2100, Disclosure of Information

Revision 18-2; Effective September 3, 2018

2110 Confidential Nature of the Case Record

Revision 18-2; Effective September 3, 2018

Information collected in determining initial or continuing eligibility is confidential. The Texas Health and Human Services Commission (HHSC) and the managed care organization (MCO) may disclose general information about policies, procedures or other methods of determining eligibility, and any other information that is not about or does not specifically identify a member.

A member or authorized representative (AR) may review all information in the case record and in HHSC or MCO handbooks that contributed to the decision about eligibility.

2111 Verifying the Identity of an Applicant, Member, Authorized Representative or Third Party Individual

Revision 19-1; Effective June 3, 2019

Keep all information that the Texas Health and Human Services Commission (HHSC) and the managed care organization (MCO) have about a member or authorized representative (AR) on the member's case confidential. Confidential information includes, member’s name, date of birth (DOB), address, Social Security number (SSN), Medicaid identification (ID) number or any other individually identifiable health information.

Before discussing or releasing information about a member or AR on the member's case, take steps to be reasonably sure the individual receiving the confidential information is either the member or an individual the member has authorized to receive confidential information (for example, an attorney or AR).

2111.1 Telephone Communication

Revision 19-1; Effective June 3, 2019

Establish the identity of an individual who identifies herself or himself as an applicant or member by verifying the individual’s knowledge of any of the following:

  • applicant's or member’s Social Security number (SSN) and date of birth (DOB);
  • member’s DOB and Medicaid ID number;
  • member’s SSN and answer to a security question;
  • member’s DOB and answer to a security question; or
  • answer two security questions.

Establish the identity of an AR by using the individual's knowledge of any of the above and any of the following:

  • AR's SSN and DOB;
  • AR’s SSN and answer to a security question;
  • AR’s DOB and answer to a security question; or
  • answer two security questions.

Establish the identity of attorneys or AR by asking for the individual to provide Form 1826-D, Case Information Release, or a document that contains all of the information listed in 2114, Information That May Be Disclosed, completed and signed by the member. The managed care organization (MCO) must maintain this documentation in the member's case file.

2111.2 In-Person Contact Communication

Revision 19-1; Effective June 3, 2019

Establish the identity of the individual who presents herself or himself as an applicant, member or member's authorized representative (AR) at a Texas Health and Human Services Commission (HHSC) or managed care organization (MCO) office by examining:

At least one form of government-issued photo identification (ID):

  • valid U.S. passport;
  • Texas Department of Public Safety (DPS) driver license or identification (ID) card;
  • DPS Texas Election Identification Certificate;
  • DPS handgun license;
  • U.S. military ID card containing the photograph; or
  • state agency employee badge; and

At least one form of other identification:

  • birth certificate or birth record;
  • Social Security Number (SSN) card;
  • Medicaid ID card;
  • hospital record;
  • work or school ID card;
  • voter registration card;
  • wage stub;
  • credit card (including gas cards);
  • department store credit card;
  • annual plastic membership ID card; or
  • utility bill.

Establish the identity of other HHSC or MCO staff, federal agency staff, researchers or contractors by examining at least one source such as:

  • employee badge; or
  • government-issued identification card with a photograph.

Identify the need for other HHSC or MCO staff, federal staff, research staff or contractors to access protected health information (PHI) through one of the following:

  • official correspondence or a telephone call from a state or regional office; or
  • contact with the HHSC Office of Chief Counsel.

Contact appropriate regional or state office staff when federal agency staff, contractors, researchers or other HHSC or MCO staff come to the office without prior notification or adequate identification and request permission to access records.

Refer to 2111.4, Verification and Documentation of Disclosure, if the individual is requesting personally identifiable information (PII) or PHI.

2111.3 Electronic Mail Communication

Revision 19-1; Effective June 3, 2019

If managed care organization (MCO) staff receive electronic mail, also known as email, from an applicant, member, authorized representative (AR) or a third party that contains protected health information (PHI), MCO staff must respond by:

  • copying the original inquiry to a new email, removing PHI from the original request;
  • indicate in the response that PHI has been removed from the original email; and
  • respond without using PHI.

If the answer to the inquiry requires the inclusion of PHI, MCO staff must respond by:

  • copying the original inquiry to a new email, removing PHI from the original request;
  • notify the sender this is not a secure method of PHI transmission; and
  • request the sender submit their request in writing via mail or facsimile.

MCO staff must not send PHI by email to non-government entity individuals, including applicants, members, ARs or third-party individuals. Refer to 2111.4, Verification and Documentation of Disclosure, for approved methods of transmitting PHI to applicants, members, ARs and third-party individuals to whom the applicant, member or AR have provided written consent for the release of PHI.

MCO staff may share PHI by email with Medicaid for the Elderly and People with Disabilities (MEPD), Texas Medicaid & Healthcare Partnership (TMHP), the MCO the applicant or member is enrolled with, and other Texas Health and Human Services Commission (HHSC) staff for work-related purposes, but only if the email:

  • is sent to a verified email address;
  • is sent as an encrypted message;
  • does not contain PHI in the email’s subject line; and
  • contains this disclaimer: "Confidential: This transmission is confidential and intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are notified that any review, retention, disclosure, copying, distribution, or the taking of any other action relevant to the contents of this transmission are strictly prohibited. If you received this transmission in error, please return to sender."

Password-protected documents sent by email and electronic fax (e-fax) documents are not considered a secure method for transmitting PHI.

2111.4 Verification and Documentation of Disclosure

Revision 19-1; Effective June 3, 2019

It is only acceptable to disclose personally identifiable information (PII) or protected health information (PHI) to the applicant, member, authorized representative (AR) or a third-party to whom the applicant, member, or AR have provided written consent for the release of PII or PHI information. If disclosing PII or PHI, document transactions and maintain documentation in the member’s case file pertaining to how the identity of the person was verified when contact is outside the interview and the method of how the information was released to the individual.

Verify the identity of the person who requests disclosure of PII or PHI by examining:

At least one form of government-issued photo identification (ID):

  • valid United States (U.S.) passport;
  • Texas Department of Public Safety (DPS) driver license ID card;
  • DPS Texas Election Identification Certificate;
  • DPS handgun license;
  • U.S. military ID card containing the photograph;
  • U.S. citizenship certificate containing the person's photograph; or
  • state agency employee badge; and

At least one form of other ID:

  • birth certificate or birth record;
  • Social Security number (SSN) card;
  • Medicaid ID card;
  • hospital record;
  • work or school identification card;
  • voter registration card;
  • wage stub;
  • credit card (including gas cards);
  • department store credit card;
  • annual plastic membership ID card; or
  • utility bill.

Refer to 2111.1, Telephone Communication2111.2, In-Person Communication, and 2140, Communication with the Applicant or Member, for acceptable communication channels for external partners.

2112 Custody of Records

Revision 19-1; Effective June 3, 2019

Texas Health and Human Services Commission (HHSC) staff must use reasonable diligence to safeguard, protect and preserve records and prevent disclosure of the information they contain, except as provided by HHSC and managed care organization (MCO) regulations.

Reasonable diligence for employees responsible for records includes keeping records:

  • in a locked office when the building is closed;
  • properly filed during office hours; and
  • in the office at all times, except when authorized to remove or transfer them.

2113 Disposal of Records

Revision 18-2; Effective September 3, 2018

To dispose of documents with member-specific information, Texas Health and Human Services Commission (HHSC) staff must follow established procedures for destruction of confidential data. Managed care organizations (MCOs) must follow procedures contained in the Uniform Managed Care Contract.

2114 Information That May Be Disclosed

Revision 19-1; Effective June 3, 2019

Reasonable efforts must be made to limit the use, request or disclosure of protected health information (PHI) to the minimum necessary to determine eligibility and operate the program. The disclosure of the applicant’s or member’s PHI from Texas Health and Human Services Commission (HHSC) and managed care organization (MCO) records must be limited to the minimum necessary to accomplish the requested disclosure. For example, if an applicant or member authorizes release of income verification, including disability income, do not release related case medical information unless specifically authorized by the applicant or member.

PHI may only be disclosed to a person who has written permission from the applicant, member or authorized representative (AR) to obtain the information. The applicant, member or AR authorizes the release of information by completing and signing:

  • Form 1826-D, Case Information Release; or
  • a document containing all of the following information:
    • the applicant's or member's:
      • full name (including middle initial) and Medicaid identification number; or
      • full name (including middle initial) and either date of birth or Social Security number (SSN);
    • a description of the information to be released. Note: If a general release is authorized, provide the information that can be disclosed to the applicant, member or AR. Withhold PHI from the case record, such as names of persons who disclosed information about the household without the household's knowledge, and the nature of pending criminal prosecution;
    • a statement specifically authorizing HHSC or the MCO to release the information;
    • the name of the person or agency to whom the information will be released;
    • the purpose of the release;
    • an expiration event that is related to the member, the purpose of the release or an expiration date of the release;
    • a statement about whether refusal to sign the release affects eligibility for delivery of services;
    • a statement describing the applicant's or member's right to revoke the authorization to release information;
    • the date the document is signed; and
    • the signature of the applicant, member or AR.

Note: If the case information to be released includes PHI, the case release of information document must also tell the applicant, member or AR that information released under the document may no longer be private, and may be released further by the person receiving the information.

Occasionally requests for information from the case records of deceased members are received. In these instances, protect the confidentiality of the former members and the members' survivors.

The Office of Chief General Counsel at HHSC handles questions about the release of information under the Open Records Act. All questions and problems encountered by individuals concerning release of information should be referred to these offices. MCO staff should contact HHSC’s Managed Care Compliance & Operations (MCCO).

2115 Confidential Nature of Medical Information — HIPAA

Revision 19-1; Effective June 3, 2019

Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets additional standards to protect the confidentiality of protected health information (PHI). PHI is information that identifies or could be used to identify an individual and that relates to the:

  • past, present or future physical, mental or behavioral health or condition of the individual;
  • provision of health care to the individual; or
  • past, present or future payment for the provision of health care to the individual.

PHI includes, but is not limited to, an individual's name, date of birth (DOB), address, Social Security number (SSN), and Medicaid ID number.

2116 Privacy Notice

Revision 19-1; Effective June 3, 2019

Texas Health and Human Services Commission (HHSC) and managed care organization (MCO) staff must send each member the Health and Human Services Agencies' Notice of Privacy Practices, upon certification. This notice tells the member or authorized representative (AR) about:

  • the member's privacy rights;
  • the duties of HHSC and the MCO to protect health information; and
  • how HHSC and the MCO may use or disclose health information without the member's authorization. Examples of use or disclosure include health care operations (e.g., Medicaid), public health purposes, reporting victims of abuse, law enforcement purposes, sharing with HHSC or MCO contractors and coordinating government programs that provide benefits.

2117 Authorized Representatives

Revision 19-1; Effective June 3, 2019

Only the member's authorized representative (AR) can exercise the applicant's or member's rights with respect to protected health information (PHI). Therefore, only an applicant’s or member's AR may authorize the use or disclosure of PHI or obtain PHI on behalf of an applicant or member. Exception: Texas Health and Human Services Commission (HHSC) and the managed care organization (MCO) are not required to disclose the information to the AR if the member is subjected to domestic violence, abuse or neglect by the AR. Consult the Office of Chief Counsel, as described in 2114, Information That May Be Disclosed, if it is believed that health information should not be released to the AR.

Note: A responsible party is not automatically an AR.

2117.1 Adults and Emancipated Minors

Revision 19-1; Effective June 3, 2019

If the member is an adult or emancipated minor, including married minors, the member's authorized representative (AR) is a person who has the authority to make health care decisions about the member and includes a:

  • person the member has appointed under a medical power of attorney, a durable power of attorney with the authority to make health care decisions, or a power of attorney with the authority to make health care decisions;
  • court-appointed guardian for the member; or
  • person designated by law to make health care decisions when the member is in a hospital or nursing home and is incapacitated or mentally or physically incapable of communication.

Consult the Texas Health and Human Services Commission (HHSC) Office of Chief Counsel, as described in 2114, Information That May Be Disclosed, for approval.

2117.2 Unemancipated Minors

Revision 19-1; Effective June 3, 2019

A parent is the authorized representative (AR) for a minor child except when:

  • The minor child can consent to medical treatment. Under these circumstances, do not disclose to a parent information about the medical treatment to which the minor child can consent. A minor child can consent to medical treatment when the:
    • minor is on active duty with the United States (U.S.) military;
    • minor is age 16 or older, lives separately from the parents and manages her or his own financial affairs;
    • consent involves diagnosis and treatment of disease that must be reported to the local health officer or the Texas Department of State Health Services (DSHS);
    • minor is unmarried and pregnant and the treatment (other than abortion) relates to the pregnancy;
    • minor is age 16 years or older and the consent involves examination and treatment for drug or chemical addiction, dependency or use at a treatment facility licensed by DSHS;
    • consent involves examination and treatment for drug or chemical addiction, dependency or use by a physician or counselor at a location other than a treatment facility licensed by the state;
    • minor is unmarried, is the parent of a child, has actual custody of the child and consents to treatment for the child; or
    • consent involves suicide prevention or sexual, physical or emotional abuse.
  • A court is making health care decisions for the minor child or has given the authority to make health care decisions for the minor child to an adult other than a parent or to the minor child. Under these circumstances, do not disclose to a parent information about health care decisions not made by the parent.

2117.3 Deceased Applicant or Member

Revision 19-1; Effective June 3, 2019

The authorized representative (AR) for a deceased applicant or member is an executor, administrator or other person with authority to act on behalf of the applicant, member or the member's estate. These include:

  • an executor, including an independent executor;
  • an administrator, including a temporary administrator;
  • a surviving spouse;
  • a child;
  • a parent; and
  • an heir.

Consult the Texas Health and Human Services Commission (HHSC) Office of Chief Council, as described in 2114, Information That May Be Disclosed, about whether a particular person is the AR of an applicant or member.

2120 Applicant or Member Correction of Information

Revision 19-1; Effective June 3, 2019

An applicant, member or authorized representative (AR) has a right to correct any information that the Texas Health and Human Services Commission (HHSC) or the managed care organization (MCO) has about the applicant or member and any other individual on the member's case.

A request for correction must be in writing and:

  • identify the applicant or member asking for the correction;
  • identify the disputed information about the applicant or member;
  • state why the information is wrong;
  • include any proof that shows the information is wrong;
  • state what correction is requested; and
  • include a return address, telephone number or email address at which HHSC or the MCO can contact the applicant or member.

If HHSC or the MCO agrees to change protected health information (PHI), the corrected information is added to the case record, but the incorrect information remains in the file with a note that the information was amended per the member's request.

Notify the applicant, member or AR in writing within 60 days (using agency letterhead) the information is corrected, or will not be corrected, and the reason. Inform the member if HHSC or MCO needs to extend the 60-day period by an additional 30 days to complete the correction process or obtain additional information.

If HHSC or the MCO makes a correction to PHI, HHSC or the MCO must ask the member for permission before sharing with third parties. The agency will make a reasonable effort to share the correct information with persons who received the incorrect information if they may have relied or could rely on the information and if it’s to the disadvantage of the member. HHSC staff must contact the HHSC Office of Chief Counsel for a record of disclosures. MCOs must follow HHSC procedures as stated in the Uniform Managed Care Contract, Section 11.03, Member Records.

Note: Do not follow above procedures when the accuracy of information provided by an applicant, member or AR is determined by another review process, such as a:

  • fair hearing;
  • civil rights hearing; or
  • other appeal process.

The decision in the above review processes is the decision on the request to correct information.

2130 Communication with the Managed Care Organization

Revision 23-2; Effective June 30, 2023

In order to comply with the Health Insurance Portability and Accountability Act (HIPAA), it is imperative for a member's protected health information (PHI) to be shared only with the selected managed care organization (MCO). This makes it crucial that when documents containing member information are uploaded in the incorrect MCO folder in MCOHub, they be corrected immediately upon realization an error was made.

Send notification of all uploading errors to MCOMailbox@tmhp.com. Include the document identifying information, the name of the folder in which it was erroneously uploaded and the name of the folder into which it should have been uploaded. Include the time the correction was made.

Example: Posted 9F_2067_123456789_ABCD_2S.doc in SUPSPW at 8:54 a.m. on December 20. Should have been uploaded to MOLSPW. Corrected at 9:22 a.m. December 20.

All emails containing member information must be sent using encryption software. No PHI may appear in the subject line.

See also:

2140 Communication with the Applicant or Member

Revision 19-1; Effective June 3, 2019

The Texas Health and Human Services Commission (HHSC) and the managed care organization (MCO) must accommodate an applicant's, member's or authorized representative’s (AR’s) reasonable requests to receive communications by alternative means or at alternate locations

The applicant, member or AR must specify in writing the alternate mailing address or means of contact, and include a statement that using the home mailing address or normal means of contact could endanger the applicant or member.

2200, Member Rights and Responsibilities

Revision 19-1; Effective June 3, 2019

Member rights and responsibilities are included in the Member Handbook. The required critical elements for member handbooks can be found in the Texas Medicaid and CHIP - Uniform Managed Care Manual.

The Member Handbook must be provided to the member at application. This document is shared in the language preference expressed by the applicant/member.

In addition, an applicant, member or AR may refer to the Title 1 Texas Administrative Code (TAC) Part 15 §353 Subchapter C, Member Bill of Rights and Responsibilities, to view the full list of member rights and responsibilities.

2210 Notifications

Revision 19-1; Effective June 3, 2019

2211 Program Support Unit Notification Requirements

Revision 23-2; Effective June 30, 2023

Program Support Unit (PSU) staff are responsible for preparing and sending notifications to the applicant, member or authorized representative (AR) advising of actions taken regarding program eligibility and the right to a fair hearing. Form H2065-D, Notification of Managed Care Program Services, is the legal notice sent to an applicant, member or AR of the actions taken regarding STAR+PLUS Home and Community Based Services (HCBS) program. Form H2065-D must be completed in plain language that can be understood by the applicant, member or AR. The language preference of the applicant, member or AR must be considered.

The applicant, member or AR must be notified on Form H2065-D within two business days of the date a case is certified. Form H2065-D also includes information on the individual's room and board charges and copayment, if applicable.

Form H2065-D is also used to notify an applicant who is denied program eligibility or a member whose program eligibility is denied or terminated. The PSU staff must notify the applicant, member or AR on Form H2065-D of the denial of application within two business days of the decision. Refer to 3630, Denial or Termination Procedures.

Depending on when the notification is generated, it will either be uploaded to the managed care organization’s (MCO’s) STAR+PLUS folder, following the instructions in 5110, MCOHub Naming Convention and File Maintenance, on the case action date.

2212 MCO Notification Requirements

Revision 19-1; Effective June 3, 2019

The managed care organization (MCO) is responsible for notifying the member or authorized representative (AR) when a service is either denied or reduced. This is considered an adverse action and the member or AR has a right to appeal. Appeal rights of STAR+PLUS members are in the Uniform Managed Care Manual (UMCM).

2220 Notifications with MEPD Involvement

Revision 19-1; Effective June 3, 2019

Some actions are based on decisions related to Medicaid financial eligibility determined by Medicaid for the Elderly and People with Disabilities (MEPD) specialist. The Program Support Unit (PSU) staff must coordinate changes, approvals and denials of Home and Community Based Services (HCBS) program services with the MEPD specialist.

Although the MEPD specialist is required to notify the applicant, member or authorized representative (AR) of all Medicaid eligibility decisions, the PSU is required to send the STAR+PLUS HCBS program applicant, member or AR the notification of denial of STAR+PLUS HCBS program services on Form H2065-D, Notification of Managed Care Program Services.