Texas Administrative Code
TITLE 25: HEALTH SERVICES
PART 1: DEPARTMENT OF STATE HEALTH SERVICES
CHAPTER 1: MISCELLANEOUS PROVISIONS
SUBCHAPTER W: PRIVACY POLICY
RULE §1.501: Privacy of Health Information under the Health Insurance Portability and Accountability Act of 1996

(a) Purpose.

  (1) The purpose of this section is to inform individuals of the department's privacy practices and establish department procedures to allow individuals to exercise their rights under the federal Standards for Privacy of Individually Identifiable Health Information, 45 Code of Federal Regulations (C.F.R.) Parts 160 and 164, which were promulgated to implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

  (2) The department is a hybrid entity as that term is defined in 45 C.F.R. §164.103. The department has designated its health care components in accordance with 45 C.F.R. §164.105(a)(2)(iii)(C). Unless otherwise specified, this section applies only to the designated health care components within the department.

(b) Definitions. Unless otherwise specified, terms have the meaning assigned by 45 C.F.R. §160.103, §164.103, and §164.501, or their common use meaning.

  (1) Department--The Department of State Health Services.

  (2) Designated health care component--A program or office within the department that performs services or functions as a covered entity.

  (3) Designated record set--A group of records maintained by or for a designated health care component of the department that consists of:

    (A) the medical records and billing records about individuals maintained by or for the department when the department provides direct health care services;

    (B) the enrollment, payment, claims adjudication, and case or medical management records systems maintained by or for health plans within the department; or

    (C) records that contain protected health information used, in whole or in part, by or for the department to make decisions about individuals regarding eligibility, prior authorization, treatment, or payment.

  (4) Health and Human Services (HHS) System--Interchangeably known as the HHS Enterprise, the coordinating entity providing common direction for the five agencies that comprise it, as follows:

    (A) Health and Human Services Commission (HHSC);

    (B) Department of Aging and Disability Services (DADS);

    (C) Department of Assistive and Rehabilitative Services (DARS);

    (D) Department of Family and Protective Services (DFPS); and

    (E) Department of State Health Services (DSHS).

  (5) Protected health information (PHI)--Individually identifiable health information about an individual, including demographic information, which relates to the individual's past, present, or future physical or mental health condition, provision of health care, or payment for the provision of health care.

  (6) Record--Any item, collection, or grouping of information that includes PHI and is created, maintained, collected, used, or disseminated by or for a designated health care component of the department.

(c) Right to notice of privacy practices.

  (1) An individual has the right to receive notice of how the department uses and discloses PHI and of the individual's rights and the department's duties with respect to PHI.

  (2) A designated health care component of the department where an individual receives services shall post the notice of privacy practices in a prominent location.

  (3) An individual may request a copy of the notice from:

    (A) the department clinic, hospital, or office where the individual received or receives services;

    (B) the department's Internet web site at www.dshs.state.tx.us/hipaa/privacynotices.shtm; or

    (C) the department's Privacy Officer by sending a request in writing to the department's Privacy Officer's e-mail address at hipaa.privacy@dshs.state.tx.us or by mail to the DSHS Privacy Officer, Mail Code 1915, P.O. Box 149347, Austin, Texas 78714-9347.

(d) Right of access to protected health information.

  (1) An individual has the right to view or obtain a copy of PHI about the individual for as long as the PHI is maintained by the department.

  (2) An individual shall follow the Public Information Act, Government Code, Chapter 552, and the department's procedures in §1.251 of this title (relating to Procedures for Handling Requests for Public Information) to access and obtain copies of PHI about the individual held by the department. Requests that are submitted by entities or by persons authorized by state or federal law to obtain an individual's medical or behavioral health records, which were created within department mental health facilities, other state hospitals, clinics, or laboratories are excluded from following the requirements of the Public Information Act.

  (3) The department shall follow the time requirements and access procedures in the Public Information Act and in §1.251 of this title to provide access to and copies of records under this section.

  (4) The department shall charge the same amount for copies of records under this section as charged for copies under the Public Information Act and §1.251 of this title or as specified by other state or federal law.

  (5) The department may deny access to records in a designated record set. The department shall send a denial letter explaining why access has been denied. The individual has a right to request a review of the department's decision if the decision was based on any of the following reasons:

    (A) a licensed health care professional decided that giving the individual access to the information would likely put the individual or another person in danger;

    (B) the information refers to another person other than a health care provider, and a licensed health care professional decided that giving the individual access to the information would likely cause the other person substantial harm; or

    (C) the individual's personal representative asked for the information, and a licensed health care professional decided that giving the personal representative access to the information would likely cause the individual or another person substantial harm.

  (6) If the denial is reviewable, the department shall provide the individual with instructions in a denial letter about how to request a review of the decision.

(e) Right to request an amendment to a designated record set.

  (1) An individual has the right to request an amendment to PHI about the individual in a designated record set.

  (2) An individual shall follow the procedures in §1.503 of this title (relating to an Individual's Right to Correction of Incorrect Information) to request an amendment to PHI in a designated record set.

  (3) The department shall follow the procedures in §1.504 of this title (relating to Correction Procedure) for amendments to designated record sets under this section.

  (4) The department may deny a request for amendment for any of the following reasons:

    (A) the department could deny access to the information under subsection (d) of this section;

    (B) the department did not create the information;

    (C) the information is not contained in a designated record set; or

    (D) the information is correct and complete.

  (5) If the request for amendment is denied, the department shall send a letter explaining the decision and include instructions on how the individual can submit a written statement of disagreement with the department's decision. The written statement must contain specific facts that explain the basis for the disagreement.

(f) Right to receive an accounting of certain disclosures made by a designated health care component of the department.

  (1) An individual has the right to receive an accounting of certain disclosures of the individual's PHI made by a designated health care component of the department.

  (2) The types of disclosures that must be included in the accounting are described in 45 C.F.R. §164.528.

  (3) An individual may submit a written request for a list of the designated health care components of the department to the department's Privacy Officer at the Privacy Officer's electronic mail address at hipaa.privacy@dshs.state.tx.us or by mail to the DSHS Privacy Officer, Mail Code 1915, P.O. Box 149347, Austin, Texas 78714-9347.

  (4) An individual may submit a written request for an accounting of certain disclosures of the individual's PHI made by a designated health care component of the department to either:

    (A) the designated health care component of the department that is in possession of the individual's PHI; or
