1610 Confidential Nature of Medical Information - Health Insurance Portability and Accountability Act

Revision 18-0; Effective September 4, 2018

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets additional standards to secure the confidentiality of protected health information (PHI). PHI is information that identifies or could be used to identify an applicant or member and that relates to the:

  • past, present or future physical, mental or behavioral health or condition of the applicant or member;
  • provision of health care to the applicant or member; or
  • past, present or future payment for the provision of health care to the applicant or member.

PHI includes an applicant or member’s date of birth (DOB), address, Social Security number (SSN), Medicaid identification (ID) number, and demographic data.

1611 Confidential Nature of a Case Record

Revision 18-0; Effective September 4, 2018

Information collected in determining initial or continuing eligibility is confidential. The Texas Health and Human Services Commission (HHSC) and the managed care organization (MCO) may disclose general information about policies, procedures or other methods of determining eligibility, and any other information that is not about or does not specifically identify an applicant or member. An applicant, member, legally authorized representative (LAR) or authorized representative (AR) may review all information in the case record and in HHSC or MCO handbooks that contributed to the decision about eligibility.

1612 Custody of Records

Revision 18-0; Effective September 4, 2018

Texas Health and Human Services Commission (HHSC) staff must use reasonable diligence to safeguard, protect and preserve records and prevent disclosure of the protected health information (PHI) they contain, except as provided by the HHSC regulations.

Reasonable diligence for employees responsible for records includes keeping records:

  • in a locked office when the building is closed;
  • properly filed during office hours; and
  • in the office at all times, except when authorized to remove or transfer them.

1613 Responsible Party to Authorize Disclosure

Revision 18-0; Effective September 4, 2018

 

1613.1 Legally Authorized Representatives and Authorized Representatives

Revision 18-0; Effective September 4, 2018

Only the member’s legally authorized representative (LAR) or authorized representative (AR) can exercise the applicant’s or member’s rights with respect to protected health information (PHI). Therefore, only an applicant, member, LAR or AR may authorize the use or disclosure of PHI or obtain PHI on behalf of an applicant or member. Exception: Texas Health and Human Services Commission (HHSC) is not required to disclose the information to the LAR or AR if the applicant or member is subjected to domestic violence, abuse or neglect by the LAR or AR. Consult the HHSC Privacy Office, as described in Section 1615, Information That May Be Disclosed, if it is believed that health information should not be released to the LAR or AR.

Note: A responsible party is not automatically an LAR or AR.

1613.2 Unemancipated Minors

Revision 18-0; Effective September 4, 2018

A parent is the legally authorized representative (LAR) for a minor child except when:

  • the minor child can consent to medical treatment. Under these circumstances, do not disclose to a parent information about the medical treatment to which the minor child can consent. A minor child can consent to medical treatment when the:
    • minor is on active duty with the U.S. military;
    • minor is age 16 years or older, lives separately from the parents and manages his or her own financial affairs;
    • consent involves diagnosis and treatment of disease that must be reported to the local health officer or the Texas Department of State Health Services (DSHS);
    • minor is unmarried and pregnant and the treatment (other than abortion) relates to the pregnancy;
    • minor is age 16 years or older and the consent involves examination and treatment for drug or chemical addiction, dependency or use at a treatment facility licensed by DSHS;
    • consent involves examination and treatment for drug or chemical addiction, dependency or use by a physician or counselor at a location other than a treatment facility licensed by the state of Texas;
    • minor is unmarried, is the parent of a child, has actual custody of the child and consents to treatment for the child; or
    • consent involves suicide prevention or sexual, physical or emotional abuse.
  • a court is making health care decisions for the minor child or has given the authority to make health care decisions for the minor child to an adult other than a parent or to the minor child. Under these circumstances, do not disclose to a parent information about health care decisions not made by the parent.

1613.3 Adults and Emancipated Minors

Revision 18-0; Effective September 4, 2018

If the applicant or member is an adult or emancipated minor, including married minors, the applicant’s or member’s legally authorized representative (LAR) or authorized representative (AR) is a person who has the authority to make health care decisions about the member and includes a:

  • person the member has appointed under a medical power of attorney, a durable power of attorney with the authority to make health care decisions, or a power of attorney with the authority to make health care decisions;
  • court-appointed guardian for the applicant or member; or
  • person designated by law to make health care decisions when the applicant or member is in a hospital or nursing facility (NF) and is incapacitated or mentally or physically incapable of communication.

Consult the Texas Health and Human Services Commission (HHSC) Privacy Office, as described in Section 1615, Information That May Be Disclosed, for approval.

1613.4 Deceased Applicant or Member

Revision 18-0; Effective September 4, 2018

The legally authorized representative (LAR) or authorized representative (AR) for a deceased applicant or member is an executor, administrator or other person with authority to act on behalf of the applicant, member or the member’s estate. These include:

  • an executor, including an independent executor;
  • an administrator, including a temporary administrator;
  • a surviving spouse;
  • a child;
  • a parent; and
  • an heir.

Consult the Texas Health and Human Services Commission (HHSC) Privacy Office, as described in Section 1615, Information That May Be Disclosed, about whether a particular person is the LAR or AR of an applicant or member.

1614 Establishing Identity 

Revision 23-4; Effective Aug. 21, 2023

 

1614.1 Phone Communication

Revision 23-4; Effective Aug. 21, 2023

Program Support Unit (PSU) staff must establish the identity of a person who self-identifies as an individual, applicant, member, legally authorized representative (LAR) or medical consenter over the phone. PSU staff must verify the person’s knowledge of two of the following about the individual, applicant or member:

  • Social Security number (SSN);
  • date of birth (DOB); or
  • Medicaid identification (ID) number.

PSU staff must verify that the person who self-identifies as an LAR or medical consenter over the phone is listed as the LAR or medical consenter in:

  • the Texas Integrated Eligibility Redesign System (TIERS); or
    • Note: The medical consenter is known as the ‘Alternate Payee’ in TIERS when the individual, applicant, or member has STAR Health or Medicaid as a result of Department of Family and Protective Services (DFPS) involvement.
  • the most recent signed Form H1200, Application for Assistance – Your Texas Benefits; or
  • Form H1826, Case Information Release, completed and signed by the individual, applicant or member.

PSU staff must not release case information to a person who is not able to be verified as the individual, applicant, member, LAR or medical consenter.

Refer to Section 1615, Information That May Be Disclosed, for more information about scenarios when: 

  • PSU staff is not able to verify the person calling;
  • the person calling PSU staff is not the individual, applicant, member, LAR or medical consenter; or
  • PSU staff must obtain Form H1826.

PSU staff must direct all case-related information requests from a lawyer to the PSU supervisor. 

1614.2 In-Person Communication

Revision 18-0; Effective September 4, 2018

Program Support Unit (PSU) staff must establish the identity of the individual who presents himself or herself as an applicant, member, legally authorized representative (LAR) or authorized representative (AR) at a Texas Health and Human Services Commission (HHSC) office by examining two forms of identification with at least one form of identification being a government-issued photo identification (ID):

  • valid U.S. passport;
  • Texas Department of Public Safety (DPS) ID card;
  • DPS driver license;
  • DPS Texas Election Identification Certificate;
  • DPS handgun license;
  • U.S. military identification card containing the person’s photograph;
  • U.S. citizenship certificate containing the person’s photograph;
  • state agency employee badge;
  • Social Security number (SSN) card;
  • Medicaid ID card;
  • birth certificate or birth record;
  • hospital record;
  • work or school ID card;
  • voter registration card; and/or
  • wage stub.

Establish the identity of other HHSC or MCO staff, federal agency staff, researchers or contractors by examining at least one source such as:

  • employee badge; or
  • government-issued identification card with a photograph.

Identify the need for other HHSC or MCO staff, federal staff, research staff or contractors to access confidential information through one of the following:

  • official correspondence or a telephone call from a state or regional office; or
  • contact the HHSC Office of Chief Counsel.

Contact the HHSC Office of Chief Counsel when federal agency staff, contractors, researchers or other HHSC or MCO staff come to the office without prior notification or adequate identification and request permission to access records.

1614.3 Electronic Mail Communication

Revision 18-0; Effective September 4, 2018

If Program Support Unit (PSU) staff receive electronic mail, also known as email, from an applicant, member, legally authorized representative (LAR), authorized representative (AR) or a third party that contains protected health information (PHI), PSU staff must respond using the following procedures:

  • if PSU staff can answer the inquiry without supplying PHI, remove any PHI in the original request, notify the sender that this is not a secure method of transmission for PHI, and respond to the sender appropriately; or
  • if the answer to the inquiry requires the inclusion of PHI, remove any PHI in the original request, notify the sender that this is not a secure method of transmission of PHI, and respond to the sender that he or she must submit the request in writing via mail or facsimile.

PSU staff must not send PHI by email to non-government entity individuals, including applicants, members, LARs, ARs or third-party individuals. Refer to Section 1616, Verification and Documentation of Disclosure, for approved methods of transmitting PHI to applicants, members, LARs, ARs, and third-party individuals to whom the applicant, member, LAR or AR has provided written consent for the release of PHI.

PSU staff may share PHI by email with Medicaid for the Elderly and People with Disabilities (MEPD), Texas Medicaid & Healthcare Partnership (TMHP), the managed care organization (MCO) the applicant or member is enrolled with, and other Texas Health and Human Services Commission (HHSC) staff for work-related purposes, but only if the email:

  • is sent to a verified email address;
  • is sent as an encrypted message;
  • does not contain PHI in the email’s subject line; and
  • contains this disclaimer: "Confidential: This transmission is confidential and intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are notified that any review, retention, disclosure, copying, distribution, or the taking of any other action relevant to the contents of this transmission are strictly prohibited. If you received this transmission in error please return to sender."

Password-protected documents sent by email and electronic fax (e-fax) documents are not considered a secure method for transmitting PHI.

1615 Information That May Be Disclosed

Revision 23-4; Effective Aug. 21, 2023

The Texas Health and Human Services Commission (HHSC) follows Title 20 Code of Federal Regulations (CFR) Sections 401-403 concerning the disclosure of information about: 

  • a person, both with and without the person's consent; 
  • the maintenance of records; and
  • the general guidelines in deciding whether to make a disclosure.

Program Support Unit (PSU) staff must make reasonable efforts to limit the use, request or disclosure of protected health information (PHI) to the minimum necessary to:

  • determine eligibility;
  • operate the program; and
  • accomplish the request for disclosure.

PSU staff must only disclose case-related information to a person verified by the methods described in Section 1614.1, Phone Communication, Section 1614.2, In-Person Communication, and Section 1614.3, Electronic Mail Communication, when:

  • the Texas Integrated Eligibility Redesign System (TIERS) indicates that the person requesting the information is the legally authorized representative (LAR);
  • the person is the medical consenter as indicated in TIERS; 
    • The medical consenter is known as the ‘Alternate Payee’ in TIERS when the individual, applicant, or member has STAR Health or Medicaid as a result of Department of Family and Protective Services (DFPS) involvement.
  • a signed Form H1200, Application for Assistance – Your Texas Benefits, indicates the person requesting the information is the LAR or medical consenter;
  • a valid Form H1826, Case Information Release, is on file or received;
  • the person is HHSC staff including the Medicaid for the Elderly and People with Disabilities (MEPD) specialist; or
  • the person is an HHSC contractor such as the managed care organization (MCO) or the Texas Medicaid & Healthcare Partnership (TMHP) staff.

PSU staff must refer requests to disclose information from federal agency staff, research staff or a lawyer to the PSU supervisor.

PSU staff must complete the following activities when a person requesting the information does not fit in the categories noted in the previous paragraphs:

  • research the Texas Health and Human Services (HHS) Enterprise Administrative Report and Tracking System (HEART) case record for Form H1826;
  • verify the individual, applicant, member, LAR or medical consenter signed Form H1826;
  • ensure the person only receives the information approved for release on Form H1826; and 
  • ensure Form H1826 is not expired.

PSU staff may use the following: 

  • an existing and valid Form H1826 found in the HEART case record; or 
  • a newly submitted Form H1826 received from the individual, applicant, member, LAR or medical consenter.

A valid Form H1826 is:

  • signed by the individual, applicant, member, LAR or medical consenter; and
  • within the information release authorization time frame.

PSU staff must ask the person requesting the information to provide a new Form H1826 if an existing Form H1826:

  • is not signed;
  • is expired; or 
  • does not authorize the release of the information requested.

PSU staff must complete the following activities within two business days of receiving a valid Form H1826:

  • create a HEART case record, if applicable;
  • upload Form H1826 to the HEART case record;
  • contact the person approved by the individual, applicant, member, LAR or medical consenter, as applicable, to receive case information;
  • provide only the specific case information noted on Form H1826 during the approved time frame specified on Form H1826; and
  • document the HEART case record.

The Office of the Chief Counsel at HHSC manages questions and concerns about releasing information. PSU staff must refer an individual, applicant, member, LAR or medical consenter to the Office of the Chief Counsel if there are questions and problems concerning releasing information.

PSU staff must notify the PSU supervisor if a person requests copies of an individual, applicant, or member’s records maintained by the HHSC.

PSU staff may refer to Title 20 CFR Sections 401-403, for more information regarding the disclosure of PHI.

PSU staff may refer to the Uniform Managed Care Manual (UMCM) Section 16.2 for specific requirements regarding STAR Health individuals, applicants, members or medical consenters.
 

1616 Verification and Documentation of Disclosure

Revision 18-0; Effective September 4, 2018

It is only acceptable for Program Support Unit (PSU) staff to disclose protected health information (PHI) to the applicant, member, legally authorized representative (LAR), authorized representative (AR) or a third-party individual to whom the applicant, member, LAR or AR has provided written consent for the release of PHI.

PSU staff verify the identity of the person who requests disclosure of PHI by examining two forms of identification, with at least one form of identification being a government-issued photo identification (ID):

  • Valid U.S. passport;
  • Texas Department of Public Safety (DPS) ID card;
  • DPS driver license;
  • DPS Texas Election Identification Certificate;
  • DPS handgun license;
  • U.S. military identification card containing the person’s photograph;
  • U.S. citizenship certificate containing the person’s photograph;
  • work or school identification card;
  • state agency employee badge;
  • Social Security number (SSN) card;
  • Medicaid ID card;
  • birth certificate or birth record;
  • hospital record;
  • work or school ID card;
  • voter registration card; and/or
  • wage stub.

When disclosing PHI, PSU staff must document transactions and maintain documentation in the member’s Texas Health and Human Services (HHS) Enterprise Administrative Report and Tracking System (HEART) case record pertaining to how the identity of the person was verified and the method of how the information was released to the individual. Approved methods of releasing PHI include providing the requestor copies of documentation in person, by facsimile or by regular mail.

1620 Alternate Means of Communication with the Applicant or Member

Revision 18-0; Effective September 4, 2018

The Texas Health and Human Services Commission (HHSC) and the managed care organization (MCO) must accommodate an applicant, member, legally authorized representative (LAR) or authorized representative’s (AR’s) reasonable requests to receive communications by alternative means or at alternate locations.

The applicant, member, LAR or AR must specify in writing the alternate mailing address or means of contact, and include a statement that using the home mailing address or normal means of contact could endanger the applicant or member.

1630 Confidential Information on Notifications

Revision 18-0; Effective September 4, 2018

The Texas Health and Human Services Commission (HHSC) is committed to protecting all protected health information (PHI) supplied by the applicant, member, legally authorized representative (LAR) or authorized representative (AR) during the eligibility determination process. This includes PHI that HHSC staff include on a copy of a notification of eligibility form sent to third parties.

HHSC staff must not include PHI on the eligibility notice shared with the service provider or another third party.

Examples:

  • Notification is received from Medicaid for the Elderly and People with Disabilities (MEPD) that the member has lost Medicaid because his income of $2,892 exceeds the eligibility limit of $2,022. It is a violation of confidentiality to record on Form H2065-D, Notification of Managed Care Program Services, "Your income of $2,892 exceeds the eligibility limit of $2,022." The comment should simply state, "You are no longer eligible for Medicaid."
  • Another applicant is being denied Medically Dependent Children Program (MDCP) services because the presence of weapons in his or her home presents a hazard to service providers. It is a violation of confidentiality to record on Form H2065-D, "The presence of weapons in your home presents a hazard to service providers." The comment should simply state, "Your services are being denied due to hazardous conditions in your home."

In the examples above, revealing specifics of the applicant or member’s income or the condition of his or her home environment is a violation of his or her right to confidentiality. In all cases, HHSC staff must assess any information provided by the applicant or member to determine if its release would be a confidentiality violation.

1631 Program Support Unit Communications with Managed Care Organizations

Revision 18-0; Effective September 4, 2018

In order to comply with the Health Insurance Portability and Accountability Act (HIPAA), it is imperative for a member’s protected health information (PHI) to be shared only with his or her selected managed care organization (MCO). It is therefore crucial that, when documents containing member information are posted in the incorrect MCO folder in TxMedCentral, the error be corrected immediately upon realizing it was made.

Program Support Unit (PSU) staff must send notification of all TxMedCentral posting errors to PSU Operations staff, including the document identifying information, the name of the folder in which it was erroneously posted, the name of the folder into which it should have been posted, and the time the correction was made.

Example: Posted XX_2067_123456789_ABCD_IM_MFP.doc in SUPSKW at 8:54 a.m. on December 20. Should have been posted to MOLSKW. Corrected at 9:22 a.m. December 20.

1640 Applicant or Member Correction of Information

Revision 18-0; Effective September 4, 2018

An applicant, member, legally authorized representative (LAR) or authorized representative (AR) has a right to correct any information that the Texas Health and Human Services Commission (HHSC) has about the applicant or member and any other individual on the applicant or member’s case.

A request for correction must be in writing and:

  • identify the applicant or member asking for the correction;
  • identify the disputed information about the applicant or member;
  • state why the information is wrong;
  • include any proof that shows the information is wrong;
  • state what correction is requested; and
  • include a return address, telephone number or email address at which HHSC can contact the applicant or member.

If HHSC agrees to change protected health information (PHI), the corrected information is added to the case record, but the incorrect information remains in the file with a note that the information was amended per the member’s request.

Notify the member, LAR or AR in writing within 60 days (using current agency letterhead) that the information is corrected, or will not be corrected, and the reason. Inform the member if HHSC or the MCO needs to extend the 60-day period by an additional 30 days to complete the correction process or obtain additional information.

If HHSC or the MCO makes a correction to PHI, HHSC or the MCO must ask the member for permission before sharing with third parties. The agency will make a reasonable effort to share the correct information with persons who received the incorrect information if those persons may have relied or could rely on it to the disadvantage of the member. HHSC staff must follow regional procedures to contact the HHSC Office of Chief Counsel for a record of disclosures. MCOs must follow HHSC procedures as stated in the STAR Kids Managed Care Contract.

Note: Do not follow above procedures when the accuracy of information provided by a member, LAR or AR is determined by another review process, such as a:

  • fair hearing;
  • civil rights hearing; or
  • other appeal process.

The decision in the above review processes is the decision on the request to correct information.

1650 Disposal of Records

Revision 18-0; Effective September 4, 2018

To dispose of documents with member-specific information, Texas Health and Human Services Commission (HHSC) staff must follow established procedures for destruction of confidential data, as described in the Health and Human Services (HHS) Computer Usage and Information Security Training.