1500, Disclosure of Information

1510 Confidential Nature of Medical Information - HIPAA

Revision 19-13; Effective November 5, 2019

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets additional standards to protect the confidentiality of protected health information (PHI). PHI is information that identifies or could be used to identify an applicant or member and that relates to the:

  • past, present or future physical, mental or behavioral health or condition of the applicant or member;
  • provision of health care to the applicant or member; or
  • past, present or future payment for the provision of health care to the applicant or member.

PHI includes an individual's date of birth (DOB), address, Social Security number (SSN), Medicaid identification (ID) number and demographic data.

1511 Confidential Nature of a Case Record

Revision 19-13; Effective November 5, 2019
 
Information collected in determining initial or continuing eligibility is confidential. The Texas Health and Human Services Commission (HHSC) and the managed care organization (MCO) may disclose general information about policies, procedures or other methods of determining eligibility, and any other information that is not about, or does not specifically identify an applicant or member.

An applicant, member or authorized representative (AR) may review all information in the case record and in HHSC or MCO handbooks that contributed to the decision about eligibility.

1512 Custody of Records

Revision 19-13; Effective November 5, 2019

Texas Health and Human Services Commission (HHSC) staff must use reasonable diligence to safeguard, protect and preserve records and prevent disclosure of the information they contain, except as provided by HHSC regulations.

Reasonable diligence for employees responsible for records includes keeping records:

  • in a locked office when the building is closed;
  • properly filed during office hours; and
  • in the office at all times, except when authorized to remove or transfer them.

1520 Responsible Party to Authorize Disclosure

Revision 19-13; Effective November 5, 2019

 

1520.1 Authorized Representative

Revision 19-13; Effective November 5, 2019

Only the member's authorized representative (AR) can exercise the applicant’s or member's rights with respect to protected health information (PHI). Therefore, only an applicant or member's AR may authorize the use or disclosure of PHI or obtain PHI on behalf of an applicant or member. Exception: Texas Health and Human Services Commission (HHSC) is not required to disclose the information to the AR if the applicant or member is subjected to domestic violence, abuse or neglect by the AR. Consult the HHSC Office of Chief Counsel, as described in Section 1530, Information May Be Disclosed, if it is believed that health information should not be released to the AR.

Note: A responsible party is not automatically an AR.

1520.2 Unemancipated Minors

Revision 19-13; Effective November 5, 2019

A parent is the authorized representative (AR) for a minor child except when:

  • the minor child can consent to medical treatment. Under these circumstances, do not disclose to a parent information about the medical treatment to which the minor child can consent. A minor child can consent to medical treatment when the:
    • minor is on active duty with the U.S. military;
    • minor is age 16 or older, lives separately from the parents and manages his or her own financial affairs;
    • consent involves diagnosis and treatment of disease that must be reported to the local health officer or the Texas Department of State Health Services (DSHS);
    • minor is unmarried and pregnant and the treatment (other than abortion) relates to the pregnancy;
    • minor is age 16 years or older and the consent involves examination and treatment for drug or chemical addiction, dependency or use at a treatment facility licensed by DSHS;
    • consent involves examination and treatment for drug or chemical addiction, dependency or use by a physician or counselor at a location other than a treatment facility licensed by the state of Texas;
    • minor is unmarried, is the parent of a child, has actual custody of the child and consents to treatment for the child; or
    • consent involves suicide prevention or sexual, physical or emotional abuse.
  • a court is making health care decisions for the minor child or has given the authority to make health care decisions for the minor child to an adult other than a parent or to the minor child. Under these circumstances, do not disclose to a parent information about health care decisions not made by the parent.

1520.3 Adults and Emancipated Minors

Revision 19-13; Effective November 5, 2019

The applicant’s or member’s authorized representative (AR) has authority to make health care decisions for the applicant or member if the applicant or member is an adult, emancipated minor or married minor. An AR may be a:

  • person the applicant or member has appointed under a medical power of attorney, a durable power of attorney with the authority to make health care decisions, or a power of attorney with the authority to make health care decisions;
  • court appointed guardian for the applicant or member; or
  • person designated by law to make health care decisions when the applicant or member is in a hospital or nursing facility (NF) and is incapacitated or mentally or physically incapable of communication.

Consult the Texas Health and Human Services Commission (HHSC) Office of Chief Counsel, as described in Section 1530, Information May Be Disclosed, for approval.

1520.4 Deceased Applicant or Member

Revision 19-13; Effective November 5, 2019

The authorized representative (AR) for a deceased applicant or member is an executor, administrator or other person with authority to act on behalf of the applicant, member or the member's estate. These include:

  • an executor, including an independent executor;
  • an administrator, including a temporary administrator;
  • a surviving spouse;
  • a child;
  • a parent; and
  • an heir.

Consult the Texas Health and Human Services Commission (HHSC) Office of Chief Counsel, as described in Section 1530, Information May Be Disclosed, about whether a particular person is the AR of an applicant or member.

1521 Verifying the Identity of an Applicant, Member, Authorized Representative or Third-Party Individual

Revision 19-13; Effective November 5, 2019

 

1521.1 Phone Communication

Revision 23-3; Effective Aug. 21, 2023

Program Support Unit (PSU) staff must establish the identity of a person who self-identifies as an individual, applicant, member, or authorized representative (AR) over the phone. PSU staff must verify the person’s knowledge of two of the following about the applicant or member’s:

  • Social Security number (SSN);
  • date of birth (DOB); or
  • Medicaid identification (ID) number.

PSU staff must verify that the person who self-identifies as an AR over the phone is listed as the AR in:

  • the Texas Integrated Eligibility Redesign System (TIERS);
  • the most recent signed Form H1200, Application for Assistance – Your Texas Benefits; or 
  • Form H1826, Case Information Release, completed and signed by the individual, applicant or member.  

PSU staff must not release case information to a person who is not able to be verified as the individual, applicant, member or AR. 

Refer to Section 1530, Information That May Be Disclosed, for more information about scenarios when: 

  • PSU staff is not able to verify the person calling;
  • the person calling PSU staff is not the individual, applicant, member or AR; or 
  • PSU staff must obtain Form 1826.

PSU staff must direct all case-related information requests from a lawyer to the PSU supervisor.
 

1521.2 In-Person Communication

Revision 19-13; Effective November 5, 2019

Program Support Unit (PSU) staff must establish the identity of the individual who presents himself or herself as an applicant, member or authorized representative (AR) at a Texas Health and Human Services Commission (HHSC) office by examining two forms of valid identification (ID) with at least one form of ID being a government-issued photo ID:

  • U.S. passport;
  • Texas Department of Public Safety (DPS) ID card;
  • DPS driver license;
  • DPS Texas Election Identification Certificate;
  • DPS handgun license;
  • U.S. military ID card containing the photograph;
  • U.S. citizenship certificate containing the person’s photograph;
  • state agency employee badge;
  • Social Security number (SSN) card;
  • Medicaid ID card;
  • birth certificate or birth record;
  • hospital record;
  • work or school ID card;
  • voter registration card; and/or
  • wage stub.

Establish the identity of other HHSC or MCO staff, federal agency staff, research staff or contractors by examining at least one source such as:

  • employee badge; or
  • government-issued identification card with a photograph.

Identify the need for other HHSC or MCO staff, federal staff, research staff or contractors to access protected health information (PHI) through one of the following:

  • official correspondence or a telephone call from a state or regional office; or
  • contact with an HHSC Office of Chief Counsel.

Program Support Unit (PSU) staff must contact the HHSC Office of Chief Counsel staff when other HHSC or MCO staff, federal agency staff, research staff or contractors come to the office without prior notification or inadequate identification and request permission to access records.

1521.3 Electronic Mail Communication

Revision 19-13; Effective November 5, 2019

Program Support Unit (PSU) staff must respond to electronic mail, also known as email, from an applicant, member, authorized representative (AR) or a third party that contains protected health information (PHI) by using the following procedures:

  • If PSU staff can answer the inquiry without supplying PHI, remove any PHI in the original request, notify the sender that this is not a secure method of transmission for PHI, and respond to the sender appropriately; or
  • If the answer to the inquiry requires the inclusion of PHI, remove any PHI in the original request, notify the sender that this is not a secure method of transmission of PHI, and respond to the sender that he or she must submit their request in writing by mail or fax.

PSU staff must not send PHI by email to non-government entity individuals, including applicants, members, ARs or third-party individuals. Refer to Section 1531, Verification and Documentation of Disclosure, for approved methods of transmitting PHI to applicants, members, ARs and third-party individuals to whom the applicant, member or AR have provided written consent for the release of PHI.

PSU staff may share PHI by email with Medicaid for the Elderly and People with Disabilities (MEPD), Texas Medicaid & Healthcare Partnership (TMHP), managed care organization (MCO) the applicant or member is enrolled with, and other Texas Health and Human Services Commission (HHSC) staff for work-related purposes, but only if the email:

  • is sent to a verified email address;
  • is sent as an encrypted message;
  • does not contain PHI in the email’s subject line; and
  • contains this disclaimer: "Confidential: This transmission is confidential and intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are notified that any review, retention, disclosure, copying, distribution, or the taking of any other action relevant to the contents of this transmission are strictly prohibited. If you received this transmission in error, please return to sender."

PSU staff must include the first three letters of the applicant’s or member’s first and last name in the subject line of emails for case-specific communications. For example, an email subject line for an applicant named John Smith would include “JOH.SMI.” in the email’s subject line.

Password-protected documents sent by email and electronic fax (e-fax) documents are not considered a secure method for transmitting PHI.

1530 Information That May Be Disclosed

Revision Notice 23-3; Effective Aug. 21, 2023

The Texas Health and Human Services Commission (HHSC) follows Title 20 Code of Federal Regulations (CFR) Section 401-403 concerning the disclosure of information about: 

  • a person, both with and without the person's consent; 
  • the maintenance of records; and 
  • the general guidelines in deciding whether to make a disclosure.

Program Support Unit (PSU) staff must make reasonable efforts to limit the use, request or disclosure of protected health information (PHI) to the minimum necessary to: 

  • determine eligibility; 
  • operate the program; and 
  • accomplish the request for disclosure.

PSU staff must only disclose case-related information with a person verified by the methods described in Section 1521.1, Phone  Communication, Section 1521.2, In-Person Communication, and Section 1521.3, Electronic Mail Communication, when:

  • the Texas Integrated Eligibility Redesign System (TIERS) indicates that the person requesting the information is the AR; 
  • a signed Form H1200, Application for Assistance – Your Texas Benefits, indicates the person requesting the information is the AR; or
  • a valid Form H1826, Case Information Release, is on file or received;
  • the person is HHSC staff including the Medicaid for the Elderly and People with Disabilities (MEPD) specialist; or
  • the person is an HHSC contractor, such as managed care organization (MCO), or the Texas Medicaid & Healthcare Partnership (TMHP) staff.

PSU staff must refer requests to disclose information from federal agency staff, research staff, or a lawyer to the PSU supervisor.

PSU staff must complete the following activities when a person requesting the information does not fit in the categories noted in the previous paragraphs:

  • research the Texas Health and Human Services (HHS) Enterprise Administrative Report and Tracking System (HEART) case record for Form H1826;
  • verify the individual, applicant, member or AR signed Form H1826;
  • ensure the person only receives the information approved for release on Form H1826; and 
  • ensure Form H1826 is not expired.

PSU staff may use the following: 

  •  an existing and valid Form H1826 found in the HEART case record; or 
  •  a newly submitted Form H1826 received from the individual, applicant, member or AR.

A valid Form H1826 is:

  • signed by the individual, applicant, member or AR; and
  • within the information release authorization time frame.

PSU staff must ask the person requesting the information to provide a new Form H1826 if an existing Form H1826:

  • is not signed;
  • is expired; or 
  • does not authorize the release of the information requested.

PSU staff must complete the following activities within two business days of receiving a valid Form H1826:

  • create a HEART case record, if applicable;
  • upload Form H1826 to the HEART case record;
  • contact the person approved by the individual, applicant, member or AR, as applicable, to receive case information;
  • provide only the specific case information noted on Form H1826 during the approved time frame specified on Form H1826; and
  • document the HEART case record.

The Office of the Chief Counsel at HHSC manages questions and concerns about releasing information. PSU staff must refer an individual, applicant, member or AR to the Office of the Chief Counsel if there are questions and problems concerning releasing information.

PSU staff must notify a person who requests copies of an individual, applicant, or member’s records maintained by HHSC to email the HHSC Open Records Coordinator mailbox.

PSU staff may refer to Title 20 CFR Section 401-403 for more information about the disclosure of PHI.

1531 Verification and Documentation of Disclosure

Revision 19-13; Effective November 5, 2019

Program Support Unit (PSU) staff may only disclose protected health information (PHI) to the applicant, member, authorized representative (AR) or a third-party individual if written consent is provided.

PSU staff verify the identity of the person who requests disclosure of PHI by examining two forms of valid identification (ID), with at least one form of ID being a government-issued photo ID:

  • U.S. passport;
  • Texas Department of Public Safety (DPS) ID card;
  • DPS driver license;
  • DPS Texas Education Identification Certificate;
  • DPS handgun license;
  • U.S. military ID card containing the person’s photograph;
  • U.S. citizenship certificate containing the person’s photograph;
  • state agency employee badge;
  • Social Security number (SSN) card;
  • Medicaid ID card;
  • birth certificate or birth record;
  • hospital record;
  • work or school ID card;
  • voter registration card; and/or
  • wage stubs.

When disclosing PHI, PSU staff must document transactions and maintain documentation in the member's Texas Health and Human Services (HHS) Enterprise Administrative Report and Tracking System (HEART) case record pertaining to how the identity of the person was verified and the method of how the information was released to the individual. Approved methods of releasing PHI include providing the requestor copies of documentation in person, by fax or by mail.

1532 Communication with the Applicant or Member

Revision 19-13; Effective November 5, 2019

The Texas Health and Human Services Commission (HHSC) and the managed care organization (MCO) must accommodate an applicant’s, member’s or authorized representative’s (AR’s) reasonable requests to receive communications by alternative means or at alternate locations.

The applicant, member or AR must specify in writing the alternate mailing address or means of contact and include a statement that using the home mailing address or normal means of contact could endanger the applicant or member.

1533 Confidential Information on Notifications

Revision 19-13; Effective November 5, 2019

The Texas Health and Human Services Commission (HHSC) is committed to protecting all protected health information (PHI) supplied by the applicant, member or authorized representative (AR) during the eligibility determination process. This includes inclusion of PHI by HHSC staff to third parties who receive a copy of a notification of eligibility form.

HHSC staff must not include PHI on the eligibility notice shared with the service provider or another third party.

Examples:

  • Notification is received from Medicaid for the Elderly and People with Disabilities (MEPD) that the member has lost Medicaid because the member’s income of $2,892 exceeds the eligibility limit of $2,313. It is a violation of confidentiality to record on Form H2065-D, Notification of Managed Care Program Services, “Your income of $2,892 exceeds the eligibility limit of $2,313.” The comment should simply state, “You are no longer eligible for Medicaid.”
  • Another applicant is being denied STAR+PLUS Home and Community Based Services (HCBS) program services because the presence of weapons in the member’s home presents a hazard to service providers. It is a violation of confidentiality to record on Form H2065-D, "The presence of weapons in your home presents a hazard to service providers." The comment should simply state, "Your services are being denied due to hazardous conditions in your home."

In the examples above, revealing specifics of the applicant’s or member’s income or the condition of the home environment is a violation of the member’s right to confidentiality. In all cases, HHSC staff must assess any information provided by the applicant or member to determine if its release would be a confidentiality violation.

1534 PSU Communication with the MCOs

Revision 19-13; Effective November 5, 2019

In order to comply with the Health Insurance Portability and Accountability Act (HIPAA), it is imperative for an applicant’s or member's protected health information (PHI) to be shared only with the selected managed care organization (MCO). Program Support Unit (PSU) staff can securely upload documents with PHI by using TxMedCentral. PSU staff must follow Appendix XXXIV, STAR+PLUS TxMedCentral Naming Conventions, when uploading documents to TxMedCentral. If PSU staff upload a document containing member PHI to the incorrect MCO ISP or SPW folder in TxMedCentral, it must be corrected immediately upon realization an error was made.

PSU staff must send notification of all TxMedCentral upload errors to PSU Operations staff. Include the document identifying information, the name of the folder in which it was erroneously uploaded, the name of the folder into which it should have been uploaded and the time the correction was made.

Example: Uploaded XX_2067_123456789_ABCD_1P.doc in SUPSPW at 8:54 a.m. on December 20. Should have been uploaded to MOLSPW. Corrected at 9:22 a.m. December 20.

1535 Applicant or Member Correction of Information

Revision 19-13; Effective November 5, 2019

An applicant, member or authorized representative (AR) has a right to correct any information the Texas Health and Human Services Commission (HHSC) or the managed care organization (MCO) has about the applicant or member and any other individual on the applicant’s or member's case.

A request for correction must be in writing and:

  • identify the applicant or member asking for the correction;
  • identify the disputed information about the applicant or member;
  • state why the information is wrong;
  • include any proof that shows the information is wrong;
  • state what correction is requested; and
  • include a return address, telephone number or email address at which HHSC or the MCO can contact the applicant or member.

HHSC or the MCO must add corrected information to the case record when HHSC or the MCO agrees to change protected health information (PHI). The incorrect information remains in the file with a note that the information was amended per the member's request.

Notify the applicant, member or AR in writing within 60 days (using agency letterhead) the information is corrected, or will not be corrected, and the reason. Inform the member if HHSC or the MCO needs to extend the 60-day period by an additional 30 days to complete the correction process or obtain additional information.

HHSC or the MCO must ask the member for permission before sharing with third parties if HHSC or the MCO makes a correction to PHI. The agency will make a reasonable effort to share the correct information with persons who received the incorrect information if they may have relied, or could rely, on the information and if it is to the disadvantage of the member. HHSC staff must contact the HHSC Office of Chief Counsel for a record of disclosure. MCOs must follow HHSC procedures as stated in the Uniform Managed Care Contract (UMCC), Section 11.03, Member Records.

Note: Do not follow above procedures when the accuracy of information provided by a member or AR is determined by another review process, such as a:

  • fair hearing;
  • civil rights hearing; or
  • other appeal process.

The decision in the above review processes is the decision on the request to correct information.

1536 Disposal of Records

Revision 19-13; Effective November 5, 2019

To dispose of documents with member-specific information, Texas Health and Human Services Commission (HHSC) staff must follow established procedures for destruction of confidential data as described in the Health and Human Services (HHS) Computer Usage and Information Security Training.