Revision 09-4; Effective December 1, 2009

Applicants/recipients have a right to correct any information that HHSC has about the applicant/recipient and any other individual on the applicant's/recipient's case.

A request for correction must be in writing and must:

• identify the individual asking for the correction;
• identify the disputed information about the individual;
• state why the information is wrong;
• include any proof that shows the information is wrong;
• state what correction is requested; and
• include a return address, telephone number or email address at which HHSC can contact the individual.

If HHSC agrees to change individually identifiable health information, the corrected information is added to the case record, but the incorrect information remains in the file with a note that the information was amended per the applicant's/recipient's request.

Notify the applicant/recipient in writing within 60 days (using current HHSC letterhead) that the information is corrected or will not be corrected and the reason. Inform the applicant/recipient if HHSC needs to extend the 60-day period by an additional 30 days to complete the correction process or obtain additional information.

If HHSC makes a correction to individually identifiable health information, ask the applicant/recipient for permission before sharing with third parties. HHSC will make a reasonable effort to share the correct information with persons who received the incorrect information from HHSC if they may have relied or could rely on it to the disadvantage of the applicant/recipient. Follow regional procedures to contact HHSC's privacy officer for a record of disclosures.

Note: Do not follow procedures above if the accuracy of information provided by a applicant/recipient is determined by another review process, such as:

• a fair hearing;
• a civil rights hearing; or
• another appeal process.

The decision in that review process is the decision on the request to correct information.

Revision 09-4; Effective December 1, 2009

Keep all information HHSC has about an applicant/recipient or any individual on the applicant's/recipient's case confidential. Confidential information includes, but is not limited to, individually identifiable health information.

Before discussing or releasing information about an applicant/recipient or any individual on the applicant's/recipient's case, take steps to be reasonably sure the individual receiving the confidential information is either the applicant/recipient or an individual the applicant/recipient authorized to receive confidential information (for example, an attorney or personal representative).

 

C-2210 Telephone Contact

Revision 11-4; Effective December 1, 2011

Establish the identity of an individual who identifies himself/herself as an applicant/recipient using his/her knowledge of the applicant's/recipient's:

• Social Security number;
• date of birth;
• other identifying information; or
• call back to the individual.

Establish the identity of a personal representative by using the individual's knowledge of the applicant's/recipient's:

• Social Security number;
• date of birth;
• other identifying information;
• call back to the individual; or
• the knowledge of the same information about the applicant's/recipient's representative.

Establish the identity of attorneys or legal representatives by asking the individual to provide Form H1003, Appointment of an Authorized Representative, completed and signed by the applicant/recipient.

Establish the identity of legislators or their staff by following regional procedures.

 

C-2220 In-Person Contact

Revision 12-3; Effective September 1, 2012

Establish the identity of the individual who presents himself/herself as an applicant/recipient or applicant's/recipient's representative at an HHSC office by:

• driver's license;
• date of birth;
• Social Security number; or
• other identifying information.

Establish the identity of other HHSC staff, federal agency staff, researchers or contractors by:

• employee badge; or
• government-issued identification card with a photograph.

Identify the need for other HHSC staff, federal staff, research staff or contractors to access confidential information through:

• official correspondence or telephone call from state office or regional offices, or
• contact with regional attorney.

Contact appropriate regional or state office staff when federal agency staff, contractors, researchers or other HHSC staff, etc., come to the office without prior notification or adequate identification and request permission to access HHSC records.

Note: Contractors cannot have access to IRS Federal Tax Information (FTI).

 

C-2230 Verification and Documentation

Revision 12-3; Effective September 1, 2012

If disclosing individually identifiable health information, document how you verified the identity of the person if contact is outside the interview.

Verify the identity of the person who contacts you with a request to disclose individually identifiable health information using sources such as:

• valid driver's license or Department of Public Safety ID card;
• birth certificate;
• hospital or birth record;
• adoption papers or records;
• work or school ID card;
• voter registration card;
• wage stubs; and
• U.S. passport.

As a condition for receiving federal taxpayer returns and return information from the IRS, HHSC is required pursuant to IRC 6103(p)(4) to establish and maintain, to the satisfaction of the IRS, safeguards designed to prevent unauthorized access, disclosure, and use of all returns and return information and to maintain the confidentiality of that information. The IRS security requirements for safeguarding IRS FTI are outlined in Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Safeguards for Protecting Federal Tax Returns and Return Information.

MEPD Income Eligibility and Verification System (IEVS) specialists must independently verify the income and resource information from any of the data matches to ensure continuous financial eligibility for the MEPD programs.

For all case actions regarding the clearance of the IEVS match of IRS FTI, MEPD staff must not enter any IRS FTI into TIERS (including comments). Documentation on the TIERS income/resource screen is limited to the approved language indicated in the centralized process available on the Social Services Intranet on the Medicaid Eligibility for the Elderly and People with Disabilities home page at hhs.texas.gov/laws-regulations/handbooks/medicaid-elderly-people-disabilities-handbook.

 

C-2240 Alternate Means of Communication

Revision 09-4; Effective December 1, 2009

HHSC must accommodate an applicant's/recipient's reasonable request to receive communications by alternative means or at alternate locations.

The applicant/recipient must specify in writing the alternate mailing address or means of contact and include a statement that using the home mailing address or normal means of contact could endanger the applicant/recipient.

Revision 21-3; Effective September 1, 2021

Records must be safeguarded. Use reasonable diligence to protect and preserve records and to prevent disclosure of the information they contain except as provided by HHS regulations.

"Reasonable diligence" for employees responsible for records includes keeping records:

• in a locked office when the building is closed;
• properly filed during office hours;
• always in the office except when authorized to remove or transfer them; and
• electronic file information as referenced in HHS Computer Usage and Information Security training.

Reporting Unauthorized Inspection or Disclosure of Internal Revenue Service (IRS) Federal Tax Information (FTI)

Upon discovery of an actual or possible compromise of an unauthorized inspection or disclosure of IRS FTI including breaches and security incidents, the person making the observation or receiving the information must contact the HHS IRS Coordinator immediately at 512-706-7158. They must also email the HHS Privacy Office Mailbox. If you are unable to personally reach the HHS IRS Coordinator by phone, send a secure email to the HHS IRS Coordinator Mailbox.

The HHS IRS Coordinator will report the incident by contacting the office of the appropriate Special Agent-in-Charge, Treasury Inspector General for Tax Administration (TIGTA) and the IRS Office of Safeguards as directed in Section 10.2 of Publication 1075.

Reporting Unauthorized Inspection or Disclosure of Social Security Administration (SSA) Provided Information

Staff who become aware of an incident of unauthorized access to, or disclosure of, restricted verified SSA information or confidential information must contact the HHS Privacy Office Mailbox immediately.

The HHS Privacy Office will report the incident by contacting the Chief Information Security Office (CISO).

If a person is responsible for a security breach or an employee's employment is terminated, the user's access to all information resources is removed. Supervisors must follow agency procedures for removing access for employees, contractors, vendors or trainees.

Revision 21-3; Effective September 1, 2021

Revision 21-3; Effective September 1, 2021

To dispose of documents with an applicant or recipient's information, follow procedures for destruction of confidential data according to Texas Health and Human Services records management policies.

The approved method of destruction of IRS FTI is shredding. The IRS requires the following safeguards:

• HHS staff must perform the destruction of IRS FTI at an HHS facility.
• Destruction of IRS FTI must be documented on Form H1861, Federal Tax Information Record Keeping and Destruction Log.
• IRS FTI documents should be inserted into the shredder so the lines of print are perpendicular to the cutting line to render the document undisclosable.
• IRS FTI documents should be shredded to 1 mm x 5 mm (0.04 in. x 0.2 in.) in size (or smaller).

Revision 12-3; Effective September 1, 2012

1. If information about an applicant/recipient is requested but cannot be released, inform the inquiring person or agency that federal and state laws and HHSC regulations require that the information being requested remain confidential. Refer the questioner to Title 42 of the United States Code, Section 1396a(a)(7); 42 CFR Sections 431.300-431.307; and Texas Human Resource Code, Sections 12.003 and 21.012. For individually identified health information, refer the requestor to 45 CFR sections 164.102-164.534. For tax information obtained through IEVS, also refer the requestor to the Internal Revenue Service (IRS) Code, Sections 7213, 7213A and 7431. Title 26 US Code Section 6103 is the confidentiality statue that prohibits disclosure of FTI. For human services agencies, it is IRC 6103(1)(7).
   
   Reference: See Appendix XVIII, IRS Tax Code, Sections 7213, 7213A and 7431.

2. If subpoenaed to appear in court with an applicant's/recipient's record, notify the supervisor immediately. Give the supervisor all the facts about the case and the date and time of the court hearing. The supervisor should contact the lawyer who is requesting the record and determine whether the requested information is confidential. If a problem exists, the supervisor should inform the regional attorney about all relevant facts. Usually, the subpoenaed employee must take the record and appear in court as directed by the summons. When requested to disclose information from the record, ask the judge to be excused from disclosing the information because of the statutory prohibitions stated previously in this section. Abide by the ruling of the judge.

3. If subpoenaed to appear in court, and no time is allowed to follow the steps specified in this section, take the record and appear in court as directed by the summons. When requested to disclose the information from the record, follow the procedure described in Step 2.

For individually identifiable health information, refer the requestor to 45 CFR Sections 164.102-164.534.