HHS System Privacy Division Hybrid Entity Statement

HHS is considered a hybrid entity under HIPAA because its activities include both covered and non-covered functions. HHS has identified specific health care components (covered components) that are required to meet specific standards under HIPAA as participants in covered functions such as:

  • Delivering care
  • Paying for care
  • Providing a health care plan
  • Providing operational support for health care services

In addition, programs providing services and support functions to those components involved in treatment, payment, and health care operations must meet specific requirements under HIPAA.


HIPAA privacy regulations require that HHS designate its health plan and health care functions as HIPAA-covered. HHS is a hybrid entity because we care for clients and administer a health plan as we as handle day-to-day operations of running an agency.

Non-health plan and non-health care provider components are not subject to HIPAA regulations governing privacy of protected health information, including a notice of privacy practices. By adopting hybrid entity status, non-covered entity departments possessing individual health care information are not subject to those notification requirements for a breach of PHI under HIPAA.

This policy is applicable to all HHS system components and administrative units and applies to all units determined to be covered under the privacy rule and related regulations issued under HIPAA.

Privacy Division Designation

The HHS Chief Privacy Officer shall administer the program through the HHS Privacy Division that establishes and enforces policies and standards related to implementation of HIPAA requirements as well as the Gramm-Leach-Bliley Act, Red Flags, the Texas Medical Records Privacy Act, the Texas Identity Theft Enforcement and Protection Act, Texas Business and Commerce Code §521.002 and §521.053 and the Texas Penal Code §33.02.

Complaints Under HIPAA

The HHS Privacy Division will be responsible for the overall implementation and administration of a system-based complaint process in compliance with the rules and regulations of HIPAA. Patients or clients may complain directly to the HHS system Privacy Division or to the U.S Secretary of Health and Human Services if they believe their privacy rights have been violated. To contact the HHS Privacy Division, complaints may be directed to:

Chief Privacy Officer
HHS Privacy Division
PO BOX 149030, Mail Code 1355
Austin TX 78714-9030
Phone: 877-378-9869 (toll-free)
Fax: 512-833-6043

You also have the right to file a complaint with the U.S Secretary of the Department of Health and Human Services at 200 Independence Avenue, S.W., Washington DC 20201, or call toll-free at 877-696-6775.

HHS System HIPAA Covered Components

The following HHS divisions are designated as covered components:

HHS Medical and Social Services

  • Medicaid and CHIP

HHS Facilities Division State Supported Living Centers

  • Abilene
  • Austin
  • Brenham
  • Corpus Christi
  • Denton
  • El Paso
  • Lubbock
  • Lufkin
  • Mexia
  • Richmond
  • Rio Grande
  • San Angelo
  • San Antonio

State Hospitals

  • Austin State Hospital
  • Big Spring State Hospital
  • El Paso Psychiatric Center
  • Kerrville State Hospital
  • North Texas State Hospital
  • Rio Grande State Center
  • Rusk State Hospital
  • San Antonio State Hospital
  • Terrell State Hospital
  • Waco Center for Youth