PRIVACY & DATA PROTECTION POLICY
Taylor's Gift ISS Compliance & Habilitation System (TG-ICHS)
Automated dynamic scrubbing of the 18 standard HIPAA identifiers.
Telemetry processes geofences locally. Raw coordinates are never stored or transmitted.
Built in full compliance with Texas Health & Safety Code Chapter 181.
Automated payroll verification prevents duplicate HCS Host Home / ISS billing.
Policy Sections
1. Scope & Covered Entities
This Privacy & Data Protection Policy describes how Taylor's Gift Individualized Skills and Socialization (TG-ISS) program, operating via the Taylor's Gift ISS Compliance & Habilitation System (TG-ICHS), collects, processes, stores, and protects Protected Health Information (PHI) and personal location data. This policy applies to all clients enrolled in our off-site ISS programs, their legally authorized representatives (LARs), and the service providers, facilitators, and Host Home caregivers employed to deliver these services.
As a provider of Habilitative Services under Texas Health and Human Services Commission (HHSC) waiver programs, Taylor's Gift ISS is a "Covered Entity" under federal law and the Texas Medical Records Privacy Act. The TG-ICHS mobile and web application portal serves as the primary system of record for service delivery verification, compliance oversight, and habilitation logging.
2. Regulatory Compliance Foundations
Our compliance architecture is built to meet and exceed the legal safeguards mandated by federal and state regulatory authorities:
- HIPAA Privacy & Security Rules (45 CFR Parts 160 & 164): We enforce strict administrative, physical, and technical safeguards. All electronic Protected Health Information (ePHI) is encrypted both in transit (using TLS 1.3) and at rest (using AES-256-GCM), with comprehensive access logs recorded to track user access.
- Federal Medicaid Safekeeping (42 CFR § 431.300): We restrict the use or disclosure of information concerning Medicaid applicants and recipients to purposes directly connected with program administration.
- Texas Medical Records Privacy Act (Texas Health & Safety Code Chapter 181): Recognizing that Texas state law imposes standards more stringent than HIPAA, we require customized training for all employees, provide detailed disclosures, and restrict PHI access to the minimum scope necessary to fulfill habilitative goals.
- Texas Human Resources Code Chapter 103: We ensure that all community-based programs maintain the highest standards of safety, dignity, and individual rights.
- Texas Administrative Code (26 TAC Chapter 559): Our services conform to HHSC operational requirements for Individualized Skills and Socialization (ISS).
3. Data Collection & GPS Geofencing Telemetry
To verify service delivery compliance in community settings, the TG-ICHS platform utilizes geofencing technology. We recognize the sensitive nature of location telemetry and implement a strict privacy-first model:
On-Device Processing Safeguard
High-precision GPS geofencing calculations occur entirely locally on the user's mobile device. The Grace Steps App measures the distance between the device and the approved venue center point using a local geofence radius. The app does not transmit, nor do our servers record, raw latitude and longitude coordinate streams or tracking paths.
Instead, the device transmits only a cryptographically signed, binary validation signal (e.g., IN_BOUNDS or OUT_OF_BOUNDS) along with service start/stop timestamps.
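The following is an added illustration of the on-device model described above; it is not code from TG-ICHS or the Grace Steps App. It assumes a venue center point, a geofence radius in metres, and a per-device HMAC key (all constructed placeholder values here) and shows the property that matters for privacy: the coordinates are consumed by the local distance check and only the signed verdict, venue id and timestamps are ever serialized. The server side recomputes the tag so a verdict or timestamp changed in transit is rejected.

```python
"""Added example (not TG-ICHS code): an on-device geofence check that
emits only a signed verdict, never raw coordinates. The venue, radius,
key and device positions below are constructed sample values."""
import hashlib
import hmac
import json
import math

# Constructed sample venue (center point, radius in metres) and a placeholder
# device key; a real deployment would provision the key through a secure channel.
VENUE = {"venue_id": "venue-demo-01", "lat": 30.2672, "lon": -97.7431, "radius_m": 150.0}
DEVICE_KEY = b"placeholder-device-key-not-for-production"

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def geofence_verdict(lat, lon, venue=VENUE):
    """Local decision only: compares the distance to the venue center
    against the radius and returns IN_BOUNDS or OUT_OF_BOUNDS."""
    distance = haversine_m(lat, lon, venue["lat"], venue["lon"])
    return "IN_BOUNDS" if distance <= venue["radius_m"] else "OUT_OF_BOUNDS"


def _canonical(payload):
    # Deterministic serialization so device and server tag the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_signal(lat, lon, start_ts, stop_ts, venue=VENUE, key=DEVICE_KEY):
    """Build the message that leaves the device: verdict, venue id and the
    service start/stop timestamps, plus an HMAC-SHA256 tag over exactly those
    fields. The coordinates are used here and never placed in the payload."""
    payload = {
        "venue_id": venue["venue_id"],
        "verdict": geofence_verdict(lat, lon, venue),
        "start_ts": start_ts,
        "stop_ts": stop_ts,
    }
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_signal(signal, key=DEVICE_KEY):
    """Server-side check: recompute the tag over the received payload and
    compare in constant time; any altered field fails verification."""
    expected = hmac.new(key, _canonical(signal["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signal["tag"])


if __name__ == "__main__":
    # Constructed positions: about 45 m from the venue center, then about 2 km away.
    inside = build_signal(30.2676, -97.7431, 1700000000, 1700007200)
    print(inside["payload"]["verdict"], verify_signal(inside))
    outside = build_signal(30.2850, -97.7431, 1700000000, 1700007200)
    print(outside["payload"]["verdict"])
    # Flipping the verdict without the key invalidates the tag.
    tampered = {"payload": dict(outside["payload"], verdict="IN_BOUNDS"), "tag": outside["tag"]}
    print(verify_signal(tampered))
```

The payload deliberately has no field for a coordinate, so a logging or transport bug cannot leak one; the only way to get position data off the device would be to change the message schema itself.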
Medicaid Billing Overlap Audits
In rural settings, primary Host Home caregivers are often employed as part-time off-site ISS attendants. To prevent overlapping billing blocks (double-dipping), the TG-ICHS system runs automated cron sweeps comparing electronic logs. It cross-references the caregiver's active ISS hours against their residential Host Home service logs. The system preserves verified compliance audit logs to demonstrate to state inspectors that no duplicate Medicaid billing occurred.
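As an added example of the cross-referencing step (not TG-ICHS code), the sweep below takes a caregiver's ISS and Host Home service logs and reports every pair of entries whose time ranges intersect, with the overlap in minutes. The log format, field names and all rows are constructed sample data; the real system's log schema is not described on this page.

```python
"""Added example (not TG-ICHS code): an overlap sweep that flags ISS
service entries that intersect the same caregiver's Host Home entries.
The row format and every row below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ServiceLog:
    caregiver_id: str
    program: str  # "ISS" or "HOST_HOME"
    start: datetime
    stop: datetime
    log_id: str


# Constructed sample export: caregiver|program|start|stop|log_id
SAMPLE_ROWS = [
    "cg-1001|ISS|2024-03-04T09:00|2024-03-04T13:00|iss-1",
    "cg-1001|HOST_HOME|2024-03-04T12:30|2024-03-04T20:00|hh-1",   # overlaps iss-1 by 30 min
    "cg-1001|HOST_HOME|2024-03-05T18:00|2024-03-05T22:00|hh-2",   # different day, clean
    "cg-1002|ISS|2024-03-04T09:00|2024-03-04T13:00|iss-2",
    "cg-1002|HOST_HOME|2024-03-04T13:00|2024-03-04T20:00|hh-3",   # back-to-back, not overlapping
]


def parse_logs(rows):
    """Parse pipe-separated rows into ServiceLog records, rejecting
    entries whose stop is not after their start."""
    logs = []
    for row in rows:
        cg, program, start, stop, log_id = row.split("|")
        start_dt, stop_dt = datetime.fromisoformat(start), datetime.fromisoformat(stop)
        if stop_dt <= start_dt:
            raise ValueError(f"log {log_id}: stop must be after start")
        logs.append(ServiceLog(cg, program, start_dt, stop_dt, log_id))
    return logs


def overlap_minutes(a, b):
    """Length of the intersection of two intervals, in minutes (0 if disjoint)."""
    latest_start = max(a.start, b.start)
    earliest_stop = min(a.stop, b.stop)
    return max(0.0, (earliest_stop - latest_start).total_seconds() / 60)


def find_overlaps(logs):
    """Return one finding per (ISS entry, Host Home entry) pair that overlaps
    for the same caregiver. Each list is sorted by start so the inner loop
    can stop once a Host Home entry begins after the ISS entry has ended."""
    by_caregiver = defaultdict(lambda: {"ISS": [], "HOST_HOME": []})
    for log in logs:
        by_caregiver[log.caregiver_id][log.program].append(log)

    findings = []
    for cg, groups in sorted(by_caregiver.items()):
        iss_logs = sorted(groups["ISS"], key=lambda l: l.start)
        hh_logs = sorted(groups["HOST_HOME"], key=lambda l: l.start)
        for iss in iss_logs:
            for hh in hh_logs:
                if hh.start >= iss.stop:
                    break          # later entries start even later; nothing more can overlap
                minutes = overlap_minutes(iss, hh)
                if minutes > 0:
                    findings.append({
                        "caregiver_id": cg,
                        "iss_log_id": iss.log_id,
                        "host_home_log_id": hh.log_id,
                        "overlap_minutes": minutes,
                    })
    return findings


if __name__ == "__main__":
    for finding in find_overlaps(parse_logs(SAMPLE_ROWS)):
        print(finding)
```

Entries that merely touch (an ISS block ending at 13:00 and a Host Home block starting at 13:00) produce zero overlap and are not flagged, which is the behaviour a billing auditor expects; the findings list, not a boolean, is what would be retained as the audit record.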
4. HIPAA Safe Harbor Dynamic Sanitization
To ensure client privacy is preserved during collaborative case reviews and administrative audits, our platform integrates a dynamic HIPAA Safe Harbor scrubbing engine.
Prior to compiling any reporting dashboards, public metrics, or audit exports, our software automatically identifies and sanitizes the 18 HIPAA Safe Harbor identifiers:
- Names, email addresses, and phone numbers.
- All geographic subdivisions smaller than a state (including street addresses, cities, and ZIP codes).
- All elements of dates (except year) directly associated with an individual (such as birth dates, admission dates, and discharge dates).
- Social Security Numbers, Medicaid IDs, National Provider Identifiers (NPIs), and device serial numbers.
- Device IP addresses, biometric identifiers, and full-face photographic images.
Any unstructured text field (such as daily habilitation narrative summaries) is parsed by our natural language processing (NLP) sanitization filter to prevent accidental inclusion of personal details.
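The following added example (not TG-ICHS code) shows what a Safe Harbor scrubbing pass looks like for the identifiers that have a recognizable shape: SSNs, phone numbers, email addresses, IPv4 addresses, 10-digit NPIs, ZIP codes and dates, where the year is retained as Safe Harbor allows. Client names are replaced from the names already held in the structured record. The narrative text and every identifier in it are constructed sample data; free-text street names and city names are left for the NLP pass the policy describes, which this example does not implement.

```python
"""Added example (not TG-ICHS code): a pattern-based Safe Harbor scrubber
for a habilitation narrative. The narrative and all identifiers in it are
constructed sample data; name removal relies on names known from the
client record, and street/city text is out of scope for this pass."""
import re

# Ordered rules: structured, high-confidence patterns first so that a later,
# looser rule (ZIP, NPI) never matches digits that belonged to an SSN or phone.
RULES = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    # Dates: keep only the year, as Safe Harbor permits.
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"), r"[DATE:\1]"),
    ("DATE", re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"[DATE:\1]"),
    ("NPI", re.compile(r"\b\d{10}\b"), "[NPI]"),          # NPIs are 10 digits
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b"), "[ZIP]"),
]


def scrub(text, known_names=()):
    """Replace identifiers in free text. Returns the scrubbed text and a
    count of replacements per identifier class, which is useful as an
    audit trail of what the export had to remove."""
    counts = {}
    # Names come from the structured client record, not from guessing.
    for name in known_names:
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        text, n = pattern.subn("[NAME]", text)
        if n:
            counts["NAME"] = counts.get("NAME", 0) + n
    for label, pattern, replacement in RULES:
        text, n = pattern.subn(replacement, text)
        if n:
            counts[label] = counts.get(label, 0) + n
    return text, counts


# Constructed sample narrative; every identifier is fictional.
SAMPLE_NARRATIVE = (
    "Met client Jane Doe (DOB 03/14/1990, SSN 123-45-6789) at 4500 Main St, "
    "Austin, TX 78701. Call mom at (512) 555-0123 or jane.doe@example.com; "
    "provider NPI 1234567890, logged from 10.0.0.25 on 2024-03-04."
)


if __name__ == "__main__":
    cleaned, report = scrub(SAMPLE_NARRATIVE, known_names=["Jane Doe"])
    print(cleaned)
    print(report)
```

Two design points carry over to any real implementation: the rule order is part of the correctness (a bare 10-digit or 5-digit rule run first would eat pieces of phone numbers and SSNs and leave the remainder exposed), and the per-class counts give reviewers a way to spot a narrative that produced zero replacements where identifiers were expected.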
5. Permitted Disclosures & Audit Rights
We restrict disclosures of client data to authorized entities in direct alignment with Texas Medicaid administration:
- Local Intellectual and Developmental Disability Authorities (LIDDAs) & Financial Management Services Agencies (FMSAs): Data sharing is restricted to required service plans, ISP authorization checks, and enrollment verification.
- Regulatory Authorities: Access is granted to state auditors (Texas HHSC, Texas Department of Family and Protective Services) and federal oversight bodies (CMS) during official reviews, ensuring complete compliance transparency.
- Emergency Services: In the event of a medical emergency during a community outing, the platform allows authorized facilitators to instantly transmit the client's medical profile (including hospital preferences, preferred physician, and emergency contacts) to first responders.
6. Client Rights & Contact Information
Clients and their Legally Authorized Representatives (LARs) hold the following rights regarding their information:
- The right to inspect and copy service records.
- The right to request an amendment to inaccurate or incomplete records.
- The right to obtain an accounting of disclosures.
- The right to request restrictions on certain uses and disclosures of their data.
For questions, rights requests, or to report a privacy concern, please contact our designated Privacy Officer at:
Advisory Engineering & Analytics, LLC
Attn: Privacy Officer / Compliance Desk
Email: privacy@taylorsgift-iss.com