Revision 14-2; Effective June 1, 2014
Information that is collected in determining initial or continuing eligibility is confidential. The restriction on disclosing information is limited to information about individual applicants/recipients. HHSC may disclose general information, including financial or statistical reports; information about policies, procedures or methods of determining eligibility; and any other information that is not about or does not specifically identify an applicant/recipient.
An applicant/recipient may review all information in the case record and in HHSC handbooks that contributed to the decision about his eligibility.
Applicants/recipients have a right to correct any information that HHSC has about the applicant/recipient and any other individual on the applicant's/recipient's case.
A request for correction must be in writing and must:
- identify the individual asking for the correction;
- identify the disputed information about the individual;
- state why the information is wrong;
- include any proof that shows the information is wrong;
- state what correction is requested; and
- include a return address, telephone number or email address at which HHSC can contact the individual.
If HHSC agrees to change individually identifiable health information, the corrected information is added to the case record, but the incorrect information remains in the file with a note that the information was amended per the applicant's/recipient's request.
Notify the applicant/recipient in writing within 60 days (using current HHSC letterhead) that the information is corrected or will not be corrected and the reason. Inform the applicant/recipient if HHSC needs to extend the 60-day period by an additional 30 days to complete the correction process or obtain additional information.
If HHSC makes a correction to individually identifiable health information, ask the applicant/recipient for permission before sharing with third parties. HHSC will make a reasonable effort to share the correct information with persons who received the incorrect information from HHSC if they may have relied or could rely on it to the disadvantage of the applicant/recipient. Follow regional procedures to contact HHSC's privacy officer for a record of disclosures.
Note: Do not follow procedures above if the accuracy of information provided by a applicant/recipient is determined by another review process, such as:
- a fair hearing;
- a civil rights hearing; or
- another appeal process.
The decision in that review process is the decision on the request to correct information.
Keep all information HHSC has about an applicant/recipient or any individual on the applicant's/recipient's case confidential. Confidential information includes, but is not limited to, individually identifiable health information.
Before discussing or releasing information about an applicant/recipient or any individual on the applicant's/recipient's case, take steps to be reasonably sure the individual receiving the confidential information is either the applicant/recipient or an individual the applicant/recipient authorized to receive confidential information (for example, an attorney or personal representative).
Establish the identity of an individual who identifies himself/herself as an applicant/recipient using his/her knowledge of the applicant's/recipient's:
- Social Security number;
- date of birth;
- other identifying information; or
- call back to the individual.
Establish the identity of a personal representative by using the individual's knowledge of the applicant's/recipient's:
- Social Security number;
- date of birth;
- other identifying information;
- call back to the individual; or
- the knowledge of the same information about the applicant's/recipient's representative.
Establish the identity of attorneys or legal representatives by asking the individual to provide Form H1003, Appointment of an Authorized Representative, completed and signed by the applicant/recipient.
Establish the identity of legislators or their staff by following regional procedures.
Establish the identity of the individual who presents himself/herself as an applicant/recipient or applicant's/recipient's representative at an HHSC office by:
- driver's license;
- date of birth;
- Social Security number; or
- other identifying information.
Establish the identity of other HHSC staff, federal agency staff, researchers or contractors by:
- employee badge; or
- government-issued identification card with a photograph.
Identify the need for other HHSC staff, federal staff, research staff or contractors to access confidential information through:
- official correspondence or telephone call from state office or regional offices, or
- contact with regional attorney.
Contact appropriate regional or state office staff when federal agency staff, contractors, researchers or other HHSC staff, etc., come to the office without prior notification or adequate identification and request permission to access HHSC records.
Note: Contractors cannot have access to IRS Federal Tax Information (FTI).
If disclosing individually identifiable health information, document how you verified the identity of the person if contact is outside the interview.
Verify the identity of the person who contacts you with a request to disclose individually identifiable health information using sources such as:
- valid driver's license or Department of Public Safety ID card;
- birth certificate;
- hospital or birth record;
- adoption papers or records;
- work or school ID card;
- voter registration card;
- wage stubs; and
- U.S. passport.
As a condition for receiving federal taxpayer returns and return information from the IRS, HHSC is required pursuant to IRC 6103(p)(4) to establish and maintain, to the satisfaction of the IRS, safeguards designed to prevent unauthorized access, disclosure, and use of all returns and return information and to maintain the confidentiality of that information. The IRS security requirements for safeguarding IRS FTI are outlined in Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Safeguards for Protecting Federal Tax Returns and Return Information.
MEPD Income Eligibility and Verification System (IEVS) specialists must independently verify the income and resource information from any of the data matches to ensure continuous financial eligibility for the MEPD programs.
For all case actions regarding the clearance of the IEVS match of IRS FTI, MEPD staff must not enter any IRS FTI into TIERS (including comments). Documentation on the TIERS income/resource screen is limited to the approved language indicated in the centralized process available on the Social Services Intranet on the Medicaid Eligibility for the Elderly and People with Disabilities home page at hhs.texas.gov/laws-regulations/handbooks/medicaid-elderly-people-disabilities-handbook.
HHSC must accommodate an applicant's/recipient's reasonable request to receive communications by alternative means or at alternate locations.
The applicant/recipient must specify in writing the alternate mailing address or means of contact and include a statement that using the home mailing address or normal means of contact could endanger the applicant/recipient.
Records must be safeguarded. Use reasonable diligence to protect and preserve records and to prevent disclosure of the information they contain except as provided by HHSC regulations.
"Reasonable diligence" for employees responsible for records includes keeping records:
- in a locked office when the building is closed;
- properly filed during office hours;
- in the office at all times except when authorized to remove or transfer them; and
- electronic file information as referenced in HHS Computer Usage and Information Security training.
Reporting Unauthorized Inspection or Disclosure of Internal Revenue Service (IRS) Federal Tax Information (FTI)
Upon discovery of an actual or possible compromise of an unauthorized inspection or disclosure of IRS FTI including breaches and security incidents, the individual making the observation or receiving the information must immediately contact the HHSC IRS Coordinator at 512-206-5681. If you are unable to personally reach the HHSC IRS Coordinator by phone, send a secure email to HHSC IRS_FTI_Safeguards@hhsc.state.tx.us.
The HHSC IRS Coordinator will report the incident by contacting the office of the appropriate Special Agent-in-Charge, Treasury Inspector General for Tax Administration (TIGTA) and the IRS Office of Safeguards as directed in Section 10.2 of Publication 1075.
Reporting Unauthorized Inspection or Disclosure of Social Security Administration (SSA) Provided Information
Staff who become aware of an incident of unauthorized access to, or disclosure of, restricted (IRS FTI and verified SSA information) or confidential information must immediately contact the HHSC IRS Coordinator at 512-206-5681. If you are unable to personally reach the HHSC IRS Coordinator by phone, send a secure email to: HHSC IRS_FTI_Safeguards@hhsc.state.tx.us.
The HHSC IRS Coordinator will report the incident by contacting the Information Security Officer (ISO).
If a person is responsible for a security breach or an employee's employment is terminated, the user's access to all information resources will be removed. Supervisors must follow agency procedures for removing access for employees, contractors, vendors or trainees.
In addition to the measures in Section C-2300, Custody of Records, use the following to safeguard tape match data obtained through the Income Eligibility and Verification System (IEVS):
- Use IEVS data only for the purpose of determining eligibility for MEPD, Medicaid, TANF and Supplemental Nutrition Assistance Program (SNAP) food benefits.
- Verify IEVS tax data before taking adverse case actions.
- Review once a year the following three laws that explain criminal and civil penalties for unauthorized disclosure of tax data:
- Section 7213 – Unauthorized Disclosure of Returns or Return Information, a criminal felony punishable upon conviction by a fine as much as $5,000 or imprisonment for as long as 5 years, or both, together with the cost of prosecution.
- Section 7213A – Unauthorized Inspection of Returns or Return Information, a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the cost of prosecution.
- Section 7431 – Civil Damages for Unauthorized Disclosure of Returns and Return Information, permits a taxpayer to sue for civil damages if a person knowingly or negligently discloses tax return information and upon conviction, a notification to the taxpayer.
To dispose of documents with applicant/recipient-specific information, staff follow procedures for destruction of confidential data according to Health and Human Services records management policies.
The approved method of destruction of IRS FTI is shredding. The IRS requires the following safeguards:
- HHSC staff must perform the destruction of IRS FTI at an HHSC facility.
- Destruction of IRS FTI must be documented on Form H1861, Federal Tax Information Record Keeping and Destruction Log.
- IRS FTI documents should be inserted into the shredder so the lines of print are perpendicular to the cutting line to render the document undisclosable.
- IRS FTI documents should be shredded to 5/16-inch or smaller strips.
- If information about an applicant/recipient is requested but cannot be released, inform the inquiring person or agency that federal and state laws and HHSC regulations require that the information being requested remain confidential. Refer the questioner to Title 42 of the United States Code, Section 1396a(a)(7); 42 CFR Sections 431.300-431.307; and Texas Human Resource Code, Sections 12.003 and 21.012. For individually identified health information, refer the requestor to 45 CFR sections 164.102-164.534. For tax information obtained through IEVS, also refer the requestor to the Internal Revenue Service (IRS) Code, Sections 7213, 7213A and 7431. Title 26 US Code Section 6103 is the confidentiality statue that prohibits disclosure of FTI. For human services agencies, it is IRC 6103(1)(7).
Reference: See Appendix XVIII, IRS Tax Code, Sections 7213, 7213A and 7431.
If subpoenaed to appear in court with an applicant's/recipient's record, notify the supervisor immediately. Give the supervisor all the facts about the case and the date and time of the court hearing. The supervisor should contact the lawyer who is requesting the record and determine whether the requested information is confidential. If a problem exists, the supervisor should inform the regional attorney about all relevant facts. Usually, the subpoenaed employee must take the record and appear in court as directed by the summons. When requested to disclose information from the record, ask the judge to be excused from disclosing the information because of the statutory prohibitions stated previously in this section. Abide by the ruling of the judge.
- If subpoenaed to appear in court, and no time is allowed to follow the steps specified in this section, take the record and appear in court as directed by the summons. When requested to disclose the information from the record, follow the procedure described in Step 2.
For individually identifiable health information, refer the requestor to 45 CFR Sections 164.102-164.534.