
Confidential Information
Privacy & Security Policy
Central Texas Birth Fund (CTBF)
Effective Date: January 2026
Authorized Users and Authorized Purposes
CTBF maintains written privacy and security policies that define:
Authorized Users
Authorized Users are Workforce members, contractors, or subcontractors who:
-
Have a legitimate business need to access Texas HHS Confidential Information
-
Have completed required privacy and security training
-
Have signed confidentiality and data use agreements
-
Have been granted role-based system access
-
Appear on CTBF’s current Authorized User List
Access is limited to the minimum necessary to fulfill Authorized Purposes under the applicable Data Use Agreement (DUA) and Base Contract.
Authorized Purposes
Texas HHS Confidential Information may only be created, received, maintained, used, disclosed, accessed, or transmitted for Authorized Purposes, including:
-
Delivery of contracted non-medical services
-
Care coordination and service planning
-
Required HHSC reporting and monitoring
-
Quality improvement activities permitted under the DUA
Texas HHS Confidential Information shall not be used for marketing, fundraising, publication, research, or any other purpose not expressly permitted by the DUA or Base Contract.
Compliance with HIPAA and Applicable Law
CTBF requires all Workforce members to comply with:
-
HIPAA Privacy Rule (45 CFR §164.530)
-
HIPAA Security Rule
-
Applicable Texas privacy laws
-
HHSC Data Use Agreement (DUA)
-
Base Contract requirements
All policies govern the creation, receipt, maintenance, use, disclosure, access, and transmission of Texas HHS Confidential Information.
Minimum Necessary Standard
CTBF limits use and disclosure of Texas HHS Confidential Information to the minimum necessary to accomplish the Authorized Purpose.
Access controls, role-based permissions, and documented business need are required before access is granted.
Breach Response & Notification
CTBF maintains a documented Breach Response Plan that includes:
-
Immediate internal reporting of suspected breaches
-
Immediate notification to the Texas HHS agency in accordance with Article 4 of the DUA
-
Notification to regulatory authorities as required by law
-
Notification to affected Individuals as directed by Texas HHS
-
Documentation and corrective action measures
All suspected incidents are investigated promptly and documented.
Workforce Training
CTBF maintains a formal Workforce training program.
Training requirements:
-
Occurs at least annually
-
Occurs within 30 days of hire before access is granted
-
Covers privacy, security, DUA obligations, HIPAA requirements
-
Requires completion prior to system access
-
Maintains written documentation of training completion
-
Includes monitoring for delinquent training and corrective action
Training records are retained for audit purposes.
Individual Rights
CTBF maintains procedures to permit or deny individual rights of:
-
Access to their information
-
Amendment or correction requests
Such requests are processed in accordance with applicable law and HHSC contractual requirements.
Sanctions & Enforcement
CTBF maintains and enforces documented sanctions for:
-
Unauthorized access
-
Unauthorized use or disclosure
-
Failure to comply with Authorized Purposes
-
Failure to maintain confidentiality
Sanctions may include retraining, suspension, termination, or contract termination.
Proof of sanctions is documented and retained.
Policy Updates
CTBF updates privacy and security policies within 60 days of:
-
Identifying a material change in operations
-
Identifying a change in legal requirements
-
Identifying deficiencies through audit or incident review
De-Identified Data Restrictions
CTBF prohibits:
-
Re-identification of de-identified Texas HHS Confidential Information
-
Attempting to contact Individuals whose records are contained in data
-
Publishing data
-
Disclosure of work product
Unless expressly authorized in writing by Texas HHS or permitted under the Base Contract.
Offshore Data Restrictions
CTBF will not use, disclose, create, maintain, store, or transmit Texas HHS Confidential Information outside of the United States without:
-
Express prior written approval from Texas HHS
-
Compliance with all safeguarding conditions imposed by Texas HHS
Cooperation with Audits and Investigations
CTBF requires full cooperation with:
-
Texas HHS inspections
-
Federal regulatory inspections
-
Audits
-
Compliance reviews
-
Investigations related to the DUA or applicable law
Destruction and Disposal
CTBF maintains written procedures for destruction and disposal of Texas HHS Confidential Information consistent with:
-
HIPAA
-
DUA
-
Texas law
Methods include:
-
Secure shredding of paper records
-
Certified electronic destruction
-
Secure deletion procedures
-
Documentation of destruction
Privacy Safeguards
CTBF maintains Administrative, Physical, and Technical safeguards.
Administrative Safeguards
-
Workforce training
-
Access authorization procedures
-
Termination access revocation
-
Incident management
-
Disaster recovery plan
-
Business associate agreements
Technical Safeguards
-
Password protection
-
Role-based access
-
Encryption where appropriate
-
Secure data transmission
-
Logging and monitoring
-
Secure email practices
Physical Safeguards
-
Locked file storage
-
Restricted office access
-
Secure workstation placement
-
Clean desk practices
-
Secure disposal containers
Authorized User List Management
CTBF and any subcontractors:
-
Maintain a current Authorized User List
-
Monitor for terminated or role-changed employees
-
Remove access immediately upon termination or change in authorization
-
Review access permissions periodically