About HIPAA

Compliance and Privacy
Frequently Asked Questions

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA and its regulations protect the privacy of an individual's health information and govern the way certain health care providers and benefit plans collect, maintain, use and disclose protected health information (PHI). These regulations establish standards for protecting individually identifiable health information and for guaranteeing the rights of individuals to have more control over such information.

Entities covered by HIPAA are health care providers, health plans (including employer-sponsored plans), and health care clearinghouses (e.g., billing agents).

Travis County is considered a hybrid entity, as some components of Travis County meet the definition of a covered entity under HIPAA and many others do not. Click here for more information on Travis County’s status as a hybrid entity, and to see what components are covered by HIPAA.

You may find the privacy policies here and the security policies here.

You may contact your supervisor or contact the Privacy Officer directly. If your department reports to an elected or appointed official other than the Commissioners Court, you may also contact your Privacy Liaison.

These items are exceptions to HIPAA. If you have a question or concern about how your information is handled, you should contact HRMD. If you participate in the County’s health plan, then your enrollment data and your health information related to the health plan ARE covered by HIPAA. If you have a question or concern about the privacy or security of your benefits information, you should contact the Privacy Officer.

Yes. The first thing that must be considered is that there is a risk of reputational harm and identity theft to individuals whose information is improperly disclosed. Travis County maintains a sanctions policy as required by HIPAA for both the privacy policies and the security policies. You should familiarize yourself with this policy. Covered entities, like Travis County, can be subject to federal audits at any time. The federal government can fine covered entities for non-compliance. In addition, the legislation carries personal, civil and criminal liability for failure to comply in certain cases. The US DHHS Office for Civil Rights will enforce civil penalties that may include penalties from $100 per violation to $25,000 per calendar year. The US Department of Justice will enforce criminal penalties, which may include up to 10 years imprisonment and a $250,000 fine.

PHI includes all individually identifiable health information (including information in research databases and tissue bank samples with identifiers) relating to the:

  • Past, present, or future physical or mental condition of an individual
  • Provision of health care to an individual
  • Past, present or future payment for the provision of health care to an individual

Health information is individually identifiable if it contains any of the following:

  • Names
  • Geographic subdivisions smaller than a state
  • Dates (except year) directly related to an individual, including birth date, health care service admission or discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age, unless aggregated into a single category of ages over 89
  • Telephone numbers
  • Fax numbers
  • E-mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/Driver’s license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic or code

PHI that is either transmitted by electronic media or maintained in electronic media is referred to as electronic protected health information, or ePHI.

An employee who suspects a breach of information should immediately contact authorized individuals within their chain of command and the privacy and security officials. You are not required to notify your supervisors, but you are required to notify the Privacy and Security Officer.

ENCRYPTME is used for external users only (all internal email is encrypted).

  • Open a new email message
  • Type "encryptme" in the subject line (it can also be EncryptMe, but it has to be in the subject line)

[Screenshot: "encryptme" typed on external email subject line]

  • Type the contents of the email message and hit Send
  • The recipient will receive an email like the screenshot below
  • Click on "Click here to read the secure message"

[Screenshot: "click here" on the secure message]

  • If the recipient has not registered, a pop-up will ask them to Create an account and click Continue before they can read the message

[Screenshot: registration to read secure email]