top of page

Confidential Information
Privacy & Security Policy

Central Texas Birth Fund (CTBF)
Effective Date: January 2026

Authorized Users and Authorized Purposes

CTBF maintains written privacy and security policies that define:

 
Authorized Users

Authorized Users are Workforce members, contractors, or subcontractors who:

  • Have a legitimate business need to access Texas HHS Confidential Information

  • Have completed required privacy and security training

  • Have signed confidentiality and data use agreements

  • Have been granted role-based system access

  • Appear on CTBF’s current Authorized User List

Access is limited to the minimum necessary to fulfill Authorized Purposes under the applicable Data Use Agreement (DUA) and Base Contract.

 
Authorized Purposes

Texas HHS Confidential Information may only be created, received, maintained, used, disclosed, accessed, or transmitted for Authorized Purposes, including:

  • Delivery of contracted non-medical services

  • Care coordination and service planning

  • Required HHSC reporting and monitoring

  • Quality improvement activities permitted under the DUA

Texas HHS Confidential Information shall not be used for marketing, fundraising, publication, research, or any other purpose not expressly permitted by the DUA or Base Contract.

 

Compliance with HIPAA and Applicable Law

CTBF requires all Workforce members to comply with:

  • HIPAA Privacy Rule (45 CFR §164.530)

  • HIPAA Security Rule

  • Applicable Texas privacy laws

  • HHSC Data Use Agreement (DUA)

  • Base Contract requirements

All policies govern the creation, receipt, maintenance, use, disclosure, access, and transmission of Texas HHS Confidential Information.

 

Minimum Necessary Standard

CTBF limits use and disclosure of Texas HHS Confidential Information to the minimum necessary to accomplish the Authorized Purpose.

Access controls, role-based permissions, and documented business need are required before access is granted.

 

Breach Response & Notification

CTBF maintains a documented Breach Response Plan that includes:

  1. Immediate internal reporting of suspected breaches

  2. Immediate notification to the Texas HHS agency in accordance with Article 4 of the DUA

  3. Notification to regulatory authorities as required by law

  4. Notification to affected Individuals as directed by Texas HHS

  5. Documentation and corrective action measures

All suspected incidents are investigated promptly and documented.

 

Workforce Training

CTBF maintains a formal Workforce training program.

Training requirements:

  • Occurs at least annually

  • Occurs within 30 days of hire before access is granted

  • Covers privacy, security, DUA obligations, HIPAA requirements

  • Requires completion prior to system access

  • Maintains written documentation of training completion

  • Includes monitoring for delinquent training and corrective action

Training records are retained for audit purposes.

 

Individual Rights

CTBF maintains procedures to permit or deny individual rights of:

  • Access to their information

  • Amendment or correction requests

Such requests are processed in accordance with applicable law and HHSC contractual requirements.

 

Sanctions & Enforcement

CTBF maintains and enforces documented sanctions for:

  • Unauthorized access

  • Unauthorized use or disclosure

  • Failure to comply with Authorized Purposes

  • Failure to maintain confidentiality

Sanctions may include retraining, suspension, termination, or contract termination.

Proof of sanctions is documented and retained.

 

Policy Updates

CTBF updates privacy and security policies within 60 days of:

  • Identifying a material change in operations

  • Identifying a change in legal requirements

  • Identifying deficiencies through audit or incident review

 

De-Identified Data Restrictions

CTBF prohibits:

  • Re-identification of de-identified Texas HHS Confidential Information

  • Attempting to contact Individuals whose records are contained in data

  • Publishing data

  • Disclosure of work product

Unless expressly authorized in writing by Texas HHS or permitted under the Base Contract.

 

Offshore Data Restrictions

CTBF will not use, disclose, create, maintain, store, or transmit Texas HHS Confidential Information outside of the United States without:

  • Express prior written approval from Texas HHS

  • Compliance with all safeguarding conditions imposed by Texas HHS

 

Cooperation with Audits and Investigations

CTBF requires full cooperation with:

  • Texas HHS inspections

  • Federal regulatory inspections

  • Audits

  • Compliance reviews

  • Investigations related to the DUA or applicable law

 

Destruction and Disposal

CTBF maintains written procedures for destruction and disposal of Texas HHS Confidential Information consistent with:

  • HIPAA

  • DUA

  • Texas law

Methods include:

  • Secure shredding of paper records

  • Certified electronic destruction

  • Secure deletion procedures

  • Documentation of destruction

 

Privacy Safeguards

CTBF maintains Administrative, Physical, and Technical safeguards.

 
Administrative Safeguards
  • Workforce training

  • Access authorization procedures

  • Termination access revocation

  • Incident management

  • Disaster recovery plan

  • Business associate agreements

 
Technical Safeguards
  • Password protection

  • Role-based access

  • Encryption where appropriate

  • Secure data transmission

  • Logging and monitoring

  • Secure email practices

 
Physical Safeguards
  • Locked file storage

  • Restricted office access

  • Secure workstation placement

  • Clean desk practices

  • Secure disposal containers

 

Authorized User List Management

CTBF and any subcontractors:

  • Maintain a current Authorized User List

  • Monitor for terminated or role-changed employees

  • Remove access immediately upon termination or change in authorization

  • Review access permissions periodically

Central Texas Birth Fund is a nonprofit organization registered with the Texas Secretary of State.

Registration does not imply endorsement by the State. Our federal 501(c)(3) tax-exempt status is pending.

Read our Privacy Policies.

© 2026 Central Texas Birth Fund

bottom of page