231.001 TakeChargeTexas (TCT) Security

Policy Number: 231.001
Effective Date: August 18, 2010
Revision Date: December 27, 2023
Subject Matter Expert: Services Data Internal Workgroup
Policy Owner: HIV/STD Section Director
Signed by: D’Andra Luna

1.0 Purpose

This policy defines security standards for protecting the confidential information collected and maintained in the TakeChargeTexas (TCT) data application, the TCT Agency Portal. This policy addresses the administrative, physical, and technical safeguards for the security of TCT and the confidentiality of client information. This policy only applies to authorized users of the TCT Agency Portal. Employees of HIV service provider agencies, Administrative Agencies (AAs), and participating pharmacy staff use the TCT Agency Portal after obtaining authorization.

This policy describes the actions required of the Texas Department of State Health Services (DSHS) HIV/STD Section (Section), AAs, and HIV service providers handling confidential client information collected and reported through TCT. 

This policy also outlines procedures for data managers and HIV service provider registration authorities to use when authorizing and assigning roles, rights, and permissions to users of TCT, as well as when securing data and systems, both physically and electronically.
 

2.0 Background

In fulfilling its mission to facilitate and assess the need for HIV services, the Section, its contractors, and external partners obtain, handle, and store confidential information to fulfill this need. The individuals who receive HIV services and to whom confidential information belongs entrust the Section to take every precaution to protect their health information to ensure confidentiality. The Section vigilantly maintains the integrity of TCT, which stores this confidential information. This policy conforms to Section Policy 2016.01, HIV/STD Section Confidential Information Security, and the Local Responsible Party (LRP) Handbook.
 

3.0 Authority

Ryan White HIV/AIDS Treatment Extension Act of 2009 (Public Law 111-87, October 30, 2009); 1351 Public Health Service Act, Title XXVI; HIV Health Care Services Program, Public Law 114-113, Texas Health and Safety Code Chapter 85, §85.031-§85.042, §85.040-§85.042, §85.061-85.065, and §85.115. Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter B; Texas Government Code 2054, Information Resources Management Act, Business and Commerce Code, Title 11, Personal Identity Information, Chapter 521, Subchapter AA.
 

4.0 Definitions

Administrative Agency (AA) – Entity responsible for ensuring a comprehensive continuum of care exists in their funded areas. AAs accomplish this through the management and oversight of HIV care and treatment services funded by federal and state funds under a contractual agreement with DSHS. For a list of AAs, their contact information, and coverage area, see: Texas DSHS HIV/STD Program - HIV Administrative Agencies.

AA Data Managers – Staff at an AA who provide support to HIV service providers to assure the quality and use of data in TCT, including protected health information (PHI), personally identifiable information (PII), and sensitive personal information (SPI).

Acceptable Use Agreement (AUA) – Informs authorized users of their responsibilities when using HHS information resources in accordance with the Health and Human Services (HHS) Information Security Acceptable Use Policy.

Authorized Access – As determined by the Overall Responsible Party (ORP) or designee, permission an authorized person receives to see confidential or potentially identifiable public health data, based on the public health role of the individual and their need to know.

Advanced Encryption Standard – The Advanced Encryption Standard (AES) specifies a Federal Information Processing Standards (FIPS)-approved cryptographic algorithm used to protect electronic data. The AES algorithm can use cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data.

Breach – A departure from established policies or procedures, or a compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or loss of control of PHI, PII, or SPI. A breach is an infraction or violation of a policy, standard, obligation, or law. A breach of data security includes the unauthorized use of data, even aggregated data without names. A breach may be malicious or unintentional.

Breach of Confidentiality – A breach, as defined above, which results in the release of PHI, PII, or SPI to unauthorized persons (i.e., employees or members of the general public).

Breach of Personally Identifiable Information – Defined by the Office of Management and Budget Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to PII whether physical or electronic.

Breach of Protected Health Information – Unauthorized acquisition, access, use, or disclosure of confidential information in a manner not permitted by the HIPAA Privacy Rule or other applicable laws. 

Breach of Sensitive Personal Information – Texas Business and Commerce Code, Chapter 521, defines a breach as a “breach of system security,” which means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of SPI maintained by a person. This also includes encrypted data if the person accessing the data requires a key to decrypt the data.

Confidential Information – Any private information about an identifiable person who has not given consent to make that information public.

Confidentiality – Protection of personal information collected by public health organizations. The right to such protection is based on the principle that public health organizations must not release personal information without the consent of the person involved, except as necessary to protect public health.

Department of State Health Services Privacy Office – Entity that coordinates all privacy investigations and response activities within DSHS divisions and programs, performs monitoring activities such as tracking of third-party incidents to help mitigate risk to DSHS, and includes reviewing and approving privacy threshold analyses. In addition, this office coordinates its corrective action plans with the program involved to provide guidance on correcting the incident and steps to mitigate future reoccurrences. DSHS staff report privacy incidents to the DSHS privacy email box or DSHS privacy officer.

Encryption – Manipulation or encoding of information so that only parties intended to view the information can do so. The most commonly available encryption systems involve public-key and symmetric-key cryptography. In general, for both public and symmetric systems, the larger the key, the more robust the protection.

Fifty Rule – This refers to the acceptable threshold for the release of aggregate HIV/AIDS and STD surveillance, epidemiologic, and public health follow-up data. The underlying population of the statistics released is a population of greater than 50 people. The underlying population is also at least twice the number of cases. For further information, see DSHS Policy 302.001: Release of Tuberculosis (TB), Human Immunodeficiency Virus (HIV), Sexually Transmitted Disease (STD), and Viral Hepatitis Data.

Health Insurance Portability and Accountability Act (HIPAA) of 1996, as amended – The HIPAA Privacy Rule establishes national standards to protect individuals’ medical information and other individually identifiable health information, collectively defined as PHI.

HIV Service Provider – Organization with a contractual agreement with an AA to provide HIV-related medical and support services to Person(s) Living with HIV (PLWH). At the sole discretion of DSHS, non-contracted providers of HIV services may use TCT. 

HITECH Act – The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, promotes the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Local Responsible Party (LRP) – An employee at an AA who accepts responsibility for overseeing the implementation, enforcement, and maintenance of TCT security and confidentiality policies and procedures at their agency, as well as entities with whom the AA has contractual relations (e.g., contracted providers, sub-contracted providers, etc.). The LRP also reports and assists in the investigative privacy incident process. DSHS designates the HIV Care and Medications Unit Director or their designee as the LRP for DSHS staff and grantees working with the Minority AIDS Initiative (MAI).

Minimum Necessary Standard – An authorized user may not use or disclose the entire medical record for a particular purpose unless it can justify the whole record as the amount needed for the purpose.

National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 140-2, or FIPS 140-2 Standards – The Centers for Disease Control (CDC) Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs state the preferred method of securing data is with whole-device encryption that fulfills these standards. Additionally, device encryption ensures that “remnants” of any files opened or deleted from the device are fully secure. NIST FIPS Publication 140-2 details the protection of a cryptographic module within a security system necessary to maintain the confidentiality and integrity of the information protected by the module. 

Non-HHS Government or Private Organization Worker – An employee of a government agency that is not HHS, or an employee who works for a non-government organization partnering with HHS. Both types of employees report to a supervisor in their organization, not an HHS agency.

Overall Responsible Party (ORP) – High-ranking official who accepts overall responsibility for implementing and enforcing data security standards.

This official should have the authority to make decisions about program operations that might affect programs accessing or using the data and should serve as a contact for public health professionals regarding security and confidentiality policies and practices. The ORP is responsible for protecting data as they are collected, stored, analyzed, and released and must certify annually that all security program requirements are being met. The state’s security policy must indicate the ORP(s) by name.

The HIV/STD Section Director accepts overall responsibility for implementing and enforcing data security standards.

Password Protected – After obtaining authorization, users gain access to protected files and directories by entering a username and password.

Personal Identifier – A datum or collection of data that allows the possessor to determine the identity of a single individual with a specified degree of certainty; a personal identifier may permit the identification of an individual within a given database. Bits of data, when taken together, may identify an individual. Personal identifiers may include name, address or place of residence, social security number, telephone number, fax number, and exact date of birth.

Privacy Incident – An unauthorized use or disclosure of individually identifiable information and individually identifiable health information that staff report internally to a supervisor or to the DSHS Privacy Office. TCT users report privacy incidents to the Section and to the agency’s LRP using the DSHS TB/HIV/STD Potential Privacy/Security Incident Report Form on the website. For more information, see DSHS Policy 2011.04, Breach of Confidentiality Response, regarding a privacy incident (breach) response.

Privacy Incident Report – Form completed by staff who initially identified the privacy incident of confidential information, such as PHI. Staff do not include confidential information in this report.

Protected Health Information (PHI) – Individually identifiable health information in any form created or received by a HIPAA-covered entity and relating to the individual's healthcare condition, provision of healthcare, or payment for the provision of healthcare, as further described and defined in the HIPAA Privacy Rule. PHI includes demographic information unless such information is de-identified, as defined above. PHI includes, without limitation, “Electronic Protected Health Information” as defined above and unsecure PHI. PHI includes the PHI of a deceased individual within 50 years of the date of death.

Registration Authority (RA) – An employee of a service provider agency recognized by the LRP. An AA data manager or DSHS Central Office staff member verifies the identity of the RA as a requirement for new authorized user requests. RAs initiate new account requests and training as well as changes to existing accounts, including account termination.

Removable Storage Device – A device allowing for the transportation of electronic information. Many types exist, including, but not limited to, universal serial bus (USB) port flash drives (memory sticks), diskettes, compact disk read-only memory (CD-ROMs), zip disks, tapes, smart cards, and removable hard drives.

Secure Area – Workspace with physical access controls where public health organizations keep or use confidential data with access granted only to authorized persons. The configuration of a secure area depends on resources and other program considerations (e.g., availability of physical space, locks, file cabinets, walls, doors, and other barriers).

Security – The protection of data and information systems for (1) preventing the unauthorized release of identifying surveillance information or data from the systems (e.g., preventing a privacy incident) and (2) protecting the integrity of the data by preventing accidental data loss or damage to the systems. Security includes measures to detect, document, and counter threats to the confidentiality or integrity of the systems.

TCT Authorized Users – Staff who have access to TCT confidential information. Authorized users only have access to the confidential information necessary to carry out job functions as outlined in their job duties, and the Section gives access to this information after the authorized user signs the TCT Confidentiality Agreement (TCT CA) and completes the required Section’s Security and Confidentiality Training on an annual basis. Authorized users also sign an AUA. The Section examines specific job functions before authorizing users. 

TakeChargeTexas (TCT) – A web-based application providers use to report Ryan White and State services provided to eligible clients. TCT serves as the Ryan White Part B Uniform Reporting System (URS) for Texas. See HIV Medical and Support Services Categories.

Sensitive Personal Information (SPI) – Defined by the Texas Business and Commerce Code, Section 521.002(2), as an individual’s first name or first initial and last name combined with any or one of the following items: Social Security number, driver’s license number, government-issued identification number, account number, credit or debit card number combined with a required security code, access code, or password that permits access to an individual’s financial account. Also, any information that identifies an individual and relates to the physical health, mental health, condition of the individual, provision of health care to the individual, or payment for the provision of health care to the individual.
 

5.0 Policy

This policy ensures the security and maintenance of TCT as well as the client PHI collected and stored within TCT. In addition, this policy ensures the confidentiality of this information at all times. The minimum necessary standard applies to the use or disclosure of the information stored within TCT.
 

6.0 Persons Affected

This policy applies to the AA, authorized users, data managers, DSHS, LRP, registration authority, and other TCT authorized users who could potentially view, acquire, or have access to TCT and confidential information entered and stored in the TCT database.
 

7.0 Responsibilities

7.1 Administrative Agency (AA)

The AA manages HIV service provider contracts and designates staff as data managers. 

The AA data manager fulfills the following duties:

  • Maintain and monitor a list of local TCT users authorized to access confidential information in TCT.
  • Maintain a record of the current Confidentiality Agreement (TCT CA) and the Section Security and Confidentiality Training Certificate.
  • Ensure authorized users submit a signed confidentiality agreement and complete or renew the HIV/STD Security and Confidentiality Training on an annual basis within seven (7) days of completion. Users need to sign an AUA (Acceptable Use Agreement).
  • Inform the Section within five (5) business days when an Authorized User (AU) needs to have access suspended or revoked.
  • Report possible security risks, such as potential privacy incidents, to the LRP as soon as the subrecipient informs the AA, if no one has reported the risk to the LRP.

The AA communicates the following security and confidential information to TCT users:

  • TCT users ensure the protection of the confidential information they work with. This includes protecting passwords, keys, and codes enabling access to confidential information.
  • TCT users report possible security risks and potential privacy incidents to the data manager and the LRP as soon as the risk occurs or someone informs them of the risk occurrence.
  • TCT users protect and secure their desk, work area, workstation, laptops, or other devices associated with confidential information.
  • TCT users do not share TCT passwords with anyone, and no one accesses TCT using another person’s login credentials (not even other users).
  • TCT users challenge and report those unauthorized persons who access confidential information as soon as possible.
  • TCT users do not divulge confidential information gained in the course of work activity to unauthorized persons.
  • Upon resignation or termination, users return confidential information and keys or devices, which enable access to physical and electronic locations where they store confidential information, to their immediate supervisor.
     

7.2 Authorized User

Authorized users who are not clients complete the confidentiality agreement, acceptable use agreement, and necessary security and HIPAA training per the guidelines set forth by the Section and local HIV service provider. Local policy may require additional training or documentation based on the user role or other requirements. 

Non-client prospective authorized users register for TCT access through the identity and access management system. Refer to the Identity and Access Management user guide.

DSHS requires non-client prospective authorized users to complete the Section’s Security and Confidentiality Training and have a current and signed Confidentiality Agreement on file in the identity and access management system before the Section can approve them for TCT access. The Section requires authorized users to renew their security and confidentiality certification training and sign a confidentiality agreement to maintain TCT access every year. Authorized users must enter their Security and Confidentiality Training Certificate Number and Training Completion Date in the identity and access management system.

  • TCT users ensure the protection of the confidential information they work with. This includes protecting passwords, keys, and codes which enable access to confidential information.
  • TCT users report security risks to the LRP and data manager.
  • TCT users protect their desk, work area, workstation, laptops, or other devices associated with confidential information.
  • TCT users challenge and report those unauthorized persons who access confidential information as soon as possible.
  • TCT users do not divulge confidential information gained in the course of work activity to unauthorized persons.
  • Upon resignation or termination, TCT users return confidential information and keys or devices, which enable access to physical and electronic locations where they store confidential information, to their immediate supervisor.
     

7.3 Data Managers

AA data managers ensure TCT users have authorization, and each authorized user has the correct permissions within the system which meet the federal minimum necessary standard. 

The data manager acts as the second-level approver for the authorization of users to have access to confidential information and can assist with requests for access to TCT. 

Users request application access, manage network access, or access the TCT application through the identity and access management system. The service provider’s supervisor or data manager limits access to TCT data through the assignment of a user’s appropriate role. 

Ensure authorized users submit a signed Confidentiality Agreement and complete or renew security and confidentiality training on an annual basis. DSHS requires users to sign an AUA. 

Maintain a record of the current TCT Confidentiality Agreement (TCT CA) and the Section’s Security and Confidentiality Training, and ensure authorized users submit a signed Confidentiality Agreement and complete or renew security training on an annual basis. Authorized users need to sign an AUA. 

Every quarter, data managers run the “TCT Staff Activity Audit Report” to ensure staff use TCT as per their assigned access rights in TCT and staff who have left the organization no longer have access to TCT. This action intends to meet federal HITECH and HIPAA measures.
 

7.4 Department of State Health Services

The Section is responsible for TCT user account access. The Section Privacy Coordinator handles security incidents and breaches. The Section reports potential breaches or incidents to the DSHS Privacy Office. The LRP, AA, data manager, or local HIV service provider agency must notify the Section Privacy Coordinator of security incidents or breaches as soon as they occur or as soon as they become aware of them. Section program staff secure confidential information from unintended disclosure to non-HIV/STD Section unauthorized staff.
 

7.5 Local Responsible Party

The LRP maintains security and confidentiality policies and procedures for their organization. The LRP approves the authorization of users to have access to TCT and confidential information.

For LRP responsibilities, see the Local Responsible Party Handbook.
 

8.0 Procedures

Agencies, providers, administrative agencies, and pharmacy staff register for TCT access through the identity and access management system.

See HHS Enterprise Portal Web Help for additional assistance with the Enterprise Portal.
 

8.1 Procedures for Managing TCT Users

The AA maintains the TCT user log and sends this log to the Section Privacy Coordinator annually. The LRP Handbook and Authorized User Spreadsheet are available on the HIV/STD Security Policies and Procedures webpage in the Local Responsible Party section.
 

8.2 Procedures for TCT Data Requests

AAs cannot make releases of electronic client-level data files to third parties for grant development, needs assessment, creation of reports, or another purpose without DSHS approval. Requests for client-level data for research meet the guidelines in 45 CFR 164.501, 164.508, and 164.512(i), and DSHS reserves the right to require the party requesting the data to submit the request to DSHS’ Institutional Review Board if the request appears to relate to research or includes a request for the release of client-identifying information.

AAs may release routine requests for utilization reports and aggregate profiles of clients served by staff other than funded providers or staff without consultation with DSHS but comply with DSHS Policy 302.001, Release of TB/HIV/AIDS and STD Data. AAs may release aggregate profiles of client characteristics, including cross-tabulated tables with cells not meeting the Rule of Fifty, only after redacting and replacing such cells with a mark indicating a small cell count, which precludes inclusion of the specific figure.
 

8.3 Procedures for Reporting Privacy and Security Breaches

See DSHS Policy 2011.04, Breach of Confidentiality Response. The DSHS Privacy Office determines a disclosure to be an incident until they investigate it.
 

9.0 Physical Security, Laptops and Portable Devices, and Handling Electronic Data

DSHS Policy 2016.01, TB/HIV/STD Section Confidential Information Security covers this information.
 

10.0 Evolving Technology

The security guidelines specified in this policy do not cover evolving technology. A good resource for more information is Health IT, which is the official website of the Office of the National Coordinator for Health Information Technology. Data managers or HIV service provider registration authorities should seek guidance from the DSHS Privacy and Security Officer with questions.
 

11.0 Associated Policies

Policy Number    Policy Title
2011.04          Breach of Confidentiality Response
2016.01          TB/HIV/STD Section Confidential Information Security

 

12.0 Revision History

Date          Action                                               Section
12/27/2023    Revised for TCT replacement of ARIES                 All
5/26/2020     Updated content to clarify process                   10.1
3/9/2020      Updated policy to reflect changes in technology      All
9/26/2014     Converted format (Word to HTML)                      -
8/18/2010     This is a new policy                                 -