HHSC Notice On Reporting Privacy Breach Incidents

A provider or agency contracted with the Texas Health and Human Services Commission may receive or create sensitive personal information (defined by Section 521.002 of the Business and Commerce Code). The provider or agency must protect this sensitive personal information from unauthorized acquisition. Safeguards must include maintaining this information such that it is unusable, unreadable or indecipherable to unauthorized persons.

To determine ways to meet this standard, consult “Guidance to Render Protected Health Information Unusable, Unreadable or Indecipherable to Unauthorized Individuals,” issued by the U.S. Department of Health and Human Services.

Reporting Incidents

The provider or agency must notify HHSC of any unauthorized acquisition of sensitive personal information related to its contract with HHSC, including any breach of system security (defined by Section 521.053 of the Business and Commerce Code).

The provider or agency should report potential incidents to privacy@hhsc.state.tx.us using Form 0402, Potential Privacy/Security Incident.

The provider or agency must:

  • Submit the Potential Privacy/Security Incident Form to HHSC as soon as possible and no later than 48 consecutive clock hours after discovery of an event or breach of confidential information or a time within which discovery reasonably should have been made.
  • Continue to provide the HHSC Privacy Office with updates regarding the investigation and mitigation of the breach until the matter is resolved and closed.

Please complete the entire form. If any fields are left blank, Privacy Office staff will return the form for completion.

If you have questions regarding this alert, please contact the HHSC Privacy Office at 877-378-9869.