USA - Texas: Sectoral Exceptions Regulated by Other Laws

The Texas Data Privacy and Security Act (TDPSA) includes several sectoral exceptions that exclude specific types of personal data from the law's scope. These exceptions avoid duplicative regulation where existing federal or sectoral laws already provide robust data protection standards.

Text of Relevant Provisions

TDPSA Sec.541.003(12)

"(12) personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994 (18 U.S.C. Section 2721 et seq.);"

TDPSA Sec. 541.002(b)(2)

"(b) This chapter does not apply to: (2) a financial institution or data subject to Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);"

TDPSA Sec.541.003(11)

"(11) the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.);"

TDPSA Sec.541.003(14)

"(14) personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971 (12 U.S.C. Section 2001 et seq.);"

TDPSA Sec.541.003(1)

"(1) protected health information under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);"

TDPSA Sec.541.003(3)

"(3) patient identifying information for purposes of 42 U.S.C. Section 290dd-2;"

TDPSA Sec.541.003(4)(A)

"(4) identifiable private information: (A) for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46;"

TDPSA Sec.541.003(4)(B)

"(4) identifiable private information: (B) collected as part of human subjects research under the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) or of the protection of human subjects under 21 C.F.R. Parts 50 and 56;"

TDPSA Sec.541.003(5)

"(5) information and documents created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. Section 11101 et seq.);"

TDPSA Sec.541.003(6)

"(6) patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005 (42 U.S.C. Section 299b-21 et seq.);"

TDPSA Sec.541.003(7)

"(7) information derived from any of the health care-related information listed in this section that is deidentified in accordance with the requirements for deidentification under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);"

TDPSA Sec.541.003(8)

"(8) information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this section that is maintained by a covered entity or business associate as defined by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.) or by a program or a qualified service organization as defined by 42 U.S.C. Section 290dd-2;"

TDPSA Sec.541.003(10)

"(10) information collected or used only for public health activities and purposes as authorized by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);"

TDPSA Sec.541.003(9)

"(9) information that is included in a limited data set as described by 45 C.F.R. Section 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by 45 C.F.R. Section 164.514(e);"

TDPSA Sec. 541.002(b)(3)

"(b) This chapter does not apply to: (3) a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5);"

TDPSA Sec.541.003(13)

"(13) personal data regulated by the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g);"

TDPSA Sec. 541.002(b)(6)

"(b) This chapter does not apply to: (6) an electric utility, a power generation company, or a retail electric provider, as those terms are defined by Section 31.002, Utilities Code."

Analysis of Provisions

Driver's Privacy Protection Act (TDPSA Sec.541.003(12))

The exemption for data processed under the Driver's Privacy Protection Act of 1994 ensures that personal information related to motor vehicle records is protected under a specialized federal framework, preventing the need for additional state-level regulation.

Financial Institutions (TDPSA Sec. 541.002(b)(2))

Financial institutions and data subject to the Gramm-Leach-Bliley Act are exempt, as GLBA already provides stringent requirements for handling and protecting financial information, ensuring these entities adhere to consistent standards.

Consumer Reporting (TDPSA Sec.541.003(11))

Activities regulated under the Fair Credit Reporting Act are exempt, recognizing that FCRA provides comprehensive guidelines for managing consumer credit information, focusing on accuracy and privacy.

Farm Credit Act (TDPSA Sec.541.003(14))

The exemption for personal data managed under the Farm Credit Act of 1971 acknowledges that agricultural financial information is already governed by specific federal standards, eliminating redundant compliance efforts.

Health Information (TDPSA Sec.541.003(1))

Protected health information under HIPAA is exempt to avoid conflicts and redundancy, ensuring that healthcare providers comply with uniform federal privacy and security standards.

Research Data (TDPSA Sec.541.003(3) and Sec.541.003(4))

Data used in research following federal policies for human subjects protection, such as 45 C.F.R. Part 46 and 21 C.F.R. Parts 50 and 56, are exempt, ensuring research activities comply with established ethical and privacy guidelines without additional state mandates.

Health Care Quality (TDPSA Sec.541.003(5) and Sec.541.003(6))

Information related to healthcare quality improvement and patient safety under acts like the Health Care Quality Improvement Act of 1986 and the Patient Safety and Quality Improvement Act of 2005 is exempt, recognizing existing frameworks that ensure data is used to enhance healthcare outcomes.

Deidentified and Intermingled Data (TDPSA Sec.541.003(7) and Sec.541.003(8))

Data deidentified in accordance with HIPAA and data intermingled with exempt information maintained by HIPAA-covered entities or qualified service organizations are exempt, ensuring consistent application of privacy standards across mixed data sets.

Public Health Activities (TDPSA Sec.541.003(10))

Information used solely for public health activities authorized by HIPAA is exempt, facilitating public health initiatives without additional regulatory burdens.

Limited Data Sets (TDPSA Sec.541.003(9))

Information in limited data sets used in compliance with 45 C.F.R. Section 164.514(e) is exempt, allowing the use of deidentified data for research and other purposes under federal guidelines.

Covered Entities and Business Associates (TDPSA Sec. 541.002(b)(3))

Covered entities and business associates governed by HIPAA and the HITECH Act are exempt, ensuring that entities adhere to federal privacy and security standards without conflicting state requirements.

Educational Records (TDPSA Sec.541.003(13))

Data regulated by the Family Educational Rights and Privacy Act (FERPA) is exempt, recognizing FERPA's comprehensive protections for student education records.

Utilities (TDPSA Sec. 541.002(b)(6))

Personal data handled by electric utilities, power generation companies, or retail electric providers, as defined by state utilities code, are exempt, acknowledging sector-specific privacy regulations.

Implications

For Financial Institutions

  • Regulatory Consistency: Financial institutions can adhere to the GLBA without additional state-level requirements, ensuring consistent data protection practices.

  • Compliance Efficiency: Reduces the complexity and cost of complying with multiple regulatory frameworks.

For Healthcare Providers

  • Unified Standards: Healthcare entities follow uniform federal HIPAA standards, avoiding conflicting state regulations.
  • Operational Clarity: Streamlined compliance requirements improve operational efficiency and reduce administrative burdens.

For Research Institutions

  • Facilitated Research: Exemptions for federally regulated research ensure that research activities comply with ethical and privacy standards without additional state regulation.
  • Enhanced Data Use: Encourages the use of deidentified and limited data sets for research, fostering innovation while protecting privacy.

For Educational Institutions

  • FERPA Compliance: Educational institutions continue to follow FERPA standards without added state mandates, maintaining clarity in data protection responsibilities.

For Consumer Reporting Agencies

  • FCRA Adherence: Ensures compliance with the FCRA without conflicting state requirements, providing a clear framework for protecting consumer credit information.

For Utilities

  • Sector-Specific Regulations: Utilities adhere to privacy regulations specific to their industry, avoiding redundant state-level compliance.

These exemptions provide clarity and efficiency in regulatory compliance, allowing entities to focus on adhering to comprehensive federal standards without the added complexity of state-specific requirements. This approach benefits both the regulated entities and the consumers whose data is being protected.

