IMPORTANT MESSAGE ABOUT HIPAA PRIVACY STANDARDS TO PROVIDERS AND ENTITIES THAT ARE LICENSED OR REGULATED BY THE DEPARTMENT OF STATE HEALTH SERVICES (DSHS)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations implemented standards for how information that identifies a patient can be used and disclosed. (Title 45, Code of Federal Regulations (CFR), Parts 160 and 164) The regulations apply to “covered entities” including health-care plans, health-care clearinghouses, and health-care providers. These privacy standards went into effect on April 14, 2003.
You can continue to provide protected health information to DSHS investigators, inspectors, and licensing and enforcement divisions under one or more of the following exceptions in the HIPAA Privacy Standards. We have listed first the one that applies to most DSHS activities, including regulatory inspections.
***USE AND DISCLOSURE FOR HEALTH OVERSIGHT ACTIVITIES: Section 164.512(d) permits covered entities to disclose private health information to a health oversight agency for oversight activities including audits, civil, administrative or criminal investigations, inspections, licensure or disciplinary actions, or other activities necessary for the oversight of the health-care system, government benefit programs, compliance with governmental regulation or compliance with civil rights laws.
USE AND DISCLOSURE REQUIRED BY LAW: Section 164.512(a) allows covered entities to use and disclose private health information if the use or disclosure is required by law. For example, TDH rules require certain diseases, injuries and conditions to be reported to TDH. Under the “required by law” exception you can continue to comply with these mandatory reporting rules.
USE AND DISCLOSURE FOR PUBLIC HEALTH ACTIVITIES: Section 164.512(b) permits covered entities to release private health information to a public health authority that is authorized by law to collect and receive information for preventing and controlling disease, injury, or disability. This information includes reporting of; disease, injury, vital statistics like births, deaths, marriages, divorces, etc., public health investigations, and public health interventions. Under this exception you are authorized to release information to TDH, or other public health authorities. Disclosure can be initiated by either the public health authority or by you, if it is for one of the above reasons.
USE AND DISCLOSURE FOR LAW ENFORCEMENT PURPOSES: Section 164.512(f) permits disclosure of private health information to a law enforcement officer for certain law enforcement purposes.
USE AND DISCLOSURE TO AVERT A SERIOUS THREAT TO HEALTH OR SAFETY: Section 164.512(j) permits disclosure of private health information if a covered entity in good faith believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. The disclosure must be made to a person who is reasonably able to prevent or lessen the threat, or for identification and apprehension of an individual.
THIS NOTICE IS YOUR AUTHORIZATION UNDER THE ABOVE EXCEPTIONS TO CONTINUE TO PROVIDE ACCESS TO THE INFORMATION REQUESTED BY DSHS AND OTHER PUBLIC HEALTH, LAW ENFORCEMENT AND REGULATORY AUTHORITIES. A Public Health, Licensing, Oversight, Law Enforcement or Regulatory Authority that falls within one of the above exceptions is not required to have a business associate agreement under HIPAA. These entities are not acting on behalf of the covered entity but by a grant of authority under Federal, State or Local Laws.
DSHS inspectors or other personnel should contact their program attorney for more information. (Revised: August 2008).
Select the link below to read an important message about HIPAA Privacy Standards for providers and entities that submit protected health information to the Texas Department of State Health Services.
External email links are provided to you as a courtesy. Please be advised that you are not emailing the Texas Department of State Health Services (TDH) and TDH policies do not apply should you choose to correspond.