Health and Human Services Agencies' Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU OR YOUR CHILD MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
This notice describes: (1) how health information provided by you, your legally authorized representative, or your minor child can be used and shared, and (2) how you can get copies of your health information. PLEASE REVIEW IT CAREFULLY.
Si quiere este aviso en español, llame gratis al 2-1-1 o al 1-877-541-7905.
About this notice:
Effective date: This notice takes effect on September 1, 2014 and stays in effect until replaced by another notice.
This notice is required by HIPAA (the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d, et seq., and regulations adopted under that act).
In this privacy notice, “agency,” "agencies," and "Health and Human Services Enterprise System" could mean an individual agency, an affiliated Texas agency, or agencies participating in an organized health-care arrangement:
- Texas Health and Human Services Commission (HHSC)
- Texas Department of Aging and Disability Services (DADS)
- Texas Department of State Health Services (DSHS)
This notice tells you about: (1) your privacy rights, (2) each agency’s duty to protect health information that identifies you, and (3) how each agency can use or share health information that identifies you without your written permission. This notice doesn't apply to health information that doesn't identify you or your legally authorized representative. For purposes of CHIP perinatal coverage, health information includes health information of an unborn child and the mother. Please share this notice with everyone on your case who gets health-care benefits or health-care services from an agency.
When this notice refers to a specific agency, we use its initials. In this notice, "health information" means the same as “medical information” or "protected health information." "Health information" in this notice also can include genetic information, whether oral or recorded in any form or medium that that is created or received by a health-care service provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse. Health information might identify you and can relate to: (1) your past, present, or future physical or mental health or condition; (2) providing health care to you; or (3) the past, present, or future payment for providing your health care.
When you get government benefits, such as Medicaid, CHIP or TANF, that agency can use or share health information about you.
DSHS is a "hybrid covered entity," which means that certain DSHS programs are covered by HIPAA and others are not. DSHS programs covered by HIPAA include those serving as health-care providers (for example, DSHS state mental health hospitals and the DSHS Laboratory), health plans (for example, Texas Health Steps) and health-care clearinghouses (for example, DSHS Centralizing Billing Services).
Your privacy rights:
The law gives you the right to:
- Adequate notice of: (1) the uses and disclosures of protected health information that can be made by an agency or your health-care service provider, (2) your rights related to your health information, and (3) the agency and health-care service provider’s legal duties to protected health information, with some legal exceptions. This notice is available online on the agency's website: www.dshs.state.tx.us
- Ask an agency or your health-care service provider to restrict certain uses or disclosures of health information about you. However, the law doesn't require an agency or health-care service provider to agree to a requested restriction if it is more than what the law allows.
- An agency or health-care service provider must agree to your request to restrict disclosure of protected health information about you to a health plan if: (1) the disclosure is for the purpose of carrying out payment or health-care operations and isn't otherwise required by law, and (2) the protected health information pertains solely to a health-care item or service for which you, or a person, other than the health plan, on behalf of the individual, has paid the covered entity in full.
- Get confidential communications of health information and make reasonable requests to get information in a different way or location. However, the agency or health-care service provider will require the request in writing with a statement or explanation for the request. For example, you might explain that sending information to your usual address might put you in danger. You must be specific about where and how we can contact you.
- In some situations, look at or get a copy of certain health information, including laboratory test results, an agency or your health-care service provider has about you.
- Ask an agency or your health-care service provider's privacy office to correct certain information about you if you believe the information is wrong or incomplete. Most of the time, an agency can't change or delete information, even if it is incorrect. However, if an agency or health-care service provider decides it should make a correction, it will add the correct information to the record and note that the new information takes the place of the old information. The old information will remain in the record. If an agency or health-care service provider denies your request to change the information, you can have your written disagreement reviewed by your agency or health-care service provider’s privacy office and placed in your record.
- Ask for a list of disclosures an agency or health-care service provider has made of certain health information in some situations.
- Ask for and get a paper copy of this notice from any agency or the privacy office of your health-care service provider.
- Cancel permission you have given an agency or your health-care service provider to use or share health information that identifies you in some cases, unless the agency or health-care service provider has already taken action based on your permission. You must cancel your permission in writing and deliver it to the agency or your health-care service provider's privacy office.
- In some situations, be notified by letter from the agency privacy officer if your health information has been used or shared in an unauthorized manner.
- Be notified with a revised notice at certain times after significant changes are made in the use or disclosure of your health information.
- For all notices to, or requests for copies of information from, the agency or health-care service provider’s privacy office, please see the Complaint and Question section for contact information.
An agency’s duty to protect health information that identifies you:
The law requires an agency to take reasonable steps to protect the privacy and security of your health information. It also requires an agency to give you this notice, which describes the agency's legal duties and privacy practices. In most situations, an agency can't use or share health information that identifies you without your written authorization, except to carry out treatment, payment for your health care or an agency's health-care operations, or as required by law, as described below. This notice explains under what circumstances an agency can use or share health information that identifies you without your permission.
Medicaid, CHIP and TANF laws limit an agency's use or disclosure of Medicaid, CHIP or TANF information that identifies you for purposes directly connected to administration of those programs.
For all other uses and disclosures, an agency must get your written permission. You can cancel your permission at any time, unless the agency has already taken action based on your permission, unless otherwise concerns your: (1) treatment, (2) payment for your health care, (3) agency's health-care operations, or (4) as required or authorized by law.
Uses or disclosures that might require your authorization:
Psychotherapy notes. An agency must get your authorization, in some cases, for disclosure of your psychotherapy notes, except to:
- Carry out treatment, payment, health-care operations, or as required by law.
- Be used by the originator of the psychotherapy notes for treatment.
- Be used by the agency for its own training programs.
- Be used by the agency to defend itself in a legal action or other proceedings brought by you or your legally authorized representative.
Marketing. An agency will ask for your authorization for most marketing communications about a product, such as a drug or medical device, or service that encourages you to buy or use a product or service, except if the communication is in the form of:
- A face-to-face communication made by an agency to you.
- A promotional gift of little value provided by the agency.
If the marketing involves direct or indirect payment to the agency from a third party, the authorization must state that such payment is involved. The following activities aren't considered marketing and don't require your authorization:
- For refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for you, only if any payment received by the agency in exchange for the communication is reasonably related to the agency’s cost of the communication.
- For the following treatment and health-care operations purposes, except where the agency gets payment in exchange for making the communication:
(A) For your treatment by a health-care service provider, including case management or care coordination for you, or to direct or recommend alternative treatments, therapies, health-care service providers, or settings of care to you.
(B) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the agency making the communication, including communications about: (1) the agency's participating in a health-care service provider network or health-plan network; (2) replacement of, or enhancements to, a health plan; and, (3) health-related products or services available only to a health plan enrollee that add value to, but aren't part of, a plan of benefits.
(C) For case management or care coordination, contacting of individuals with information about treatment alternatives and related functions to the extent these activities don't fall within the definition of treatment.
Sale of Protected Health Information. An agency must get your written permission to sell your protected health information. Sale means a disclosure by an agency or its business associate where there is a direct or indirect payment from or on behalf of the third-party that gets the protected health information in exchange for payment. The authorization will state that the disclosure will result in payment to the agency. The following aren't considered sale of protected health information:
- For public health purposes.
- For research purposes, where the only payment received by the agency or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes.
- For treatment and payment purposes.
- For the sale, transfer, merger, or consolidation of all or part of the agency and for health-care operations.
- To or by a business associate for activities that the business associate undertakes on behalf of an agency, or on behalf of a business associate in the case of a subcontractor and the only payment provided is by the agency to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities.
- To you in some cases.
- As required by law.
- Where the only payment received by the agency or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.
Fundraising. An agency must get your written authorization if it shares your protected health information for fundraising purposes. For example, the Texas Department of State Health Services (DSHS) might participate in fundraising activities through its state mental hospitals for improving the quality of patient care. Fundraising events, which are coordinated by a state hospital’s volunteer council, are strictly voluntary and might include art shows, walks, runs, or bike rides. You must first provide DSHS with your written authorization for any instance in which you choose to share your protected health information for such fundraising purposes.
Material changes to privacy practices
You will get this notice before getting health-care services through an agency or as soon as reasonably practicable after an emergency or upon enrollment in an agency health plan, then once every three years thereafter. You will be notified of the availability of the notice and how to get it. If an agency materially changes its privacy practices, it must notify you of the changes within 60 days by mailing a new Notice of Privacy Practices, or by posting the notice prominently on its website. It will then be redistributed with the next annual mailing. Agencies reserve the right to change their privacy practices.
The new privacy notice will be sent to the most recent address you have given the agency if it is mailed. It is your duty, or the duty of your legally authorized individual, to promptly tell the agency if you had a change of address.
The new practices will apply to all the health information the agency has about you, regardless of when the agency received or created the information.
Breach of Protected Health Information
In the event your protected health information is unsecured and disclose without the authorization of an agency or you, you will be notified of a data breach. An agency is required to notify you even if there is no reason to suspect any misuse of the protected health information. You will be notified by mail or by phone as soon as reasonably possible. It is your duty, or the duty of your legally authorized individual, to promptly tell the agency if you had a change of address.
An agency will never use genetic information for underwriting purposes. An agency is required to comply with the terms of the notice currently in effect.
Agency employees are trained and required to protect the privacy of health information that identifies you. An agency doesn't give employees access to health information unless they need it for a business reason. Business reasons for needing access to health information include making benefit decisions, paying bills, and planning for the care you need. The agency will punish employees who don't protect the privacy of health information that identifies you.
Complaints and questions
If you believe your privacy rights have been violated, contact the appropriate agency listed below. You also can contact the appropriate agency listed below if you: (1) have questions about this notice, (2) need more information about your privacy rights, (3) need a physical address for an agency, or (4) are requesting a copy of health information from an agency.
- To request your results of lab tests performed by the DSHS Laboratory, please call (512) 776-7318.
- If you are receiving care from a DSHS state-operated hospital, then you should contact the hospital’s privacy officer.
- You may also contact: DSHS Consumer Services and Rights Protection/Ombudsman Office by mail at Mail Code 2019, P.O. Box 149347 Austin, TX 78714-9347; or by telephone at (512) 206-5760 or (800) 252-8154 (toll free);
If you believe an agency has violated your privacy rights, you also can file a complaint with the:
Office of Civil Rights
U.S. Department of Health and Human Services
1301 Young St., Suite 1169
Dallas, Texas, 75202
Voice Phone (800) 368-1019
FAX (214) 767-0432
TDD (800) 537-7697
For complaints regarding the violation of your right to confidentiality by an alcohol or drug abuse treatment program, contact the United States Attorney’s Office for the judicial district in which the violation occurred.
There will be no retaliation for filing a complaint.
How an agency uses and shares health information that identifies you:
An agency can use or share your health information with other health-care providers or other participants of agencies' organized health-care arrangement. For example, by getting your information, health-care service providers will better understand your health history, which could help them provide your health care. Or, sending your information so you can be seen by a specialist health-care provider for a consult. Or, when in a hospital you may be treated by multiple health-care providers who have your information.
An agency or its organized health-care arrangement participants can use or disclose certain health information about you to pay or collect payment for your health care. For example, when your health-care service provider sends a bill to an agency or your health plan, it includes certain information about your condition and treatment. Another example would be when an agency uses or discloses your health information to determine your eligibility for government benefits in a health plan or whether the proposed treatment is covered by your insurance.
An agency can use or share health information about you for its health-care operations. An agency's health-care operations can include:
- Conducting quality assessment and improvement activities.
- Reviewing the competence, qualifications, and performance of health-care professionals or health plans.
- Training health-care professionals and others.
- Conducting accreditation, certification, licensing, or credentialing activities.
- Carrying out activities related to the creation, renewal, or replacement of a contract for health insurance or health benefits.
- Providing, receiving or arranging for medical review, legal services, or auditing functions.
- Engaging in business management or the general administrative activities of the agency.
The agencies participate in an organized health-care arrangement with each other and their business associates (contractor) and can share health information about you with the other participants in the organized health-care arrangement for any health-care operations activities of the organized health-care arrangement.
An agency or its organized health-care arrangement participants can share health information about you with an agency’s business associate (contractor) or by the contractor to its subcontractor, if the business associate:
- Needs the information to perform services on behalf of the agency or organized health-care arrangement.
- Agrees to protect the privacy of the information.
Other examples of uses and disclosures for health-care operations include using or disclosing health information for case management; ensuring an agency's health-care service provider is qualified to treat individuals; or auditing a health-care service provider's bill to ensure an agency has been billed for only care you received. An agency also can contact you to tell you about treatment alternatives or additional benefits you might be interested in.
Family member, other relative, guardian, legally authorized representative (LAR) or close personal friend
An agency can share health information about you to a family member, other relative, guardian, legal authorized representative, or close personal friend:
- When directly relevant to such person's involvement with your health care or payment related to your health care.
- To notify the person of your location, general condition, or death.
- With your agreement, if you are capable, unless you are unable or in an emergency.
Your family means:
(2) Any other person who is your first-degree, second-degree, third-degree, or fourth-degree relative, such as your:
- Parents, spouses, siblings, and children.
- Grandparents, grandchildren, aunts, uncles, nephews, and nieces.
- Great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins.
- Great-great grandparents, great-great grandchildren, and children of first cousins.
An agency can make reasonable inferences of your best interest in allowing a person to act on your behalf such as pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.
Mental health or substance use.
An agency can't share mental health records about you or information that identifies you as seeking or getting substance abuse services to family members, relatives, or friends without your written permission or the written permission of your legally authorized representative, unless legally authorized by you or required by law, for example, your treatment, or in a medical emergency.
"Required by law" uses or disclosures of PHI
Government programs providing public benefits
An agency can share health information about you with another government agency offering public benefits if:
- The information relates to whether you qualify for or are signed-up for Medicaid or the Children’s Health Insurance Program and the law requires or specifically allows the disclosure.
- The other government agency has the same privacy protections we do, has programs that serve similar types of people, and the disclosure is needed to coordinate or improve how the programs are run.
Health oversight activities
An agency might use or share health information about you for health oversight activities. Health oversight activities can include investigations of:
- Medicaid fraud, waste, or abuse.
- Whether a nursing home is providing good care.
- Whether a nurse aide hurt a nursing home resident.
An agency can share health information for oversight activities only to another health oversight agency. A health oversight agency must be a government agency or someone acting on behalf of a government agency.
An agency can share health information about you with:
- A public health authority for purposes of preventing or controlling disease, injury, or disability.
- An official of a foreign government agency who is acting with the public health authority.
- A government agency allowed to get reports of child abuse or neglect.
Victims of abuse, neglect, or domestic violence
If an agency believes you are the victim or perpetrator of abuse, neglect, or domestic violence, the agency might share health information about you with a government agency that gets reports of abuse, neglect, or domestic violence if:
- You agree to the disclosure.
- A law requires the disclosure.
- A law requires or permits disclosure and the disclosure is needed to prevent serious harm to you or someone else, or you are unable to agree or disagree, the information is needed for immediate action, and the information won't be used against you.
If an agency makes a report under this section, the agency will tell you or your representative about the report unless it believes that telling you would place you at risk of harm or you are a suspected perpetrator.
Serious threat to health or safety
An agency can use or share health information about you if it believes the use or disclosure is needed:
- To prevent or lessen a serious and immediate threat to the health and safety of a person or the public.
- For law enforcement authorities to identify or catch an individual who has admitted participating in a violent crime that resulted in serious physical harm to the victim, unless the information was learned while initiating or in the course of counseling or therapy.
- For law enforcement authorities to catch an individual who has escaped from lawful custody.
For other law enforcement purposes
An agency can share health information about you to a law enforcement official for the following law enforcement purposes:
- To comply with a grand jury subpoena.
- To comply with an administrative request, such as a civil investigative demand, if the information is relevant to an investigation that relates to the administration of one of the agency’s programs.
- To identify and locate a suspect, fugitive, witness, or missing person.
- In response to a request for information about an actual or suspected crime victim.
- To alert a law enforcement official of a death that an agency suspects is the result of criminal conduct.
- To report evidence of a crime on an agency’s property.
For judicial or administrative proceedings
An agency can share health information about you in response to:
- An order from a regular or administrative court.
- A subpoena or other discovery request by a party to a lawsuit when that agency or another agency is a party to the lawsuit.
- A judicial or administrative proceeding. In some situations, you or your legally authorized representative will be notified of the request for your PHI.
Secretary of U.S. Department of Health and Human Services
Agencies must share health information about you to the Secretary of Health and Human Services when the Secretary requests to review compliance with HIPAA.
Agencies can use or share health information about you for research, which sometimes requires an Institutional Review Board to review confidentiality of your information and approve the use or disclosure. Your health information also can be used:
- To allow a researcher to prepare for research, as long as the researcher agrees to keep the information confidential.
- After you die, for research that involves information about people who have died.
An agency won't combine authorizations for use or disclosure of your PHI with any other document to create a compound authorization, except:
- For certain research combining any other type of written permission for the same or another research study. The authorization will state what are conditioned and unconditioned parts of the authorization and provide you with an opportunity to opt-in to the research activities described in the unconditioned authorization.
- For use or disclosure of psychotherapy notes combined with another authorization for a use or disclosure of psychotherapy notes.
An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes, can be combined with any other such authorization under this section, except when an agency has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of one of the authorizations. The prohibition on combining authorizations where one authorization conditions the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits doesn't apply to a combined authorization created in accordance with the research provision above.
An agency can't condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:
- An agency can condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research.
- An agency health plan can condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan before an individual's enrollment in the health plan, if:
- The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations.
- The authorization isn't for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section.
- A covered entity can condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.
An individual can cancel an authorization provided by giving written notice to the agency or the privacy office of your health-care service provider.
Other uses and disclosures
An agency can use or share health information about you:
- To create information that is de-identified and doesn't identify you.
- To the U.S. military or a foreign military for military purposes, or if you are a member of the group asking for the information.
- For purposes of lawful national security activities.
- To federal officials to protect the president of the United States and others.
- To a prison or jail, if you are an inmate of that prison or jail, or to law enforcement personnel if you are in custody.
- To comply with workers’ compensation laws or similar laws.
- To tell or help in telling a family member or another person involved in your care about your location, general condition, or death. HHSC can't share mental health records about you or information that identifies you as seeking or giving substance abuse services to a family member or anyone without your written permission or the written permission of your guardian, unless authorized by law.
ISP 01 (9/2014)