Privacy and Security
Purpose
To establish comprehensive administrative, physical, and technical safeguards for the protection of Protected Health Information (PHI) and Texas Health and Human Services Commission (HHSC) Confidential Information. This policy ensures compliance with the HIPAA Privacy and Security Rules, CLASS Waiver program requirements, Data Use Agreements (DUAs), TMHP policies, and relevant state/federal laws.
1. Scope
This policy applies to all workforce members—including employees, contractors, volunteers, and subcontractors—who access, create, receive, transmit, or maintain PHI or HHSC Confidential Information under the CLASS Waiver or other Texas HHS programs.
2. Collection, Use, and Disclosure of Information
2.1 Collection
Types of Information: PHI (e.g., medical records, billing data, SSNs, demographics).
Sources: Healthcare providers, clients/patients, TMHP portal, etc.
Purpose: To deliver services under the CLASS Waiver, process claims via TMHP, and meet HHSC requirements.
2.2 Use & Disclosure
Use and disclosure must comply with HIPAA’s Minimum Necessary standard.
Access is granted only for authorized purposes, such as treatment, payment, and operations.
Disclosure may occur in cases like HHSC audits, public health reporting, or TMHP billing.
All uses and disclosures must align with the DUA.
3. Individual Rights
3.1 Access
Clients may request access to their PHI. Requests must follow HIPAA/HHSC guidelines.
3.2 Amendment
Clients may request corrections to their PHI. Denials must be documented and justified under HIPAA.
3.3 Accounting of Disclosures
Individuals may request a record of certain disclosures of their PHI.
4. Safeguards
4.1 Administrative Safeguards
Risk Analysis & Management: Conduct annual risk assessments; implement mitigation strategies.
Workforce Security: Access is role-based; revoke access immediately upon role change or termination.
Training: Annual HIPAA security and privacy training is mandatory. Document completion.
Incident Response: Define procedures for reporting and escalating security incidents. Notify HHSC whenever HHSC Confidential Information is involved.
Sanctions: Enforce disciplinary actions for policy violations.
4.2 Physical Safeguards
Facility Access: Limit physical access to areas where PHI is stored; use locks, badges, alarms.
Workstation Security: Position screens away from public view; auto-lock after inactivity.
Device & Media Control: Maintain an inventory and securely dispose of devices/media containing PHI.
4.3 Technical Safeguards
Access Control: Unique logins, role-based permissions, automatic logoff, and encryption (in transit & at rest).
Audit Controls: Maintain and review logs of system activity.
Integrity Controls: Use antivirus software and system scans.
Transmission Security: Use VPN, TLS, or SFTP when transmitting PHI. Do not send PHI by external email without appropriate safeguards.
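As an added illustration of how the access-control and audit-control requirements in 4.3 translate into code (this is example code written for this policy text, not part of the original document or of any HHSC or TMHP system): a role-based PHI view that enforces the Minimum Necessary standard per role, expires idle sessions for automatic logoff, denies access after revocation, records every attempt in an audit log, and provides a review routine over that log. The roles, field mapping, 15-minute idle timeout, and the sample record are all constructed assumptions.

```python
"""Role-based PHI access with Minimum Necessary filtering, automatic logoff,
revocation, and audit logging. Hypothetical example; all roles, fields and
records are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed PHI record covering the categories the policy names
# (demographics, SSN, medical data, billing data).
SAMPLE_RECORD: Dict[str, object] = {
    "client_id": "C-1001",
    "name": "Sample Client",
    "ssn": "000-00-0000",
    "diagnosis": "sample diagnosis",
    "claim_total": 1234.56,
}

# Minimum Necessary: each role sees only the fields its purpose requires
# (constructed mapping; a real program would derive this from its DUA and workflows).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "clinician": {"client_id", "name", "diagnosis"},
    "billing": {"client_id", "name", "ssn", "claim_total"},
    "auditor": {"client_id", "claim_total"},
}

# Automatic logoff: a session idle longer than this is rejected and closed.
IDLE_TIMEOUT = timedelta(minutes=15)          # assumed value

# Fixed reference clock so the behaviour is reproducible.
BASE_TIME = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """Timestamp `minutes` after BASE_TIME (helper for deterministic runs)."""
    return BASE_TIME + timedelta(minutes=minutes)


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime
    active: bool = True


@dataclass
class AuditEntry:
    when: datetime
    user: str
    role: str
    client_id: str
    outcome: str                              # "granted", "revoked" or "denied:<reason>"
    fields: List[str] = field(default_factory=list)


def access_phi(session: Session, record: Dict[str, object],
               now: datetime, log: List[AuditEntry]) -> Optional[Dict[str, object]]:
    """Return the role-filtered view of `record`, or None if access is denied.
    Every attempt, granted or denied, is appended to `log`."""
    client_id = str(record["client_id"])
    if not session.active:
        reason = "denied:session_inactive"     # revoked or previously expired
    elif now - session.last_activity > IDLE_TIMEOUT:
        session.active = False                 # automatic logoff
        reason = "denied:session_expired"
    elif session.role not in ROLE_FIELDS:
        reason = "denied:unknown_role"
    else:
        session.last_activity = now
        view = {k: v for k, v in record.items() if k in ROLE_FIELDS[session.role]}
        log.append(AuditEntry(now, session.user, session.role, client_id, "granted", sorted(view)))
        return view
    log.append(AuditEntry(now, session.user, session.role, client_id, reason))
    return None


def revoke_access(session: Session, now: datetime, log: List[AuditEntry]) -> None:
    """Workforce Security: revoke on role change or termination; the revocation is itself logged."""
    session.active = False
    log.append(AuditEntry(now, session.user, session.role, "-", "revoked"))


def review_audit_log(log: List[AuditEntry]) -> Dict[str, list]:
    """Audit review: flag any attempt after a user's revocation, and any granted view
    that exposed fields outside the role's permitted set."""
    revoked: Set[str] = set()
    after_revocation, over_exposure = [], []
    for e in log:
        if e.outcome == "revoked":
            revoked.add(e.user)
        elif e.user in revoked:
            after_revocation.append((e.when.isoformat(), e.user))
        if e.outcome == "granted":
            extra = set(e.fields) - ROLE_FIELDS.get(e.role, set())
            if extra:
                over_exposure.append((e.user, sorted(extra)))
    return {"after_revocation": after_revocation, "over_exposure": over_exposure}


if __name__ == "__main__":
    log: List[AuditEntry] = []
    alice = Session("alice", "clinician", at(0))
    print(access_phi(alice, SAMPLE_RECORD, at(1), log))    # no ssn, no claim_total
    print(access_phi(alice, SAMPLE_RECORD, at(30), log))   # None: idle > 15 min
    bob = Session("bob", "billing", at(0))
    revoke_access(bob, at(2), log)
    access_phi(bob, SAMPLE_RECORD, at(3), log)             # denied, shows up in review
    print(review_audit_log(log))
```

The filtering happens on the server side of the access decision, so a client that asks for the whole record still receives only its role's fields, and the log captures the attempt either way. The review routine is deliberately simple; in practice it would run on a schedule against the retained logs that section 4.3 requires.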
4.4 Contingency Planning
Backups & Recovery: Maintain regular backups; test restoration procedures.
Emergency Operations: Ensure essential functions continue during outages or disasters.
5. Notice of Privacy Practices (NOPP)
Posting: Display NOPP prominently online and at service locations.
Content: Must outline rights, obligations, complaint process, and contact information.
6. Breach Notification
Procedure: Promptly report and document any suspected or confirmed breach of PHI.
Notification: Notify HHSC, TMHP (if applicable), and affected individuals in accordance with HIPAA and DUA timelines (typically within 60 days).
Documentation: Maintain records of all breach investigations and corrective actions.
7. Policy Training & Enforcement
Training: All staff receive privacy and security training annually and upon any policy/system updates.
Sanctions: Violations are subject to disciplinary action under workforce HR policy and HHSC requirements.
Monitoring: Regular audits ensure policy compliance.
8. Policy Review & Updates
Annual Review: Policies must be reviewed at least once annually.
60-Day Update Rule: Update policies within 60 days of any material change to HHSC, CLASS Waiver, or DUA standards.