Unless otherwise defined in this section, each term used in
these rules has the meaning assigned by the Health Insurance Portability
and Accountability Act (HIPAA).
(1) Access--The physical or logical capability to interact
with or otherwise make use of information.
(2) Authorized purpose--A purpose expressly authorized
by applicable law, regulation, or agreement.
(3) Authorized user--A person:
(A) who is authorized to process, view, handle, examine,
interpret, or analyze confidential information;
(B) who has a demonstrable need to know and have access
to the confidential information; and
(C) who has agreed in writing to be bound by the use
and disclosure requirements pertaining to confidential information.
(4) CFR--The Code of Federal Regulations.
(5) Confidential information--Any communication or
record (whether oral, written, electronically stored or transmitted,
or in any other form) that consists of or includes any or all of the
following information that must be protected from unauthorized use
or disclosure as required by applicable state or federal law (e.g.
constitutional, statutory, judicial, and legal agreement requirements):
(A) information designated as confidential under the
laws of the State of Texas and of the United States;
(B) personally identifiable information (PII), meaning
information that can be used to uniquely identify, contact, or locate
a single individual or can be used with other sources to uniquely
identify a single individual;
(C) PII about or concerning an individual who receives
government benefits under one or more public assistance programs administered
or overseen by HHSC (also referred to as "client information");
(D) protected health information (PHI), including without
limitation electronic PHI (ePHI) or unsecured PHI, as defined by HIPAA;
(E) sensitive personal information (SPI), with the
meaning assigned by the Texas Identity Theft Act, Chapter 521 of the
Texas Business and Commerce Code;
(F) federal tax information, with the meaning assigned
in the Internal Revenue Code, Title 26 of the United States Code (U.S.C.)
and regulations adopted under that code;
(G) Social Security Administration data, meaning information
or data made by the Social Security Administration and disclosed to
a state agency for its administration of federally funded benefit
programs under various provisions of the Social Security Act, such
as §1137 (42 U.S.C. §1320b-7), including the state-funded
state supplementary payment programs under Title XVI of the Act, in
accordance with the requirements of the Privacy Act of 1974, as amended
by the Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. §552a;
(H) to the extent permitted under the laws and constitution
of the State of Texas, all information designated by HHSC or any other
state agency as confidential, including all information designated
as confidential under the Texas Public Information Act, Texas Government
Code, Chapter 552; and
(I) information that is used, developed, received,
or maintained by HHSC or any other state agency, its contractor, or
other participating state agencies for the purpose of fulfilling a
duty or obligation under an agreement that has not been publicly disclosed.
(6) Covered entity--Has the meaning assigned by the
Medical Records Privacy Act, Health and Safety Code §181.001(b)(2).
(7) De-identified information--Information excluded
from the definition of PHI, for which there is no reasonable basis
to believe that the information can be used to identify an individual
when individual identifiers have been removed from the information
in accordance with HIPAA, 45 CFR §164.514(b)(2).
(8) Disclose--Has the meaning assigned by the Medical
Records Privacy Act, Health and Safety Code §181.001(b)(2-a).
See also the definition of "exchange" in this section.
(9) Exchange--To disclose.
(10) HHSC--The Health and Human Services Commission.
(11) HIPAA--Collectively, the Health Insurance Portability
and Accountability Act of 1996, 42 U.S.C. §§1320d et seq.,
and regulations adopted under that act, as modified by the Health
Information Technology for Economic and Clinical Health Act (HITECH)
(P.L. 111-105), and regulations adopted under that act at 45 CFR Parts
160 and 164.
(12) Individual--The subject of confidential information,
and includes the subject's legally authorized representative who qualifies
under HIPAA as a legally authorized representative of the individual,
as defined by Texas law, for example, without limitation as provided
in Texas Occupations Code §151.002(6); Texas Health and Safety
Code §166.164; or Texas Probate Code §3.
(13) State agency--A department, commission, board,
office, council, authority, or other agency, other than an institution
of higher education, in the executive or judicial branch of state
government that is created by the Constitution or a statute of this
(14) Use--Has the meaning assigned by HIPAA.