Unless otherwise defined in this section, each term used in these rules has the meaning assigned by the Health Insurance Portability and Accountability Act (HIPAA).
  (1) Access--The physical or logical capability to interact with or otherwise make use of information.
  (2) Authorized purpose--A purpose expressly authorized by applicable law, regulation, or agreement.
  (3) Authorized user--A person:
    (A) who is authorized to process, view, handle, examine, interpret, or analyze confidential information;
    (B) who has a demonstrable need to know and have access to the confidential information; and
    (C) who has agreed in writing to be bound by the use and disclosure requirements pertaining to confidential information.
  (4) CFR--The Code of Federal Regulations.
  (5) Confidential information--Any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) that consists of or includes any or all of the following information that must be protected from unauthorized use or disclosure as required by applicable state or federal law (e.g. constitutional, statutory, judicial, and legal agreement requirements):
    (A) information designated as confidential under the laws of the State of Texas and of the United States;
    (B) personally identifiable information (PII), meaning information that can be used to uniquely identify, contact, or locate a single individual or can be used with other sources to uniquely identify a single individual;
    (C) PII about or concerning an individual who receives government benefits under one or more public assistance programs administered or overseen by HHSC (also referred to as "client information");
    (D) protected health information (PHI), including without limitation electronic PHI (ePHI) or unsecured PHI, as defined by HIPAA;
    (E) sensitive personal information (SPI), with the meaning assigned by the Texas Identity Theft Act, Chapter 521 of the Texas Business and Commerce Code;
    (F) federal tax information, with the meaning assigned in the Internal Revenue Code, Title 26 of the United States Code (U.S.C.) and regulations adopted under that code;
    (G) Social Security Administration data, meaning information or data made by the Social Security Administration and disclosed to a state agency for its administration of federally funded benefit programs under various provisions of the Social Security Act, such as §1137 (42 U.S.C. §1320b-7), including the state-funded state supplementary payment programs under Title XVI of the Act, in accordance with the requirements of the Privacy Act of 1974, as amended by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. §552a;
    (H) to the extent permitted under the laws and constitution of the State of Texas, all information designated by HHSC or any other state agency as confidential, including all information designated as confidential under the Texas Public Information Act, Texas Government Code, Chapter 552; and
    (I) information that is used, developed, received, or maintained by HHSC or any other state agency, its contractor, or other participating state agencies for the purpose of fulfilling a duty or obligation under an agreement that has not been publicly disclosed.
  (6) Covered entity--Has the meaning assigned by the Medical Records Privacy Act, Health and Safety Code §181.001(b)(2).
  (7) De-identified information--Information excluded from the definition of PHI, for which there is no reasonable basis to believe that the information can be used to identify an individual when individual identifiers have been removed from the information in accordance with HIPAA, 45 CFR §164.514(b)(2).
  (8) Disclose--Has the meaning assigned by the Medical Records Privacy Act, Health and Safety Code §181.001(b)(2-a). See also the definition of "exchange" in this section.
  (9) Exchange--To disclose.
  (10) HHSC--The Health and Human Services Commission.
  (11) HIPAA--Collectively, the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§1320d et seq., and regulations adopted under that act, as modified by the Health Information Technology for Economic and Clinical Health Act (HITECH) (P.L. 111-105), and regulations adopted under that act at 45 CFR Parts 160 and 164.
  (12) Individual--The subject of confidential information, and includes the subject's legally authorized representative who qualifies under HIPAA as a legally authorized representative of the individual, as defined by Texas law, for example, without limitation as provided in Texas Occupations Code §151.002(6); Texas Health and Safety Code §166.164; or Texas Probate Code §3.
  (13) State agency--A department, commission, board, office, council, authority, or other agency, other than an institution of higher education, in the executive or judicial branch of state government that is created by the Constitution or a statute of this state.
  (14) Use--Has the meaning assigned by HIPAA.

Source Note: The provisions of this §390.1 adopted to be effective January 27, 2013, 38 TexReg 291