(a) The attorney general may institute an action for injunctive relief to restrain a violation of this chapter.
(b) In addition to the injunctive relief provided by Subsection (a), the attorney general may institute an action for civil penalties against a covered entity for a violation of this chapter. A civil penalty assessed under this section may not exceed:
(1) $5,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed negligently;
(2) $25,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed knowingly or intentionally; or
(3) $250,000 for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.
(b-1) The total amount of a penalty assessed against a covered entity under Subsection (b) in relation to a violation or violations of Section 181. 154 may not exceed $250,000 annually if the court finds that the disclosure was made only to another covered entity and only for a purpose described by Section 181.154(c) and the court finds that:
(1) the protected health information disclosed was encrypted or transmitted using encryption technology designed to protect against improper disclosure;
(2) the recipient of the protected health information did not use or release the protected health information; or
(3) at the time of the disclosure of the protected health information, the covered entity had developed, implemented, and maintained security policies, including the education and training of employees responsible for the security of protected health information.
(c) If the court in which an action under Subsection (b) is pending finds that the violations have occurred with a frequency as to constitute a pattern or practice, the court may assess a civil penalty not to exceed $1. 5 million annually.
(d) In determining the amount of a penalty imposed under Subsection (b), the court shall consider:
(1) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure;
(2) the covered entity's compliance history;
(3) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;
(4) whether the covered entity was certified at the time of the violation as described by Section 182.108 ;
(5) the amount necessary to deter a future violation; and
(6) the covered entity's efforts to correct the violation.
(e) The attorney general may institute an action against a covered entity that is licensed by a licensing agency of this state for a civil penalty under this section only if the licensing agency refers the violation to the attorney general under Section 181.202(2) .
(f) The office of the attorney general may retain a reasonable portion of a civil penalty recovered under this section, not to exceed amounts specified in the General Appropriations Act, for the enforcement of this subchapter.
FindLaw Codes are provided courtesy of Thomson Reuters Westlaw, the industry-leading online legal research system. For more detailed codes research information, including annotations and citations, please visit Westlaw.
FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature or via Westlaw before relying on it for your legal needs.