THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Aviso en español. Si quiere este aviso en español, llame gratis al 2-1-1 o al 1-877-541-7905.
About this Notice:
Effective date: This Notice takes effect on July 20, 2015 and stays in effect until replaced by another notice.
This Notice is required by HIPAA (the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §1320d, et seq., and regulations adopted under that act).
In this Notice, “agency,” refers to the Texas Department of State Health Services.
This Notice tells you about: (1) your privacy rights, (2) the agency’s duty to protect health information that identifies you, and (3) how the agency can use or share health information that identifies you without your written permission. This Notice doesn't apply to health information that does not identify you or your legally authorized representative.
In this Notice, "You” or “your" means you, the individual to whom this Notice is addressed or your legally authorized representative.
In this Notice, "health information" means:
- Medical information or legally protected health information about you whether in oral, paper or electronic form that relates to:
- Your past, present, or future physical or mental health or condition;
- Health care provided to you; or
- The past, present, or future payment for providing your health care.
- Genetic information about you, and
- Health Information created or received by a health-care service provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse.
The agency reserves the right to change the terms of this Notice. The new Notice will be sent to your most recent address that the agency has on file. It is your duty to promptly tell the agency if you have had a change of address. The practices in the new Notice will apply to all the health information the agency has about you, regardless of when the agency received or created the information.
The agency is considered a "hybrid covered entity," which means that only certain parts of the agency have health care components and others are not. This Notice applies to the parts of the agency that are health care components, or are serving as a health care provider (for example, agency state mental health hospitals and the agency Laboratory), health plan services known as "Texas Health Steps" and the agency's Centralizing Billing Services health care clearinghouse.
Your privacy rights:
The law gives you the right to:
- Receive adequate notice of: (1) the uses and disclosures of protected health information that can be made by the agency or your health-care service provider, (2) your rights related to your health information, and (3) the agency’s and health-care service provider’s legal duties to protected health information, with some legal exceptions. The agency provides you this notice via this Notice of Privacy Practices, which is also available online on the agency's website: www.dshs.texas.gov.
- Ask the agency or your health-care service provider to restrict certain uses or disclosures of health information about you. The agency is not required to agree to these requests, except in some cases when you request that we not disclose information to your health plan about services for which you paid with your own money in full. The agency may require your request to be in writing.
- Request confidential communications about your health information and make reasonable requests to get information in a different way or location. The agency or health-care service provider may require the request to be in writing with a statement or explanation for the request. For example, you might explain that sending information to your usual address might put you in danger. You must be specific about where and how the agency can contact you.
- In some situations, look at or get a copy of certain health information, including laboratory test results that the agency or your health-care service provider has about you.
- Ask the agency or your health-care service provider's privacy office to correct certain information about you if you believe the information is wrong or incomplete. Most of the time, the agency can't change or delete information, even if it is incorrect. If the agency or health-care service provider decides it should make a correction, it will add the correct information to the record and note that the new information takes the place of the old information. The old information will remain in the record. If the agency or health-care service provider denies your request to change the information, you can have your written disagreement reviewed by the agency's privacy officer and placed in your record.
- Ask for a list of disclosures the agency or health-care service provider has made of certain health information.
- Ask for and get a paper copy of this Notice from the agency or its privacy office.
- Cancel permission you have given the agency or your health-care service provider to use or share health information that identifies you in some cases, unless the agency or health-care service provider has already taken action based on your permission. You must cancel your permission in writing and deliver it to the agency's privacy office.
- In some situations, be notified by letter from the agency's privacy officer if your health information has been used or shared in an unauthorized manner.
- Be notified of material changes to the way the agency uses or shares health information about you. All changes to the Notice will be posted on the agency’s web site and the revised Notice will be available to you at your health provider’s office.
- For all notices to, or requests for copies of information from, the agency or health-care service provider’s privacy office, please see the “Complaints and Questions” section for contact information.
The agency’s duty to protect health information that identifies you:
The law requires the agency to take reasonable steps to protect the privacy and security of your health information. It also requires the agency to give you this Notice, which describes the agency's legal duties and privacy practices. In most situations, the agency can't use or share health information that identifies you without your written authorization, except to carry out treatment, payment for your health care or the agency's health-care operations, or as required by law, as described below. This Notice explains under what circumstances the agency can use or share health information that identifies you without your permission. The agency is required to abide by the terms of the notice currently in effect.
Agency workforce (employees, trainees, volunteers and staff augmentation contractors) are trained and required to protect your health information. The agency does not give employees access to health information unless they need it for a business reason. Business reasons for needing access to health information include but are not limited to making benefit decisions, paying bills and planning for the care you need. The agency will punish employees who do not protect the privacy of health information that identifies you, according to law and agency policy.
The agency will notify you if your unsecured protected health information is
breached, as required by law. The agency is required to notify you even if there is no reason to suspect any misuse of the protected health information. You will be notified by mail or by phone as soon as reasonably possible. It is your duty, or the duty of your legally authorized individual, to promptly tell the agency if you have had a change of address.
Uses and disclosures that might require your written authorization:
Agency uses or disclosures that might require your authorization include but are not limited to the following:
1. Psychotherapy notes. The agency must get your authorization, in some cases, to disclose your psychotherapy notes (certain notes that are taken by
your mental health professional during the course of a counseling session) except:
- To carry out treatment, payment, health-care operations, or as required by law,
- For use by the originator of the psychotherapy notes for treatment,
- For use by the agency for its own training programs, or
- For use by the agency to defend itself in a legal action or other proceedings brought by you or your legally authorized representative.
2. Marketing. If applicable, the agency will not use or share your health information without your authorization for marketing communications about a product, such as a drug or medical device, or services that encourage you to buy or use a product or service, except if the communication is in the form of:
- A face-to-face communication made by the agency to you, or
- A promotional gift of little value provided by the agency.
If the marketing involves direct or indirect payment to the agency from a third party, the authorization must state that such payment is involved. The following activities are not considered marketing and don't require your authorization:
- Refill reminders or other communications about a drug or biologic that is currently being prescribed for you, as long as any payment received by the agency in exchange for the communication is reasonably related to the agency’s cost of the communication.
- Certain treatment and health-care operation activities, except where the agency gets payment in exchange for making the communication.
3. Sale of Protected Health Information. The agency will not sell your protected health information to any other person in exchange for direct or indirect payment, except:
- To another health care provider, health plan or healthcare clearinghouse for treatment, payment, or health care operations; or
- To perform an insurance or health maintenance organization function authorized by law; or
- As otherwise authorized or required by state or federal law.
"Sell" or a "sale" means disclosures by the agency or its business associate where there is a direct or indirect payment from or on behalf of the third-party that gets the protected health information in exchange for payment.
4. Fundraising. If applicable, the agency must get your written authorization if it shares your protected health information for fundraising purposes, except the agency may use or share the following health information with a business associate or to an institutionally related foundation:
- Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth; and
- Dates of health care provided to an individual;
- Department of service information;
- Treating physician;
- Health outcome information; and
- Health insurance information.
For example, the agency might participate in fundraising activities, organized by its state mental hospitals’ volunteer services councils that are designed to improve the quality of patient care. These volunteer services council fundraising events are strictly voluntary and might include art shows, walks, runs, or bike rides. You must first provide the agency with your written authorization for any instance in which you choose to share your protected health information for such fundraising purposes.
5. The agency will never use genetic information for underwriting purposes.
Uses and disclosures that do not require your written authorization:
1. Treatment. The agency can use or share your health information with other health-care providers involved with your treatment. For example, the agency may provide your information to other providers so you can be seen by a specialist health-care provider for a consult. Or, if you are in a hospital, you may be treated by multiple health-care providers who have your information. By getting your information, health-care service providers will better understand your health history, which could help them provide your health care.
2. Payment. The agency can use or disclose certain health information about you to pay or collect payment for your health care. For example, when your health-care service provider sends a bill to the agency or your health plan, it includes certain information about your condition and treatment. Another example would be when the agency uses or discloses your health information to determine either your eligibility for government benefits in a health plan, or whether the proposed treatment is covered by your insurance.
3. Health-care operations. The agency can use or share health information about you for its health-care operations. The agency's health-care operations include but are not limited to:
- Conducting quality assessment and improvement activities,
- Reviewing the competence, qualifications, and performance of health-care professionals or health plans,
- Training health-care professionals and others,
- Conducting accreditation, certification, licensing, or credentialing activities,
- Carrying out activities related to the creation, renewal, or replacement of a contract for health insurance or health benefits,
- Providing, receiving or arranging for medical review, legal services, or auditing functions, and
- Engaging in business management or the general administrative activities of the agency.
The agency can also share health information about you with the agency’s business associates (contractors) or it’s the business associate’s subcontractors, if the business associate or the subcontractor:
- Needs the information to perform services on behalf of the agency, and
- Agrees to protect the privacy of the information according to agency standards.
Other examples of uses and disclosures for health-care operations by the agency include but are not limited to using or disclosing health information for case management; ensuring the agency's health-care service provider is qualified to treat individuals; or auditing a health-care service provider's bill to ensure the agency has been billed for only care you received. The agency also can contact you to tell you about treatment alternatives or additional benefits you might be interested in.
4. Government Health Benefits. If you apply for or enroll in government health benefits provided by the agency, such as Medicaid benefits, the agency can use or share health information about you in order to:
- Establish your eligibility for health benefits;
- Determine the amount of Medical Assistance to be provided to you;
- Provide health services to you; and
- Conduct or assist with an investigation, prosecution, or civil or criminal proceeding related to your health benefits.
5. Family members, other relatives, guardians, legally authorized representatives (LAR) or close personal friends. The agency can share your health information, with your agreement, or in an emergency if you are incapable of agreeing, or as otherwise authorized by law, with a family member, other relative, guardian, legal authorized representative, or close personal friend:
- When directly relevant to such person's involvement with your health care or payment related to your health care; or
- To notify the person of your location, general condition, or death.
Your "family" or "relative" means:
(1) Your dependent, or
(2) Any other person who is your first-degree, second-degree, third-degree, or fourth-degree relative, such as your:
- Parents, spouses, siblings, and children.
- Grandparents, grandchildren, aunts, uncles, nephews, and nieces.
- Great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins.
- Great-great grandparents, great-great grandchildren, and children of first cousins.
The agency can make reasonable inferences of your best interest in allowing a person to act on your behalf such as to pick up prescriptions, medical supplies, X-rays, or other similar forms of protected health information, unless disclosure of the information is prohibited by law, such as substance use disorder information.
6. Substance Use Disorder Program Information. The agency is prohibited by law from sharing substance use disorder information about you or information that identifies you as seeking or getting substance use disorder treatment from a substance use disorder provider, program or facility to anyone, including family members, relatives, or friends without your written permission, unless permitted by law, for example in a medical emergency.
7. Mental Health Information. The agency will not share information about your mental health (information about your identity, diagnosis, evaluation, or treatment that are created or maintained by a professional for diagnosis, evaluation, or treatment of any mental or emotional condition or disorder, including alcoholism or drug addiction), unless expressly authorized by law.
8. “Required by law” uses or disclosures of PHI. The agency may use or disclose your protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law, for example:
A. To Government programs providing public benefits. When administering a program providing public benefits, the agency may disclose protected health information relating to the program to another HIPAA-covered entity that is a government agency administering a government program providing public benefits if:
- The programs serve the same or similar types of people, and
- The disclosure of protected health information is necessary to coordinate or improve how the programs are run.
B. For Health oversight activities. The agency might use or share health information about you to a health oversight agency for health oversight activities authorized by law. A health oversight agency must be a government agency or someone acting on behalf of a government agency.
C. For Public health activities. The agency can share health information about you as required by law for public health purposes, such as:
- A public health authority for purposes of preventing or controlling disease, injury, or disability.
- An official of a foreign government agency who is acting with the public health authority, and
- A government agency allowed to get reports of child abuse or neglect.
D. Victims of abuse, neglect or domestic violence. The agency may disclose protected health information about you if the agency reasonably believes you to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency authorized by law to receive reports of such abuse, neglect, or domestic violence, to the extent the disclosure is required by law and the disclosure complies with and is limited to what the law allows if:
- You agree to the disclosure;
- A law authorizes disclosure; and
- The agency, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to your or others, or
- If you are unable to agree because you are incapacitated, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against you and is needed for immediate action.
If the agency makes a report under this section, the agency will tell you or your legally authorized representative about the report unless:
- The agency in good faith believes that telling you would place you at risk of harm; or
- The agency reasonably believes your legally authorized representative may be responsible for the abuse and telling that person would not be in your best interests.
E. Serious threat to health or safety. The agency can use or share health information about you if it believes the use or disclosure is needed:
- To prevent or lessen a serious and immediate threat to the health and safety of a person or the public and the disclosure is made to a person reasonably able to lessen or prevent such a threat;
- For law enforcement authorities to identify or catch an individual who has admitted participating in a violent crime that resulted in serious physical harm to the victim, unless the information was learned while initiating or in the course of counseling or therapy; or
- For law enforcement authorities to catch an individual who has escaped from lawful custody.
F. For other law enforcement purposes. The agency can share health information about you to a law enforcement official for the following law enforcement purposes:
- To comply with certain legal reporting requirements;
- To comply with a grand jury subpoena;
- To comply with an administrative request, such as a civil investigative demand that is specific and limited in scope, if the information is relevant to a legitimate law enforcement inquiry and de-identified information cannot reasonably be used;
- To identify and locate a suspect, fugitive, witness, or missing person, as long as the information provided to law enforcement is specifically authorized by law;
- In response to a request for information about an actual or suspected crime victim, if either:
- The individual agrees to the disclosure; or
- The requesting law enforcement official represents that the information is not intended to be used against the victim, is needed to determine whether a violation of law has occurred, and the agency determines that disclosure is in the best interests of the individual;
- To alert a law enforcement official of a death that the agency suspects is the result of criminal conduct; or
- To report evidence of a crime on the agency’s property.
G. For judicial or administrative proceedings. The agency may share your health information in the course of any judicial or administrative proceeding with:
- A court order to share your health information from a regular or administrative court;
- A subpoena or request by a party to a lawsuit that the agency is also a party to, except a court order is required to disclose substance use disorder information, and the agency may ask the court for a protective court order.
- In some situations, you or your legally authorized representative will be notified of the request for your health information in the proceeding.
H. To the Secretary of U.S. Department of Health and Human Services. The agency must share health information about you to the Secretary of U.S. Department of Health and Human Services for legal compliance purposes.
I. Research. The agency can use or share health information about you for research:
- If certain information about you is removed so that it is de-identified,
- If you authorize the research,
- If the research is approved by an Institutional Review Board or Privacy Board, or
- As otherwise authorized by law
Your health information also can be used:
- To allow a researcher to prepare a research protocol, as long as the researcher
- demonstrates that this information is necessary for the research
- does not remove the information from the agency, or
- agrees to keep the information confidential, or
- To allow a researcher to obtain information about people who have died, as long as the researcher
- represents that the information is necessary for research that involves information about people who have died, and
- provides, when requested, evidence of the death of the person whose information is sought
J. Correctional institutions and other law enforcement custodial situations. The agency may disclose an individual’s health information to a correctional institution or law enforcement official that has lawful custody of that individual, as long as the institution or official tells the agency that the information is necessary:
- To provide that individual with health care;
- To protect the health of safety of that individual or others related to the activities of the correctional institution; or
- As otherwise required by law.
K. Other uses and disclosures. The agency can otherwise use or share health information about you:
- To create information that is de-identified and doesn't identify you.
- For military or veteran activities as required by law.
- For purposes of lawful national security activities.
- To federal officials to protect the president of the United States and others.
- To comply with workers’ compensation laws or similar laws.
- To tell coroners or funeral directors about your death as required by law.
- As otherwise required or permitted by local, state or federal law.
Complaints and questions about the use or disclosure of your information:
If you believe your privacy rights have been violated, contact the agency. You may contact the agency if you: (1) have questions about this notice, (2) need more information about your privacy rights, (3) need a physical address for the agency, or (4) are requesting a copy of health information from the agency:
- Texas Department of State Health Services (DSHS): Call 1-512-776-7111 or 1-888-963-7111 (toll free) or email firstname.lastname@example.org.
- To request your results of lab tests performed by the DSHS Laboratory, please call (512) 776-7318 or visit www.dshs.texas.gov/lab/patientresults.aspx.
- If you are receiving care from a DSHS state-operated hospital, contact the hospital’s privacy office, or
- You may also contact: DSHS Consumer Services and Rights Protection/Ombudsman Office by mail at Mail Code 2019, P.O. Box 149347 Austin, TX 78714-9347; or by telephone at (512) 206-5760 or (800) 252-8154 (toll free).
If you believe the agency has violated your privacy rights, you also can file a complaint with the:
Office of Civil Rights
U.S. Department of Health and Human Services
1301 Young St., Suite 1169
Dallas, Texas, 75202
Voice Phone (800) 368-1019
FAX (214) 767-0432
TDD (800) 537-7697
For complaints about a violation of your right to confidentiality by an alcohol or drug abuse treatment program, contact the United States Attorney’s Office for the judicial district in which the violation occurred.
The agency prohibits retaliation against you for filing a complaint.
ISP 01 (07/2015)