(a) Purpose.
- (1) The purpose of this section is to inform individuals of the department's privacy practices and establish department procedures to allow individuals to exercise their rights under the federal Standards for Privacy of Individually Identifiable Health Information, 45 Code of Federal Regulations (C.F.R.) Parts 160 and 164.
- (2) Unless otherwise specified, this section applies only to HIPAA-covered programs within the department.
(b) Definitions. Unless otherwise specified, terms have the meaning assigned by the federal Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. §§160.103 and 164.501, or their common use meaning.
- (1) Department--The Texas Department of Health.
(2) Designated record set--A group of records maintained by or for the department that consists of:
- (A) the medical records and billing records about individuals maintained by or for the department when the department provides direct health care services;
- (B) the enrollment, payment, claims adjudication, and case or medical management records systems maintained by or for health plans within the department; or
- (C) records that contain protected health information used, in whole or in part, by or for the department to make decisions about individuals regarding eligibility, prior authorization, treatment, or payment.
- (3) HIPAA-covered program--A department program or office identified by the department as a health care component in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. Parts 160 and 164.
(4) Non-profit organization--An organization that:
- (A) does not have as its primary purpose the provision of or payment for health care services, but may incidental to its primary purpose pay for health care services or prescription drugs for indigent persons; and
- (B) is organized as a non-profit corporation under the Texas Non-Profit Corporation Act, Article 1396-1.01 et seq., Vernon's Texas Civil Statutes, unless organized under Article 1396-2.01(C) or (D); or
- (C) is organized and operated in a way that does not result in accrual of distributable profits, realization of private gain resulting from payment of compensation other than reasonable compensation for services rendered by persons who are not members of the organization, or realization of any other form of private gain.
- (5) Protected health information (PHI)--Individually identifiable health information about an individual, including demographic information, which relates to the individual's past, present, or future physical or mental health condition, provision of health care, or payment for the provision of health care.
- (6) Record--Any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the department.
(c) Right to notice of privacy practices.
- (1) An individual has the right to notice of how the department uses and discloses PHI and of the individual's rights and the department's duties with respect to PHI.
(2) An individual may request a copy of the notice from:
- (A) the department clinic, hospital, or office where the individual received or receives services;
- (B) the department's Internet web site; or
- (C) the department's Privacy Officer by sending a request in writing to the department's Privacy Officer at the Privacy Officer's electronic mail address indicated on the department's Internet web site or at 1100 West 49th Street, Austin, Texas 78756.
(d) Right of access to protected health information.
- (1) An individual has the right to view or obtain a copy of PHI about the individual.
- (2) An individual must follow the Public Information Act, Government Code, Chapter 552, and the department's procedures in §1.251 of this title (relating to Procedures for Handling Requests for Public Information) to access PHI about the individual held by the department.
- (3) The department will follow the time requirements and access procedures in the Public Information Act and in §1.251 of this title for access to records under this section.
- (4) The department will assess charges in accordance with the Public Information Act and §1.251 of this title for access to records under this section.
(5) An individual who is denied access to records in a designated record set has a right to request a review of the department's decision if the department denied access because:
- (A) a licensed health care professional decided that giving the individual access to the information would likely put the individual or another person in danger;
- (B) the information refers to another person other than a health care provider, and a licensed health care professional decided that giving the individual access to the information would likely cause the other person substantial harm; or
- (C) the individual's personal representative asked for the information, and a licensed health care professional decided that giving the personal representative access to the information would likely cause the individual or another person substantial harm.
- (6) If the denial is reviewable, the individual will be informed in the denial letter. An individual may submit a written request for review in accordance with instructions in the denial letter.
(e) Right to request an amendment to a designated record set.
- (1) An individual has the right to request an amendment to PHI about the individual in a designated record set.
- (2) An individual must follow the procedures in §1.502 of this title (relating to an Individual's Right to Correction of Incorrect Information) to request an amendment to PHI in a designated record set.
- (3) The department will follow the procedures in §1.503 of this title (relating to Correction Procedure) for amendments to designated record sets under this section.
(4) The department may deny a request for amendment if:
- (A) the department could deny access to the information under subsection (d) of this section;
- (B) the department did not create the information;
- (C) the information is not contained in a designated record set; or
- (D) the information is correct and complete.
- (5) An individual may submit a written statement of disagreement if the department denies the individual's request for amendment. The written statement must state the basis for the disagreement with the department's decision. The statement of disagreement must be submitted in accordance with instructions in the denial letter.
(f) Right to report (accounting) of certain disclosures made by a HIPAA-covered program.
- (1) An individual has the right to receive a report of certain disclosures of the individual's PHI made by a HIPAA-covered program.
- (2) The types of disclosures that must be included in the report are described in 45 C.F.R. §164.528, and include disclosures for public health activities.
- (3) An individual may submit a written request for a list of the department's HIPAA-covered programs to the department's Privacy Officer at the Privacy Officer's electronic mail address indicated on the department's Internet web site or at 1100 West 49th Street, Austin, Texas 78756.
(4) An individual may submit a written request for a report of certain disclosures of the individual's PHI made by a HIPAA-covered program to either:
- (A) the HIPAA-covered program that is in possession of the individual's PHI; or
- (B) the department's Privacy Officer at the Privacy Officer's electronic mail address indicated on the department's Internet web site or at 1100 West 49th Street, Austin, Texas 78756.
- (5) A request for a report submitted to the department's Privacy Officer must include the name(s) of the HIPAA-covered program(s) from which a report is requested.
(g) Right to request further limits on uses and disclosures of protected health information.
- (1) An individual has the right to request that the department restrict its uses and disclosures of PHI about the individual. However, the department is not required to agree to any restrictions.
- (2) An individual may submit a written request for restrictions of uses and disclosures to the department's Privacy Officer at the Privacy Officer's electronic mail address indicated on the department's Internet web site or at 1100 West 49th Street, Austin, Texas 78756.
(h) Right to request confidential communication from a HIPAA-covered program by different means or at different locations.
- (1) An individual has the right to submit a written request that the individual receive communications of PHI from a HIPAA-covered program in a way and in a place that is most appropriate for the individual. The written request must specify the reasonable accommodations that are required and the HIPAA-covered program. A request related to a HIPAA-covered program that is a health plan must include a statement as to whether the normal means of communication of PHI could endanger the individual.
(2) An individual may submit a written request for accommodation to:
- (A) the HIPAA-covered program that is in possession of the individual's PHI; or
- (B) the department's Privacy Officer at the Privacy Officer's electronic mail address indicated on the department's Internet web site or at 1100 West 49th Street, Austin, Texas 78756.
- (3) The individual shall be provided with a written approval or denial of the request for accommodation.
(i) Complaints.
- (1) An individual has the right to complain about the department's privacy policies or how the department complies with its privacy policies related to PHI.
(2) An individual may file a complaint by telephone to the number printed on the TDH HIPAA Privacy Notice, or in writing to:
- (A) the department's Privacy Officer at the Privacy Officer's electronic mail address indicated on the department's Internet web site or at 1100 West 49th Street, Austin, Texas 78756; or
- (B) the Texas Attorney General's Office at P.O. Box 12548, Austin, Texas 78711.
(j) Uses and disclosures of protected health information within the department.
- (1) Programs or offices within the department may share PHI as necessary to accomplish the public health, health care oversight, business, and other essential functions of the department.
- (2) The department will use and disclose PHI within the department in accordance with the requirements in 45 C.F.R. §164.504, when applicable.
(k) Exemption for non-profit agencies. Certain non-profit agencies are exempt from the requirements of this section and Health and Safety Code, Chapter 181. A non-profit agency must meet the following criteria to be exempt:
- (1) the agency does not provide health care services or prescription drugs as its primary business or purpose; and
- (2) incidental to its primary business or purpose the agency may provide health care services or prescription drugs to an indigent person receiving other services from the agency.
Source Note:The provisions of this §1.501 adopted to be effective April 14, 2003, 28 TexReg 2325.