Medicaid for the Elderly and People with Disabilities Handbook

C-2000, Confidential Nature of the Case Record

Revision 24-3; Effective Sept. 1, 2024

Information collected when determining eligibility is confidential. The restriction on disclosing information is limited to information about applicants and recipients. HHSC may disclose general information, including:

  • financial or statistical reports;
  • information about policies, procedures or methods of determining eligibility; and
  • any other information that is not about or does not specifically identify an applicant or recipient.

An applicant or recipient may review all information in the case record and in HHSC handbooks that contributed to the eligibility decision.

C-2100, Correcting Information

Revision 24-3; Effective Sept. 1, 2024

Applicants and recipients have a right to correct any information that HHSC has about them or any other person on their case.

A request for correction must:

  • be in writing;
  • identify the person asking for the correction;
  • identify the disputed information;
  • state the reason the information is incorrect;
  • include any verification that the information is incorrect;
  • state what correction is requested; and
  • include a return address, phone number or email address where HHSC can contact the person.

If HHSC agrees to change individually identifiable health information, the corrected information is added to the case record. The incorrect information remains in the file with a note that the information was amended per the applicant's or recipient's request.

Notify the requestor within 60 days that the information has been corrected or will not be corrected and the reason. Inform the requestor if HHSC needs to extend the 60-day period by an additional 30 days to complete the correction process or obtain additional information.

If HHSC makes a correction to individually identifiable health information, ask the person for permission before sharing with third parties. HHSC will make a reasonable effort to share the correction with any entity that may have used the incorrect information from HHSC where it adversely impacted the person. Contact the HHSC Privacy Office for a record of disclosures.

Note: Do not follow procedures above if the accuracy of information provided by an applicant or recipient is reviewed by another process, such as:

  • a fair hearing;
  • a civil rights hearing; or
  • another appeal process.

The decision in that review process is the decision on the request to correct information.

C-2200, Establishing Identity for Contact

Revision 24-3; Effective Sept. 1, 2024

Keep all information confidential about an applicant, recipient or any person on a case. Confidential information includes, but is not limited to, individually identifiable health information.

Before discussing or releasing confidential information about a person, take steps to ensure the person receiving the information is either the applicant or recipient or someone authorized to receive confidential information, such as an attorney or personal representative.

C-2210 Phone Contact

Revision 24-3; Effective Sept. 1, 2024

To establish the identity of a person who claims to be the applicant, recipient or personal representative, request the following:

  • the Social Security number, date of birth or other identifying information for the applicant or recipient, or their representative;
  • to call the person back at a number that has been verified as belonging to the person or their representative.

Establish the identity of attorneys or legal representatives by asking the person to provide Form H1003, Appointment of an Authorized Representative, completed and signed by the applicant or recipient.

Contact the HHS Office of Chief Counsel upon receipt of any requests for confidential information from law enforcement, state officials or legislators.

C-2220 In-Person Contact

Revision 24-3; Effective Sept. 1, 2024

Establish the identity of a person at an HHSC office who states they are an applicant, recipient or personal representative by requesting their:

  • driver's license;
  • date of birth;
  • Social Security number; or
  • other identifying information.

Establish the identity of other HHSC staff, federal agency staff, researchers or contractors by viewing their:

  • employee badge; or
  • government-issued identification card with a photograph.

Verify the need for other HHSC staff, federal agency staff, researchers or contractors to access confidential information through:

  • official correspondence or phone call from state office or regional offices; or
  • contact with regional attorney.

Contact appropriate regional or state office staff when federal agency staff, contractors, researchers or other HHSC staff come to an HHSC office without prior notification or adequate identification and request permission to access HHSC records.

Note: Contractors cannot have access to Internal Revenue Service (IRS) Federal Tax Information (FTI).

C-2230 Verification and Documentation

Revision 24-3; Effective Sept. 1, 2024

When disclosing individually identifiable health information, document the method of verification for the identity of the person if contact is outside an interview.

Verify the identity of a person who requests disclosure of individually identifiable health information using the following sources:

  • valid driver's license or Department of Public Safety identification (ID) card;
  • birth certificate;
  • hospital or birth record;
  • adoption papers or records;
  • work or school ID card;
  • voter registration card;
  • wage stubs; or
  • U.S. passport.

As a condition for receiving federal taxpayer information from the IRS, HHSC is required per Internal Revenue Code 6103(p)(4) to establish and maintain, to the satisfaction of the IRS, safeguards designed to prevent unauthorized access, disclosure, and use of all returns and return information and to maintain the confidentiality of that information. The IRS security requirements for safeguarding IRS FTI are outlined in Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Safeguards for Protecting Federal Tax Returns and Return Information.

Income Eligibility and Verification System (IEVS) specialists must independently verify the income and resource information from any data matches to ensure continuous financial eligibility.

When processing the IEVS match of IRS FTI, staff must not enter any IRS FTI into TIERS, including comments. Documentation in the TIERS income or resource screens is limited to the approved language available for staff use on The LOOP.

C-2240 Alternate Means of Communication

Revision 24-3; Effective Sept. 1, 2024

HHSC must accommodate a person’s reasonable request to receive communications by alternative means or at alternate locations.

The person must specify in writing the alternate mailing address or means of contact and include a statement that using the home mailing address or normal means of contact could endanger the applicant or recipient.

C-2300, Safeguarding Federal Income Data

Revision 24-3; Effective Sept. 1, 2024

Federal Tax Information (FTI) includes tax returns or return information received directly from the Internal Revenue Service (IRS) or obtained through an authorized secondary source, such as the Social Security Administration. Staff must protect digital and non-digital media containing FTI from unauthorized inspection and disclosure. Digital media includes computers, mobile devices and removable storage, such as CDs, DVDs and external hard drives. Non-digital media includes a paper form, report and log.

HHSC limits FTI access to staff whose duties require access. HHSC agency and non-agency staff access FTI physically and through the Automated System for Office of Inspector General (ASOIG). Staff must handle FTI using the following policies to ensure information does not become misplaced, stolen or made available to unauthorized personnel.

HHSC Income Eligibility Verification System (IEVS) staff must retain electronic IEVS worksheets for five years. Staff may log and destroy any printed IEVS module records using IRS safeguarding requirements once they are no longer needed because the electronic records are available and kept in ASOIG for the applicable retention period.

The following forms must be kept for five years from the date of the last entry on the form:

  • Form H1861, Federal Tax Information Record Keeping and Destruction Log;
  • Form H1862, Federal Tax Information Transmittal Memorandum;
  • Form H1863, Federal Tax Information Removal Log;
  • Form H1864, Federal Tax Information Fax Transmittal; and
  • Form H1866, Federal Tax Information Visitor Access Log.

C-2310 IRS FTI Security and Awareness Training

Revision 24-3; Effective Sept. 1, 2024

HHSC and non-HHSC staff who access or may potentially encounter FTI must take and pass the annual Safeguarding IRS Federal Tax Information training to receive and maintain their access permissions to ASOIG. HHSC staff access the training course under System Training Solutions (STS) in the Centralized Accounting and Payroll/Personnel System (CAPPS). Non-HHSC staff may contact the HHSC IRS Coordinator by email at the HHSC AES Federal Tax Info Training Mailbox to get a copy of the training.

HHSC developed the Safeguarding IRS Federal Tax Information training with role-based job aids as an agency resource for security and privacy awareness. HHSC updates this training on an annual basis to reflect any system and policy changes and address audit findings.

HHSC staff submit a confirmation of understanding in STS once the Safeguarding IRS Federal Tax Information training is complete. The confirmation acknowledges staff completed a thorough review of the web-based training and job aids in the resources tab relevant to their professional role. Additionally, it confirms understanding of incident reporting requirements. STS maintains a record of completion for each employee. Non-HHSC staff must review a PDF version of the training, sign Form H4096, Safeguarding Information Certification, and submit the form to their management. The form confirms completion and understanding of the material within the training, as well as the penalties involved for any unauthorized inspection and disclosure of FTI. Non-HHSC management must maintain a copy of the Form H4096 in the employee’s file.

HHSC staff must also complete the HHS Information Security/Cybersecurity Awareness Training and the HHS Privacy Training within 30 days from their hire date and before accessing ASOIG. These trainings are available in STS in CAPPS.

C-2400, Custody of Records

Revision 24-3; Effective Sept. 1, 2024

Records must be safeguarded. Use reasonable diligence to protect and preserve records and to prevent disclosure of the information they contain except as provided by HHS regulations.

Reasonable diligence for employees responsible for records includes always keeping records:

  • in a locked office when the building is closed;
  • properly filed during office hours;
  • in the office except when authorized to remove or transfer them; and
  • per the guidelines for electronic file information as referenced in the HHS Computer Usage and Information Security training.

In addition to the measures for custody of records, use the following to safeguard tape match data obtained through the Income Eligibility and Verification System (IEVS) module within the Automated System of Office of Inspector General (ASOIG) application:

  • Use IEVS data only for the purpose of determining eligibility for MEPD, Medicare Savings Program (MSP), Medical Assistance, Temporary Assistance for Needy Families (TANF) and Supplemental Nutrition Assistance Program (SNAP) benefits.
  • Verify IEVS tax data before taking adverse case actions.
  • Review the Annual Safeguarding IRS Federal Tax Information training and the following three laws that explain criminal and civil penalties for unauthorized disclosure of tax data once a year:
    • Section 7213 – Unauthorized Disclosure of Returns or Return Information, a criminal felony punishable upon conviction by a fine up to $5,000 not including the cost of prosecution, imprisonment for up to five years or both.
    • Section 7213A – Unauthorized Inspection of Returns or Return Information, a criminal misdemeanor punishable upon conviction by a fine up to $1,000 not including the cost of prosecution, imprisonment for up to one year or both.
    • Section 7431 – Civil Damages for Unauthorized Disclosure of Returns and Return Information, which permits a taxpayer to sue for civil damages if a person knowingly or negligently discloses tax return information and upon conviction, a notification to the taxpayer.

Related Policy

Custody of Records, C-2300
System Generated IEVS Worksheet Legends of IRS Tax Data, Appendix XVII
IRS Tax Code, Sections 7213, 7213A and 7431, Appendix XVIII

C-2410 Accessing IRS FTI

Revision 24-3; Effective Sept. 1, 2024

All Programs

HHSC and non-HHSC staff are prohibited from using personally owned media on agency systems or system components. Staff are also prohibited from using portable storage devices in agency systems when such devices have no identifiable owner.

HHSC and non-HHSC staff must adhere to policies and procedures for the handling and protection of FTI to prevent unauthorized access and disclosure. Failure to adhere to the policies or procedures will result in disciplinary action, including warnings, access suspension, permanent access removal or termination.

HHSC and non-HHSC management notify their staff within 72 hours when the formal employee sanction process is initiated. The notification includes the staff member sanctioned and the reason for the sanction.

HHSC and non-HHSC management must remove system and physical access when their staff transfer or are reassigned to a position that no longer requires ongoing operational need to access FTI. HHSC and non-HHSC management submit a modified access request within 24 hours of the transfer or reassignment.

HHSC and non-HHSC management must remove system and physical access and discuss information security during an exit interview when employment is terminated. HHSC and non-HHSC management submit a modified access request within 24 hours of the termination.

Work areas where staff physically access FTI should be limited to authorized personnel only. These areas must be prominently posted and separated from non-restricted areas by physical barriers that control access. FTI must be secured during and after normal operating hours. Staff accessing secured areas must clearly display a picture identification badge. The badge may not be obstructed and must be displayed above the waist.

Staff responsible for protecting access to FTI must mark system media containing FTI to show the distribution limitations, handling caveats and applicable security markings, if any. Additionally, staff responsible for protecting access to FTI must physically control and securely store media containing FTI within agency-controlled areas. Protect system media until it is sanitized or disposed of using approved equipment and methods.

C-2411 Minimum Protection Standards

Revision 24-3; Effective Sept. 1, 2024

All Programs

Minimum protection standards (MPS) require the agency to use at least two barriers to protect FTI from unauthorized access. These barriers include a combination of secured perimeters, security rooms, badged employees and security containers.

  • Secured Perimeters are enclosed by slab-to-slab walls constructed of durable materials and supplemented by periodic inspection. Any lesser-type partition must be supplemented by electronic intrusion detection and fire detection systems. All doors entering the space must be locked per Locking Systems for Secured Areas. In the case of a fence or gate, the fence must have intrusion detection devices or be continually guarded. The gate must be either guarded or locked with intrusion alarms.
  • Security Rooms are constructed to resist forced entry. The entire room must be enclosed by slab-to-slab walls constructed of approved materials, such as masonry brick or concrete, and supplemented by periodic inspection. Door hinge pins must be non-removable or installed on the inside of the room. Access must be limited to specifically authorized personnel.
  • Badged Employees can serve as the second barrier during business hours between FTI and unauthorized persons. The authorized personnel must wear picture identification badges or credentials. The badge must be clearly displayed and worn above the waist.
  • Security Containers are storage devices, such as turtle cases, safes, vaults or locked IT cabinets, with resistance to forced penetration and a security lock with controlled access to keys or combinations.

C-2412 Locking Mechanisms

Revision 24-3; Effective Sept. 1, 2024

All Programs

All buildings, rooms and containers containing FTI must be locked when not in actual use. Key or combination locking mechanisms may secure FTI. Staff not authorized to access FTI may have a key to the building but not the secured room. This includes unauthorized agency staff, contractors, security personnel, custodial staff and landlords.

The following guidelines apply to key locking mechanisms:

  • The number of keys must be kept to a minimum.
  • Only authorized staff can access the secured area.
  • The unauthorized duplication of keys is prohibited.
  • Keys must be returned before departure for staff who retire, terminate employment or transfer to another position.
  • Management must conduct annual reconciliation of key records.

The following rules apply to combination locking mechanisms:

  • The combination is only shared with authorized staff.
  • The unauthorized disclosure of the combination is prohibited.
  • Management must change the combination at least annually or upon departure of staff that retire, terminate employment or transfer to another position.

C-2413 Authorized Access, Visitor Access and Authorized Personnel Lists

Revision 24-3; Effective Sept. 1, 2024

All Programs

HHSC must maintain a visitor log and authorized access list (AAL) to record access to physical work areas containing FTI. Staff maintain Form H1866 as a record of visitor access to a restricted area. Security staff must validate a visitor’s identity by examining a government-issued identification, such as a state-issued identification, driver’s license or passport. An AAL is maintained and MPS enforced to facilitate the entry of staff who have a frequent and continuing need to enter a restricted area but who are not assigned to the area. The AAL must contain the following:

  • name of employee, vendor, contractor or non-agency personnel;
  • name of agency or department;
  • name and phone number of the agency point-of-contact authorizing access;
  • address of agency, vendor or contractor; and
  • purpose and level of access.

HHSC management must review the AAL monthly or upon potential indication of an event such as a security breach or personnel change. HHSC management must maintain an authorized personnel list of all staff who have access to information systems areas containing FTI.

C-2414 Access Control Systems

Revision 24-3; Effective Sept. 1, 2024

All Programs

Access control systems, such as badge readers, smart cards or biometrics, that provide the capability to audit access control attempts must maintain access control logs with successful and failed access attempts to secured areas containing FTI or systems that process FTI. Management must review access control logs monthly. Access control logs must contain the following information for each access request:

  • the name of the access control device owner;
  • the success or failure of the access request; and
  • the date and time of the access request.

C-2420 Transporting IRS FTI

Revision 24-3; Effective Sept. 1, 2024

All Programs

Staff must transport media containing FTI in a way that prevents loss or unauthorized disclosure. The IRS prohibits staff from transmitting FTI by agency email systems, Microsoft Teams or by phone. Staff must not use HHSC email addresses to send confidential or agency-sensitive information to personal email addresses.

Staff must secure computers and electronic media that receive, process, store, access, protect or transmit FTI in an area with restricted access. The agency must use encryption mechanisms on all computers and mobile devices that contain FTI to prevent access if lost or stolen. Staff must label removable media containing FTI.

Authorized staff must keep all computers, electronic media and removable storage containing FTI in their immediate protection and control during use. When not in use, authorized staff must secure the device in the proper storage area or container. Staff may not leave devices unattended in a public area. HHSC management must maintain inventory records of computers, electronic devices and removable media and complete a semi-annual review for control and accountability.

C-2421 In-Person Transport

Revision 24-3; Effective Sept. 1, 2024

All Programs

Staff transporting media containing FTI must always keep it in their possession. Never leave FTI unattended in a public setting. Use Form H1863 when removing FTI from a file and retain the form for five years from the last FTI removal indicated.

For office relocations, ensure plans include the proper protection and accountability of all FTI. Staff must lock FTI in cabinets or sealed packing cartons while in transit. HHSC staff maintain custody of FTI to ensure cabinets or cartons containing FTI are not misplaced or lost in transit.

C-2422 Mail or Courier Transport

Revision 24-3; Effective Sept. 1, 2024

All Programs

Double seal all FTI transported through the mail by sealing one envelope within another envelope. On the inner envelope, staff must mark Confidential to indicate that only the designated recipient is authorized to open it. Do not label the outermost envelope as FTI or provide any indication that it contains FTI. Use Form H1862 when mailing all paper documents that contain IRS data. The sender ensures the receiver acknowledges the receipt of the information.

C-2423 Fax Transport

Revision 24-3; Effective Sept. 1, 2024

All Programs

Fax machines must be placed in a secure area and staff should refrain from faxing FTI, when possible. There must be trusted staff at both the sending and receiving fax machines. When faxing is required, staff must use Form H1864. The form must accompany all faxed documents that contain IRS data when transferred from one office to another or from an office to a banking institution for verification purposes. The sender ensures the receiver acknowledges the receipt of the information and retains this form for five years.

C-2500, Disposal of Records

Revision 24-3; Effective Sept. 1, 2024

To dispose of documents with an applicant or recipient's information, follow procedures for destruction of confidential data per Texas Health and Human Services (HHSC) records management policies.

C-2510 Internal Revenue Service (IRS) Federal Tax Information (FTI) Sanitization

Revision 24-3; Effective Sept. 1, 2024

All Programs

The sanitization process removes FTI from media to ensure the information cannot be retrieved or reconstructed. Examples include, but are not limited to, digital media found in scanners, copiers, printers, computers, network components, mobile devices, and non-digital media such as paper and microfilm. Staff must use agency-approved software and methods for sanitizing FTI. The following are acceptable sanitization methods:

  • Clearing protects the confidentiality of information against a robust keyboard attack. Simple deletion of items is not sufficient. Clearing must not allow information to be retrieved by data, disk or file recovery utilities. It must be resistant to keystroke recovery attempts. Overwriting is an example of an acceptable clearing method.
  • Purging protects the confidentiality of information against a laboratory attack. This type of attack involves using signal processing equipment and specially trained personnel. Examples of acceptable purging methods are executing the firmware Secure Erase command for ATA drives and degaussing by destabilizing a device’s magnetic field.

HHSC must maintain sanitization records which include the:

  • control number, file name and contents, or both for each record;
  • total number of records;
  • date and method of sanitization; and
  • date of sanitization verification.

C-2520 IRS FTI Destruction

Revision 24-3; Effective Sept. 1, 2024

All Programs

The destruction process ensures that media with FTI cannot be reused as originally intended. Examples include but are not limited to disintegration, incineration, pulverizing, shredding and melting. Staff use Form H1861 to record and track the destruction of FTI. If non-HHSC staff destroy FTI, an HHSC employee must witness the destruction. Staff must use the following approved destruction methods for destroying FTI:

  • Incinerators certified to produce enough heat to burn the entire bundle. If the incinerator cannot burn the entire bundle, separate the pages to ensure all materials are incinerated.
  • Shredders producing crosscut particles which are a maximum of 1 mm by 5 mm or 0.04 inches by 0.2 inches. If shredding deviates from these specifications, then the FTI must be safeguarded until it reaches the stage where it is rendered unreadable through additional means, such as burning or pulping.
  • Disintegrator or Pulverizer equipped with a 2.4-mm or 3/32-inch security screen.

HHSC must maintain destruction records which include:

  • date the records were received;
  • control number, file name and contents, or both for each record;
  • name of the person receiving the records;
  • total number of records, if available;
  • movement of records from receipt to destruction; and
  • date and method of destruction.

C-2600, Reporting Security Incidents

Revision 24-3; Effective Sept. 1, 2024

  1. If information about an applicant or recipient is requested but cannot be released, inform the inquiring person or agency that federal and state laws and HHSC regulations require that the information being requested remain confidential. Refer the questioner to Title 42 of the United States Code, Section 1396a(a)(7); 42 CFR Sections 431.300-431.307; and Texas Human Resource Code, Sections 12.003 and 21.012. For individually identified health information, refer the requestor to 45 CFR sections 164.102-164.534. For tax information obtained through IEVS, also refer the requestor to the Internal Revenue Service (IRS) Code, Sections 7213, 7213A and 7431. Title 26 US Code Section 6103 is the confidentiality statute that prohibits disclosure of FTI. For human services agencies, it is IRC 6103(1)(7).

    Note: Refer to Appendix XVIII, IRS Tax Code, Sections 7213, 7213A and 7431.
  2. If subpoenaed to appear in court with an applicant's or recipient's record, notify the supervisor immediately. Give the supervisor all the facts about the case and the date and time of the court hearing. The supervisor should contact the lawyer who is requesting the record and determine if the requested information is confidential. If a problem exists, the supervisor should inform the regional attorney about all relevant facts. Usually, the subpoenaed employee must take the record and appear in court as directed by the summons. When requested to disclose information from the record, ask the judge to be excused from disclosing the information because of the statutory prohibitions stated previously in this section. Abide by the ruling of the judge.
  3. If subpoenaed to appear in court, and no time is allowed to follow the steps specified in this section, take the record and appear in court as directed by the summons. When requested to disclose the information from the record, follow the procedure described in Step 2.

For individually identifiable health information, refer the requestor to 45 CFR Sections 164.102-164.534.

FTI security incidents include loss of control, unauthorized access, unauthorized disclosure or unauthorized inspection. Once an actual or possible compromise of IRS FTI or an unauthorized inspection or disclosure of IRS FTI is discovered, including breaches and security incidents, the person observing or receiving the information must immediately contact the HHSC IRS coordinator within 24 hours of initial discovery. Send a secure email with the subject line, URGENT: FTI Data Incident Report to the HHSC IRS Coordinator Mailbox.

The HHSC IRS Coordinator reports the incident by:

  • contacting the office of the appropriate special agent-in-charge, Treasury Inspector General for Tax Administration (TIGTA); and
  • following the IRS Office of Safeguards, as directed in Section 10.2 of IRS Publication 1075.

In the event the HHSC IRS coordinator fails to respond by the close of the next business day, staff immediately inform management by sending an email with the subject line, URGENT – POSSIBLE UNAUTHORIZED DISCLOSURE OR INSPECTION OF FTI to HHSC Offices for Information Technology, Privacy Division, Chief Information Security Office and IRS coordinator.

Examples of FTI security incidents include but are not limited to:

  • leaving an agency computer or laptop with FTI unlocked and unattended;
  • leaving a file cabinet with FTI unlocked;
  • allowing contract IT Help Desk support access to an agency device with FTI while the user is accessing ASOIG;
  • printing FTI on Xerox Multi-Factor Office Devices;
  • allowing unmonitored contractor access to an FTI hardware server;
  • discussing FTI on a Voice over Internet Protocol (VoIP) phone with people or other agency employees;
  • viewing FTI remotely without approval;
  • sending screenshots of FTI data from the ASOIG application;
  • screensharing FTI during virtual meetings, which includes meetings conducted through Microsoft Teams, Zoom, Go To Meeting, Webex and Google Meet; and
  • stealing or losing laptop computers, removable devices or non-digital media containing FTI.

C-2610 Penalties for Disclosing FTI

Revision 24-3; Effective Sept. 1, 2024

All Programs

People responsible for the willful unauthorized inspection or disclosure of FTI may be subject to criminal and civil penalties in addition to disciplinary action. Security incidents may also result in temporary or permanent suspension from ASOIG access.

Criminal penalties for willful unauthorized inspection of FTI are:

  • a fine up to $1,000; and
  • one year in prison, together with the costs of prosecution.

Criminal penalties for willful unauthorized disclosure of FTI are:

  • a fine up to $5,000; and
  • up to five years in prison, together with the costs of prosecution.

Civil penalties for willful unauthorized inspection or disclosure of FTI are:

  • the greater of $1,000 or actual damages for each incident; and
  • court costs and attorney fees to the plaintiff.