1.0 Purpose

This policy establishes standards for identifying, authorizing, deactivating, and managing users of the TakeChargeTexas (TCT) application. It defines criteria for user eligibility based on documented job duties, program affiliation, and organizational role, ensuring users receive only the minimum access necessary to perform their responsibilities.

This policy supports role-based access control (RBAC) and secure authentication through the HHS IAMOnline platform. It defines how to request access, complete required training, and maintain confidentiality agreements.

This policy protects the confidentiality, integrity, and availability of protected health information (PHI), personally identifiable information (PII), and sensitive personal information (SPI) stored in the TCT application by enforcing consistent user management practices throughout the access lifecycle. It ensures compliance with DSHS confidentiality, security, and quality assurance standards and aligns with the Health and Human Services Information Security Control Catalog (HHS IS Controls).

This policy also complies with DSHS confidentiality, security, and quality assurance standards and aligns with the Health and Human Services Information Security Control Catalog (HHS IS Controls), Section AC-02(3), which requires organizations to disable user accounts within 120 days when access is no longer associated with a user or after 90 days of inactivity.
 

2.0 Authority

Ryan White HIV/AIDS Treatment Extension Act of 2009; Texas Health and Safety Code, Chapter 85, §85.032, §85.040, and §85.041; Texas Administrative Code (TAC), Title 1, Part 10, Chapter 202, Subchapter B, Information Security Standards for State Agencies; and Information Resources Management Act, Texas Government Code 2054.
 

3.0 Definitions

AIDS Drug Assistance Program (ADAP) – A federally funded program that provides medications and other HIV-related services to low-income, uninsured, and underinsured people with HIV/AIDS. AIDS Drug Assistance Program (ADAP) services are available in all 50 states and U.S. territories. The Texas HIV Medication Program (THMP) serves as the state's official ADAP.

Administrative Agency (AA) – An organization contracted with DSHS to administer Ryan White Part B and State Services funds within a defined geographic service area. The AA ensures a comprehensive continuum of HIV care by overseeing fiscal management, program monitoring, and data quality. It also manages user access and enforces role-based access standards within the TakeChargeTexas (TCT) application for its service network. For a list of HIV Administrative Agencies, including contact information and coverage areas, visit HIV Administrative Agencies.

Administrative Agency Data Manager (AA DM) – A staff member designated by an AA to support contracted HIV service providers in maintaining data quality and ensuring appropriate use of the TCT application. The AA DM validates access requests, confirms that role assignments align with documented job duties, and monitors access certification cycles. As the second-level approver in the IAMOnline identity and access management workflow, the AA DM also oversees user management, account compliance, and coordinates with DSHS on data quality, training, and security requirements.

Approver and Authenticator – An individual with designated authority to review and authorize user access requests, role assignments, or system changes through IAMOnline.

Application Vendor – Entities that support TCT configuration, access management, and maintenance.

Authorized User – An individual who completes the required confidentiality and security training, signs applicable agreements, and receives approval through the IAMOnline identity and access management workflow to access the TCT application. Authorized Users maintain compliance with annual training and agreement requirements, actively use their accounts, and participate in access recertification as required. They access only the minimum necessary data to perform documented job functions, following the principle of least privilege and official program use.

Eligible Clients – Low-income Texas residents with a documented diagnosis of HIV. (Note: Certain services may also be available to individuals without an HIV diagnosis as permitted under Health Resources and Services Administration (HRSA) HIV/AIDS Bureau HRSA Policy Clarification Notice 16-02, Ryan White HIV/AIDS Program Services: Eligible Individuals & Allowable Uses of Funds, and as otherwise stipulated by HRSA HAB). HIV/STD Policy 220.001 – Eligibility to Receive HIV Services, and HRSA Policy Clarification Notice 16-02 outline the eligibility requirements for specific services.

Health Insurance Portability and Accountability Act (HIPAA) – Federal legislation enacted in 1996 that establishes national standards for protecting the privacy and security of protected health information (PHI). HIPAA regulations require covered entities, including DSHS and its contracted partners, to implement administrative, physical, and technical safeguards to protect PHI from unauthorized access, use, or disclosure.

Health Resources and Services Administration (HRSA) – The federal agency within the U.S. Department of Health and Human Services responsible for improving access to health care services for people who are uninsured, isolated, or medically vulnerable. The HRSA administers the Ryan White HIV/AIDS Program, providing oversight, guidance, and funding for HIV care services nationwide.

HIV/AIDS Bureau (HAB) – The division within HRSA responsible for administering the Ryan White HIV/AIDS Program. HAB provides grants to states, cities, and community-based organizations; issues policy guidance and program clarifications; and monitors program compliance to ensure the delivery of quality HIV care and treatment services to eligible individuals.

IAMOnline – The HHS Identity and Access Management (IAM) platform controls secure access to HHSC applications, including TCT. IAMOnline authenticates users through single sign-on (SSO) and multi-factor authentication (MFA) and authorizes access using Role-Based Access Control (RBAC) and automated workflows. It manages the full access lifecycle, including account provisioning, modification, recertification, and deactivation, for HHS employees, contractors, providers, clients, and partners. It enforces HHS IS Control AC-02 (Account Management).

HIV Service Provider – An organization with a contractual agreement with an AA to provide HIV-related medical and support services to person(s) living with HIV (PLWH). Service providers must comply with DSHS policies and RWHAP requirements. DSHS may grant non-contracted HIV service providers access to TCT at its sole discretion.

Housing Opportunities for Persons with AIDS (HOPWA) Program – HOPWA funding provides housing assistance and related supportive services to eligible persons living with diagnosed HIV.

Local Responsible Party (LRP) – The designated individual within an organization responsible for implementing, enforcing, and maintaining TCT security and confidentiality policies and procedures. The LRP serves as the third-level approver in the IAMOnline identity and access management workflow, validating access requests, confirming compliance with training and confidentiality agreements, and ensuring role assignments align with documented job duties. The LRP monitors account activity, oversees access certification cycles, and coordinates with the HIV/STD Section Privacy Coordinator to investigate and respond to privacy incidents. For DSHS staff, Minority AIDS Initiative (MAI) grantees, and participating pharmacy staff, the HIV Care and Medications Unit Director or their designee serves as the designated LRP.

Minority AIDS Initiative (MAI) – A federal funding initiative that provides resources specifically targeted to address HIV-related disparities in racial and ethnic minority communities disproportionately affected by HIV/AIDS. MAI grants support HIV prevention, care, and treatment services tailored to the cultural and linguistic needs of minority populations.

Personally Identifiable Information (PII) – Information that identifies an individual or traces their identity, either alone or combined with other data. PII in TCT includes names, addresses, Social Security numbers, dates of birth, phone numbers, email addresses, and other identifying information.

Principle of Least Privilege – An information security standard requiring users to have only the minimum level of access necessary to perform assigned job functions. Least privilege minimizes security risks by limiting potential exposure of sensitive data and reducing the impact of compromised accounts.

Protected Health Information (PHI) – Individually identifiable health information maintained or transmitted in any form that relates to a person’s physical or mental health, health care services received, or payment for those services. Organizations safeguard PHI in accordance with the HIPAA, applicable state laws including Texas Health and Safety Code §81, and HHS Information Security Controls.

Role-Based Access Control (RBAC) – A security model that assigns system permissions based on predefined roles aligned with job duties and organizational responsibilities. RBAC enforces the principle of least privilege by granting users only the minimum access necessary to perform their documented functions. It supports consistent, auditable access management through automated workflows, ensuring compliance with applicable security standards.

Ryan White HIV/AIDS Program (RWHAP) – A federal program authorized in 1990 and administered by the HRSA HIV/AIDS Bureau. The program provides grant funds to states, metropolitan areas with high numbers of PLWH, and selected treatment providers to fill gaps in the system of outpatient medical and social support services for low-income people diagnosed with HIV. RWHAP funds serve as the payer of last resort.

Ryan White Part B – The component of the Ryan White HIV/AIDS Program that provides formula and supplemental grants to all 50 states, the District of Columbia, Puerto Rico, Guam, the U.S. Virgin Islands, and five U.S. Pacific Territories. Part B funds support core medical and support services, including the ADAP, as well as emerging community needs. DSHS administers Ryan White Part B funds for the State of Texas through contracts with Administrative Agencies and service providers.

Sensitive Personal Information (SPI) – A category of PII that, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. SPI in TCT includes HIV status, diagnosis dates, treatment information, medication records, eligibility determination data, and service utilization records.

Supervisors – The immediate manager or designated authority at an employing organization who oversees an employee's work and has the authority to validate job responsibilities and access needs. Supervisors may serve as First Level Approvers for TCT access requests, conduct periodic access reviews, and initiate deactivation requests when employees separate from employment or change roles that no longer require TCT access.

TakeChargeTexas (TCT) – The secure, web-based application administered by DSHS that streamlines eligibility determination for HIV Care Services (CARE) and the Texas HIV Medication Program (THMP), processes medication orders, and records client-level data for Ryan White and State Services programs. It supports case management, reporting, and data sharing. It serves as the Uniform Reporting System (URS) for HIV Care Services to ensure continuity of care while safeguarding PHI, PII, and SPI.

Texas HIV Medication Program (THMP) – A state-funded program that provides HIV-related medications and pharmacy services for low-income Texans living with HIV. THMP is the official ADAP for the State of Texas. The program also operates the State Pharmacy Assistance Program and the Texas Insurance Assistance Program to help eligible clients access medications and maintain insurance coverage.

Uniform Reporting System (URS) – A standardized data collection and reporting system required by HRSA for Ryan White Part A and Part B grantees. The URS captures client-level data on demographics, services provided, clinical outcomes, and program performance measures. TCT serves as the URS for Texas, enabling service providers to document services and generate required reports for HRSA compliance.
  

4.0 Persons Affected

This policy applies to individuals and entities who access the TakeChargeTexas (TCT) system, including:

• Application Vendor – Entities that support TCT configuration, access management, and maintenance. 
• HHS and DSHS Employees, Contractors, and Interns – Individuals employed by or contracted with DSHS who administer, support, or oversee TCT operations.
• External Users, including Administrative Agencies (AAs), Service Providers, and Partner-Organizations – Staff with a direct and ongoing need for TCT information to provide or coordinate client care and services.
• Pharmacy Personnel – Staff at THMP-participating pharmacies who process medication orders and manage pharmacy-specific functions.
• Supervisors, Administrative Agency Data Managers (AA DM), and Local Responsible Parties (LRP) – Individuals who serve as approvers for access requests, conduct access reviews, and ensure compliance with security and confidentiality requirements
• Clients – Eligible individuals receiving HIV care services and medications who access TCT client portal functions.

NOTE: Administrative agencies and contractors may not create users whose sole need for access relates to surveillance, research, grant reporting, or other ancillary uses. Only DSHS may approve authorized users for these purposes.
 

5.0 Responsibilities

This section defines the responsibilities of individuals and entities that request, approve, manage, or support access to the TakeChargeTexas (TCT) application.

5.1 Authorized Users

Authorized users must comply with the following requirements to access TCT:

5.1.1 Complete required training and agreements

Complete the TB/HIV/STD Data Security and Confidentiality Training before initial access and annually thereafter. Sign and maintain confidentiality agreements acknowledging responsibility to protect PHI, PII, and SPI.

5.1.2 Request and maintain access appropriately

Submit a complete access request through IAMOnline and receive three levels of approval. Request role access only for assigned job duties under the principle of least privilege. Notify supervisors and the TCT Help Desk immediately when job duties change or employment ends to ensure timely access modification or deactivation.

5.1.3 Use TCT responsibly and securely

Access TCT only for authorized job functions and view or modify only the data necessary to perform assigned duties. Use only assigned login credentials; never share passwords or account access. Log out when leaving workstations unattended and secure devices used to access TCT.

5.1.4 Protect confidentiality and comply with policy

Safeguard client information, program data, and system details. Comply with DSHS security policies, HIPAA requirements, and HHS IS Controls applicable to TCT use. Access records only for individuals actively receiving services under the user’s care or coordination. Use TCT data solely for authorized program purposes; never access for personal reasons or unauthorized uses such as surveillance or research without DSHS approval.

5.1.5 Report issues promptly

Report unauthorized access, suspected breaches, security incidents, or unusual system activity immediately to supervisors and the TCT Help Desk. Report technical issues, system errors, or access problems to the TCT Help Desk for resolution.

5.1.6 Maintain compliance and participate in reviews

Keep user information accurate and current. Participate in periodic access reviews and respond to recertification or deactivation notices. Review policy updates from DSHS or agency leadership and comply with new requirements.

5.1.7 Comply with deactivation guidelines

Authorized users are responsible for maintaining appropriate access to TCT and must:

• Notify their supervisor immediately upon termination, resignation, role change, transfer, or when TCT access is no longer necessary for job duties.
• Maintain active use of their TCT account by logging in at least once every 90 days if access is still necessary.
• Complete annual Security and Confidentiality Training and sign the Confidentiality Agreement before renewal deadlines to retain access.
• Respond to pre-deactivation notifications within specified timeframes if continued access is necessary.
• Comply with DSHS security policies and report security incidents or unauthorized access attempts that may require emergency deactivation.
• Understand deactivation triggers and take proactive steps to maintain access when appropriate.
   

5.2 Supervisors (First-Level Approvers)

Supervisors are responsible for initiating and managing TCT user deactivations for staff under their supervision. They must:

• Submit deactivation requests within five business days of employee or contractor termination, resignation, or role change that no longer requires TCT access.
• Monitor staff roles to ensure continued need for access and appropriateness of assigned permissions.
• Review weekly automated TCT Access Request status reports and respond to Data Manager inquiries regarding users requiring deactivation.
• Verify deactivation completion in IAMOnline and document the reason for each request.
• Participate in semi-annual access reviews per HIV/STD Policy 231.001 – TCT Security to identify users who no longer require access.
• Process reinstatement requests for users returning after deactivation due to inactivity or expired requirements.
• Maintain communication with Data Managers and HR departments to stay informed of staff changes affecting TCT access.
• Provide advance notice to users when anticipating deactivation and ensure departing staff understand the removal of their access the return of TCT-related materials must.
   

5.3 Administrative Agency Data Managers (Second-Level Approvers)

Administrative Agency (AA) Data Managers are responsible for reviewing and processing deactivation requests and ensuring compliance across their service area. They must:

• Review supervisor-submitted deactivation requests within 3 business days and verify removal from active user listings.
• Monitor weekly automated TCT Access Request status reports to identify pending deactivations, users nearing inactivity, and those with expiring training or confidentiality requirements.
• Coordinate with supervisors to confirm user status changes and initiate deactivations for users who have not completed annual requirements.
• Maintain documentation of processed deactivations and track quarterly metrics, including counts by reason, processing times, and compliance indicators.
• Participate in semi-annual access reviews per Section Policy 231.001, TCT Security and cross-reference findings with weekly reports.
• Coordinate bulk deactivations for contract terminations and provider changes and escalate unresolved or complex issues to LRPs or the DSHS HIV Care and Medications Unit.
• Provide technical assistance to supervisors regarding deactivation procedures and follow up on delays or incomplete requests.
   

5.4 Local Responsible Parties (LRPs) (Third-Level Approvers)

LRPs serve as the final approvers for TCT user deactivations and ensure agency-wide compliance with deactivation policies. They must:

• Provide final approval for deactivation requests, especially for high-access roles requiring additional oversight.
• Monitor deactivation patterns and metrics quarterly to identify trends or potential compliance concerns.
• Notify the DSHS HIV Care and Medications Unit of users requiring immediate deactivation due to security risks or policy violations.
• Maintain current lists of authorized TCT users within their jurisdiction and coordinate with Data Managers to ensure timely processing across contracted providers.
• Oversee bulk deactivations resulting from organizational changes and approve emergency deactivations within four business hours when immediate action is necessary.
• Conduct periodic reviews of deactivation processes to support quality assurance and report delays or incomplete actions to DSHS for resolution.
   

5.5 DSHS HIV Care and Medications Unit

The DSHS HIV Care and Medications Unit oversees statewide deactivation compliance and system-level coordination. Responsibilities include:

• Monitor deactivation compliance across agencies and ensure timely removal of DSHS staff accounts.
• Review weekly and quarterly reports to track deactivation metrics and support internal quality assurance.
• Coordinate with IT and IAMOnline teams to manage system-level deactivations and implement process improvements.
• Provide training and technical support to Data Managers and supervisors on deactivation procedures.
• Maintain oversight through documentation updates and participation in semi-annual access reviews.
• Respond to urgent deactivation requests within business hours, ensuring timely resolution.
   

5.6 HHS IT Public Health Applications (IT-PHA)

HHS IT-PHA manages database and server account access and performs the following actions:

• Process database and server account deactivation requests within 10 business days, in accordance with IS Controls and quality assurance standards.
• Respond to emergency deactivation requests for database and server accounts within four business hours when required.
• Coordinate with the DSHS HIV Care and Medications Unit to confirm deactivation request status and completion.
• Conduct periodic user access reviews for database and server accounts and compile access lists for review.
• Verify current and appropriate approvals for users with database and server access.
• Document completion of deactivations and maintain records for quality assurance.
• Report quarterly on database and server account deactivations to the DSHS HIV Care and Medications Unit.
   

5.7 IAMOnline Development Team

The IAMOnline Development Team supports account management and system integration by:

• Maintain automated deactivation functionality for accounts inactive for 90 days and implement pre-deactivation notifications to alert users in advance.
• Generate and distribute weekly automated TCT Access Request status reports to Data Managers and supervisors.
• Capture and track user login activity to support inactivity-based deactivation and synchronize user status with the TCT application.
• Provide suspension and reinstatement functionality through the IAMOnline interface and process manual deactivation requests submitted via IAMOnline workflows.
• Maintain system logs of deactivation activities and ensure technical support is available for deactivation-related issues.
• Coordinate with the TCT application team to ensure seamless data exchange and implement system enhancements based on operational feedback.
   

5.8 TCT Help Desk

The TCT Help Desk supports users, supervisors, AA Data Managers and LRPs and must:

• Provide technical support to supervisors, Data Managers, and users for deactivation procedures, including IAMOnline navigation and troubleshooting.
• Escalate urgent deactivation requests to the DSHS HIV Care and Medications Unit for processing within four business hours.
• Coordinate with Data Managers and LRPs to resolve deactivation-related issues across agencies and service areas.
• Track and report deactivation processing times to identify delays or bottlenecks and support quality assurance.
• Maintain a help desk procedures manual with detailed deactivation instructions and update it based on recurring issues and operational needs.
• Document and respond to inquiries about deactivation triggers, timelines, reinstatement procedures, and related requirements.
   

5.9 Authorized User Roles and Permissions

DSHS assigns TCT access through role-based access control (RBAC) to ensure users receive only the permissions necessary for documented job duties. Program areas and organizational functions categorize roles and define access levels, screen permissions, and system capabilities. Users must request roles that align with their responsibilities, provide justification, and obtain required approvals through IAMOnline. The policy structures roles to support the principle of least privilege and ensures compliance with HIPAA, state confidentiality laws, and DSHS security standards.

Users may not hold roles across multiple programs without explicit DSHS authorization. The policy enforces non-transferable roles and mandates reassignment through approved channels when job duties change. Only HHS and DSHS personnel hold DSHS specific staff roles; external users must not request roles in restricted categories. Role requests must align with operational responsibilities  and are subject to semi-annual review for compliance.

Appendix A – TCT Roles Catalog provides detailed descriptions of authorized roles and serves as the authoritative reference for role selection and management.
 

5.10 Access Request and Approval Routing

IAMOnline routes TakeChargeTexas (TCT) access requests through a multi-level approval process to ensure users receive appropriate permissions based on organizational affiliation, job function, and documented need. Each access request requires validation that users have completed required training, signed confidentiality agreements, and requested roles appropriate to their job duties.

5.10.1 External User Approval Routing

5.10.1.1 Administrative Agencies, Service Providers, and Partner Organization

IAMOnline route’s role approvals are as follows: 

• First Level Approver: The immediate agency supervisor or manager validates that the requested access aligns with the employee's job duties and organizational role. 
• Second Level Approver: The AA DM who verifies role appropriateness, agency affiliation, and compliance with data governance standards. 
• Third Level Approver: The LRP provides final authorization and ensures compliance with DSHS security policies, confidentiality requirements, and agency-level access standards.

5.10.1.2 Pharmacy Personnel

DSHS routes role approvals for staff at participating THMP pharmacies through an alternative process:

• First and Second Level Approver: DSHS designates the internal Pharmacy Supervisor and Manager to validate pharmacy affiliation and role appropriateness for the pharmacy portal.
• Third Level Approver: The HIV Care and Medications Unit Manager or Designee provides final authorization and ensures compliance with THMP operational requirements.

5.10.1.3 Clients

Current and prospective clients requesting access to submit Ryan White Care and THMP eligibility applications create self-service accounts through the TCT client portal. Client access does not require multi-level approvals but requires identity verification and adherence to account security requirements. Clients maintain access to their profiles, applications, and supporting documentation regardless of eligibility determination status to support reapplication or appeals processes.

5.10.2 Internal User Approval Routing

IAMOnline routes employee role approvals through the following levels:

• First Level Approver: The employee's immediate supervisor validates that the requested access supports documented job responsibilities.
• Second Level Approver: The HIV Care and Medications Unit Manager or Designee verifies that the requested role aligns with agency priorities and does not duplicate existing access.
• Third Level Approver: The HIV Care and Medications Unit Director or Designee provides final authorization and ensures alignment with programmatic oversight responsibilities and state regulatory requirements.

5.10.3 Approver Validation Requirements

Approvers and Authenticators at each level verify that users meet eligibility criteria, complete required Data Security and Confidentiality Training, sign current confidentiality agreements, and request roles that adhere to the principle of least privilege. Approvers deny requests that lack adequate justification, exceed minimum necessary access, or fail to  align with documented job functions. Approvers work with subsequent approval levels to resolve questions regarding role appropriateness, access scope, or policy compliance. Local Responsible Parties have final authority to approve or deny access requests and initiate access modifications or deactivations based on compliance concerns or security requirements.

Appendix A – TCT Roles Catalog details TCT roles and permissions.
 

5.11 Inappropriate Users

Inappropriate users include: 

• Users who do not work at agencies receiving Ryan White (RW), HOPWA, or State Service (SS) funds to provide HIV services.
• Users who do not have a direct and ongoing need for the information to provide or coordinate client care. AA does not create users whose sole need for access relates to surveillance, research, grant reporting, or other ancillary uses for these data. Only DSHS may approve authorized users for these purposes.
• Users who request roles that do not align with their documented job functions.
• Users who request access levels that exceed the minimum necessary to perform their assigned duties.
   

5.12 Exceptions

DSHS considers users not meeting the criteria above on a case-by-case basis. Users requesting exceptions must submit written justification to DSHS for review and approval.
 

5.13 Access Management Overview

DSHS provisions, modifies, and deactivates TCT user access through IAMOnline. The system records approvals, automates notifications, and supports periodic access reviews. DSHS, Administrative Agencies, and Service Providers use IAMOnline to authenticate users, authorize access, and monitor account activity.

The procedures enforce role-based access control, apply the principle of least privilege, and maintain compliance with DSHS information security requirements and the Health and Human Services Information Security Control Catalog (HHS IS Controls).
 

5.14 Becoming an Authorized User

Prospective users must complete the DSHS Data Security and Confidentiality training, sign required agreements and obtain approval through the three-level authorization process. The TCT system automatically grants access only after the approver verifies documentation and completes the approvals. 
 

5.15 Access Monitoring and Deactivation

DSHS monitors TCT access to ensure roles remain appropriate and compliant with security standards. Supervisors, AA DMs, LRPs, and DSHS staff use IAMOnline reports to monitor active users, identify inactivity,  and initiate timely modifications and deactivations.

Staff must Deactivation Procedures within the TCT User Manual when removing or deactivating access. Staff must retain documentation of access changes according to DSHS records management requirements.
 

5.16 Periodic Role Reviews

DSHS conducts semiannual reviews of TCT user roles in coordination with Section Policy 231.001, TCT Security, to ensure access remains appropriate and compliant. Supervisors verify employment status, confirm job duties, and ensure assigned roles align with responsibilities. AA DMs oversee reviews across service areas, monitor reports for discrepancies, and compile summaries for submission to DSHS. Local Responsible Parties validate completion of reviews, confirm role alignment, and ensure documentation remains current.

Annual role recertification requires supervisors to review and confirm TCT user roles through IAMOnline to maintain alignment with current job duties. Supervisors verify role assignments, request modifications when necessary, and document recertification. The TCT Help Desk monitors compliance and may deactivate accounts that fail to complete recertification within required timeframes.
 

5.17 Local Procedures and Data Improvement Plans

Administrative Agencies must document role assignment and review procedures in their Annual Data Improvement Plans (DIPs) submitted to DSHS in accordance with Section Policy 231.003, TCT Data Improvement Plan. These plans outline local processes for verifying roles, define supervisor and Data Manager responsibilities, establish timelines for semi-annual reviews, and include quality assurance measures and training plans. DSHS reviews and approves DIPs to ensure alignment with this policy and provides technical assistance to support implementation.
 

5.18 DSHS Oversight and Quality Assurance

DSHS and the TCT Help Desk monitor state-wide access management compliance using IAMOnline reports, role-review reports, and Data Improvement Plans (DIP) that AA DMs and LRPs submit. DSHS provides technical assistance on role assignment and policy interpretation and initiates corrective action when audits or reviews identify non-compliance or systemic issues.
 

6.0 Procedures

The TCT Users Procedure Manual outlines procedures.
 

7.0 Revision History

8.0 Associated Policies

9.0 Associated Requirements and Documentation