Revision 24-3; Effective Sept. 1, 2024
- If information about an applicant or recipient is requested but cannot be released, inform the inquiring person or agency that federal and state laws and HHSC regulations require that the information being requested remain confidential. Refer the questioner to Title 42 of the United States Code, Section 1396a(a)(7); 42 CFR Sections 431.300-431.307; and Texas Human Resources Code, Sections 12.003 and 21.012. For individually identified health information, refer the requestor to 45 CFR Sections 164.102-164.534. For tax information obtained through IEVS, also refer the requestor to the Internal Revenue Service (IRS) Code, Sections 7213, 7213A and 7431. Title 26 US Code Section 6103 is the confidentiality statute that prohibits disclosure of FTI. For human services agencies, it is IRC 6103(l)(7).
Note: Refer to Appendix XVIII, IRS Tax Code, Sections 7213, 7213A and 7431.
- If subpoenaed to appear in court with an applicant's or recipient's record, notify the supervisor immediately. Give the supervisor all the facts about the case and the date and time of the court hearing. The supervisor should contact the lawyer who is requesting the record and determine if the requested information is confidential. If a problem exists, the supervisor should inform the regional attorney about all relevant facts. Usually, the subpoenaed employee must take the record and appear in court as directed by the summons. When requested to disclose information from the record, ask the judge to be excused from disclosing the information because of the statutory prohibitions stated previously in this section. Abide by the ruling of the judge.
- If subpoenaed to appear in court, and no time is allowed to follow the steps specified in this section, take the record and appear in court as directed by the summons. When requested to disclose the information from the record, follow the procedure described in Step 2.
For individually identifiable health information, refer the requestor to 45 CFR Sections 164.102-164.534.
FTI security incidents include loss of control, unauthorized access, unauthorized disclosure or unauthorized inspection. Once an actual or possible compromise of IRS FTI or an unauthorized inspection or disclosure of IRS FTI is discovered, including breaches and security incidents, the person observing or receiving the information must immediately contact the HHSC IRS coordinator within 24 hours of initial discovery. Send a secure email with the subject line, URGENT: FTI Data Incident Report to the HHSC IRS Coordinator Mailbox.
The HHSC IRS Coordinator reports the incident by:
- contacting the office of the appropriate special agent-in-charge, Treasury Inspector General for Tax Administration (TIGTA); and
- following the IRS Office of Safeguards, as directed in Section 10.2 of IRS Publication 1075.
In the event the HHSC IRS coordinator fails to respond by the close of the next business day, staff immediately inform management by sending an email with the subject line, URGENT – POSSIBLE UNAUTHORIZED DISCLOSURE OR INSPECTION OF FTI to HHSC Offices for Information Technology, Privacy Division, Chief Information Security Office and IRS coordinator.
Examples of FTI security incidents include but are not limited to:
- leaving an agency computer or laptop with FTI unlocked and unattended;
- leaving a file cabinet with FTI unlocked;
- allowing contract IT Help Desk support access to an agency device with FTI while the user is accessing ASOIG;
- printing FTI on Xerox Multi-Factor Office Devices;
- allowing unmonitored contractor access to an FTI hardware server;
- discussing FTI on a Voice over Internet Protocol (VoIP) phone with people or other agency employees;
- viewing FTI remotely without approval;
- sending screenshots of FTI data from the ASOIG application;
- screensharing FTI during virtual meetings, which includes meetings conducted through Microsoft Teams, Zoom, Go To Meeting, Webex and Google Meet; and
- stealing or losing laptop computers, removable devices or non-digital media containing FTI.
C-2610 Penalties for Disclosing FTI
Revision 24-3; Effective Sept. 1, 2024
All Programs
People responsible for the willful unauthorized inspection or disclosure of FTI may be subject to criminal and civil penalties in addition to disciplinary action. Security incidents may also result in temporary or permanent suspension from ASOIG access.
Criminal penalties for willful unauthorized inspection of FTI are:
- a fine up to $1,000; and
- one year in prison, together with the costs of prosecution.
Criminal penalties for willful unauthorized disclosure of FTI are:
- a fine up to $5,000; and
- up to five years in prison, together with the costs of prosecution.
Civil penalties for willful unauthorized inspection or disclosure of FTI are:
- the greater of $1,000 or actual damages for each incident; and
- court costs and attorney fees to the plaintiff.