HIPAA Privacy FAQs

What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. HIPAA is a law passed by Congress in 1996. This law has several parts. One of the parts allows the privacy rule. The privacy rule creates a base of federal safeguards for the privacy of health information. The rule does not take the place of a federal, state or other law that gives even greater privacy rights.

Most health plans, including Medicaid, and health care providers that are covered by the privacy rule started following it by April 14, 2003.

What are Medicaid privacy rights?
The HIPAA privacy rule creates certain rights and safeguards for your health information. Health information used in Medicaid is protected. The law makes us send you a notice that tells you about your privacy rights and how state agencies protect and use your health information.

Some examples of the Medicaid privacy rights explained in the notice are the right to:

  • look at and copy the health information in your case record;
  • ask for a written report on how your health information has been used and disclosed;
  • correct health information in your record that is wrong; and
  • file a complaint if you think we have violated your privacy rights.

What is the privacy notice about? What does all this mean?
The notice you got explains your privacy rights and how health information is used and protected by Medicaid agencies. The HIPAA privacy rule makes us tell you about your privacy rights. The notice does this. This notice does not affect your eligibility or change your benefits.

How does the privacy notice affect my Medicaid?
The notice does not change or deny your Medicaid. You will continue to get Medicaid as long as you qualify.

How can I get a copy of my health information?
To get a copy of your health information, contact the agency from which you are getting services.

Will it cost me money?
The agency may charge you a fee for copying the information. The agency bases the fee on the amount of information copied.

Where do I send new information or changes about my health care?
If the new information or change is about your treatment, talk to your doctor or other health care provider. If the new information or change is about your Medicaid, contact the local office where you get services.

If you have information about me that is wrong, why does it have to stay in my record?
State law stops us from changing or getting rid of information even when it is wrong. However, we have a way to add the right information to your record. To ask for a correction, write to the agency that has information about you. The agency will tell you if it will add information to your record.

The agency does not have to add information to your record if:

  • a law allows the agency to keep you from seeing or getting a copy of the information;
  • someone other than the agency was the source of the information;
  • the information is not part of a record that affects your eligibility, your treatment or payment for services; or
  • the agency thinks that the information in your record is correct and complete.

Who has my health information?
The agencies that give you Medicaid have health information about you. The agencies that offer the most Medicaid services are:

  • Texas Department of Aging and Disability Services (DADS)
  • Texas Department of State Health Services
  • Texas Health and Human Services Commission (HHSC)

Your doctor, dentist and other health care providers also have health information about you. Other state agencies or private companies may have health information about you. They have this information when they serve the agencies listed above. For example, a private company handles bills for Medicaid.

How are my records being kept and where are they being kept?

  • Your records may be kept in paper files or in computer databases.
  • The local office where you go for services keeps most of your records.
  • Main offices in your region or in Austin may also keep some of your records.
  • Companies that have contracts with state agencies to pay medical bills or provide other services may keep other records.

If I agree to let my doctor give information to DADS, does this mean that DADS can share it with HHSC? Or do I have to agree to let each agency get information about me?

  • Each agency is separate. But, at times, Medicaid agencies share information to treat you, pay for your treatment or operate the Medicaid program.
  • If an agency needs your permission to give out information about you, the agency will ask you for it. To give your permission, you will need to complete a form.

Why does an agency have the right to give out my health information? Agencies would not be able to serve you without giving out your information for some reasons. Agencies have the right to give out your information only for some reasons. These reasons include:

  • treating you;
  • getting paid for giving you services; and
  • giving information to public health officials or law enforcement officials, if required by law.

Why would an agency change its privacy policies?
An agency might change its privacy policies if:

  • current privacy laws are changed;
  • new privacy laws are created; or
  • the agency finds ways to make its privacy policies better.

How are you going to protect my health information?
Agencies protect your information by:

  • keeping it in safe places;
  • giving it to employees only when they need it to do their jobs;
  • setting clear rules for employees;
  • giving employees privacy training; and
  • punishing employees who break privacy rules.

Can anyone get my health information?
No. Agencies can only give your health information to those employees who need it to do their jobs. The law says who must and may get your health information. Agencies must follow the law. Many different laws make agencies protect your health information.

How are you going to make sure that my violated rights are fixed?

  • An agency that violates your privacy rights will do whatever it can to fix any bad effects.
  • Each agency has a privacy officer who must make sure that your rights are protected.
  • You may file a complaint.

I don't want my family to see any of my health information. How do I stop them from getting it?
You can write to the agency that has the information and ask the agency not disclose your health information to your family. The agency does not have to agree to your request.

I want to know if anyone asks for my health information. How do I get informed or get a record each time it is asked for?
The agency will not contact and tell you each time your health information is asked for or used. But, you may ask for a list of the times an agency has disclosed your health information. You must ask in writing for the list. The list will describe

  • the information and include the date of the disclosure,
  • the name of the person who got the information, and
  • the purpose of the disclosure.

The list will not cover disclosures made before April 14, 2003. In addition, the list will not include disclosures:

  • for treatment, payment, or health care operations;
  • to you;
  • authorized by you;
  • for a facility's directory;
  • to persons involved in your care;
  • for national security or intelligence purposes;
  • to a prison, jail, or law enforcement official who has custody of you; or
  • in a limited data set used for research, public health, or health care operations.

Why can my health information be used in research without my permission?
Your health information can be used in research without your permission because the law says it can. The law does have some safeguards for you. Your information will be used without your permission only if it does not identify you or a special research board allows its use. The research findings made public will not include information that identifies you.

How will my health information be used in research?
How your information might be used in research depends on the research. For example, your information might be used to see if certain treatments make people well faster. It might also be used to see if people with certain diseases are more likely live in certain areas.

What if I don't want it used for research?
You can ask that your information not be used for research. However, your information can be used anyway if a research board agrees to its use or it does not identify you. The research findings made public will not include your name.

If I die, will you still protect my health information?
Agencies will protect your health information after you die, just as they do now.

I don't speak or read English or Spanish, what other languages can I get the notice in?
You may ask for the notice in any language.