NURSING HOMES

• Convalescent and Nursing Homes and Related Institutions, TEX. HEALTH & SAFETY CODE ANN. § 242.001 et seq.
• Resident’s Rights, TEX. HEALTH & SAFETY CODE ANN. § 242.501
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.242.htm#242.501 (Resident’s Rights)

ABORTION FACILITY REPORTING

• Texas Abortion Facility Reporting and Licensing Act, TEX. HEALTH & SAFETY CODE ANN. § 245.001 et seq.
• Reporting Requirements; Criminal Penalty, TEX. HEALTH & SAFETY CODE ANN. § 245.011
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.245.htm#245.011 (Reporting Requirements; Criminal Penalty)

CONTINUING CARE AND REHABILITATION

• Texas Continuing Care Facility Disclosure and Rehabilitation Act, TEX. HEALTH & SAFETY CODE ANN. § 246.001 et seq.
• Rights of Residents, TEX. HEALTH & SAFETY CODE ANN. § 246.004
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.246.htm#246.004 (Rights of Residents)

INTERMEDIATE CARE

• Intermediate Care Facilities for the Mentally Retarded, TEX. HEALTH & SAFETY CODE ANN. § 252.001 et seq.
• Rights of Residents, TEX. HEALTH & SAFETY CODE ANN. § 252.006
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.252.htm#252.006 (Rights of Residents)

HOSPITAL DATA REPORTING AND COLLECTION

• Hospital Data Reporting and Collection System, TEX. HEALTH & SAFETY CODE ANN. § 311.031 et seq.
• Confidential Data; Criminal Penalty, TEX. HEALTH & SAFETY CODE ANN. § 311.037
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.311.htm#311.037

(Confidential Data; Criminal Penalty)

MENTAL HEALTH AND MENTAL RETARDATION

• Texas Department of Mental Health and Mental Retardation – Powers and Duties, TEX. HEALTH & SAFETY CODE ANN. § 533.0001 et seq.
• Information Relating to Patient’s Condition, TEX. HEALTH & SAFETY CODE ANN. § 533.010
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.533.htm#533.010 (Information Relating to Patient’s Condition)

• Texas Mental Health Code – Rights of Patients, TEX. HEALTH & SAFETY CODE ANN. § 576.001 et seq.
• Confidentiality of Records, TEX. HEALTH & SAFETY CODE ANN. § 576.005
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.576.htm#576.005 (Confidentiality of Records)

• Persons with Mental Retardation Act, TEX. HEALTH & SAFETY CODE ANN. § 591.001 et seq.
• Records, TEX. HEALTH & SAFETY CODE ANN. § 595.001
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.595.htm (Records)

• Mental Health Records, TEX. HEALTH & SAFETY CODE ANN. § 611.001 et seq.
• Confidentiality of Information and Prohibition Against Disclosure, TEX. HEALTH & SAFETY CODE ANN. § 611.002
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.611.htm#611.002 (Confidentiality of Information and Prohibition against Disclosure)

HERITABLE DISEASES

• Phenylketonuria, Other Heritable Diseases, Hypothyroidism, and Certain Other Disorders, TEX. HEALTH & SAFETY CODE ANN. § 33.001 et seq.
• Newborn Screening - Confidentiality, TEX. HEALTH & SAFETY CODE ANN. § 33.018
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.33.htm#33.018 (Newborn Screening - Confidentiality)

HEALTH SERVICES AUTHORITY

• Texas Health Services Authority, TEX. HEALTH & SAFETY CODE ANN. § 182.001 et seq.
• Privacy of Information, TEX. HEALTH & SAFETY CODE ANN. § 182.103
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.182.htm#182.103 (Privacy of Information)

CORRECTIONAL OFFICE

• Texas Correctional Office on Offenders with Medical or Mental Impairments, TEX. HEALTH & SAFETY CODE ANN. § 614.001 et seq.
• Exchange of Information, TEX. HEALTH & SAFETY CODE ANN. § 614.017
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.614.htm#614.017 (Exchange of Information)

EMERGENCY HEALTH CARE

• Emergency Health Care Act, TEX. HEALTH & SAFETY CODE ANN. § 773.001 et seq.
• Confidential Communications, TEX. HEALTH & SAFETY CODE ANN. § 773.091 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.773.htm#773.091 (Confidential Communications)

FETAL AND INFANT MORTALITY

• Fetal and Infant Mortality Review, TEX. HEALTH & SAFETY CODE ANN. § 674.001 et seq.
• Confidentiality of Records; Privilege, TEX. HEALTH & SAFETY CODE ANN. § 674.007
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.674.htm#674.007 (Confidentiality of Records; Privilege)

HEARING LOSS IN NEWBORNS

• Hearing Loss in Newborns, TEX. HEALTH & SAFETY CODE ANN. § 47.001 et seq.
• Confidentiality and General Access to Data, TEX. HEALTH & SAFETY CODE ANN. § 47.008
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.47.htm#47.008 (Confidentiality and General Access to Data)

POWERS AND DUTIES OF THE DEPARTMENT OF HEALTH

• Powers and Duties of Texas Department of Health, TEX. HEALTH & SAFETY CODE ANN. § 12.001 et seq.
• Confidentiality Requirements, TEX. HEALTH & SAFETY CODE ANN. § 12.097
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.12.htm#12.097 (Confidentiality Requirements)

COURT-ORDERED MENTAL HEALTH SERVICES

• Court-Ordered Mental Health Services, TEX. HEALTH & SAFETY CODE ANN. § 574.001 et seq.
• Appointment of Attorney, TEX. HEALTH & SAFETY CODE ANN. § 574.003
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.574.htm#574.003 (Appointment of Attorney)

ADULT FATALITY

• Adult Fatality Review and Investigation, TEX. HEALTH & SAFETY CODE ANN. § 672.001 et seq.
• Access to Information, TEX. HEALTH & SAFETY CODE ANN. § 672.006
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.672.htm#672.006 (Access to Information)

HEALTH CARE INFORMATION COUNCIL

• Texas Health Care Information Council, TEX. HEALTH & SAFETY CODE ANN. § 108.001 et seq.
• Data Submission and Collection, TEX. HEALTH & SAFETY CODE ANN. § 108.009
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.108.htm#108.009 (Data Submission and Collection)

PROVISION OF SERVICES

• Provision of Mental Health, Chemical Dependency, and Rehabilitation Services, TEX. HEALTH & SAFETY CODE ANN. § 321.001 et seq.
• Bill of Rights, TEX. HEALTH & SAFETY CODE ANN. § 321.002
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.321.htm#321.002 (Bill of Rights)

SPECIAL SENSES AND COMMUNICATION DISORDERS

• The Special Senses and Communication Disorders Act, TEX. HEALTH & SAFETY CODE ANN. § 36.001 et seq.
• Records; Reports, TEX. HEALTH & SAFETY CODE ANN. § 36.006
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.36.htm#36.006 (Records; Reports)

REPORTING OF HEALTH CARE-ASSOCIATED INFECTIONS AND PREVENTABLE ADVERSE EVENTS

• Reporting of Health Care-Associated Infections and Preventable Adverse Events, TEX. HEALTH & SAFETY CODE ANN. § 98.001 et seq.
• Confidentiality; Privilege, TEX. HEALTH & SAFETY CODE ANN. § 98.109
• Link: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.98.v2.htm#98.109 (Confidentiality; Privilege)

TEXAS BUSINESS & COMMERCE CODE

• Biometric Identifiers, TEX. BUS. & COM. CODE ANN. § 503.001
• Capture or Use of Biometric Identifier, TEX. BUS. & COM. CODE ANN. § 503.001
• Link: http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.503.htm#503.001 (Capture or Use of Biometric Identifier)

• Identity Theft Enforcement and Protection Act, TEX. BUS. & COM. CODE ANN. § 521.001 et seq.
• Business Duty to Protect Sensitive Personal Information (including medical information) TEX. BUS. & COM. CODE ANN. § 521.052
• Link: http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm#521.052 (Business Duty to Protect Sensitive Personal Information)

TEXAS CIVIL PRACTICE AND REMEDIES CODE

• Medical Liability, TEX. CIV. PRAC. & REM. CODE ANN. § 74.001 et seq.
• Notice, TEX. CIV. PRAC. & REM. CODE ANN. § 74.051
• Link: http://www.statutes.legis.state.tx.us/Docs/CP/htm/CP.74.htm#74.051 (Notice)

• Claims involving Asbestos and Silica, TEX. CIV. PRAC. & REM. CODE ANN. § 90.001 et seq.
• Reports Required for Claims Involving Asbestos-Related Injury, TEX. CIV. PRAC. & REM. CODE ANN. § 90.003
• Link: http://www.statutes.legis.state.tx.us/Docs/CP/htm/CP.90.htm#90.003 (Reports Required for Claims Involving Asbestos-Related Injury)

• Reports Required for Claims Involving Silica-Related Injury, TEX. CIV. PRAC. & REM. CODE ANN. § 90.004
• Link: http://www.statutes.legis.state.tx.us/Docs/CP/htm/CP.90.htm#90.004 (Reports Required for Claims Involving Silica-Related Injury)

TEXAS CODE OF CRIMINAL PROCEDURE

• Evidence in Criminal Actions, TEX. CODE CRIM. PROC. ANN. § 38.001 et seq.
• Communications by Drug Abusers, TEX. INS. CODE ANN. § 38.101
• Link: http://www.statutes.legis.state.tx.us/Docs/CR/htm/CR.38.htm#38.101 (Communications by Drug Abusers)

• Missing Children and Missing Persons, TEX. CODE CRIM. PROC. ANN. § 63.001 et seq.
• Release of Dental Records, TEX. CODE CRIM. PROC. ANN. § 63.006 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/CR/htm/CR.63.htm#63.006 (Release of Dental Records of missing children and persons)

• Establishment of DNA Database for Missing or Unidentified Persons, TEX. CODE CRIM. PROC. ANN. § 63.052 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/CR/htm/CR.63.htm#63.052 (Establishment of DNA Database for Missing or Unidentified Persons)

• Sealing of Court Records Containing Medical Information for Certain Child Victims, TEX. CODE CRIM. PROC. ANN. § 57C.001 et seq.
• Sealing of Records, TEX. CODE CRIM. PROC. ANN. § 57C.002
• Link: http://www.statutes.legis.state.tx.us/Docs/CR/htm/CR.57C.htm#57C.02 (Sealing of Records)

TEXAS EDUCATION CODE

• Safe Schools – Health & Safety, TEX. EDUC. CODE ANN. § 38.001 et seq.
• Immunization Records; Reporting, TEX. EDUC. CODE ANN. § 38.002
• Link: http://www.statutes.legis.state.tx.us/Docs/ED/htm/ED.38.htm#38.002 (Immunization Records; Reporting)

• Access to Medical Records, TEX. EDUC. CODE ANN. § 38.009 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/ED/htm/ED.38.htm#38.009

(Access to Medical Records)

TEXAS FAMILY CODE

• Juvenile Justice Code – Records; Juvenile Justice Information System, TEX. FAM. CODE ANN. § 58.001 et seq.
• Confidentiality of Records, TEX. FAM. CODE ANN. § 58.005
• Link: http://www.statutes.legis.state.tx.us/Docs/FA/htm/FA.58.htm#58.005 (Confidentiality of Records)

• Court-Ordered Representation in Suits Affecting the Parent-Child Relationship, TEX. FAM. CODE ANN. § 107.001 et seq.
• Powers and Duties of Guardian Ad Litem for Child, TEX. FAM. CODE ANN. § 107.002
• Link: http://www.statutes.legis.state.tx.us/Docs/FA/htm/FA.107.htm#107.002 (Powers and Duties of Guardian Ad Litem for Child)

• Access to Child and Information Relating to Child, TEX. FAM. CODE ANN. § 107.006
• Link: http://www.statutes.legis.state.tx.us/Docs/FA/htm/FA.107.htm#107.006 (Access to Child and Information Relating to Child)

• Medical Care and Educational Services for Children in Foster Care, TEX. FAM. CODE ANN. § 266.001 et seq.
• Health Passport, TEX. FAM. CODE ANN. § 266.006
• Link: http://www.statutes.legis.state.tx.us/Docs/FA/htm/FA.266.htm#266.006 (Health Passport)

• Investigation of Child Abuse or Neglect, TEX. FAM. CODE ANN. § 261.001 et seq.
• Confidentiality and Disclosure of Information, TEX. FAM. CODE ANN. § 261.201
• Link: http://www.statutes.legis.state.tx.us/Docs/FA/htm/FA.261.htm#261.201 (Confidentiality and Disclosure of Information)

• Child Welfare Services, TEX. FAM. CODE ANN. § 264.001 et seq.
• Child Fatality Review and Investigation - Access to Information, TEX. FAM. CODE ANN. § 264.509
• Link: http://www.statutes.legis.state.tx.us/Docs/FA/htm/FA.264.htm#264.509 (Access to Information)

• Termination of the Parent-Child Relationship, TEX. FAM. CODE ANN. § 161.001 et seq.
• Medical History Report, TEX. FAM. CODE ANN. § 161.1031
• Link: http://www.statutes.legis.state.tx.us/Docs/FA/htm/FA.161.htm#161.1031 (Medical History Report)

• Conservatorship, Possession and Access, TEX. FAM. CODE ANN. § 153.001 et seq.
• Rights of Parent at All Times, TEX. FAM. CODE ANN. § 153.073
• Link: http://www.statutes.legis.state.tx.us/Docs/FA/htm/FA.153.htm#153.073 (Rights of Parents at All Times)

• Rights and Duties of Nonparent Appointed as Sole Managing Conservator, TEX. FAM. CODE ANN. § 153.371 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/FA/htm/FA.153.htm#153.371 (Rights and Duties of Nonparent Appointed as Sole Managing Conservator)

• Adoption, TEX. FAM. CODE ANN. § 162.001 et seq.
• Right to Examine Records, TEX. FAM. CODE ANN. § 162.006
• Link: http://www.statutes.legis.state.tx.us/Docs/FA/htm/FA.162.htm#162.006 (Right to Examine Records)

TEXAS GOVERNMENT CODE

• Corrections – Inmate Welfare, TEX. GOV’T CODE ANN. § 501.001 et seq.
• Aids and HIV Education; Testing, TEX. GOV’T CODE ANN. § 501.054
• Link: http://www.statutes.legis.state.tx.us/Docs/GV/htm/GV.501.htm#501.054 (Aids and HIV Education; Testing)

• Public Information, TEX. GOV’T CODE ANN. § 552.001 et seq.

• Exception: Confidential Information, TEX. GOV’T CODE ANN. § 552.101
• Link: http://www.statutes.legis.state.tx.us/Docs/GV/htm/GV.552.htm#552.101 (Exception: Confidential Information)

• Health and Human Services Commission – Mortality Review for Certain Individuals with Developmental Disabilities, TEX. GOV’T CODE ANN. § 531.851 et seq.
• Access to Information, TEX. GOV’T CODE ANN. § 531.852
• Link: http://www.statutes.legis.state.tx.us/Docs/GV/htm/GV.531.htm#531.852 (Access to Information)

• Department of Public Safety of the State of Texas, TEX. GOV’T CODE ANN. § 411.001 et seq.
• Confidentiality of DNA Records, TEX. GOV’T CODE ANN. § 411.153
• Link: http://www.statutes.legis.state.tx.us/Docs/GV/htm/GV.411.htm#411.153 (Confidentiality of DNA Records)

• Open Meetings, TEX. GOV’T CODE ANN. § 551.001 et seq.
• Medical Board or Medical Committee, TEX. GOV’T CODE ANN. § 551.078
• Link: http://www.statutes.legis.state.tx.us/Docs/GV/htm/GV.551.htm#551.078 (Medical Board or Medical Committee)

• Deliberations Involving Medical or Psychiatric Records of Individuals, TEX. GOV’T CODE ANN. § 551.0785
• Link: http://www.statutes.legis.state.tx.us/Docs/GV/htm/GV.551.htm#551.0785 (Deliberations Involving Medical or Psychiatric Records of Individuals)

• Biometric Identifier, TEX. GOV’T CODE ANN. § 560.001 et seq.
• Disclosure of Biometric Identifier, TEX. GOV’T CODE ANN. § 560.002
• Link: http://www.statutes.legis.state.tx.us/Docs/GV/htm/GV.560.htm#560.002 (Disclosure of Biometric Identifier)

TEXAS HUMAN RESOURCES CODE

• Rights of the Elderly, TEX. HUM. RES. CODE ANN. § 102.001 et seq.
• Rights of the Elderly, TEX. HUM. RES. CODE ANN. § 102.003
• Link: http://www.statutes.legis.state.tx.us/Docs/HR/htm/HR.102.htm#102.003 (Rights of the Elderly)

• Adult Day Care Act, TEX. HUM. RES. CODE ANN. § 103.002 et seq.
• Rights of the Elderly, TEX. HUM. RES. CODE ANN. § 103.011
• Link: http://www.statutes.legis.state.tx.us/Docs/HR/htm/HR.103.htm#103.011 (Rights of the Elderly)

• Investigations and Protective Services for Elderly and Disabled Persons, TEX. HUM. RES. CODE ANN. § 48.001 et seq.
• Access to Records or Documents, TEX. HUM. RES. CODE ANN. § 48.154
• Link: http://www.statutes.legis.state.tx.us/Docs/HR/htm/HR.48.htm#48.154 (Access to Records or Documents)

• Regulation of Certain Facilities, Homes, and Agencies That Provide Child-Care Services, TEX. HUM. RES. CODE ANN. § 42.001 et seq.
• Records, TEX. HUM. RES. CODE ANN. § 42.045
• Link: http://www.statutes.legis.state.tx.us/Docs/HR/htm/HR.42.htm#42.045 (Records)

• Medicaid Fraud Prevention, TEX. HUM. RES. CODE ANN. § 36.001 et seq.
• Documentary Material in Possession of State Agency, TEX. HUM. RES. CODE ANN. § 36.003
• Link: http://www.statutes.legis.state.tx.us/Docs/HR/htm/HR.36.htm#36.003 (Documentary Material in Possession of State Agency)

• Department of Aging and Disability Services, TEX. HUM. RES. CODE ANN. § 161.001 et seq.
• Access to Records or Documents, TEX. HUM. RES. CODE ANN. § 161.109
• Link: http://www.statutes.legis.state.tx.us/Docs/HR/htm/HR.161.htm#161.109 (Access to Records or Documents)

TEXAS INSURANCE CODE

• Privacy - General Provisions, TEX. INS. CODE ANN. § 602.001 et seq.
• Authorization for Disclosure of Certain Health Information, TEX. INS. CODE ANN. § 602.051
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.602.htm#602.051 (Authorization for Disclosure of Certain Health Information)

• Data Collection and Reporting Relating to HIV and AIDS, TEX. INS. CODE ANN. § 38.101 et seq.
• Information Confidential, TEX. INS. CODE ANN. § 38.106
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.38.htm#38.106 (Information Confidential)

• HIV Testing, TEX. INS. CODE ANN. § 545.001 et seq.
• Confidentiality of Test Result Required, TEX. INS. CODE ANN. § 545.057
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.545.htm#545.057 (Confidentiality of Test Result Required)

• Reporting of Claims Information, TEX. INS. CODE ANN. § 1215.001 et seq.
• Receipt of and Response to Request for Claim Information, TEX. INS. CODE ANN. § 1215.003
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.1215.htm#1215.003 (Receipt of and Response to Request for Claim Information)

• Utilization Review Agents, TEX. INS. CODE ANN. § 4201.001 et seq.
• General Confidentiality Requirement, TEX. INS. CODE ANN. § 4201.551, et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.4201.htm#L (General Confidentiality Requirement)

• Use of Genetic Testing Information, TEX. INS. CODE ANN. § 546.001 et seq.
• Confidentiality of Genetic Information, TEX. INS. CODE ANN. § 546.102
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.546.htm#546.102 (Confidentiality of Genetic Information)

• Preferred Provider Benefit Plans, TEX. INS. CODE ANN. § 1301.001 et seq.
• Exclusive Provider Benefit Plans: Quality Improvement and Utilization Management, TEX. INS. CODE ANN. § 1301.0051
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.1301.htm#1301.0051 (Exclusive Provider Benefit Plans: Quality Improvement and Utilization Management)

• Texas Health Maintenance Organization Act, TEX. INS. CODE ANN. § 843.001 et seq.
• Confidentiality of Medical and Health Information, TEX. INS. CODE ANN. § 843.007
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.843.htm#843.007 (Confidentiality of Medical and Health Information)

• Examinations, TEX. INS. CODE ANN. § 843.156
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.843.htm#843.156 (Examinations)

• HealthCare Collaboratives, TEX. INS. CODE ANN. § 848.001 et seq.
• Certain Information Confidential, TEX. INS. CODE ANN. § 848.005
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.848.htm#848.005 (Certain Information Confidential)

• Department Rules and Procedures, TEX. INS. CODE ANN. § 36.001 et seq.
• Investigation Files Confidential, TEX. INS. CODE ANN. § 36.252
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.36.htm#36.252 (Investigation Files Confidential)

• Texas Employees Group Benefits Act, TEX. INS. CODE ANN. § 1551.001 et seq.
• Confidentiality of Certain Records, TEX. INS. CODE ANN. § 1551.063
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.1551.htm#1551.063 (Confidentiality of Certain Records)

• Workers' Compensation Health Care Networks, TEX. INS. CODE ANN. § 1305.001 et seq.
• Independent Review of Adverse Determination (Utilization Review), TEX. INS. CODE ANN. § 1305.355
• Link: http://www.statutes.legis.state.tx.us/Docs/IN/htm/IN.1305.htm#1305.355

(Independent Review of Adverse Determination)

TEXAS LABOR CODE

• Confidentiality of Genetic Information, TEX. LAB. CODE ANN. § 21.403
• Link: http://www.statutes.legis.state.tx.us/Docs/LA/htm/LA.21.htm#21.403 (Confidentiality of Genetic Information)

• Operation and Administration of Workers’ Compensation System, TEX. LAB. CODE ANN. § 402.001 et seq.
• Confidentiality of Injury Information, TEX. LAB. CODE ANN. § 402.083 et seq.
• Link: http://www.statutes.legis.state.tx.us/Docs/LA/htm/LA.402.htm#402.083 (Confidentiality of Injury Information)

• Workers’ Compensation Benefits, TEX. LAB. CODE ANN. § 408.001 et seq.
• Reports and Records Required From Health Care Providers, TEX. LAB. CODE ANN. § 408.025
• Link: http://www.statutes.legis.state.tx.us/Docs/LA/htm/LA.408.htm#408.025 (Reports and Records Required From Health Care Providers)

• Office of Injured Employee Counsel, TEX. LAB. CODE ANN. § 404.001 et seq.
• Access to Information, TEX. LAB. CODE ANN. § 404.111
• Link: http://www.statutes.legis.state.tx.us/Docs/LA/htm/LA.404.htm#404.111 (Access to Information)

TEXAS PROPERTY CODE

• Hospital and Emergency Medical Services Liens, TEX. PROP. CODE ANN. § 55.001 et seq.
• Records, TEX. PROP. CODE ANN. § 55.008
• Link: http://www.statutes.legis.state.tx.us/Docs/PR/htm/PR.55.htm#55.008 (Records)

TEXAS TRANSPORTATION CODE

• Driver's Licenses and Certificates, TEX. TRANSP. CODE ANN. § 521.001 et seq.
• Emergency Contact and Medical Information Databases, TEX. TRANSP. CODE ANN. § 521.060
• Link: http://www.statutes.legis.state.tx.us/Docs/TN/htm/TN.521.htm#521.060 (Emergency Contact and Medical Information Databases)

