Scope of this standard
These standards apply to all workforce members of TXST’s HIPAA-covered components (HCC), including faculty, staff, student workers, volunteers, contractors, and business associates who access or disclose PHI.
Uses and Disclosures requiring an opportunity for the individual to agree or object
- To the individual or personal representative or a family member or any other individual identified by the patient involved in the patient’s care or payment.
- TXST must verify the identity of the person requesting the information or the authority of that person to have access to the PHI. Documentation to demonstrate the authority of a personal representative may be requested.
Uses and Disclosures to carry out treatment, payment, or healthcare operations
- Treatment
- TXST may use and disclose a patient’s PHI to provide the patient with treatment or services. Treatment activities include the provision, coordination, or management of health care and related services, including the coordination or management of health care with a third party, consultation with other health care providers related to a patient, or the referral of a patient for health care to another health care provider.
- Share a patient’s PHI with other departments within the covered healthcare component if the department is providing or has in the past provided services to the patient.
- Disclose a patient’s PHI to physicians and other healthcare professionals who are involved in the patient’s care, including individuals or entities participating in an Organized Health Care Arrangement (“OHCA”) with TXST.
- Payment
- Use and disclose a patient’s PHI for payment for the treatment and services provided to the patient. Payment activities include providing or obtaining reimbursement for health care, determinations of eligibility or coverage, coordination of benefits, billing and collection activities.
- Disclose a patient’s PHI to the patient’s health plan to obtain prior approval for treatment or to determine whether the patient’s plan will cover the treatment.
- Disclose a patient’s PHI to other healthcare providers to facilitate the other healthcare provider’s billing and collecting efforts and as permitted by applicable law, including to other individuals or entities participating in an OHCA with TXST. TXST shall verify the identity and authority of the health care provider or other Covered Entities prior to disclosing PHI.
- Health Care Operations
- Performing quality assessments and improvement activities
- Analyzing the cost of treatment and improving care
- Aggregating patient information to decide what additional services should be offered, what services are not needed, and whether certain new treatments are effective.
- Performing audits
- Evaluating competence and qualifications of healthcare professionals
- Developing clinical guidelines and conducting patient safety activities as defined in applicable regulations.
Uses and disclosures for which an authorization or opportunity to agree or object is not required
- The privacy custodian or HIPAA Privacy Officer must be consulted for this category of use or disclosure.
- Required by law for
- Reporting victims of abuse, neglect, or domestic violence
- Judicial and administrative proceedings:
- Court order or administrative order or tribunal – TXST may disclose PHI in compliance with and limited by the relevant requirements of a court order or administrative tribunal order.
- TXST may disclose PHI in response to a subpoena, discovery request, or other lawful process not accompanied by a court order, but only if TXST receives satisfactory assurances from the party requesting the information that the patient was given notice of the request or efforts were made to obtain a qualified protective order that restricts Use or disclosure of the information to the proceeding for which it was requested and requires return or destruction of such information at the end of the litigation or proceeding. Satisfactory assurances are not required in limited circumstances specified in the Privacy Rule.
- Law enforcement purposes:
- For identification and location purposes.
- For victims of a crime.
- To notify of a death if criminal conduct is suspected.
- To report crime on premises
- Report crime in an emergency
- Public Health Activities
- Disease prevention, injury, or disability
- Reporting births and deaths
- Reporting reactions to medications or product problems
- To inform people of recalls of products they may be using
- To inform a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition
- To an employer who provided health care to the patient at the request of the employer
- Limited to proof of immunization to a school if patient is a student or prospective student
- For Health Oversight Activities
- TXST may release PHI to a Health Oversight Agency for limited oversight activities authorized by law, such as audits and investigations necessary for oversight of the health care system and government benefit programs.
- To coroners, medical examiners, and funeral directors
- For cadaveric organ, eye, or tissue donation
- Research purposes with IRB approval or privacy board approval
- For Health and Safety
- TXST may release the minimum necessary PHI without the patient’s authorization to prevent a serious threat to health or safety if there exists a reasonable and good faith belief that:
- Disclosure is necessary to prevent or reduce a serious and imminent threat to the health or safety of the public.
- The disclosure will be made only to a person or persons reasonably able to prevent or reduce the threat; and
- The disclosure may be made to the individual associated with the threat.
- Disclosure is requested by law enforcement authorities and is necessary for them to identify or apprehend a suspect, fugitive, material witness or missing person. Only certain limited information may be shared in accordance with HIPAA and applicable state law.
- Questions about whether a disclosure is required to prevent a serious threat to health or safety or what information may be disclosed should be directed to the Privacy Office.
- For fundraising, limited to demographic information and dates of health care provided
- For specialized government functions
- TXST may use and disclose PHI in various circumstances involving specialized government functions, including but not limited to military and veterans’ activities, national security and intelligence activities, protective services for the President of the United States, and medical suitability determinations.
- To comply with workers’ compensation laws or other programs established by law that provide benefits for work-related injuries or illness without regard to fault.
- Disclosures by Whistleblowers
- TXST will not be considered to have violated the requirements of the Privacy Standard if a member of its workforce or a business associate discloses PHI according to TXST policy Disclosures by Whistleblowers.