(a) Purpose.
(1) The purpose of this section is to inform individuals of the department's privacy practices and establish department procedures to allow individuals to exercise their rights under the federal Standards for Privacy of Individually Identifiable Health Information, 45 Code of Federal Regulations (C.F.R.) Parts 160 and 164, which were promulgated to implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
(2) The department is a hybrid entity as that term is defined in 45 C.F.R. §164.103. The department has designated its health care components in accordance with 45 C.F.R. §164.105(a)(2)(iii)(C). Unless otherwise specified, this section applies only to the designated health care components within the department.
(b) Definitions. Unless otherwise specified, terms have the meaning assigned by 45 C.F.R. §160.103, §164.103, and §164.501, or their common use meaning.
(1) Department--The Department of State Health Services.
(2) Designated health care component--A program or office within the department that performs services or functions as a covered entity.
(3) Designated record set--A group of records maintained by or for a designated health care component of the department that consists of:
(A) the medical records and billing records about individuals maintained by or for the department when the department provides direct health care services;
(B) the enrollment, payment, claims adjudication, and case or medical management records systems maintained by or for health plans within the department; or
(C) records that contain protected health information used, in whole or in part, by or for the department to make decisions about individuals regarding eligibility, prior authorization, treatment, or payment.
(4) Health and Human Services (HHS) System--Interchangeably known as the HHS Enterprise, the coordinating entity providing common direction for the five agencies that comprise it are as follows:
(A) Health and Human Services Commission (HHSC);
(B) Department of Aging and Disability Services (DADS);
(C) Department of Assistive and Rehabilitative Services (DARS);
(D) Department of Family and Protective Services (DFPS); and
(E) Department of State Health Services (DSHS).
(5) Protected health information (PHI)--Individually identifiable health information about an individual, including demographic information, which relates to the individual's past, present, or future physical or mental health condition, provision of health care, or payment for the provision of health care.
(6) Record--Any item, collection, or grouping of information that includes PHI and is created, maintained, collected, used, or disseminated by or for a designated health care component of the department.
(c) Right to notice of privacy practices.
(1) An individual has the right to receive notice of how the department uses and discloses PHI and of the individual's rights and the department's duties with respect to PHI.
(2) A designated health care component of the department where an individual receives services shall post the notice of privacy practices in a prominent location.
(3) An individual may request a copy of the notice from:
(A) the department clinic, hospital, or office where the individual received or receives services;
(B) the department's Internet web site at www.dshs.state.tx.us/hipaa/privacynotices.shtm; or
(C) the department's Privacy Officer by sending a request in writing to the department's Privacy Officer's e-mail address at hipaa.privacy@dshs.state.tx.us or by mail to the DSHS Privacy Officer, Mail Code 1915, P.O. Box 149347, Austin, Texas 78714-9347.
(d) Right of access to protected health information.
(1) An individual has the right to view or obtain a copy of PHI about the individual for as long as the PHI is maintained by the department.
(2) An individual shall follow the Public Information Act, Government Code, Chapter 552, and the department's procedures in §1.251 of this title (relating to Procedures for Handling Requests for Public Information) to access and obtain copies of PHI about the individual held by the department. Requests that are submitted by entities or by persons authorized by state or federal law to obtain an individual's medical or behavioral health records, which were created within department mental health facilities, other state hospitals, clinics, or laboratories are excluded from following the requirements of the Public Information Act.
(3) The department shall follow the time requirements and access procedures in the Public Information Act and in §1.251 of this title to provide access to and copies of records under this section.
(4) The department shall charge the same amount for copies of records under this section as charged for copies under the Public Information Act and §1.251 of this title or as specified by other state or federal law.
(5) The department may deny access to records in a designated record set. The department shall send a denial letter explaining why access has been denied. The individual has a right to request a review of the department's decision if the decision was based on any of the following reasons:
(A) a licensed health care professional decided that giving the individual access to the information would likely put the individual or another person in danger;
(B) the information refers to another person other than a health care provider, and a licensed health care professional decided that giving the individual access to the information would likely cause the other person substantial harm; or
(C) the individual's personal representative asked for the information, and a licensed health care professional decided that giving the personal representative access to the information would likely cause the individual or another person substantial harm.
(6) If the denial is reviewable, the department shall provide the individual with instructions in a denial letter about how to request a review of the decision.
(e) Right to request an amendment to a designated record set.
(1) An individual has the right to request an amendment to PHI about the individual in a designated record set.
(2) An individual shall follow the procedures in §1.503 of this title (relating to an Individual's Right to Correction of Incorrect Information) to request an amendment to PHI in a designated record set.
(3) The department shall follow the procedures in §1.504 of this title (relating to Correction Procedure) for amendments to designated record sets under this section.
(4) The department may deny a request for amendment for any of the following reasons:
(A) the department could deny access to the information under subsection (d) of this section;
(B) the department did not create the information;
(C) the information is not contained in a designated record set; or
(D) the information is correct and complete.
(5) If the request for amendment is denied, the department shall send a letter explaining the decision and include instructions on how the individual can submit a written statement of disagreement with the department's decision. The written statement must contain specific facts that explain the basis for the disagreement.
(f) Right to receive an accounting of certain disclosures made by a designated health care component of the department.
(1) An individual has the right to receive an accounting of certain disclosures of the individual's PHI made by a designated health care component of the department.
(2) The types of disclosures that must be included in the accounting are described in 45 C.F.R. §164.528.
(3) An individual may submit a written request for a list of the designated health care components of the department to the department's Privacy Officer at the Privacy Officer's electronic mail address at hipaa.privacy@dshs.state.tx.us or by mail to the DSHS Privacy Officer, Mail Code 1915, P.O. Box 149347, Austin, Texas 78714-9347.
(4) An individual may submit a written request for an accounting of certain disclosures of the individual's PHI made by a designated health care component of the department to either:
(A) the designated health care component of the department that is in possession of the individual's PHI; or
Cont'd...
(B) the department's Privacy Officer at the Privacy Officer's electronic mail address at hipaa.privacy@dshs.state.tx.us or by mail to the DSHS HIPAA Privacy Officer, Mail Code 1915, P.O. Box 149347, Austin, Texas 78714-9347.
(5) A request for a report submitted to the department's Privacy Officer must include the name(s) of the designated health care component of the department from which a report is requested.
(g) Right to request further limits on uses and disclosures of protected health information.
(1) An individual has the right to request that the department restrict its uses and disclosures of PHI about the individual; however, the department is not required to agree to any restrictions that are not required by law, rule, or regulation.
(2) An individual may submit a written request for restrictions of uses and disclosures to the department's Privacy Officer at the Privacy Officer's electronic mail address at hipaa.privacy@dshs.state.tx.us or by mail to the DSHS HIPAA Privacy Officer, Mail Code 1915, P.O. Box 149347, Austin, Texas 78714-9347.
(h) Right to request confidential communication from a designated health care component of the department by different means or at different locations.
(1) An individual has the right to submit a written request that the individual receive communications of PHI from a designated health care component of the department in a way and in a place that is most appropriate for the individual. The written request must specify the reasonable accommodations that are required and the designated health care component of the department to which the request relates.
(2) An individual may submit a written request for accommodation to:
(A) the designated health care component of the department that is in possession of the individual's PHI; or
(B) the department's Privacy Officer at the Privacy Officer's electronic mail address at hipaa.privacy@dshs.state.tx.us or by mail to the DSHS Privacy Officer, Mail Code 1915, P.O. Box 149347, Austin, Texas 78714-9347.
(3) The department shall provide a written approval or denial of the request for accommodation.
(i) Complaints.
(1) An individual has the right to complain about the department's privacy policies or how the department complies with its privacy policies related to PHI.
(2) An individual may file a complaint by telephone to the number printed on the department's HIPAA Privacy Notice, or in writing to:
(A) the department's Privacy Officer at the Privacy Officer's email address at hipaa.privacy@dshs.state.tx.us or by mail to DSHS Privacy Officer, Mail Code 1915, P.O. Box 149347, Austin, Texas 78714-9347; or
(B) Region VI - Dallas Office for Civil Rights (OCR), U.S. Department of Health and Human Services, by mail to 1301 Young Street, Suite 1169, Dallas, Texas 75202, or by email to OCR at OCRcomplaint@hhs.gov, or by phone at: (214) 767-4056, (214) 767-8940 (TDD), or by fax at (214) 767-0432; or
(C) the Texas Attorney General's Office, Consumer Protection Division, by mail at: P.O. Box 12548, Austin, Texas 78711 or at the Attorney General's Internet web site at http://www.oag.state.tx.us/consumer/complain.shtml.
(3) An individual may download a copy of a complaint form and instructions on how to file it at:
(A) the department's HIPAA Internet web site at http://www.dshs.state.tx.us/hipaa/privacycomplaints.shtm; or
(B) the U.S. Department Health and Human Services, OCR's Internet web site at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.
(j) Uses and disclosures of protected health information among HHS System agencies, and other state agencies.
(1) As authorized or required by law, programs or offices among HHS System agencies, and other state agencies may share PHI as necessary to accomplish the public health, health care oversight, business, and other essential functions of the HHS System, and other state agencies.
(2) The department shall use and disclose PHI within the department in accordance with the applicable requirements in 45 C.F.R. §164.504, and federal and state statutes that require the department to protect the confidentiality of PHI.
Source Note: The provisions of this §1.501 adopted to be effective February 12, 2012, 37 TexReg 496