(a) Purpose.
(1) The purpose of this section is to inform individuals
of the department's privacy practices and establish department procedures
to allow individuals to exercise their rights under the federal Standards
for Privacy of Individually Identifiable Health Information, 45 Code
of Federal Regulations (C.F.R.) Parts 160 and 164, which were promulgated
to implement the Health Insurance Portability and Accountability Act
of 1996 (HIPAA).
(2) The department is a hybrid entity as that term
is defined in 45 C.F.R. §164.103. The department has designated
its health care components in accordance with 45 C.F.R. §164.105(a)(2)(iii)(C).
Unless otherwise specified, this section applies only to the designated
health care components within the department.
(b) Definitions. Unless otherwise specified, terms
have the meaning assigned by 45 C.F.R. §160.103, §164.103,
and §164.501, or their common use meaning.
(1) Department--The Department of State Health Services.
(2) Designated health care component--A program or
office within the department that performs services or functions as
a covered entity.
(3) Designated record set--A group of records maintained
by or for a designated health care component of the department that
consists of:
(A) the medical records and billing records about individuals
maintained by or for the department when the department provides direct
health care services;
(B) the enrollment, payment, claims adjudication, and
case or medical management records systems maintained by or for health
plans within the department; or
(C) records that contain protected health information
used, in whole or in part, by or for the department to make decisions
about individuals regarding eligibility, prior authorization, treatment,
or payment.
(4) Health and Human Services (HHS) System--Interchangeably
known as the HHS Enterprise, the coordinating entity providing common
direction for the five agencies that comprise it are as follows:
(A) Health and Human Services Commission (HHSC);
(B) Department of Aging and Disability Services (DADS);
(C) Department of Assistive and Rehabilitative Services
(DARS);
(D) Department of Family and Protective Services (DFPS);
and
(E) Department of State Health Services (DSHS).
(5) Protected health information (PHI)--Individually
identifiable health information about an individual, including demographic
information, which relates to the individual's past, present, or future
physical or mental health condition, provision of health care, or
payment for the provision of health care.
(6) Record--Any item, collection, or grouping of information
that includes PHI and is created, maintained, collected, used, or
disseminated by or for a designated health care component of the department.
(c) Right to notice of privacy practices.
(1) An individual has the right to receive notice of
how the department uses and discloses PHI and of the individual's
rights and the department's duties with respect to PHI.
(2) A designated health care component of the department
where an individual receives services shall post the notice of privacy
practices in a prominent location.
(3) An individual may request a copy of the notice
from:
(A) the department clinic, hospital, or office where
the individual received or receives services;
(B) the department's Internet web site at www.dshs.state.tx.us/hipaa/privacynotices.shtm;
or
(C) the department's Privacy Officer by sending a request
in writing to the department's Privacy Officer's e-mail address at
hipaa.privacy@dshs.state.tx.us or by mail to the DSHS Privacy Officer,
Mail Code 1915, P.O. Box 149347, Austin, Texas 78714-9347.
(d) Right of access to protected health information.
(1) An individual has the right to view or obtain a
copy of PHI about the individual for as long as the PHI is maintained
by the department.
(2) An individual shall follow the Public Information
Act, Government Code, Chapter 552, and the department's procedures
in §1.251 of this title (relating to Procedures for Handling
Requests for Public Information) to access and obtain copies of PHI
about the individual held by the department. Requests that are submitted
by entities or by persons authorized by state or federal law to obtain
an individual's medical or behavioral health records, which were created
within department mental health facilities, other state hospitals,
clinics, or laboratories are excluded from following the requirements
of the Public Information Act.
(3) The department shall follow the time requirements
and access procedures in the Public Information Act and in §1.251
of this title to provide access to and copies of records under this
section.
(4) The department shall charge the same amount for
copies of records under this section as charged for copies under the
Public Information Act and §1.251 of this title or as specified
by other state or federal law.
(5) The department may deny access to records in a
designated record set. The department shall send a denial letter explaining
why access has been denied. The individual has a right to request
a review of the department's decision if the decision was based on
any of the following reasons:
(A) a licensed health care professional decided that
giving the individual access to the information would likely put the
individual or another person in danger;
(B) the information refers to another person other
than a health care provider, and a licensed health care professional
decided that giving the individual access to the information would
likely cause the other person substantial harm; or
(C) the individual's personal representative asked
for the information, and a licensed health care professional decided
that giving the personal representative access to the information
would likely cause the individual or another person substantial harm.
(6) If the denial is reviewable, the department shall
provide the individual with instructions in a denial letter about
how to request a review of the decision.
(e) Right to request an amendment to a designated record
set.
(1) An individual has the right to request an amendment
to PHI about the individual in a designated record set.
(2) An individual shall follow the procedures in §1.503
of this title (relating to an Individual's Right to Correction of
Incorrect Information) to request an amendment to PHI in a designated
record set.
(3) The department shall follow the procedures in §1.504
of this title (relating to Correction Procedure) for amendments to
designated record sets under this section.
(4) The department may deny a request for amendment
for any of the following reasons:
(A) the department could deny access to the information
under subsection (d) of this section;
(B) the department did not create the information;
(C) the information is not contained in a designated
record set; or
(D) the information is correct and complete.
(5) If the request for amendment is denied, the department
shall send a letter explaining the decision and include instructions
on how the individual can submit a written statement of disagreement
with the department's decision. The written statement must contain
specific facts that explain the basis for the disagreement.
(f) Right to receive an accounting of certain disclosures
made by a designated health care component of the department.
(1) An individual has the right to receive an accounting
of certain disclosures of the individual's PHI made by a designated
health care component of the department.
(2) The types of disclosures that must be included
in the accounting are described in 45 C.F.R. §164.528.
(3) An individual may submit a written request for
a list of the designated health care components of the department
to the department's Privacy Officer at the Privacy Officer's electronic
mail address at hipaa.privacy@dshs.state.tx.us or by mail to the DSHS
Privacy Officer, Mail Code 1915, P.O. Box 149347, Austin, Texas 78714-9347.
(4) An individual may submit a written request for
an accounting of certain disclosures of the individual's PHI made
by a designated health care component of the department to either:
(A) the designated health care component of the department
that is in possession of the individual's PHI; or
Cont'd... |