HHS is considered a hybrid entity under HIPAA because its activities include both covered and non-covered functions.  HHS has identified specific Health Care Components (covered components) that are required to meet specific standards under HIPAA as participants in covered functions such as:

  • Delivering care
  • Paying for care
  • Providing a health-care plan
  • Providing operational support for health-care services

In addition, programs providing services and support functions to those components involved in treatment, payment, and health care operations must meet specific requirements under HIPAA.

Scope

The HIPAA privacy regulations require that HHS designate its health plan and health care functions as HIPAA-covered.  HHS is a hybrid entity because we care for clients and administer a health plan as we as handle day-to-day operations of running an agency.

• Non-health plan and non-health care provider components are not subject to the HIPAA regulations governing privacy of protected health information, including a notice of privacy practices.  By adopting hybrid entity status, non-covered entity departments possessing individual health care information are not subject to those notification requirements for a breach of PHI under HIPAA.

This policy is applicable to all HHS system components and administrative units and applies to all units determined to be covered under the privacy rule and related regulations issued under HIPAA.

Privacy Division Designation

The HHS Chief Privacy Officer shall administer the program through the HHS Privacy Division that establishes and enforces policies and standards related to implementation of HIPAA requirements as well as the Gramm-Leach-Bliley Act, Red Flags, the Texas Medical Records Privacy Act, the Texas Identity Theft Enforcement and Protection Act, Texas Business & Commerce Code §521.002 and §521.053 and the Texas Penal Code §33.02

Complaints Under HIPAA

The HHS Privacy Division will be responsible for the overall implementation and administration of a system-based complaint process in compliance with the rules and regulations of HIPAA. Patients or clients may complain directly to the HHS system Privacy Division or to the U.S Secretary of Health and Human Services if they believe their privacy rights have been violated. To contact the HHS system Privacy Division, complaints may be directed to:

Chief Privacy Officer
HHS Privacy Division
PO BOX 149030, Mail Code 1355,
Austin TX 78714-9030
Phone 877-378-9869 (toll-free)
Fax 512-833-6043

You also have the right to file a complaint with the U.S Secretary of the Department of Health and Human Services at 200 Independence Avenue, S.E., Washington DC 20201 or call toll-free at 877-696-6775.

HHS System HIPAA Covered Components

The following HHS divisions are designated as covered components:

HHS Medical and Social Services
Medicaid and CHIP

HHS Facilities Division State Supported Living Centers

Abilene
Austin
Brenham
Corpus Christi
Denton
El Paso
Lubbock
Lufkin
Mexia
Richmond
Rio Grande
San Angelo
San Antonio

State Hospitals

Austin State Hospital
Big Springs State Hospital
El Paso Psychiatric Center
Kerrville State Hospital
North Texas State Hospital
Rio Grande State Center
Rusk State Hospital
San Antonio State Hospital
Terrell State Hospital
Waco Center for Youth